Help Book Guardium V9.0

Contents

Guardium Help . . . 1
Quick Start Help Book . . . 3
Express Security Setup . . . 5
GRC Heatmap . . . 11
Common Tools Help Book . . . 15
Getting Started with the Guardium GUI . . . 17
Aliases . . . 25
Comments . . . 29
Datasources . . . 31
Dates and Timestamps . . . 39
Groups . . . 43
Notifications . . . 61
Customize the Portal . . . 63
Regular Expressions . . . 67
Scheduling . . . 73
Security Roles . . . 75
Time Periods . . . 77
Portlet Editor . . . 79
Basic Information for IBM Support . . . 81
Monitor and Audit Help Book . . . 87
Audit and Report . . . 89
Queries . . . 91
Reports . . . 103
External Data Correlation . . . 117
Privacy Sets . . . 129
User Identification . . . 131
Identify Users via Application User Translation . . . 133
Identify Users via API . . . 141
Identify Users via Stored Procedures . . . 145
Flat Log Process . . . 147
Custom Alerting . . . 149
Value Change Auditing . . . 153
Create an Audit Database . . . 157
Discover help book . . . 161
Classification . . . 163
Classification Policies . . . 165
Classification Process . . . 175
Database Auto-discovery . . . 179
Assess and Harden help book . . . 183
Introducing Guardium Vulnerability Assessment . . . 185
Vulnerability Assessment . . . 189
Creating and Running an Assessment . . . 195
Configuration Auditing System . . . 207
CAS Start-up and Failover . . . 221
CAS Templates . . . 225
CAS Hosts . . . 233
CAS Reporting . . . 237
CAS Status . . . 249
Comply Help Book . . . 253
Compliance Workflow Automation . . . 255
Open the To-Do List . . . 273
Audit Process To-Do List . . . 275
Open Workflow Process Results . . . 277
Optional External Feed . . . 279
Workflow Builder . . . 281
Monitored Table Access . . . 283
Protect Help Book . . . 285
Baselines . . . 287
Policies . . . 295
Install Policies . . . 347
Correlation Alerts . . . 349
Incident Management . . . 355
S-TAP help book . . . 359
S-TAP administration guide . . . 361
Configure Guardium appliance to manage agents . . . 369
Unix S-TAP . . . 371
Windows S-TAP . . . 421
Configure S-TAP from the GUI . . . 435
Edit the S-TAP configuration file . . . 449
Delayed cluster disk mounting . . . 451
Default Windows S-TAP configuration file . . . 453
Default Unix S-TAP configuration file . . . 463
S-TAP events panel . . . 481
S-TAP reports . . . 483
Install and Configure SharePoint Agent . . . 485
S-TAP error messages . . . 491
S-TAP appendix . . . 493
Aggregation and Central Management Help Book . . . 495
Aggregation . . . 497
Central Management . . . 511
Investigation Center . . . 531
Guardium for System Z help book . . . 535
IBM InfoSphere Guardium S-TAP for z/OS . . . 537
Guardium Installation Manager help book . . . 551
GIM Installation . . . 553
GIM - GUI . . . 557
GIM - CLI . . . 565
Guardium Administration Help Book . . . 569
Guardium Administration . . . 571
Installation . . . 573
System Configuration . . . 595
Inspection Engine Configuration . . . 601
Portal Configuration . . . 607
Configure Authentication . . . 609
Global Profile . . . 611
Alerter Configuration . . . 617
Anomaly Detection . . . 619
Session Inference . . . 621
IP to Hostname Aliasing . . . 623
Upload Key File . . . 625
Support Maintenance . . . 627
Unit Utilization Level . . . 629
Customer Uploads . . . 633
Archive, Purge and Restore . . . 635
Results Export (CSV, CEF, PDF) . . . 645
System Backup . . . 647
Export/Import Definitions . . . 651
Distributed Interface . . . 659
Capture Replay . . . 663
S-TAP Certification . . . 673
Custom Alerting Class Administration . . . 675
Configure Permission to Socket connection . . . 677
Manage Custom Classes . . . 679
SSH Public Keys . . . 681
Running Query Monitor . . . 683
Guardium Integration with BigInsights . . . 685
Configure BIG-IP Application Security Manager (ASM) to communicate with Guardium system . . . 689
Access Management Help Book . . . 703
Access Management Overview . . . 705
Manage Users . . . 707
Import Users from LDAP . . . 713
Manage Roles . . . 719
Manage Application Role Permissions . . . 723
Data Security - User Hierarchy and Database Associations . . . 735
Self Monitoring Help Book . . . 739
Self Monitoring . . . 741
Monitoring via SNMP . . . 751
Appendices Help Book . . . 755
CLI Overview . . . 757
Aggregator CLI Commands . . . 761
Alerter CLI Commands . . . 767
Certificate CLI Commands . . . 773
Configuration and Control CLI Commands . . . 781
diag CLI command . . . 831
File Handling CLI Commands . . . 847
Inspection Engine CLI Commands . . . 861
Network Configuration CLI Commands . . . 865
User Account, Password and Authentication CLI Commands . . . 875
Generate New Layout . . . 885
GuardAPI Reference . . . 887
GuardAPI Catalog Entry Functions . . . 893
GuardAPI Data User Security Functions . . . 897
GuardAPI Database User Functions . . . 901
GuardAPI Datasource Functions . . . 905
GuardAPI Datasource Reference Functions . . . 913
GuardAPI Group Functions . . . 917
GuardAPI Input Generation . . . 925
GuardAPI Process Control Functions . . . 935
GuardAPI Role Functions . . . 949
GuardAPI S-TAP Functions . . . 955
GuardAPI Archive and Restore Functions . . . 963
GuardAPI GIM Functions . . . 965
GuardAPI Auto-discovery Functions . . . 973
GuardAPI Assessment Functions . . . 977
GuardAPI Classification Functions . . . 983
GuardAPI Capture Replay Functions . . . 997
Domains, Entities, and Attributes Overview . . . 1005
Domains . . . 1007
Custom Domains . . . 1011
Database Entitlement Reports . . . 1025
Entities and Attributes . . . 1041
Predefined Content . . . 1095
Predefined Groups . . . 1097
Predefined Alerts . . . 1105
Predefined Reports . . . 1107
Predefined admin Reports . . . 1109
Predefined user Reports . . . 1141
Predefined Reports Common . . . 1159
CEF Mapping . . . 1163
LEEF Mapping . . . 1165
Access Maps . . . 1169
Activity Monitoring - Additional Controls . . . 1173
How-to Guide Overview . . . 1175
How to perform an Initial Installation and Configuration . . . 1177
How to create a user with the proper entitlements to login to CLI . . . 1181
How to build a report and customize parameters . . . 1183
How to populate a group from LDAP . . . 1189
How to combine Guardium's real-time alerts and correlation analysis with SIEM products . . . 1195
How to use Access Maps to show paths between clients and servers . . . 1201
How to define User Hierarchies . . . 1205
How to install an appliance certificate to avoid browser SSL certificate challenge . . . 1207
How to install patches . . . 1211
How to report on dormant tables and columns . . . 1217
How to create custom reports from stored data . . . 1223
How to transfer sensitive data . . . 1229
How to create Customized Workflows . . . 1233
How to create an Audit Workflow . . . 1237
How to use Customized Workflows . . . 1241
How to signify events through Correlation Alerts . . . 1243
How to create a real-time alert . . . 1247
How to Replay Captured Transactions . . . 1251
How to create a Security Assessment . . . 1259
How to manage the review of multiple database security incidents . . . 1267
Guardium Glossary . . . 1271
Legal Notices . . . 1283
Notices . . . 1287
Index . . . 1355

Guardium Help
The Help System is intended for all administrators and users.
Select a topic from the Contents panel to the left, or use the Search function on the
toolbar, or use the help-index.
A glossary with terms specific to the Guardium application is also available.
Copyright 2012 IBM Corp. All rights reserved.
IBM InfoSphere Guardium Version 9.0
August 2, 2012

Search function
Use quotation marks around words or phrases to precisely define search terms.
Search will display ranked topics that contain search keywords. The search results
appear as links in the Search tab of the navigation pane. The search keywords are
highlighted in the topic pane.


Quick Start Help Book


This book describes how to use Express Security and GRC Heatmap.
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.


Express Security Setup


This user application permits a quick start to the Guardium solution. Based on a
profile (one profile per user), this application generates a policy (and installs it), an
assessment, and defines an audit process.
There are four prerequisites before using Express Security Setup:
1. Logon as admin, select Tools, Database Definitions and then choose the
Security Assessment application to define the databases. In particular,
Hostname IP, Port, Database name, Database type and Schema are needed. For
further information on this procedure, see datasources.
2. In this same Database Definitions menu screen, assign roles for this datasource.
For further information on this procedure, see Security Roles.
3. The next prerequisite is to configure how alert messages are transmitted. Logon
as admin, select Administration Console and then choose Alerter. At this menu
screen, fill in the appropriate SMTP (email) and SNMP information. For further
information on this procedure, see Alerter Configuration.
4. Groups of databases, servers, objects, etc. must be defined by the admin or use
the predefined Guardium choices. For further information on this procedure,
see Groups.
Note: Express Security does not run on Aggregators or Central Managers.

Select Datasources
Datasources are used by a number of applications and tools, such as Vulnerability
Assessment and Classification. A datasource identifies a specific database or file on
a remote system.
The choices in this menu screen identify available data sources and permit
selection or de-selection of these data sources. Move a datasource from the
Available Column to the Selected Column by highlighting the datasource and then
click on the > button.
Datasources can be modified directly from this page by adding them and then
double-clicking on each one.

Audit Filters/ Granularity

These policy choices define the exclusions per groups (users and servers). The default choice is no exclusions. However, the more users and servers are monitored, the more processing and data collection that takes place.
Granularity is the relative level of detail that characterizes an object or activity.
The Express Security menu choices are (open the drop down choice to see policy group choices):
- Exclude applications in group
- Exclude users in group
- Exclude users not in group
- Exclude Client IPs in group

The granularity of the policy is chosen by clicking on one of the two selections below. These choices appear after the Merge common access requests heading:
- Yes, maintaining counts - Merge common access requests and maintain counts (this is also known as Audit only) (default), or
- No - log full detail
Note: Click the Groups icon to modify members of selected groups. However, groups of databases, servers, objects, etc. must be defined by the admin user.

Alerting Options
An alert is a message indicating that an exception or policy rule violation was
detected.
These choices specify how to handle exception or policy rule violations. They also
define how to transmit the message.
The menu choices are:
Table 1. Alerting Options
Alert On:
- Signature violations (requires Database Activity Monitor Content Subscription service)
- Failed logins
- SQL Errors
Alert Per:
- Alert per occurrence (event)
- Alert once per session (default)
Alert Using:
- Syslog (Default)
- SNMP Traps
- Email (SMTP). Send all emails to user: a created user address.

Add policy rules


A security policy contains an ordered set of rules to be applied to the observed
traffic between database clients and servers. Each rule can apply to a request from
a client, or to a response from a server.
Each rule in a policy defines a conditional action. The condition tested can be a
simple test, for example, it might check for any access from a client IP address that
does not belong to an Authorized Client IPs group. Or the condition tested can be
a complex test that considers multiple message and session attributes (database
user, source program, command type, time of day, etc.), and it can be sensitive to
the number of times the condition is met within a specified timeframe. See Policies.
Selecting a policy in this section of the menu screen takes all the rules from the
particular policy and appends them to the rules that Express Security Setup has
collected in the other sections of the total menu screen. The user does not have to
select additional policies in the Add Policy rules section of this total menu screen.


The Express Security menu choices list rules from predefined or customized policies. The examples in the second column of the table below are Guardium predefined policies.
Table 2. Example of Predefined Policies
Menu selection: Copy all rules from policy
Predefined Policies: Allow-All; Basel II; Data Privacy; Data Privacy PII; HIPAA PCI; PCI Oracle EBS; PCI SAP; Privileged Users Monitoring (black list); Privileged Users Monitoring (white list); SOX; SOX Oracle EBS; Vulnerability & Threats Management

Assessments
The security assessment function scans the database infrastructure for
vulnerabilities and provides evaluation of database and data security health, with
real time and historical measurements. For further information on this procedure,
see Vulnerability Assessment.
Choose test databases of type (choices):
- DB2
- Informix
- Microsoft SQL Server
- MySQL
- Netezza
- Oracle
- PostgreSQL
- Sybase
- Teradata

Place a checkmark next to the security assessment tests:
- Include configuration tests
- Include version/vulnerability tests
- Include authentication tests
- Include privilege tests
- Include other tests
- Include file system tests (Requires CAS being installed and configured)

Auditing Of
This section of the Express Security menu screen includes selecting additional
policies that result in a selective audit policy.
To completely control the client traffic that is logged, a policy can be defined as a
selective audit trail policy. In this type of policy, "audit-only" rules and an optional
pattern identify all of the client traffic to be logged. For further information see
Using_Selective_Audit_Trail in Policies.
Express Security menu choices are as follows:
Table 3. Additional policies for Selective Audit Policy
Menu Choices (for each choice, open the drop down choice to see the policy group choices):
- Privileged users
- Data Definition Language (DDL) commands
- Administrative commands
- Data Manipulation Language (DML) on
- SELECT commands on
- EXECUTE commands on

Compliance Reporting/ Sign-off


The results of this entire process, including pre-defined reports, period of time displayed on reports, sign-off trail and specified retention period of this data, are selected in the following menu choices:
- SQL report
- Exception report
- Security assessment report
- Session report (Login/Logout/Ignored)
- Policy violations report
- Alerts sent report

Display report data for:
- One Month
- One Week
- One Day
Get sign-off from: access role, admin role, user-defined role, accessmgr or admin user.
Retention period (in days - must be positive). 30 is default.
After checking off selections, click Install to install and save the policy choices, or
Save to save the choices without installing the policy choices.
A "Done" message will appear when the choices have been successfully saved.
When Install is done, another menu screen will appear. The menu defines the
schedule when the Audit will run. The choices are day/week or month and the
choices require specific times.


The details of an Installed Policy can also be seen from the System View of a user
and from Administration Console/ Policy Installation of the admin user.
There is a Revert button at the bottom of the screen (along with Save and Install).
When the Revert button is clicked, the scheduling page is re-opened with the
expectation that the user will want to remove the schedule from this process.
Note: A comment field is available after the Express Security Setup has been
saved.


GRC Heatmap
This high-level management report shows a snapshot of the current state of the
Guardium system in terms of three areas that matter most: Governance, Risk, and
Compliance (GRC).
There are 16 speedometer views. Each has a title and a tool tip explaining what it
reports on. Double-clicking on the view produces a drill-down tabular report with
full details.
The view is organized as a heatmap. The background color of each graph is green,
red or yellow (in some views it is either green or red). A heat map is a graphical
representation of data, which uses color to show data values in a two-dimensional
image. Black color within the speedo view indicates that there is underlying data
that can be accessed by double-clicking on the view. White color within the speedo
view indicates that there is no underlying data available. However, in Inactive
S-TAPs, the speedo view may display a white color and there is data displayed
during the drill-down. In this instance, there is a listing of Active S-TAPS.
In Compliance, there are two rows - the first for the database environment and the
second for the appliance (for example, whether data is being backed up or not).
A proper Governance strategy implements systems to monitor and record current
business activity, takes steps to ensure compliance with agreed policies, and
provides for corrective action in cases where the rules have been ignored or
misconstrued.
Risk Management is the process by which an organization sets the risk tolerance,
identifies potential risks and prioritizes the tolerance for risk based on the
organizations business objectives. Compliance is the process that records and
monitors the policies, procedures and controls needed to enable compliance with
legislative or industry mandates as well as internal policies.
The speedometer views are as follows:
Table 4. Speedometer Views of GRC Heatmap
Governance: Active audit process; Processes with pending results; Pending to-dos list items; Open Incidents
Risk: Unpatched Databases; Critical tests failed; Access violations; Classification violations
Conformance: Policy Installed?; Non-assessed data sources; Unmonitored Servers; Inactive S-TAPs
Conformance (self): Data Archiving Performed; Results Archiving Performed?; Data Purged?; Backups Performed?

Table 5. Specifications for each View/Report

Governance

Active audit process
- Color-coding: Green >0; Red =0
- Data Used: Number of audit processes marked as Active
- Timeframe: ALL

Processes with pending results
- Color-coding: Green <=10; Yellow >10 and <=20; Red >20
- Data Used: Total number of open audit results, meaning results that are in a status other than Reviewed or Signed
- Timeframe: One week

Pending to-dos list items
- Color-coding: Green <=25; Yellow >25 and <=50; Red >50
- Data Used: Number of audit process-receiver pairings for all receivers who have been distributed audit process results
- Timeframe: One month

Open Incidents
- Color-coding: Green <=25; Yellow >25 and <=50; Red >50
- Data Used: Total number of incidents not in status Closed
- Timeframe: Three months

Risk

Unpatched Databases
- Color-coding: Green <=1; Red >=0
- Data Used: Number of used datasources whose version and patch level do not match a version and patch level from a Group such as Oracle Database Version+Patches
- Timeframe: ALL

Critical tests failed
- Color-coding: Green =0; Yellow >0 and <=5; Red >5
- Data Used: Number of failed security assessment test results of critical severity
- Timeframe: One month

Access violations
- Color-coding: Green =0; Yellow >0 and <=10; Red >10
- Data Used: Number of policy violations
- Timeframe: One week

Classification violations
- Color-coding: Green 0; Yellow >0 and <=10; Red >10
- Data Used: Number of classifier violations
- Timeframe: One week

Conformance

Policy Installed?
- Color-coding: Green >0; Red =0
- Data Used: Number of installed policy rules
- Timeframe: From three years ago to one hour in the future

Non-assessed data sources
- Color-coding: Green <=1; Red >=0
- Data Used: Number of datasources that have been assessed on that machine in the past but do not have any assessment results in the past three months. If a data-source was never assessed it will never appear in the "Non-assessed Data Sources" report.
- Timeframe: Three months

Unmonitored Servers
- Color-coding: Green <=1; Red >=0
- Data Used: Number of server IPs where we have previously sniffed traffic but where we have sniffed no traffic in the past hour
- Timeframe: Two days

Inactive S-TAPs
- Color-coding: Green <=1; Red >=0
- Data Used: Number of S-TAPs inactive for more than one hour
- Timeframe: ALL

Conformance (self)

Data Archiving Performed
- Color-coding: Green >0; Red =0
- Data Used: Number of successful data archives performed
- Timeframe: One month

Results Archiving Performed?
- Color-coding: Green >0; Red =0
- Data Used: Number of successful results archives performed
- Timeframe: One month

Data Purged?
- Color-coding: Green >0; Red =0
- Data Used: Number of successful data purges performed
- Timeframe: One month

Backups Performed?
- Color-coding: Green >0; Red =0
- Data Used: Number of successful backups performed
- Timeframe: One week

Note: The Unmonitored servers report will always return 0 on aggregators, because neither this report nor its drill-down is meaningful for aggregators.


Common Tools Help Book


This help book describes tools like the Group Builder, for example, that are used
from multiple applications.
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.


Getting Started with the Guardium GUI


Use this help topic to learn how to use the Guardium GUI.
The following help topics are covered in this section:
- Portal Overview
- Check Microsoft Internet Explorer Settings
- Log in to the appliance
- Standard Portal Controls
- Report Portlet Toolbar Controls
- Overview Tab
- Override Default Aliases Setting

Portal Overview
Users access the appliance over a secure (HTTPS) connection, using a Web browser.
All users are defined on the system by the access manager. Your access manager
will provide you with your user name and initial password. In a default
installation, you will need to change your password the first time that you log in.
Within your browser window, information is displayed on a set of tabbed panes.
By selecting a tab or menu option, you can overlay panes on the same screen area.
Each pane may contain one or more portlets. A portlet can be a report, application,
or tool. Each pane may contain any number of report portlets, and a single
application or tool portlet.
When you log in for the first time, your portal displays with a layout determined
by the roles that the access manager has assigned to your user account. Although
the access manager controls the initial layout, you can customize your layout
easily, changing the panes displayed and the placement of portlets on each pane.

Apply/ Save/ Done/ Back/ Next/ Revert


Many screens share the action buttons listed below.
1. Click the Apply button. The system displays a message saying your changes
were applied successfully. Clicking on an Apply button will save changes and
stay on the screen.
2. Click Save. Do not leave a screen to perform another configuration before
saving your work. Work-in-progress is not saved and not held in half-created
suspension if you leave this screen to go create something else needed for the
configuration task at hand. Click Done when you have finished all the tasks
required on the menu screen. Clicking on a Save button will save changes and
leave the screen.
3. Click Back and Next. Move back and forth between menu screens of a
multi-screen task or function using the Back and Next buttons at the bottom of
each screen. The F5/CTRL-R/Refresh/Reload, Back/Forward arrows in the
web browser are not supported for navigation between menu screens.
4. Click Revert. Click this button to undo the last saved change.


Cross-site Request Forgery (CSRF) and 403 permission errors


403 Permission Denied
You do not have permission for this request

The Guardium application must ALWAYS know where a URL came from and
where it is going to.
Thus, there are specific web browser actions accessing the Guardium application
that will lead to 403 permission issues, such as:
v F5/CTRL-R/Refresh/Reload (from the web browser)
v Back/Forward (from the web browser)
v Opening multiple tabs in a browser session on the same Guardium system
v Closing a browser tab to a Guardium system and then trying to connect via a
new tab
Use the navigation buttons within the Guardium application instead of the
selections of the web browser.
Also, once a 403 permission error has occurred within a GUI session, that GUI session
will cease to work: the 403 permission error triggers an automatic logout from the
GUI.
When installing a new Guardium system or machine or upgrading from an earlier
version of Guardium, CSRF status is enabled by default.
To turn on CSRF status, run the CLI command "store gui csrf_status on".
Turning on CSRF status (403 permission errors) will make the Guardium system
more secure but less user-friendly.
See the CLI command, store gui [port | session_timeout | csrf_status] for more
information on Cross-site Request Forgery (CSRF).
The option XSS (Cross-Site Scripting) is also enabled by default on upgraded
systems.
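To show the mechanism behind these 403 errors, here is an added example that is not Guardium's code: a toy portal that embeds a one-time synchronizer token in each page it serves and accepts a form submission only when that token is unused, bound to the submitting page, and accompanied by a Referer from the portal itself, so refresh, a new tab, or a request from elsewhere is refused and the session is invalidated. Only the appliance address (from the login example in this book) and the csrf_status on/off switch come from the page; the class and function names and the exact token and Referer rules are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Appliance address reused from this help book's login example; every other
# name below (Session, GuiServer, walk_through) is an assumption of this sketch.
APPLIANCE = "https://192.168.3.47:8443"


@dataclass
class Session:
    """One logged-in GUI session: unused tokens keyed to the page they were issued for."""
    session_id: str
    tokens: Dict[str, str] = field(default_factory=dict)
    alive: bool = True


class GuiServer:
    """Toy portal enforcing a synchronizer token plus a same-origin Referer check."""

    def __init__(self, csrf_status: str = "on"):
        self.csrf_status = csrf_status      # mirrors 'store gui csrf_status on|off'
        self.sessions: Dict[str, Session] = {}

    def login(self) -> Session:
        s = Session(session_id=secrets.token_hex(8))
        self.sessions[s.session_id] = s
        return s

    def render_page(self, s: Session, page: str) -> str:
        """Serve a page: embed a fresh one-time token in its form and remember it."""
        token = secrets.token_urlsafe(16)
        s.tokens[token] = page
        return token

    def post(self, s: Session, page: str, token: Optional[str], referer: Optional[str]) -> int:
        """Handle a form submission: 200 on success, 403 when provenance is unknown."""
        if not s.alive:
            return 403                      # session was invalidated by an earlier 403
        if self.csrf_status != "on":
            return 200                      # enforcement off: friendlier, but unprotected
        issued_for = s.tokens.pop(token, None) if token else None   # one-time use
        ok = (
            issued_for == page                                     # token bound to this page
            and referer is not None
            and referer.startswith(APPLIANCE + "/")                # came from our own portal
        )
        if not ok:
            s.alive = False                 # after a 403 the GUI session ceases to work
            return 403
        return 200


def walk_through(csrf_status: str = "on") -> Dict[str, int]:
    """Replay the browser actions the help text lists; return the status each one gets."""
    srv = GuiServer(csrf_status)
    page = "/policy/install"
    ref = APPLIANCE + page
    results: Dict[str, int] = {}

    s = srv.login()
    tok = srv.render_page(s, page)
    results["navigate within the application"] = srv.post(s, page, tok, ref)
    # Refresh/Back makes the browser re-send the request it already sent, so the
    # token arrives a second time after it was consumed.
    results["refresh (F5) re-submits the consumed token"] = srv.post(s, page, tok, ref)
    results["retry in the same session after the 403"] = srv.post(
        s, page, srv.render_page(s, page), ref)

    s = srv.login()                          # fresh session for each remaining case
    results["new tab submits without any token"] = srv.post(s, page, None, ref)

    s = srv.login()
    tok = srv.render_page(s, page)
    results["valid token but request comes from another site"] = srv.post(
        s, page, tok, "https://other.example/")

    s = srv.login()
    tok = srv.render_page(s, "/groups/edit")
    results["token issued for a different page"] = srv.post(s, page, tok, ref)
    return results
```

Running walk_through("on") returns 200 only for in-application navigation and 403 for every browser-driven case, while walk_through("off") returns 200 for all of them, which is the security-versus-convenience trade-off the CLI switch controls.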

Check Microsoft Internet Explorer Settings


Internet Explorer 6 (IE6) is not fully supported in this version. A warning message
will appear when first accessing the Guardium GUI with IE6.
If you use Microsoft Internet Explorer as your Web browser, please check the
setting of the Show friendly HTTP error messages option, as described in the
procedure below.
Microsoft Internet Explorer is typically configured by default to show friendly
HTTP error messages. This means that instead of seeing any explanatory error
messages produced by the appliance software, you will receive friendly (but not
very informative) messages output by Microsoft Internet Explorer.
To check or modify this setting, follow the procedure outlined below:
1. Open Microsoft Internet Explorer.
2. Select Tools > Internet Options to open the Internet Options panel.


3. Click the Advanced tab in the Internet Options panel.


4. Scroll down in the Settings box to the Show friendly HTTP error messages
setting.
5. Clear the Show friendly HTTP error messages checkbox if it is marked.
6. If you cleared the checkbox, click the Apply button to save the settings.
7. Click the OK button to close the Internet Options panel.
Note: Following a software upgrade, the color pattern or other attributes of your
appliance portal may appear strange, because your browser may be fetching some
items from your local PC cache. If this happens, clear the cache (from the Internet
Explorer Tools menu).

Menu in GUI cannot finish loading


Sometimes, under normal circumstances, a menu in the GUI will never finish
loading. The circle icon will appear and start spinning, but it will never stop. To
correct this, the user should click refresh in the GUI. This will aid in finishing the
menu reload. This situation has been observed in Google Chrome and Internet
Explorer browsers.

Log in to the appliance


1. Open the Login Page in your browser. If you have not saved the page location, type its address in the Address box of the browser window, in the following format:
   https://ip-address:port
   - Note that the address begins https (the secure hypertext transmission protocol, not the more common http protocol).
   - Substitute for the ip-address and port components of the address as appropriate, using the values given to you by your appliance access manager or administrator. ip-address is the Internet address or the DNS name of the appliance, and port is the port assigned for the appliance user interface, which by default is 8443.
   - For example: https://192.168.3.47:8443 or https://guard23.com:8443
2. After typing the address, press Enter to open the Login Page.
3. Enter your appliance user name in the Username box.
4. Enter your appliance password in the Password box.
5. Click the Login button. This opens your appliance portal, which displays the tabs and panes you are authorized to use.

Login notes
Your appliance access manager and appliance administrator will determine which
login and password options are enabled for your system. Depending on your
configuration:
v The first time that you log in, you may be prompted to change your password.
v You may be required to change your password on a periodic basis (after every
30 days, for example).
v Your user account may be disabled automatically after a certain number of days
of inactivity. (Contact your access manager to re-enable it.)
v By default, each user can log into a system from only one IP address at a time. If
the same user attempts to log in concurrently from two IP addresses, the second
attempt will not be allowed.

There must be a valid license in order to use various functions within the
appliance. When a license has been entered after the system is started, a restart
of the GUI is needed before the new functionality is recognized. See System
Configuration for further information.

Standard Portal Controls


The top of the portal contains the controls explained below. Place the cursor over
the icon. Tool tips will appear to show the name of the icon.

Table 6. Standard Portal Controls

You have ... - If there are items on your Audit To-Do List, this message displays
in the upper-left portion of the window. Click the "You have..." link to open your
To-Do List in a separate window.

Edit Account... - Click the Edit Account... link to edit your user account (to
change your password or email address, for example).

Customize - Click the Customize link to add a tab to the outermost row of tabs on
your portal.
Click on the Customize link to change the look of choices from tab pane to
menu pane. For example, as an admin user, click on the Customize link.
Select Tools, and switch the appearance of Configuration & Control and
Report Building from tab pane to menu pane. After making the change in
pane, click Apply twice to return to the main screen of the GUI.

Logout - Click the Logout link to log out.

About - Click the About link to show all the functions that are enabled for the
particular appliance.

Portal Search - Opens a search window. Enter the report or application name, or
part of the name in the text box, and click the Search button. Then click on any
of the displayed portlets to navigate to that portlet in the main window.
Hint: This search operation searches for each word that you enter,
separately. To limit the list of portlets returned, enter only the most
important word or words from the name of the portlet you are looking for.

Portal Map - Opens a graphical map of your portal. Navigate the tabs and menu
entries as you would with a directory listing.

Help System - Clicking on this icon opens the Help System in a separate browser
window.
Use quotation marks around words or phrases to precisely define search
terms.
Search will display ranked topics that contain search keywords. The search
results appear as links in the Search tab of the navigation pane. The search
keywords are highlighted in the topic pane.
By default, ten search results appear at a time. However, the maximum
number of search results can be specified.
Breadcrumb navigation links appear at the top right of a Help topic page
and list which separate help book .PDF file the topic belongs to.

Standalone Unit - The unit type (Standalone, Central Manager, Aggregator) is
displayed in the upper right portion of the panel.

Change Layout, Edit Account, Customize


Use the Change Layout feature in combination with the Edit Account choice and
Customize choice at the top of the main Guardium screen, to create alternate
layouts for users. Use the Customize choice to add or remove tabs. On the Edit
Account menu, there is a button called Layout that opens to a screen where
different layouts can be named. After these steps, manage the layout for users from
the accessmgr user interface. Click on the Change Layout choices in the User
Browser menu to open a screen where the previously created alternate layouts can
be selected.
See Manage Users for more information.

Navigate the Portal


Regardless of how your portal is defined, you navigate using the same types of
components: tabs, menus and portlets.
Table 7. Navigate the Portal

Navigate tabs - Each tab completely defines the entire area below the row of tabs
on which it is defined. The tabs thus overlay one another, with only the active
tab layout visible. The active tab title on each row of tabs is highlighted. On
each row of tabs, only the active tab has a Customize button.
Click the Customize button to customize the layout of the tab. See Portal
Customization for detailed instructions on how to customize your layout. If a tab
layout contains one or more reports, clicking the tab title refreshes all reports
on that tab.

Navigate menus - Some tabs contain menus. Each item on a menu completely defines
the area to the right of the menu. The menu items thus overlay one another and
only the active menu item can be seen. The active menu item is highlighted. The
menu also contains a Customize button, which you can click to customize the menu.
(See Portal Customization for detailed instructions on how to customize your
layout.)

Portlet Layouts
The area to the right of a menu, or the area below a tab if the tab has no menu
or nested tabs, contains portlets. A portlet can be an application or a report, and
there can be multiple portlets on a pane, arranged in rows or columns. Each portlet
pane (whether an application or report) contains the buttons illustrated and
described below. Place the cursor over the icon. Tool tips will appear to show the
name of the icon.

Table 8. Portlet Layouts

Customize - On a report portlet, click the Customize button to set the
run-time or presentation parameters. To change the menu, tab, or overall
layout, use the Customize button on a menu or tab, or use the Customize
link in the upper right portion of the portal.

Print - Print-Friendly Format - Click to display the panel contents in a
printer-friendly format (which minimizes the use of curved lines).

Information - Click to display information about the portlet.

Close - Click to close the portlet. This removes the portlet from your layout.
(It does not delete the definition of the underlying component - an
application or report, for example.) If you remove a portlet by mistake, you
can re-add it easily (see Portal Customization).

Minimize - Click to minimize the portlet. When minimized, the Minimize
and Maximize buttons are replaced by the Restore button. Click the Restore
button to return the portlet to its normal size.

Maximize - Click to expand this portlet to fill the work area. When
maximized, the Close, Minimize, and Maximize buttons are replaced by the
Restore button. Click the Restore button to return the portlet to its normal
size and location.

Report Portlet Toolbar Controls


Each report contains a toolbar at the bottom, with the controls described below.
Place the cursor over the icon. Tool tips will appear to show the name of the icon.

Table 9. Report Portlet Toolbar Controls

First or previous page - Go to the first or previous page, respectively.

Records: - Enter a record number to jump to (they are numbered from top to
bottom).

Next or last page - Go to the next or last page, respectively.

Re-run - Re-run the query to refresh the report data.

Download - Download the data currently displayed on the portlet, in CSV format.

Download - Download the entire report, in CSV format.

Open - Open the complete report in a separate window, formatted for printing.

Download - Download a PDF file version of the report.

Edit - Edit the query this report is based upon. (You must be authorized to edit
that query.)

Overview Tab
The default user layout contains an Overview Tab, containing many predefined
reports. See the Predefined Reports appendix for details on what these reports are.

Override Default Aliases Setting


By default, for any new report, or for any report contained in a default layout,
aliases are not used.
An alias provides a synonym that substitutes for a stored value of a specific
attribute type. It is commonly used to display a meaningful or user-friendly name
for a data value. For example, Financial Server might be defined as an alias for IP
address 192.168.2.18.
To display aliases for an individual report, you can open its Customize Portlet
panel and mark the Show Aliases On button.
If more often than not, you would rather see aliases by default, you can change the
default aliases setting for all reports, as follows:
1. Select Administration Console > Global Profile to open the Getting Started with
the GUI panel.
2. Mark the Use Aliases in Reports unless otherwise specified checkbox.
3. Click Apply.

Independent Updating of Information in Current Status Monitor


In the past, all the contributing reports that make up the Current Status Monitor
on the System View updated at the same time, impacting the amount of time
needed to display this information, depending on the size of the report data
retrieval. Now, all the contributing reports update or refresh independently and
thus appear quicker in the Current Status Monitor.

Predefined Content
At installation time the appliance is configured with a number of predefined
components. These are described on the following pages:
v Predefined Groups on page 1097
v Predefined Alerts on page 1105
v Predefined admin Reports on page 1109

Guardium Developerworks Forum


Access the Guardium Developerworks Forum for the latest questions and answers
to Guardium technical issues.
http://www.ibm.com/developerworks/forums/forum.jspa?forumID=2648


Aliases
Use this help topic to understand the use of aliases.
The following subjects are covered in this help topic:
v Aliases Overview
v Open the Alias Finder
v Define Aliases Using the Alias Builder
v Alias Quick Definition from a Report
v Alias Quick Definition from the Group Builder
v Define Aliases Using a Query
v IP-to-Hostname Aliasing (This topic appears in the Guardium Administration
help book)
v View the Aliases Defined

Aliases Overview
An alias provides a synonym that substitutes for a stored value of a specific
attribute type. It is commonly used to display a meaningful or user-friendly name
for a data value. For example, Financial Server might be defined as an alias for IP
address 192.168.2.18. Once an alias has been defined, users can display report
results, formulate queries, and enter parameter values using the alias instead of the
data value. Note, however, that you cannot sort reports on alias values; sorts
always use actual data values.
There is only one set of aliases. If multiple users define aliases for the same value
of an attribute, the most recently defined alias is the one that will be seen by all
users.
Aliases can be defined in a number of ways:
v Alias Builder - Use this method to define aliases manually. See Define Aliases
Using the Alias Builder.
v Alias Quick Definition from a Report - Use this method to define aliases for one
or more specific values displayed on a report. See Alias Quick Definition from a
Report.
v Alias Quick Definition from the Group Builder - Use this method to define
aliases for any set of members in a group, or for the group name itself. See Alias
Quick Definition from the Group Builder.
v Alias Definition from Query - Use this method to define aliases either from a
custom table that has been uploaded to the Guardium appliance, or from
observed data. See Define Aliases Using a Query.
v Generate Hostname Aliases for IP Addresses - Use this method to generate
hostname aliases for IP addresses, by accessing the DNS. By default, this
function can be performed only by users with the admin role. See
IP-to-Hostname Aliasing.
Note: Alias changes made on the Central Manager or on a managed unit will not be
visible on the other systems until either their GUI is restarted or an alias
change is made through their own GUI.


Open the Alias Finder


1. Do one of the following to open the Alias Finder panel:
v Administrators: Click the Select Tools tab, click the Config & Control tab, and
select Alias Builder from the menu.
v All Others: Click the Monitor/Audit tab, click Build Reports, and click the
Alias builder button in the lower right portion of the panel.
2. Select the attribute type for which you want to define aliases, from the Group
Type list (USERS, for example).

Define Aliases using the Alias Builder


Use this procedure to add, modify, or remove alias definitions for any attribute
type for which aliases can be defined.
1. If the Alias Finder is not open, see Open the Alias Finder, above.
2. Select the attribute type for which you want to define aliases, from the Group
Type list (USERS, for example).
3. Do one of the following:
v To display all aliases for the selected attribute type, click the Search button
(without entering anything in the Value or Alias boxes).
v To display a subset of the values and aliases defined, enter values (%
wildcard characters are allowed) in the Value and/or Alias fields, and click
the Search button.
Either of the above actions opens the Alias Builder panel, listing all selected
values and/or aliases.
4. To add or replace an alias for a listed value, enter the alias in the Alias box to
the right of that value, and click the Apply button. Note that if you searched
for a specific alias value, and replace that value, when you click the Apply
button the entry will "vanish", since it no longer meets the search criteria for
the panel.
5. To add an alias for a value not listed:
v Enter the value in the Value box.
v Enter the alias for that value in the Alias box to the right of it.
v Click the Add button.
Note: If you attempt to define a second alias for a value, the system will
prevent you from doing so.
6. Optionally click the Comments button to add comments (see Commenting).
7. Optionally click the Delete button to delete an alias.
8. Repeat steps 4-7 above as necessary, and click the Done button when finished
making all changes.
Note: Limits
The limit for the buttons when viewing a report (generate PDF, generate CSV, and
printable) is 30,000 rows. This is non-customizable.
The limit for the Populate From Query in Group and Alias Builder when run via
Run Once Now is 5,000 rows. This is non-customizable.


The limit for the Populate From Query in Group and Alias Builder when run via
Scheduling is 20,000 rows. This limit is customizable, via the CLI command,
show/store populate_from_query_maxrecs.

Alias Quick Definition from a Report


Use this procedure to add, modify, or remove the definition of an alias for any
value displayed in a report.
1. Verify that Aliases: ON displays in the lower left corner of the report portal. If
not, click the Customize button on the report panel tab, to open the Customize
Portlet panel for the report, mark the Show Aliases On button, and click
Update.
2. Double-click on any row of the report to open the drill-down menu, and select
Alias Definition from the menu. The Alias Definition panel will list all columns
of the report for which aliases are allowed, with the value of the selected row
displayed. Enter a value in the Alias box to the right of any Value for which
you want to define an alias.
3. Click Apply when you are done.
4. To view the report with the new aliases, click the Refresh button.

Alias Quick Definition from the Group Builder


If the Group Builder is not open, see Open the Group Builder, above.
v In the Modify Existing Groups panel, select a group for adding or editing
aliases.
v Click the Aliases button to open the Alias Quick Definition window.
v Enter aliases in the Alias column. The first value shown is always the group
name. If an alias is defined for the group name, the alias displays in reports that
are grouped by objects.
v When done applying all aliases, click Apply, and then click the Close this
window link.

Define Aliases Using a Query


Use this method to create aliases from a query. This is most often used when a
custom table has been uploaded to the Guardium appliance, and that table can be
used to map aliases to specific values.
1. If the Alias Finder is not open, see Open the Alias Finder, above.
2. Select the attribute type for which you want to define aliases, from the Group
Type list (USERS, for example).
3. Click Populate From Query to open the curiously named Builder Alias From
Query Set Up panel. Initially, only the Query list box displays in the Set Up
Query To Run pane.
4. From the Query list, select the query to be run. From the Choose Column for
Value Column list, select the query column to be used for the attribute value.
5. From the Choose Column for Alias Column list, select the query column to be
used for attribute aliases.
6. After making selections for both lists, the remaining run-time parameters will
be displayed (From Date, To Date, Remote Source, and any additional
parameters for the selected query). Enter all run-time parameters, as
appropriate for the query.
7. Click the Save button to save the configuration.
8. Click Run Once Now to run the query immediately, or click the Modify
Schedule button (see Scheduling) to define a schedule for the query.

View the Aliases Defined


There are no reports for alias definitions. Alias values can only be viewed from the
Alias Builder.
1. If the Alias Finder is not open, see Open the Alias Finder, above.
2. Select the attribute type for which you want to display aliases, from the Group
Type list (USERS, for example).
3. Click the Search button (without entering anything in the Value or Alias boxes).
4. Click the Done button when you are done.


Comments
Comments apply to definitions and to workflow process results.
Comments can be added or viewed by clicking a Comments button or pushpin.
Comments apply to definitions (reports or policies, for example), and to workflow
process results. You can add multiple comments to a component (a report or
policy, for example), and you can add comments to comments, but you cannot
modify or delete existing comments.
Comments are stored in one of two entities: Comments and Local Comments,
depending on whether or not Central Management is used. If no Central Manager
is used, all comments are stored in the Comments entity.
In a Central Management environment, comments will be stored in one of the
following entities, depending on whether they are local to one system, or global to
the Central Management environment.
v Comments Entities - Contain comments that are stored on the Central Manager,
and will be available within that Central Management environment, given the
usual constraints regarding roles and permissions.
v Local Comments Entities - Are defined on a single unit, and remain local to that
unit. Local Comments from the standalone or managed unit are not stored on
the Central Manager.

Add or View Comments


1. To add or view comments, click the Comment or Add Comment button, or
click the pushpin icon to open the User Comment panel.
2. To add comments:
v Click the Add Comment button.
v Type your comments in the text box.
v Click the Apply button.
After you have added comments to an item, the Comments button or pushpin
for the item will change to indicate that comments have been defined.

Report Comments
In the Comments reporting domain, there are two entities. See the Overview above
for a more detailed description of the distinction between these two types of
entities.
v The Local Comments entity is used in a Central Manager environment only. It
contains comments that have been defined to remain local to the system on
which they were defined. These are not stored on the Central Manager.
v The Comments entity contains comments that are not defined to be local (see
above). In a Central Manager environment, these comments are stored on the
Central Manager.


Datasources
Datasources are used by a number of applications and tools, such as Vulnerability
Assessment and Classification.
A datasource identifies a specific database or file on a remote system. Datasources
can be shared, but access is restricted according to the roles assigned to both the
datasource and the application that uses it.
Note: If a datasource is used for scheduled tasks, the account login information
must be stored with the definition. When defined, this information is encrypted on
the internal Guardium database.
Each datasource is created for a type of application (Classification, for example).
Different Guardium applications require different types of database access. For
example, the Value Change Auditing application requires a very high level of
administrative access to the database, and it would not be appropriate to use that
datasource for other applications not requiring that level of privileges. A label in
parentheses following the datasource name always indicates the type of application
for which the datasource was defined (Security Assessment, or Custom Tables, for
example).
Note:
When using an expiring product license key, or license with a limited number of
datasources, the following message may appear: "Cannot add datasource. The
maximum number of datasources allowed by license has been reached." The
License valid until date and Number of datasources can be seen on the System
Configuration panel of the Administrator Console.
A reasonable connection to the database (in amount of time needed) is required in
order for the datasources to work properly. A latency of more than 60 seconds may
impact functionality.
When exporting a datasource with an open source driver, the open source driver
will not be included in the export. The user needs to first upload the open source
driver into the new system before importing the datasource definition that was
created using it, otherwise the data direct driver will be substituted for the open
source driver when it is imported.

Discovery Agent
Guardium's Discovery Agent is an optional software agent installed on a database
server system. Its purpose is to detect database instances running on the database
server and report them back to the Guardium Appliance for quick and easy
defining of datasources. See Discovery Agent within the Unix S-TAP book for
additional information.

Gather data from flat file


Question: How can data from a flat file delimited by | be gathered, from a remote
machine, by connecting via FTP?

Example of flat file - abab.txt

20110415 02:36:01|ABAB|Jones HT|Select|CreditCard|Select * from CreditCard|
20110415 02:38:22|ABAB|Jones HT|Select|CreditCard|Select * from CreditCard|

Solution
The key part of the solution is to define the correct delimiter in the Connection
Property step of Define a Datasource.
Use the following procedure and make customized choices in three different parts
of the procedure:
v Specify a Database Type of Text:HTTP (see step 4).
v Specify a File Name of CSVFile (see step 15).
v Specify Connection Property of _CSV_Separator=| (see step 16).
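To see what the _CSV_Separator setting has to get right, here is an added example (not Guardium code) that parses rows in the abab.txt layout above, rejects lines whose field count does not match, and picks out rows that touch an object you consider sensitive. The column names are assumed from the sample rows; the real datasource maps columns when it is defined.

```python
"""Parse a '|'-delimited audit flat file like the abab.txt sample.

Added example, not part of Guardium. Column names are an assumption
drawn from the sample rows (six fields plus a trailing separator).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed sample, copied from the abab.txt example rows.
SAMPLE_FLAT_FILE = """\
20110415 02:36:01|ABAB|Jones HT|Select|CreditCard|Select * from CreditCard|
20110415 02:38:22|ABAB|Jones HT|Select|CreditCard|Select * from CreditCard|
"""

# Assumed column layout for the sample file.
COLUMNS = ("timestamp", "db_name", "db_user", "verb", "object", "sql")
TIMESTAMP_FORMAT = "%Y%m%d %H:%M:%S"


@dataclass(frozen=True)
class AuditRow:
    timestamp: datetime
    db_name: str
    db_user: str
    verb: str
    object: str
    sql: str


class FlatFileFormatError(ValueError):
    """A line did not split into the expected number of fields."""


def parse_flat_file(text: str, separator: str = "|") -> list[AuditRow]:
    """Split each non-blank line on `separator` and build AuditRow records."""
    rows: list[AuditRow] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no record
        # The sample rows end with the separator, so the final field is empty;
        # drop that trailing separator before counting fields.
        if line.endswith(separator):
            line = line[: -len(separator)]
        fields = line.split(separator)
        if len(fields) != len(COLUMNS):
            raise FlatFileFormatError(
                f"line {lineno}: expected {len(COLUMNS)} fields separated by "
                f"{separator!r}, got {len(fields)}"
            )
        ts = datetime.strptime(fields[0], TIMESTAMP_FORMAT)
        rows.append(AuditRow(ts, *fields[1:]))
    return rows


def rows_touching(rows: Iterable[AuditRow],
                  sensitive_objects: set[str]) -> list[AuditRow]:
    """Return the rows whose object column names a sensitive object."""
    wanted = {name.lower() for name in sensitive_objects}
    return [r for r in rows if r.object.lower() in wanted]


if __name__ == "__main__":
    parsed = parse_flat_file(SAMPLE_FLAT_FILE)
    for r in rows_touching(parsed, {"CreditCard"}):
        print(r.timestamp, r.db_user, r.verb, r.object)
    # With the wrong separator the whole line is a single field, which is why
    # the _CSV_Separator connection property must match the file.
    try:
        parse_flat_file(SAMPLE_FLAT_FILE, separator=",")
    except FlatFileFormatError as exc:
        print("wrong separator:", exc)
```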

Define a Datasource
By default, datasources can be defined by any user, at any point where a
datasource must be selected for use by an application. To define a datasource:
1. Do one of the following to open the Datasource Finder panel:
v Administrators: Click the Tools tab, click the Config & Control tab, select
Datasource Definitions from the menu, select the appropriate application for
the datasource from the Application list, and click the Next button.
v All Others: Click the Add Datasource button on the application definition
panel.
2. On the Datasource Finder panel, click the New button to open the Datasource
Definition panel.
3. Enter a unique name for the datasource in the Name box. We suggest
including both the database type and server name in the datasource name.
4. From the Database Type list, select the database or file type. For some
applications, the datasource must be a database (and not a text file).
Depending on the selection made, some subset of the remaining fields on the
panel will be disabled, and the labels of some fields will change depending on
the type selected from the Database Type list.
Note:
In some cases the datasource will fail to connect, due to invalid character set
properties (see the Connection Property field description, below).
Depending on the Application Selection on the first Datasources menu screen,
the Database Type choices will vary.
5. Select from the drop-down list a Severity Classification (or impact level) for
the datasource. If chosen, this severity classification can be used when viewing
various reports/results, such as Security Assessments, to sort, filter, or zero in
on those datasources that are more critical.
6. Enter a Description that identifies this datasource if appropriate.

32

Help Book Guardium V9.0

7. Mark the Share Datasource box to share this datasource with other
applications. To share the datasource with other users, assign security roles
(see below).
8. Mark the Save Password box to save the password (encrypted) on the
Guardium appliance. This is required if any application using this datasource
will run as a scheduled task (as opposed to an on-demand, run-once-now job).
When this box is marked, the Login Name and Password (below) are
required.
9. In the Login Name box, enter a database user account on this datasource.
Depending on the use intended for this datasource, this account may need to
have administrator privileges.
10. In the Password box, enter a password for the above Login Name. The
password will be encrypted on the Guardium appliance, and will never be
stored or displayed in clear text.
11. Do one of the following:
v For a non-text Database Type, in the Host Name/IP box, enter the host
name or IP address for the datasource.
v For a text Database Type, in the Host Name/IP box, enter the host or IP
address of the text file, followed by an optional port number, and the
directory for the file (the file name will be entered below, in the File Name
box).
12. Enter the port number in the Port box. If omitted, the port number defaults to
one of the following, based on the database type:
v DB2: 50000
v DB2 for i: 446
v DB2 for z/OS: 446
v Informix: 1526
v MS SQL Server (DataDirect): 1433
v MySQL: 3306
v Netezza: 5480
v Oracle (DataDirect): 1521
v PostgreSQL: 5432
v Sybase: 4100
v Sybase IQ: 2638
v Teradata: 1025
v Text: 0
v Text:HTTP: 8000
v Text:FTP: 21
v Text:SAMBA: 445
v Text:HTTPS: 8443
v N_A: 0
v MS SQL Server (open source): 1433 (use Admin Console > Customer
Uploads to upload these JDBC drivers, see Subscribed Groups Upload)
v Oracle (open source): 1521 (use Admin Console > Customer Uploads to
upload these JDBC drivers, see Subscribed Groups Upload)
13. Depending on the database type
v If DB2, enter the database name in the Database Name box
v If DB2 ISERIES or Oracle, enter the service name in the Service Name box
14. If Informix, enter the Informix server name in the Informix Server box
15. Do one of the following:
v For a non-text Database Type, in the Database box, enter the database name
(Informix, Sybase, MS SQL Server, PostgreSQL, or Teradata only). If left
blank for Sybase or MS SQL Server, it defaults to master.
v For DB2, DB2 ISERIES, or Oracle enter a valid schema name in the Schema
box to use
v For a text file Database Type, in the File Name box, enter the file name.
16. Use the Connection Property box only if additional connection properties
must be included on the JDBC URL to establish a JDBC connection with this
datasource. The required format is property=value, where each property and
value pair is separated from the next by a comma. Known uses for this
property are described below:
v For a Sybase database with a default character set of Roman8, enter the
following property: CHARSET=utf8
v For an Oracle Encrypted Connection you need to define a Connection
Property as:
oracle.net.encryption_client=REQUIRED;oracle.net.encryption_types_client=RC4_40
(Replacing with an encryption algorithm required by the monitored
instance, regardless of its type)
NOTE that 3DES168 encryption is problematic. A datasource defined to use
3DES168 encryption will incorrectly throw an "ORA-17401 protocol error" or
"ORA-17002 checksum error" when it encounters any SQL error. Thereafter,
the connection simply won't work until it is closed and reopened.
v For a DB2 Encrypted Connection you need to define a Connection Property
as: securityMechanism=13
v For a DB2 iSeries Connection, define a Connection Property as:
property1=com.ibm.as400.access.AS400JDBCDriver;translate binary=true
In Oracle, sys is an Oracle default user, is owner of the database instance, and
has super user privileges, much like root on Unix. SYSDBA is a role and has
administrative privileges that are required to perform many high-level
administrative operations such as starting and stopping the database as well
as performing such operations as backup and recovery. This role (SYSDBA)
can also be granted to other users. The phrase "sys as SYSDBA" refers to the
connection method required to connect as the sys user.
v For monitor values for Oracle 10 and above (sys as SYSDBA) (this is for the
Oracle open source driver), enter the following: internal_logon=sysdba
v For DataDirect (Oracle driver), enter the following: SysLoginRole=sysdba
17. Enter a Custom Url (optional) connection string to the datasource; otherwise
connection is made using host, port, instance, properties, etc. of the previously
entered fields.
When filling in a Custom URL field with the Oracle Open Source format, use:
jdbc:guardium:oracle://;SID=<SID>
18. Enter CAS information.
Because vendors offer flexibility during installation, users should be asked to
help in determining the two fields required on the datasource definition.
CAS needs two pieces of information: a database instance account to run some
of the database tools on Unix, and the name of the database instance directory
in order to find the files it is to monitor. Generally, if the Database Instance

34

Help Book Guardium V9.0

Account and Directory are not correctly entered in the Datasource Definition,
you will see "No CAS data available" messages for tests where CAS could not
find data.
Enter a Database Instance Account (software owner) and a Database Instance
Directory (directory where database software was installed) that will be used
by CAS.
Below are hints / suggestions for how to find the needed information to fill in
the CAS information for datasources. This information may vary from one
installation to another. One of the ways used on Unix is to list the
/etc/passwd file for specific database installations that can be used to identify
the database instance account and instance directory. Sometimes during the
installation an environment variable is defined in the database instance
account identifying the instance directory, such as ORACLE_HOME. In this
case, enter $ORACLE_HOME in the database instance directory field of the
datasource definition form and the variable will be expanded to find the
correct directory name on the database server.
Table 10. Database Instances

DB2
  Database Instance Account: Often "db2inst1".
  Database Instance Directory / Additional Hints: Home directory of
  "db2inst1" on Unix, or "C:\Program Files\IBM\SQLLIB" on Windows. The
  program "db2cmd.exe" must be on the system path, or in the "bin"
  subdirectory of the Database Instance Directory.

Informix
  Database Instance Account: Often "informix".
  Database Instance Directory / Additional Hints: Something like
  "/opt/IBM/informix" on Unix, or "C:\Program Files\IBM\Informix" on
  Windows. An environment variable INFORMIXDIR may be defined. The program
  "<servicename>.cmd" must be on the system path, where <servicename> is
  the value entered in the "Informix Server" field of the Datasource
  Definition.

Oracle
  Database Instance Account: Often "oracle", or version specific such as
  "oracle9" or "oracle10".
  Database Instance Directory / Additional Hints: For example,
  "/home/oracle9" on Unix, or "C:\oracle\product\10.2.0\db_1" on Windows.
  An environment variable ORACLE_HOME may be defined. On Windows, the
  environment variables PERL5LIB and ORACLE_HOME must be defined, and the
  program "opatch.bat" must be on the system path.

SQL Server
  Database Instance Account: Not needed unless Windows Authentication is
  being used. In that case, it must be in the form acceptable to Windows
  Authentication, DOMAIN/Username.
  Database Instance Directory / Additional Hints: There are two scenarios
  when populating "Database Instance Directory" for CAS usage in SQL
  Server.
  If the datasource is being used for Vulnerability Assessment tests, this
  field must be populated with the database instance home directory.
  Examples:
    MSSQL2000, named instance on a 64-bit server:
      C:\Program Files (x86)\Microsoft SQL Server\MSSQL$MSSQL2000
    MSSQL2000, default instance on a 32-bit server:
      C:\Program Files\Microsoft SQL Server\MSSQL
    MSSQL2005:
      C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL
    MSSQL2008:
      C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL
  If the datasource is not being used for Vulnerability Assessment tests,
  but for CAS monitoring of files or the registry, this field is the
  "Microsoft SQL Server" directory under "Program Files". Examples:
    C:\Program Files (x86)\Microsoft SQL Server
    C:\Program Files\Microsoft SQL Server
  Note: You must define two datasources if you want to do both
  Vulnerability Assessment tests and CAS file monitoring.

Sybase
  Database Instance Account: Often "sybase".
  Database Instance Directory / Additional Hints: "/home/sybase" on Unix,
  or "C:\sybase" on Windows. An environment variable SYBASE may be
  defined.

MySQL
  Database Instance Directory / Additional Hints: An environment variable
  MYSQL_HOME may be defined.

Teradata
  Database Instance Directory / Additional Hints: Not needed. The
  installations all look the same.

Netezza
  Database Instance Directory / Additional Hints: Not needed. The
  installation is in the same location on all machines.

PostgreSQL
  Database Instance Directory / Additional Hints: This is the most
  flexible of the installations. The user is required to define two
  environment variables on the Postgres database server: "PostgreSQL_BIN"
  should be the location of the binaries for the installation, and
  "PostgreSQL_DATA" the location of the data.

Note: If an environment variable is to be used within the Database Instance
Directory field, that environment variable must be defined on the database
server.
19. Click the Apply button to save the datasource definition (you cannot add roles
or comments until the definition has been saved).

20. Optionally click the Roles button to assign roles for the datasource. See Assign
Security Roles.
21. Optionally click the Add Comments button to add comments to the definition.
See Commenting.
22. Optionally click the Test Connection to test connectivity of the defined
datasource.
23. Click the Done button when you are finished with the definition.
Note: When using Teradata as a datasource and turning off "Comprehensive
Search", "Select top n" is used to select records. It does not guarantee that the first
n records are selected.
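Because an environment variable referenced in the Database Instance Directory field is expanded on the database server, a definition that looks fine in the GUI fails if the variable is not set there. The following Python is an added example (not part of the Guardium help and not Guardium code) of a pre-flight check to run on the database host before saving the datasource: it expands $VAR references the way the note describes, then applies the program and variable hints from Table 10. The variable names DB2_HOME and INSTHOME, the sample paths and the file list are constructed for illustration; on a real host you would pass os.environ and os.path.exists instead.

```python
import re

# Helper programs Table 10 says CAS needs, per database type.
# "PATH": must be found on the system path; "BIN": may instead be found in
# the "bin" subdirectory of the instance directory.
REQUIRED_PROGRAMS = {
    "DB2": [("db2cmd.exe", ("PATH", "BIN"))],
    "Oracle (Windows)": [("opatch.bat", ("PATH",))],
}
# Environment variables Table 10 says must be defined on the server.
REQUIRED_VARIABLES = {
    "Oracle (Windows)": ["PERL5LIB", "ORACLE_HOME"],
    "PostgreSQL": ["PostgreSQL_BIN", "PostgreSQL_DATA"],
}

_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")   # $NAME or ${NAME}


def resolve_instance_dir(field, env):
    """Expand $VAR references in the field using the server's environment.
    Raises ValueError naming every variable that is not defined, which is
    exactly the failure the note under Table 10 warns about."""
    missing = []

    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in env:
            missing.append(name)
            return match.group(0)
        return env[name]

    value = _VAR.sub(substitute, field)
    if missing:
        raise ValueError("not defined on the database server: " + ", ".join(missing))
    return value


def preflight(db_type, field, env, exists, windows=False):
    """Return a list of problems for a datasource definition; an empty list
    means the instance directory resolves and the required programs and
    variables are present. exists(path) is injected so the check can run
    against a constructed file list offline (or os.path.exists on the host)."""
    sep, path_sep = ("\\", ";") if windows else ("/", ":")
    try:
        instance_dir = resolve_instance_dir(field, env)
    except ValueError as err:
        return [str(err)]
    problems = []
    if not exists(instance_dir):
        problems.append("instance directory not found: " + instance_dir)
    for var in REQUIRED_VARIABLES.get(db_type, []):
        if var not in env:
            problems.append("environment variable not defined: " + var)
    path_dirs = [d for d in env.get("PATH", "").split(path_sep) if d]
    for program, where in REQUIRED_PROGRAMS.get(db_type, []):
        candidates = [d + sep + program for d in path_dirs] if "PATH" in where else []
        if "BIN" in where:
            candidates.append(instance_dir + sep + "bin" + sep + program)
        if not any(exists(c) for c in candidates):
            hint = " or in <instance dir>" + sep + "bin" if "BIN" in where else ""
            problems.append(program + " not found on PATH" + hint)
    return problems


# Constructed snapshot of a Windows DB2 host (environment and existing
# files); not taken from a real server.
SAMPLE_ENV = {
    "DB2_HOME": r"C:\Program Files\IBM\SQLLIB",
    "PATH": r"C:\Windows\system32;C:\Windows",
}
SAMPLE_FILES = {
    r"C:\Program Files\IBM\SQLLIB",
    r"C:\Program Files\IBM\SQLLIB\bin\db2cmd.exe",
}

if __name__ == "__main__":
    # A field of "$DB2_HOME" resolves and passes; "$INSTHOME" is undefined
    # on this host and is reported before anything else is checked.
    print(preflight("DB2", "$DB2_HOME", SAMPLE_ENV, SAMPLE_FILES.__contains__, windows=True))
    print(preflight("DB2", "$INSTHOME", SAMPLE_ENV, SAMPLE_FILES.__contains__, windows=True))
```

The check deliberately stops at the first undefined variable, since nothing downstream (directory, bin subdirectory) can be evaluated until the field resolves; the remaining hints are reported together so one pass on the host is enough.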

Select Datasources
The Datasource Finder panel displays all datasources that are available. If multiple
datasources can be selected for the application from which the Finder was opened,
there is a message at the bottom of the list box: "Select multiple items using
Shift- or Ctrl-click". If that message does not appear, only one datasource may be
selected for this application. A datasource can be created (new), modified, cloned
or removed from this panel. If the datasource you want to use does not display in
the list, and you believe that one has been defined for the purpose, there are
several possible explanations:
v If a datasource is defined without the Shared Datasource box marked, and that
datasource was created for an application (Classifier, for example) other than the
current application (Value Change Auditing, for example), that datasource will
not be listed.
v If a datasource has user roles assigned, and you do not have one of those roles
assigned to your Guardium user account, that datasource will not be listed.
Contact your Guardium administrator for more information.
After selecting one or more datasources, click the Add button to close the panel
and return to the application from which the Datasource Finder was opened. The
selected datasources will be added to the component definition.

Datasource Reports
There are two special predefined reports relating to datasources, that are available
to all users:
v The Data Sources report lists all datasources defined.
v The Data Source Version History report lists database version and patch
information (if available) for the database.
The queries these reports are based upon are internal to Guardium, and cannot be
modified. Access to the reports depends on the Guardium role assigned.

user Role Access to Datasource Reports


1. Click the Discover tab.
2. Click the DB Discovery tab.
3. Select Data Sources or Data Source Version History from the menu.

admin Role Access to Datasource Reports


1. Click the Daily Monitor tab, and select Datasources from the menu.

2. To view the Data Source Version History report, double-click on any row of
the Datasources report, and select Data Source Version History.

Dates and Timestamps


There are two tools for populating date fields: a calendar tool to select an
exact date, and a relative date picker to select a date that is relative to the
current time (now -1 day, for example). In addition, exact or relative dates can
be entered manually. See the topics below to enter or select a date.
Be aware that when selecting or entering dates, the date on the system on which
you are running your browser may not be the same as the date on the Guardium
appliance to which you are connected.

Timestamps in Queries
Take care when including Timestamps in queries.
First, be aware of the distinction between a timestamp (lowercase "t") and a
Timestamp (uppercase "T").
v A timestamp (lowercase t) is a data type containing a combined date-and-time
value, which when printed displays in the format yyyy-mm-dd hh:mm:ss (e.g.,
2005-07-17 15:40:25). When creating or editing a query, most attributes with a
timestamp data type display with a clock icon in the Entity List panel.
v A Timestamp (uppercase T) is an attribute defined in many entity types. It
usually contains the time that the entity was last updated.
Including a Timestamp attribute value in a query will produce a row for every
value of the Timestamp. This may produce an excessive amount of output. To get
around this, use the count aggregator when including the Timestamp in a query,
and then drill down on a report row, to view the individual Timestamp values for
the items included in that row only, in a drill-down report. See Aggregate Fields in
Queries.
When displaying a Timestamp value in a query that contains Timestamp attributes
in multiple entities, be careful to select the Timestamp attribute from the
appropriate entity type for the report. For example, if the query will display
information from both the Client/Server and the Session entities, with Session
selected as the main entity, you can display a Timestamp attribute from one or
both entities. If you include the Client/Server Timestamp, you will see the same
value printed for every Session of a given client-server connection: it will always
be the time at which that particular Client/Server record was last updated. If you
include the Timestamp attribute from the Session, you will see the time that each
Session listed was last updated.
Tip: If your report displays times that are all the same when you expect them to be
different, you have probably included a Timestamp attribute from an entity too
high in the entity hierarchy for the level of detail you want on the report.

Select an Exact Date from Calendar


To use the Calendar Window to select an exact date:
1. Click the Calendar button beside the field where you want to insert a date. This
opens a calendar in a separate window.
v Click the left arrow button to display the previous month in the calendar
window.
v Click the right arrow button to display the next month in the calendar
window.
2. Click on any date to select that day. The calendar window will close and the
selected date will be inserted into the date field beside the calendar tool that
was clicked.
Note: The default time for a date selected using the calendar is always 00:00:00
(the start of the day). To specify any other time of day, type over this value,
entering the desired time in 24-hour format: hh:mm:ss, where hh is the hour of
the day (0-23), and mm and ss are minutes and seconds respectively (both
0-59).

Enter an Exact Date Manually


1. Click the field where you want to enter the date and enter the date in
yyyy-mm-dd format, where:
v yyyy is optional and may be any positive integer value. If omitted, yyyy
defaults to the current year. If a one- or two-digit year is entered, the century
portion of the date defaults to 19.
v mm is the month (1-12)
v dd is the day of the month (1 to 28, 29, 30, or 31, depending on the month)
2. If no time is entered, the time defaults to 00:00:00 (the start of the day). To
specify any other time of day, type over this value, entering the desired time in
24-hour format: hh:mm:ss, where hh is the hour of the day (0-23), and mm and
ss are minutes and seconds respectively (both 0-59).

Select a Relative Date from Date Picker


Rather than specify an exact date, it is often more convenient to specify dates
relative to either the current date (now) or some other reference point (the first
Monday, for example). For example, to always include information from the
previous seven days in a query, it is more convenient to define relative dates
(start = now minus seven days and end = now) than to edit exact dates each time
the query runs. The Relative Date Picker tool can be used to select a relative date
for many types of tasks.
1. Click the Relative Date Picker button beside any field where a relative date is
allowed. This opens the Relative Date Picker window.
2. Select Now, Start, or End from the list. Regardless of your choice, the display
changes to provide for additional selections. The list from which you just made
the selection becomes the left-most list of three lists.
3. From the middle list, select this, last, or previous, which is relative to the unit
(day, week, month, or day of the week selected in the next list) as follows:
v This is the current unit
v Last is the current unit minus one
v Previous is current unit minus two
4. From the right-most list, select day, week, month, or a specific day:
Monday-Friday.
5. Click the Accept button when you are done. The relative date will be inserted
into the field beside the Relative Date Picker button that was clicked.

Enter a Relative Date Manually


To enter a relative date manually, follow one of the procedures outlined below.
Upper or lower case is permitted when entering keywords (NOW or now, for
example), and each component must be separated from the next by one or more
spaces.
There are three general formats you can use to enter a relative date:
NOW minus a specified number of minutes, hours, days, weeks, or months
OR
The Start or End of the current, last or previous day, week, or month
OR
The Start or End of the last or previous day of the week (Sunday, Monday, Tuesday, etc.)

Relative to NOW
1. Click in the field where you want to enter the relative date.
2. Enter the keyword NOW.
3. Enter a negative integer specifying the relative number of hours, days, weeks,
or months (no space is allowed between the minus sign and the integer).
4. Enter a keyword for the units used: HOUR, DAY, WEEK, or MONTH. Be aware
that the plural (hours, days, etc.) is not allowed. Example: now -14 day

Relative to a Day, Week or Month


1. Click in the field where you want to enter the relative date.
2. Enter the keywords START OF or END OF.
3. Enter THIS or LAST, followed by DAY, WEEK, or MONTH. Example: end of
last week

Relative to a Day of the Week


1. Click in the field where you want to enter the relative date.
2. Enter the keywords START OF or END OF.
3. Enter LAST or PREVIOUS, followed by SUNDAY, MONDAY, TUESDAY,
WEDNESDAY, THURSDAY, FRIDAY, or SATURDAY. Example: start of previous
Tuesday
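The three manual formats above are a small grammar, and the quickest way to check what a relative date will resolve to is to evaluate it against a fixed "now". The following Python is an added example (not Guardium code; Guardium's own resolver is not shown on this page) that parses the three formats and resolves them against an explicit reference time. It includes MINUTE as a unit because the general format list above mentions minutes. Two details the page does not state are assumptions marked in the code: weeks start on Monday, and "last Tuesday" means the most recent Tuesday strictly before today, "previous Tuesday" the one a week earlier. The sample reference time 2005-07-17 15:40:25 is the timestamp used as an example earlier in this topic.

```python
import calendar
import re
from datetime import datetime, timedelta

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
OFFSETS = {"this": 0, "last": 1, "previous": 2}   # this = current unit, last = minus one, previous = minus two
NOW_UNITS = {"minute", "hour", "day", "week", "month"}


def _shift_months(dt, n):
    """Move n calendar months (negative = back), clamping the day to the target month."""
    total = dt.year * 12 + (dt.month - 1) + n
    year, month = divmod(total, 12)
    month += 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _day_start(dt):
    return datetime(dt.year, dt.month, dt.day)


def _span_bounds(unit, which, now):
    """(start, end) of THIS/LAST/PREVIOUS day, week or month; end is exclusive."""
    back = OFFSETS[which]
    if unit == "day":
        start = _day_start(now) - timedelta(days=back)
        return start, start + timedelta(days=1)
    if unit == "week":
        # Assumption: weeks start on Monday (the page does not say).
        monday = _day_start(now) - timedelta(days=now.weekday() + 7 * back)
        return monday, monday + timedelta(days=7)
    first = _shift_months(_day_start(now).replace(day=1), -back)
    return first, _shift_months(first, 1)


def _weekday_bounds(day_name, which, now):
    """(start, end) of the LAST or PREVIOUS named weekday.
    Assumption: LAST is the most recent such day strictly before today,
    PREVIOUS the one a week before that."""
    if which not in ("last", "previous"):
        raise ValueError("use LAST or PREVIOUS with a day name")
    target = DAY_NAMES.index(day_name)
    days_back = (now.weekday() - target) % 7 or 7
    days_back += 7 * (OFFSETS[which] - 1)
    start = _day_start(now) - timedelta(days=days_back)
    return start, start + timedelta(days=1)


def parse_relative_date(expr, now):
    """Resolve 'now -N unit', 'start|end of this|last|previous day|week|month'
    or 'start|end of last|previous <weekday>' to a datetime. Keywords are
    case-insensitive; components are separated by whitespace."""
    tokens = expr.lower().split()
    if len(tokens) == 3 and tokens[0] == "now":
        amount, unit = tokens[1], tokens[2]
        if not re.fullmatch(r"-\d+", amount) or unit not in NOW_UNITS:
            raise ValueError("expected: now -<integer> minute|hour|day|week|month")
        n = int(amount[1:])
        if unit == "month":
            return _shift_months(now, -n)
        return now - timedelta(**{unit + "s": n})
    if len(tokens) == 4 and tokens[0] in ("start", "end") and tokens[1] == "of":
        edge, which, unit = tokens[0], tokens[2], tokens[3]
        if which not in OFFSETS:
            raise ValueError("expected THIS, LAST or PREVIOUS")
        if unit in DAY_NAMES:
            start, end = _weekday_bounds(unit, which, now)
        elif unit in ("day", "week", "month"):
            start, end = _span_bounds(unit, which, now)
        else:
            raise ValueError("unknown unit: " + unit)
        # END OF is the last whole second of the period (hh:mm:ss granularity).
        return start if edge == "start" else end - timedelta(seconds=1)
    raise ValueError("unrecognised relative date: " + expr)


# Reference time for the examples: a Sunday, taken from the timestamp example above.
SAMPLE_NOW = datetime(2005, 7, 17, 15, 40, 25)


def resolve_example(expr):
    """Resolve expr against SAMPLE_NOW and format it as Guardium prints timestamps."""
    return parse_relative_date(expr, SAMPLE_NOW).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for e in ("now -14 day", "end of last week", "start of previous Tuesday"):
        print(e, "->", resolve_example(e))
```

Note that "end of last week" resolves to Sunday 23:59:59 under the Monday-start assumption; if your appliance uses a different week start, the boundary shifts by a day, which is worth checking once before relying on weekly report ranges.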

Groups
Grouping can simplify the process of creating policy and query definitions.
It is often useful to group elements of the same type. It can also make the
presentation of information on reports more straightforward.
For example, assume that your company has 25 separate data objects containing
sensitive employee information, and you need to report on all access to these
items. You could formulate a very long query testing for each of the 25 items.
Alternatively, you could define a single group called sensitive employee info,
containing those 25 objects. That way, in queries or policy rule definitions, you
only need to test if an object is a member of that group.
An additional benefit of groups is that they can ease maintenance requirements
when the group's composition changes. To continue the example, if your company
decides that two more objects need to be added to the sensitive employee info
group, you only need to update the group definition, and not all of the queries,
reports, policies, etc. that reference the group.
Note: If a group used by the installed security policy changes, the security policy
must be re-installed to pick up the changed group membership. This allows you to
update a group without having an instantaneous effect on the installed security
policy.
Groups are used by all subsystems, and all users share a single set of groups. You
should, therefore, be very careful when making changes to or deleting groups,
since you may inadvertently affect other users. A common best practice is to clone
a group. Then make changes to it, tagging it with your name as part of the group's
name, to clarify that you own this group.

Tuple
A "tuple" combines multiple attributes into a single group member. Some groups
contain members that are a composite of a pair of attribute values, referred to as
a tuple; an ordered set of three values is a 3-tuple, and in general an n-tuple has
n attribute values. This simplifies the specification of conditions for reporting and
policy rules. Examples of tuple groups are:
v Tuple groups - Object/Command, Object/Field, Client IP/DB User, Server
IP/DB User.
v 3-tuple groups - Client IP/Source Program/DB User, DB User/Object/Privilege
v 5-tuple group - Client IP/Source Program/DB User/Server IP/Service Instance
Tuple members support a single slash between attribute values and the wildcard
character (%). A double slash is not supported.

Group Type
The term "Group Type" refers to the kind of data expected for the members of a
group. Three examples: Group Type Server IP expects data formatted as an IP
address (for example, 198.162.1.0); Group Type Users expects names of users of
the application; and Group Type Server IP/Service Name/DB User expects data
combined from multiple attributes.

Options for Populating Groups with Members


Using the Group Builder, you can populate a group with members either by
entering them one at a time manually, or automatically as follows:
v By importing information from an LDAP server
v By analyzing stored procedure definitions on a database server
v By analyzing database dependencies, such as Functions, Java classes, Packages,
Procedures, Synonyms, Tables, Triggers and/or Views.
v By observing stored procedure definitions and calls in database traffic
v By running a query on the data logged by Guardium or on a custom table
v By cloning an existing group
v By running a classification process
Once you have configured a group to be populated automatically using any of the
above options, you can run the job on demand, or you can schedule it to run at a
specific time or on a periodic basis. With any of the automatic group population
mechanisms, members may be added to existing groups, but members will not be
removed.
Regardless of how a group is populated, you can always edit the group
membership manually.

Overlapping or Exclusive Group Membership


In some cases you will want to define groups with overlapping membership. For
example, two predefined groups: Create Commands and DDL Commands both
have a member named CREATE TABLE. Since both groups contain a member with
the same name, these groups are said to have overlapping membership. If you are
querying for either one group or the other, all of the Create Table commands from
the reporting period will be counted in that group (as expected).
In some cases you may want to define a set of groups such that each member
belongs to only one group. These groups have exclusive membership. For example,
suppose that for reporting purposes you need to group database users into one of
two groups: Employees or Consultants. You would define each of those groups
with the same sub-group type (Employee-Status, for example). When a sub-group
type is specified, the system will not allow you to define a member with the same
name that has already been defined in another group with the same sub-group
type.

Predefined Groups
There are a number of groups predefined on the Guardium appliance. For a list
and description of these, see Predefined Groups in the Predefined Content
appendix.
Predefined groups of group type DB User/DB Password are available only to users
with the admin role. An admin can, if preferred, add other roles or even make
those groups available to all roles.

Manage Members in Hierarchical Groups


A group can consist of a number of other groups in a hierarchical arrangement.
This "group of groups" functionality is detailed in a topic below. Changes in the
sub-groups are synchronized with the "group of groups" through a "flatten the
content" button. The term "flatten" is not associated with "flat log". Hierarchical
groups also have a scheduling button to automate the flatten process.

Wildcards in Members
Members can include wildcard (%) characters for use when the group is used in a
query condition or policy rule. See the examples in the table below.
Table 11. Wildcards in Members

Member    Matches                    Does NOT Match
aaa%      aaa, aaazzz                zzzaaa, aaz
%bbb      bbb, zzbbb                 bb, bbbzzz
%ccc%     ccc, ccczz, zzzccczzz      cc


Use Groups in Queries


There are several conditional operators that apply to groups. These operators are
available whenever the attribute included in the condition may be a member of a
group. Each conditional operator is described below:
v IN GROUP - If the value matches any member of the selected group, the
condition is true. IN ALIASES GROUP works on a group of the same type as IN
GROUP, but assumes the members of that group are aliases: the Query Builder
looks for records whose database values correspond to the alias values in the
group. The IN GROUP and IN ALIASES GROUP operators therefore expect the
group to contain actual values or aliases respectively.
v NOT IN GROUP - If the value does not match any member of the selected
group, the condition is true. NOT IN ALIASES GROUP works on a group of the
same type as NOT IN GROUP, but assumes the members of that group are
aliases.
v IN DYNAMIC GROUP - If the value matches any member of a group that will
be named as a run-time parameter, the condition is true. IN DYNAMIC
ALIASES GROUP works on a group of the same type as IN DYNAMIC GROUP,
but assumes the members of that group are aliases.
v NOT IN DYNAMIC GROUP - If the value does not match any member of a
group that will be named as a run-time parameter, the condition is true. NOT
IN DYNAMIC ALIASES GROUP works on a group of the same type as NOT IN
DYNAMIC GROUP, but assumes the members of that group are aliases.
Note: A group must contain either aliases or actual values, according to the
operator used (IN GROUP or IN ALIASES GROUP); the two cannot be mixed in
the same group.
v LIKE GROUP - If the value is like any member of the selected group, the
condition is true (see the note below for the definition of "like"). This condition
enables wildcard (%) characters in the group member names.
Note: A like member value uses one or more wildcard (%) characters, and matches
all or part of the value. For a like comparison, alphabetic characters are not case
sensitive. For example, %tea% would match tea, TeA, tEam, or steam.
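The difference between IN GROUP and LIKE GROUP is easy to get wrong when a group mixes literal members and wildcard members, so it helps to see both comparisons side by side. The following Python is an added example (not Guardium code) that implements the two semantics described above and checks them against the rows of Table 11 and the %tea% note. It assumes, as the note says, that a LIKE comparison is anchored (the member must match the whole value) and case-insensitive; whether IN GROUP is case-sensitive is not stated on this page, so exact equality is assumed there. The members and values are the page's own examples plus a constructed "a.b%" case showing that only % is a wildcard.

```python
import re


def like_pattern(member):
    """Compile a group member containing % wildcards to a regex.
    Everything except % is matched literally (a dot is just a dot);
    % matches any run of characters, including none."""
    literal_parts = member.split("%")
    return re.compile(".*".join(re.escape(p) for p in literal_parts), re.IGNORECASE)


def like_matches(member, value):
    """True when value is like member: the whole value must match."""
    return like_pattern(member).fullmatch(value) is not None


def in_group(value, members):
    """IN GROUP: true when the value equals some member verbatim.
    A member such as 'aaa%' is just a literal string here."""
    return value in set(members)


def like_group(value, members):
    """LIKE GROUP: true when the value is like some member (wildcards honoured)."""
    return any(like_matches(m, value) for m in members)


def matching_members(value, members):
    """The members a value is like, in group order; useful when auditing why
    a LIKE GROUP condition or rule matched a particular value."""
    return [m for m in members if like_matches(m, value)]


# The rows of Table 11 above: (member, values it matches, values it does not).
TABLE_11 = [
    ("aaa%",  ["aaa", "aaazzz"],             ["zzzaaa", "aaz"]),
    ("%bbb",  ["bbb", "zzbbb"],              ["bb", "bbbzzz"]),
    ("%ccc%", ["ccc", "ccczz", "zzzccczzz"], ["cc"]),
]


def table_11_holds():
    """Re-derive every row of Table 11 with like_matches."""
    return all(
        all(like_matches(m, v) for v in yes) and not any(like_matches(m, v) for v in no)
        for m, yes, no in TABLE_11
    )


if __name__ == "__main__":
    print("Table 11 holds:", table_11_holds())
    print("steam LIKE %tea%:", like_group("steam", ["%tea%"]))
    print("steam IN {%tea%}:", in_group("steam", ["%tea%"]))
```

The practical consequence: a wildcard member in a group used with IN GROUP never matches anything except the literal string with the percent sign in it, which is a quiet way for a policy rule or report condition to match nothing at all.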

Use Groups in Policy Rules


In a policy rule, there are several ways groups can be used either alone or in
combination to control when the rule is fired. Wherever a group can be selected, a
new group can be defined (and then selected) by clicking the Group tool button.
Be aware that the members of the group may contain wildcard (%) characters, so
that in the examples below where a group is selected, an individual member may
match multiple values.
The examples below are for the DB User attribute, but apply to all attributes where
the group may be selected.
To match any member of a group
Select a group from the group list box:
A single combined count of matches will be maintained for all members of the
specified group. So if the rule is defined to fire after the third match in a specified
timeframe, three different users or the same user could trigger the rule.
To match the specified value or any member of a group
A single combined count of matches will be incremented each time that the named
DB User or any member of the selected group satisfies the rule. This is similar to
the above case in that a combined count is maintained.
To match any member of a group, but count matches for each member
individually
Enter a dot (period) character in the text box, and select a group:
A separate count will be kept for every member of the selected group, and the rule
will be triggered whenever the minimum count for the rule is met by an
individual member.
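The three cases above differ only in how matches are counted against the rule's threshold, which is easiest to see as a small simulation. The following Python is an added example (not Guardium code, and not the appliance's rule engine) that models a rule's DB User condition as a sliding-window counter: one shared counter for "any member of a group" and "the specified value or any member", and one counter per member for the dot (period) form. It assumes members are matched exactly (no wildcards), that the timeframe is a sliding window in seconds, and that a counter is not reset after the rule fires; the event stream and user names are constructed.

```python
from collections import defaultdict, deque


class GroupRuleCounter:
    """Counts matching events the way the three rule forms above describe."""

    def __init__(self, members, min_count, window_seconds,
                 named_value=None, per_member=False):
        self.members = set(members)
        self.named_value = named_value    # "the specified value or any member" form
        self.per_member = per_member      # the dot (period) form: count each member
        self.min_count = min_count        # fire on the Nth match in the window
        self.window = window_seconds
        self._hits = defaultdict(deque)   # counter key -> recent match timestamps

    def _key(self, db_user):
        """Counter to increment for this user, or None if the rule does not match."""
        if db_user == self.named_value or db_user in self.members:
            return db_user if self.per_member else "*"
        return None

    def observe(self, db_user, ts):
        """Record one event at time ts (seconds); return True when the rule fires."""
        key = self._key(db_user)
        if key is None:
            return False
        hits = self._hits[key]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:   # drop matches outside the window
            hits.popleft()
        return len(hits) >= self.min_count


def first_firing(counter, events):
    """Index of the first event that fires the rule, or None if it never fires."""
    for i, (user, ts) in enumerate(events):
        if counter.observe(user, ts):
            return i
    return None


# Constructed event stream of (DB User, seconds since start); not real traffic.
EVENTS = [("alice", 0), ("bob", 10), ("carol", 20), ("alice", 30), ("alice", 45)]
DBAS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    # Combined count: three different users trip a "third match in 60 s" rule.
    print(first_firing(GroupRuleCounter(DBAS, 3, 60), EVENTS))                   # 2
    # Per-member count (dot form): only alice reaches three matches, at event 4.
    print(first_firing(GroupRuleCounter(DBAS, 3, 60, per_member=True), EVENTS))  # 4
```

With the same events and a 15-second window the combined rule never fires, because no three matches fall inside one window; that is the case to test when tuning thresholds, since a window that is too short turns a burst of activity across several accounts into silence.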

Distribute Compliance Workflow Automation Results to Groups


When a USERS group is selected as a receiver in a workflow automation
definition, every user of the group will receive a set of results. For any task within
the process that is associated with specific users (either by using the special
./LoggedUser value as a run-time parameter or via a custom domain), that task
will be run separately for each user of the group, so that each user will receive
results for their account only.

Open the Group Builder


Do one of the following:

v Administrators: Click the Tools tab, click the Config & Control tab, and select
Group Builder from the menu.
v All Others: Click the Monitor/Audit tab, click Build Reports, and click the
Group builder button in the lower right portion of the panel.
v From a rule builder panel, click the Group builder button beside any field that
allows groups.
The pull-down menu of groups displays only the groups that meet the filter, sorted
by group description. The category and type are displayed next to the group name.
A category is assigned to all of the predefined groups. The category is also
displayed in the members update screen (below the Group Type) and can be edited
there, so that users can change the category of an existing group.
Note:
When a user attempts to remove a group, the user will be alerted if the group is
used, and will not be allowed to remove groups that are being used. The warning
message includes exactly what objects (queries, policies, etc.) are using that group.
Changing the group type when editing a group has a consequence similar to
changing its category: if the group is being edited with a filter on, and the filter
involves the group type, then once the group type is updated the group
disappears from the filtered list.
Role permissions can be applied to Groups. By default and for upgrade purposes,
all predefined and existing admin and user-defined groups are allowed all roles. A
Roles button has been added to the Modify Existing Groups to define which roles
have permissions to see/change each group. All pull down menus to choose
groups (for example, Query Builder, Rules Definitions, Classifier Definition, etc.)
will be filtered to show the groups allowed to the user ONLY.
After filling in these filter items (or leaving them blank, since access to the next
screen does not depend on a choice), click the Next button to go to two further
panels. Both the admin user and ordinary users see the same two panels.
Go to Create a New Group or Modify an Existing Group below and select one of
the modify or populate topics.

Create a New Group


1. Open the Create New Group panel. (See Open the Group Builder, above.)
2. In the Group Description field, enter a unique description for the new group.
Do not include apostrophe characters in this field.
3. Select a Group Type Description from the list.
4. If sub-types have been defined for the selected group type, an Existing
Sub-types field appears in the panel.
5. Optionally, enter a Group Sub Type Description. A sub type is used to collect
multiple groups of the same group type, where the membership of each group
is exclusive. For example, assume that you have database servers located in
three data centers, and that you want to group the servers by location. You
would define a separate group of database servers for each location, and define
all three groups with the same sub type.

6. Optionally, enter a Category, which is an optional label used to group items like
policy violations and groups for reporting.
7. Optionally, enter a Classification, which is another optional label used for
policy violations and groups.
Note: Before clicking the Add button to save the new group definition, be
aware that you cannot change any of the information entered on this panel
afterwards. If you need to change anything later, you will need to clone the
group.
8. Click the Add button. This opens the Manage Members for Selected Group
panel. See the topic Manually Edit Group Members below for a description of
how to add, modify, and remove members of the group.
Note: Click on the Group Filter button to go back to the initial Group Filter page.

Modify an Existing Group


1. Open the Group Builder. (See Open the Group Builder, above.)
2. Select the group you want to modify.
Note: Click on the Group Filter button to go back to the initial Group Filter
page.
3. Click the Modify button. This opens the Manage Members for selected Groups
panel.
Note: Group members can be filtered ad-hoc (enter a string and retrieve only
members like filter%). Click on the Show All icon to reverse a group member
filtering.
4. Do one of the following:
v Manually Edit Group Members
v Populate a Group from LDAP
v Reports Showing Group Membership
v Populate a Group from Stored Procedures
v Populate a Group from a Query
v Alias Quick Definition from the Group Builder
v Manage Members for Selected Hierarchical Group

Manually Edit Group Members


See the Manage Members for Selected Group panel to manually edit group
members. If that panel is not open, see Open the Group Builder, select the group
you want to edit, and click the Modify button.

To Add Members
1. Do one of the following:
v Enter the new member name in the Create & add a new Member named box.
v Select an available member name from the Add an existing Member to
Group box.
2. Click the Plus button to the right of the item just entered or selected.
3. Click the Done button when you have finished making all changes.

Note: When adding to a group of objects, valid member names may be composed
of object_name, schema.object_name, use a wildcard such as %object_name, or a
combination of all three.

To Rename Members
1. In the Group Members list, select the member to be renamed. It will display in
the Rename Selected Member to box.
2. In the Rename selected Member to box, edit the name.
3. Click the checkmark button to the right of the box. The updated name will
replace the old name in the list. Because the list is alphabetized, the new name
may not appear in the same position as the old one.
4. Click the Done button when you have finished making all changes.

To Remove Members
1. In the Group Members list, select the member to be removed.
2. Click the X button beside Delete Selected Member.
3. Click the Done button when you have finished making all changes.
Note: All of the "automatic" options that can be used to populate groups (LDAP
import, group import from the Administrator Console, member population from
stored procedures, or member population from a query), add members to groups,
but never remove members.

To Reset to Predefined Membership


Click the Reset to Predefined button to completely replace the current group
members with the set of predefined members for this group.

Populate a Group from LDAP


You can populate groups from an LDAP server. Related LDAP capabilities include:
v Guardium is able to import large user lists for access manager and group
members.
v Exception handling when loading certificates during Active Directory setup.
v LDAP configuration through the Manager in federated environments. See
Central Management.
v CLI commands to show and store the LDAP parameters, allowing a custom
mapping for the LDAP server schema. See the CLI section for details on the
show/store ldap-mapping command.
To populate groups from an LDAP server, first define a group, and then configure
an import operation to obtain the appropriate set of members from an LDAP
server. You can run the import operation on demand, or schedule it to run at a
specific time or on a periodic basis. When you run the import on demand, you are
presented with the set of LDAP entries that satisfy your search criteria, and you
must select which ones should be added to the group. When run on a scheduled
basis, all entries returned by your search will be added to the group.
Note:
An LDAP import operation adds members to a group. It does not delete members.

Guardium administrators use a separate LDAP Import function to define
Guardium users and roles from an LDAP server. See LDAP User Import.
In order to configure LDAP user import, accessmgr user must have the privilege to
run Group Builder. In certain situations, when changes are made to the role
privilege, accessmgr's privilege to Group Builder can be taken away. This results in
an inability to save or run successfully LDAP user import. Go to the access
management portal, select Role Permissions from the choices in the left-hand pane.
Choose the Group Builder application and make sure that there is a checkmark in
the all roles box or a checkmark in the accessmgr box.

User and Groups Import from Query and LDAP


The following capabilities facilitate the import of Users and Groups from Query
and LDAP:
v Keep existing attributes / Override existing attributes gives the ability either
to keep existing attributes unchanged even if they differ on the LDAP server,
or to overwrite them.
v Disable user if not on the import list gives the ability to disable users not
found on the LDAP import list.
v Enable New Imported Users gives the ability to choose whether new members
are enabled or disabled by default.
v New options have been added for LDAP and Query Import of group members.
v Clear existing members in the group when importing gives the ability either to
keep or to remove the existing group members when the newly imported
LDAP/Query items are added.
Note:
Important: Scheduled imports should be reviewed as this functionality change may
affect the behavior of already scheduled imports.
On both imports of group members, Run Once Now will not be allowed without
first saving the configuration.
To configure a group-member import from an LDAP server:
1. Configure LDAP Authentication via Administration Console > Portal >
Authentication Configuration > LDAP.
2. If the Group Builder is not open, see Open the Group Builder, above.
3. In the Modify Existing Groups panel, select the group to which you want to
add members.
4. Click the LDAP button to open the Set Up LDAP Import panel.
5. In the LDAP Host Name box, enter the IP address or host name for the LDAP
server to be accessed.
6. In the Port box, enter the port number for connecting to the LDAP server.
7. Select the LDAP server type from the Server Type list.
8. Mark the Use SSL Connection checkbox if Guardium is to connect to your
LDAP server using an SSL (Secure Sockets Layer) connection. Without it, the
simple-bind credentials entered below in Log In As and Password, and every
entry the server returns, cross the network in clear text.
Note: Consult with your LDAP administrator regarding the setup within your
LDAP infrastructure to determine the connection method used in your
environment.


9. In the Base DN box, specify the node in the tree at which to begin the search.
For example, a company tree might begin like this:
DC=encore,DC=corp,DC=root

Note: Be careful of cut & paste errors when specifying the Base DN
information. For example, a dc=zone1 in the Base DN box must match the
similar value dc=zone1 in the Log In As box.
10. Select Clear existing group members before Importing to indicate if the
content of the group should be deleted prior to the import of new members.
11. In the Log In As box, enter the user account to use for the connection from
the Guardium server. Use a dedicated read-only directory account for this
purpose; the saved configuration must hold its password so that scheduled
imports can bind.
12. In the Password box, enter the password for the above user.
13. In the Search Filter box, optionally enter LDAP search criteria. Typically,
imports will be based on membership in an LDAP group, so the filter might
use the memberOf keyword and look something like this:
memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
See your LDAP server documentation if you need help in this area.
It is also possible to import group members from LDAP using multiple LDAP
queries. Each LDAP Search Filter may contain up to two parameters (':1' and
':2'). When parameters are used, a second group must be created that has the
same name as the target group with a '_bindValues' suffix. For example, a
'myDBAs' group requires the second group to be called 'myDBAs_bindValues'.
The LDAP search then iterates over all the values in the 'myDBAs_bindValues'
group and queries LDAP once for each of them: for each item in the
'_bindValues' group, the filter string supplied by the user (with its
parameters) is combined with that item to produce the actual filter string
sent to LDAP. The results of the queries are added to the target group
following the logic below:

Table 12. Search Filter

groupMember   filterWithParm                                       actualizedFilter                                     member Prefix
A\B           ... CN=:1 ...                                        ... CN=A\B ...                                       n/a ---> memberName
D             ... CN=:1 ...                                        ... CN=D ...                                         n/a ---> memberName
A\B           ... CN=:1 ... dc=:2 ...                              ... CN=B ... dc=A ...                                "A\" ---> A\memberName
D             ... CN=:1 ... dc=:2 ...                              ... CN=D ... dc=* ...                                "%" ---> %\memberName
A\B           ... CN=:2 ...                                        ... CN=B ... ...                                     n/a ---> memberName
              memberOF=CN=:2,CN=Users,DC=encore,DC=corp,DC=root   memberOF=CN=:2,CN=Users,DC=encore,DC=corp,DC=root   n/a ---> %memberName

Read the table as follows: a bindValues member of the form A\B binds ':1' to B
and ':2' to A when the filter uses both parameters, and the imported members
are then prefixed with A\; when the filter uses ':1' alone, the whole value
A\B is substituted, and when it uses ':2' alone, B is. A member without a
backslash (D) binds ':1' to D and ':2' to the wildcard *, and the imported
members are prefixed with %.

14. For Search Filter Scope, select One-Level to apply the search to the base level
only, or Sub-Tree to apply the search to levels beneath the base level.
15. In the Limit box, enter the maximum number of items to be returned. We
recommend that you use this field to test new queries or modifications to
existing queries, so that you do not inadvertently load an excessive number of
members.


16. In the Attribute to Import box, enter the LDAP attribute to be used to
populate the group member. The default is cn. If there are multiple values for
the attribute, each value will be imported to a separate member. If the
attribute contains one or more secondary attributes, and you want to import a
secondary attribute only, use the following syntax in the Attribute to Import
box:
primary-attribute-name secondary=secondary-attribute-name
Where primary-attribute-name is the name of the primary attribute, and
secondary-attribute-name is the name of the secondary attribute. For example,
assume the uid attribute contains both cn and dc secondary attributes. A set of
uid attributes might appear as follows:
uid: cn=Robert Stone, dc=guard, dc=com
uid: cn=James Cooper, dc=guard, dc=com
uid: cn=Nick Taylor, dc=guard, dc=com
If the Attribute to Import is specified as uid, the group members imported
would be:
cn=Robert Stone, dc=guard, dc=com
cn=James Cooper, dc=guard, dc=com
cn=Nick Taylor, dc=guard, dc=com
If only the cn attribute value is wanted, the Attribute to Import would be
specified as:
uid secondary=cn
And the group members imported would be:
Robert Stone
James Cooper
Nick Taylor
If a value of the secondary attribute specified can be dereferenced from the
primary attribute, that value will be returned. If a secondary attribute is
specified and it cannot be dereferenced from the primary attribute (for
whatever reason), the value of the primary attribute will be returned as is.
For example, assume that the Attribute to Import is specified as:
engid secondary=sAMAccountName
The engid attributes contain distinguished names:
engid: cn=Robert Stone, dc=guard, dc=com
engid: cn=James Cooper, dc=guard, dc=com
engid: cn=Nick Taylor, dc=guard, dc=com
The first two elements above can be dereferenced to elements containing the
sAMAccountName attributes:
..., sAMAccountName=rStone, ...
..., sAMAccountName=jCooper, ...
But the third primary element listed above does not contain the
sAMAccountName attribute in its dereferenced element.
For this example, the following three group members will be returned:
rStone
jCooper
cn=Nick Taylor, dc=guard, dc=com


17. Click the Apply or Update button to save the configuration. (After you have
saved the configuration once, the Apply button becomes an Update button.)
Run Once Now is not permitted until the configuration has been saved.
Note: After saving an LDAP import configuration, you can perform the
following tasks, each of which is described in a separate section. Because it is
easy to miscode LDAP queries, we suggest that you test each new or modified
query by using the Limit field (described above) and by running the query
once on demand (see below), to verify that the correct set of members is being
returned.
18. Perform one of the following procedures:
v Schedule LDAP Import
v Run an LDAP Import On Demand
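The two parts of the import above that are easiest to get wrong, the ':1'/':2'
filter actualization of Table 12 and the Attribute to Import dereferencing of
step 16, modelled in plain Python. This is an added example and is not Guardium
code or part of this help book. DIRECTORY, the entries and the bind values are
constructed test data standing in for real LDAP results; the rule applied to a
backslash-free member when the filter uses ':2' alone is an assumption extended
from the table's fourth row, and is marked as such in the code.

```python
"""Model of two steps of the Guardium LDAP group-member import: filter
actualization from a '<group>_bindValues' member, and 'Attribute to Import'
with an optional secondary attribute.

Added example, not Guardium code. DIRECTORY and all inputs are constructed.
"""
import re

PARAM_RE = re.compile(r":([12])")


def actualize_filter(filter_with_parm, group_member):
    """Return (actualized_filter, member_prefix) for one bindValues member.

    Rules as read from Table 12:
      * 'A\\B' with both :1 and :2 in the filter -> :1=B, :2=A, prefix 'A\\'
      * 'A\\B' with only :1                      -> :1=A\\B, no prefix
      * 'A\\B' with only :2                      -> :2=B,   no prefix
      * 'D' (no backslash)                       -> :1=D, :2='*', prefix '%\\'
        (the table shows this for a filter using both parameters; applying
        the same rule to a :2-only filter is an assumption of this example)
    """
    used = set(PARAM_RE.findall(filter_with_parm))
    if "\\" in group_member:
        domain, name = group_member.split("\\", 1)
        if used == {"1", "2"}:
            values, prefix = {"1": name, "2": domain}, domain + "\\"
        elif used == {"1"}:
            values, prefix = {"1": group_member}, ""
        elif used == {"2"}:
            values, prefix = {"2": name}, ""
        else:                          # no parameters: nothing to substitute
            return filter_with_parm, ""
    else:
        values, prefix = {"1": group_member, "2": "*"}, "%\\"
    # A callable replacement keeps backslashes in the member value literal.
    actual = PARAM_RE.sub(lambda m: values[m.group(1)], filter_with_parm)
    return actual, prefix


def expand_filters(filter_with_parm, bind_values):
    """One (filter, prefix) pair per member of the '_bindValues' group."""
    return [actualize_filter(filter_with_parm, member) for member in bind_values]


# Constructed stand-in for the directory: DN -> attributes of that entry.
DIRECTORY = {
    "cn=Robert Stone, dc=guard, dc=com": {"cn": ["Robert Stone"], "sAMAccountName": ["rStone"]},
    "cn=James Cooper, dc=guard, dc=com": {"cn": ["James Cooper"], "sAMAccountName": ["jCooper"]},
    "cn=Nick Taylor, dc=guard, dc=com": {"cn": ["Nick Taylor"]},   # no sAMAccountName
}


def parse_attribute_to_import(spec):
    """'uid' -> ('uid', None); 'engid secondary=sAMAccountName' -> ('engid', 'sAMAccountName')."""
    parts = spec.split()
    secondary = None
    for token in parts[1:]:
        key, _, value = token.partition("=")
        if key.lower() == "secondary" and value:
            secondary = value
    return parts[0], secondary


def import_members(entry, spec, directory=DIRECTORY):
    """Member names produced from one LDAP entry (attribute -> list of values).

    Each value of the primary attribute is treated as a DN and dereferenced in
    the directory; the secondary attribute of that entry is used when present,
    otherwise the primary value is kept as is (the fallback the text describes).
    """
    primary, secondary = parse_attribute_to_import(spec)
    members = []
    for value in entry.get(primary, []):
        if secondary is None:
            members.append(value)
            continue
        derefed = directory.get(value, {}).get(secondary)
        members.append(derefed[0] if derefed else value)
    return members


if __name__ == "__main__":
    print(expand_filters("(&(objectClass=user)(cn=:1)(dc=:2))", ["ENCORE\\rStone", "svc_backup"]))
    print(import_members({"engid": list(DIRECTORY)}, "engid secondary=sAMAccountName"))
```

Running the example with the page's engid data returns rStone, jCooper and the
untouched DN for Nick Taylor, which is exactly the mixed list that makes a
group hard to reason about later: test a new Attribute to Import setting with
the Limit field and Run Once Now before scheduling it.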

Run an LDAP Import on Demand


When you run an LDAP import on demand, you have the opportunity to accept or
reject each of the members returned by the query. This is especially useful for
testing purposes.
1. If the Group Builder is not open, see Open the Group Builder, above.
2. In the Modify Existing Groups panel, select the group to which you want to
add members.
3. Click the LDAP button to open the Set Up LDAP Import panel.
4. Click the Run Once Now button. (If you have made any changes, the button
will be disabled until you have applied the changes.)
5. After the task completes, the set of members satisfying your selection criteria
will be displayed in the LDAP Query Results panel.
6. Mark the items you want to add to the group, and click Import, or click Cancel
to return without importing any members.
You can verify the group members by returning to the Modify Existing Groups
panel, selecting the appropriate group from the list, and clicking Modify, or you
can use a predefined report to list the group members. The latter approach
provides more information, as it shows the timestamp when each member was
added to the group. See Reports Showing Group Membership below.

Schedule an LDAP Import


When you schedule an LDAP import to run at a specific time or on a periodic
basis, all of the LDAP entries that satisfy your search criteria will be imported to
the group. In contrast, when the query is run on demand (see the previous topic),
you have the opportunity to accept or reject each entry returned from the LDAP
server.
1. If the Group Builder is not open, see Open the Group Builder, above.
2. In the Modify Existing Groups panel, select the group for which you want to
schedule an LDAP import task.
3. Click the LDAP button to open the Set Up LDAP Import panel.
4. Click the Modify Schedule button. (If you have made any changes to the LDAP
import configuration for this group, the button will be disabled until you have
applied the changes.)
For instructions on how to use the general-purpose task scheduler, see
Scheduling.


Once a schedule has been defined, a Pause button appears on the Set Up LDAP
Import panel. If you click that button, the schedule is paused, and the Pause
button is replaced by a Resume button.
Once a scheduled task has run, you can verify the group members by returning
to the Modify Existing Groups panel, selecting the appropriate group from the
list, and clicking Modify, or you can use a predefined report to list the group
members. The latter approach provides more information, as it shows the
timestamp when each member was added to the group. See Reports Showing
Group Membership below.

Reports Showing Group Membership


You can check a group's membership by opening it in the Modify Existing Groups
pane of the Group Builder (as described above), but it can be difficult to view large
groups that way, and you are limited to displaying one group at a time.
Alternatively, you can use the predefined Guardium Group Details Report, which
lists groups and members.
Guardium Group Details Report
The predefined Guardium Group Details report is on the default administrator
layout, on the Guardium Monitor tab, and it can be added to a user layout from
the Custom Reporting tab (click Monitor/Audit, then Build Reports). You can use
the Group Description or Group Type run-time parameters to control what groups
will be listed.

Populate a Group from Stored Procedures


On the Modify Existing Groups panel, select the starting group, click the Auto
Generated Calling Prox button, and select one of the following options:
v Using Database Sources
v Using Database Dependencies
v Using Reverse Dependencies
v Using Observed Procedures
v Generate Selected Object
This opens the Analyze Stored Procedures panel for your choice.
The Group Builder can automatically populate Command or Object groups by
analyzing and extracting member names from stored procedures. It can do this in
two ways:
v By analyzing stored procedure source code. To use this option, Guardium must
access the database on which the stored procedures have been defined, and the
stored procedures must not be stored in encrypted format.
v By analyzing stored procedures in database traffic that has been monitored and
logged by Guardium. To use this option, the Guardium appliance must be
inspecting the appropriate database streams, and logging the information (as
opposed to, for example, using ignore session or skip logging actions), and the
analysis task must run while the data is still on the unit (as opposed to, for
example, after an archive/purge operation).
There are two groups involved when populating a group from stored procedures:
v The receiving group is the one to which members will be added.


v The starting group must be an existing Commands or Objects group. The
members of the starting group will be used when examining stored procedures.
If a member of the starting group is detected in a stored procedure, that stored
procedure name will be added to the receiving group. The search-and-add
process is recursive. For example, if the stored procedure named prox_one is
added to the receiving group, and prox_one is referenced in prox_two, prox_two
will also be added to the receiving group, and so forth.
To get started:
1. If the Group Builder is not open, see Open the Group Builder, above.
2. In the Modify Existing Groups panel, select the group, which must be either a
Commands or Objects group.
3. Click the Auto Generated Calling Prox button, and you will be presented with
options:
v Using DB Sources - Populate the group by analyzing the stored procedure
definitions from one or more databases.
v Using Database Dependencies - Populate a group of objects or a group of
qualified objects by analyzing Functions, Java classes, Packages, Procedures,
Synonyms, Tables, Triggers and/or Views.
v Using Reverse Dependencies - Populate the group by computing a set of
objects used when starting from a set of objects.
v Using Observed Procedures - Populate the group by analyzing the CREATE
PROCEDURE and ALTER PROCEDURE commands as they are observed in
the database traffic.
v Generate Selected Object - Populate the group by reverse analysis of
observed stored procedures.

Populate a Group Using Database Sources


Guardium will analyze the stored procedure source code, on one or more database
servers. To use this option:
v You must know where the stored procedures of interest are defined.
v The sources must not be stored in encrypted format.
v You must have access to the stored procedure sources on those databases.
Select a group and then run the "Auto Generated Calling Prox" process to scan
your stored procedures. This process will check the selected group to see if any of
the objects in that group can be accessed or if any of the commands in that group
can be executed. Any matches will be added to a new group.
To populate a group using database sources:
1. On the Modify Existing Groups panel, select the starting group, click the Auto
Generated Calling Prox button, and select the Using DB Sources option, as
described above. This opens the Analyze Stored Procedures panel.
2. Click the Add Datasource button to open the Datasource Finder window. (See
Datasources for detailed instructions on how to define and use datasources.)
3. Select a datasource from the list, and click the Add button. The selected
datasource will appear in the Datasources pane of the Analyze Stored
Procedures panel.
4. Use the Query Parameters (Optional) pane to restrict the operation, as
described below. If a box is not available for the selected database type, it will
not appear on the pane.

v For Sybase, MS SQL Server, and Informix only. In the Database Name box,
enter a database name to restrict the operation to that database. If left blank
for a Sybase or MS SQL Server database, all stored procedures in the master
database will be analyzed.
v For MySQL, Oracle or DB2 only. In the Schema Owner box, enter a schema
name to restrict the operation to databases owned by that schema. For
MySQL only, the Schema Owner is in the form user_name@host, where host
can be a specific IP or it can be a % to specify all hosts. So to get all hosts,
enter the schema name followed by %.
v For MySQL, Oracle or DB2 only. In the Object Name box, enter a stored
procedure name, with wildcard characters if desired, to restrict the operation
to a specific set of procedure names. For example, if only interested in the
procedures beginning with the letters ABC, enter ABC% in the Object Name
box.
5. In the Source Detail Configuration pane, mark the Flatten Namespace checkbox
to create member names using wildcard characters, so that the group can be
used for LIKE GROUP comparisons. For example, if sp_1, is discovered, the
member %sp_1% will be added to the group, and in a LIKE GROUP
comparison, the values sp_101, sp_102, sss_sp_103, etc. would all match.
6. Do one of the following:
v Mark the Append box to add members to an existing group, and then select
that group from the Existing Group Name list.
v Enter a new group name in the New Group Name box. Do not include
apostrophe characters in a group name.
7. Click the Analyze Database button. Because the operation may take an
extended amount of time, you are prompted to continue. When the analyze
database operation completes, you will be informed of the results.
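What the analysis above computes, as an added example that is not Guardium
code: the recursive search-and-add over stored procedure sources (a procedure
that touches a starting member is added, then every procedure that calls it,
and so on), followed by the Flatten Namespace option and a LIKE GROUP
comparison against the result. PROCEDURES, its procedure names and bodies are
constructed sample input; how Guardium tokenizes real procedure source is not
documented on this page, so the whole-identifier match used here is an
assumption.

```python
"""Recursive calling-procedure analysis and Flatten Namespace / LIKE GROUP,
modelled over constructed stored procedure source.

Added example, not Guardium code. PROCEDURES is invented sample input.
"""
import re

PROCEDURES = {
    "prox_one":   "CREATE PROCEDURE prox_one AS SELECT amount FROM salary WHERE emp_id = @id",
    "prox_two":   "CREATE PROCEDURE prox_two AS EXEC prox_one 42",
    "prox_three": "CREATE PROCEDURE prox_three AS BEGIN EXEC prox_two; SELECT 1 END",
    "sp_report":  "CREATE PROCEDURE sp_report AS SELECT name FROM department",
    "sp_101":     "CREATE PROCEDURE sp_101 AS GRANT SELECT ON salary TO public",
}


def _mentions(source, name):
    """True when name occurs as a whole identifier in source (case-insensitive).

    Assumption of this example: word boundaries are good enough, so 'salary'
    matches 'dbo.salary' but not 'salary_archive'.
    """
    return re.search(r"\b" + re.escape(name) + r"\b", source, re.IGNORECASE) is not None


def calling_procedures(starting_group, procedures):
    """Receiving group computed from a starting Objects or Commands group.

    Round 1 adds every procedure whose source mentions a starting member;
    each later round adds procedures that mention a procedure found in the
    previous round, until nothing new turns up. Order is discovery order.
    """
    found, frontier = [], list(starting_group)
    while frontier:
        newly = [p for p, src in procedures.items()
                 if p not in found and any(_mentions(src, m) for m in frontier)]
        found.extend(newly)
        frontier = newly
    return found


def flatten_namespace(members):
    """Flatten Namespace: wrap each member in '%' so it can serve in LIKE GROUP tests."""
    return ["%" + m + "%" for m in members]


def like_group(value, group):
    """LIKE GROUP comparison: value matches some member, '%' standing for any run
    of characters. '_' is kept literal here; SQL LIKE would treat it as a
    single-character wildcard, and whether LIKE GROUP does is not stated on
    the page.
    """
    for pattern in group:
        regex = ".*".join(re.escape(part) for part in pattern.split("%"))
        if re.fullmatch(regex, value, re.IGNORECASE):
            return True
    return False


if __name__ == "__main__":
    receiving = calling_procedures(["salary"], PROCEDURES)
    print("receiving group:", receiving)
    print("flattened:", flatten_namespace(receiving))
    print("sss_sp_103 in %sp_1%:", like_group("sss_sp_103", flatten_namespace(["sp_1"])))
```

Starting from the single object salary, the receiving group picks up sp_101 as
well as the prox_one / prox_two / prox_three chain, which is the point of the
recursion: a procedure that never names the sensitive table itself is still
a path to it. Note also how wide the flattened member %sp_1% is, matching
sss_sp_103 and anything else containing sp_1; keep a non-flattened copy of the
group when exact names are what a policy should test.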

Populate a Group Using Database Dependencies


Use this option to populate groups based on Database Dependencies such as
Functions, Java classes, Packages, Procedures, Synonyms, Tables, Triggers and/or
Views.
This option will work on groups of type Object or Qualified Object (A Qualified
Object requires five value attributes be specified - server IP, instance, DB name,
owner and object - that fully describes this object. This is also called a 5-tuple
object.). This option does not work on groups of type Command because
dependency information in the database is only related to objects.
Note: This Database Dependencies option is available only for Oracle. Its use with
an Oracle database is without restriction. The error message, "Dependency analysis
unsupported for selected database type" will appear if trying to use any other
database.
To populate a group using Database Dependencies:
1. Start from the Group Builder screen. See the earlier Create New Group for
instructions on how to fill in the menu choices of Application Type, the Name
for this new group and Group Type. For Group Type, choose Objects or
Qualified Objects. Follow the instructions in Create New Group for all other
menu choices. When finished, click the Add button.
2. At the next screen, Manage Members for Selected Group, create and add new
members. If the Group Type is Qualified Objects, creating and adding a new
member requires five value attributes - server IP, instance (environment),
DB name, owner, and object. This is also known as a 5-tuple object. When
finished, click the Add button. An example of what a Qualified Objects group
member looks like is 192.168.1.0+guardium+oracle+admin+financial object.
3. Click the Done button.
4. On the Modify Existing Groups panel, select the group just created, click the
Auto Generated Calling Prox button, and select the Using Database
Dependencies option, as described above. This opens the Analyze Stored
Procedures panel.
5. Add a datasource.
6. Query parameters (Schema owner and Object name) are optional.
7. In the Source Detail Configuration section, do one of the following:
v Mark the Append box to add members to an existing group, and then select
that group from the Existing Group Name list.
v Enter a new group name in the New Group Name box. Do not include
apostrophe characters in a group name.
v Check New Group is fully qualified if it fully describes an object (see
5-tuple group specification above)
8. In the Source Detail Configuration section, mark the Flatten Namespace
checkbox to create member names using wildcard characters, so that the
group can be used for LIKE GROUP comparisons. For example, if sp_1, is
discovered, the member %sp_1% will be added to the group, and in a LIKE
GROUP comparison, the values sp_101, sp_102, sss_sp_103, etc. would all
match.
9. In the Include Types section, select database dependencies: Functions, Java
classes, Packages, Procedures, Synonyms, Tables, Triggers and/or Views.
10. Click the Done button to save the configuration. Click the Analyze Database
button to populate the group. You will be informed of the results.

Populate a Group Using Reverse Dependencies and Generate Selected Object


These options from the Group auto-populate menu compute a set of objects used
when starting from a set of objects. For example, starting from a set of stored
procedures, compute all the tables that these procedures use (directly or indirectly).
Note: This Reverse Dependencies option is available only for Oracle.
Generate Selected Object populates the group through reverse analysis of observed
stored procedures.

Populate a Group Using Observed Procedures


Guardium will populate the group by inspecting all changes or additions to stored
procedures. This keeps the mapping information up-to-date through continuous
analysis of changes to stored procedures. Therefore, this function can be used to
augment the static analysis described in the previous section.
To populate a group using observed procedures:
1. On the Modify Existing Groups panel, select the starting group, click the Auto
Generated Calling Prox button, and select the Using Observed Procedures
option, as described above. This opens the Analyze Observed Stored
Procedures panel.


2. Multiple analysis operations can be defined and scheduled, with each
previously defined configuration available for editing from the Source Details
list. To edit an existing configuration, select it from the Source Details list.
3. In the Access Information pane, select all of the database servers to be
analyzed. You can mark any combination of check-boxes.
4. In the Source Detail Configuration pane, mark the Flatten Namespace checkbox
to create member names using wildcard characters, so that the group can be
used for LIKE GROUP comparisons. For example, if sp_1, is discovered, the
member %sp_1% will be added to the group, and in a LIKE GROUP
comparison, the values sp_101, sp_102, sss_sp_103, etc. would all match.
5. Do one of the following:
v Mark the Append box to add members to an existing group, and then select
that group from the Existing Group Name list.
v Enter a new group name in the New Group Name box. Do not include
apostrophe characters in a group name.
6. Click the Save button to save the configuration.
7. Click Run Once Now to run the query immediately, or click the Modify
Schedule button (see Scheduling) to define a schedule for the operation. If you
run the task immediately, you will be informed of the results.

Populate a Group from a Query


This option of populating groups is most useful after the external data correlation
has uploaded a custom table to the Guardium appliance. Note: When using
"Populate Group By Query" feature with a query that contains a group name as a
run-time parameter, a drop-down list of groups to select from will appear.
1. If the Group Builder is not open, see Open the Group Builder, above.
2. In the Modify Existing Groups panel, select the group to which you want to
add members.
3. Click the Populate From Query button to open the Populate Group From
Query Set Up panel. Initially, only the Query list box displays in the Set Up
Query To Run pane.
4. From the Query list, select the query to be run. Depending on the type of
group being populated, either one or two additional list boxes will appear in
the pane. For most group types, the Fetch Member From Column list box will
appear; for paired attribute groups (Object/Command, Object/Field, or Client
IP/DB User), two list boxes will appear: Choose Column for Attribute 1 and
Choose Column for Attribute 2. Select the column (or columns) to be used to
populate the group. The run-time parameters for the query will then be added
to the pane.
5. For Import Mode, select Clear existing group members before Importing to
indicate if the content of the group should be deleted prior to the import of
new members.
6. Enter the required From Date and To Date run-time parameters, and any
additional run-time parameters for the query.
7. Optionally select a remote source (only available from a Central Manager).
8. Click Save to save the definition.
9. Click Run Once Now to run the query immediately, or click the Modify
Schedule button (see Scheduling) to define a schedule for the operation. If you
run the task immediately, you will be informed of the results.

Limits: The limit for the buttons when viewing a report (generate PDF, generate
CSV, and printable) is 30,000 rows. This is not customizable.
The limit for Populate From Query in the Group and Alias Builders when run via
Run Once Now is 5,000 rows. This is not customizable.
The limit for Populate From Query in the Group and Alias Builders when run via
Scheduling is 20,000 rows. This limit is customizable via the CLI command
show/store populate_from_query_maxrecs.

Alias Group Definition from the Group Builder


1. If the Group Builder is not open, see Open the Group Builder, above.
2. In the Modify Existing Groups panel, select a group for adding or editing
aliases.
3. Click the Aliases button to open the Alias Quick Definition window.
4. Enter aliases in the Alias column. The first value shown is always the group
name. If an alias is defined for the group name, the alias displays in reports
that are grouped by objects.
5. When done applying all aliases, click the Apply, and then click the Close this
window link.

Manage Members for Selected Hierarchical Group


This function allows a group to be defined as a "group of groups". It also has a
way to incorporate changes in members in individual groups to be easily reflected
in the greater "group of groups".
Note:
Clicking the Flatten button will update ALL hierarchical groups that exist in Group
Builder, not just the selected group. There is also a Scheduling button to automate
the timing of the Flatten process for hierarchical groups.
The Done button acts the same as Back.
1. Create new group, (for example, Application Type:Security Assessment
Builder, Group Description: BP-Commands-Security, Group Type Description:
Commands).
2. Click to place a checkmark in the Hierarchical choice. Click Add button.
3. To Add Members, select an available member name from the Add an existing
Member to Group box. Add existing members, for example CREATE
Commands, ALTER Commands, GRANT Commands, RESTORE commands,
REVOKE Commands, EXECUTE Commands.
4. Click the Add button to the right of the item just entered or selected.
5. Click the Done button when you have finished making all changes.
6. The application returns to the menu screen called Modify Existing Groups.
Select the group BP-Commands-Security.
7. Click the Flatten button to consolidate the sub-groups under the "group of
groups".
8. Go to Guardium Monitor, Guardium Group Details. Go to the group
BP-Commands-Security and see 105 group members (double-click on
BP-Commands-Security for list of group members).


9. To see how changes to individual groups can be reflected in the "group of
groups", go into individual groups (for example, CREATE Commands) and
add new members, for example, create context bp and create database bp.
10. Click the Done button (for the individual group)
11. Go back to the group BP-Commands-Security at the Modify Existing Groups
menu screen. Select the group BP-Commands-Security.
12. Click the Flatten button to update the changes. Note: Changes in membership
of the sub-groups do not automatically change the membership of the "group
of groups". Clicking the Flatten button will update ALL hierarchical groups
that exist in Group Builder, not just the selected group. There is also a
Scheduling button to automate the timing of the Flatten process for
hierarchical groups.
13. Go to Guardium Monitor, Guardium Group Details and see 107 group
members (double-click on BP-Commands-Security for list of group members).

Delete a Group
1. Open the Group Builder. (See Open the Group Builder, above.)
2. Select the group you want to delete.
3. Click the Delete button and respond to the prompt to confirm the action.


Notifications
When e-mail or other notifications are required for alerting actions, follow the
procedure outlined below for each type of notification to be defined.

SNMP
1. Select SNMP from the Notification Type list.
2. Click the Add button.

Mail
1. Before using the choices from alerting actions, email (SMTP) must be
configured via Alerter found under Administration Console. At a minimum, IP
Address/Host name, port and return email address must be specified.
2. Select Mail from the Notification Type list. If the Severity of the message is
HIGH, the Urgent flag will be set.
3. Select a user (which can be an individual or group) from the Alert Receiver list.
Additional receivers for real-time email notification are Invoker (the user that
initiated the actual SQL command that caused the trigger of the policy) and
Owner (the owner/s of the database). The Invoker and Owner are identified by
retrieving user IDs (IP-based) configured via Guardium APIs.
4. Click the Add button.

Custom
For information about developing custom alerting classes, see Custom Alerting in
the Monitor/Audit help book.
1. Select CUSTM from the Notification Type list.
2. Select the custom notification from the list.
3. Click the Add button.

SYSLOG
1. Select SYSLOG from the Notification Type list. The priority of the syslog
message will be set according to the Severity of the Guardium alert.
2. Click the Add button.
There are several ways that the Guardium administrator can view the syslog file.
For appliances that are managed by a Central Manager, it can be viewed directly
from the Central Manager panel.
For any Guardium appliance, the syslog file can be displayed using the diag CLI
command (System Interactive Queries/ File Summary & Export).
In addition, the Guardium administrator can direct syslog output to remote
systems, directing messages by a combination of facility.priority to various remote
systems. See the store remotelog CLI command in the Configuration and Control
CLI Commands topic, for more information.
Note: The maximum SYSLOG message size is 2000; CSV results longer than this
limit are truncated.


Customize the Portal


By default, the overall layout of the Guardium portal includes tabbed panes that
display Guardium applications, tools, reports, and monitors.
It is recommended to use the default tabbed layout.

Portal Layout Components


The Guardium portal window contains one or more panes. Each pane defines the
layout of some portion of the window. Each pane may contain one or more other
panes. The default layout contains three different types of panes: tab panes, menu
panes, and portlet panes, each of which is described below.
A tab pane defines a row of tabs. Each tab contains the name of a dependent pane
that completely defines the area beneath the row of tabs on which it is defined.
Within a tab row, the tab contents overlay one another, with the contents of only
one tab called the active tab visible at any given time. The active tab in each
tab row is highlighted.
A menu pane contains a vertical list of selections on the left side of the pane. Each
menu selection completely defines the remainder of the pane to the right of the
list. Therefore, as is the case with tab panes, only one menu selection is active at a
time. The active menu selection is highlighted.
A portlet pane contains application or report portlets, or perhaps both; the only
restriction being that a portlet pane layout may not contain multiple applications.
The Guardium administrator or access manager can generate a default layout for a
role. After that, any new user who is assigned that role will have that layout after
logging in for the first time. See Generate New Layout in the CLI Reference
appendix.

Create a Tab
1. Open the Customize Pane for the tab pane on which you want to add a tab,
by doing one of the following:
v To add a tab to the outer-most row of tabs, click the Customize link at the
top of the Guardium window.
v To add a tab to any other tab pane, make that tab the active tab by clicking
its title, and then click the Customize button on the tab title.
2. In the Customize Pane panel, make sure that Tab pane is selected from the
Layout list. If Tab pane is not available in the Layout list, you have opened a
layout that contains portlets (reports or applications). You cannot change a
portlet layout to a tab or menu layout, unless you first delete all portlets in
the layout.
3. Click the Add Pane button, and you will be prompted to supply a name for
the new pane.
4. Enter a name for the new pane, and click the Apply button. In the Customize
Pane panel, the new entry will be added to the list of tabs.


5. To change the order of the tabs, click the Up button to move the
corresponding tab to the left in the row of tabs or click the Down button to
move the tab to the right in the row of tabs.
6. To remove a tab from the row: Click the Delete button for that tab.
Note: You will not be prompted to confirm a deletion.
7. Click the Apply button when you are done.
8. To define the contents of the new tab, click on it to make it the active tab, and
then click its (Customize) button, to open the Customize Pane. The default
layout for a new pane is One column. This is one of several possible portlet
layouts (as opposed to a tab or menu layout).
9. Do one of the following:
- To define the new pane as a menu layout, see Create a Menu, below.
- To add portlets to the layout, see Add Portlets to a Pane, below.
- To add a nested row of tabs below the pane just added, select Tab pane
from the Layout list, and then for each tab in the new row of tabs:
  Click the Add Pane button.
  Enter a name for the pane.
  Click the Apply button to save the new pane.
10. When you are done adding all panes, click the Save and Apply button to close
the Customize Pane.

Create a Menu
You can create a new menu on any tab that contains no portlets. To create a new
menu:
1. Click on the tab title of the tab on which you want to create the menu.
2. Click the (Customize) button on the tab title to open the Customize Pane for
that tab.
3. Select Menu pane from the Layout list. If Menu pane is not available in the
Layout list, you have opened a layout that contains portlets (reports or
applications). You cannot change a portlet layout to a menu (or tab) layout,
unless you first delete all portlets in the layout.
4. To save the menu pane layout (you can add menu selections later), click the
Apply button, or to add menu selections now, see Add Menu Selections, below.

Add Menu Selections


This procedure describes how to add menu selections to a menu. If you have not yet
created a menu, see Create a Menu, above. A menu selection simply provides a
label for the pane to the right of the menu. After defining a menu selection, you
will need to define the contents of the pane, usually by adding report portlets (see
Add Portlets to a Pane, below).
To add menu selections to a menu:
1. Navigate to the menu to which you want to add selections.
2. Click the Customize button at the bottom of that menu.
3. Click the Add Pane button. You are prompted to supply a name for the new
menu selection.
4. Enter a name for the selection, and click the Apply button. In the Customize
Pane panel, the new selection will be added to the list of menu selections.

5. To change the order of the menu selections, click the Up button to move the
selection up one position in the menu, or click the Down button to move the
selection down one position.
6. To remove a selection from the menu, click the Delete button for that selection.
Note: You will not be prompted to confirm a deletion.
7. Click the Apply button when you are done.
8. To define the layout of the menu selection just defined, see Add Portlets to a
Pane, below.

Add Portlets to a Pane


This section describes how to customize a portlet pane by defining its layout and
adding portlets. You cannot add portlets to menu panes.
1. Navigate to the tab or menu to which you want to add one or more portlets.
2. Click the Customize button for that pane (on the tab title or at the bottom of
the menu) to open the Customize Pane.
3. Click the name of the pane to which you want to add one or more portlets. If
you have nested tabs or nested menus, you may have to repeat this step. The
Add Portlet button should be enabled.
4. Select a portlet layout for the pane from the Layout box. The default is One
column. If this pane does not yet contain anything, the Menu pane and Tab
pane options will be available, but do not select either of these if you intend
to add portlets to this pane.
5. Click the Add Portlet button to add one or more portlets to the layout. You
can add more portlets later. The Customize Pane panel changes to display the
list of available portlets.
6. Use the Filter portlets by category list to limit the display of portlets.
7. Use the Next and Previous buttons to navigate through the list of portlets, and
mark the Add checkbox for each portlet to be added to the layout.
8. After selecting all portlets to include, click the Apply button. (You can add
more portlets to the pane later.) The Customize Pane will re-display with all
selected portlets displayed in an approximation of the layout selected. For
example, if you selected a two-column layout, the portlets will be listed across
two columns.
9. If there are multiple portlets in the layout, you can move them using the
buttons in the title bar for each portlet. The arrow buttons move the portlet in
the indicated direction (Left, Right, Up, or Down). In addition, the standard
Remove button can be used to remove the portlet.
10. Click the Save and Apply button when you are done. If the pane being
updated is several tabs or menus deep, you may have to click Apply or Save
and Apply one or more times to close the Customize Pane.
11. If you have just added one or more report portlets, you will need to define
run-time parameters to view report output. (Click the (Customize) button for
each report portlet, and supply the run-time parameters.)
Note: It is possible for a user to lock themselves out of the ability to customize,
remove, etc. in a portlet via the Security ID selection. If this happens, the user
should delete and re-add the portlet they have locked themselves out of from the
Customizer of the pane containing that portlet.

Regular Expressions
Regular expressions can be used to search traffic for complex patterns in the data.
The InfoSphere Guardium implementation of regular expressions conforms with
POSIX 1003.2. For more detailed information, see the Open Group web site:
www.opengroup.org. See Policies for examples.
This help topic provides instructions for using the Build Regular Expression Tool,
and several tables of commonly used special characters and constructs. It does not
provide a comprehensive description of how regular expressions are constructed or
used. See the web site referenced above for more detailed information.
The important point to keep in mind about pattern matching or XML matching
using regular expressions is that the search for a match starts at the beginning of a
string and stops when the first sequence matching the expression is found.
Different or the same regular expressions can be used for pattern matching and
XML matching at the same time.
Note: InfoSphere Guardium does not support regular expressions for non-English
languages.

Using the Build Regular Expression Tool


When an input field requires a regular expression, you can use the Build Regular
Expression tool to code and test a regular expression.
To open the Build Regular Expression tool, click the (Regex) button beside the field
that will contain the regular expression. If you have already entered anything in
the field, it will be copied to the Regular Expression box in the Build Regular
Expression panel.
1. Enter or modify the expression in the Regular Expression box.
2. To test the expression, enter text in the Text To Match Against box, and then
click the Test button:
- If the expression contains an error (a missing closing brace, for example), you
will be informed with a Syntax Error message.
- The Match Found message indicates that your regular expression has found
a match in the text that you have entered.
- If no match is found, the No Match Found message displays.
3. We suggest that you repeat the above step a number of times to verify that
your regular expression both matches and does not match, as expected for your
purpose.
4. To enter a special character at the end of your expression, you can select it from
the Select element list. To enter a special character anywhere else, you will have
to type it or copy it there.
5. When you are done making changes and testing, click the Accept button to
close the Build Regular Expression panel and copy the regular expression to the
definition panel.

Special Characters and Constructs


The following table provides a summary of the more commonly used special
characters and constructs.
Table 13. Special Characters and Constructs

| Character | How do I do ... | Example | Matches | No Match |
|---|---|---|---|---|
| literal | Match an exact sequence of characters (case sensitive), except for the special characters described below | can | can | Can cab caN |
| . (dot) | Match any character including carriage return or newline (\n) characters | ca. | can cab | c cb |
| * | Match zero or more instances of preceding character(s) | Ca*n | Cn Can Caan | Cb Cabn |
| ^ | Match string beginning with following character(s) | ^C. | Ca | ca a |
| $ | Match string ending with preceding character(s) | C.n$ | Can Cn | Cab |
| + | Match one or more instances of preceding character(s) | ^Ca+n | Can Caan | Cn |
| ? | Match either zero or one instance of preceding character(s) | Ca?n | Cn Can | Caan |
| \| | Match either the preceding or following pattern | Can\|cab | Can cab | Cab |
| (x ...) | Match the sequence enclosed in parentheses | (Ca)*n | Can XaCan | Cn CCnn |
| {n} | Match exactly n instances of the preceding character(s) | Ca{3}n | Caaan | Caan Caaaan |
| {n,} | Match n or more instances of the preceding character(s) | Ca{2,}n | Caan Caaaan | Can Cn |
| {n,m} | Match from n to m instances of the preceding character(s) | Ca{2,3}n | Caan Caaan | Can Caaaan |
| [a-ce] | Match a single character in the set, where the dash indicates a contiguous sequence; for example, [0-9] matches any digit | [C-FL]an | Can Dan Lan | Ban |
| [^a-ce] | Match any character that is NOT in the specified set | [^C-FL]an | aan Ban | Can Dan |
| [[.char.]] | Match the enclosed character or the named character from the Named Characters Table, below | [[.~.]]an or [[.tilde.]]an | ~an | @an |
| [[:class:]] | Match any character in the specified character class, from the Character Classes Table, below | [[:alpha:]]+ | ab3 | abc |

Named Characters Table (English)

The following table describes the standard character names that can be used within
regular expression bracket pairs ([[.char.]] - see above). Character names are
locale-specific, so non-English versions of Guardium may use a different set of
character names.

| Name | Value |
|---|---|
| NUL | \0 |
| SOH | \001 |
| STX | \002 |
| ETX | \003 |
| EOT | \004 |
| ENQ | \005 |
| ACK | \006 |
| BEL | \007 |
| alert | \007 |
| BS | \010 |
| backspace | \b |
| HT | \011 |
| tab | \t |
| LF | \012 |
| newline | \n |
| VT | \013 |
| vertical-tab | \v |
| FF | \014 |
| form-feed | \f |
| CR | \015 |
| carriage-return | \r |
| SO | \016 |
| SI | \017 |
| DLE | \020 |
| DC1 | \021 |
| DC2 | \022 |
| DC3 | \023 |
| DC4 | \024 |
| NAK | \025 |
| SYN | \026 |
| ETB | \027 |
| CAN | \030 |
| EM | \031 |
| SUB | \032 |
| ESC | \033 |
| IS4 | \034 |
| FS | \034 |
| IS3 | \035 |
| GS | \035 |
| IS2 | \036 |
| RS | \036 |
| IS1 | \037 |
| US | \037 |
| space | '' |
| exclamation-mark | |
| quotation-mark | " |
| number-sign | |
| dollar-sign | |
| percent-sign | |
| ampersand | & |
| apostrophe | \' |
| left-parenthesis | |
| right-parenthesis | |
| asterisk | |
| plus-sign | |
| comma | |
| hyphen | |
| hyphen-minus | |
| period | |
| full-stop | |
| slash | |
| solidus | |
| zero | |
| one | |
| two | |
| three | |
| four | |
| five | |
| six | |
| seven | |
| eight | |
| nine | |
| colon | |
| semicolon | |
| less-than-sign | < |
| equals-sign | |
| greater-than-sign | > |
| question-mark | |
| commercial-at | |
| left-square-bracket | |
| backslash | \\ |
| reverse-solidus | \\ |
| right-square-bracket | |
| circumflex | |
| circumflex-accent | |
| underscore | |
| low-line | |
| grave-accent | |
| left-brace | |
| left-curly-bracket | |
| vertical-line | |
| right-brace | |
| right-curly-bracket | |
| tilde | |
| DEL | 177 |
| NULL | |

Named Character Class Table (English)

The following table describes the standard character classes that you can reference
within regular expression bracket pairs ([[:class:]] - see above). Note that character
classes are locale-specific, so non-English versions of Guardium may use a
different set of class names.
| Class | Characters Included |
|---|---|
| alnum | Alphanumeric (a-z, A-Z, 0-9) |
| alpha | Alphabetic (a-z, A-Z) |
| blank | Whitespace (blank, line feed, carriage return) |
| cntrl | Control |
| digit | 0-9 |
| graph | Graphics |
| lower | Lowercase alphabetic (a-z) |
| print | Printable characters |
| punct | Punctuation characters |
| space | Space, tab, newline, and carriage return |
| upper | Uppercase alphabetic |
| xdigit | Hexadecimal digit (0-9, a-f) |

Regular Expression Examples


You can copy and paste any of the expressions from the right-hand column to a
field requiring a regular expression. When using any of these examples, we
strongly suggest that you experiment by using it in the Build Regular Expression
tool, entering a variety of matching and non-matching values, so that you
understand exactly what is being matched by the expression.

Table 14. Regular Expression Examples

| Description | Regular Expression |
|---|---|
| Social Security Number (must have hyphens) | [0-9]{3}-[0-9]{2}-[0-9]{4} |
| Phone Number (North America - Matches 3334445555, 333.444.5555, 333-444-5555, 333 444 5555, (333) 444 5555, and all combinations thereof) | \(?[0-9]{3}\)?[-. ]?[0-9]{3}[-. ]?[0-9]{4} |
| Postal Code - (Canada) | [ABCEGHJKLMNPRSTVXY][0-9][A-Z] [0-9][A-Z][0-9] |
| Postal Code - (UK) | [A-Z]{1,2}[0-9][A-Z0-9]? [0-9][ABD-HJLNP-UW-Z]{2} |
| Zip Code (US) (5 digits required, hyphen followed by four digits optional) | [0-9]{5}(?:-[0-9]{4})? |
| Credit Card Numbers | [0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4} |
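As an added example (not part of the help book), the Table 14 expressions run through Python's re module, which accepts this subset of the syntax, over constructed sample values; the last two values show why an expression used without anchors in a classification policy also matches inside a longer digit run, and how the ^ and $ anchors from Table 13 prevent that.

```python
"""Added example (not from the Guardium help book): exercising the Table 14
patterns with Python's re module over constructed sample values."""
import re

# Patterns copied verbatim from Table 14 of the help topic.
PATTERNS = {
    "ssn": r"[0-9]{3}-[0-9]{2}-[0-9]{4}",
    "phone_na": r"\(?[0-9]{3}\)?[-. ]?[0-9]{3}[-. ]?[0-9]{4}",
    "postal_ca": r"[ABCEGHJKLMNPRSTVXY][0-9][A-Z] [0-9][A-Z][0-9]",
    "postal_uk": r"[A-Z]{1,2}[0-9][A-Z0-9]? [0-9][ABD-HJLNP-UW-Z]{2}",
    "zip_us": r"[0-9]{5}(?:-[0-9]{4})?",
    "card": r"[0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}",
}


def first_match(pattern, text):
    """Apply the rule the help topic states: scan from the start of the string
    and stop at the first substring the expression matches (None if none)."""
    m = re.search(pattern, text)
    return m.group(0) if m else None


def anchored(pattern):
    """Require the whole field to match by adding the ^ and $ anchors of Table 13."""
    return "^" + pattern + "$"


def classify(text):
    """Names of every Table 14 pattern that finds a match somewhere in text."""
    return [name for name, pattern in PATTERNS.items() if re.search(pattern, text)]


# Constructed sample values (not real identifiers): one per pattern, plus two
# that show how an unanchored expression behaves inside a longer digit string.
SAMPLES = {
    "123-45-6789": ["ssn"],
    "(333) 444 5555": ["phone_na"],
    "K1A 0B1": ["postal_ca"],
    "SW1A 1AA": ["postal_uk"],
    "02134-0001": ["zip_us"],
    "1234-56-7890": ["ssn"],          # 10 digits still contain an SSN-shaped run
    "4000123456789010": ["phone_na", "zip_us", "card"],  # one digit run, three hits
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        print(f"{value!r}: {classify(value)} (expected {expected})")
    # Anchoring removes the partial match inside the 10-digit value.
    print(first_match(PATTERNS["ssn"], "1234-56-7890"))            # 234-56-7890
    print(first_match(anchored(PATTERNS["ssn"]), "1234-56-7890"))  # None
```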

Scheduling
The general purpose scheduler is used to schedule many different types of tasks
(archiving, aggregation, workflow automation, etc.).
Depending on the type of task being performed, not all of the features described
here may be available - for example, the schedules for some types of tasks can be
paused, while others cannot be (they can only be stopped or started).
Note: Be aware of scheduling anomalies that can occur when scheduling tasks
during Daylight Saving Time.

Define or Modify a Schedule


1. In a task (for example, Audit Process Builder), click the Define Schedule or
Modify Schedule button to open the Schedule Definition panel.
2. Fill in the Start Time. The default is 12 a.m. (Midnight).
3. Optionally, to run the task more than once a day:
- Select a value from the Restart list (every hour up to every 12 hours). The
default is Run only once, meaning the task will not be restarted during the
day.
- Select a value from the Repeat list (every minute up to every 59 minutes).
The default is Do not repeat.
4. From the Schedule by list, select one of the following:
- Day/Week to define a schedule based on one or more days of the week
(Monday, Tuesday, Wednesday, etc.).
- Month to define a schedule based on one or more days of the month, for
every month or specific months.
If you selected Day/Week from the Schedule by list, mark each day of the
week you want the task run, or click Every day to select all days (or to clear all
days if they are already selected).
OR
If you selected Month from the Schedule by list, do one of the following:
- To select a numbered day (the 15th, for example):
  Select the Day button.
  Select a day: 1-31, depending on the month selected.
  Select Every month, or one or more specific months.
- To select a weekday occurrence within the month (the first Monday, for
example):
  Select the lower button (beside the word The).
  Select a week relative to the start of the month: First, Second, Third, etc.
  Select a weekday: Sunday, Monday, Tuesday, etc.
  Select either Every month, or one or more specific months.
5. From the Schedule Start Time list, select the hour and minute at which you
want to run the task. If a time is chosen earlier than NOW, the Scheduler Start
Time will revert to NOW.
6. Click the Apply button.

Pause a Schedule
Note: Not all types of scheduled tasks provide a pause option.
1. Click the Pause button.
2. Confirm the action.

Remove a Schedule
After a schedule has been defined, a Remove button appears in the Schedule
Definition panel.
1. Click the Define Schedule or Modify Schedule button to open the Schedule
Definition panel.
2. Click the Delete button.

Security Roles
Security roles are used to grant access to data (groups, queries, reports, etc.) and to
grant access to applications (Group Builder, Report Builder, Policy Builder, CAS,
Security Assessments, etc).
By default, when a component is initially defined, only the owner (the person who
defined it) and the admin user (who has special privileges) are allowed to access
and modify that component.
You can allow other users to access the components you define by assigning
security roles. For example, if you assign a security role named DBA to an audit
process, all users assigned the DBA role will be able to access that audit process.
Note: To configure LDAP user import, the accessmgr user must have the
privilege to run Group Builder. In certain situations, when changes are made to
role privileges, accessmgr's privilege to run Group Builder can be taken away. This
results in an inability to save or successfully run an LDAP user import. Go to the
access management portal and select Role Permissions from the choices in the
left-hand pane. Choose the Group Builder application and make sure that there is a
checkmark in the all roles box or a checkmark in the accessmgr box.

Assign Security Roles


1. Open or select the item to which you want to assign one or more security roles
(a report definition, for example).
2. Click the Roles button.
3. In the Assign Security Roles panel, mark all of the roles you want to assign
(you will only see the roles that have been assigned to your account).
4. Click Apply.

Define a new Security Role


By default, only the special accessmgr user is allowed to create or remove security
roles.
1. Select Security Role Browser from the Access Management menu.
2. Click the Add Role link at the bottom of the table of roles.
3. In the Role Form panel, enter a new role name in the Role Name box.
4. Click the Add Role button.

Remove a Security Role


By default, only the special accessmgr user is allowed to create or remove security
roles. To remove a role assigned to a component, see Assign security roles to a
component, above.
1. Select Security Role Browser from the Access Management menu.
2. Click the Delete link for the role in the table of roles, and confirm the action.

Manage Security Roles (accessmgr role function)


See Manage Roles on page 719 for information on determining security roles.

Time Periods
Policy rules and query conditions can test for events that occur (or not) during
user-defined time periods.
There is a set of pre-defined time periods (7x24, After Hours Work, Before Hours
Work, Evening, Regular Work Day, Saturday, Sunday, and Week End), and users
can define their own.

Add a Time Period


1. Navigate to the Time Period panel:
- Users: Monitor/Audit > Build Reports > Time Period builder.
- Administrators: Tools > Config & Control > Time Period Builder.
2. Expand the Add Time Period pane by clicking the + button.
3. Enter a unique description for the period in the Time Period Description box.
Do not include apostrophe characters in the description.
4. Optionally mark the Contiguous box to define a single time period that may
span multiple days. Leave this box cleared to define a fixed time period on
one or more days.
Example: Contiguous vs. Non-Contiguous Time Periods
The following two time periods both begin 09:00 Monday and end 17:00
Friday:
- Workweek is defined Contiguous.
- Workday is defined Non-Contiguous.
The first time period, Workweek, defines a single 164-hour period beginning
at 9 AM on Monday and ending at 5 PM on Friday, whereas the second time
period, Workday, defines five separate eight-hour time periods (9 AM to 5 PM)
on five consecutive days (Monday through Friday).
5. Enter a beginning time in hours (00-24) and minutes (00-59) in the Hour From
box.
6. Enter an ending time in hours (00-24) and minutes (00-59) in the Hour To box.
7. Select a beginning day of the week in the Weekday From box.
8. Select an ending day of the week in the Weekday To box.
9. Optionally click the Comments button to add comments (see Commenting).
10. Click the Add button.
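The Contiguous versus Non-Contiguous distinction above, as an added example (not from the help book) that decides whether a timestamp falls inside a period under each interpretation; the Workweek and Workday definitions follow the example above, while the weekend span, the night window and the timestamps are constructed here. Hour values follow the Hour From/To boxes (00-24 hours, 00-59 minutes).

```python
"""Added example (not from the Guardium help book): deciding whether a
timestamp falls inside a Time Period under the Contiguous and the
Non-Contiguous interpretation described in the Time Period builder."""
from dataclasses import dataclass
from datetime import datetime

# datetime.weekday() numbers Monday as 0, which is the order used here.
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]
MINUTES_PER_DAY = 24 * 60


def _minutes(hhmm):
    """Parse an 'HH:MM' value from the Hour From / Hour To boxes (hours 00-24,
    minutes 00-59) into minutes after midnight; 24:00 is the end of the day."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not 0 <= minutes <= 59 or not 0 <= hours <= 24 or (hours == 24 and minutes):
        raise ValueError(f"invalid time {hhmm!r}")
    return hours * 60 + minutes


def _in_range(value, start, end):
    """Inclusive membership in [start, end]; when end precedes start the range
    wraps around the end of the cycle (Friday..Monday, or 22:00..06:00)."""
    if start <= end:
        return start <= value <= end
    return value >= start or value <= end


@dataclass(frozen=True)
class TimePeriod:
    """One entry of the Time Period builder (field names follow its boxes)."""
    description: str
    hour_from: str
    hour_to: str
    weekday_from: str
    weekday_to: str
    contiguous: bool = False   # the Contiguous checkbox

    def contains(self, when):
        day = when.weekday()
        minute = when.hour * 60 + when.minute
        day_from = WEEKDAYS.index(self.weekday_from)
        day_to = WEEKDAYS.index(self.weekday_to)
        start_min, end_min = _minutes(self.hour_from), _minutes(self.hour_to)
        if self.contiguous:
            # One span from (Weekday From, Hour From) to (Weekday To, Hour To),
            # measured in minutes from Monday 00:00, possibly wrapping past Sunday.
            return _in_range(day * MINUTES_PER_DAY + minute,
                             day_from * MINUTES_PER_DAY + start_min,
                             day_to * MINUTES_PER_DAY + end_min)
        # Non-contiguous: the same daily window on every day of the weekday range.
        return _in_range(day, day_from, day_to) and _in_range(minute, start_min, end_min)


# The two periods from the help book's example, plus a constructed weekend span
# (Friday 17:00 to Monday 09:00) that wraps past Sunday.
WORKWEEK = TimePeriod("Workweek", "09:00", "17:00", "Monday", "Friday", contiguous=True)
WORKDAY = TimePeriod("Workday", "09:00", "17:00", "Monday", "Friday", contiguous=False)
OFF_HOURS = TimePeriod("Off hours (constructed)", "17:00", "09:00",
                       "Friday", "Monday", contiguous=True)


def matching_periods(when, periods=(WORKWEEK, WORKDAY, OFF_HOURS)):
    """Descriptions of the periods that contain the given timestamp."""
    return [p.description for p in periods if p.contains(when)]


if __name__ == "__main__":
    # Constructed timestamps: 1 Jan 2024 is a Monday.
    for when in (datetime(2024, 1, 3, 3, 0),    # Wednesday 03:00
                 datetime(2024, 1, 3, 12, 0),   # Wednesday 12:00
                 datetime(2024, 1, 6, 10, 0)):  # Saturday 10:00
        print(when.strftime("%A %H:%M"), "->", matching_periods(when))
```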

Remove a Time Period


1. Navigate to the Time Period panel:
- Users: Monitor/Audit > Build Reports > Time Period builder.
- Administrators: Tools > Config & Control > Time Period Builder.
2. Mark the Select checkbox for the time period you want to remove.
3. Click the Delete button. You will be prompted to confirm the deletion. Note
that you cannot delete a time period that is used by an existing policy rule.

Portlet Editor
A portlet is a small window on a portal page. Portlet technology allows a portal
page to be customized by the end user.
The choice of Portlet Editor in the Tools tab permits the admin user to define a
.psml structure that becomes the default .psml for that user, admin or role.
Note: The admin user is specifically blocked from editing the role of the Accessmgr in
the Accessmgr portlet.
PSML is an acronym for Portal Structure Markup Language. It manages content
structure and abstraction within the GUI.
The edited .psml for a user becomes that user's default .psml after the user exits
the current .psml.
The menu choices are as follows:
Use Filter string when there are many users or roles to limit the display of portlets
by User or Role.
See Customize the Portal on page 63 for further information on portal pages.

User
In the GUI, the items under User are the current layouts/profiles (default.psml) for
all users who have logged in to the portal and thus had a layout/profile created.
For example, if "johnsmith" was a user who had logged in at some time before, an
entry linking to his current profile would be under the User section and would
give the admin access to browse it and make modifications. At the same time,
user "johnsmith" or any other user listed may have made any number of
customizations to their layout, and thus it can be quite different from whatever
their original role-based default version was.

Role
The default .psml for admin includes System View, Administration Console, Tools,
Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management and Access
Management.
The default .psml for user includes tabs for View, Quick Start, Monitor/Audit,
Discover, Assess/Harden, Comply and Protect.
The default .psml for Inv (used with a Guardium Aggregator appliance) includes
Reports, Auditing and Volume Management.
The default .psml for review-only includes Reports and Audit Results. The default
.psml for cli includes System Status.

Basic Information for IBM Support


Question - When using InfoSphere Guardium (collector, aggregator, Central
Manager; UNIX/Linux S-TAP; Windows S-TAP), what basic information is needed
before calling IBM Software Support? - Version 8.01 or higher.
Answer - Starting with Version 8.01, there are some simple "support must_gather
commands" that can be run by the user through the CLI, or scripts that generate
specific information about the state of any Guardium system.
This information can be uploaded from the Guardium system and sent to IBM
Support whenever a PMR is logged.

Must Gather for Guardium Appliance


InfoSphere Guardium Collector, Aggregator or Central Manager
In Guardium versions less than V8.2, in order to run these CLI commands, the
appropriate "support must_gather" patch must be installed. In Guardium versions
8.2 and greater, these CLI commands are available without a patch.
Once the correct patch is installed, the "must gather" commands can be run at any
time by the user through the CLI. See the steps below.
1. Open a Putty session (or similar) to the appropriate collector, aggregator or
Central Manager.
2. Log in as user cli.
3. Depending on the type of issue, paste the relevant "must_gather" commands
into the CLI prompt. More than one "must_gather" command may be needed in
order to diagnose the problem.
support must_gather system_db_info
support must_gather purge_issues
support must_gather audit_issues
support must_gather agg_issues
support must_gather cm_issues
support must_gather alert_issues
The following may take a few minutes to run to completion:
support must_gather miss_dbuser_prog_issues
support must_gather sniffer_issues
For the following commands, a prompt will appear asking how long to run the
debugger while you are reproducing the problem:
support must_gather backup_issues
support must_gather scheduler_issues
support must_gather app_issues
Output is written to the must_gather directory with filename(s) along the lines
of this example:
must_gather/system_logs/.tgz
4. Send the resulting output to IBM Support.
Using fileserver, you can upload the .tgz files and send them to IBM Support.

Send via email or upload to ECUREP using, for example, the standard data
upload specifying the PMR number and file to upload.

Must Gather for UNIX/Linux S-TAP


If your Guardium S-TAP is V8.2, the guard_diag script can be run via the GUI
with S-TAP logging set to 7.
guard_diag script information
=============================
This script produces many statistics on the server that will help Guardium with
diagnostics.
Explanation of guard_diag:
General Overview:
There is now a diagnostics script (guard_diag) that is shipped in versions >= 8.2. It
runs out of /usr/local/guardium/guard_stap/guard_diag when S-TAP logging is
set to level 7 from the GUI. It is also possible to transfer this script to a machine
running S-TAP < 8.2 and run it by hand.
Usage: ./guard_diag output_dir
If the script cannot automatically determine where S-TAP is installed, it will prompt
for the location. Runtime is about 1.5 minutes, and if no output directory is
specified on the command line the default is to place the generated tarball in
/tmp. When run by enabling logging from the GUI, the tarball is placed in
/var/tmp.
General System Data Collected:
- uname -a
- list of kernel modules installed
- output of top for 1 cycle
- uptime
- processor number and type
- dump of most recent syslog
- netstat output
- IPC list
- disk free statistics
- copy of /etc/services
- directory listing of /etc
- various platform specific information (Linux only at the moment)
- contents of /etc/inittab
S-TAP Data Collected:
- stap version
- contents of guard_tap.ini
- ls -l on the ktap devnodes
- 30s trace of stap
- ktap statistics
- list of all the files in the installation directory
- ktap khash
- verbose debug log for ktap (2) and stap (4) for 60s
Known Issues:
- tusc is not installed on all HP-UX platforms, so tracing the S-TAP PID will not
work.
- gzip isn't always installed on the system. We fall back to using compress (final
extension of .tar.Z) and, failing that, we don't use any compression utility and just
leave the .tar in the output directory.
- topas output on AIX is best left interpreted by the terminal, since it contains
control codes that make it mostly unintelligible when opened in an editor.
- Non-root S-TAP has a number of issues in regards to the diagnostics script.
- Linux's /var/log/messages is only readable by root.root, so we can only collect
the dmesg output.
- Some Solaris machines might not be configured correctly and, as a result, netstat
will print an error instead of any useful output.
- The path for the non-root user is rather basic, so some commands may not
execute at all. Notably, this happens on HP-UX with gzip.
Platforms Supported:
The script has been tested on the following:
- Linux
- HP-UX (11.11, 11.23, 11.31)
- AIX (>=5.3)
- Solaris (>= 5.8)
Requirements for S-TAP < 8.2: Needs to be run as root
Requirements for Linux: None
Requirements for AIX: topas
Requirements for Solaris: top, prtdiag, psrinfo
Requirements for HP-UX: tusc
For the latest version of the UNIX/Linux S-TAP script, see http://www-01.ibm.com/support/docview.wss?uid=swg21579891

Must Gather for Windows S-TAP


Running this script will generate the following text files in the current directory:
stap.txt
tasks.txt
system.txt
evtlog.txt or evtlog2008.txt
reg.txt
Notes:
1. This diag script can be run with any STAP version. However, the OS needs to
be Windows 2003 server and above.
2. Rename the diag script to diag.bat and place it under the directory where S-TAP
was installed (for example, "C:\Program Files\Guardium\GUARDIUM STAP").
You can then run it manually from there. It will generate text files with
diagnostic information.
3. Submit the results to Guardium L3 Support/R&D.
The script will collect the following data:
- content of %system%\guard_tap.ini
- the Guardium S-TAP installation log
- all running tasks
- list of all installed kernel drivers
- OS information collected from the systeminfo utility
- ipconfig /all
- netstat -nao
- ping and tracert results from the DB server to the Guardium appliance
- CPU usage for guardium_stapr, overall system CPU usage
- guardium_stapr process handle count and memory usage
- event log messages generated by S-TAP
- system event log messages of type Error and Warning
- the following registry entries:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  HKLM\SYSTEM\CurrentControlSet\Services
  HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
For the latest version of the Windows S-TAP script, see http://www-01.ibm.com/support/docview.wss?uid=swg21579969

Monitor and Audit Help Book


This help book details monitoring and auditing.
This book describes how to create and use:
- Audit & Report Overview
- Queries
- Reports
- External Data Correlation
- Privacy Sets
- User Identification
- Application User Translation
- Custom Identification Procedures
- Flat Log Process
- Custom Alerting
- Value Change Auditing
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.

Audit and Report


Guardium organizes the data it collects into a set of domains. Each domain
contains a different type of information relating to a specific area of concern: data
access, exceptions, policy violations, and so forth.
All domains and their contents are described in the Domains, Entities, and
Attributes appendix.
There is a separate query builder for each domain, and access to each query
builder is controlled via security roles. Regardless of the domain, the same
general-purpose query-builder tool is used to create all queries. For detailed
instructions on how to build queries, see Queries, below.
In addition to the standard set of domains, users can define custom domains to
contain information that can be uploaded to the Guardium appliance. For example,
your company might have a table relating generic database user names (hr23455 or
qa4872, for example) to real persons (Paula Smith, John Doe). Once that table has
been uploaded, the real names can be displayed on Guardium reports, from the
custom domain. For more detailed information on how to define and use custom
domains, see External Data Correlation.

Queries
Use the Query Builder to define and modify queries.
There is a distinction between queries and reports:
- A query describes a set of information to be obtained from the collected data; for
example: find all clients updating a specific database during weekend hours.
- A report describes how the data returned by a query is presented. Most often,
the report is in tabular form, but Guardium provides extensive graphical
reporting capabilities as well.
There is a separate Query Builder for each domain, and it is opened from the Query
Finder for that domain (see Open the Query Finder). By default, the Query Builder
panel name is Custom Reporting for a user portal, but for admin role users, the
Query Builder panel takes its name from the menu selection used to open the query
builder (Access Tracking, Exceptions Tracking, Alert Tracking, etc).
The query builder contains three panes:
- The Entity List pane on the left-hand side identifies all entities and attributes
contained in the domain. Entities are represented as folders, and attributes are
the items within. Click on an entity folder to display its attributes, or click again
to hide them. For a description of all entities and attributes, see Entities and
Attributes in the Domains, Entities, and Attributes appendix.
- The Query Fields pane lists all fields to be accessed, what is to be displayed for
that field (its value, a count, minimum, maximum, or average), and the sort
order. For more information about using this pane, see the Query Fields
Overview, below.
- The Query Conditions pane specifies any conditions for selecting the fields listed
above (for example, where VERB = UPDATE). For more information about
using this pane, see the Query Conditions Overview, below.
The title line for the query displays the query name and the main entity, and
contains two controls:
v Once the query has been saved, the Item comments button appears to the left of
the query title. Click the button to add comments to the query definition (see
Comments on page 29 if you need additional help defining comments).
v The Sorted by occurrences checkbox can be marked to indicate that the rows of
data returned by the query are to be sorted by occurrences, from most to least.

The Main Entity


The entities within a domain are related to one another, usually in a hierarchical
order. For example, in the Data Access domain, the Client/Server entity contains
Session entities, which contain Access Period entities, and so forth.
The main entity that you select for a query determines:
v The level of detail for the report. There will be one row of data for each
occurrence of the main entity included in the report. The location of the main
entity within the hierarchy of entities is important in terms of what values can
be displayed. The attributes for any entities below the main entity can be
counted, but not displayed (since there may be many occurrences for each row).
To choose this level of detail, there is a check box (Sort by Count) in the upper
right corner of the screen.
v The total count, added as the last column of the report, which is a count of
instances of the main entity included on that row of the report. To add or drop
the count column of the report (Add Count), there is a check box in the upper
right corner of the screen; this may improve query/report performance in some
cases.
v In the upper right hand corner of the screen, there is a check box (Add Distinct)
to add or drop the ability to display one row per value in the report. This
yields condensed reports and may improve query/report performance in some
cases.
v The time fields against which the Period From and Period To run-time
parameters will be compared to select the rows of the report. When defining a
query in the Query Builder, the system uses the main entity (among other
parameters) to determine which time fields will be used for the Period From
and Period To of the report or alert using this query. This may be important
for long-running sessions (as when pooled sessions are kept open by an
application server). When applicable, the Period Start/Period End from the
Access Period entity is usually used; in other cases the period values are
chosen according to the main entity:
Session - the timestamp of the last update made to the session entity is used.
Session Start - the starting time of the session entity is used.
Session End - the ending time of the session entity is used.
Full SQL - the timestamp from the Full SQL domain; the query includes rows
from the Full SQL domain even if they are not linked to values (for example,
when Log Full Details is set, there are no values).
Full SQL Values - the timestamp from the Full SQL domain; the query includes
rows only if they have values from the Full SQL domain, even if they are not
linked to the Field domain.
Field SQL Values - the timestamp from the Full SQL domain; the query includes
rows only if they have values from the Full SQL domain and those values are
linked to the Field domain.
Note: The Main Entity drop-down list includes only primary entities. However,
secondary entities (for example, Session Start and Session End) can be accessed
through their corresponding primary entity (for example, Session for Session
Start and Session End). See Entities and Attributes for further information.

Sorting
By default, query data is sorted in ascending order by attribute value, with the sort
keys ordered as the attributes appear in the query. If aliases are being used, they
are ignored for sorting purposes; the actual data values are always used for
sorting. Attributes for which values are computed by the query (Count, Min, Max,
or Avg) cannot be sorted.
To change the default sort order:
1. Mark the Order-by box.
2. Enter a number in the Sort Rank box (1 is the most major sort key).
3. Optionally, mark the Descend box to sort the values of that attribute in
descending sequence.

As mentioned elsewhere, the last column of a tabular report is a count of main
entity occurrences. To sort on this count in descending sequence (in other words,
listing the greatest number of occurrences first), mark the Sorted by occurrences
checkbox above the Query Fields title bar.

Timestamps
A timestamp (lowercase t) is a data type containing a combined date-and-time
value, which when printed displays in the format yyyy-mm-dd hh:mm:ss (for
example, 2012-07-17 15:40:25). When creating or editing a query, most attributes
with a timestamp data type display with a clock icon in the Entity List panel.
A Timestamp (uppercase T) is an attribute defined in many entity types,
containing the time that the entity was last updated. For many timestamp
attributes, you can print the date, time, weekday or year components separately, by
referencing additional Timestamp attributes (Date, Time, Weekday, or Year).

Query Fields Overview


The Query Fields pane basically lists the columns of data to be returned by the
query.
There are two ways to add a field to the Query Fields pane:
v Pop-Up Menu Method:
1. Click on the field to be added.
2. Select Add Field from the pop-up menu.
v Drag-and-Drop Method:
1. Click on the icon to the left of the field (not on the field name).
2. Drag the icon to the Query Fields list and release it.
Regardless of the method used, the field will be added to the end of the list.

Move or Remove Fields in the Query Fields Pane


To move a field in the Query Fields pane:
1. Mark the checkbox in the left-most column for the field.
2. Use the following buttons to move the field to the desired location:
v Click the Up button to move the field up one row.
v Click the Down button to move the field down one row.

Aggregate Fields
The Field Mode list selection indicates what to print for the field: its Value, or the
Count (count is a count of distinct values), Min, Max, Average (AVG) or Sum for
the row. The Value option is not available for attributes from entities lower than
the main entity in the entity hierarchy for the domain.

A Caution about Full SQL Attributes in Queries


Beware of using the Full SQL attribute in a query. It may produce excessively large
reports, because each distinct value of the attribute (the complete SQL query string
in this case) will be returned in a separate row.

On the other hand, the report may contain no information at all, or many blank
columns where you are expecting Full SQL strings. Guardium captures Full SQL
only when directed to do so by policy rules - and the rules may not have been
triggered during the reporting period.
Do not confuse the Full SQL attribute with the ability to drill down to the SQL,
which is available from most Data Access domain reports that involve SQL requests.

Query Conditions Overview


The Query Builder allows you to create complex query conditions by adding
multiple attributes to the Query Conditions pane. Each attribute added defines an
additional test that is combined with the other tests by AND or OR (several of
each are permitted), grouped with left and right parentheses, or placed in a
HAVING clause, as described below.

Add an AND condition or an OR condition at the end or in the middle of the
condition list by using the add-condition menu or by dragging and dropping the
attribute's icon. All conditions are independent. Group conditions together by
adding a left parenthesis and a right parenthesis around them. Select and remove
conditions by pressing the remove button. Save the query. If the generated SQL
query is invalid, it will not be saved and an error message will result.
If there are conditions selected, pressing the left parenthesis button adds one
left-parenthesis condition before the first selected one, and pressing the right
parenthesis button adds one right-parenthesis condition after the first selected
one. If no condition is selected, pressing these buttons has no effect.
Note: When creating a query condition that uses parentheses, the parentheses
appear in the GUI BEFORE the operator, but they are actually applied AFTER the
operator. For example, a query condition is displayed as "this (AND that OR
another)". However, the actual logic is "this AND (that OR another)".
The condition display panel has two parts: one begins with a WHERE condition and
the other with a HAVING condition.
In the HAVING part, the aggregate field offers the options Count, Min, Max and
AVG. The option SUM also applies to certain attributes with "ID" in the name
(Session ID, Global ID, Full SQL ID, Instance ID). If the HAVING button is not
checked, the condition is inserted into the WHERE part with an empty aggregate
field. If the HAVING button is checked, the condition is inserted into the
HAVING part and the aggregate field offers the options above. After a condition
is added or removed, the condition options are updated. Pressing the Save button
generates the SQL, which is validated before it is saved. If validation fails (for
example, on a syntax error), an alert error message is displayed and a more
detailed error description is written to the log. Adding a condition to the wrong
part (for example, dropping the attribute icon on the WHERE part while the
HAVING button is set, or vice versa) produces a not-matched alert message. If the
selected condition is in the WHERE part but the HAVING button is set, adding the
condition fails because the settings do not match.


Conditions on any of the following attributes - Total Access, Failed SQLs, and
Successful SQLs - can be added only under a HAVING clause (not the WHERE
clause).
Allowed queries must have one timestamp column and either at least one column
with Mode=Count OR the count flag set (or both). The query column to be
evaluated by the query must be one of the columns with Mode=Count OR the
total access column (if the count flag is set).
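As an added illustration (not Guardium code), the following Python model shows how a condition list, as the pane displays it, becomes a WHERE clause and a HAVING clause, with the parentheses applied after the AND/OR operator rather than before it, and runs the generated SQL against constructed sample rows in SQLite. The table name, the columns db_user, client_ip and verb, and the sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for collected Data Access records
# (db_user, client_ip, verb) with Session as the main entity. Not real data.
SAMPLE_ROWS = [
    ("hr23455", "192.168.2.18", "UPDATE"),
    ("hr23455", "192.168.2.18", "SELECT"),
    ("qa4872", "10.0.0.7", "UPDATE"),
    ("qa4872", "10.0.0.7", "UPDATE"),
    ("qa4872", "10.0.0.7", "DELETE"),
    ("appsvc", "192.168.2.50", "SELECT"),
]


def build_clause(conditions):
    """Turn condition rows, as the pane displays them, into one predicate.

    Each row is (lparen, op, expr, rparen). The GUI shows the parenthesis
    flag before the AND/OR, but the generated SQL applies it after, so the
    display "this (AND that OR another)" becomes "this AND (that OR another)".
    """
    parts = []
    for i, (lparen, op, expr, rparen) in enumerate(conditions):
        piece = "(" * lparen + expr + ")" * rparen
        if i > 0:
            piece = f"{op} {piece}"  # operator first, then the parenthesis
        parts.append(piece)
    return " ".join(parts)


def build_query(where_conditions, having_conditions=()):
    """One row per main-entity instance (db_user, client_ip) plus a count.

    Plain attribute tests go in the WHERE part; tests on aggregates such as
    Total Access go in the HAVING part, matching the two parts of the pane.
    """
    sql = "SELECT db_user, client_ip, COUNT(*) AS total_access FROM sessions"
    where = build_clause(where_conditions)
    if where:
        sql += " WHERE " + where
    sql += " GROUP BY db_user, client_ip"
    having = build_clause(having_conditions)
    if having:
        sql += " HAVING " + having
    # "Sorted by occurrences": most occurrences first.
    return sql + " ORDER BY total_access DESC, db_user"


def run_query(where_conditions, having_conditions=()):
    """Execute the generated SQL against the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (db_user TEXT, client_ip TEXT, verb TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(build_query(where_conditions, having_conditions)).fetchall()
    conn.close()
    return rows


# Displayed in the pane as:
#   verb = 'UPDATE' (AND client_ip LIKE '192.168.%' OR db_user = 'qa4872')
INTENDED = [
    (0, None, "verb = 'UPDATE'", 0),
    (1, "AND", "client_ip LIKE '192.168.%'", 0),
    (0, "OR", "db_user = 'qa4872'", 1),
]
# The same three tests with the parentheses around the first two instead.
MISGROUPED = [
    (1, None, "verb = 'UPDATE'", 0),
    (0, "AND", "client_ip LIKE '192.168.%'", 1),
    (0, "OR", "db_user = 'qa4872'", 0),
]
# Total Access (the count column) may only be tested in the HAVING part.
AT_LEAST_TWO = [(0, None, "COUNT(*) >= 2", 0)]

if __name__ == "__main__":
    print(build_query(INTENDED, AT_LEAST_TWO))
    for row in run_query(INTENDED, AT_LEAST_TWO):
        print(row)
```

The two groupings return different rows for the same three tests, which is why the placement note above matters when reading a saved condition list.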

Add or Remove a Query Condition


1. To remove a query condition, mark the checkbox in the row for that condition,
and click X in the Query Conditions pane title bar.
2. To add a condition, first create a row in the Query Conditions list for the
appropriate field from the Entity List pane. The way you do this depends on
whether you are creating an AND condition or an OR condition.
To add an AND condition, do one of the following:
v Click on the field in the Entity List pane and then select Add Condition from
the pop-up menu.
v Drag the field icon (not the field name) from the Entity List pane, and release
it on the Query Conditions pane title bar.
To add an OR condition, do one of the following:
v Drag the field icon (not the field name) from the Entity List pane, and release
it on top of the condition for which it will be an OR condition.
v Mark the checkbox for the condition to which you want to add the OR
condition, click on the field in the Entity List pane, and then select Add
Condition from the pop-up menu.
3. Optional. Use the Aggregate drop-down to select an aggregate of the attribute
to be used for the query condition: Count, Min (minimum value), Max
(maximum value), or AVG (average value). Restrictions apply, as follows:
v You cannot use an aggregate in an OR'd condition.
v You cannot add an OR'd condition to one that contains an aggregate.
4. Select the operator for the new condition from the list below. Not every
attribute type will have the same set of operators available, for example,
attributes that cannot be associated with groups will not have any of the group
options (IN GROUP, LIKE GROUP, etc.). However, when adding tuples
(multiple attributes combined together to form a single group) as a condition of
a query, all operators for new condition will be available for selection.
Table 15. Operator for New Condition
Operator                      Description
<                             Less than
<=                            Less than or equal to
<>                            Not equal to
=                             Equal to
>                             Greater than
>=                            Greater than or equal to
CATEGORIZED AS                Member of a group belonging to the category selected from the
                              drop-down list to the right, which appears when a group operator
                              is selected.
CLASSIFIED AS                 Member of a group belonging to the classification selected from
                              the drop-down list to the right, which appears when a group
                              operator is selected.
IN DYNAMIC GROUP              Member of a group that will be selected from the drop-down list
                              in the runtime parameter column to the right, which appears when
                              a group operator is selected.
IN GROUP                      Member of the group selected from the drop-down list in the
                              runtime parameter column to the right, which appears when a
                              group operator is selected. IN GROUP and IN ALIASES GROUP cannot
                              both be used at the same time.
IN DYNAMIC ALIASES GROUP      Works on a group of the same type as IN DYNAMIC GROUP, but
                              assumes the members of that group are aliases.
IN ALIASES GROUP              Works on a group of the same type as IN GROUP, but assumes the
                              members of that group are aliases. Note that the IN GROUP and IN
                              ALIASES GROUP operators expect the group to contain actual values
                              or aliases respectively. An alias provides a synonym that
                              substitutes for a stored value of a specific attribute type. It
                              is commonly used to display a meaningful or user-friendly name
                              for a data value. For example, Financial Server might be defined
                              as an alias for IP address 192.168.2.18.
IS NOT NULL                   Attribute value exists, but may be blank or unprintable
IS NULL                       Empty attribute
IN PERIOD                     For a timestamp only, is within the selected time period
LIKE                          Matches a like value specified in the boxes to the right. A like
LIKE GROUP                    value uses the percent sign as a wildcard character, and matches
                              all or part of the value. Alphabetic characters are not case
                              sensitive. For example, %tea% would match tea, TeA, tEam, steam.
                              If no percent signs are included, the comparison operation will
                              be an equality operation (=).
NOT IN DYNAMIC GROUP          Not equal to any member of a group, selected from the drop-down
                              list in the runtime parameter column to the right, which appears
                              when a group operator is selected.
NOT IN DYNAMIC ALIASES GROUP  Works on a group of the same type as NOT IN DYNAMIC GROUP, but
                              assumes the members of that group are aliases.
NOT IN GROUP                  Not equal to any member of the specified group, selected from the
                              drop-down list in the runtime parameter column to the right,
                              which appears when a group operator is selected.
NOT IN ALIASES GROUP          Works on a group of the same type as NOT IN GROUP, but assumes
                              the members of that group are aliases.
NOT IN PERIOD                 For a timestamp only, not within the selected time period
NOT LIKE                      Not like the specified value (see the description of LIKE, above)
NOT REGEXP                    Not matched by the specified regular expression
REGEXP                        Matched by the specified regular expression. For detailed
                              information about how to use regular expressions, see Regular
                              Expressions.

Note: There are four special words that are not allowed as the name of a
parameter: user, group, role and page.
An error will result if an attempt is made to save a query with any of these
words as the parameter name. There are two types of conditions where this applies:
v If creating a query condition with an operator such as "=", "<", "LIKE", etc.,
and then selecting Parameter. When this is done, this field does not allow
the special words.
v If creating a query condition with a DYNAMIC GROUP type operator (IN,
NOT IN, IN ALIAS, etc.), this field does not allow the special words.
5. For a group operator, select a group from the list that appears to the right of
the operator.


For most other operators, you must supply a value for the condition, or
indicate that a runtime parameter value (not containing '!!') will be supplied
later (when the query is executed). In these cases, a drop-down with three
options appears to the right of the operator. Do one of the following:
v Select Value and enter an exact value in the box to the right.
v Select Parameter and enter a name for the runtime parameter in the box to
the right (the name must not contain spaces).
v Select Attribute and select another attribute to match the selected one (for
example, this can be used to test for local traffic by matching the client and
server IP addresses).
There is an Add Expression icon to the right of the Value, Parameter, Attribute
selections. Use this icon to enter Query Conditions including user-defined
string and mathematical expressions.
Use this feature where the user needs to add a condition that is based not on
the entire content of the attribute as is, but on part of the attribute, a function
of the attribute, or a function that combines more than one attribute.
An example is INSTR(:attribute, '150.1') = 5, which will return all instances of
Client IP matching the five characters listed. Type the character 5 in the entry
box next to the Add Expression icon. Type the INSTR(:attribute, '150.1')
expression in the separate Build Expression window, and test the validity of the
expression there. Another example is LENGTH(:attribute) >= 40, which will return
any SQL statement whose length is 40 characters or more. The expression may (or
may not) contain references to the actual attribute and can also contain references
to other attributes.
6. When you are done adding all conditions, remember to save the definition.

Build Expression on Query condition


The Add Expression icon is to the right of the Value, Parameter, Attribute
selections.
Use this icon to enter Query Conditions including user-defined string and
mathematical expressions.
Use this feature where the user needs to add a condition that is based not on the
entire content of the attribute as is, but on part of the attribute, a function of the
attribute, or a function that combines more than one attribute.
An example:
Return the location of the string "150.1" within the value 192.150.1.x, where the
string "150.1" begins at the 5th character of the value. The string "150.1"
represents all instances of Client IP matching the five characters listed.
When the function in the Expression field is run, it returns a value, and that
value should be typed in the entry box.
Use the function INSTR(:attribute, '150.1') with the value 5 in the entry box next
to the Add Expression icon to return the records with "150.1" in the 5th position.
If the function is INSTR(:attribute, '150.1') = 5, it becomes a boolean phrase,
and the only valid values in the entry box are '0' or '1'.
Type the INSTR(:attribute, '150.1') expression in the separate Build Expression
window.
Test the validity of the expression in the Build Expression window.
Another example:
LENGTH(:attribute) >= 40, which will return any SQL statement whose length is 40
characters or more. The expression may (or may not) contain references to the
actual attribute and can also contain references to other attributes.
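The two expressions above, worked through against constructed sample rows in SQLite as an added example (not Guardium code). The column names client_ip and full_sql, the sample rows, and the way the expression's result is compared with the entry-box value are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows (client_ip, full_sql) standing in for collected
# Data Access records; not real data.
SAMPLE_ROWS = [
    ("192.150.1.7", "SELECT name, salary FROM employees WHERE id = 42"),
    ("10.150.1.9", "SELECT 1"),
    ("192.168.2.18", "UPDATE accounts SET balance = balance - 100 WHERE id = 7"),
]


def expression_condition(expression, column, operator, entry):
    """Render a Build Expression condition as one SQL predicate.

    ':attribute' in the expression stands for the attribute the condition
    was added for (assumed here to map to a column). The expression's
    result is compared with the entry-box value using the chosen operator.
    A plain function such as INSTR(:attribute, '150.1') is compared with a
    position (5); a boolean phrase such as INSTR(:attribute, '150.1') = 5
    evaluates to 0 or 1, so the entry box can only hold '0' or '1'.
    """
    rendered = expression.replace(":attribute", column)
    return f"({rendered}) {operator} {entry}"


def matching_client_ips(predicate):
    """Return the Client IP of every constructed row the predicate selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data_access (client_ip TEXT, full_sql TEXT)")
    conn.executemany("INSERT INTO data_access VALUES (?, ?)", SAMPLE_ROWS)
    rows = conn.execute(
        f"SELECT client_ip FROM data_access WHERE {predicate} ORDER BY rowid"
    ).fetchall()
    conn.close()
    return [ip for (ip,) in rows]


# INSTR(:attribute, '150.1') with 5 in the entry box: "150.1" at the 5th character.
POSITION_FIVE = expression_condition("INSTR(:attribute, '150.1')", "client_ip", "=", "5")
# The same test as a boolean phrase; the entry box now takes 1 (true) or 0 (false).
BOOLEAN_TRUE = expression_condition("INSTR(:attribute, '150.1') = 5", "client_ip", "=", "1")
BOOLEAN_FALSE = expression_condition("INSTR(:attribute, '150.1') = 5", "client_ip", "=", "0")
# LENGTH(:attribute) >= 40 selects statements of 40 characters or more.
LONG_SQL = expression_condition("LENGTH(:attribute) >= 40", "full_sql", "=", "1")

if __name__ == "__main__":
    for label, predicate in [("position 5", POSITION_FIVE), ("boolean true", BOOLEAN_TRUE),
                             ("boolean false", BOOLEAN_FALSE), ("long SQL", LONG_SQL)]:
        print(label, "->", predicate, matching_client_ips(predicate))
```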

Groups of Types other than Types defined in Attribute


Validation on group type is often restrictive. See Groups on page 43 for examples
of group types. In the Query Conditions pane of the Query Builder, a group of a
type other than the type defined for the attribute can be used in the group
condition. These additional choices are available only for the operators IN GROUP
and IN DYNAMIC GROUP. The selection of a type other than the type defined for
the condition is made in the Run-time Parameter of the tabular report.
1. As admin user, go to Tools > Group Builder to create a group. Specify a
Group Name and choose OBJECTS for Group Type.
All others, go to Comply > Group Builder to create a group. Specify a Group
Name and choose OBJECTS for Group Type.
2. As admin user, go to Tools > Report Building > Access Tracking and click on
the New button.
All others, go to Comply > Access Tracking Builder and click on the New
button.
3. Specify a query name and click on the OBJECT folder from the Entity List in
order to see more choices.
4. Highlight Object Name and left-click once in order to get the ADD
CONDITION choice. Click Add Condition so that a line is added to the Query
Conditions section in the main body of the menu screen.
5. Go to the drop-down selection beside the attribute Object Name and choose,
in the Operator column, IN GROUP or IN DYNAMIC GROUP. In the second
drop-down selection at the far right (Run-time Parameter column), choose the
group that you created in step 1.
6. Save your work. Click on the Generate Tabular button and then click on the
Add to My New Reports Pane button.
7. Go to the My New Reports tab and highlight the report you created in step 3.

8. Click on the Customize button next to the report name at the top of report.
This opens a tab called Customize Portlet (Run-time Parameters).
9. Just below the heading Run-time Parameters is the name you gave to
Run-time Parameters in the Query Conditions section of the Query Builder.
Open up the drop-down selection and the groups of the type corresponding to
the entity being tested will appear at the top of the list, then a double dash
line, and then the rest of the groups. This is where different groups can be
selected.
10. Save your work by clicking Update.


Table 16. Buttons
Buttons   Steps
Remove    1. Select the query to be deleted.
          2. Click the Remove button.
Clone     1. Select the query to be cloned.
          2. Click the Clone button.
          3. Enter a new name for the cloned query.
Roles     See Manage Roles on page 719. Assigning roles to reports while in Query
          Builder (Tracking) only assigns the role to the Query, not the report. Assign
          roles to reports in Report Builder. See Reports on page 103.
Save      Click Save when you have finished all the tasks required on the menu screen.
Back      Move back between menu screens of a multi-screen Guardium task or
          function using the Back button at the bottom of each screen. The back arrow
          in the web browser does not work for navigation between menu screens.

See the section below "Generate a Tabular Report Quickly" for further information
on the Generate Tabular, Regenerate, Add to Pane and Add to My New Reports
buttons.

Open the Query Finder


There is a separate Query Builder for each reporting domain, so it is important to
open the correct Query Builder. Otherwise, you will not see the information you
want! All domains are described in the Domains topic of the Domains, Entities and
Attributes Appendix.
After determining which domain to use, do one of the following to open the Query
Finder for that domain:
v Users with the admin role: Select Tools > Report Building, and then select one of
the Query Builders from the menu. The Query Builders all end with the word
Tracking (Access Tracking, for example).
v All Others: Select Monitor/Audit > Build Reports, and select one of the Query
Builder buttons from the left column of the panel.
Either one of these options opens the Query Finder for the selected domain. If not,
see the Problems topic, just below. Otherwise return to the top of this topic to
begin defining a new query, or modifying an existing one.

Problems opening or finding the Query Builder?


If you attempt to open a Query Builder for which your Guardium account is not
authorized, you will receive an error message:
Error: You do not have the privileges to run this application.

Check with your Guardium administrator if you receive this message, but believe
you should have access to the domain.
If you do not see the Query Builder you want to use, you may need to add it to a
custom tab. Not all Query Builders are included on the default user layout. See
Customize the Portal on page 63 for instructions on how to add a Query Builder
to your layout.

Search for a Query


To locate and view a query definition in the Query Builder, there are several
options:
1. Use the Query Finder - see Use the Query Finder, below
2. From a report portlet based on the query, click Edit this Report's Query in the
tool bar at the bottom of the report.
3. If the query is used in a report on your portal, and you know some portion of
the report name, use the Portal Search tool, and then open the query as
described in item 2 above. See Search for a Report in the Reports topic.
4. From the Customize Portlet panel for a report based on the query, click Edit
this Query beside the query name at the top of the panel.

Use the Query Finder


1. Open the Query Finder for the appropriate domain (see Open the Query
Finder, above).
2. Optional. If you know the Main Entity for the query, select it from the list.
3. Click Search.
v If there is only one query defined for the selected Main Entity, that query
opens immediately in the query definition panel.
v If there are multiple queries defined for the selected Main Entity, or if no
Main Entity was selected, a list of queries will display in the Query List
panel.
v If a Main Entity was selected for which no queries have been defined, you
will be informed.
4. Do one of the following:
v To open the Query Builder panel for one of the listed queries, click on it.
v To define a new query, click New.

Create a Query
1. Open the Query Finder for the appropriate domain (see Open the Query
Finder, above).
2. Click the New button to open the New Query Overall Details panel.
3. Type a unique query name in the Query Name box. Do not include apostrophe
characters in the query name.
4. Select the main entity for the query from the Main Entity list. Remember that
the main entity controls the level of detail that will be available for the query,
and that it cannot be changed. Basically, each row of data returned by the
query will represent a unique instance of the main entity, and a count of
occurrences for that instance.
5. Click the Next button. The new query opens in the Query Builder panel. To
complete the definition, see one of the following topics:
v Query Builder Overview
v Modify a Query

Modify a Query
1. Open the Query Finder for the appropriate domain (see Open the Query
Finder, above).
2. Use the Query Finder to open the query to be modified.

3. Refer to the Query Builder Overview topic above to modify any component of
the query definition.

Clone a Query
1. Open the Query Finder for the appropriate domain (see Open the Query
Finder, above).
2. Use the Query Finder to open the query to be cloned.
3. Click the Clone button at the bottom of the panel. The original query name will
be replaced by a text box.
4. Type a unique name for the cloned query in the text box. Do not include
apostrophe characters in the query name.
5. Click the Save button at the bottom of the panel.
6. To complete the definition, see one of the following topics:
v Query Builder Overview
v Modify a Query

Remove a Query
1. Open the Query Finder for the appropriate domain (see Open the Query
Finder, above).
2. Use the Query Finder to open the query to be removed.
Note: You cannot remove a query that is being used by some other component.
To delete such a query, you must first delete all components that use it (reports
or correlation alerts, for example). When attempting to delete a query, the
reports and correlation alerts dependent on the query will be listed.
3. Click the Delete button near the bottom of the panel. You will be prompted to
confirm the action.

Generate a Tabular Report Quickly


Once a query has been defined, there are several options for adding a tabular
report based on that query to an existing menu layout, quickly. These options
apply only for tabular reports, and those reports can only be added to menu
layouts.
1. Open the Query Finder for the appropriate domain (see Open the Query
Finder, above).
2. Use the Query Finder to open the query to use for the report.
3. Do one of the following:
v To add a tabular report to the end of an existing menu layout, first click the
Generate Tabular button and then the Add to Pane button, both at the bottom
of the panel. Then navigate to the desired menu layout, and click on it. To redo
an existing tabular report, click on the Regenerate button.
v To add a tabular report to the My New Reports tab, click the Add to My New
Reports button at the bottom of the panel. (If no tabular report portlet has been
generated yet for the query, you will need to click the Generate Tabular button
first.)
Note: The default user portal contains a My New Reports pane, but the default
admin portal does not. If your portal does not contain a My New Reports pane,
you will receive an error message. In that case, you can create this pane
anywhere on your portal (see Customize the Portal on page 63). If you create
a My New Reports pane, be sure to:
v Use the exact spelling shown.
v Define the pane with a Menu pane layout.
To see meaningful data in the tabular report within the My New Reports pane,
click on the Customize button next to the title of the tabular report to access the
run-time parameters (adjust the From and To times).

Reports
A report defines how the data collected by a query is presented.
The default report is a tabular report that reflects the structure of the query, with
each attribute displayed in a separate column. All presentation components of a
tabular report (the column headings, for example) can be customized using the
Report Builder. All graphical reports are defined using the Report Builder. In
addition to the from and to dates (Query From and Query To), parameters and
values can now be displayed between the top of the page and the start of the table
in all reports.
Before using the Report Builder, create a query using the Query Builder. See
Queries on page 91.
The fastest way to create and view a report is by using the steps in this topic for
Create a Report, then Place a Report on a Pane and then View Reports.

Report Size Limitation


Tabular reports are limited to 5,000 rows of output, but when included in a
workflow process, any number of rows can be exported from the report task to a
CSV or CEF file. See Compliance Workflow Automation on page 255.

Find a Report for Editing


To access a report definition, your Guardium user account must be assigned a
security role that is also assigned to that report definition. Reports that you cannot
access will not display in a list of reports.
Do one of the following to open the Report Finder:
v Users with the admin role: Select Tools > Report Building > Report Builder.
v All Others: Select Monitor/Audit > Build Reports > Report builder.
Search for a report by taking one or more of the actions described below. The
results display in the Report Search Results panel.
v To locate a specific report, select that report from the Report Title list. The
selected report will display immediately in the Report Search Results panel.
For the remaining types of search, click the Search button after making entries in
one or more fields, or just click the Search button to list all reports available for
your Guardium account.
v To list all reports that use a specific query, select that query from the Query list.
v To list monitor reports only, mark the Monitor box. Monitored reports are those
that aggregate counts over consecutive periods of time. These reports have an "is
monitored" checkbox, which can be turned on and off. At the same time, there
are reports that can never be monitored, due to the nature of their contents. For
those reports, the "is monitored" checkbox is never visible.
v To list all reports for a specific chart type, select it from the Chart Type list.
If the search locates any reports, they display in the Report Search Results panel.
Click any of the following buttons:
v New - See Create a Report.
v Clone - See Clone a Report.
v Modify - See Modify a Report.
v Roles - See Security Roles. Assign roles to reports in Report Builder. Assigning
roles to reports while in Query Builder (Tracking) only assigns the role to the
query, not to the report.
v Remove - See Remove a Report.
v Comment - See Comments.
v Add to My New Reports - See Generate a Tabular Report Quickly, under the
Queries topic.
v Add to Pane - See Generate a Tabular Report Quickly, under the Queries topic.
v Regenerate Portlet - Click this button after changing the runtime parameters for
the query on which the report is based.
v API Assignment - See API Assignment.
v Drilldown Control - See Modify the Drill-Down Reports Menu for a Report.

Create a Report
1. Do one of the following to open the Report Finder:
v Users with the admin role: Select Tools > Report Building > Report Builder.
v All Others: Select Monitor/Audit > Build Reports > Report builder.
2. Click the New button to open the Create Report panel.
3. From the Query list, select the query to be used by the report (for example,
Guardium Logins).
4. Enter a unique name for the report in the Report Title field.
5. Do one of the following:
v To create a default tabular report (default column headings, runtime
parameter prompts, etc.), click the Generate Tabular button and continue
with Create a Default Tabular Report, below.
v To customize presentation components, click the Next button and continue
with Customize the Report Presentation, below.

Create a Default Tabular Report


Follow the step procedures to create a default tabular report.
1. To add the report to the My New Reports layout, click Add to My New
Reports.


Help Book Guardium V9.0

2. To add the report to any other layout, navigate to that layout, click the
Customize button, and refer to the Portal Customization topic in the Common
Tools book for instructions on how to add a portlet to a layout.
3. To use the report in an Audit Process, see Compliance Workflow Automation on
page 255.
4. Optionally assign roles to the report (see Manage Roles on page 719).

Customize the Report Presentation


Follow the step procedures to customize the report presentation.
1. In the Report Column Descriptions panel,
v Optionally override the Report Title. The default is from the report definition
(see above). You can modify the title on most subsequent panels.
v Optionally override any Column Description (the column headings).
2. Click the Next button to open the Report Parameter Description panel, and
optionally override any parameter description.
3. Click the Next button to open the Report Attributes panel:
v Optionally enter a Refresh Rate (in seconds) for the report. The default value
for refresh rate is zero.
v Mark the Tabular or Chart button.
v Click Next. If creating a graphical report, go to Create a Graphical Report
below to complete the graphical report definition.
4. In the Report Color Mapping pane for a tabular report, set the background fill
color for each column to have special coloring, as follows:
v Select a column from the Column list.
v Select an operator from the Operator list. The choices are =, IN GROUP, or
NOT IN GROUP for tabular reports and >= and <= for graphical (for
example, bar chart) reports.
v In the Value column, enter a specific value (a number or a user name), or if
IN GROUP or NOT IN GROUP has been selected as the operator, select the
group from the list. Without a value chosen, there will be no results in the
report table.
v Click on the Color box and select the color you want from the pop-up Color
Picker window. It is recommended to choose light colors so text can be seen
through the color chosen.
v Click the Add button.
Note: Colors will be visible when viewed in My New Reports, when viewed
as a PDF, and when the report is used in the Audit process.
5. Click the Next button to open the Submit Report panel, and continue with the
Submit Report Definition procedure, below.

Create a Graphical Report


Follow the step procedures to create a graphical report.
1. Follow the previous steps in Customize the Report Presentation for Report
Column Descriptions, Report Parameter Descriptions and Report Attributes.
2. In the Report Chart Type panel, select a Chart Type. The choices are Area,
Bar, Bar Area, Bar Line, Column, Date Area, Date Column, Date Line,
Distributed Label Line, Individual Bar, Individual Column, Line, Pictogram,
Pie, Polar, Speedo and Stack Bar. Choose one and click Next.
There is a preview function at the next menu screen, Presentation Parameters.
Use this preview function to review the different chart types. Pie, Polar,
Speedo and Stack Bar are recommended. Examples of other chart types are
presented after the step procedures.
Move back and forth between menu screens using the Back and Next buttons
at the bottom of each screen. The back arrow in the web browser does not
work for navigation between Guardium screens.
3. If working with a report that can also be a monitor, the Report Observations
Parameter panel displays (if it does not display, skip to the next step):
v In the Number of Observations box, enter the number of observations to
display.
v Click the Next button to continue to the Report Chart Type panel.
4. If the Report Chart Type panel is not displayed, skip this step (all necessary
data has been entered). Select the type of chart for the report from the Chart
Type list.
5. Click the Next button to open the Report Presentation Parameters panel.
v Review the parameters, which will vary for each type of chart.
v Optionally override any of the default settings for the chart type selected.
v Optionally click the Preview button to display the chart layout with the
current parameters selected. Repeat this process until the chart has the
desired attributes.
Note: When graphical reports are exported for use on other systems, the
presentation parameter settings (for example, colors, fonts, titles, etc.) are not
exported. Graphical reports that are imported use the default presentation
parameter settings for the Guardium system doing the importing.
6. Click the Next button to continue to the Submit Report panel, and continue
with the Submit Report Definition procedure, below.
Note:
A refresh icon appears in all graphical reports next to the help icon. See below for
Refresh Report Data icon colors.
Selecting a graphical report for a report task in Audit Process Builder displays
it as a tabular report. A graphical report is displayed graphically only when it
is added to a pane. See the Place a Report on a Pane section below.

Submit Report Definition


1. Optionally add comments (see Comments).
2. Optionally assign roles (see Security Roles).
3. Click the Save button.

Examples of Graphical Report Displays


The following seven examples of graphical reports demonstrate how to display the
collected data.


1- Area

This illustration is an Area graph using the 'Number of db per type' query. The
query has a count and two fields - client-server IP (joined pair) and server type.
The resulting chart has server types on the x-axis, count (of each type) on the
y-axis, and two datasets: one showing the number of servers for each type, the
second the number of different clients connecting to those servers.

2- Bar

This illustration has the same information as 1-Area, with a Bar chart type. Note
the graph is rotated so that the x-axis is vertical and y-axis horizontal, but this is
merely a configurable display preference.

3- Column

The Column illustration is very similar to the Bar type. Default rotation has it
with the x-axis on the bottom as shown here. For this chart, the showLegend
was turned on. It is off by default.

4- Date Line does not work for a non-date X axis

Using the same query as before, we see Date Line chart type does not work. This
is expected, based on the information used.

5- Label Line

Using the same query information, this Label Line chart type works fine as it is not
expecting ascending dates along the x-axis.

6- Pie cannot plot two datasets

Using the same query as before does not work for Pie type. This is because there
are two datasets (client counts and server counts). We would need two pie charts
to display that much information properly.

7- Pie chart with a single dataset

After cloning and modifying the query from before, deleting the second query
field, we now have just a single dataset and the Pie type can display appropriately.
The biggest thing to know is that when the independent variable (the x-axis) is
time, many chart types do not make sense and do not work. This usually leaves
the user with an empty portlet.
For the three "Date" chart types, Date Line, Date Area (line graph filled
underneath), and Date Column (a bar graph), if the x-axis is NOT time, the chart
will not work.
Outside of the date axis, there are a few other considerations for certain chart
types. The Pie chart example above illustrates one of these. Pie charts can only
handle one dataset.
Another example of limitation is when using the Speedometer (Speedo) chart. Not
only is a Speedo limited to one dataset, but it is also restricted to only show one
data point (y value).
To use a Speedo chart while reusing the single-dataset version of the query
from 7-Pie, we would have to add a strict condition so that the query could
only return one count. For example, adding a condition of db type = ORACLE
to the query would provide data that is valid for a Speedo type chart.

Bar Area and Bar Line


Bar Area is a chart that layers bars over areas with shared axes.
Bar Line is a chart that layers lines over bars with shared axes.
Note: Graphical charts cannot display double byte character sets (DBCS).


Modify a Report
1. Find the report to be modified. See Find a Report for Editing, above.
2. Click the Modify button to open the Report Columns panel.
3. Continue with Customize the Report Presentation, above.

Clone a Report
1. Find the report to be cloned. See Find a Report for Editing, above.
2. Click the Clone button to open the Report Columns panel.
3. Enter a new name for the cloned report, in the Report Title box. You can enter
the new name on any of the subsequent screens - the only requirement is that
the new name must be entered before the cloned report can be saved.
4. Continue with Customize the Report Presentation, above.

Remove a Report
Be aware that you cannot remove predefined reports, and you cannot remove
reports that are used in Audit Processes.
1. Find the report to be removed. See Find a Report for Editing, above.
2. Click the Delete button to remove the report.

Place a Report on a Pane


Once a report has been saved and a portlet generated, follow the procedure
outlined below to place the report on a pane. All run-time parameters are empty in
a report definition. Therefore, after placing a report on a pane, you need to set
run-time parameters for the report before it will be populated with data (see Set
Report Parameters, below).
For more comprehensive information about customizing your portal by defining
tabs, menus and portlet layouts, see Portal Customization in the Common Tools
book.
To place a report on a pane:
1. As a user with the admin role, select Customize at the top of the menu screen.
Follow steps 3 - 8 below.
2. As a non-admin user, select Monitor/Audit > Build Reports, and click the Place
report on portal page button. Follow steps 3-8 below.
3. The Customize Pane panel displays. Click the Add Pane button. You are
prompted to supply a name. Enter a new name, and click the Apply button.
The new pane is added to the list of panes. To place a portlet on the new pane,
click its name to open the Customize Pane panel for this pane.
4. Click the Add Portlet button to open a list of all portlets available. Optionally
use the Filter portlets by category button to limit the number of portlets
displayed. If there are more portlets than can be displayed on a single page,
scroll through the list of portlets using Previous and Next buttons at the bottom
of the panel.
5. Mark the checkbox beside the portlet you want to include on the pane, and
click the Apply button. This action places the portlet in the default location
for the pane being customized.
6. Click the Save and Apply button, which returns to the list of panes in the
Customize Pane panel.


7. Click the Apply button to save the modified pane. The new pane name will
appear as a new tab.
8. Click on the new tab to open the new pane. This pane contains only the portlet
that was just added. As mentioned earlier, when placing a portlet on a page, all
run-time parameters are empty, including the date range for the report. To run
the report, you will need to set the date range and possibly set other run-time
parameters.
Note: From a Central Manager portal you can view reports that use data on a
managed unit. If the managed unit becomes unavailable (due to a network
outage, for example), the pane on which the report resides cannot be re-drawn.
For this reason, when using remote data sources for a report, it is best to use a
menu layout, with one report per menu entry, so that the unavailability of one
remote source does not prevent any other reports from being displayed.

Set Report Parameters


There are two types of report parameters:
v A run-time parameter provides a value to be used in a query condition. There is
a default set of run-time parameters for all queries (see the table below), and
any number of run-time parameters can be defined in the query used by the
report (see Query Conditions Overview under Queries on page 91).
v A presentation parameter describes a physical characteristic of the report; for
example, whether a graphical report includes a legend or labels, or what colors
to use for an element. All presentation parameters are provided with initial
settings when you define a report.
To set report parameters:
1. Click the Customize button on the report tab.
2. In the Customize Portlet panel, enter run-time and presentation parameters in
the boxes provided, as necessary for the task to be performed.
3. Click the Update button at the bottom of the panel.

Standard Run-time Parameters


The following run-time parameters are present for all reports.

Run-time Parameter    Default and Description

QUERY_FROM_DATE       None for a new report, varies for default reports. The
                      starting date for the report is always required.

QUERY_TO_DATE         None for a new report, varies for default reports,
                      though the default is almost always NOW. This is the
                      ending date for the report, and is always required.

REMOTE_SOURCE         None. In a Central Manager environment, you can run a
                      report on a managed unit by selecting that Guardium
                      appliance from the Remote Data Source list.

SHOW_ALIASES          None (meaning the system-wide default will be used).
                      Select the On button to always display aliases, or the
                      Off button to never display aliases. Select the default
                      button to revert to the system-wide default (controlled
                      by the administrator) after either the On or Off button
                      has been used.

Standard Presentation Parameters (Tabular Report)


For tabular reports, there are two standard presentation parameters, and these are
described in the table below. For graphical reports, there are many additional
presentation parameters, but the set used varies depending on the type of graph
being produced (bar chart, pie chart, etc.). Those are not described here.
Presentation Parameter    Default and Definition

fetchSize                 20. The number of rows to display in the report
                          portal panel.

refreshRate               0 (zero). The number of seconds after which the
                          data is to be refreshed. Zero means that the data
                          will not be refreshed.

View Reports
To view a report, select the tab or menu entry for the report.
Note:
In reports that display Oracle information, a '?' (question mark) character
occasionally appears to indicate that the login information was not available,
and the number "-1" signifies that an unknown number of records were affected.
All Oracle sessions are recorded, even those with missed logins.
If Data User Security is enabled through the Global Profile, check boxes are
displayed that allow users to toggle rows in the result set according to the
filtering defined.
While viewing the report, the following options are available:
v Find a Report on the Portal
v Modify the Drill-Down Reports Menu for a Report
v API Assignment
v View Drill-Down Reports
v Refresh Report Data
v Re-Sort Tabular Data
v Download Report Data to a CSV or PDF File
v Print a Report
v Open Query for Editing from Report Portlet

Limits
The limit for the buttons when viewing a report (generate PDF, generate CSV, and
printable) is 30,000 rows. This is non-customizable.
The limit for the Populate From Query in Group and Alias Builder when run via
Run Once Now is 5,000 rows. This is non-customizable.
The limit for the Populate From Query in Group and Alias Builder when run via
Scheduling is 20,000 rows. This limit is customizable, via the CLI command,
show/store populate_from_query_maxrecs.

Find a Report on a Portal


To locate a report portlet that has already been placed on the portal, use either of
the following tools in the upper right portion of the portal:
Tools            Description

Portal Search    Opens a search window. Enter the report or application name,
                 or part of the name, in the text box, and click the Search
                 button. Then click on any of the displayed portlets to
                 navigate to that portlet in the main window.
                 Hint: This search operation searches for each word that you
                 enter separately. To limit the list of portlets returned,
                 enter only the most important word or words from the name
                 of the portlet you are looking for.

Portal Map       Opens a graphical map of your portal. Navigate the tabs and
                 menu entries as you would with a directory listing.

Modify the Drill-Down Reports Menu for a Report


By default, the drill-down menu for a report includes all reports with run-time
parameters that can be supplied by attributes from the report, given the usual
security role restrictions. To disable or enable any reports on the drill-down menu
for a report:
1. Locate the report (see Find a Report for Editing, above).
2. Click the Drilldown Control button to open the report's Drilldown Control
panel.
3. Mark the checkbox for any report to be disabled, or clear the checkbox for any
report to be enabled.
4. Click the Apply button. The system displays a message saying your changes
were applied successfully.
5. Click the Done button when you are finished.

API Assignment
By default, the Guardium application comes with setup data that links many of the
API functions to reports, providing users, through the GUI, with "prepared" calls
to APIs from reporting data. Use API Assignment to link additional API functions
to predefined Guardium reports or custom reports.


For more information on using linked API functions, see the documentation on
GuardAPI Input Generation.
1. Locate the report (see Find a Report for Editing, above).
2. Click the API Assignment button to open the API Assignment panel, which
shows the API functions currently mapped to the selected report.
3. Click on an API function to display a pop-up window of the current API to
Report Parameter Mappings. It shows the API parameters, whether each
parameter is required, any default values, and whether any of the report
fields are currently mapped to those parameters.
If there are no fields in the report that are linked to API parameters it may be
irrelevant to link an API function to a report. The mapping of API parameters
to report fields can be accomplished through both the GUI and the Guardium
CLI. For additional information on mapping API parameters to report fields,
see Mapping GuardAPI Parameters to Domain Entities and Attributes in the
GuardAPI Input Generation section of the Appendices help book.
4. Click the greater-than sign '>' to add the selected API function to the current
list of functions assigned to this report.
5. Click the Apply button to save the changes.

Refresh Report Data


There are several ways to refresh report data on the portal:
v Click the Refresh button on the toolbar at the bottom of the report.
v Click the tab title or the menu entry for the pane containing the report, or do
anything else to navigate away from the pane and back to it, taking care not to
click the Customize button on a tab, menu or report, since that opens the
Customize Portlet panel.
v Use any toolbar button to print a report, download report data, or write the
report to a PDF file (the report data will be refreshed before performing any of
these actions).
v Set a time interval for periodic refreshing, by setting the refreshRate parameter
value in the Customize Portlet panel. To perform this task:
  1. Click the Customize button on the report title tab.
  2. In the Customize Portlet panel, set the refreshRate parameter to the
  number of seconds after which the report data is to be updated. The
  default value of zero indicates that the report data will not be refreshed
  on a scheduled basis.
  3. Click the Update button.

Refresh Rate of Reports


When you view a report that has a non-zero Refresh Rate, the color of the Circular
Arrows Refresh icon for this report is green, indicating that the report is refreshing
itself automatically.
At a certain point, the report will stop refreshing if no further changes are made to
the report and the color of the refresh icon will turn from green to red. The point
in time where the color changes is equal to half of the GUI session timeout (which
can be found by running "show session timeout" in CLI).
For example, if the session timeout is the default 900 seconds, the Circular Arrows
Refresh icon on the Request Rate report (found under System View, admin user)
will be green for 450 seconds, then will turn red.

Re-sort Tabular Data


To change the sorting sequence of tabular data, click the column label for the
column to be used as a sort key. The data will be re-displayed, sorted in ascending
sequence on the column selected. To sort the data in descending sequence, click the
column heading a second time.
Note that sorting is always performed on the actual data values, ignoring any
aliases that may have been defined.

View Drill-Down Reports


To determine if drill-down reports are available for a report displayed on the
portal, hold the mouse pointer over any row of data on the report. If drill-down
reports are available, the message Double click for drill down and record details
displays.
To be available as a drill-down report:
v All of the run-time parameters for the drill-down report must be available from
the report being viewed.
v If security roles have been assigned, you must have access to the drill-down
report.
On the popup menu for a default tabular report, all of the reports that satisfy the
above criteria will be available, but the person defining the report (using the report
builder) can limit what drill-down reports will be included in the drop-down
menu.
To open a drill-down report for any row of data:
1. Double-click on that row.
2. Select a report from the popup menu.
In addition to any user defined or pre-defined reports that may be available, the
popup menu may contain several additional items, as follows:
v Record Details - A special report that displays the details of what is being
counted, either for the main entity, or if sub totaling is being performed by
group type, for each group member.
v Alias Definition - If aliases are enabled for the report, this drill-down menu
selection opens the alias Quick Definition window, which allows you to define
an alias for any value displayed.
v Show SQL, or Show SQL with Values - If the inspection engine has been
configured to capture values, complete SQL statements (including values
representing potentially sensitive information) will be displayed. If the
inspection engine or the policy rule (depending on the situation) is not
configured to capture values, no values can be displayed.
In many cases, you can continue to drill down to get additional information.

Download Report Data to a CSV or PDF File


There are several options for downloading tabular report data to a CSV
(comma-separated value) file or a PDF file. The buttons described below are
located on the toolbar at the bottom of the report panel.


v Click Download displayed records to download the data currently displayed on
the portal, in CSV format.
v Click Download All Data to download the entire report, in CSV format.
v Click Download PDF File to download the entire report. Adobe Acrobat Reader
is required to view PDF files.
Note:
Each time the Download All Data or Download PDF File button is clicked, the
report data is refreshed.
When generating a large PDF, either increase the GUI timeout or generate the
PDF through an audit process, to avoid a GUI timeout and an unsuccessful PDF
generation.
If "Compress" is checked under this task and "Download All" is clicked, the
resulting file will be compressed. If "Compress" is checked under this task, and
"Download Displayed Records" is clicked, the resulting file will not be compressed.
Displayed Records is always small, so there is no need to compress this file.

Print a Report
Follow the steps to print a report.
1. Do one of the following to reformat the report data in a separate window:
v To print only the data displayed on the page, click the Print Friendly Format
button on the report tab.
v To open the complete report in a separate window that is formatted for
printing, click the Full Printable Report button on the toolbar at the bottom
of the report.
2. Do one of the following:
v For any report, use your browser Print command to print the report.
v For a tabular report, click the Print Page button in the upper right corner of
the report.

Open Query for Editing from Report Portlet


1. Open a report portlet for any report based on the query to be edited.
2. Click Edit this Report's Query in the tool bar at the bottom of the report. You
must be authorized to modify the query that the report is based upon.

How to Access Predefined Reports


At installation time the Guardium appliance is configured with a number of
predefined reports.
Predefined reports are described in the following help topics.
Use search to go to the specific report directly or work through these topics
indirectly:
v Predefined admin Reports
v Predefined user Reports
v Predefined Reports - Common


External Data Correlation


This topic covers the Custom Domain Builder/Custom Query Builder/Custom
Table Builder selections under Tools > Report Building (admin user) and under the
Comply tab (user).
Many customers have valuable information in many different databases in their
environment. Correlating that information in an audit report makes the report
easier to understand and more useful. External Data Correlation allows users to
create custom tables on the Guardium appliance for enterprise information that is
needed in addition to the existing Guardium internal data. A custom table can be
populated either manually within the GUI or from an existing table on a database
server. Queries and reports can then be created for this information just as if it
were pre-defined data.
There is a distinction between a custom table, a custom domain, and a custom
query. Use the hyperlinks above for information and step processes on these
different Guardium functions.
For example, perhaps a table exists on a database server containing all employees,
their database usernames, and the department to which they belong (for example,
Development, Financial, Marketing, HR, etc.). If the customer were to upload this
table and all its data, they could cross-reference this table with Guardium's
internal tables to see, for example, which employees from Marketing are accessing
the financial database (which may constitute suspicious activity).
For an example, see "How to incorporate external security within Guardium
security" in the How-to Guide.
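The cross-reference described above, as an added example that is not code from the Guardium help book: an uploaded employee table is joined against captured database-access records in an in-memory SQLite database with constructed sample rows. The table names (employees, access_log), column names and the sample data are assumptions, not Guardium's internal schema. The second query reports database users that the uploaded table does not cover, since an inner join would silently drop them.

```python
"""Added example, not code from the Guardium help book: the cross-reference the
text describes, an uploaded employee table joined against captured database
access, done here in an in-memory SQLite database with constructed rows. The
table and column names are assumptions, not Guardium's internal schema."""
import sqlite3

# Constructed stand-in for the customer's HR table. Columns use only types the
# help book lists as supported for custom tables (INTEGER, VARCHAR).
EMPLOYEES = [
    (1, "jsmith", "Marketing"),
    (2, "ahuang", "Financial"),
    (3, "bkumar", "Marketing"),
    (4, "cdiaz", "Development"),
]

# Constructed stand-in for captured access records: (db user, server, database).
ACCESS_LOG = [
    ("jsmith", "10.0.0.5", "FINANCE_DB"),
    ("ahuang", "10.0.0.5", "FINANCE_DB"),
    ("bkumar", "10.0.0.7", "CRM_DB"),
    ("jsmith", "10.0.0.5", "FINANCE_DB"),
    ("cdiaz", "10.0.0.9", "BUILD_DB"),
    ("svc_batch", "10.0.0.5", "FINANCE_DB"),   # no HR row: a service account
]


def build_db() -> sqlite3.Connection:
    """Load both tables into a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (emp_id INTEGER, db_user VARCHAR(64), "
                 "department VARCHAR(64))")
    conn.execute("CREATE TABLE access_log (db_user VARCHAR(64), "
                 "server_ip VARCHAR(15), db_name VARCHAR(64))")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO access_log VALUES (?, ?, ?)", ACCESS_LOG)
    return conn


def cross_department_access(conn, department, db_name):
    """(db_user, access count) for users in `department` who touched `db_name`,
    i.e. the 'Marketing employees accessing the financial database' question."""
    sql = """
        SELECT a.db_user, COUNT(*) AS accesses
        FROM access_log a
        JOIN employees e ON e.db_user = a.db_user
        WHERE e.department = ? AND a.db_name = ?
        GROUP BY a.db_user
        ORDER BY a.db_user
    """
    return conn.execute(sql, (department, db_name)).fetchall()


def unmapped_users(conn):
    """Database users seen in traffic with no row in the uploaded table. An inner
    join silently drops these, so report them rather than let them disappear."""
    sql = """
        SELECT DISTINCT a.db_user
        FROM access_log a
        LEFT JOIN employees e ON e.db_user = a.db_user
        WHERE e.db_user IS NULL
        ORDER BY a.db_user
    """
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = build_db()
    print(cross_department_access(conn, "Marketing", "FINANCE_DB"))
    print(unmapped_users(conn))
```

The unmapped-user check matters in practice: service accounts and shared logins rarely appear in an HR table, and a report built only on the inner join would show no activity for them at all.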

Custom Tables
A custom table contains one or more attributes that you want to have available on
the Guardium appliance. For example, you may have an existing database table
relating encoded user names to real names. In the network traffic, only the
encoded names will be seen. By defining a custom table on the Guardium
appliance, and uploading data for that table from the existing table, you will be
able to relate the encoded and real names.
Before defining a custom table, first verify that the data you need from the existing
database is of a supported data type. A data type is supported if the underlying
JDBC driver reports it as one of the following SQL types: INTEGER, BIGINT,
SMALLINT, TINYINT, BIT, BOOLEAN, DECIMAL, DOUBLE, FLOAT, NUMERIC,
REAL, CHAR, VARCHAR, DATE, TIME, TIMESTAMP. The following table
summarizes some of the supported and unsupported data types for uploading to a
custom table.

Supported and Unsupported Data Types for Custom Tables

Table 17. Supported and Unsupported Data Types for Custom Tables

Oracle
  Supported: float number char varchar2 date nchar nvarchar2
  Unsupported: long clob raw nclob longraw bfile rowid urowid blob

DB2
  Supported: char varchar bigint integer smallint real double decimal date
             time timestamp
  Unsupported: blob clob longvarchar datalink

Sybase
  Supported: char nchar varchar nvarchar int smallint tinyint datetime
             smalldatetime
  Unsupported: text binary varbinary image timestamp

MS SQL
  Supported: bigint bit char datetime decimal float int money nchar numeric
             nvarchar real smalldatetime smallint tinyint smallmoney varchar
             uniqueidentifier
  Unsupported: text

Informix
  Supported: char nchar integer smallint decimal smallfloat float serial date
             money varchar nvarchar datetime
  Unsupported: text

MySQL
  Supported: bigint decimal int mediumint smallint tinyint double float date
             datetime timestamp time year char binary enum set
  Unsupported: longtext tinyblob tinytext blob text mediumblob mediumtext
               longblob
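The pre-flight check that the Custom Tables section asks for, as an added example that is not code from the Guardium help book: it takes a source table's column declarations as a DBA would list them (with lengths and precisions), normalizes the type names, and sorts each column into the supported or unsupported list transcribed from Table 17. A type in neither list is reported as unknown so it can be checked against the JDBC SQL types named in the text. The column list and the function names are constructed for the example.

```python
"""Added example, not code from the Guardium help book: a pre-flight check of a
source table's column types against the per-database lists in Table 17, run
before uploading a table definition. The column list is constructed input."""
import re

# Lists transcribed from Table 17 (lower-case, without length/precision).
SUPPORTED = {
    "oracle": {"float", "number", "char", "varchar2", "date", "nchar", "nvarchar2"},
    "db2": {"char", "varchar", "bigint", "integer", "smallint", "real", "double",
            "decimal", "date", "time", "timestamp"},
    "sybase": {"char", "nchar", "varchar", "nvarchar", "int", "smallint", "tinyint",
               "datetime", "smalldatetime"},
    "ms sql": {"bigint", "bit", "char", "datetime", "decimal", "float", "int",
               "money", "nchar", "numeric", "nvarchar", "real", "smalldatetime",
               "smallint", "tinyint", "smallmoney", "varchar", "uniqueidentifier"},
    "informix": {"char", "nchar", "integer", "smallint", "decimal", "smallfloat",
                 "float", "serial", "date", "money", "varchar", "nvarchar",
                 "datetime"},
    "mysql": {"bigint", "decimal", "int", "mediumint", "smallint", "tinyint",
              "double", "float", "date", "datetime", "timestamp", "time", "year",
              "char", "binary", "enum", "set"},
}
UNSUPPORTED = {
    "oracle": {"long", "clob", "raw", "nclob", "longraw", "bfile", "rowid",
               "urowid", "blob"},
    "db2": {"blob", "clob", "longvarchar", "datalink"},
    "sybase": {"text", "binary", "varbinary", "image", "timestamp"},
    "ms sql": {"text"},
    "informix": {"text"},
    "mysql": {"longtext", "tinyblob", "tinytext", "blob", "text", "mediumblob",
              "mediumtext", "longblob"},
}

# Base type name, optionally followed by a parenthesised length/precision.
_TYPE_RE = re.compile(r"^\s*([A-Za-z0-9_ ]+?)\s*(\([^)]*\))?\s*$")


def normalize_type(declared: str) -> str:
    """'VARCHAR2(64 CHAR)' -> 'varchar2'; 'Double  Precision' -> 'double precision'."""
    m = _TYPE_RE.match(declared)
    if not m:
        raise ValueError(f"cannot parse type declaration: {declared!r}")
    return " ".join(m.group(1).lower().split())


def check_columns(database: str, columns):
    """Sort (column_name, declared_type) pairs into supported, unsupported and
    unknown buckets. 'unknown' types are in neither Table 17 list and must be
    checked against the JDBC SQL types named in the text before relying on them."""
    db = database.lower()
    if db not in SUPPORTED:
        raise KeyError(f"no Table 17 entry for {database!r}")
    buckets = {"supported": [], "unsupported": [], "unknown": []}
    for name, declared in columns:
        base = normalize_type(declared)
        if base in SUPPORTED[db]:
            buckets["supported"].append(name)
        elif base in UNSUPPORTED[db]:
            buckets["unsupported"].append(name)
        else:
            buckets["unknown"].append(name)
    return buckets


if __name__ == "__main__":
    # Constructed sample: an Oracle HR table as a DBA might describe it.
    sample = [("EMP_ID", "NUMBER(10)"), ("DB_USER", "VARCHAR2(64 CHAR)"),
              ("PHOTO", "BLOB"), ("PROFILE", "XMLTYPE")]
    print(check_columns("Oracle", sample))
```

Columns that land in the unsupported bucket are the ones to leave out of the SQL statement entered in the Upload Definition panel; the uploaded table only needs the attributes that will be joined to Guardium data, not the whole source row.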

Custom Domains
A custom domain contains one or more custom tables. If it contains multiple
tables, you define the relationships between tables when defining the custom
domain. For a list of predefined domains, see the separate help topic, Custom
Domains on page 1011.

Custom Queries
A custom query accesses data from a custom domain. You use the Custom Query
Builder to create queries against custom domains. Custom queries can then be
used like any other query to generate reports or audit tasks, populate groups, or to
define aliases.

Database Entitlement Reports


DB Entitlement Reports use the Custom Domain feature to create links between the
external data on the selected database and the internal data of the predefined
entitlement reports. See the topic Link External Data to Internal Data, below, on this
subject. See Database Entitlement Reports on page 1025 for further information
on how to use predefined database entitlement reports. To see entitlement reports,
log on to the user portal, and go to the DB Entitlements tab.

Create a Custom Table


There are a few different methods to open the Custom Table Builder panel.
1. Click on the Comply tab.
2. Click on the Custom Table Builder from the left hand column menu items.
or
1. Click on the Monitor/Audit tab.
2. Click on the Build Reports tab.
3. Click on the Custom Table Builder from the left hand column menu items.
or
1. Click on the Tools tab.
2. Click on the Report Building tab.
3. Click on the Custom Table Builder from the left hand column menu items.

Upload a Table Definition


A custom table can be created by uploading a table definition, which retrieves the
table's metadata from the database server on which it is defined.
Note: Custom Tables uploaded to Guardium are optional components enabled by
product key. If these components have not been enabled, the Custom Tables
choices listed below will not appear in the Custom Table Builder selection.
1. Open the Custom Table Builder.
2. Click on the Upload Definition button to open the Import Table Structure
panel. It is not necessary to select an item first.
3. Enter a description for the table in the Entity Desc field. This is the name you
will use to reference the table when creating a custom query.
4. Enter the database table name for the table in the Table Name field. This is the
name you will use to create the table in the local database.
5. Enter a valid SQL statement for the table in the SQL Statement field. The result
set returned by the SQL statement must have the same structure as the custom
table defined. For example, if the custom table contains all columns from the
table named my_table, enter select * from my_table.
Note:
Do not include any newline characters in the SQL statement.
All columns must be explicitly named, using a column alias if necessary.
6. Click Add Datasource to open the Datasource Finder in a separate window.
This allows you to define where the external database is located, and the
credentials needed to retrieve the table definition and content later in the
process.
7. Use the Datasource Finder to identify the database from which the table
definition will be uploaded. See Datasources on page 31 for assistance.
8. Click the Retrieve button to upload the table definition. This executes the
SQL statement and retrieves the table structure. The SQL request is sent from
the Guardium Appliance to the external database. Remember that only the
definition is being uploaded; you can upload data later.

Manually Define a Table Definition


1. Open the Custom Table Builder.
2. Click on the Manually Define button to open the Define Entity panel.
3. Enter a description for the table in the Entity Desc field. This is the name you
will use to reference the table when creating a custom query. The special
characters \$|&;'`" are not allowed in the entity desc.
4. Enter the database table name for the table in the Table Name field. This is the
name you will use to create the table in the local database.
5. For each column in the table to be defined:
v Enter a name in the Column Name box. This will be the name of the column
in the database table.
v Enter a name in the Display Name box. This is the name you will use to
reference the attribute in the Custom Domain Builder and the Custom Query
Builder.
v Select a data type (Text, Date, Integer, Float, or TimeStamp).
v For a Text attribute, enter the maximum number of characters in the Size
box. (The Size box is not available for other data types.)
v If uniqueness is to be enforced on the column, check the Unique box.
v If the attribute being defined corresponds to a group type, select that group
type from the Group Type list.
v Click the Add button to add the column.
6. Use the Entity Key drop-down list to identify which column will be used as the
entity key. When a query in the query builder selects a count, the count field
will be the Entity Key.
7. If additional changes are made after clicking Add, such as deleting a column
or changing an attribute, click on the Apply button to save the changes.
8. Click the Done button when you have added all columns for the table.

Modify a Table Definition


If you modify the definition of a custom table, you may invalidate existing reports
based on queries using that table. For example, an existing query might reference
an attribute that has been deleted, or whose data type has been changed. When
applying changes to a custom table, if any queries have been built using attributes
from that table, those queries are displayed in the Query List panel. Note: You can
also use Modify to view and validate the table structures that were imported.
1. Open the Custom Table Builder.
2. Choose a custom table by clicking on the entity label and highlighting it.
3. Click on the Modify button to open the Modify Entity panel.
4. See Defining a Table Manually for assistance.
5. When applying changes to a custom table, if any queries could be invalidated
by the modification of an attribute from that table, those queries are displayed
in the Query List panel. Use the Query List panel to choose and change queries.
You do not have to make all changes immediately, as you can always come back
and use the Check for Invalid Queries option.

Check for Invalid Queries


If you modify the definition of a custom table, you may invalidate existing reports
based on queries using that table. For example, an existing query might reference
an attribute that has been deleted, or whose data type has been changed. It is a
good idea to check for invalid queries after the table modification process.
1. Open the Custom Table Builder.
2. Click on the Invalid Queries button.
3. The queries are displayed in the Query List panel. Use the Query List panel to
choose and change queries.

Purge Data from Custom Table


Data can be purged from custom tables on the Guardium server on demand, or on
a scheduled basis.
1. Open the Custom Table Builder.
2. Choose a custom table by clicking on the table name and highlighting it.
3. Click on the Purge button to open the Custom Table Data Purge panel.
4. Click the Purge All button to purge now.
5. In the Configuration panel, enter the age of the data to be purged, as a number
of days, weeks or months prior to the purge operation date.
6. Click Run Once Now to run a scheduled purge operation once.
7. Click the Modify Schedule button to open the standard Schedule Definition
panel and schedule a purge operation.
8. Click Done to close the panel.

Upload Data to a Custom Table


For tutorials on this subject, see the How-to Guide:
v How to correlate data from Custom Domains
v How to create custom reports from stored data
1. Open the Custom Table Builder.
2. Choose a custom table by clicking on the name of the table and highlighting it.
3. Click on the Upload Data button to open the Import Data panel.
4. In the SQL Statement box, enter a valid SQL statement for the table. The result
set returned by the SQL statement must have the same structure as the custom
table defined. For example, if the custom table contains all columns from the
table named my_table, enter select * from my_table. The following fields,
which are internal to Guardium, are available for use within SQL statements:
v ^FromDate?^ and ^ToDate?^, whose values are the previous upload date and
the current upload date respectively.
v ^fromID^ and ^toID^, which, when used with an Id Column Name, hold the
maximum value of the Id Column from the previous upload and the
maximum value from the current upload respectively.
Note: Do not include any newline characters in the SQL statement.
5. If needed, specify a column name in the Id Column Name box (a column of the
table defined within the datasource). This column is used to track uploads by
ID, in conjunction with the internal Guardium fields ^fromID^ and ^toID^.
6. In the DML command after upload box, enter a DML command (an update or
delete SQL statement) with no semicolon, to be executed after uploading the
data. Note: Do not include any newline characters in the SQL statement.
7. Check the Overwrite per upload box if you wish to have data purged in the
custom table before the upload. Check the Overwrite per datasource box if you
wish to have data for that datasource purged before the upload from it.
8. Check the default purge box (in the Upload Custom Data screen) to make this
table part of the "Default Custom Table Purge Job" purge object, which has an
initial default age of 60 days. To add a purge schedule for this table, go to the
initial Custom Table Builder page, select a Custom Table and click on the Purge
button to go to the Custom Table Data Purge configuration screen.
9. Check the Use default schedule box only if uploading tables from previous
versions of Guardium. This check box only appears in a Central Manager
view and only for the predefined custom tables CM Buffer Usage Monitor,
Enterprise View No Traffic, Enterprise View S-TAP Changes and S-TAP Info.
10. Click Add Datasource to open the Datasource Finder in a separate window.
Use this window to identify one or more databases from which the table data
will be uploaded. You may add multiple datasources to upload from multiple
sources. Note: For a Central Manager, the Import Data page has a read-only
check box called "Include default source". If this check box is checked, the
upload will iterate through all online registered managed units. Note:
When adding a datasource, the upload cannot be scheduled to run
without specifying the user name and password of the selected datasource.
11. You can click Check/Repair to compare the schema of the custom table to the
schema of the meta-data. In a central management environment, the custom
table definition resides on the central manager, and the custom table may not
exist on the local (managed unit) database. Click the Check/Repair button to
check if the custom table exists locally, and create it if it does not.
12. Click Verify Datasources to test the external database connection. An
acknowledgement screen will appear.
13. Click the Apply button.
14. To upload data to this custom table, do one of the following:
v Click the Run Once Now button to upload data manually.
v Click the Modify schedule button to configure the schedule.
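The following added example (not Guardium code) simulates how the ^fromID^, ^toID^, ^FromDate?^ and ^ToDate?^ fields from step 4, the Id Column from step 5 and the DML command after upload from step 6 cooperate to make repeated uploads incremental. The placeholder names come from the Help Book; the substitution rules, the in-memory SQLite source table my_table and the sample rows are assumptions constructed for the demonstration.

```python
"""
Simulation of an incremental custom-table upload driven by the internal
Guardium placeholders ^fromID^, ^toID^, ^FromDate?^ and ^ToDate?^.
This is an added example, not Guardium code: the placeholder names come from
the Help Book, but the substitution rules, the in-memory SQLite source table
and the sample rows below are assumptions constructed for the demonstration.
"""
import re
import sqlite3
from datetime import date

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_statement(sql):
    """Reject what the Help Book says must not appear in the statement:
    embedded newline characters and a terminating semicolon."""
    if "\n" in sql or "\r" in sql:
        raise ValueError("SQL statement must not contain newline characters")
    if sql.rstrip().endswith(";"):
        raise ValueError("do not terminate the statement with a semicolon")
    return sql


def validate_identifier(name):
    """Table and Id Column names are interpolated into SQL, so only accept
    plain identifiers (defensive check; Guardium's own rules are not documented here)."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


class IncrementalUpload:
    """Tracks the high-water mark of the Id Column and the upload date between runs."""

    def __init__(self, conn, table, id_column):
        self.conn = conn
        self.table = validate_identifier(table)
        self.id_column = validate_identifier(id_column)
        self.from_id = 0                # assumption: high-water mark before the first upload
        self.from_date = "1970-01-01"   # assumption: "previous upload date" before the first upload

    def bind(self, sql, to_id, to_date):
        # Assumption: dates are substituted unquoted, so the template quotes them itself.
        return (sql.replace("^fromID^", str(self.from_id))
                   .replace("^toID^", str(to_id))
                   .replace("^FromDate?^", self.from_date)
                   .replace("^ToDate?^", to_date))

    def run(self, sql, post_dml=None, today=None):
        """Fetch the rows selected by the bound statement, run the optional
        'DML command after upload', then advance the markers."""
        validate_statement(sql)
        to_date = (today or date.today()).isoformat()
        # ^toID^ is the current maximum of the Id Column in the source table.
        to_id = self.conn.execute(
            f"SELECT COALESCE(MAX({self.id_column}), 0) FROM {self.table}").fetchone()[0]
        rows = self.conn.execute(self.bind(sql, to_id, to_date)).fetchall()
        if post_dml:
            self.conn.execute(self.bind(validate_statement(post_dml), to_id, to_date))
            self.conn.commit()
        self.from_id, self.from_date = to_id, to_date
        return rows


def demo():
    """Three uploads against a constructed source table; returns the row counts
    of each upload and how many rows the post-upload DML has flagged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (id INTEGER PRIMARY KEY, login TEXT, "
                 "login_time TEXT, exported INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO my_table (login, login_time) VALUES (?, ?)",
                     [("alice", "2013-05-01"), ("bob", "2013-05-01"), ("carol", "2013-05-02")])
    up = IncrementalUpload(conn, "my_table", "id")
    # Only rows newer than the previous upload's maximum id are selected.
    sql = ("SELECT id, login, login_time FROM my_table "
           "WHERE id > ^fromID^ AND id <= ^toID^")
    # DML command after upload: mark what this run exported in the source table.
    dml = "UPDATE my_table SET exported = 1 WHERE id <= ^toID^"
    first = up.run(sql, post_dml=dml, today=date(2013, 5, 3))
    conn.executemany("INSERT INTO my_table (login, login_time) VALUES (?, ?)",
                     [("dave", "2013-05-03"), ("erin", "2013-05-03")])
    second = up.run(sql, post_dml=dml, today=date(2013, 5, 4))
    third = up.run(sql, post_dml=dml, today=date(2013, 5, 5))
    exported = conn.execute("SELECT COUNT(*) FROM my_table WHERE exported = 1").fetchone()[0]
    return len(first), len(second), len(third), exported


if __name__ == "__main__":
    print(demo())   # (3, 2, 0, 5)
```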

Schedule Custom Data Uploads


Once a custom table definition is in place, data can be uploaded to custom tables
on the Guardium appliance on a scheduled basis.
Note: New installations do not automatically start Enterprise reports.
Note: There is one upload schedule for each custom table. The total amount of
disk space reserved on the Guardium appliance for custom tables is 4GB.
1. Open the Custom Table Builder.
2. Choose a custom table by clicking on the entity label and highlighting it
3. Click on the Upload Data button to open the Import Data panel.
4. Mark the Use Default Schedule checkbox to upload this table using the default
schedule. Otherwise, this custom table uses its own upload data schedule.
5. Click the Modify Schedule button to open the standard Schedule Definition
panel and modify the schedule.
6. Click Done when you are finished.
The Enterprise report custom uploads are like other jobs. There are two ways to
enable them.
1. In the Custom Table Upload GUI (requires a license for custom upload).
2. Use GuardAPI from the CLI:
grdapi add_schedule jobName=CustomTablePurgeJob_CM_SNIFFER_BUFFER_USAGE jobGroup=customTableJobGroup
Enterprise S-TAPs Changed:
grdapi add_schedule jobName=customTableDataUpload_106 jobGroup=customTableJobGroup
CM Buffer Usage Monitor:
grdapi add_schedule jobName=customTableDataUpload_104 jobGroup=customTableJobGroup
S-TAP Info:
grdapi add_schedule jobName=customTableDataUpload_80 jobGroup=customTableJobGroup

Create a Custom Domain


After defining one or more custom tables, define a custom domain so that you can
perform query and reporting tasks using the custom data. The information
collected is organized into domains, each of which contains a different type of
information relating to a specific area of concern: data access, exceptions, policy
violations, etc. There is a separate query builder tool for each domain. Custom
domains are user-defined domains and can cover any tables of data uploaded to
the Guardium appliance. For a complete listing of the custom entitlement domains
that support predefined queries/reports, see Custom Domains on page 1011.
These custom entitlement (privilege) domains are used for entitlement reports,
which are available when logged in as a user. To see these reports, go to the user
tab, "DB Entitlements".
Note: DB Entitlements Domains are optional components enabled by product key.
If these components have not been enabled, the choices listed in the Custom
Domains help topic will not appear in the Custom Domain Builder selection.
1. Open the Custom Domain Builder.
2. Click the Domains button to open the Domain Finder panel.
3. Click the New button to open the Custom Tables Domain panel.
4. Enter a Domain Name. Typically, you will be including a single custom table in
the domain, so you may want to use the same name for the domain.
5. The Available Entities box lists all custom tables that have been defined (and to
which you have access). Select an entity. Optionally, click the (Filter) tool to
open the Entity Filter and enter a Like value to select only the entities you
want listed, and click Accept. This closes the filter window and returns you to
the Custom Tables Domain panel, with only those entities matching the Like
value listed in the Available Entities box. Select the entity you want to include.
6. Click the right arrow button to move the entity selected in the Available
Entities list to the Domain Entities list.
7. To add an entity to a domain that already has one or more tables, follow the
procedure outlined below. You will need to use the Join Condition to define the
relationship between the entities.
For each additional entity:
v From the Domain Entities box on the right, select an entity. All of the
attributes of that entity will become available in the field drop-down list
below the Domain Entities box. Select the attribute from that list that will be
used in the join operation.

v From the Available Entities list on the left, select the entity you want to add.
All of the attributes of that entity will become available in the field
dropdown list below the Available Entities box. Select the attribute from that
list that will be used in the join operation.
v Select = (the equality operator) if you want the join condition to be equal
(e.g., domainA.attributeB = domainC.attributeD). Select outer join if you
want the join condition to be an outer join using the selected attributes.
v Click Add Field Pair. Add Field Pair can be used to add more attribute pairs
of these two entities to the join condition.
v Repeat the above steps for any additional join operations.
Note: When data level security is on, internal entities added to the custom
domain cannot belong to different domains with filtering policies.
8. Select the Timestamp attribute for the custom domain entity.
Note: At least one entity with a timestamp must be used, since a timestamp is
required to save a custom domain.
9. Click the Apply button.

Modify a Custom Domain


The goal is to create a linkage between external data and the internal data.
1. Open the Custom Domain Builder.
2. Choose the Custom Domain that you wish to modify.
3. Click the Modify button to open the Custom Tables Domain panel.
4. See Open Custom Domain Builder and Linking External Data to Internal Data
for assistance.
5. Click the Apply button to save the changes.

Remove a Custom Domain


1. Open the Custom Domain Builder.
2. Choose the Custom Domain that you wish to remove.
3. Click the Domains button to open the Domain Finder panel.
4. Click the Delete button to remove the custom domain.

Clone a Custom Domain


1. Open the Custom Domain Builder.
2. Choose the Custom Table that is in the domain you wish to clone.
3. Click the Domains button to open the Domain Finder panel.
4. Click the Clone button to open the Custom Tables Domain panel.
5. Change the Domain Name to reflect the new domain.
6. See Open Custom Domain Builder and Linking External Data to Internal Data
for assistance.
7. Click the Apply button to save the changes.

Link External Data to Internal Data


The goal is to create a linkage between external data and the internal data.
1. Open the Custom Domain Builder.
2. Choose the Custom Table that has your external data.
3. Click the Domains button to open the Domain Finder panel.
4. Click the Modify button to open the Custom Tables Domain panel.
5. Click the Filter icon next to the Available Entities.
6. Un-check the Custom box for the filter and optionally fill in a Like condition
to filter entity names, then click the Accept button.
7. Select an entity from the Available Entities that you would like to link with
your external data.
8. Select the Field that will be used to join data with your external data.
9. Highlight the table from the Domain Entities that contains your external data.
10. Select the Field that will be used to join data with the internal data.
11. Click the Add Field Pair to add the relationship.
12. Click the double arrow ">>" to add the internal table to the Domain Entities
list.
13. Click the Apply button to save the changes.

Working with Custom Queries


This section describes how to open the Custom Query Builder. See Building
Queries and Building Reports for assistance in defining a query and building a
report. Use the Custom Query Builder to build queries against data from custom
domains, which contain one or more custom tables.
1. Click the Tools tab.
2. Click the Report Building tab.
3. Click the Custom Query Builder item in the left column menu to open the
Domain Finder.
4. Select a custom domain from the list.
5. Click the Search button to open the Query Finder.
6. To view, modify or clone an existing query, select it from the Query Name list,
or select a report using that query from the Report Title list.
7. To view all of the queries defined for a specific custom table, select that custom
table from the Main Entity list and click the Search button (only the custom
tables included in the selected custom domain will be listed).

Bidirectional Interface to and from InfoSphere Discovery


Both InfoSphere Guardium and InfoSphere Discovery have the capability to
identify and classify sensitive data, such as Social Security Numbers or credit card
numbers.
A customer of the InfoSphere Guardium product can use a bidirectional interface
to transfer identified sensitive data information from one product to another. Those
customers who have already invested the time in one InfoSphere product can
transfer the information to the other InfoSphere product.
Note: In InfoSphere Guardium, the Classification process is an ongoing process
that runs periodically. In InfoSphere Discovery, Classification is part of the
Discovery process that usually runs once.
The data will be transferred via CSV files.
The summary of Export/Import procedures is as follows:
v Export from Guardium - Run the predefined report (Export Sensitive Data to
Discovery) and export it as a CSV file.
v Import to Guardium - Load to a custom table against a CSV datasource; define
the default report against this datasource.
Follow these steps:
Export from Guardium
Export Classification Data from InfoSphere Guardium to InfoSphere Discovery
1. As an admin user in the Guardium application, go to Tools > Report Building
>Classifier Results Tracking > Select a Report > Export Sensitive Data to
Discovery.
Note: Add this report to the UI pane (it is not by default).
2. Click on "Customize" icon on Report Result screen and specify the search
criteria to filter the classification results data to transfer to Discovery.
3. Run the report and click on "Download All Records" icon.
4. Save as CSV and import this file to Discovery according to the InfoSphere
Discovery instructions.
Import to Guardium
Import Classification Data from InfoSphere Discovery to InfoSphere Guardium
1. Export the classification data as CSV from InfoSphere Discovery based on
InfoSphere Discovery instructions.
2. As an admin user in the Guardium application, go to Tools > Report Building
>Custom Tables screen, select ClassificationDataImport and click on Upload
Data button.
3. In the Upload Data screen, click on Add Datasource, click on the "New" button,
and define the CSV file imported from Discovery as a new datasource (Database
Type = Text).
Note: Alternatively you can load the data directly from Discovery database if
you know how to access the Discovery database and Classification results data.
4. After defining the CSV as Datasource, click on "Add" button in Datasource list
screen.
5. In Upload data screen click on Verify Datasource and then Apply.
6. Click on Run Once Now button to load the data from the CSV.
7. Go to Report Builder, select "Classification Data Import" report, Click on Add to
Pane to add it to your Portal and then navigate to the report.
8. Access the Report, click on Customize to set the From/To dates and execute the
report.
The report result has the classification data imported from InfoSphere Discovery.
Double click to invoke APIs assigned to this report. The data imported from
Discovery can be used for the following:
v Add new Datasource based on the result set.
v Add/Update Sensitive Data Group.
v Add policy rules based on datasource and sensitive data details.
v Add Privacy Set.

126

Help Book Guardium V9.0

CSV Interface signature

Interface Signature: Example
Type: DB2
Host: 9.148.99.99
Port: 50001
dbName (Schema name for DB2 or Oracle, db name for others): cis_schema
Datasource URL: (no example given)
TableName: MK_SCHED
ColumnName: ID_PIN
ClassificationName: SSN
RuleDescription: Out-of-box algorithm of InfoSphere Discovery
HitRate: 70% - not available for export in Guardium Vers. 8.2
ThresholdUsed: 60% - not available for export in Guardium Vers. 8.2
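The following added example (not code from Guardium or InfoSphere Discovery) parses a CSV file laid out according to the interface signature above, validates the Host and Port fields, converts HitRate and ThresholdUsed into numbers while tolerating the "not available" case, and groups the confirmed sensitive columns by classification. The column names follow the signature table, but using them verbatim as the CSV header row is an assumption, and the sample rows are constructed (the first reuses the Help Book's example values; Datasource URL is left empty because the Help Book shows no example for it).

```python
"""
Parser for the CSV interface signature used to move classification results
between InfoSphere Discovery and Guardium. This is an added example, not code
from either product: the column names follow the signature table in the Help
Book, but using them verbatim as the CSV header row is an assumption, and the
rows below are constructed.
"""
import csv
import io
import re

COLUMNS = ["Type", "Host", "Port", "dbName", "Datasource URL", "TableName",
           "ColumnName", "ClassificationName", "RuleDescription",
           "HitRate", "ThresholdUsed"]

# A percentage at the start of the field; trailing text such as
# "- not available for export in Guardium Vers. 8.2" is ignored.
PERCENT = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*%")


def parse_percent(value):
    """'70%' -> 70.0. An empty field, or one with no leading percentage,
    yields None (the value was not available from the exporting product)."""
    m = PERCENT.match(value or "")
    return float(m.group(1)) if m else None


def parse_record(row):
    """Validate one CSV row against the signature and normalise its fields."""
    missing = [c for c in COLUMNS if c not in row]
    if missing:
        raise ValueError(f"missing column(s): {missing}")
    port = int(row["Port"])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    host = row["Host"].strip()
    if not host:
        raise ValueError("Host must not be empty")
    return {
        "type": row["Type"].strip(),
        "host": host,
        "port": port,
        "db": row["dbName"].strip(),
        "url": row["Datasource URL"].strip(),
        "table": row["TableName"].strip(),
        "column": row["ColumnName"].strip(),
        "classification": row["ClassificationName"].strip(),
        "rule": row["RuleDescription"].strip(),
        "hit_rate": parse_percent(row["HitRate"]),
        "threshold": parse_percent(row["ThresholdUsed"]),
    }


def load_csv(text):
    """Parse the whole CSV text into a list of normalised records."""
    return [parse_record(r) for r in csv.DictReader(io.StringIO(text))]


def confirmed_hits(records):
    """Group db.table.column names by classification, dropping rows whose
    HitRate is below ThresholdUsed. Rows where either value is unavailable
    (as when the exporting product did not supply them) are kept."""
    out = {}
    for r in records:
        hit, thr = r["hit_rate"], r["threshold"]
        if hit is not None and thr is not None and hit < thr:
            continue
        out.setdefault(r["classification"], []).append(
            f"{r['db']}.{r['table']}.{r['column']}")
    return out


# Constructed sample: the first row uses the Help Book's example values,
# the other two are made up to exercise the threshold and "unavailable" cases.
SAMPLE_CSV = """\
Type,Host,Port,dbName,Datasource URL,TableName,ColumnName,ClassificationName,RuleDescription,HitRate,ThresholdUsed
DB2,9.148.99.99,50001,cis_schema,,MK_SCHED,ID_PIN,SSN,Out-of-box algorithm of InfoSphere Discovery,70%,60%
DB2,9.148.99.99,50001,cis_schema,,MK_SCHED,NOTES,Credit Card,Out-of-box algorithm of InfoSphere Discovery,40%,60%
DB2,9.148.99.99,50001,cis_schema,,EMPLOYEE,TAX_ID,SSN,Out-of-box algorithm of InfoSphere Discovery,,
"""


if __name__ == "__main__":
    for name, cols in confirmed_hits(load_csv(SAMPLE_CSV)).items():
        print(name, cols)
```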


Privacy Sets
A privacy set is a collection of elements that can be used to do special monitoring.
It consists of one or more object-field pairs - for example, the salary field of the
employee table, or all fields of the salary history table. All access to these elements
within a given timeframe can be reported.

Open the Privacy Set Builder


To access a privacy set definition, your Guardium user account must be assigned a
security role that is also assigned to that privacy set definition. Privacy sets that
you cannot access will not display in a list of privacy sets.
1. Do one of the following to open the Identify Privacy Set panel:
v Users with the admin role: Select Tools > Config & Control > Privacy Set
Builder.
v All Others: Select Monitor/Audit > Privacy Sets > Privacy Set builder.
2. Do one of the following:
v Click the New button to define a new privacy set (see Create a Privacy Set).
v Select a privacy set from the list, and click one of the following buttons:
Clone - See Clone a Privacy Set.
Modify - Use this button to modify the definition or to run a report based
on that definition. See Modify a Privacy Set, or Run a Privacy Set Report.
Remove - See Remove a Privacy Set.

Create a Privacy Set


1. Do one of the following to open the Identify Privacy Set panel:
v Users with the admin role: Select Tools > Config & Control > Privacy Set
Builder.
v All Others: Select Monitor/Audit > Privacy Sets > Privacy Set builder.
2. Click the New button to open the Privacy Set Definition panel.
3. In the Privacy Set Description box, enter a unique name for the privacy set. Do
not include apostrophe characters in the name. This is the name that will
display in the Identify Privacy Set panel.
4. From the Security Classification drop-down list, optionally select a security
classification for this privacy set.
5. In the Elements in this Privacy Set pane, for each element pair to include:
v Enter an object name in the Object box.
v Enter a field name in the Field box, or mark the Any Field in this Object box
to include all fields contained in the specified object (above).
v Click the Add this new Object Field Pair button.
6. When all elements have been added, click the Save button.
7. Optionally click the Roles button to add Roles. See Manage Roles on page
719.
8. Optionally click the Comments button to add comments. See Comments on
page 29.

Modify a Privacy Set


1. Open the privacy set to be modified, in the Privacy Set Builder. See Open the
Privacy Set Builder.
2. Make any changes to the privacy set definition, as necessary. For a description
of all fields, see Create a Privacy Set, above.
3. Click the Save button.
4. Click the Done button when finished.

Clone a Privacy Set


1. Open the privacy set to be cloned, in the Privacy Set Builder. See Open the
Privacy Set Builder.
2. The cloned privacy set will be named COPY OF selected privacy set. We
suggest that you change this to something more meaningful. Do not include
apostrophe characters in the name.
3. Make any additional changes to the privacy set definition, as necessary. For a
description of all fields, see Create a Privacy Set, above.
4. Click the Save button.
5. Click the Done button when finished.

Remove a Privacy Set


If an auditing process is running, you cannot remove a privacy set. Stop the
auditing process, then follow the steps below to remove the privacy set.
1. Select the privacy set to be removed, in the Identify Privacy Set panel. See
Open the Privacy Set Builder.
2. Click the Delete button and confirm the action.
3. Click the Done button.

Run a Privacy Set


This procedure describes how to run a privacy set report on demand. To schedule
a privacy set report, include it in a compliance workflow (see Compliance
Workflow Automation).
1. Open the privacy set for the report, in the Privacy Set Builder. See Open the
Privacy Set Builder.
2. Click the Run button.
3. In the Task Parameters pane, enter the starting and ending times for the task.
4. Select Report by Access Details, or Report by Application User, to specify how
the results should be displayed. The first option is the default, in which case a
count of accesses is shown for each combination of client IP, server IP, server
(name), server type, database protocol, source program name, and database
user name. If Application User is selected, the report will contain a separate
column with that name (following DB User Name) and the output will be
additionally qualified by the application user.
5. Click the Run Once Now button. After the report has been executed, it will be
displayed in a separate window.
6. Click the Done button.


User Identification
Some database applications are designed to use or share a small number of
database user accounts. These applications manage their users independently of
the database management system, which means that when observing database
traffic from outside of the application, it can be difficult to determine the
application user who is controlling a database connection at any given point in
time. However, when questionable database activities occur, you need to relate
specific actions to specific individuals, rather than to an account shared by groups
of individuals. In other words, you must know the application user, not just the
database user.
Guardium provides several methods to identify application users, when the actual
database user is not apparent from the database traffic:
v Identify Users via Application User Translation - For some of the most popular
commercial applications (Oracle EBS, PeopleSoft, SAP, etc.), Guardium can
identify users automatically.
v Identify Users via API - The Application Events API allows you to signal
Guardium when an application user takes or relinquishes control of a
connection, or when any other event of interest occurs. (This can be used for
more than just identifying users.)
v Identify Users via Stored Procedures - Many applications use database stored
procedures to identify the application user. In these cases, user information can
usually be extracted from the stored procedure parameters.
Within the enterprise, it may be necessary to employ several methods to identify
users, depending on the applications used.


Identify Users via Application User Translation


Some applications manage a pool of database connections. In such three-tier
architectures, the pooled connections all log into the database using a single
functional ID, and the application manages its users internally: when a user
session needs access to the database, it acquires a connection from the pool, uses
it, and then releases it back to the pool. When this happens, Guardium can see how
the application interacts with the database, but it cannot attribute specific database
actions to specific application users.
For some widely used applications, Guardium has built-in support for identifying
the end-user information from the application, and thus can relate database activity
to the application end-users.
To use this facility, follow the procedure outlined below:
1. Define an Application User Translation configuration for the application. See
Configure Application User Detection, below.
2. Populate any pre-defined groups required for that application. See Populate
Pre-Defined Application Groups.
3. Regenerate any portlets for special reports for that application, and place the
portlets on a page. See Regenerate Special Application Report Portlets.

Selective Audit Trail and Application User Translation


If the installed data access policy uses the selective audit trail feature to limit the
amount of data logged, there are two important considerations that apply to
application user translation:
v The policy will ignore all of the traffic that does not fit the application user
translation rule (for example, not from the application server).
v Only the SQL that matches the pattern for that security policy will be available
for the special application user translation reports.

Configure Application User Detection


1. Select Administration Console > Application User Translation.
2. Click the Add button to expand the Add App User Translation panel.
3. In the Application Code box, enter a unique code to identify the application.
Note: Under Central Management, you must use different application codes
on different managed machines. This prevents aliases generated for the users
from conflicting with each other. (Under Central Management, there is one set
of aliases that is shared by all managed units.)
4. From the Application Type list, select the application type:
v BO-WI - Business Objects / Web Intelligence
v EBS - Oracle E-Business Suite
v PeopleSoft
v SAP Observed
v SAP DB
v SIEBEL Observed
v SIEBEL DB


5. In the Application Version box, enter the application version number (11, for
example).
6. From the Database Type list, select the database type. Only the types available
for the selected Application Type and Version (see above) will be displayed.
7. In the Server IP box, enter the IP address the application uses to connect to
the database.
8. In the Port box, enter the port number the application uses to connect to the
database.
9. In the Instance Name box, enter the instance name the application uses to
connect to the database.
10. In the DB Name box, enter the database name for the application. (Required
for some applications, not used for others.)
11. Mark the Active box to enable user translation. (Nothing will be translated
until after the first import of user definitions; see below.)
12. Enter a User Name for Guardium to use when accessing the database. Enter a
Password for Guardium to use when accessing the database.
13. Mark the Responsibility box if you want to associate responsibilities
(Administration, for example) with user names. Or clear the Responsibility
box to just record user names. When the box is cleared, all activities
performed by a user will be grouped together, regardless of the responsibility
at the time the activity occurred.
14. If Application Type is EBS (Database Type is Oracle), then two additional
choices appear - Connect to Server IP and Connect to User Name. If
populated, the system will connect using that IP and username in order to
retrieve the Responsibility and User names.
15. Click the Add button to save the Application User Translation definition.
16. Continue on to the procedures listed below - Populate Pre-defined Application
Groups and Regenerate Special Application Report Portlets.
17. After the previous step is done, go to the Administration Console, select the
Inspection Engines, and click Restart Inspection Engines in the Inspection
Engine Configuration panel.
18. After performing the tasks specified in the two procedures in step 16, return
to Application User Translation and click Run Once Now to import the user
definitions for this application (and any others defined).
19. Later, after verifying that the data import operation worked successfully (see
step 20), return to this panel and click the Modify Schedule button to define
an import operation to run on a regular basis. You should schedule the
importing of user definition data at whatever interval is suitable for your
environment. The maximum time that a new application user name will not
be available is the time between executions of the import operation. For
instructions on how to use the scheduler, see Scheduling, in the Common
Tools book.
20. Confirm that the Application User Translation data import worked by looking
at a predefined report, e.g., SAP Application Access. Go to Tools > Report
Building > Report Builder and choose the SAP Application Access report.
Regenerate this report, add it to a pane, then set a large date range (for
example, go back a year for data).
Note: The first time Run Once Now is clicked after installing the Application User
Translation setting(s), it retrieves the last update-date for the tables it looks at.
After that, it imports only new data. Otherwise, we could find ourselves
needlessly importing decades worth of data and filling many tables/databases.


Help Book Guardium V9.0

Populate Pre-defined Application Groups


When Application User Translation has been configured, you must populate at
least two pre-defined groups with information that will be specific to your
environment. The table below identifies the groups that must be populated for
each application type. For instructions on how to populate a group, see Groups in
the Common Tools book.
Application   Pre-Defined Group    Group Type
EBS           EBS App Servers      Client IP
EBS           EBS DB Servers       Server IP
PeopleSoft    PSFT App Servers     Client IP
PeopleSoft    PSFT DB Servers      Server IP
PeopleSoft    PeopleSoft Objects   Objects
Siebel        SIEBEL App Servers   Client IP
Siebel        SIEBEL DB Servers    Server IP
SAP           SAP App Servers      Client IP
SAP           SAP DB Servers       Server IP
SAP           SAP - PCI            Objects

Regenerate Special Application Report Portlets


For some application types, one or more special report portlets must be
regenerated. For example, there are two pre-defined EBS reports, and two
pre-defined PeopleSoft reports. These reports cannot be modified. After populating
the pre-defined application groups, as described above, follow the procedure
outlined below to regenerate the predefined application portlets and place them on
a page.
The examples in this section are for the EBS portlets, but the procedure is identical
for other application types.
1. Do one of the following to open the Report Finder: Users with the admin role:
Select Tools - Report Building - Report Builder. All Others: Select
Monitor/Audit - Build Reports - Report builder.
2. Click the Search button to open the Report Search Results panel.
3. Select a report portlet for the application type (EBS Application Access, for
example), and click the Regenerate Portlet button. You will be informed that
the portlet has been regenerated.
4. Repeat the above step for each application report (EBS Processes Database
Access, or the PSFT Processes Database Access report, for example). Now add
a tab to your layout, and include the two regenerated portlets on that tab.
5. Click the Customize link at the top of the Guardium window, to open the
Customize Pane (a standard user tabbed pane layout is illustrated below and
is used for the remainder of this section).
6. Click the Add Pane button to define a new tab.
7. Enter a name for the tab - EBS Reports, for example - and click Apply. The
new tab appears as the last tab in the list.
8. Click on the new tab name to edit that pane.

9. Click the Add Portlet button, and click the Next button until you locate the
reports you want (the EBS reports, for example), and mark the checkbox
beside each desired report.
10. Click Apply, and then click Save and Apply and then click Save to save the
new pane layout. The new tab will appear at the end of the first row of tabs.
11. Click on the new tab name to open the tab.
12. Now click the Customize button at the right side of the portlet panel to set the
run-time parameters (date range and Show Aliases, for example). If you need
help setting run-time parameters, see Reports in the Common Tools help
book.

Unwilling to give DB_USER PASSWORD for EBS application


In some cases customers do not want to use the Oracle EBS DB_USER for
translating EBS traffic. Under this scenario, when setting up Oracle EBS and
wanting to translate traffic with Application User Translation, there are two choices
to make it work:
v Supply the username and password that EBS uses to talk to Oracle (often
APPS/$passwd).
v If the customer does not want to supply/enter the password for the DB_USER
EBS uses to access Oracle, it is still possible to get Application User Translation,
however the process is more complicated.
1. Make/choose a login for Oracle that will permit access to the database for
gathering aliases/users/responsibilities. That user needs access to the table
[APPLSYS.]FND_USER and the view FND_RESPONSIBILITY_VL which
combines two tables: APPLSYS.FND_RESPONSIBILITY and
APPLSYS.FND_RESPONSIBILITY_TL.
CREATE VIEW FND_RESPONSIBILITY_VL AS
SELECT /* $HEADER$ */
       B.ROWID ROW_ID, B.WEB_HOST_NAME, B.WEB_AGENT_NAME, B.APPLICATION_ID,
       B.RESPONSIBILITY_ID, B.RESPONSIBILITY_KEY, B.LAST_UPDATE_DATE,
       B.LAST_UPDATED_BY, B.CREATION_DATE, B.CREATED_BY, B.LAST_UPDATE_LOGIN,
       B.DATA_GROUP_APPLICATION_ID, B.DATA_GROUP_ID, B.MENU_ID, B.START_DATE,
       B.END_DATE, B.GROUP_APPLICATION_ID, B.REQUEST_GROUP_ID, B.VERSION,
       T.RESPONSIBILITY_NAME, T.DESCRIPTION
  FROM FND_RESPONSIBILITY_TL T, FND_RESPONSIBILITY B
 WHERE B.RESPONSIBILITY_ID = T.RESPONSIBILITY_ID
   AND B.APPLICATION_ID = T.APPLICATION_ID
   AND T.LANGUAGE = USERENV('LANG');

2. Run the following SQL statements directly from the Guardium appliance:
SELECT RESPONSIBILITY_ID, RESPONSIBILITY_NAME FROM FND_RESPONSIBILITY_VL
ORDER BY RESPONSIBILITY_ID;
SELECT USER_ID, USER_NAME FROM FND_USER ORDER BY USER_ID;


Once the user is set up so that those two statements successfully run, two
different Application User Translation entries are needed. Both need to have
the same server IP, port, and instance name, (and of course EBS and Oracle
chosen for APP type and APP server type).
It does not matter if the Application Code is identical or not. One entry needs
the username that EBS uses to connect to the database (usually APPS), but you
can put in an incorrect (dummy) password. The second entry needs the
username and password that has been created to access those tables.
3. Once both are entered with Active and Responsibility selected, click Run Once
Now, and start or restart EBS (assuming there is an Inspection Engine (S-TAP
or net) looking at the traffic). The collection of data and the assignment of
APPS user names to that data for the EBS traffic will now take place.

Oracle privs needed for the Oracle EBS App User Translation


1. Grant select on the following tables to Custom DB User:
APPLSYS.FND_USER
APPLSYS.FND_RESPONSIBILITY
APPLSYS.FND_RESPONSIBILITY_TL
2. Create a private synonym FND_USER on APPLSYS.FND_USER for Custom DB
User.
3. Create a view called FND_RESPONSIBILITY_VL for Custom DB User. You can
find this view under the APPS user to use as your template.

How to Validate SAP Stack for Application User Translation


When supporting InfoSphere Guardium SAP Application User Translation, there is
a difference between the ABAP Stack and Java Stack.
Note:
ABAP Stack and Java Stack have different kernel specifications.
ABAP Stack and Java Stack systems will have different tables.
ABAP Stack
Traditional ECC (Enterprise Core Components) SAP systems are written in ABAP
code and are predominantly accessed via the SAP GUI, although web access is
possible.
SAP ABAP systems have direct (read/write/update) access to traditional SAP
databases. The databases are very large and contain all the sensitive data. This is
where InfoSphere Guardium will be best utilized.
The following screen will appear when you enter the SAP GUI (ABAP Stack):

Figure 1. SAP GUI (ABAP Stack)


To validate the ABAP Stack SAP Kernel module for Application User Translation,
follow these steps:
1. Login to SAP.
2. Go to System > Status

Figure 2. System Status (ABAP Stack)


3. Click the Other Kernel Info button at the bottom of the System Status screen.

Figure 3. System Kernel Information (ABAP Stack)


In this example, the kernel is 700.
SAP with a DB2 backend is also available for SAP kernel 640, but the user needs to
set DB6_DBSL_ACCOUNTING=1 (in kernel 700 and up, this
DB6_DBSL_ACCOUNTING value is 1 by default). SAP for Oracle backend requires
a kernel of 710 or higher.
Data gets put into the app user field and the app event string.
Java Stack
SAP Portal systems are written in Java code and are the front end web applications
utilizing pre-canned queries to display SAP related web pages.
Portal systems can only be accessed via a web browser. Portal system databases are
much smaller with only a few tablespaces.
The following screen will appear when you enter SAP Portal System (Java Stack).

Figure 4. SAP Portal System (Java Stack)


To validate the Java Stack SAP Kernel module for Application User Translation,
follow these steps:
1. Click on System Information.

Figure 5. System TCJ (Java Stack)


In this example, the SAP Kernel version is 7.00.
SAP for either DB2 or Oracle requires a kernel of 7.02 or higher.
SAP sets similar client properties in the Java stack as it did for ABAP Stack.


Identify Users via API


For some applications that manage users internally, the application user cannot be
identified from the traffic. When this happens, you can use the Guardium
Application Events API. The Application Events API provides simple no-op calls
that can be issued from within the application to signal Guardium when a user
acquires or releases a connection, or when any other event of interest occurs.
The syntax for each Guardium Application Events API is described below.
Note: If your Guardium security policy has Selective Audit Trail enabled, the
Application Events API commands used to set and clear the application user
and/or application events will be ignored by default, and the application user
names and/or application events will not be logged. To log these items so that
they will be available for reports or exceptions, you should include a policy rule to
identify the appropriate commands, specifying the Audit Only rule action.

Set the Application User via GuardAppUser


Use this call to indicate that a new application user has taken control of the
connection. The supplied application user name will be available in the
Application User attribute of the Access Period entity. For this session, from this
point on, Guardium will attribute all activity on the connection to this application
user, until Guardium receives either another GuardAppUser call or a
GuardAppUserReleased call (which clears the application user name, as described
below).
To signal when other events occur (you can define event types as needed), use the
GuardAppEvent call, described in the following section.
Syntax: SELECT GuardAppUser:user_name FROM location
user_name is a string containing the application user name. This string will be
available as the Application User attribute value in the Access Period entity.
FROM location is used only for Oracle, DB2, or Informix. (Omit for other database
types.) It must be entered exactly as follows:
v Oracle: FROM DUAL
v DB2: FROM SYSIBM.SYSDUMMY1
v Informix: FROM SYSTABLES

Clear the Application User via GuardAppUserReleased


Use the GuardAppUserReleased call to signal that the current user has
relinquished control of the connection. Guardium will clear the application user
name, which will remain empty for the connection until it receives another
GuardAppUser call.
Syntax: SELECT GuardAppUserReleased FROM location


FROM location is used only for Oracle, DB2, or Informix. (Omit for other database
types.) It must be entered exactly as follows:
v Oracle: FROM DUAL
v DB2: FROM SYSIBM.SYSDUMMY1
v Informix: FROM SYSTABLES

Set an Application Event via GuardAppEvent


This call provides a more generic method of signaling the occurrence of application
events. You can define your own event types and provide text, numeric, or date
values to be stored with the event both when the event starts and when it ends.
You may want to use this call together with the GuardAppUser call described
above. Guardium will attribute all activity on the connection to this application
event, until it receives either another GuardAppEvent:Start command or a
GuardAppEvent:Released command.
Syntax:
SELECT GuardAppEvent:Start|Released,
GuardAppEventType:type,
GuardAppEventUserName:name,
GuardAppEventStrValue:string,
GuardAppEventNumValue:number,
GuardAppEventDateValue:date FROM location
Start | Released - Use the keyword Start to indicate that the event is taking control
of the connection or Released to indicate that the event has relinquished control of
the connection.
type identifies the event type. It can be any string value, for example: Login,
Logout, Credit, Debit, etc. In the Application Events entity, this value is stored in
the Event Type attribute for a Start call, or the Event Release Type attribute for a
Released call.
name is a user name value to be set for this event. In the Application Events entity,
this value is stored in the Event User Name attribute for a Start call, or the Event
Release User Name attribute for a Released call.
string is any string value to be set for this event. For example, for a Login event
you might provide an account name. In the Application Events entity, this value is
stored in the Event Value Str attribute for a Start call, or the Event Release Value
Str attribute for a Released call.
number is any numeric value to be set for this event. For example, for a Credit
event you might supply the transaction amount. In the Application Events entity,
this value is stored in the Event Value Num attribute for a Start call, or the Event
Release Value Num attribute for a Released call.
date is a user-supplied date and optional time for this event. It must be in the
format: yyyy-mm-dd hh:mm:ss, where the time portion (hh:mm:ss) is optional. It


may be the current date and time or it may be taken from a transaction being
tracked. In the Application Events entity, this value is stored in the Event Date
attribute for a Start call, or the Event Release Date attribute for a Released call.
FROM location is used only for Oracle, DB2, or Informix. (Omit for other database
types.) It must be entered exactly as follows:
v Oracle: FROM DUAL
v DB2: FROM SYSIBM.SYSDUMMY1
v Informix: FROM SYSTABLES
The GuardAppEvent call populates an Application Events entity (see Application
Events Entity in the Entities and Attributes section of the Appendices). When
creating Guardium queries and reports, you can access the Application Events
entity from either the Access Tracking domain or the Policy Violations domain.
If any Application Events entity attributes have not been set using the
GuardAppEvent call, those values will be empty.
Regarding the two date attributes:
v Event Date is set using the GuardAppEvent call, or from a custom identification
procedure as described in the following section.
v Timestamp is the time that Guardium stores the instance of the Application
Event entity.
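The three calls above (GuardAppUser, GuardAppUserReleased and GuardAppEvent) are plain SELECT statements that the application issues on its own connection. The following Python is an added example written for this page, not code from the Guardium product or this help book: it builds those statements with the FROM clause the text requires for Oracle, DB2 and Informix, checks the yyyy-mm-dd hh:mm:ss date format, and decodes a GuardAppEvent statement back into the Application Events entity attribute names listed above. The decoder is a constructed approximation of that mapping, and the jsmith/Credit sample values are made up.

```python
"""Application Events API statements: builder and decoder.

Added example for the GuardAppUser, GuardAppUserReleased and GuardAppEvent
calls. Illustrative code written for this page, not Guardium's implementation:
statement format, field names, database types and entity attribute names come
from the help text; the decoder is a constructed approximation and the sample
values are made up.
"""
import re
from datetime import datetime

# FROM clause per database type; every other type omits the clause entirely.
FROM_CLAUSE = {
    "oracle": "FROM DUAL",
    "db2": "FROM SYSIBM.SYSDUMMY1",
    "informix": "FROM SYSTABLES",
}

# Statement field -> (attribute for a Start call, attribute for a Released call)
FIELD_TO_ATTRIBUTE = {
    "GuardAppEventType": ("Event Type", "Event Release Type"),
    "GuardAppEventUserName": ("Event User Name", "Event Release User Name"),
    "GuardAppEventStrValue": ("Event Value Str", "Event Release Value Str"),
    "GuardAppEventNumValue": ("Event Value Num", "Event Release Value Num"),
    "GuardAppEventDateValue": ("Event Date", "Event Release Date"),
}


def _location(db_type):
    """Return ' FROM ...' for Oracle/DB2/Informix and '' for other database types."""
    clause = FROM_CLAUSE.get(db_type.lower())
    return f" {clause}" if clause else ""


def validate_event_date(value):
    """Accept yyyy-mm-dd hh:mm:ss or yyyy-mm-dd (time optional); reject anything else."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            datetime.strptime(value, fmt)
            return value
        except ValueError:
            continue
    raise ValueError(f"GuardAppEventDateValue must be yyyy-mm-dd[ hh:mm:ss], got {value!r}")


def guard_app_user(user_name, db_type):
    """No-op SELECT that attributes following activity on the connection to user_name."""
    return f"SELECT GuardAppUser:{user_name}{_location(db_type)}"


def guard_app_user_released(db_type):
    """No-op SELECT that clears the application user for the connection."""
    return f"SELECT GuardAppUserReleased{_location(db_type)}"


def guard_app_event(action, db_type, event_type=None, user_name=None,
                    str_value=None, num_value=None, date_value=None):
    """Build a GuardAppEvent:Start or GuardAppEvent:Released statement.

    Only the fields the caller supplies are emitted; the rest stay empty in the
    Application Events entity, as the text describes.
    """
    if action not in ("Start", "Released"):
        raise ValueError("action must be 'Start' or 'Released'")
    optional = [
        ("GuardAppEventType", event_type),
        ("GuardAppEventUserName", user_name),
        ("GuardAppEventStrValue", str_value),
        ("GuardAppEventNumValue", num_value),
        ("GuardAppEventDateValue",
         validate_event_date(date_value) if date_value is not None else None),
    ]
    parts = [f"GuardAppEvent:{action}"]
    parts += [f"{key}:{value}" for key, value in optional if value is not None]
    return "SELECT " + ", ".join(parts) + _location(db_type)


def decode_app_event(statement):
    """Map a GuardAppEvent statement back onto Application Events attributes.

    Returns (action, {attribute: value}). Fields are comma separated, so a
    string value containing a comma would be split; keep such values comma-free.
    """
    body = re.sub(r"^\s*SELECT\s+", "", statement, flags=re.I)
    body = re.sub(r"\s+FROM\s+\S+\s*$", "", body, flags=re.I)
    fields = {}
    for item in body.split(","):
        key, sep, value = item.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed field {item!r}")
        fields[key] = value.strip()
    action = fields.pop("GuardAppEvent", None)
    if action not in ("Start", "Released"):
        raise ValueError("statement is not a GuardAppEvent:Start|Released call")
    column = 0 if action == "Start" else 1
    return action, {FIELD_TO_ATTRIBUTE[key][column]: value for key, value in fields.items()}


if __name__ == "__main__":
    # Constructed sample: a Credit transaction on Oracle, then release the event.
    start = guard_app_event("Start", "oracle", event_type="Credit", user_name="jsmith",
                            num_value=250, date_value="2013-05-01 14:30:00")
    print(start)
    print(decode_app_event(start))
    print(guard_app_event("Released", "oracle", event_type="Credit"))
```

Run the module directly to print a Start/Released pair for Oracle. As the note at the top of this section says, with Selective Audit Trail enabled these statements are ignored unless a policy rule with the Audit Only action matches them; the builder cannot do anything about that, so check the installed policy before relying on the reports.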


Identify Users via Stored Procedures


In many existing applications, all of the information needed to identify an
application user can be obtained from existing database traffic, from stored
procedure calls. Once Guardium knows what calls to watch for, and which
parameters contain the user name or other information of interest, users can be
identified automatically.
In the simplest case, an application might have a single stored procedure that sets
a number of property values, one of which is the user name. A call to set the user
name might look like this:
set_application_property(user_name, JohnDoe);

In a custom procedure mapping (described later), you can tell Guardium to:
v Watch for a stored procedure named set_application_property, with a first
parameter value of user_name.
v Set the application user to the value of the second parameter in the call
(JohnDoe, in the example above).
There may be multiple stored procedures for an application: one to start an
application user session, one to end a session, and others to signal key events
particular to that application. Guardium's custom identification procedure
mechanism can be used to track any application events you want to monitor.
Since each of your applications may have a different way of identifying users, you
may have to define separate custom identification procedure mappings for each
application. To do that, follow the procedure outlined, below.

Define a Custom Identification Procedure Mapping


1. Select Administration Console > Custom ID Procedures.
2. To view an existing mapping, hold the mouse pointer over the More Info
column icon for the row containing the map you want to view.
3. To add a mapping, click on the Add Mapping pane title to expand that pane.
4. In the Custom Map Name box, enter the name to be used for this mapping.
5. In the Procedure Name box, enter the name of the database procedure that
will supply information.
6. Select Set or Clear from the Action list to indicate whether the procedure call
will set or clear application values. The Event Type Position field has a special
use when the Clear action is selected (see below).
7. If application information can be obtained from an existing stored procedure
call, but only under one or two conditions:
v Use a Condition Location box to specify which stored procedure call
parameter is to be tested
v Use the corresponding Condition Value box to specify the value that must
be matched to set application information from one or more of the other
parameters.
v For example, assume that a stored procedure named set_context is used by
an application to set a number of values, one of which is the user name.
The procedure is passed three parameters: an application name, a property
name, and a value. Three typical calls are illustrated below:

set_context('publishing_application', 'role_name', 'manager');
set_context('publishing_application', 'user_name', 'jsmith');
set_context('publishing_application', 'company', 'guardium');
v In the examples above, the second statement illustrates the format of the
call we are interested in. The second parameter (the property name) is the
parameter that needs to be tested, so 2 would be entered in the Condition1
Location box, and user_name in the Condition1 Value box.
v If a second format of the call also sets the user name, then the Condition2
Location and Value boxes can be used. For example, assume that the
following format of the procedure call is sometimes used to set a user
name:
set_context('admin_application', 'admin_name', 'wjones');
v To use this procedure, to set the application user name, enter 2 in the
Condition2 Location box, and admin_name in the Condition2 Value box.
Note: If two conditions are used, the user name or any other information
being extracted (see below) must be in the same parameter position for both
types of calls.
8. For a Clear action:
v Use only the Event Type Position and Application Username Position fields.
v Do one of the following:
To clear the application event: set the Event Type Position to 1, and set
the Application Username Position to 0.
To clear the application user: set the Event Type Position to 0, and set the
Application Username Position to 1.
9. For a Set action, use the Parameter Position pane to indicate which stored
procedure parameters map to which Guardium application event attributes.
The first procedure parameter is numbered 1. Use 0 (zero, the default) for all
attributes that are not set by the call.
v Application Username Position - Enter the parameter position of the
application user name you want associated with database activity from this
point forward (until reset, as described previously).
v Event String Value Position - Enter the parameter position of a string value
for the event (for a login, this might be a user or account name).
v Event Number Value Position - Enter the parameter position of a numeric
value for the event (for a transaction, this might be a dollar amount).
v Event Type Position - Enter the parameter position of a name for the event
type (Login, Logout, Credit Request, etc.).
v Event Date Position - Enter the parameter position of a date/time value for
the event. The format must be yyyy-mm-dd hh:mm:ss. The time portion
(hh:mm:ss) is optional, and if omitted will be set to 00:00:00.
10. In the Server Information pane:
v Select the database server type from the Server Type list.
v Enter the database user name in the DB Username box.
v Optional: Enter a database name in the Database Name box. If omitted, all
databases will be monitored.
v Optional: Identify one or more servers. If no server is specified, all servers
will be monitored. To select a specific server only, enter the server IP
address and network mask in the Server IP and Server Net Mask boxes; or,
to select a group of servers, select a server group from the Server IP Group
list or click the Groups button to define a new group of servers.
11. When you are done, click the Add button to add the mapping to the list.
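To make the Condition Location/Value and Parameter Position fields concrete, here is an added Python simulation (written for this page; not Guardium's implementation) that applies a mapping like the one built in step 7 to the set_context calls shown there. The set_context calls, the user_name and admin_name conditions and parameter position 3 for the user name come from the text; the clear_context and log_event calls, the Mapping class, the first-matching-mapping rule and the state tracking are constructed for the demonstration.

```python
"""Custom identification procedure mapping, simulated.

Added example for the mapping fields described in the procedure above
(Procedure Name, Action, Condition Location/Value, Parameter Position).
Illustrative code written for this page, not Guardium's implementation.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Mapping:
    name: str
    procedure: str
    action: str                                     # "Set" or "Clear"
    conditions: list = field(default_factory=list)  # [(location, value)], 1-based; any may match
    app_user_pos: int = 0                           # 0 (the default) = not set by this call
    event_type_pos: int = 0
    event_str_pos: int = 0
    event_num_pos: int = 0
    event_date_pos: int = 0


def parse_call(text):
    """Split "proc('a', 'b', 3);" into ("proc", ["a", "b", "3"]); quoted or bare params."""
    m = re.match(r"\s*([A-Za-z_][\w.]*)\s*\((.*)\)\s*;?\s*$", text, re.S)
    if not m:
        raise ValueError(f"not a procedure call: {text!r}")
    args = re.findall(r"'[^']*'|\"[^\"]*\"|[^,\s][^,]*", m.group(2))
    return m.group(1), [a.strip().strip("'\"") for a in args]


def _param(params, pos):
    """1-based lookup; position 0 or out of range means 'not supplied'."""
    return params[pos - 1] if 0 < pos <= len(params) else None


def normalize_event_date(value):
    """Event Date must be yyyy-mm-dd hh:mm:ss; a missing time portion becomes 00:00:00."""
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return value + " 00:00:00"
    if re.fullmatch(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", value):
        return value
    raise ValueError(f"bad Event Date value {value!r}")


def apply_mapping(mapping, call_text, state):
    """Apply one mapping to one call, updating state in place; True if it matched."""
    proc, params = parse_call(call_text)
    if proc.lower() != mapping.procedure.lower():
        return False
    if mapping.conditions and not any(_param(params, loc) == val for loc, val in mapping.conditions):
        return False
    if mapping.action == "Clear":
        # For Clear, the two position fields are flags: 1 = clear that item.
        if mapping.event_type_pos == 1:
            for key in [k for k in state if k.startswith("Event ")]:
                del state[key]
        if mapping.app_user_pos == 1:
            state.pop("Application User", None)
        return True
    positions = [
        ("Application User", mapping.app_user_pos),
        ("Event Type", mapping.event_type_pos),
        ("Event Value Str", mapping.event_str_pos),
        ("Event Value Num", mapping.event_num_pos),
        ("Event Date", mapping.event_date_pos),
    ]
    for attr, pos in positions:
        value = _param(params, pos)
        if value is not None:
            state[attr] = normalize_event_date(value) if attr == "Event Date" else value
    return True


def track(mappings, calls):
    """Replay calls through the mappings; return the state snapshot after each call."""
    state, history = {}, []
    for call in calls:
        for mapping in mappings:
            if apply_mapping(mapping, call, state):
                break  # first matching mapping wins (constructed rule)
        history.append(dict(state))
    return history


# Mapping from the text: Condition1 = (2, user_name), Condition2 = (2, admin_name),
# Application Username Position = 3.
SET_CONTEXT_USER = Mapping("set_context user", "set_context", "Set",
                           conditions=[(2, "user_name"), (2, "admin_name")], app_user_pos=3)
# Constructed Clear mapping: Event Type Position 0, Application Username Position 1.
CLEAR_USER = Mapping("clear user", "clear_context", "Clear", app_user_pos=1)
# Constructed Set mapping for a hypothetical application event procedure.
LOG_EVENT = Mapping("log event", "log_event", "Set", event_type_pos=1,
                    event_str_pos=2, event_num_pos=3, event_date_pos=4)

SAMPLE_CALLS = [  # first four from the text; the last two are constructed
    "set_context('publishing_application', 'role_name', 'manager');",
    "set_context('publishing_application', 'user_name', 'jsmith');",
    "set_context('publishing_application', 'company', 'guardium');",
    "set_context('admin_application', 'admin_name', 'wjones');",
    "log_event('Credit', 'acct-42', '250', '2013-05-01');",
    "clear_context('user');",
]

if __name__ == "__main__":
    for call, snap in zip(SAMPLE_CALLS, track([SET_CONTEXT_USER, CLEAR_USER, LOG_EVENT], SAMPLE_CALLS)):
        print(f"{call:<62} -> {snap}")
```

Running it shows the first call leaving the state empty (role_name matches neither condition), the second setting jsmith, the fourth replacing it with wjones through Condition2, and the final constructed clear_context call removing the user while the event attributes set by log_event remain, which is the behaviour the Clear action with Event Type Position 0 and Application Username Position 1 describes.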


Flat Log Process


The Flat Log option is a process to allow the Guardium appliance to log
information without immediately parsing it in real-time.
This saves processing resources, so that a heavier traffic volume can be handled.
The parsing and amalgamation of that data to Guardium's internal database can be
done later, either on a collector or an aggregator unit.
This task is performed from the Administration Console.
Note: Rules on flat do not work with policy rules involving a field, an object, a
SQL verb (command), an Object/Command Group, or an Object/Field Group. In the
Flat Log process, "flat" means that a syntax tree is not built. If there is no syntax
tree, then the fields, objects and SQL verbs cannot be determined.
The following actions do not work with rules on flat policies:
LOG_FULL_DETAILS; LOG_FULL_DETAILS_PER_SESSION;
LOG_FULL_DETAILS_VALUES; LOG_FULL_DETAILS_VALUES_PER_SESSION;
LOG_MASKED_DETAILS.
Selection of this feature involves the Policy Builder menu and Flat Log Process
menu in Admin Console > Configuration.
When the Log Flat (Flat Log) checkbox in the Policy Definition screen of the
Policy Builder is checked (see Policies on page 295):
v Data will not be parsed in real-time
v The flat logs can be seen on a designated Flat Log List report
v The offline process to parse the data and merge to the standard access domains
is configured through the Administration Console.
1. Select Administration Console > Configuration > Flat Log Process.
2. Select the activity to perform:
v Process - Merge the flat log information to the internal database.
v Archive/Aggregation/Purge - Archive or aggregate, and optionally purge,
the flat log.
v Purge only - Purge the flat log data
3. Click Apply to save the configuration.
4. For a Process activity, optionally do one of the following:
v Click Run Once Now to merge the flat log information to the internal
database immediately.
v Click Modify Schedule to define a schedule for this activity. See Scheduling
in the Common Tools book.


Custom Alerting
Alert messages can be distributed via e-mail, SNMP, syslog, or user-written Java
classes. The last option is referred to as custom alerting.
When an alert is triggered, a custom alerting class can take any action appropriate
for the situation; for example, it might update a Web page or send a text message
to a telephone number.
To create a custom alerting class, first contact Technical Support to obtain the
necessary interface file. The following topic describes how to implement the
interface. See Use the Custom Alerting Interface, and also the following topic
which contains an example: Sample Custom Alerting Class.
Once the class has been compiled, it must be uploaded to the Guardium appliance
from the Administration Console. See Manage Custom Classes.
For guidelines on testing a custom alerting class, see Test a Custom Alerting Class.

Use the Custom Alerting Interface


The custom alerting class must be in the com.guardium.custom package and must
implement the com.guardium.custom.CustomerDefinedAlertingIfc interface:
package com.guardium.custom;

public class YourClassNameHere implements CustomerDefinedAlertingIfc {
    // implement the five interface methods described below
}

The interface contains the five methods described below.


Table 18. processAlert Method
Description: Process a single alert message.
Syntax: public void processAlert (String message, Date timeStamp)
Parameters:
message - A String containing the message generated by the alert.
timeStamp - A java.util.Date for the time the alert message was created.

Table 19. getMessage Method
Description: Return the alert message.
Syntax: public String getMessage ()
Returns: A String containing the alert message.

Table 20. getTimeStamp Method
Description: Return the timestamp associated with the alert message.
Syntax: public Date getTimeStamp ()
Returns: A java.util.Date for the time the alert message was created.

Table 21. setMessage Method
Description: Set the alert message.
Syntax: public void setMessage (String inMessage)
Parameters:
inMessage - A String containing the alert message.

Table 22. setTimeStamp Method
Description: Set the timestamp associated with the alert message.
Syntax: public void setTimeStamp (Date inDate)
Parameters:
inDate - A java.util.Date for the time the alert message was created.

Sample Custom Alerting Class


The following sample program implements the five methods described in the
previous section. For the processAlert method, this program simply writes the alert
message and timestamp to the system console.
/*
 * Sample Custom Alerting Class
 */
package com.guardium.custom;

import java.text.DateFormat;
import java.util.Date;

public class HandleAlerts implements CustomerDefinedAlertingIfc {
    private String message = "";
    private Date timeStamp = null;

    // Called by Guardium for each alert: store the values, then echo them to the console.
    public void processAlert(String message, Date timeStamp) {
        setMessage(message);
        setTimeStamp(timeStamp);
        System.out.println(getMessage() + " on "
                + DateFormat.getDateInstance().format(getTimeStamp()));
    }

    public void setMessage(String inMessage) {
        message = inMessage;
    }

    public String getMessage() {
        return message;
    }

    public void setTimeStamp(Date inDate) {
        timeStamp = inDate;
    }

    public Date getTimeStamp() {
        return timeStamp;
    }
}

Test a Custom Alerting Class


After compiling a custom alerting class, follow the procedure outlined below to
test it.
1. Upload the custom class to the appliance. This is an administration function
that is performed from the Administration Console. See Manage Custom Classes.


2. Define a correlation or real-time alert to use the custom alerting class.
Regardless of which alert type generates the alert, testing is easier if you assign
a second notification type (email, for example) against which you can compare
the custom alerting results.
3. Check the environment by doing one of the following:
v For a correlation alert:
Check that the Anomaly Detection polling interval is suitable for testing
purposes and that Anomaly Detection has been started. If the polling
interval is too long (it may be 30 minutes or more), you may have a long
wait before the query runs.
Check that the Alerter polling interval is suitable for testing purposes and
that the Alerter has been started.
Check that the alert to be tested has been marked Active.
v For a real-time alert:
Check that the policy containing the rule with the custom alert action is the
installed policy.
Verify that the inspection engine was restarted after the updated policy
was installed.
Check that the Alerter polling interval is suitable for testing purposes and
that it has been started.
4. Take whatever action is necessary to trigger the alert (generate a number of
login failures, for example).


Value Change Auditing


Guardium's Value Change Auditing feature tracks changes to values in database
tables. For each table in which changes are to be tracked, you select which SQL
value-change commands to monitor (insert, update, delete). Each time a
value-change command is executed against a monitored table, before and after
values are captured. On a scheduled basis, the change activity is uploaded to a
Guardium appliance, where all of Guardium's reporting and alerting functions can
be used. The basic steps to perform to use the Value Change Auditing feature are:
1. From the Administration Console, create an audit database on the database
server. This is where value-change data will be stored until it is uploaded to
the Guardium appliance. See Create an Audit Database on page 157.
2. Identify the tables to be monitored, and for each table select the value-change
commands (insert, delete, update) for which changes will be recorded. To
record the changes, a trigger will be created for each table to be monitored, and
that trigger will write the value-change data to the audit database. To allow
updates to the audit database (via the trigger), all users with update privileges
for the monitored table will be given appropriate privileges for the audit
database. This has implications for users who may be given update privileges
for that table later (see step 4, below). For detailed instructions on how to
define the monitoring activities, see Define Monitoring Activities, below.
3. Schedule uploads to transfer value-change data from the database server to the
Guardium appliance. See Schedule Value-Change Uploads, below.
4. Maintain audit database access privileges. After a trigger has been created, a
new user may be given access to the table on which the trigger is based. If that
user issues a monitored value-change command, it will fail because that user
will not have appropriate privileges to update the audit database. See Maintain
Privileged Users Lists.
5. Monitor change activity from the administrator console, or use the Value
Change Tracking query domain to create custom reports on the Guardium
appliance. See Value-Change Reporting.
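The mechanism behind steps 2 through 5, as an added example that is not part of the Guardium documentation or product: a monitored table, an audit table standing in for the audit database, one trigger per selected command that records the before and after value of each changed column, and an upload step that reads and then empties the audit table. It runs against an in-memory SQLite database; the table ACCOUNTS, its columns and the audit table name GUARDIUM_AUDIT_LOG are constructed for the example. SQLite has no GRANT statement, so the audit-database privilege requirement from step 4 is not modelled.

```python
"""Trigger-based before/after capture (added example, not Guardium's code)."""
import sqlite3
from typing import List, Sequence, Tuple

AUDIT_TABLE = "GUARDIUM_AUDIT_LOG"   # stands in for the separate audit database


def create_audit_table(conn: sqlite3.Connection) -> None:
    """One row per changed column, mirroring the Values Changed report layout."""
    conn.execute(f"""
        CREATE TABLE {AUDIT_TABLE} (
            seq         INTEGER PRIMARY KEY AUTOINCREMENT,
            table_name  TEXT NOT NULL,
            action      TEXT NOT NULL,   -- INSERT, UPDATE or DELETE
            row_id      INTEGER,
            column_name TEXT NOT NULL,
            old_value   TEXT,            -- NULL for inserts
            new_value   TEXT,            -- NULL for deletes
            changed_at  TEXT DEFAULT CURRENT_TIMESTAMP)""")


def define_triggers(conn, table: str, columns: Sequence[str],
                    insert: bool = True, update: bool = True,
                    delete: bool = True) -> None:
    """Create one AFTER trigger per selected command, as the Audit Insert /
    Audit Update / Audit Delete checkboxes do. `columns` are the non-key
    columns whose values are captured; the key column is assumed to be `id`."""
    def audit_row(action: str, col: str, old: str, new: str, ref: str) -> str:
        return (f"INSERT INTO {AUDIT_TABLE} (table_name, action, row_id, "
                f"column_name, old_value, new_value) "
                f"SELECT '{table}', '{action}', {ref}.id, '{col}', {old}, {new}")

    bodies = {}
    if insert:   # no "before" image: old_value is NULL
        bodies["INSERT"] = [audit_row("INSERT", c, "NULL", f"NEW.{c}", "NEW")
                            for c in columns]
    if update:   # only columns whose value actually changed are recorded
        bodies["UPDATE"] = [audit_row("UPDATE", c, f"OLD.{c}", f"NEW.{c}", "NEW")
                            + f" WHERE OLD.{c} IS NOT NEW.{c}" for c in columns]
    if delete:   # no "after" image: new_value is NULL
        bodies["DELETE"] = [audit_row("DELETE", c, f"OLD.{c}", "NULL", "OLD")
                            for c in columns]
    for action, statements in bodies.items():
        body = "; ".join(statements)
        conn.execute(f"CREATE TRIGGER audit_{table}_{action.lower()} "
                     f"AFTER {action} ON {table} BEGIN {body}; END")


def drain_audit(conn) -> List[Tuple]:
    """Return captured changes in order and empty the audit table (the upload)."""
    rows = conn.execute(f"SELECT action, row_id, column_name, old_value, new_value "
                        f"FROM {AUDIT_TABLE} ORDER BY seq").fetchall()
    conn.execute(f"DELETE FROM {AUDIT_TABLE}")
    conn.commit()
    return rows


def demo() -> Tuple[List[Tuple], int]:
    """Monitor a constructed ACCOUNTS table, change it, upload, and report how
    many audit rows remain afterwards (expected: none)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNTS (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    create_audit_table(conn)
    define_triggers(conn, "ACCOUNTS", ["owner", "balance"])
    conn.execute("INSERT INTO ACCOUNTS VALUES (1, 'alice', 100.0)")
    conn.execute("UPDATE ACCOUNTS SET balance = 250.0 WHERE id = 1")  # owner unchanged
    conn.execute("DELETE FROM ACCOUNTS WHERE id = 1")
    uploaded = drain_audit(conn)
    remaining = conn.execute(f"SELECT COUNT(*) FROM {AUDIT_TABLE}").fetchone()[0]
    return uploaded, remaining


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Running the block prints five audit rows: two for the insert, one for the update (only balance changed, so owner is not recorded), and two for the delete; once they have been drained the audit table is empty, which is the state the scheduled upload leaves behind.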

Oracle Streams Alternative for Before and After Values Tracking


In addition to the native facilities within the Guardium product used for showing
before and after values of DML, getting before/after values for Oracle can be
accomplished through the use of Oracle Streams and through the use of
Guardium's External Data Correlation (upload) facility. Streams are used to create
change records for any change that affects a sensitive column, and the upload job
is used to bring the data into the Guardium repository, where you can issue
reports, combine the data with other details, and add these reports into the sign-off
process.
Note: Oracle Streams requires that the Oracle database being monitored is in
ARCHIVELOG mode.
1. Define a datasource. Click on Value Change Auditing Builder and fill in the
blocks under Datasource Definition: Name; Database Type (Oracle); Share
Datasource (Checkmark); Save Password (Checkmark); Login Name, Use sys;
Password; Connection Property field with value SysLoginRole=SYSDBA; Host
Name/IP; Port, 1521 (for Oracle); Service Name. Get Host Name/IP, Port and
Service Name from the Oracle database.
2. Test Connection (see button at bottom of screen). If successful, click on Save
and click on Done.
3. Configure the audit database. Click on Value Change Auditing Builder. Attach
the Datasource that you built in step 1, by clicking on Add Datasource.
4. Click on Choose Tables to Monitor. A pop-up screen will appear where a choice
between two monitoring methods is presented. Choose Stream. And then click
on the Apply button. Go to the next section.

Define Monitoring Activities


After defining an audit database, use the Value Change Auditing Builder to
identify the tables to be monitored, and to select the types of changes (inserts,
updates, deletes) to be recorded.
1. Do one of the following to open the Value Change Auditing Builder:
v Administrators, select Tools > Config & Control > Value Change Auditing
Builder.
v Users, select the Value Change Auditing Builder from a custom tab. (This
application is available to users, but does not appear on a default layout. To
add this application to a custom tab, see Portal Customization in the
Common Tools book.)
2. Click Add Datasource to open the Datasource Finder panel.
3. Select a datasource on which an audit database has been defined. If an audit
database has not yet been defined, see Create an Audit Database on page
157.
4. Click Add to close the Finder and add the selected datasource to the Value
Change Audit panel.
5. Optionally enter a Schema Owner and/or Object Name to limit the number of
tables that will be displayed when choosing the tables to be monitored. You
can use the % (percent) wildcard character. For example, to limit the display
to all tables beginning with the letter a, enter a% in the Object Name box.
6. Click Choose Tables To Monitor to open the Define Data Audit panel.
7. Mark the Select box for each table to be monitored.
Note: You cannot define a trigger for a table that contains one or more
user-defined data types.
The Trigger Defined column indicates if a trigger has already been defined for
the table. The Audit Insert, Audit Delete, and Audit Update checkboxes
indicate if the trigger will record changes for that command.
If the Trigger Defined column is not marked, marking the Select checkbox for
a table automatically marks all three Audit checkboxes (Audit Insert,
Audit Delete, and Audit Update). If you do not want to monitor one or two of
those commands, clear the appropriate checkbox.
8. Click the Add Selections button to define triggers for the selected tables. You
will be informed of the action taken.
9. Click OK to close the message box and re-display the Define Data Audit
panel. The selected tables remain selected, and the Trigger Defined column is
now marked for those tables. Note: The instant a trigger is defined for a table,
it is active and recording changes for the selected commands in the audit
database. The configuration of triggers is done entirely on the database server,
which is unlike most other Guardium configurations, which are defined on
the Guardium database, and then activated or deactivated as a separate task.
10. To define additional actions, repeat the steps above, or remove triggers by
marking the appropriate Select checkboxes and clicking Remove Selections.
11. Click Done after you have completed all changes.
Note: Be aware that the Cancel button does not back out any changes that
you have made to triggers using the Add or Remove Selections buttons.

After Defining Monitoring Activities


If you have added value-change monitoring activities to a datasource for the first
time, you should schedule uploads for this datasource, because the audit database
will be emptied only after the data recorded there has been uploaded to the
Guardium appliance. See the next section.

Schedule Value-Change Uploads


1. Do one of the following to open the Audit Datasource Finder:
v Administrators, select Tools > Config & Control > Value Change Auditing
Builder.
v Users, select the Value Change Auditing Builder from a custom tab. (This
application is available to users, but does not appear on a default layout. To
add this application to a custom tab, see Portal Customization in the
Common Tools book.)
2. Select the audit datasource for which you want to schedule uploads, and click
Schedule Upload to open the general purpose task scheduler. If you need help
defining a schedule, see Scheduling in the Common Tools book.

Maintain Privileged Users Lists


When the value-change feature adds a trigger for a database table, all current users
with permission to update that table will be granted permission to update the
audit database table as well. This is required because the trigger updates the audit
database with new and/or old values. If a new user is granted update permission
for a monitored table, when that user attempts an update, the update will not be
allowed because that user will not also have permission to update the audit
database. When this happens, follow the procedure outlined below to update the
audit database privileged users list via the Value Change Auditing Builder.
Be aware that to update the audit database privileged users list, the database user
ID that is used to log into the monitored database must be the creator of any role
to which new users have been added. Otherwise, the members of that role will not
be available.
1. Do one of the following to open the Value Change Auditing Builder:
v Administrators, select Tools > Config & Control > Value Change Auditing
Builder.
v Users, select the Value Change Auditing Builder from a custom tab. (This
application is available to users, but does not appear on a default layout. To
add this application to a custom tab, see Portal Customization in the
Common Tools book.)
2. Click Add Datasource to open the Datasource Finder panel, select the
appropriate Datasource from the list, and click Add.

3. Click Update Audit Tables Privileged Users. The permissions for all users who
may execute triggers to update the audit database tables will be updated, and
you will be informed when the operation completes.
4. Click OK to close the message box.

Value-Change Reporting
You can view value-change data from the default Values Changed report, or you
can create custom reports using the Value Change Tracking domain. By default, the
Value Change Tracking domain is restricted to users having the admin role.
For a description of the entities and attributes of the Value Change Tracking
domain, see the Domains, Entities, and Attributes section of the Appendices help
book.
For instructions on how to build reports and queries, see these topics in the
Monitor and Audit help book.

Values Changed Default Report


There is one default report available on the administrator portal (select Daily
Monitor > Values Changed), and one drill-down report available from that one
(Values Changed Details).
The main entity for the Values Changed report is the Changed Columns entity. In
most cases, there will be a separate row of the report for every column change
detected for every audit action (Insert, Update, Delete). However, for MS SQL
Server and Sybase, if the monitored table does not have a primary key, there will
be two rows per change, with the old and new values displayed on separate rows.

Create an Audit Database


Create an audit database and perform value-change monitoring activities.
To create an audit database and perform value-change monitoring activities, you
will need to have a user account with appropriate permissions to:
v Create a database on the server
v Create a database user account on the server
v Log in to each database to be monitored
v Create tables and triggers on each database to be monitored

Before Defining an Audit Database under Informix or Sybase


For Informix and Sybase (except for Sybase IQ, which does not support triggers)
and depending on the operating system for the database server, you must perform
one of the following procedures before defining the audit database.

Informix Setup - Locate or Create a New Database Space


This topic applies for Informix (9.4 or later). Under Informix, we strongly
recommend that you avoid using the default root database space, root_dbs. You
cannot drop this space or reduce its size.
You should use any other database space that has already been defined, or
create a new database space by performing one of the following procedures
(depending on the operating system).

Informix - Create an Informix Database Space on a Windows Server


This procedure is performed outside of the Guardium GUI, and applies for
Informix version 9.4 or later.
1. Verify that the database server is online and listening.
2. Create a zero-byte file named guardium_dbs_dat.000 in the
C:\IFMXDATA\server-name directory (server-name is the name of the Informix
server or the service name). You can do this by saving an empty text file, and
then renaming the file, replacing the txt suffix with 000.
3. Make the following directory the working directory:
C:\Program Files\Informix\bin
4. Execute following command:
C:\Program Files\Informix\bin>onspaces -c -d guardium_dbs -p
C:\IFMXDATA\server-name\guardium_dbs_dat.000 -o 0 -s 150000
If the file is created successfully, you will receive the following messages:
Verifying physical disk space, please wait ...
Space successfully added.
** WARNING ** A level 0 archive of Root DBSpace will need to be done.
5. Restart the Informix server, and use a suitable tool (Aqua Data Studio remote
client, for example) to connect and verify that the space named guardium_dbs
has been created. Your first connection attempt may fail with a message about
the server running in Quiescent Mode. If this happens, attempt to re-connect
at least two more times, and it should work fine.
6. To verify that the guardium_dbs database space has been created, use Aqua
Data Studio, and look under Storage.

Informix - Create an Informix Database Space on a Unix Server


This procedure is performed outside of the Guardium GUI, and applies for
Informix version 9.4 or later.
1. From a command-line window, enter the following commands:
su - informix
cd demo/server
vi guardium_dbs => save it to create an empty file.
2. Without adding any text, save the empty guardium_dbs file.
3. Enter the following commands:
chmod 660 guardium_dbs
cd ../../bin
onspaces -c -d guardium_dbs -p /home/informix10/demo/server/guardium_dbs -o 0 -s 100000

Sybase Setup - Initialize Disks


This topic applies for Sybase servers only (except for Sybase IQ, which does not
support triggers). Depending on the operating system of the database server,
perform one of the following procedures to initialize disks.

Sybase - Initialize Disks on a Windows Sybase Server


1. Connect to the server on which you want to create the Guardium audit
database: guardium_audit.
2. Create a folder named guardium_audit, under the c: drive.
3. Connect to the database.
4. Execute the following commands:
use master
go
disk init name="guardium_auditdev", physname="c:/guardium_audit/guardium_auditdev", size=8192
go
disk init name="guardium_auditlog", physname="c:/guardium_audit/guardium_auditlog", size=8192
go

Sybase - Initialize Disks on a Unix Sybase Server


1. Connect to the database.
2. Execute the following statements:
use master
go
disk init name = 'guardium_auditdev', physname = '/home/sybase/data/guardium_auditdev', size = 8192
go
disk init name = 'guardium_auditlog', physname = '/home/sybase/data/guardium_auditlog', size = 8192
go

Create the Database


For an Informix or Sybase database, be sure to perform the preliminary tasks
described above, before performing this procedure.
1. Do one of the following to open the Value Change Database Builder:
v Administrators, select Tools > Config & Control > Value Change Audit
Database Creation.
v Users, select the Value Change Audit Database Creation from a custom tab.
(This application is available to users, but does not appear on a default
layout. To add this application to a custom tab, see Portal Customization in
the Common Tools book.)
2. Click Add Datasource to open the Datasource Finder panel. Datasources that
have been defined from the Value Change Auditing application are labeled
Monitor Values. Datasources that have been defined for other applications will
have different labels (Listener, or DBanalyzer, for example), and those
datasources may not have the appropriate set of database access permissions
for Value Change Auditing application, which requires a user account having
database administrator authority. If a suitable datasource is not available, click
the New button to define a new one for the database to be monitored (see
Datasources in the Common Tools book for detailed information on defining
datasources).
Note: If a GUARDIUM_AUDIT database has already been created on this database
server, another one cannot be created. The GUARDIUM_AUDIT database/user must
be dropped before a new one can be created.
3. Select a datasource that uses an administrator account, and click Add, to add it
to the Datasources pane on the Create Value Change Audit Database panel.
4. Enter an Audit Datasource Name. This is the name that will be used to identify
the datasource later, to define monitoring tasks and to upload data. Do not
confuse this name with the name of the Datasource from the Datasources panel.
5. Optionally mark the Share Datasource box to share this datasource with other
applications (Classification, for example). The default is not to share the
datasource. This type of datasource requires administrator privileges, so you
may not want to share this datasource with other applications.
Note: To share a datasource with other users, assign security roles to that
datasource.
6. For any database type other than DB2, there will be additional fields in the
Audit Configuration pane. All fields are required. Referring to the following
table, enter the appropriate values.
Table 23. Additional Audit Configuration Fields

Informix
    Database Space: Enter the name of an existing database space to use,
    or enter the name of the database space you created for the audit
    database (guardium_dbs in the example shown previously). If you
    leave this blank, the default root_dbs space will be used, which we do
    not recommend.

MS SQL Server
    Audit User Name: Enter a new database user name to use when
    accessing the audit database. This user will be given the sysadmin role.
    Audit Password: Enter a password for the above.

Oracle
    Audit Password: Enter the password for the system user, which will be
    the database account used to access the audit database.
    Default Tablespace: Enter a name for the default tablespace.
    Temp Tablespace: Enter a name for the temporary tablespace.

Sybase
    Audit User Name: Enter a new database user name to use when
    accessing the audit database. This user will be granted the sa_role.
    Audit Password: Enter a password for the above.
    Data Device Name: Enter the same data device name used when
    initializing the disk for the audit database (guardium_auditdev in the
    disk initialization procedure described earlier).
    Log Device Name: Enter the same log device name used when
    initializing the disk for the audit database (guardium_auditlog in the
    disk initialization procedure described earlier).


7. Click the Create Audit Database button to create the audit database.
8. Use the selection Value Change Audit Database Update and Upload on the
Config and Control tab to select the actions in the table below.
Delete
    Click to remove the datasource from the Datasources pane.
Modify
    Click to edit this datasource definition in the Datasource Definition
    panel (see Datasources in the Common Tools help book for detailed
    information on defining datasources).
Schedule Upload
    Click to schedule the upload of this audit datasource.

After Defining the Audit Database


After an audit database has been created on a database server, it will be available
for use by the Value Change Auditing Builder, which is the tool that is used to
build triggers. See Value Change Auditing on page 153.

Discover help book


This help book describes the Database Auto-Discovery and Classification
applications.
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.

Classification
This section describes how to define classification policies and processes.

Classification Overview
For this overview, when we refer to the corporate database, we are referring to the
collection of all of the individual databases owned by the corporation (the
customer).
As the size and organization of the corporate database grows, sensitive information
like credit card numbers and transactions, or personal financial data, may be
present in multiple locations, without the knowledge of the current owners of that
data. This frequently happens in corporations that have experienced mergers and
acquisitions and in older corporations where legacy systems have outlasted their
original owners. Even in the best of cases, integration and enhancement projects
between disparate systems can easily leave sensitive data unknown and
unprotected.
Guardium provides the Classification feature to discover and classify sensitive
data, so that you can make and enforce effective access policy decisions.

Classification Terminology
A classification policy is a set of rules designed to discover and tag sensitive data
elements (database tables or files). You can define a set of actions to be taken for
each rule. An action might be to generate an email alert, or to add a member to a
(Guardium) group. Each time a rule is satisfied, that event is logged, and thus can
be reported upon (unless ignore is specified as the action to be taken, in which
case there is no logging for that rule).
A datasource identifies a specific database instance, and its definition on the
Guardium appliance can optionally store account information and any other
parameters required to access the database. Datasource definitions can be shared,
and can be used by other applications in addition to classification. For detailed
information about datasources, see Datasources.
A classification process defines a job consisting of a classification policy and one or
more datasources. The process can be submitted to be run once, or it can be
scheduled to run on a periodic basis, as a task in a compliance workflow
automation process.
See the following topics to define and use classification policies and processes:
v Classification Policies on page 165 (how to define classification policies)
v Classification Process on page 175 (how to define and run classification
processes)

Classification Policies
This topic describes how to build a classification policy.
For general reference on policy rules and rule actions, see Policies on page 295.

Create a Classification Policy


1. Do one of the following to open the Classification Policy Finder:
v Users with the admin role: Select Tools > Config & Control > Classifier
Policy Builder.
v All Others: Select Discover > Classification > Classifier Policy Builder.
2. Click New to open the Classification Policy Definition panel.
3. Enter a unique name in the Name box.
4. Enter a category in the Category box, and a classification in the Classification
box. Both are required. Both are used to group and organize data on reports.
5. Optionally enter a Description.
6. Click Save.
7. Optionally enter comments. (These can be entered at any time after the policy
has been saved.) See Comments in the Common Tools help book.
8. Click Edit Rules to define rules (and their associated actions). See Define
Classification Policy Rules, below, for detailed instructions.

Modify a Classification Policy


1. Do one of the following to open the Classification Policy Finder:
v Users with the admin role: Select Tools > Config & Control > Classifier
Policy Builder.
v All Others: Select Discover > Classification > Classifier Policy Builder.
2. Select the classification policy to be modified, and do one of the following:
v To modify policy rules, click Edit Rules and see Define Classification Policy
Rules, below.
v To modify any other element of the definition, click the Modify button.
3. Type over any of the items in the top portion of the panel, as appropriate.
4. To modify policy rules, click Edit Rules and see Define Classification Policy
Rules, below.
5. Click Save to save any changes, and click Done when you are finished.

Clone a Classification Policy


1. Do one of the following to open the Classification Policy Finder:
v Users with the admin role: Select Tools > Config & Control > Classifier
Policy Builder.
v All Others: Select Discover > Classification > Classifier Policy Builder.
2. Select the classification policy to be cloned, and click the Clone button.
3. Type over any of the items in the top portion of the panel, as appropriate for
the cloned policy. We recommend that you replace the default name for the
clone, which is the name of the selected policy prefixed with Copy of.
4. Click the Save Clone button to save the new classification policy. The policy
will be re-displayed in the Classification Policy Definition panel.

5. See Modify a Classification Policy, above, for instructions on how to change
components of the new classification policy definition.

Define Classification Policy Rules


1. If the Classification Policy Rules panel is not open:
a. Do one of the following to open the Classification Policy Finder:
v Users with the admin role: Select Tools > Config & Control > Classifier
Policy Builder.
v All Others: Select Discover > Classification > Classifier Policy Builder.
b. Select the classification policy, and click the Edit Rules button.
2. Use the Classification Policy Rules panel to view or modify classification policy
rules. The following table describes how to use the controls on this panel. For a
description of how to define each type of classification policy rule, see one of
the following topics:
v Define a Catalog Search Rule
v Define a Search by Permissions Rule
v Define a Search for Data Rule
v Define a Search for Unstructured Data Rule

Classification Policy Rules Panel Controls


Add Rule
    Click to add a rule. See Add a New Classification Policy Rule, below.
Remove Selected
    Click to remove the selected rule.
Expand All
    Click to expand the definitions of all rules.
Collapse All
    Click to collapse all expanded definitions.
Select All
    Click to mark the Select checkboxes for all rules.
Unselect All
    Click to clear the Select checkboxes for all rules.
Rule Type: Rule Name
    Each rule is labeled with a number, the rule type and rule name.
    For example, the second rule above is labeled:
    2. Search For Data: SSN Pattern
+ or - icon
    Click to expand or collapse the associated rule definition.
check box icon
    Mark to select the associated rule.
edit icon
    Click to edit the associated rule.
pin icons
    Click to add a user comment to the rule definition. See Comments
    in the Common Tools help book. If the rule already contains
    comments, a slip of paper displays beneath the push-pin, as shown
    in the pushpin to the right.
up or down icon
    Click to move the rule up or down in the list of rules.
Cancel
    Click to close the panel without saving any changes since the last
    save.
Done
    Click to close the panel without saving any changes since the last
    save.

Add a New Classification Policy Rule


1. Click the Add Rule button to open the Classification Rule definition panel.
2. Enter a Rule Name.

3. Optionally enter a new Category and/or Classification for the rule. The
defaults are taken from the Classification Policy Definition for the policy.
4. If the next rule in the classification policy should be evaluated after this rule is
matched, mark the Continue on Match checkbox. The default is to stop
evaluating rules when a rule is matched.
5. Select a Rule Type. For a new rule, no Rule Type is selected. Once a Rule Type
is selected, the panel expands to include the fields needed to define that type of
rule. For the specifics of how to define each type of rule, click one of the links
below:
v Define a Catalog Search Rule - Search the database catalog for table or
column name
v Define a Search by Permissions Rule - Search for the types of access that
have been granted to users or roles
v Define a Search for Data Rule - Match specific values or patterns in the data
v Define a Search for Unstructured Data Rule - Match specific values or
patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
Note: The database authentication (user/password) defined within the
datasource definition being used should have adequate levels of permission for
the rule/search being defined. For example, in Oracle, a user with an
appropriate role (such as SYSTEM or DBA) can properly search an access right
within the database catalog.
6. Click the New Action button to add an action to be taken when this rule is
matched. See Add a Classification Rule Action.
7. Click Accept to add the rule to the policy.

Define a Catalog Search Rule


A catalog search rule searches the database catalog for table and/or column names
matching specified patterns. Wildcards are allowed: % for zero to any number of
characters, or _ (underscore) for a single character.
1. In the Table Type row, mark at least one type of table to be searched: Synonym,
Table, or View. (Table is selected by default.)
2. Optionally enter a specific name or a wildcard based pattern in the Table Name
Like box. If omitted, all table names will be selected.
3. Optionally enter a specific name or a wildcard based pattern in the Column
Name Like box. If omitted, all column names will be selected.
4. Click the Accept button when you are done.

"Fire only with" Marker


The "Fire only with" Marker allows Classifier rules of any type to be grouped
under the same exact marker name. Additionally, all rules using a marker must
return data based on the same table name. If two or more rules are defined with
the same marker, those rules fire together: if all of them fire on the same table,
they are all logged and their actions invoked. If, on the other hand, only one of
them fires on a table, none of the rules is logged and no actions are invoked.
Being able to have multiple rules fire together becomes important when you care
about sensitive data appearing together within the same table. For example, you
may want to know when a table has both a social security number and a
Massachusetts driver's license.

The "Fire only with" Marker is a constant value; it can be given any value, but it
must have exactly the same value across the rules you want to group. This means
that if one rule has a marker of ABC, then the other rule that you want to group it
with must also have a marker named ABC. Any other marker value and the rules
are no longer grouped.
You must use at least two rules, of any type, that look for data within the same
table name.
The "Fire only with" Marker also depends on Continue on Match. As an example,
if the following rules were defined such that Rule 3 does not have Continue on
Match set, then no results will be returned regardless of whether all three marker
rules were positive. This is because Rule 4 never runs, and the grouping will not
fire because all "Fire only with" Marker rules must execute and return positive
results.
Rule 1. Firemarker rule "ABC" (continue on match)
Rule 2. Firemarker rule "ABC" (continue on match)
Rule 3. non-firemarker rule type (continue on match)
Rule 4. Firemarker rule "ABC" (continue on match)
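A compact evaluator for the rule types discussed here, as an added example that is not Guardium's code: it applies Catalog Search rules (LIKE patterns on table and column names) and Search for Data rules (a regular expression over column values with an optional Hit Percentage, the rule type described in Define a Search for Data Rule below) to an in-memory SQLite database, then applies the "Fire only with" marker and Continue on Match semantics just described, including the Rule 1 to Rule 4 case in which a rule without Continue on Match stops evaluation before the last marker rule is reached. The tables CUSTOMER and ORDERS, their values, the rule names and the patterns used for social security and licence numbers are constructed for the example and are not formats taken from the page; treating an empty Hit Percentage as "any matching value fires the rule" is an assumption.

```python
"""Toy classification-policy evaluator (added example, not Guardium's code)."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    name: str
    rule_type: str                    # "catalog" or "data"
    table_like: str = "%"             # SQL LIKE pattern on the table name
    column_like: str = "%"            # SQL LIKE pattern on the column name
    regex: str = ".*"                 # data rules: a value must fully match this
    hit_pct: Optional[float] = None   # data rules: minimum % of matching values
    marker: Optional[str] = None      # "Fire only with" marker, if any
    continue_on_match: bool = False   # keep evaluating later rules after a match


def like_to_regex(pattern: str):
    """Translate SQL LIKE wildcards (% = any run, _ = one character) to a regex."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


def evaluate_rule(conn, rule: Rule) -> Set[str]:
    """Return the set of tables on which one rule fires."""
    hits = set()
    tbl, col = like_to_regex(rule.table_like), like_to_regex(rule.column_like)
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:                      # walk SQLite's own catalog
        for _cid, column, *_ in conn.execute(f"PRAGMA table_info('{table}')"):
            if not (tbl.match(table) and col.match(column)):
                continue
            if rule.rule_type == "catalog":   # a name match alone is a hit
                hits.add(table)
                continue
            values = [str(v) for (v,) in conn.execute(
                f'SELECT "{column}" FROM "{table}"') if v is not None]
            matched = sum(1 for v in values if re.fullmatch(rule.regex, v))
            # Assumption: with no Hit Percentage any matching value fires the rule;
            # otherwise the share of matching values must reach the threshold (>=).
            fires = (matched > 0 if rule.hit_pct is None else
                     bool(values) and 100.0 * matched / len(values) >= rule.hit_pct)
            if fires:
                hits.add(table)
    return hits


def run_policy(conn, rules: List[Rule]) -> Dict[str, Set[str]]:
    """Evaluate rules in order; return {rule name: tables logged for it}.
    Evaluation stops at the first match on a rule without Continue on Match.
    Rules sharing a marker are logged only for tables on which every rule of
    the group fired; if any rule of the group was never reached, none is logged."""
    raw, reached = {}, []
    for rule in rules:
        reached.append(rule)
        raw[rule.name] = evaluate_rule(conn, rule)
        if raw[rule.name] and not rule.continue_on_match:
            break
    logged = {r.name: set() for r in rules}
    for marker in {r.marker for r in rules if r.marker}:
        group = [r for r in rules if r.marker == marker]
        if all(r in reached for r in group):
            common = set.intersection(*(raw[r.name] for r in group))
            for r in group:
                logged[r.name] = common
    for r in reached:
        if r.marker is None:
            logged[r.name] = raw[r.name]
    return logged


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; every value here is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CUSTOMER (id INTEGER, ssn TEXT, ma_license TEXT, email TEXT);
        INSERT INTO CUSTOMER VALUES (1, '123-45-6789', 'S12345678', 'a@example.com');
        INSERT INTO CUSTOMER VALUES (2, '987-65-4321', 'S87654321', 'b@example.com');
        CREATE TABLE ORDERS (id INTEGER, cust_ssn TEXT, amount REAL);
        INSERT INTO ORDERS VALUES (1, '123-45-6789', 10.0);
        INSERT INTO ORDERS VALUES (2, 'n/a', 20.0);
        INSERT INTO ORDERS VALUES (3, 'n/a', 30.0);
    """)
    return conn


# Both "ABC" rules and the catalog rule fire on CUSTOMER, so the group is logged.
SSN_RULE = Rule("SSN pattern", "data", column_like="%ssn%",
                regex=r"\d{3}-\d{2}-\d{4}", hit_pct=75.0, marker="ABC",
                continue_on_match=True)
LICENSE_RULE = Rule("MA license pattern", "data", column_like="%license%",
                    regex=r"S\d{8}", marker="ABC", continue_on_match=True)
CUSTOMER_TABLES = Rule("Customer tables", "catalog", table_like="CUST%")
POLICY_GROUPED = [SSN_RULE, LICENSE_RULE, CUSTOMER_TABLES]

# The page's Rule 1-4 case: the catalog rule lacks Continue on Match, so the
# last "ABC" rule is never reached and the whole marker group is suppressed.
LATE_MARKER_RULE = Rule("Late marker rule", "data", column_like="%email%",
                        regex=r"[^@]+@[^@]+", marker="ABC", continue_on_match=True)
POLICY_BROKEN_CHAIN = [SSN_RULE, LICENSE_RULE, CUSTOMER_TABLES, LATE_MARKER_RULE]
```

With POLICY_GROUPED, `run_policy(build_sample_db(), POLICY_GROUPED)` logs CUSTOMER for all three rules: ORDERS also carries SSN-shaped values, but only one of its three rows matches, so the 75 percent Hit Percentage keeps it out. With POLICY_BROKEN_CHAIN the catalog rule stops evaluation, the fourth rule is never run, and the three "ABC" rules log nothing, exactly as the Rule 1 to Rule 4 example above states.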

Define a Search by Permissions Rule


A search by permissions rule searches the database catalog for various tables based
on permissions granted to users and/or roles.
Note: Search by Permissions rules will not work for MySQL datasource lookups.
1. In the Table Type row, mark at least one type of table to be searched: Synonym,
Table, or View. (Table is selected by default.)
Note: For Synonyms, Oracle is currently the only datasource supported.
2. In the Users row, optionally enter a specific user name and/or select a group of
users. If both are omitted, all users will be considered. If both are specified, the
user name will be merged with the group of user names. You can also click the
(Groups) button to open the Group Builder in a separate window, to define a
new group of users (which you can then select from the drop-down list).
3. In the Roles row, optionally enter a specific role name and/or select a group of
roles. If both are omitted, all roles will be considered. If both are specified, the
role name will be merged with the group of role names. You can also click the
(Groups) button to open the Group Builder in a separate window, to define a
new group of roles (which you can then select from the drop-down list).
4. From the Grant Type list, select one or more types of grants. Use the CTRL and
SHIFT keys for multiple selections.
Note: Grant all is a particular type of grant. Selecting All in this list selects
only the grant all type of grant. It does not select all types of grants.
5. Mark the With Admin Option checkbox to include only permissions that are
granted with the admin option (which allows that person to grant access).

Define a Search for Data Rule


A search for data rule searches one or more columns for specific data values.
Wildcards are allowed: % for zero to any number of characters, or _ (underscore)
for a single character. For example, the Rule Type is Search for Data, the Table
Type is Table, and the Table Name Like is CREDIT%.
1. In the Table Type row, mark at least one type of table to be searched:
Synonym, Table, or View. (Table is selected by default.)
2. In the Table Name Like row, optionally enter a specific name or a wildcard
based pattern. If omitted, all table names will be selected.
3. In the Data Type row, select one or more data types to search.
4. In the Column Name Like row, optionally enter a specific name or wildcard
pattern. If omitted, all column names will be selected.
5. Optionally enter a Minimum Length. If omitted, no limit.
6. Optionally enter a Maximum Length. If omitted, no limit.
7. In the Search Like box, optionally enter a specific value or a wildcard based
pattern. If omitted, all values will be selected.
8. In the Search Expression box, optionally enter a regular expression to define a
pattern to be matched. To test a regular expression, click the (Regex) button to
open the Build Regular Expression panel in a separate window. For detailed
information about how to use regular expressions, see Regular Expressions
on page 67. See the section below about Luhn algorithm.
9. In the Evaluation Name, optionally enter a fully qualified Java class name that
has been created and uploaded. The Java class will then be used to fire and
evaluate the string.
Note: There is no validation that the class name entered was loaded and
conforms to the interface.
See Custom Evaluation and Manage Custom Classes for more information on
creation and uploading of Java class files.
10. Optionally enter a "Fire only with" Marker name. See "Fire only with" Marker.
11. In the Hit Percentage field, optionally enter the percentage of examined data
that must match for this rule to fire. Data is returned if the percentage of
matching data examined is greater than or equal to (>=) the percentage value
entered. An empty entry means the hit percentage is not a condition and does
not affect whether the rule fires and returns data to the view screen; a value
of 0 causes the rule to fire for this condition and return data to the view
screen; a value of 100 requires that all examined data match.
12. In the Compare to Values in SQL field, optionally enter a SQL statement. The
SQL entered, which must be based on returning information from one and
only one column, will then be used as a group of values to search against the
tables and/or columns selected.
Note: If used, the Compare to Values in SQL must follow these rules:
v The SQL statement MUST begin with SELECT
v The SQL statement SHOULD NOT use the semicolon (;)
v The SQL entered MUST specify a schema name in order to return accurate
results.
v Good examples:
SELECT ename FROM scott.emp
select EMPNUMBER from SYSTEM.EMP where EMPNUMBER in(5555,4444)
select DNAME from SCOTT.DEPT where DNAME like 'A%G'
SELECT ZIP from SCOTT.FOO where ZIP in (SELECT ZIP FROM SCOTT.FOO)

13. In the Compare to Values in Group field, optionally select a group. The group
selected will then be used as a group of values to search against the tables
and/or columns selected. As long as one of the values within a group, that is
either a public or a classifier group, matches, then the value rule will return
data.
14. Mark the Show Unique Values checkbox to add, to the Comments, details on
which values matched the classification policy rules and caused them to fire.
Use a regular expression in the Unique Values Mask field to redact the unique
values. For example, mark the Show Unique Values checkbox and enter
([0-9]{2}-[0-9]{3})-[0-9]{4} in the Unique Values Mask field to log the last
four digits and redact the prefix digits.

Classification with Luhn algorithm


When a rule name begins with "guardium://CREDIT_CARD", and there is a valid
credit card number pattern in the Search Expression box, the classification policy
will use the Luhn algorithm (a widely-used algorithm for validating identification
numbers such as credit card numbers), in addition to standard pattern matching.
The Luhn algorithm is an additional check and does not replace the pattern check.
A valid credit card number is a string of 16 digits or four sets of four digits, with
each set separated by a blank. There is a requirement to have both the
guardium://CREDIT_CARD rule name and a valid [0-9]{16} number in the Search
Expression box in order to have the Luhn algorithm involved in this pattern
matching.
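The following added example (not Guardium's code) models how the Hit Percentage, Show Unique Values mask and Luhn check described above combine when a Search for Data rule is evaluated over one column. The sample column values are constructed; the function names are hypothetical, and two details are assumptions: the Luhn check is enabled when the rule name begins with guardium://CREDIT_CARD and the Search Expression contains the literal [0-9]{16}, and the mask redacts its first capture group.

```python
import re

# Constructed sample values for one column (not taken from the help book).
SAMPLE_COLUMN = [
    "4532015112830366",      # 16 digits, passes Luhn
    "4111111111111111",      # 16 digits, passes Luhn
    "1234567890123456",      # 16 digits but fails Luhn: a pattern-only false positive
    "4532 0151 1283 0366",   # four groups of four digits, passes Luhn
    "not a card",
]

# The two layouts the help book names: 16 digits, or four sets of four digits
# separated by a blank.  It contains the literal "[0-9]{16}" that the book
# requires for the Luhn algorithm to be involved.
CARD_EXPRESSION = r"^([0-9]{16}|[0-9]{4}( [0-9]{4}){3})$"


def luhn_valid(digits):
    """Standard Luhn (mod 10) check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value, mask):
    """Replace capture group 1 of the mask with asterisks (assumed mask semantics)."""
    m = re.search(mask, value)
    if not m or m.lastindex is None:
        return value
    start, end = m.span(1)
    return value[:start] + "*" * (end - start) + value[end:]


def evaluate_search_for_data_rule(rule_name, search_expression, values,
                                  hit_percentage=None, unique_values_mask=None):
    """Return whether the rule fires, the hit percentage and the (masked) unique hits."""
    pattern = re.compile(search_expression)
    # Luhn is an additional check on top of the pattern, never a replacement for it.
    use_luhn = (rule_name.startswith("guardium://CREDIT_CARD")
                and "[0-9]{16}" in search_expression)
    matched = []
    for value in values:
        if not pattern.search(value):
            continue
        if use_luhn and not luhn_valid(re.sub(r"\D", "", value)):
            continue
        matched.append(value)
    pct = 100.0 * len(matched) / len(values) if values else 0.0
    if hit_percentage is None:
        fires = bool(matched)          # empty entry: not a condition, fire on any match
    else:
        fires = pct >= hit_percentage  # 0 always fires, 100 needs every value to match
    unique = sorted(set(matched))
    if unique_values_mask:
        unique = [redact(v, unique_values_mask) for v in unique]
    return {"fires": fires, "hit_percentage": pct, "unique_values": unique}


if __name__ == "__main__":
    for name in ("CARD_NO_SCAN", "guardium://CREDIT_CARD"):
        result = evaluate_search_for_data_rule(
            name, CARD_EXPRESSION, SAMPLE_COLUMN, hit_percentage=70,
            unique_values_mask=r"^([0-9 ]{12,15})[0-9]{4}$")
        print(name, result)
```

With a 70% hit percentage the pattern-only rule fires (4 of 5 values match), while the guardium://CREDIT_CARD rule does not (3 of 5 pass Luhn as well), which is the false-positive reduction the Luhn check is there for.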

Define a Search for Unstructured Data Rule


A Search for Unstructured Data rule examines a non-database file.
1. In the Search Like box, optionally enter a specific value or a wildcard based
pattern. If omitted, all values will be selected.
2. In the Search Expression box, optionally enter a regular expression to define a
pattern to be matched. To test a regular expression, click the (Regex) button to
open the Build Regular Expression panel in a separate window. For detailed
information about how to use regular expressions, see Regular Expressions
on page 67.
3. Optionally enter a marker name. See "Fire only with" Marker above.

Add a Classification Rule Action


1. After a rule has been saved, click the (Customize) button for that rule to return
to the rule definition panel, from which you can add one or more rule actions.
2. Click the New Action button to open the Action panel.
3. Enter an Action Name.
4. Optionally enter a Description.
5. Select an Action Type from the list. Depending on the action selected, a
different set of fields will appear on the panel. For the Ignore and Log Result
actions, no additional information is needed. For all other actions (see below),
additional fields will appear on the panel, and you will have to enter additional
information.
v Ignore - Do not log the match, and take no additional actions.
v Log Result - Log the match, and take no additional actions.


v For all other actions, refer to the appropriate topic below:
  Add To Group Of Object-Fields Action
  Add To Group Of Objects Action
  Create Access Rule Action
  Create Privacy Set Action
  Log Policy Violation Action
  Send Alert Action
6. After actions have been added to the Classification Rule panel, the controls in
the table below can be used to modify the actions defined.
7. Click Accept when you are done working with the rule definition.
Classification Rule Actions Panel Controls
Control            Description
edit icon          Click to edit the associated action definition
x icon             Click to remove the action from the rule definition
up or down icon    Click to move the action up or down in the list of actions

Add To Group Of Object-Fields Action


Each time the classification rule is matched, a member will be added to the
selected Object-Field group on the appliance. You have the option of replacing all
members, or adding new members.
For a database file, the object component of the member will be the database table
name, and the field component will be the column name.
For an unstructured data file, the object component of the member will be the file
name (in quotes), and the field component will be the column name, but if column
names cannot be determined, the columns will be named column1, column2, etc.
1. Do one of the following:
v Select an Object-Field Group from the list, or
v Click the (Groups) button, define a new group using the Group Builder (see
Groups in the Common Tools help book), and then select that group from
the list.
2. Optionally mark the Replace Group Content box to completely replace the
membership of the selected group with members returned by this rule. By
default, this box is not marked, which means that new members will be added
to the group, but no members will be deleted. For a job that is run on demand,
this box is ignored, and you are given the opportunity to add or replace
members on the view results panel.
3. Click the Save button to add the action to the rule definition, close the Action
panel, and return to the rule definition panel.

Add To Group Of Objects Action


Each time the classification rule is matched, a member will be added to the
selected Object group on the appliance.
For a database file type, the member will be the database table name. For an
unstructured file type, the member name will be the file name.


You have the option of replacing all entries, or only adding new entries.
1. Do one of the following:
v Select an Object Group from the list, or
v Click the (Groups) button, define a new group using the Group Builder (see
Groups in the Common Tools help book), and then select that group from
the list.
2. Optionally mark the Replace Group Content box to completely replace the
membership of the selected group with members returned by this rule. By
default, this box is not marked, which means that new members will be added
to the group, but no members will be deleted. For a job that is run on demand,
this box is ignored, and you are given the opportunity to add or replace
members on the view results panel.
3. From the Action Member Content drop-down list select the naming convention
that will be used when adding the member to the group where 'Full' is the
schema.tablename and 'Name' is the tablename.
4. Click the Save button to add the action to the rule definition, close the Action
panel, and return to the rule definition panel.
Note: To use aliases with groups generated by the Classifier, open the Group
Builder, select the Object group generated by the Classifier, and then click the
Modify button. Click the Aliases button to change the name of the Object
Group.

Create Access Rule Action


Each time the classification rule is matched, an access rule will be inserted into an
existing security policy definition. The updated security policy will not be installed
(that task is performed separately, usually by a Guardium administrator).
1. Select an Access Policy from the list. You must be authorized to access that
policy.
2. Enter a rule name in the Rule Description box.
3. Select an action from the Access Rule Action list. For a detailed description of
Access Rule actions, See Rule Actions Overview, in the Policies on page 295
topic.
4. Optionally select a Commands Group, or click the (Groups) button, define a
new Commands group using the Group Builder (see Groups in the Common
Tools help book), and then select that Commands group from the list.
5. To log field values separately, mark the Include Field checkbox. Otherwise, only
the table will be recorded (the default).
6. To include the server IP address, mark the Include Server IP checkbox.
7. If you have selected an alerting action, a Receiver row appears on the panel,
and you must add at least one receiver for the alert. Click the Modify Receivers
button to add one or more receivers. (See Notifications in the Common Tools
book.)
8. Click the Accept button to add the action to the rule definition, close the Action
panel, and return to the rule definition panel.

Create Privacy Set Action


Each time the classification rule is matched, the selected privacy set's object-field
list will be replaced.


For a database file, the object component of the privacy set will be the database
table name, and the field component will be the column name.
For an unstructured data file, the object component of the privacy set will be the
file name (in quotes), and the field component will be the column name, but if
column names cannot be determined, the columns will be named column1,
column2, etc.
1. Select the previously defined Privacy Set whose contents you want to replace.
2. Click the Accept button to add the action to the rule definition, close the Action
panel, and return to the rule definition panel.

Log Policy Violation Action


Each time the classification rule is matched, a policy violation will be logged. This
means that classification policy violations will be logged (and can be reported)
together with access policy violations (and optionally correlation alerts) that may
have been produced.
1. Select a Severity code from the list.
2. Click the Accept button to add the action to the rule definition, close the Action
panel, and return to the rule definition panel.

Send Alert Action


Each time the classification rule is matched, an alert will be sent.
1. Select a Notification Type code from the list.
2. Click the Modify Receivers button to add one or more receivers. (See
Notifications in the Common Tools book.)
3. Click the Accept button to add the action to the rule definition, close the Action
panel, and return to the rule definition panel.
Note: The specified receiver will get one mail per datasource per rule per
action. So, if a datasource has three rules and each rule has two actions (that have
at least one match), then the user will get 2 * 3 = 6 mails.


Classification Process
A classification process defines a job consisting of a classification policy and one or
more datasources.

Classification Process Overview


Any classification process can be run on an ad-hoc basis. If a datasource referenced
by that process has not stored login information, you will be prompted to supply
the necessary login parameters. If login information has been stored for all
datasources used in a classification process, that process can be included as a
classification task in a compliance workflow automation process, which can be run
on an on-demand or scheduled basis (see Compliance Workflow Automation on
page 255).
How the Classification Process Works
When a classification process runs, it should have very little impact on the
database server.
To prevent overloading the server when scanning data, the classification process
always samples the database, never reading more than 1,000 rows. It begins by
scanning sets of 50 consecutive rows returned by the database server, beginning
with the first row. The second set of 50 begins with the 1000th row. Thereafter, it
skips ahead by powers of two, such that the next blocks of 50 begin at 2K, 4K,
8K, 16K, 32K, and so forth. During this process, if any query takes longer than 10
seconds, the skip interval is multiplied by 10, so if the current sequence is 640K,
the next will be 6.4M, and so forth (until 1,000 rows have been sampled or there
are no more rows in the table). If the row limit on the Search for Data rule is set
higher than 1000, the same sampling technique will be used. Unless the table is
quite large (greater than 262,144,000 rows), the sampling process will run out of
rows before the maximum row limit is exceeded.
The Classifier also throttles itself to periodically idle so that it does not overwhelm
the database server with requests.
If any one query takes longer than 12 minutes, the query will be cancelled, a
message logged, and no more data will be sampled for that table. If any rows were
acquired while sampling, they will be used to evaluate the rule for that table. This
usually only happens on servers that are experiencing performance problems in
general.
If, for some reason, an operation on the Processor takes over approximately 30
minutes, the entire process will be halted, a message will be logged with the
process statistics, and the next Classification Process will be started.
In general, if there are many rules that are sampling data, the load on the database
server should remain constant, but the process may take additional time to run.
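The following added example (not Guardium's code) reproduces the sampling schedule described above, so the row offsets the classifier would read for a table of a given size can be checked; it also confirms that the 20th block of 50, which completes the 1,000-row budget, starts at row 262,144,000. The function names are hypothetical, and how the 10x skip interacts with the doubling after a slow query is an assumption (modelled as the next offset being 10 times the current one, as in the 640K to 6.4M example).

```python
MAX_ROWS = 1000      # the classifier never reads more than 1,000 rows per table
BLOCK = 50           # rows are read in sets of 50 consecutive rows
SECOND_START = 1000  # the second block begins with the 1000th row


def sample_plan(row_count, query_is_slow=lambda offset: False):
    """Return the (offset, rows) blocks read from a table with row_count rows.

    query_is_slow(offset) reports whether the block read at that offset took
    longer than 10 seconds.  Assumption: from then on the next offset is 10x
    the current one instead of 2x (640K -> 6.4M in the help book's example).
    """
    plan = []
    sampled = 0
    offset = 0
    factor = 2           # normal progression: 1K, 2K, 4K, 8K, ...
    while sampled < MAX_ROWS and offset < row_count:
        rows = min(BLOCK, row_count - offset, MAX_ROWS - sampled)
        plan.append((offset, rows))
        sampled += rows
        if query_is_slow(offset):
            factor = 10
        offset = SECOND_START if offset == 0 else offset * factor
    return plan


def rows_sampled(plan):
    """Total number of rows the plan reads."""
    return sum(rows for _, rows in plan)


if __name__ == "__main__":
    big = sample_plan(10**9)
    print(len(big), "blocks, last starts at row", big[-1][0],
          "total rows", rows_sampled(big))
    print("5,000-row table:", sample_plan(5000))
```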

Create a Classification Process


1. Do one of the following to open the Classification Process Finder:
v Users with the admin role: Select Tools > Config & Control > Classifier
Process Builder.
v All Others: Select Discover > Classification > Classifier Process Builder.
2. Click New to open the Define Classification Process panel.
3. Enter a name for the process in the Process Description box.
4. Select a Classification Policy from the list.
5. Optionally mark the Comprehensive search check box. This setting is only
relevant when the number of records in a table exceeds the Sample size (see
step 6). When Comprehensive search is checked, "Sample size" records are
selected at random from the table and searched for a match. This is a higher
quality search because the results are more likely to be representative of the
data. When it is not checked, the first "Sample size" records are searched for
a match. This type of search can be much faster than a comprehensive search
but may sacrifice the quality of the results.
6. Enter a Sample size to use when searching for data (see Define Classification
Policy Rules / Define a Search for Data Rule). If the number of records in a
table is less than or equal to "Sample size", all of those records are searched
for a match. When the number of records in a table exceeds "Sample size",
Comprehensive search, as defined above, may be used.

7. Click the Add Datasource button to add one or more datasources. See
Datasources on page 31 for information about using and defining
datasources.
8. Click the Save button. This completes the definition of the classification
process.
9. Optionally add comments to the definition. See Comments in the Common
Tools help book.
10. Optionally add security roles. See Security Roles in the Access Management
help book.
11. Optionally submit the classification process for execution. See Run a
Classification Process, below.
12. Click the Done button when you are finished.

Run a Classification Process


There are two ways to run a classification process:
v On demand from the Classification Process Builder (see below)
v As a task within a compliance workflow automation process (see Compliance
Workflow Automation on page 255).
1. Do one of the following to open the Classification Process Finder:
v Users with the admin role: Select Tools > Config & Control > Classifier
Process Builder.
v All Others: Select Discover > Classification > Classifier Process Builder.
2. Select the process to run, and click Modify to open the Classification Process
Builder.
3. Click the Run Once Now button to submit the job. This places the process on
the Guardium Job Queue, from which the appliance runs a single job at a time.
Administrators can view the job status by selecting Guardium Monitor >
Guardium Job Queue. See View the Guardium Job Queue, below.
4. Click the Done button when you are finished.


View Classification Results


1. Do one of the following to open the Classification Process Finder:
v Users with the admin role: Select Tools > Config & Control > Classifier
Process Builder.
v All Others: Select Discover > Classification > Classifier Process Builder.
2. Select the process that created the results to be viewed, and click Modify to
open the Classification Process Builder.
3. Click the View Results button. The results will open in a separate window.
4. On any row of the Process Run Log, click (details) to display more information.
5. Click Close this window when you are done viewing the results.
Note: If Data User Security is enabled through the Global Profile, check boxes
are displayed that allow users to toggle rows in the result set in accordance
with the filtering defined.

View the Guardium Job Queue


The Guardium Job Queue is available from the administrator portal only.
To view the report, select Guardium Monitor > Guardium Job Queue to open the
Guardium Job Queue panel.


Database Auto-discovery
Guardium's Auto-discovery application can be configured to probe the network,
searching for and reporting on all databases discovered.

Database Auto-discovery Overview


Sometimes a new database is introduced into a production environment outside of
the normal control mechanisms. For example, the new database might be part of
an application package from a software vendor. In older installations some
databases may have been left unmonitored and "forgotten," because the data
and/or activities performed on it were not seen as a risk when the database was
implemented.
Or in another case a rogue DBA might create a new instance of the database and
do with it as he or she pleases, without being monitored.
Guardium's Auto-discovery application can be configured to probe the network,
searching for and reporting on all databases discovered.
Once an auto-discovery process has been defined, it can be run on demand or
scheduled to be run on a periodic basis. There are two types of jobs that can be
scheduled for each process:
v A scan job scans each specified host (or hosts in a specified subnet), and
compiles a list of open ports from the list of ports specified for that host. A scan
job must be run before running the second type of job.
v A probe job uses the list of open ports compiled during the latest completed
scan only. The probe job determines if there are database services running on
those ports. You can view the results of this job on the Databases Discovered
predefined report (described later).
The two jobs can be scheduled individually, or the auto-discovery process can be
defined to run the probe job as soon as the scan job completes.
Because the processes of scanning and probing ports can take time, the progress of
an auto-discovery process can be displayed at any time (by clicking the
Progress/Summary button).
Once the jobs have been completed, the results can be viewed using predefined
reports.
To summarize, the following steps outline the procedure for using the Database
Auto-discovery application:
1. Configure one or more Auto-discovery processes to search specific IP addresses
or subnets for one or more ports. See Create an Auto-discovery Process.
2. Run the Auto-discovery process on demand or on a scheduled basis. See Run
or Schedule an Auto-discovery Process.
3. View Auto-discovery reports, or create custom reports. See Auto-discovery
Reports.
Note: A separate patch must be installed on the appliance in order to activate the
database discovery functionality in version 8.


Create an Auto-discovery Process


1. Do one of the following to open the Auto-discover Process Selector:
v Users with the admin role: Select Tools > Config & Control >
Auto-discovery Configuration.
v All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
2. Click New to open the Auto-discovery Process Builder.
3. Enter a Process name, which must be unique on the Guardium system.
4. Optionally mark the Run probe automatically after scan box, to run the probe
job immediately after the scan job completes. (Database auto-discovery is a
two-job process, which is described in more detail, under the Run an
Auto-discovery Process topic, below.)
5. For each host or subnet to be scanned, repeat the following steps to configure
a scan task. While doing this, watch the message that displays above the
Hosts title bar. It will display how many hosts and ports will be scanned. If
the number increases dramatically, you may need to adjust your host and/or
port specifications.
v Enter a comma-separated list of host IP addresses, optionally using
wildcard * (asterisk) characters; for example: 192.168.2.* will select all
addresses beginning with 192.168.2.
v Enter a comma-separated list of one or more ports. You can also enter
ranges of ports by specifying a - (dash) between the first and last port
numbers in the range (4100-4102, for example).
v Click the Add button.
6. To modify a Host or Port, type over it, and be sure to click the Apply button,
which will be activated when you make any modifications to the Host or Port
entries.
7. To remove a task, click the (Delete this task) button. If the task has been run
and has scan results dependent upon it, it cannot be deleted.
8. Optionally, with the Run Once Now buttons, Scan for open ports or Probe
ports found open by latest Scan, for DB services.
9. Optionally, with the Modify Schedule buttons, schedule a Scan for open ports
or Probe ports found open by latest Scan, for DB services. See Scheduling
on page 73 if you need help defining a schedule.

10. Optionally assign roles. See Security Roles in the Access Management help
book.
11. Optionally add comments. See Comments in the Common Tools help book.
12. Click the Done button when you are done.
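Step 5 tells you to watch the host and port count the panel displays so that an over-broad task is caught before it runs. The following added example (not Guardium's code) parses the host list (with * wildcard octets) and port list (with dash ranges) in the formats described there and computes that count; the function names are hypothetical, and it is an assumption that overlapping host entries are not de-duplicated.

```python
def _items(spec):
    """Split a comma-separated specification, ignoring blanks and surrounding spaces."""
    return [item.strip() for item in spec.split(",") if item.strip()]


def count_hosts(host_spec):
    """Number of addresses covered by a host list such as '192.168.2.*, 10.0.0.7'.

    Each '*' octet stands for 256 values.  Entries are simply summed, so a host
    that is also covered by a wildcard entry is counted twice (assumption).
    """
    total = 0
    for host in _items(host_spec):
        octets = host.split(".")
        if len(octets) != 4:
            raise ValueError(f"host {host!r} is not a dotted quad")
        addresses = 1
        for octet in octets:
            if octet == "*":
                addresses *= 256
            elif octet.isdigit() and 0 <= int(octet) <= 255:
                continue
            else:
                raise ValueError(f"host {host!r} has an invalid octet {octet!r}")
        total += addresses
    return total


def count_ports(port_spec):
    """Number of distinct ports in a list such as '1433, 4100-4102'."""
    ports = set()
    for item in _items(port_spec):
        low, _, high = item.partition("-")
        high = high or low                      # a single port is a range of one
        if not (low.isdigit() and high.isdigit()):
            raise ValueError(f"port entry {item!r} is not numeric")
        low, high = int(low), int(high)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range {item!r} is out of order or out of range")
        ports.update(range(low, high + 1))
    return len(ports)


def scan_size(host_spec, port_spec):
    """Host/port pairs a scan task would examine: the number the panel's message reports."""
    return count_hosts(host_spec) * count_ports(port_spec)


if __name__ == "__main__":
    print(scan_size("192.168.2.*, 10.0.0.7", "1433, 4100-4102"))
```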

Update an Auto-discovery Process


Note that when an auto-discovery process definition changes, the statistics for that
process will be reset.
1. Do one of the following to open the Auto-discover Process Selector:
v Users with the admin role: Select Tools > Config & Control > Auto-discovery
Configuration.
v All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
2. Select the process to be modified from the list.
3. Click Modify to open the Auto-discovery Process Builder, and refer to Create
an Auto-Discovery Process, above, to modify the process definition.


Remove an Auto-discovery Process


1. Do one of the following to open the Auto-discover Process Selector:
v Users with the admin role: Select Tools > Config & Control > Auto-discovery
Configuration.
v All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
2. Select the process to be removed from the list.
3. Click Delete. You will be prompted to confirm the action.

Run or Schedule an Auto-discovery Process


1. Do one of the following to open the Auto-discovery Process Selector:
v Users with the admin role: Select Tools > Config & Control > Auto-discovery
Configuration.
v All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
2. Select the auto-discovery process to run from the list
3. There are two types of jobs that can be run or scheduled (see the overview
above for a description of the two job types).
v To run a job immediately, click its Run Once Now button.
v To schedule a job, click its Modify Schedule button, and see Scheduling on
page 73 if you need help defining a schedule.
4. After starting or scheduling a job, you can click the Progress Summary button
at any time to display the status of this process.
5. Click the Done button when you are finished.

Auto-discovery Reports
On the user portal, the auto-discovery reports can be viewed on the Discover > DB
Discovery tab. Also from that tab, you can create custom reports using the
Auto-discovery Query Builder.
The following sections describe the Auto-discovery Tracking Domain and all
default reports. The procedures for creating custom reports are described in the
Audit and Report help book, and are not repeated here.

Auto-discovery Tracking Domain


The Auto-discovery Tracking domain contains all of the data reported by
auto-discovery processes. It contains the entities described below. Click any entity
name to display its attributes (from the Entities and Attributes Appendix).
Auto-discovery Tracking Domain Entities
Entity                 Description
Auto-discovery Scan    Provides a timestamp for each scan operation
Discovered Host        Provides the IP address and host name for each discovered host
Discovered Port        For each port discovered open, provides a timestamp, identifies
                       the port, and provides the database type, if applicable

Databases Discovered Report


Do one of the following to open the Databases Discovered report:
v Users with the admin role: Select Tools > Daily Monitor > Databases Discovered.
v All Others: Select Discover > DB Discovery > Databases Discovered.

The main entity for this report is the Discovered Port entity. There will be a
separate row of the report for each individual port found with a supported
database type listening.
For the reporting period, for each database discovered, this report lists the Time
Probed, Server IP address, Server Host Name, DB Type, Port, Port Type (usually
TCP) and a count of occurrences for the row.
There are no special runtime parameters for this report, but it excludes any
discovered ports with a database type of Unknown.
When an auto-discovery process definition changes, the statistics for that process
will be reset.
There are no drill-down reports available on this reporting domain.


Assess and Harden help book


This help book describes all vulnerability assessment and CAS (Configuration
Auditing System) functions and reports.
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.


Introducing Guardium Vulnerability Assessment


This help book introduces vulnerability assessments.
This chapter describes:
v What is Guardium Vulnerability and Threat Management
v How does Guardium Vulnerability Assessments Work
v What are the Essential Security Testing Methods
v What are Predefined Assessment Tests
v What are Behavioral Tests
v What are Configuration Tests
v What are Query Based Tests

What is Guardium Vulnerability and Threat Management


The Guardium Vulnerability and Threat Management solution is the first step in
security and compliance lifecycle management for any IT environment. A set of
predefined and custom tests, along with a process workflow, allows organizations
to identify and address database vulnerabilities in an automated fashion,
proactively improving configurations and hardening infrastructures.
Included in the Guardium Vulnerability and Threat Management solution are:
v Database Auto-Discovery performs a network auto-discovery of the database
environment and creates graphical representation of interactions among database
clients and servers.
v Database Content Classifier automatically discovers and classifies sensitive
data, such as 16-digit credit card numbers and 9-digit Social Security
numbers, helping organizations quickly identify faulty business or IT processes
that store confidential data.
v Database Vulnerability Assessment scans the database infrastructure for
vulnerabilities and provides evaluation of database and data security health,
with real time and historical measurements.
v CAS (Configuration Auditing System) tracks all changes to items such as
database structures, security and access controls, critical data values, and
database configuration files.
v Compliance Workflow Automation automates the entire compliance process, from
assessment and hardening through activity monitoring to audit reporting, report
distribution, and sign-off by key stakeholders.
Note: When using an expiring product license key, or a license with a limited
number of datasources, the following message may appear: "Cannot add
datasource. The maximum number of datasources allowed by license has been
reached." The License valid until date and Number of datasources can be seen on
the System Configuration panel of the Administrator Console. A Vulnerability or
Classification process with N datasources is counted as N scans every time it
runs.

Note: Guardium Vulnerability Assessment requires access to the databases it
evaluates. To do this, Guardium provides a set of SQL scripts (one script for each
database type) that create users and roles in the database to be used by
Guardium.
Note: The Guardium Vulnerability Assessment solution is not supported for DB2
on z/OS or AS/400.

How does Guardium Vulnerability Assessments Work


The Guardium Vulnerability Assessment application enables organizations to
identify and address database vulnerabilities in a consistent and automated
fashion. Guardium's assessment process evaluates the health of your database
environment and recommends improvements by:
v Assessing system configuration against best practices and finding vulnerabilities
or potential threats to database resources, including configuration and behavioral
risks; for example, identifying all default accounts that haven't been disabled,
and checking public privileges and the authentication methods chosen.
v Finding any inherent vulnerabilities present in the IT environment, such as
missing security patches.
v Recommending and prioritizing an action plan based on the discovered areas of
most critical risk and vulnerability. The generated reports and recommendations
provide guidelines on how to meet compliance changes and elevate the security
of the evaluated database environment.

What are the Essential Security Testing Methods


Guardium's Database Vulnerability Assessment combines three essential testing
methods to provide full depth and breadth of coverage. It leverages multiple
sources of information to compile a full picture of the security health of the
database and data environment.
1. Agent-based: using software installed on each endpoint (for example, a database
server). Agents can determine aspects of the endpoint that cannot be determined
remotely, such as an administrator's access to sensitive data directly from the
database console.
2. Passive detection: discovering vulnerabilities by observing network traffic.
3. Scanning: interrogating an endpoint over the network through credentialed
access.

What are Predefined Assessment Tests


Predefined tests are designed to illustrate common vulnerability issues that may be
encountered in database environments. Because of the highly variable nature of
database applications and the differences in what is deemed acceptable in various
companies or situations, some of these tests may be suitable for certain databases
but totally inappropriate for others (even within the same company). Most of the
predefined tests are customizable to meet the requirements of your organization.
Additionally, to keep your assessments current with industry best practices and
protect against newly discovered vulnerabilities, Guardium distributes new
assessment tests and updates on a quarterly basis as part of its Database Protection
Subscription Service. Please refer to the Guardium Administration Guide for more
details.


What are Behavioral Tests


This set of tests assesses the security health of the database environment by
observing database traffic in real time and discovering vulnerabilities in the way
information is being accessed and manipulated.
As an example, some of the behavioral vulnerability tests included are:
v Default users access
v Access rule violations
v Execution of Admin, DDL, and DBCC commands directly from the database
clients
v Excessive login failures
v Excessive SQL errors
v After hours logins
v Excessive administrator logins
v Checks for calls to extended stored procedures
v Checks that user ids are not accessed from multiple IP addresses

What are Configuration Vulnerability Tests


This set of assessments checks the security-related configuration settings of target
databases, looking for common mistakes or flaws in configuration that create
vulnerabilities.
As an example, the current categories, with some high-level tests, for configuration
vulnerabilities include:
v Privilege
    Object creation / usage rights
    Privilege grants to DBA and individual users
    System level rights
v Authentication
    User account usage
    Remote login usage
    Password regulations
v Configuration
    Database specific parameter settings
    System level parameter settings
v Version
    Database versions
    Database patch levels
v Object
    Installed sample databases
    Recommended database layouts
    Database ownership

What are Query Based Tests


A query-based test is a user-defined test that can be quickly and easily created by
defining or modifying a SQL query, which is run against a database datasource
with the result compared to a predefined test value.

Vulnerability Assessment
This section describes vulnerability assessment and threat management.
v Vulnerability Assessment Overview
v Vulnerability Assessment Tests
v CVE Compatibility

Vulnerability Assessment Overview


The Guardium Vulnerability and Threat Management solution is the first step in
the security and compliance life-cycle management for any database environment.
Tests, along with a process workflow, allow organizations to identify and address
database vulnerabilities in an automated fashion, pro-actively improving
configurations and hardening infrastructures.
Database Vulnerability Assessment is included in the Guardium Vulnerability and
Threat Management solution to scan the database infrastructure for vulnerabilities
and provide evaluation of database and data security health, with real time and
historical measurements.
The Guardium Vulnerability Assessment application enables organizations to
identify and address database vulnerabilities in a consistent and automated
fashion. Guardium's assessment process evaluates the health of your database
environment and recommends improvements by:
v Assessing system configuration against best practices and finding vulnerabilities
or potential threats to database resources, including configuration and behavioral
risks; for example, identifying all default accounts that haven't been disabled, and
checking public privileges and the authentication methods chosen.
v Finding any inherent vulnerabilities present in the IT environment, such as missing
security patches.
v Recommending and prioritizing an action plan based on the discovered areas of
most critical risk and vulnerability. The generated reports and
recommendations provide guidelines on how to meet compliance requirements and
elevate the security of the evaluated database environment.
Integration with CAS
CAS plays an important role in the identification of vulnerabilities and threats.
Guardium pre-configured and user-defined CAS templates can be used in
assessment tests and bring a holistic view of the customer's database environment.
With CAS, Guardium can identify vulnerabilities to the database at the OS level,
such as file permissions, ownership and environment variables. These tests can be
seen through the CAS Template Set Definition panel and have the word
'Assessment' in their name.
Note: Vulnerability Assessment (VA) and Configuration Auditing System (CAS)
are only supported in English.

Vulnerability Assessment Tests


Guardium provides over two hundred predefined tests to check database
configuration parameters, privileges, and so on.
A Vulnerability Assessment may contain one or more of the following types of
tests.
v Predefined Tests
v Query-Based Tests
v CAS-based Tests
v CVE Tests

Predefined Tests
Predefined tests are designed to illustrate common vulnerability issues that may be
encountered in database environments. Because of the highly variable nature of
database applications and the differences in what is deemed acceptable in various
companies or situations, some of these tests may be suitable for certain databases
but totally inappropriate for others (even within the same company). Most of the
predefined tests are customizable to meet the requirements of your organization.
Additionally, to keep your assessments current with industry best practices and
protect against newly discovered vulnerabilities, Guardium distributes new
assessment tests and updates on a quarterly basis as part of its Database Protection
Subscription Service. Please refer to Guardium Administration Guide for more
details.
Predefined Tests include:
v Behavioral Tests
v Configuration Tests

Behavioral Tests
This set of tests assesses the security health of the database environment by
observing database traffic in real time and discovering vulnerabilities in the way
information is being accessed and manipulated.
As an example, some of the behavioral vulnerability tests included are:
v Default users access
v Access rule violations
v Execution of Admin, DDL, and DBCC commands directly from the database
clients
v Excessive login failures
v Excessive SQL errors
v After hours logins
v Excessive administrator logins
v Checks for calls to extended stored procedures
v Checks that user ids are not accessed from multiple IP addresses

Configuration Tests
This set of assessments checks the security-related configuration settings of target
databases, looking for common mistakes or flaws in configuration that create
vulnerabilities.
As an example, the current categories, with some high-level tests, for configuration
vulnerabilities include:
v Privilege
    Object creation / usage rights
    Privilege grants to DBA and individual users
    System level rights
v Authentication
    User account usage
    Remote login usage
    Password regulations
v Configuration
    Database specific parameter settings
    System level parameter settings
v Version
    Database versions
    Database patch levels
v Object
    Installed sample databases
    Recommended database layouts
    Database ownership

Query-based Tests
A query-based test is either a predefined or a user-defined test that can be quickly
and easily created by defining or modifying a SQL query, which is run against a
database datasource with the result compared to a predefined test value. See Define a
Query-based Test for additional information on building a user-defined
query-based test.

CAS-based Tests
A CAS-based test is either a pre-defined or user-defined test that is based on a
CAS template item of type OS Script command and uses CAS collected data.
Users can specify which template item and test against the content of the CAS
results. See Create a New Template Set Item for assistance on creating an OS Script
type CAS template.
Guardium also comes pre-configured with some CAS template items of type OS
Script that can be used for creating a CAS-based test. These tests can be seen
through the CAS Template Set Definition panel and have a name which contains
the word 'Assessment'. For instance, the Unix/Oracle set for assessments is named
'Guardium Unix/Oracle Assessment'. Additionally, any template that is added that
involves file permissions will also be used for permission and ownership checking.
See Modify a Template Set Item to view these template sets and the items
with type OS Script.
Whether using a Guardium pre-configured or defining your own, once defined,
these tests will appear for selection during the creation or modification of
CAS-based tests. See Define a CAS-based Test for additional information.


CVE Tests
Guardium constantly monitors the Common Vulnerabilities and Exposures (CVE)
list from the MITRE Corporation and adds tests for the relevant database-related
vulnerabilities.

CVE Compatibility
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names
(CVE Identifiers) for publicly known information security vulnerabilities.
CVE's common identifiers make it easier to share data across separate network
security databases and tools, and provide a baseline for evaluating coverage: if a
report incorporates CVE Identifiers, users can quickly and accurately access fix
information in one or more separate CVE-compatible databases to remediate the
problem.
Numerous organizations have made their information security products and
services "CVE-compatible" by incorporating CVE Identifiers. Guardium constantly
monitors the CVE list published by the MITRE Corporation and adds tests for the
relevant database-related vulnerabilities.
To aid in finding individual vulnerabilities while viewing the CVE names for
specific databases, the user, when configuring tests through the Security
Assessment Builder, can select the CVE radio button for the desired database and
then select and add the appropriate CVE identifier. Additional information can
always be found in the master copy of the CVE list maintained by the MITRE
Corporation.
To keep CVEs current within the Guardium solution, Guardium downloads the
most current CVE database and uses it to populate a database table with all
current CVE entries and candidates. Guardium then programmatically compares the
downloaded CVE data with the CVE data already in the Guardium Vulnerability
Assessment repository, producing a list of new CVEs for review. The Guardium
Database Security Team then manually reviews these candidates for the Guardium
Vulnerability Knowledgebase, tests them, and adds the relevant ones to the GA
Guardium Vulnerability Assessment Knowledgebase. These tests are tagged with
the appropriate CVE number, and once in the GA repository they can be run
automatically by the Guardium Vulnerability Assessment application.

VA Summary
The following table lists the information tracked per test and database key in the VA
summary table: test result by unique identifier; cumulative failed age; first failed
date and last failed date; last passed date; and last scanned date. This information is
tracked, and users can create a report on it.
The key may include, in addition to the three original elements, the datasource
name. The default key is host, port and instance name.
Use VA Summary Tracking in Query Builder to define queries and reports.
This table can be exported and imported. Import Data overrides existing data on
the Guardium system (per key).

Table 24. VA Summary

Table Column          Type          Description
VA_SUMMARY_ID         Int           Auto-increment primary key
DATA_SOURCE_HASH      Varchar(40)   Hash of the key
DB_TYPE               Varchar       Database type
SERVICE_NAME          Varchar       Database instance name (if part of the key, "N/A" otherwise)
DB_PORT               Varchar       Database port (if part of the key, "N/A" otherwise)
DB_HOST               Varchar       Host / IP (if part of the key, "N/A" otherwise)
TEST_ID               Int           ID of the test
FIRST_EXECUTION       DateTime      First time the test was executed
LAST_EXECUTION        DateTime      Last time the test was executed
FIRST_FAIL            DateTime      First time the test failed on this database
LAST_FAIL             DateTime      Last time the test failed on this database
FIRST_PASS            DateTime      First time the test passed on this database
LAST_PASS             DateTime      Last time the test passed on this database
CURRENT_SCORE         Varchar       Pass / Fail / Error
CURRENT_SCORE_SINCE   DateTime      Date since which the test has been in its current status
CUMULATIVE_FAIL_AGE   Int           Cumulative fail age (in days)
CUMULATIVE_PASS_AGE   Int           Cumulative pass age (in days)

The CLI commands are: store va_test_show_query and show va_test_show_query.


Use export va_summary to export this information.
The GuardAPI commands to change or display the key are: grdapi
modify_va_summary_key and grdapi reset_va_summary_by_key. The GuardAPI
command to reset cumulative ages, both pass and fail, is grdapi
reset_va_summary_by_id. Use grdapi export_va_summary to export this
information.
An additional parameter, datasourceName, has been added to grdapi
reset_va_summary_by_key and grdapi modify_va_summary_key.
The VA Summary entity has an additional attribute, Datasource Name, that is
populated ONLY if the datasource name is part of the key.
Note: The GrdAPI command, modify_va_summary_key, will allow the key to be
empty by calling the GrdAPI with all four parameters: useHost, usePort,
useServiceName, useDatasourceName, equal to false. In this case, when the key is
empty, the VA Summary calculation is disabled (no summary data will be
calculated, updated or saved).
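As an added example (not Guardium code), the following Python model folds a constructed scan history into VA Summary rows with the columns of Table 24, so that CURRENT_SCORE_SINCE and the two cumulative ages can be seen on concrete data. The page does not state how Guardium computes the hash or the ages; the model assumes DATA_SOURCE_HASH is SHA-1 over the key elements, that an age accrues in whole days between consecutive executions while the test stays in that state, and that an Error result accrues neither age. The key flags mirror the useHost, usePort, useServiceName and useDatasourceName parameters, with an all-false key disabling the calculation as the note above describes. The host, port, instance and datasource names in the sample are constructed.

```python
"""Added example: a model of the VA Summary tracking described above, not Guardium code.
Assumptions the page does not state: DATA_SOURCE_HASH is SHA-1 over the key elements;
cumulative ages accrue in whole days between consecutive executions while the test
stays in that state; an Error result accrues neither pass nor fail age."""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ScanResult:
    """One execution of one test against one datasource (constructed input)."""
    host: str
    port: str
    service_name: str
    datasource_name: str
    test_id: int
    executed: datetime
    score: str  # "Pass", "Fail" or "Error"


@dataclass
class VaSummaryRow:
    """The columns of Table 24 for one (DATA_SOURCE_HASH, TEST_ID) pair."""
    data_source_hash: str
    db_host: str
    db_port: str
    service_name: str
    datasource_name: str
    test_id: int
    first_execution: datetime
    last_execution: datetime
    first_fail: Optional[datetime] = None
    last_fail: Optional[datetime] = None
    first_pass: Optional[datetime] = None
    last_pass: Optional[datetime] = None
    current_score: str = ""
    current_score_since: Optional[datetime] = None
    cumulative_fail_age: int = 0
    cumulative_pass_age: int = 0


def key_parts(r, use_host=True, use_port=True, use_service_name=True, use_datasource_name=False):
    """Key elements in the default order (host, port, instance name) plus the optional
    datasource name; an element that is not part of the key is recorded as 'N/A'."""
    return (r.host if use_host else "N/A", r.port if use_port else "N/A",
            r.service_name if use_service_name else "N/A",
            r.datasource_name if use_datasource_name else "N/A")


def key_hash(parts):
    """40-character hash of the key (SHA-1 assumed, matching Varchar(40) in Table 24)."""
    return hashlib.sha1("|".join(parts).encode("utf-8")).hexdigest()


def build_summary(results, use_host=True, use_port=True, use_service_name=True,
                  use_datasource_name=False):
    """Fold executions, oldest first, into rows keyed by (DATA_SOURCE_HASH, TEST_ID)."""
    flags = dict(use_host=use_host, use_port=use_port,
                 use_service_name=use_service_name, use_datasource_name=use_datasource_name)
    if not any(flags.values()):
        return {}  # empty key: the summary calculation is disabled, nothing is saved
    rows = {}
    for r in sorted(results, key=lambda x: x.executed):
        parts = key_parts(r, **flags)
        key = (key_hash(parts), r.test_id)
        row = rows.get(key)
        if row is None:
            row = VaSummaryRow(key[0], *parts, r.test_id, r.executed, r.executed)
            rows[key] = row
        else:
            # The state held since the previous execution accrues the elapsed days.
            elapsed = (r.executed - row.last_execution).days
            if row.current_score == "Fail":
                row.cumulative_fail_age += elapsed
            elif row.current_score == "Pass":
                row.cumulative_pass_age += elapsed
            row.last_execution = r.executed
        if r.score == "Fail":
            row.first_fail = row.first_fail or r.executed
            row.last_fail = r.executed
        elif r.score == "Pass":
            row.first_pass = row.first_pass or r.executed
            row.last_pass = r.executed
        if r.score != row.current_score:
            row.current_score, row.current_score_since = r.score, r.executed
    return rows


def sample_day(d):
    return datetime(2014, 1, d)


SAMPLE_RESULTS = [  # constructed scan history: two tests on one Oracle datasource
    ScanResult("db1.example.com", "1521", "ORCL", "prod-oracle", 101, sample_day(1), "Fail"),
    ScanResult("db1.example.com", "1521", "ORCL", "prod-oracle", 101, sample_day(8), "Fail"),
    ScanResult("db1.example.com", "1521", "ORCL", "prod-oracle", 101, sample_day(15), "Pass"),
    ScanResult("db1.example.com", "1521", "ORCL", "prod-oracle", 101, sample_day(20), "Fail"),
    ScanResult("db1.example.com", "1521", "ORCL", "prod-oracle", 102, sample_day(1), "Pass"),
    ScanResult("db1.example.com", "1521", "ORCL", "prod-oracle", 102, sample_day(8), "Error"),
    ScanResult("db1.example.com", "1521", "ORCL", "prod-oracle", 102, sample_day(15), "Pass"),
]


def sample_row(test_id, **key_flags):
    """Summary row for one sample test under the given key flags."""
    rows = build_summary(SAMPLE_RESULTS, **key_flags)
    return rows[(key_hash(key_parts(SAMPLE_RESULTS[0], **key_flags)), test_id)]
```

For test 101 the history Fail, Fail, Pass, Fail over 1, 8, 15 and 20 January gives a cumulative fail age of 14 days and a pass age of 5, with the current score Fail since 20 January; for test 102 the Error result between two passes neither resets the first pass date nor adds to either age. Changing the key flags (the effect of modify_va_summary_key) produces a different DATA_SOURCE_HASH, which is why the page warns that imported data overrides existing rows per key.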

Guardium Vulnerability Assessment (VA) Test Exceptions


These are exception groups created by Guardium and pre-populated in order to
enhance the experience of users working with these tests. This is important
because users generally do not know which exceptions are available for which tests.
The list is not categorized by DBMS type or test name, but each exception group
name itself makes it obvious which DBMS type and test it belongs to.
Use the query below to retrieve this list from the Guardium system:
SELECT GROUP_DESCRIPTION FROM GROUP_DESC
 WHERE APPLICATION_ID = 8 AND GROUP_TYPE_ID NOT IN (51,52,66) AND GROUP_ID < 20000
 ORDER BY 1;


Creating and Running an Assessment


The Security Assessment Finder panel is the starting point for creating or
modifying assessments.
After logging into the Guardium interface:
1. Click on the Assess/Harden tab to display the Assess/Harden process flow.
2. Click on the Vulnerability Assessment tab to bring up the Database Security
Assessment panel
3. Click on Assessment Builder to open the Security Assessment Finder
4. A process flow for Assessments will be displayed.
Or, as the admin user:
1. Click on the Tools tab
2. Click on the Config & Control link in the left hand column menu
3. Click on the Security Assessment Builder link in the left hand column menu
From the Security Assessment Finder panel, you can, by selecting an appropriate
security assessment and clicking the appropriate button, do one of the following:
v Create a New Security Assessment
v Modify a Security Assessment
v Configure Tests for a Security Assessment
v Add Comments to a Security Assessment
v Clone a Security Assessment
v Remove a Security Assessment
v Run a Security Assessment
v View Results of a Security Assessment
v Define a Query-based Test for a Security Assessment
v Define a CAS-based Test for a Security Assessment
Note: No quotes are allowed in the assessment description or in the name of any
created CAS-based or SQL-based tests for an assessment.

Create a New Security Assessment


1. Click on the New button to open the Security Assessment Builder panel.
2. Enter a unique name for the assessment in the Description box.
3. Enter the Observed Test Parameters. These observed test parameters apply only
to observed tests, but the Period From (start date) and To (end date) are
mandatory even if no observed tests are included in the assessment.
a. Enter the Period From (starting date) for the assessment using the calendar
tool or relative date picker tool. See Selecting or Entering Dates for
assistance
b. Enter the Period To (ending date) for the assessment using the calendar
tool or relative date picker tool. See Selecting or Entering Dates for
assistance
c. (optional) Indicate which client IP addresses in the Client IP or IP subnet
box are to be selected for the assessment by doing one of the following:


v Leave the Client IP address or subnet box empty to select all clients
v Enter a complete IP address to select only a specific client
v Select a subnet from which all clients are to be included by using a
wildcard character (asterisk or percent) in the appropriate location. For
example, to include all clients whose IP address begin with 192.168 enter
192.168.*.*
d. (optional) Indicate which Server IP address in the Server IP or IP subnet box
are to be selected for the assessment by doing one of the following:
v Leave the Server IP address or subnet box empty to select all servers
v Enter a complete IP address to select only a specific server
v Select a subnet from which all servers are to be included by using a
wildcard character (asterisk or percent) in the appropriate location. For
example, to include all servers whose IP address begin with 192.168 enter
192.168.*.*
4. Security assessments are run against datasources. Click on the Add Datasource
button to bring up the Datasource Finder, select the datasource(s) to be used for
tests other than observed tests, and click the Add button. See Datasources on
page 31 for assistance. See the GuardAPI command, create_test_exception, for
more information on the use of Test Exceptions.
5. Do one of the following:
v Click the Back button to cancel changes and return to previous screen
v Click the Apply button to save the assessment
After saving an assessment the user may, by clicking the appropriate button, do
one of the following:
v Assign Roles - Define who can use the assessment
v Add Comments - Create comments to document or log what and why changes
to assessments were made
v Revert - Undo recent changes and revert to last saved changes
v Configure Tests - Add tests to an assessment
v CAS Support - Configure CAS to supply appropriate data for an assessment

Assign Roles
Adding Roles to an assessment can be done after the Apply button has been
pressed in creating a new assessment or through the modification of an
assessment. Assessments are protected by Security Roles and only users with the
specified role are allowed to use or view the assessments. Likewise, with no roles
assigned, the assessment owner will be the only user able to access this
definition. To allow other users to access this assessment you will need to grant
access to one or more roles.
From the Assign Security Roles panel.
1. Click on the boxes to select/de-select the roles you would like to have assigned
for this assessment. See Manage Roles in the Access Management help book for
assistance
2. Click the Apply button to save the role assignments
3. Click the Back button to return to the Security Assessment Builder panel.


Add Comments
Comments can be attached to an assessment to help log and keep track of changes
made to assessments.
From the User Comment panel:
1. Click on the Add Comments button to begin adding comments. See Comments
in the Common Tools help book for assistance
2. Click the Apply button to save the comments
3. Click the Save button to return to the Security Assessment Builder panel.

Revert
Use the Revert button to undo the changes made to the Description, Observed Test
Parameter fields, or addition of datasources since the last Apply.

Configure Tests
The group of tests added to an assessment represent those items that are of
concern to check and safeguard a database environment. Adding assessment tests
can be done after the Apply button has been clicked in creating a new assessment
or during the modification or cloning of an assessment.
From the Assessment Test Selections panel:
1. Click on the radio button for the type (predefined, query based, CVE, or all) of
assessment to add.
See one of the following types for assistance:
v Predefined Tests
v Query Based Tests
v CVE Tests
2. Click on a database tab (DB2, INFORMIX, MS SQL SERVER, MYSQL,
NETEZZA, ORACLE, POSTGRESQL, SYBASE, TERADATA) to view and select
tests specifically for that database environment. Tests defined for a
specific database type are executed on all datasources of that type.
Tests marked with a '*' are CAS-based. CAS tests, when added to the list of
tests for an assessment, are displayed in italics and have a hover feature that
displays a tooltip. This tooltip identifies which template must
be activated to provide the necessary information for the test. Additionally, you
may click on the Observed tab for observed tests.
3. From the available list of available tests, shown in the bottom section of the
Assessment Test Selections panel, click and highlight the tests you would like
to add to this assessment.
Note: TERADATA: The test "PRIV: Teradata Profile In Use" relies on the
"Teradata Profile" group. Members should be added to this group if this VA test
is to be used.
Note: Oracle: The test "PRIV: Only DBA Access To Any X$" was removed
in 8.0 and no longer works. After upgrading to version 8.0, an error
indicating that the test has been deprecated is displayed along with the
recommendation to delete it from any assessments that use it.


Note: The Oracle "Weak Passwords are Screened" Vulnerability Assessment test
supports Oracle verification functions using exceptions (for example, "raise
application error") instead of returning "1" to indicate the password is OKAY.
This test will consider exception numbers added to the exception group that
the Oracle verification function may raise to indicate the password is not strong
enough. Any other exception will appear as an error and will be displayed.
4. Click the Add Selections button to add the tests to the assessment. The newly
added tests, or the tests that have already been assigned to this assessment,
appear in the top section of the Assessment Test Selections panel.
5. Predefined Guardium tests that are assigned to an assessment may also be
edited to meet individual customer requirements and to tune when the test
triggers. Users can set fields such as severity, thresholds, runtime parameters, and
exception groups in line with what would be considered a concern or
vulnerability for their particular environment. An assessment test is linked to
a Center for Internet Security (CIS) benchmark or a Common Vulnerabilities
and Exposures (CVE) entry through the External Reference field.
(optional) Click on the Edit icon in the Tuning column, for the selected
tests that appear in the top section of the Assessment Test Selections
panel, to bring up the Assessment Test Tuning panel and adjust the available
test parameters.
For those tests that allow an exception group to be designated, use the
Exception group drop-down list to select a group of exceptions (records that do
not cause the test to fail) for the selected test.
Check Save as Default if you have changed a value and want the new
value to become the default setting.
After adjusting the tuning parameters you may click on the:
v Cancel button to abort your changes
v Add Comments button if you would like to add a comment definition to the
test. These comments will then show up when viewing ANY RESULT PAST
OR PRESENT for executions of the test, including each instance of the test
when it runs multiple times in an assessment or other assessments that use
the test
v Restore Default to put tuning parameters back to their original values
v Accept button to save your changes
6. (optional) Click the Groups button to modify or create groups.
A set of groups are preloaded with the Guardium application for specific use
with Assessments and any groups created here will only be available for use
with assessments. For example there are groups defined that will check for
database version and patch level. See Groups on page 43 for additional
assistance on Modify Existing Groups, and Manage Members for Selected
Groups.
Database Version+Patches: For example, the Database Version+Patches
preloaded group is used for database version and patch level tests. These
groups can be updated through Guardium's DPS service and can be edited and
customized to adhere to a company's own internal version and patch levels, since
it would not be appropriate to test for Oracle version 11 when you are
satisfied with Oracle version 10. The valid format for Version+Patches is
either <version> or <version>+<patch-level>, where <patch-level> must be a
value (a space if you need it to be blank).
An exception group can contain a regular expression or just a member. For a regular
expression, the group member must start with (R) (case sensitive), and the
records in the detail are checked against the regular expression after the (R).
For example, if a group member is (R)SYSTEM.[a-z]+ each detail record is
checked using the pattern SYSTEM.[a-z]+. If the member does not start with (R), the
detail record is considered an exception only if it is equal to the group
member. Note that a group may contain a mix of regular expressions and specific
exceptions.
7. (optional) The user can remove selected tests that appear in the top section of
the Assessment Test Selections panel, by checking the check box next to an
assessment test and then clicking the Remove Selected button.
8. Do one of the following:
v Click the Save button to save changes, OR
v Click the Back button to cancel changes and return to the Security
Assessment Builder panel.
Note: There is a limitation, by default, of 10000 test results allowed per
assessment. As tests or datasources are added, an estimation of the number of
results is calculated and limited to 10000.
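The exception-group convention from step 6, as an added example that is not Guardium code: members beginning with (R) are compiled as regular expressions, all other members match exactly, and a test's detail records are split into the findings that remain and the records that were excepted. The page does not say whether the pattern is anchored; the example assumes it has to match the whole detail record. The detail records and the second, escaped group are constructed; the first group is the one from the text.

```python
"""Added example of the exception-group matching convention in step 6 above
(not Guardium code). Assumption: a '(R)' pattern must match the whole detail
record; the page does not say whether matching is anchored."""
import re
from typing import Callable, Iterable, List, Tuple

REGEX_MARKER = "(R)"  # case-sensitive, per the text: "(r)..." is an ordinary member


def compile_exception_group(members: Iterable[str]) -> Callable[[str], bool]:
    """Turn group members into a predicate: (R)-prefixed members are regular
    expressions checked against the whole record, everything else is an exact match."""
    literals = set()
    patterns = []
    for member in members:
        if member.startswith(REGEX_MARKER):
            patterns.append(re.compile(member[len(REGEX_MARKER):]))
        else:
            literals.add(member)

    def is_exception(record: str) -> bool:
        return record in literals or any(p.fullmatch(record) for p in patterns)

    return is_exception


def apply_exceptions(detail_records: Iterable[str],
                     members: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split detail records into (remaining findings, excepted records).
    Only the remaining findings count towards the test failing."""
    is_exception = compile_exception_group(members)
    remaining, excepted = [], []
    for record in detail_records:
        (excepted if is_exception(record) else remaining).append(record)
    return remaining, excepted


def finding_remains(detail_records: Iterable[str], members: Iterable[str]) -> bool:
    """A test with an exception group fails only if some finding is not excepted."""
    remaining, _ = apply_exceptions(detail_records, members)
    return bool(remaining)


SAMPLE_DETAIL = [  # constructed detail records from a failed privilege test
    "SYSTEM.abc", "SYSTEM.ABC", "SYSTEMXabc", "SCOTT.emp", "HR.jobs", "(r)HR.jobs",
]
SAMPLE_GROUP = ["(R)SYSTEM.[a-z]+", "HR.jobs"]      # the group from the text
STRICT_GROUP = [r"(R)SYSTEM\.[a-z]+", "HR.jobs"]    # constructed: the dot escaped


def run_sample():
    return apply_exceptions(SAMPLE_DETAIL, SAMPLE_GROUP)
```

The third sample record shows the check a reviewer of exception groups should make: the dot in SYSTEM.[a-z]+ is a regex wildcard, so SYSTEMXabc is silently excepted as well, and every excepted record is a finding nobody sees. Escaping the dot, as in STRICT_GROUP, keeps the exception narrow. The last record shows that a lowercase (r) is not a marker and is compared literally.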

CAS Support
From the CAS Assessment Support panel:
1. From the drop-down list, Select a Template Set and click the Add button to add
the template set to the Assessment

Modify a Security Assessment


Select a security assessment from the Security Assessment Finder panel and click
the Modify button to make changes to a saved assessment. The modification of an
assessment is similar to the creation of an assessment. Therefore see Create a New
Assessment to assist in changing information.

Clone a Security Assessment


Select a security assessment from the Security Assessment Finder panel and click
the Clone button to create a copy of an assessment. Clicking the Clone button
creates a copy of the selected assessment and places the user in modify/edit mode
for the new assessment, giving the assessment a new description that is prefixed
with 'COPY OF'. The user should:
1. Change the Description for the new assessment
2. Click the Apply button to save the change and then begin modifying the newly
created assessment
The cloning of an assessment is similar to the creation of an assessment.
Therefore see Create a New Assessment to assist in changing information.

Remove a Security Assessment


Select a security assessment from the Security Assessment Finder panel and click
the Remove button to delete the selected assessment.
Note: After an assessment is run and results are produced, you cannot remove the
definition of that assessment. To prevent other users from accessing or running an
assessment you no longer use, you can have the administrator define a special
security role for inactive assessments, then assign that role to the assessment, but
to no users.


Define a Query-based Test


A query-based test is a user-defined test that can be quickly and easily created by
defining or modifying a SQL query, which is run against a database datasource
with the result compared to a predefined test value; this allows the user to check
items such as database internals, structures, parameters, and even application data.
1. From the Query-based Test Finder panel the user has the following options:
v New - Create a new Query-based Test
v Clone - Clone a Query-based Test
v Modify - Modify a Query-based Test
v Remove - Remove a Query-based Test
v Back - Cancel changes and return to the previous screen
When creating, cloning, or modifying a Query-based Test, follow the remaining steps:
1. Enter a unique Test Name for the test.
2. From the drop-down box select the Database Type.
3. From the drop-down box select the Category.
4. From the drop-down box select the Severity.
5. (optional) Enter a Short Description for the test.
6. (optional) Enter an External reference for the test.
7. Enter the Result text for pass that will be displayed when the test passes.
8. Enter the Result text for fail that will be displayed when the test fails.
9. Enter the Recommended text for pass that will be displayed when the test
passes.
10. Enter the Recommended text for fail that will be displayed when the test fails.
11. Enter the SQL statement that will be executed for the test.
Group Support within a SQL Statement
Use the following convention to add and reference group members within a
SQL statement:
For example:
To reference a group of users defined for the group MyUsersGroup and
replace it with the actual members of the group use:
Select ... from DBA_GRANTS where ... AND USER in
(~~G~MyUsersGroup~~) and ...
This will result in a SQL Statement such as the following where U1, U2, etc
are the members of the MyUsersGroup group:
Select ... from DBA_GRANTS where ... AND USER in ('U1','U2','U3',...) and ...
Alias Support within a SQL Statement
Use the following convention to replace a reference to a specific alias (of a
specific group type) with the actual alias:
For example:
Select ... from USER_OBJECTS where ... AND OBJECT_TYPE =
'~~A~GroupType~TYPE~~'
If there is an alias for TYPE of group type GroupType, it replaces the string, and
the resulting SQL looks like:
Select ... from USER_OBJECTS where ... AND OBJECT_TYPE = 'TYPE'
where TYPE is the actual alias.


12.
13. (optional) Enter a SQL Statement for Detail, a SQL statement that retrieves a
list of strings to generate a detail string of Detail prefix + list of strings. See
example below under Detail prefix.
Note: The detail generated is only displayed when the query-based test fails;
allowing the user to enter a SQL statement that can retrieve the information
that caused the test to fail and help identify the cause of failure.
Note: Detail string can be seen within a Security Assessment Results by
clicking on the Assessment Test Name and also queried through the Result
Details attribute of the Test Result Entity.
14. (optional) Enter a Detail prefix that will appear at the beginning of the detail
string.
Example for SQL Statement for Detail & Detail prefix:
Test that checks for objects with certain grants.
Detail prefix: "Objects found with certain GRANT:"
SQL Statement for Detail: SELECT object FROM....--returning 4 records:
Obj1
Obj2
Obj3
Obj4
==> Details: Objects found with certain GRANT: Obj1, Obj2, Obj3, Obj4
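As an added illustration (not Guardium code), the following Python shows how the ~~G~...~~ and ~~A~...~~ references of step 11 expand into SQL, and how the Detail prefix of step 14 is joined with the rows returned by the SQL Statement for Detail of step 13. The group and alias catalogues are constructed sample data, and leaving a member unchanged when it has no alias is an assumption.

```python
import re

# Constructed sample catalogues standing in for Guardium group and alias
# definitions; they are not product data.
GROUPS = {"MyUsersGroup": ["U1", "U2", "U3"]}
ALIASES = {"GroupType": {"TYPE": "TABLE"}}

GROUP_REF = re.compile(r"~~G~([^~]+)~~")          # ~~G~<group name>~~
ALIAS_REF = re.compile(r"~~A~([^~]+)~([^~]+)~~")  # ~~A~<group type>~<member>~~


def sql_literal(value):
    """Quote a group member as a SQL string literal.

    Embedded single quotes are doubled so that a member name such as
    O'BRIEN cannot terminate the literal early and alter the statement.
    """
    return "'" + value.replace("'", "''") + "'"


def expand_group_refs(sql, groups):
    """Replace every ~~G~name~~ with the quoted, comma-separated members."""
    def repl(match):
        name = match.group(1)
        if name not in groups:
            raise KeyError("unknown group: " + name)
        members = groups[name]
        if not members:
            # IN () is invalid SQL; NULL never compares equal, so the
            # predicate matches no rows, which is the safe outcome here.
            return "NULL"
        return ",".join(sql_literal(m) for m in members)
    return GROUP_REF.sub(repl, sql)


def expand_alias_refs(sql, aliases):
    """Replace every ~~A~GroupType~MEMBER~~ with the alias of MEMBER.

    The reference normally sits inside quotes already, as in
    OBJECT_TYPE = '~~A~GroupType~TYPE~~', so only the bare value is emitted.
    Assumption: a member with no alias is left unchanged.
    """
    def repl(match):
        group_type, member = match.group(1), match.group(2)
        alias = aliases.get(group_type, {}).get(member, member)
        return alias.replace("'", "''")
    return ALIAS_REF.sub(repl, sql)


def expand_test_sql(sql, groups=GROUPS, aliases=ALIASES):
    """Expand both kinds of reference in a query-based test statement."""
    return expand_alias_refs(expand_group_refs(sql, groups), aliases)


def build_detail(prefix, rows):
    """Join the Detail prefix and the strings returned by the detail SQL.

    Mirrors the documented example: the prefix followed by the rows
    separated by ', '. Returns None when there are no rows, since the
    detail is only shown for a failing test that produced rows.
    """
    if not rows:
        return None
    return prefix + " " + ", ".join(rows)


if __name__ == "__main__":
    print(expand_test_sql(
        "SELECT grantee FROM DBA_GRANTS WHERE grantee IN (~~G~MyUsersGroup~~)"))
    print(expand_test_sql(
        "SELECT object_name FROM USER_OBJECTS WHERE OBJECT_TYPE = '~~A~GroupType~TYPE~~'"))
    print(build_detail("Objects found with certain GRANT:",
                       ["Obj1", "Obj2", "Obj3", "Obj4"]))
```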

15. (optional) Check the "Bind output variable" checkbox if the entered text in
SQL statement is a procedural block of code that will return a value that
should be bound to an internal Guardium variable that will be used in the
comparison to the "Compare to" value.
Example (Oracle):
declare
  retval integer := 0;
  strval varchar2(255) := '';
  nver number;
  sver varchar2(255) := '';
begin
  -- Read the instance version string, for example 11.2.0.4.0
  select VERSION
  into sver
  from V$INSTANCE;
  -- Keep only the major.minor part: everything before the second '.'
  nver := to_number(substr(sver,1,(instr(sver,'.',1,2) - 1)));
  if nver >= 11.1 then
    -- The parameter only exists from 11.1 onwards; read its current value
    select VALUE
    into strval
    from V$PARAMETER
    where NAME = 'sec_case_sensitive_logon';
  end if;
  -- 0 when the parameter does not apply or is TRUE, 1 otherwise; Guardium
  -- compares this value with the "Compare to" value of the test
  if (nver < 11.1 or strval = 'TRUE') then
    retval := 0;
  else
    retval := 1;
  end if;
  -- ? is the internal Guardium output variable bound by "Bind output variable"
  ? := retval;
end;

16. From the drop-down box select the Return type that will be returned from the
SQL statement.
17. From the drop-down box select the operator that will be used for the
condition.
18. Enter the Compare value that will be compared against the return value
from the SQL statement using the compare operator. It is this comparison that
determines whether this test has passed or failed. You may also click on the

RE (regex) to define a regular expression for the compare value. For detailed
information about how to use regular expressions, see Regular Expressions
on page 67.
19. Do one of the following:
v Click the Back button to cancel changes and return to previous screen
v Click the Apply button to save the Query-based assessment
This newly created query test can now be used when adding tests to an assessment.

Define a CAS-based Test


Vulnerability Assessments utilize the CAS mechanism to run OS level tests on the
database server, and identify vulnerabilities. The user may create new OS level
scripts, use existing predefined CAS templates, or create new CAS templates to test
files, permissions, etc.
CAS-based tests allow users to define custom tests based on a CAS template item
of type OS Script command. Users can specify which template item and test
against the content of the CAS results. See Create a New Template Set Item for
assistance on creating an OS Script type CAS template.
Guardium also comes pre-configured with some CAS template items of type OS
Script that can be used for creating a CAS-based test. These tests can be seen
through the CAS Template Set Definition panel and have a name which contains
the word 'Assessment'. For instance, the Unix/Oracle set for assessments is named
'Guardium Unix/Oracle Assessment'. See Modify a Template Set Item for viewing
these template sets and seeing those items with type OS Script.
Whether using a Guardium pre-configured or defining your own, once defined,
these tests will appear for selection during the creation or modification of
CAS-based tests. Note the CAS template must be activated on the node
corresponding to the data source and the test will be executed for all datasources
of the same database type as defined for the test. S-TAP and CAS must be installed
and running on examined database server in order for the CAS assessment test to
work.
1. From the CAS-based Test Finder panel the user has four options:
a. New - Create a new CAS-based Test
b. Modify - Modify a CAS-based Test
c. Remove - Remove a CAS-based Test
d. Back - Cancel changes and return to previous screen

When creating or modifying a CAS-based Test follow the remaining steps:
1. Enter a unique Test Name for the assessment
2. From the drop-down box select the Database Type
3. From the drop-down box select the Category
4. From the drop-down box select the Severity
5. (optional) Enter a Short Description for the assessment
6. (optional) Enter an External reference for the assessment
7. Enter the Result text for pass that will be displayed when the test passes
8. Enter the Result text for fail that will be displayed when the test fails

9. Enter the Recommended text for pass that will be displayed when the test
passes
10. Enter the Recommended text for fail that will be displayed when the test fails
11. From the drop-down list select the CAS Template to use for the test.
12. From the drop-down box select the operator that will be used for the
condition.
13. Enter the Search string that will be compared against what is
returned from the CAS template using the operator. It is this comparison that
determines whether this test has passed or failed. You may also click on the
RE (regex) to define a regular expression for the search string. For detailed
information about how to use regular expressions, see Regular Expressions
on page 67.
14. (optional) Check the Fail if match box if you would like to force a failure
when a match is made with the compare.
15. Do one of the following:
v Click the Back button to cancel changes and return to previous screen.
v Click the Save button to save the CAS-based test
This newly created CAS test can now be used when adding tests to an assessment.

Run a Security Assessment


The assessments run in a serialized mode one after the other. If more than one
assessment is scheduled to run they will have to be queued. This queue can be
viewed through the Guardium Job Queue report.
Clicking the Run Once Now button will enter the assessment into the queue for
immediate execution. A short period of time is required for the job to be
executed and become viewable. See View Results of an Assessment for assistance
in viewing the results of an assessment.
You can optionally define and schedule an automated process for running of an
assessment definition. The Audit Process finder panel is the starting point for
creating or modifying an audit process schedule. See Compliance Workflow
Automation on page 255 for assistance in defining an audit process.

View Results of an Assessment


Clicking the View Results button will bring up the Security Assessment Results
screen for the selected assessment from the Security Assessment Finder panel. See
Interpreting the results of an Assessment to assist in viewing results of an
assessment.
Users may also view results:
1. When the Audit Process result is assigned to a user the user can go see the
results of that audit process
2. By defining a report in the Security Assessment Report Tracking domain where
an Assessment report can be built and displayed through a customized pane
with a portlet. The process of creating a query for reporting is done by:
a. Logging into the Guardium application as the admin user
b. Click Tools tab
c. Click Report Building tab
d. Select Security Assessment Report Tracking from the left hand column
options to bring up the Security Assessment Result and Query Finder panel
e. See Building Queries and Building Reports in the Monitor and Audit help
book for assistance in defining a query and building a report
On the Assessment results screen, use a button for query-based tests (Test Query
Results) to allow a user to see what query was sent to the database.
Note: This feature must be turned on via the CLI command store
va_test_show_query, and the test must be query-based and have something to show
in the Assessment results screen.

Export to SCAP or AXIS


In the Assessment results viewer, near the top of the screen right-hand side, use
the Download XML button to open two menu choices: Download as SCAP xml or
Download as AXIS xml. Choose one of these selections in order to download to
your workstation a SCAP XML or AXIS XML file representing the viewed
Assessment results.
SCAP is Security Content Automation Protocol. AXIS is Apache EXtensible
Interaction System and is used by QRadar.

Interpreting the Results of an Assessment


An Assessment evaluates multiple tests based on multiple reports. The overall
results are displayed in a separate browser window entitled Security Assessment
Results and have the following sections:

Assessment Identity
The top portion of the Assessment results identifies:
v The assessment name
v The date and time the assessment was run
v The time period for the assessment
v The Client and Server IP addresses or subnets

Assessment Selection
In the upper right-hand corner of the window, there is a drop-down list that you
can use to select and display past results for an assessment. The latest result is
displayed by default.

Download a PDF Copy


You can generate a PDF version of Assessment result by clicking the Download
PDF button in the upper right section of the report.

Assessment Results History


The Assessment Results History shows the percentage of tests passing over a
period of time. Further recommendations to improve the percentage of passing
tests are given under the Assessment Test Results section.

View log
When clicked, the Execution Log will be displayed in a new window that shows
the runtime execution of the assessment test. A timestamp, along with events, and
messages can aid in the debugging of issues that might have caused certain tests to
fail.

Results Summary
A tabular graph summarizes all the tests that were executed within this
assessment. The X-axis represents the tests severity (CRITICAL, MAJOR, MINOR,
CAUTION, or INFOrmational). The Y-axis represents the type of test (Privilege,
Authentication, Configuration, Version, or Other). Within the grid is the
representation of the number of tests that have either Passed, Failed, or had an
Error when trying to execute. These numbers are directly related to the detail for
the assessment tests that is given under the Assessment Test Results section.

Current filtering applied


Just to the right of the Results Summary is displayed the current filtering options
that are in effect. Use the following two filtering options to filter or sort the
assessment test results:
Reset Filtering - Removes all filtering options selected through the Filter / Sort
Controls options.
Filter / Sort Controls - Use this link to open a filter/sort options for the report.
Options allow you to filter by Severities, Datasource Severity Classification (DS sev.
class), Scores (pass, fail, or error), and Test Types (Observed/Database type). The
sort option allows you to sort across combinations of severity, score, and
datasource. Click on the Apply button when you would like the chosen filter/sort
options to take effect.

Assessment Test Results


The Assessment Test Results section provides a detailed description of the test
taken, information about the target datasource and datasource severity
classification, and the test's Pass/Fail status, severity, external reference,
and the reason for the current status. Each test name is clickable and will filter
all information off the report except the information relevant to that
particular test. A hover-over feature on the Reason field will display the
recommendation to help remedy failed tests or tests in error.

Datasource Details
When expanded, the Datasource Details section will show all of the datasources
that were referenced within this assessment including the datasource's specific
environmental information.

CVE and CVSS information


CVE Records and CVSS information will display in the Assessment test result
viewer.
The reference links are clickable (opens new window). Either section will be absent
when there is no corresponding record for a result.
The CVSS fields of interest are:
v CVSS Score
v Access Complexity
v Availability Impact
v Confidentiality Impact
v Integrity Impact
v Authentication
v Access Vendor
v Source
v Generated on Datetime

Configuration Auditing System



Configuration Auditing System Overview


Databases can be affected by changes to the server environment; for example, by
changing configuration files, environment or registry variables, or other database
or operating system components, including executables or scripts used by the
database management system or the operating system. CAS tracks such changes
and reports on them. The data is available on the Guardium appliance and can be
used for reports and alerts.
For this version, the following changes take effect:
1. The CAS server now runs as a standalone process (controlled by inittab).
2. The CAS server will use only X processors out of all available collector
processors. X is calculated at runtime by dividing the maximum number of
processors by a new CAS parameter (default value "2", which means only half of
the processors will be used by the CAS server):
file: cas.server.config.properties
parameter name: divide_num_of_processors_by
3. With this setup, CAS can use 100% CPU on the allocated processors, while
leaving the rest of the processors for the other applications.
4. New entry in inittab:
casl:2345:respawn:/bin/su tomcat -c "/usr/local/guardium/scripts/guard-cas.sh"
5. The CAS log remains /var/log/guard/cas.log.
6. The CAS GUI is not affected by these changes.
7. CAS clients are not affected by these changes.
8. Tomcat no longer controls CAS.
9. CAS will track permissions of Windows files.
Note: Vulnerability Assessment (VA) and Configuration Auditing System (CAS)
are only supported in English.

CAS Agent
CAS is an agent installed on the database server that reports to the Guardium
appliance whenever a monitored entity has changed, either in content or in
ownership or permissions. You install a CAS client on the database server system,
using the same utility that is used to install S-TAP. CAS shares configuration
information with S-TAP, though each component runs independently of the other.
Once the CAS client has been installed on the host, you configure the actual
change auditing functions from the Guardium portal.

CAS Server Authentication


In addition to the basic security SSL provides, Guardium provides CAS Server
authentication support on the CAS client that runs on the database server. This

will guarantee that CAS client communicates only with Guardium's CAS server.
Unauthenticated connections and Common Names (CN) mismatches will be
reported in the CAS log file.
When configured, the CAS server loads a signed certificate and a private key at
start-up and assigns them to the server socket on which it accepts connections.
On the database server side the CAS client supports the following connection
modes:
1. Non-secure connection (use_tls='0').
2. Secure connection without authentication (use_tls='1',
guardium_ca_path=NULL). This mode forces the use of SSL as the means of
communication with the CAS server (i.e. uses SSL without server
authentication).
3. Secure connection with server authentication (use_tls='1',
guardium_ca_path=<public key location>). The public key is used by the CAS
client to authenticate the CAS server. The public key (ca.cert.pem) is
located under <install_dir>/etc/pki/certs/trusted.
ca.cert.pem is a file containing Root Certificate Authority certificates (which
are self-signed). The browser equivalent would be trusted CA certificates,
such as VeriSign's.
All gmachine certificates are issued/signed by the root authority; that is how
they are validated and how the chain of trust is established.
guardium_ca_path can be set either to the full path including the actual
public key file name, or to just the directory name (<install_dir>/etc/pki/
certs/trusted), in which case all the public keys within that directory will be
used to authenticate the server. If guardium_ca_path is set to a file or
directory that does not contain the public key, the connection attempt will fail.
4. Secure connection with server authentication and common name verification.
This mode adds a check in which the certificate CN presented by the server is
compared with the value set in the parameter sqlguard_cert_cn. If
sqlguard_cert_cn is NULL or empty this check is disabled. Otherwise it must be
set to the same CN as Guardium's self-signed certificate ('gmachine').
Note: All the parameters mentioned are from guard_tap.ini, see Default Unix
S-TAP configuration file on page 463.
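The four connection modes above, as an added check (not part of Guardium or its agent) written in Python: it reads the three guard_tap.ini parameters named in this section, reports which mode the CAS client is in, and lists what a defender loses in the weaker modes. The INI fragments are constructed samples, the [TAP] section name is an assumption, and the <install_dir> path is a placeholder for the real installation directory.

```python
import configparser
import os

# Constructed guard_tap.ini fragments used only for this example. The
# parameter names come from the CAS Server Authentication description; the
# [TAP] section name is an assumption and <install_dir> is a placeholder.
WEAK_INI = """
[TAP]
use_tls=0
guardium_ca_path=NULL
sqlguard_cert_cn=
"""

HARDENED_INI = """
[TAP]
use_tls=1
guardium_ca_path=<install_dir>/etc/pki/certs/trusted
sqlguard_cert_cn=gmachine
"""


def path_has_public_key(path):
    """True when guardium_ca_path names a PEM file or a directory holding one.

    The documentation allows either the full file name or the trusted
    directory, in which case every key inside the directory is used.
    """
    if os.path.isfile(path):
        return True
    if os.path.isdir(path):
        return any(name.endswith(".pem") for name in os.listdir(path))
    return False


def _clean(value):
    # Accept the quoted forms used in the documentation, e.g. use_tls='1'.
    return value.strip().strip("'\"")


def cas_tls_mode(ini_text, path_ok=path_has_public_key):
    """Classify the CAS client's connection mode (1-4) from a guard_tap.ini text.

    Returns (mode number, description, list of findings). path_ok is
    injectable so the check can run without touching the filesystem.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    tap = cp["TAP"]
    use_tls = _clean(tap.get("use_tls", "0"))
    ca_path = _clean(tap.get("guardium_ca_path", "NULL"))
    cert_cn = _clean(tap.get("sqlguard_cert_cn", ""))

    if use_tls != "1":
        return 1, "non-secure connection", [
            "use_tls is not 1: CAS traffic to the appliance is sent in clear text"]
    if ca_path in ("", "NULL"):
        return 2, "TLS without server authentication", [
            "guardium_ca_path is NULL: the client cannot tell a genuine CAS "
            "server from an impostor"]

    findings = []
    if not path_ok(ca_path):
        # Documented behaviour: a path without the public key makes every
        # connection attempt fail, which shows up in the CAS log file.
        findings.append("guardium_ca_path does not contain a public key: "
                        "every connection attempt will fail")
    if cert_cn:
        return 4, "TLS with server authentication and CN verification", findings
    findings.append("sqlguard_cert_cn is empty: the common-name check is disabled")
    return 3, "TLS with server authentication", findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        mode, desc, findings = cas_tls_mode(text)
        print(label, "-> mode", mode, desc)
        for finding in findings:
            print("   ", finding)
```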

Template Set
A CAS template set contains a list of item templates, bundled together, that
share a common purpose such as monitoring a particular type of database (Oracle
on Unix, for example), and is one of two types:
v Operating System Only (Unix or Windows)
v Database (Unix-Oracle, Windows-Oracle, Unix-DB2, Windows-DB2, etc.)
A database template set is always specific to both the database type and the
operating system type.

CAS Template Item


The definition or set of attributes of a monitoring task over a single Monitored
Entity. Users can define new CAS tests to construct new CAS templates, or use the
predefined templates for each OS and each database type, optionally modifying
them to meet specific database monitoring requirements.

A template item is a specific file or file pattern, an environment or registry
variable, the output of an OS or SQL script, or the list of logged-in users. The state
of any of these items is reflected by raw data, i.e. the contents of a file or the value
of a registry variable. CAS detects changes by checking the size of the raw data, or
computing a checksum of the raw data. For files, CAS can also check for system
level changes such as ownership, access permission, and path for a file.
In a federated environment where all units (collectors and aggregators) are
managed by one manager, all templates are shared by both collectors and
aggregators and CAS data can be used in reporting or vulnerability assessments.
When the collector and aggregator (or host where archived data is restored) are not
part of the same management cluster, the templates are not shared and therefore
CAS data cannot be used by vulnerability assessments even when the data is
present. To remedy this, use export/import of definitions to copy the templates
from the collector to the aggregator (or restore target).
Note: CAS should not be asked to monitor more than 10,000 files per client.
Note: It is recommended to configure CAS to handle no more than 1,000
monitored files per hour.

Monitored Entity
The actual entity being monitored. It can be a file (its content and properties),
the value of an environment variable or Windows registry entry, or the output of
an OS command, script, or SQL statement.

CAS Instance
Application of a CAS Template Set on a specific Host (creating an Instance of that
Template Set and applying it on a specific host)

CAS Configuration
A CAS configuration defines one or more CAS instances, each of which identifies a
template set to be used to monitor a set of items on that host.

Default Template Sets


For each operating system and database type supported, Guardium provides
preconfigured default template sets for monitoring a variety of databases on either
Unix or Windows platforms. A default template set is one that will be used as a
starting point for any new template set defined for that template-set type. A
template-set type is either an operating system alone (Unix or Windows), or a
database management system (DB2, Informix, Oracle, etc.), which is always
qualified by an operating system type - for example, UNIX-Oracle, or
Windows-Oracle. Many of the preconfigured, default template sets are used within
Guardium's Vulnerability Assessments where, for example, known parameters, file
locations, and file permissions can be checked. See Vulnerability Assessment on
page 189 for additional information.
The Guardium default template sets all begin with the word Guardium. You
cannot modify a Guardium default template set, but you can clone it and modify
the cloned version. Each of the Guardium default template sets defines a set of
items to be monitored. Make sure that you understand the function and use of
each of the items monitored by that default template set and use the ones that are
relevant to your environment. After defining a template set of your own, you can
designate that template set as the default template set for that template-set type.
After that, any new template sets defined for that operating system and database
type will be defined using your new default template set as a starting point. The
Guardium default template set for that type will not be removed; it will remain
defined, but will not be marked as the default.

Rationale for creating template sets to meet specific database
configurations
Although Guardium supplies predefined CAS template sets for each database type,
the wide variety of possible database configurations means that you may
have to tweak the predefined template sets or create new ones to meet all of your
needs in a production environment -- particularly as regards database software and
data file locations. You should plan on creating additional templates if you want
CAS to monitor ownership of, permissions on, and changes to your database files.
For example, the predefined CAS template set for Oracle contains these templates,
among others:
v $ORACLE_HOME/oradata/../.*dbf
v $ORACLE_HOME/oradata/../.*ctl
v $ORACLE_HOME/oradata/../.*log
v $ORACLE_HOME/../init.*.ora

As you can see, these file-pattern templates all start with the same root,
$ORACLE_HOME (NOTE: This is not necessarily the $ORACLE_HOME
environment variable defined on your database server; by preference, CAS uses the
datasource field Database Instance Directory as the value for $ORACLE_HOME).
It is possible that in a production environment your Oracle data files will not be in
the same directory tree -- or even on the same device as your log files, and your
Oracle configuration files might be in still another location.
Using the example above, you might create additional CAS templates using
absolute paths to allow CAS to find and monitor all of your Oracle files, e.g.
v /u01/oradata/mydb/*.dbf
v /u02/oradata/mydb/*.dbf
v /u03/oradata/mydb/*.dbf
v /u01/oradata/mydb/*.ctl
v /u02/oradata/mydb/*.ctl
v /u03/oradata/mydb/*.ctl
v /home/oracle11/admin/mydb/bdump/*.log
v /home/oracle11/product/11.1/db_1/dbs/init*.ora
You can even use additional environment variables that are defined in your Oracle
instance account. As an example, if you have variables defined as $ORA_DATA1,
$ORA_DATA2 and $ORA_SOFT you can use:
v $ORA_DATA1/mydb/*.dbf
v $ORA_DATA2/mydb/*.dbf
v $ORA_DATA1/mydb/*.ctl
v $ORA_DATA2/mydb/*.ctl
v $ORA_SOFT/admin/mydb/bdump/*.log

v $ORA_SOFT/product/11.1/db_1/dbs/init*.ora

Database Templates
Each database type has a set of defined CAS templates, each of which is described
here for the corresponding monitored database type and is available for use in
the assessment tests.
v CAS templates - DB2
v CAS templates - Informix
v CAS templates - MySQL
v CAS templates - Netezza
v CAS templates - Oracle
v CAS templates - PostgreSQL
v CAS templates - SQL Server
v CAS templates - Sybase
v CAS templates - Teradata

CAS templates - DB2


OS Script
Designates an OS script to be executed. Must begin with the variable $SCRIPTS,
which refers to the scripts directory beneath the CAS home directory, and identify
the script to be executed, e.g., "$HOME/db2_spm_log_path_group_test.sh". The
script itself must, of course, reside in the CAS $SCRIPTS directory. Output from
the script is stored in the Guardium database to be used by security assessments.
This can be either a shell/batch script to be run, or a set of commands that could
be entered on the command line. Because of the fickle nature of Java's parsing it is
suggested that any but the simplest commands be put into a script rather than run
directly. On Unix the script is run in the environment of the OS user entered. Three
environment variables will be defined for the run environment which the user
could use in writing scripts: $UCAS is the DB username, $PCAS is the DB
password, and $ICAS is the DB instance name. For Windows these three values
will be appended as the last three arguments to the batch file execution. For
example, if you had an OS Script template "%SCRIPTS%\MyScript.bat my-arg1
my-arg2", then %3, %4 and %5 would be the DB username, password, and instance
name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to
the file can be absolute, or relative to the $INSTHOME variable. The value of the
$INSTHOME variable is the value you set in the Database Instance Directory field
of the Datasource Definition panel. This is assumed to name a single file.
Environment variables from the OS user environment can be used in the file name
and will be expanded. For example, "$HOME/START.sh" will name the startup
script in the DB2 user's home directory.
File Pattern
Designates a group of files to be tracked and monitored by security assessments.
The path to the files can be absolute, or relative to the $INSTHOME variable. The
value of the $INSTHOME variable is the value you set in the Database Instance
Directory field of the Datasource Definition panel. A ".." in the path indicates one
or more directories between the portion of the path above it and the portion of the
path below it. A ".+" in the path indicates exactly one directory between the
portion of the path above it and the portion of the path below it. For example:
"$INSTHOME/sqllib/../db2.*". This is just shorthand for creating many single
file identifications from a single identification string, a file pattern which will
match all files in the directory. A file pattern can be viewed as a series of regular
expressions separated by /'s. A file is matched if each element of its full path can
be matched by one of the regular expressions in order. If an element of the pattern
is an environment variable, it is expanded before the match begins. If ".." is one of
the elements of the pattern, it will match zero or more directory levels. For
example, "/usr/local/../foo" will match "/usr/local/foo" and "/usr/local/gunk/
junk/bunk/foo". Using more than one ".." element in a file pattern should not be
necessary and is discouraged because it makes the pattern very slow to expand.
Because of the confusion with its use in regular expressions "\" cannot be used as
a separator as it might be in Windows.
Additionally, the "Guardium Unix/DB2 Assessment: UNIX - DB2" for Unix set
includes the following templates:
Db2govd Setuid Bits Is Not Set
This test monitors that the SETUID bit on DB2GOVD has been disabled
Db2start Setuid Bits Is Not Set
This test monitors that the SETUID bit on DB2START has been disabled
Db2stop Setuid Bits Is Not Set
This test monitors that the SETUID bit on DB2STOP has been disabled
File ownership
This test monitors file ownership, and changes thereto, of DB2 files.
File permissions
This test monitors file permissions, and changes thereto, of DB2 files.

CAS templates - Informix


OS Script
Designates an OS script to be executed. Must begin with the variable $SCRIPTS,
which refers to the scripts directory beneath the CAS home directory, and identify
the script to be executed, e.g., "$HOME/informix_rootpath_owner.sh". The script
itself must, of course, reside in the CAS $SCRIPTS directory. Output from the
script is stored in the Guardium database to be used by security assessments. This
can be either a shell/batch script to be run, or a set of commands that could be
entered on the command line. Because of the fickle nature of Java's parsing it is
suggested that any but the simplest commands be put into a script rather than run
directly. On Unix the script is run in the environment of the OS user entered. Three
environment variables will be defined for the run environment which the user
could use in writing scripts: $UCAS is the DB username, $PCAS is the DB
password, and $ICAS is the DB instance name. For Windows these three values
will be appended as the last three arguments to the batch file execution. For

example, if you had an OS Script template "%SCRIPTS%\MyScript.bat my-arg1
my-arg2", then %3, %4 and %5 would be the DB username, password, and instance
name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to
the file can be absolute, or relative to the $INFORMIXDIR variable. The value of
the $INFORMIXDIR variable is the value you set in the Database Instance
Directory field of the Datasource Definition panel. This is assumed to name a
single file. Environment variables from the OS user environment can be used in the
file name and will be expanded. For example, "$HOME/START.sh" will name the
startup script in the Informix user's home directory.
Additionally, the "Guardium Unix/Informix Assessment" for Unix set includes the
following templates:
Scan log files for errors
This test monitors for error in the online.log file
File ownership
This test monitors file ownership, and changes thereto, of Informix files.
File permissions
This test monitors file permissions, and changes thereto, of Informix files.

CAS templates - MySQL


OS Script
Designates an OS script to be executed. Must begin with the variable $SCRIPTS,
which refers to the scripts directory beneath the CAS home directory, and identify
the script to be executed, e.g., "$SCRIPTS/mysql_mysqld_user.sh". The script itself
must, of course, reside in the CAS $SCRIPTS directory. Output from the script is
stored in the Guardium database to be used by security assessments.
File
Designates a file to be tracked and monitored by security assessments. The path to
the file can be absolute, or relative to the $MYSQL_HOME variable. The value of
the $MYSQL_HOME variable is the value you set in the Database Instance
Directory field of the Datasource Definition panel.
File Pattern
Designates a group of files to be tracked and monitored by security assessments.
The path to the files can be absolute, or relative to the $MYSQL_HOME variable.
The value of the $MYSQL_HOME variable is the value you set in the Database
Instance Directory field of the Datasource Definition panel. A ".." in the path
indicates one or more directories between the portion of the path above it and the
portion of the path below it. A ".+" in the path indicates exactly one directory
between the portion of the path above it and the portion of the path below it. For
example: "$MYSQL_HOME/../data/.+/*.MYD"
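The File Pattern rules described for the DB2 and MySQL template items (a series of regular expressions separated by "/", ".." matching zero or more directory levels, ".+" exactly one, environment variables expanded before matching, and "\" rejected as a separator), implemented as an added Python example that is not Guardium's own matcher. The ENV values are constructed stand-ins for the Database Instance Directory, and reading a leading "*" as ".*" (so that the documented "*.MYD" pattern compiles) is an assumption.

```python
import re

# Constructed example environment: $INSTHOME and $MYSQL_HOME stand for the
# Database Instance Directory of two sample datasources.
ENV = {"INSTHOME": "/home/db2inst1", "MYSQL_HOME": "/var/lib/mysql"}


def _element_regex(element):
    """Compile one path element of a CAS file pattern as a regular expression.

    Assumption: the documented MySQL patterns use a leading "*" (e.g. *.MYD),
    which is not a valid regular expression on its own, so it is read as ".*".
    """
    if element.startswith("*"):
        element = "." + element
    return re.compile(element)


def expand_pattern(pattern, env):
    """Split a pattern on "/" and expand $VAR elements from env before matching."""
    if "\\" in pattern:
        raise ValueError('"\\" is not a valid separator in a CAS file pattern')
    elements = []
    for element in pattern.split("/"):
        if element.startswith("$"):
            name = element[1:]
            if name not in env:
                raise KeyError("undefined environment variable: $" + name)
            # The variable's value may itself contain "/" and so adds
            # several elements (an absolute value starts with "").
            elements.extend(env[name].split("/"))
        else:
            elements.append(element)
    return elements


def _match(elements, components):
    """Match pattern elements against path components, element by element."""
    if not elements:
        return not components
    head, rest = elements[0], elements[1:]
    if head == "..":
        # Zero or more directory levels: try skipping 0, 1, 2, ... components.
        # Each ".." multiplies the work, which is why the documentation
        # discourages using more than one.
        return any(_match(rest, components[i:])
                   for i in range(len(components) + 1))
    if not components:
        return False
    if head == ".+":
        # Exactly one directory level of any name.
        return _match(rest, components[1:])
    return (_element_regex(head).fullmatch(components[0]) is not None
            and _match(rest, components[1:]))


def matches_file_pattern(pattern, path, env=ENV):
    """Return True if the absolute path is selected by the CAS file pattern."""
    return _match(expand_pattern(pattern, env), path.split("/"))


if __name__ == "__main__":
    for pattern, path in (
        ("/usr/local/../foo", "/usr/local/foo"),
        ("/usr/local/../foo", "/usr/local/gunk/junk/bunk/foo"),
        ("$INSTHOME/sqllib/../db2.*", "/home/db2inst1/sqllib/bin/db2start"),
        ("$MYSQL_HOME/../data/.+/*.MYD", "/var/lib/mysql/data/shop/orders.MYD"),
        ("$MYSQL_HOME/../data/.+/*.MYD", "/var/lib/mysql/data/orders.MYD"),
    ):
        print(pattern, "vs", path, "->", matches_file_pattern(pattern, path))
```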
The default Guardium Unix/MySQL template set includes the following templates
supporting the tests indicated (note that some templates support more than one
test, while some tests require more than one template):
File Ownership
This test monitors ownership, and changes thereto, of the MySQL data files.
v $MYSQL_HOME/../data/.+/*.MYD
v $MYSQL_HOME/../data/.+/*.MYI
v $MYSQL_HOME/../data/.+/*.frm
File Permissions
This test monitors file permissions, and changes thereto, on the MySQL data files.
v $MYSQL_HOME/../data/.+/*.MYD
v $MYSQL_HOME/../data/.+/*.MYI
v $MYSQL_HOME/../data/.+/*.frm
MySql Does Not Run Under Root
This test checks that the owner of the running mysqld process is a user other than
the OS root user.
v $SCRIPTS/mysql_mysqld_user.sh
Scan log files for errors
This test monitors the MySQL error log for occurrences of the string "error".
v find $MYSQL_HOME -name *.err -exec grep -i -l error {} \;
datadir Owner Is the MySql Owner
This test checks that the owner of the MySQL data directory is the OS User you
specified when you configured the CAS host.
v $SCRIPTS/mysql_datadir_owner.sh

CAS templates - Netezza


File Ownership
This test checks whether the files are owned by the correct user and belong to the
correct group according to the definition within the CAS template.
File Permission
This test checks whether the file permission is properly set according to the
definition within the CAS template.
Scan Log files for errors
This test checks for the events FATAL, ERROR, DEBUG, ABORT and PANIC in two
log files: /nz/kit/log/postgres/pg.log and /nz/kit/log/startupsvr/startupsvr.log

CAS templates - Oracle


OS Script
Designates an OS script to be executed. Must begin with the variable $SCRIPTS,
which refers to the scripts directory beneath the CAS home directory, and identify
the script to be executed, e.g., "$SCRIPTS/oracle_user.sh". The script itself must, of
course, reside in the CAS $SCRIPTS directory. Output from the script is stored in
the Guardium database to be used by security assessments. (This can be either a
shell/batch script to be run, or a set of commands that could be entered on the
command line. Because of the fickle nature of Java's parsing it is suggested that
any but the simplest commands be put into a script rather than run directly. On
Unix the script is run in the environment of the OS user entered. Three
environment variables will be defined for the run environment which the user
could use in writing scripts: $UCAS is the DB username, $PCAS is the DB
password, and $ICAS is the DB instance name. For Windows these three values
will be appended as the last three arguments to the batch file execution. For
example, if you had an OS Script template "%SCRIPTS%\MyScript.bat my-arg1
my-arg2", then %3, %4 and %5 would be the DB username, password, and instance
name respectively. )
File
Designates a file to be tracked and monitored. The path to the file can be absolute,
or relative to the $ORACLE_HOME variable. The value of the $ORACLE_HOME
variable is the value you set in the Database Instance Directory field of the
Datasource Definition panel. (This is assumed to name a single file. Environment
variables from the OS user environment can be used in the file name and will be
expanded. For example, "$HOME/START.sh" will name the startup script in the
Oracle user's home directory.)
File Pattern
Designates a group of files to be tracked and monitored. The path to the files can
be absolute, or relative to the $ORACLE_HOME variable. The value of the
$ORACLE_HOME variable is the value you set in the Database Instance Directory
field of the Datasource Definition panel. A ".." in the path indicates one or more
directories between the portion of the path above it and the portion of the path
below it. A ".+" in the path indicates exactly one directory between the portion of
the path above it and the portion of the path below it. For example:
"$ORACLE_HOME/oradata/../*.dbf" (This is just a short-hand for creating many
single file identifications from a single identification string, a file pattern. A file
pattern can be viewed as a series of regular expressions separated by /'s. A file is
matched if each element of its full path can be matched by one of the regular
expressions in order. If an element of the pattern is an environment variable, it is
expanded before the match begins. If ".." is one of the elements of the pattern, it
will match zero or more directory levels. For example, "/usr/local/../foo" will
match "/usr/local/foo" and "/usr/local/gunk/junk/bunk/foo". Using more than
one ".." element in a file pattern should not be necessary and is discouraged
because it makes the pattern very slow to expand. Because of the confusion with
its use in regular expressions "\" cannot be used as a separator as it might be in
Windows. The file pattern shown above is not correct because "*.dbf" is not a valid
regular expression. It should be ".*dbf".)
Additionally, the default Guardium Unix/Oracle template set includes the
following templates:

ADMIN_RESTRICTIONS Is On
This test monitors that the listener.ora parameter ADMIN_RESTRICTIONS is set
properly.
File ownership
This test monitors file ownership, and changes thereto, of the Oracle data files,
logs, executables, etc.
File permissions
This test monitors file permissions, and changes thereto, on the Oracle data files,
logs, executables, etc.
Scan log files for errors
This test scans the Oracle log files for occurrences of error strings.
SPOOLMAIN.LOG Does Not Exist
This test checks the existence of the Oracle SPOOLMAIN.LOG.

Configuration for Oracle RAC systems


This is the required configuration for Oracle RAC systems.
Change guard_tap.ini on each node installed with stap:
unix_domain_socket_marker=<key>
where <key> value can be found in listener.ora in the IPC protocol definition
Example 1:
If the following is a description in the listener.ora
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ORCL))))
Then change the following parameter accordingly
unix_domain_socket_marker=ORCL
Example 2:
In the case where there is more than one IPC line in listener.ora, use a common
denominator of all the keys
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
Guardium uses a string search in the path, so "LISTENER" will work for all
four and should be used in this case:
unix_domain_socket_marker=LISTENER
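The procedure above (read every IPC KEY from listener.ora, then pick a value that the string search will find in all of them) can be automated. The following Python is an added example for this help page, not IBM's S-TAP/CAS code or a Guardium utility; the listener.ora excerpt is constructed from the two examples above plus one TCP address, and choosing the longest common prefix as the "common denominator" is an assumption (the page only shows that "LISTENER" works for the four keys listed).

```python
import re

# Constructed listener.ora excerpt: the four IPC entries from Example 2 above plus
# a constructed TCP entry that the parser must ignore.
SAMPLE_LISTENER_ORA = """\
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
LISTENER_TCP=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db-node1)(PORT=1521)))
"""

# An ADDRESS entry is a flat list of (NAME=VALUE) pairs, in any order.
_ADDRESS_RE = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\s*\([^()]*\)\s*)+)\)", re.IGNORECASE)
_PAIR_RE = re.compile(r"\(\s*(\w+)\s*=\s*([^()]*?)\s*\)")


def ipc_keys(listener_ora):
    """Return the KEY value of every ADDRESS entry whose PROTOCOL is IPC."""
    keys = []
    for m in _ADDRESS_RE.finditer(listener_ora):
        pairs = {name.upper(): value for name, value in _PAIR_RE.findall(m.group(1))}
        if pairs.get("PROTOCOL", "").upper() == "IPC" and "KEY" in pairs:
            keys.append(pairs["KEY"])
    return keys


def common_marker(keys):
    """Longest common prefix of the IPC keys (assumption: this is the 'common
    denominator' meant above). Returns None when the keys share no prefix; the
    page does not say what to do then, so no marker is guessed."""
    if not keys:
        return None
    prefix = keys[0]
    for key in keys[1:]:
        while not key.startswith(prefix):
            prefix = prefix[:-1]
    if not prefix:
        return None
    # The marker is applied as a substring search, so it must occur in every key.
    assert all(prefix in key for key in keys)
    return prefix


def guard_tap_line(marker):
    """The guard_tap.ini line to set on each RAC node."""
    return "unix_domain_socket_marker=%s" % marker


if __name__ == "__main__":
    keys = ipc_keys(SAMPLE_LISTENER_ORA)
    print(keys)
    print(guard_tap_line(common_marker(keys)))
```

Run it against a copy of the node's real listener.ora instead of the constructed text; if `common_marker` returns None, the keys have no shared prefix and the marker has to be chosen by hand.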

CAS templates - PostgreSQL


Note: It is very important that PostgreSQL_BIN and PostgreSQL_DATA
environment variables are defined correctly. An invalid setting will cause other
CAS assessment tests not to work properly or at all.
File Ownership
This test checks whether the files are owned by the correct user and belong to the
correct group according to the definition within the CAS template.
File Permission
This test checks whether the file permission is properly set according to the
definition within the CAS template.
PostgreSQL_BIN environment variable defined
This test checks if the $PostgreSQL_BIN environment variable is defined on your
database server. This variable needs to be defined under the root account for
Unix/Linux, or you can add it to .profile for the root login. For Windows, it needs
to be defined for the Administrators login. For Red Hat Linux, the PostgreSQL BIN
folder is usually /usr/bin. For Solaris, it is usually something like
/data/postgres/postgres/8.3-community/bin/64. Setting this environment
variable is very important, as other assessment tests rely on the location of this
folder.
PostgreSQL_DATA environment variable defined
This test checks if the $PostgreSQL_DATA environment variable is defined on your
database server. This variable needs to be defined under the root account for
Unix/Linux, or you can add it to .profile for the root login. For Windows, it needs
to be defined for the Administrators login. For Red Hat Linux, the default DATA
folder is usually /var/lib/pgsql/data. For Solaris, there is no consistent
location. Setting this environment variable is very important, as other assessment
tests rely on the location of this folder to find the correct configuration files.

CAS templates - SQL Server


OS Script
Designates an OS script to be executed. Output from the script is stored in the
Guardium database. This can be either a shell/batch script to be run, or a set of
commands that could be entered on the command line.
Registry Variable
Searches the Windows registry for a specific key value required by a security
assessment test.

CAS templates - Sybase


OS Script
Designates an OS script to be executed. Must begin with the variable $SCRIPTS,
which refers to the scripts directory beneath the CAS home directory, and identify
the script to be executed, e.g., "$HOME/sybase_sysdevice_type_test.sh". The script
itself must, of course, reside in the CAS $SCRIPTS directory. Output from the
script is stored in the Guardium database to be used by security assessments. This
can be either a shell/batch script to be run, or a set of commands that could be
entered on the command line. Because of the fickle nature of Java's parsing it is
suggested that any but the simplest commands be put into a script rather than run
directly. On Unix the script is run in the environment of the OS user entered. Three
environment variables will be defined for the run environment which the user
could use in writing scripts: $UCAS is the DB username, $PCAS is the DB
password, and $ICAS is the DB instance name. For Windows these three values
will be appended as the last three arguments to the batch file execution. For
example, if you had an OS Script template "%SCRIPTS%\MyScript.bat my-arg1
my-arg2", then %3, %4 and %5 would be the DB username, password, and instance
name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to
the file can be absolute, or relative to the $SYBASE variable. The value of the
$SYBASE variable is the value you set in the Database Instance Directory field of
the Datasource Definition panel. This is assumed to name a single file.
Environment variables from the OS user environment can be used in the file name
and will be expanded. For example, "$HOME/START.sh" will name the startup
script in the Sybase user's home directory.
File Pattern
Designates a group of files to be tracked and monitored by security assessments.
The path to the files can be absolute, or relative to the $SYBASE variable. The
value of the $SYBASE variable is the value you set in the Database Instance
Directory field of the Datasource Definition panel. A ".." in the path indicates one
or more directories between the portion of the path above it and the portion of the
path below it. A ".+" in the path indicates exactly one directory between the
portion of the path above it and the portion of the path below it. For example:
"$SYBASE/../.*dat". This is just a short-hand for creating many single file
identifications from a single identification string, a file pattern. A file pattern can
be viewed as a series of regular expressions separated by /'s. A file is matched if
each element of its full path can be matched by one of the regular expressions in
order. If an element of the pattern is an environment variable, it is expanded before
the match begins. If ".." is one of the elements of the pattern, it will match zero or
more directory levels. For example, "/usr/local/../foo" will match "/usr/local/foo"
and "/usr/local/gunk/junk/bunk/foo". Using more than one ".." element in a file
pattern should not be necessary and is discouraged because it makes the pattern
very slow to expand. Because of the confusion with its use in regular expressions
"\" cannot be used as a separator as it might be in Windows.
Additionally, the "Guardium Unix/Sybase Assessment : UNX - SYBASE" set
includes the following templates :
Scan log files for errors
This test monitors for errors in Sybase log files.
sysdevice Owner is 'sysbase'
This test monitors for ownership of sysdevice.

File ownership
This test monitors file ownership, and changes thereto, of Sybase files.
File permissions
This test monitors file permissions, and changes thereto, of Sybase files.

CAS templates - Teradata


File Ownership
This test checks whether the files are owned by the correct user and belong to the
correct group according to the definition within the CAS template.
File Permission
This test checks whether the file permission is properly set according to the
definition within the CAS template.

CAS Start-up and Failover


Various failover and connect parameters can be modified through S-TAP Control
Change Auditing.
When the CAS client starts on the host, it looks for a checkpoint file that it may
have written to the system. This file tells CAS what it was doing the last time it
was running. CAS then connects to its Guardium appliance. If it has found a
checkpoint file, CAS will ask the Guardium appliance to verify its version of its
monitoring assignment against what is stored in the Guardium database. While the
CAS client and the Guardium appliance have been disconnected, there may have
been changes to the assignment. When any differences are resolved, CAS will
resume monitoring. If CAS does not find a checkpoint file, it will ask the
Guardium appliance what it should do. If the Guardium appliance finds the CAS
host in its database, then the associated template sets will be sent to the CAS
client, expanded into monitored items, and monitoring will begin. If the Guardium
appliance cannot find the CAS host in its database, it will add it to the database
and send the default template set for the CAS host operating system.
When connectivity between the CAS client and the Guardium appliance is lost, it
may take up to 5 minutes (the time a CAS client waits to receive a message from
the Guardium appliance) for the client to discover that it has lost contact with the
primary Guardium appliance; discovery happens sooner if a communication error
is detected.
If the CAS client loses its connection to the Guardium appliance or cannot make an
initial connection, it opens a failover file and begins writing the messages that it
would have sent to the Guardium appliance, to the failover file. The path to this
failover file is stored in guard_tap.ini with the name 'cas_fail_over_file'. When
communication is reestablished the CAS client shuts down and restarts, sends all
messages stored in the failover file to the Guardium appliance, and deletes the file.
If the CAS client was unable to make the initial connection, it will use the
checkpoint file to determine what to monitor, and continues doing what it was
doing before communication failed.
When communication is lost, the client also starts a thread which periodically tries
to reconnect with the primary Guardium appliance. The number of times CAS will
attempt to reconnect, and the average time interval between reconnect attempts,
are configurable parameters. It will try to reconnect for a period of time set in
guard_tap.ini with the name 'cas_server_failover_delay'. After that time has passed,
the client will also try to connect to any secondary servers identified in
guard_tap.ini. The secondaries will be tried in the order of the value of the
'primary' attribute listed in the SQL_Guard sections of guard_tap.ini. When
'primary' is not 1, it is a secondary. While the client is connected to a secondary
server it will continue to try to reconnect to the primary server.
If the reconnect attempt limit is met, the CAS client stops trying to reconnect, but
continues to write data to a failover file. To cap disk space requirements on the
database server, there are actually two failover files. CAS writes to one file until it
reaches its maximum failover file size (which is configurable), and then switches to
the other, overwriting any previous data on that file. The default failover file size is
50MB (for each of the files).
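The two-file arrangement above bounds disk use on the database server at twice the maximum failover file size, at the price of losing the oldest messages once both files have filled. The following Python model is an added example for this help page, not the CAS client's own code: the file names, the line-per-message layout and the drain order on reconnect are assumptions, and a tiny size limit is used so the overwrite behaviour can be seen in a few messages.

```python
import os
import tempfile


class FailoverSpool:
    """Constructed model of the two capped failover files described above.
    Disk use never exceeds 2 * max_bytes; when both files have filled, the
    older batch of messages is overwritten (file names are assumptions)."""

    def __init__(self, directory, max_bytes):
        self.paths = [os.path.join(directory, "cas_failover_%d.log" % i) for i in (0, 1)]
        self.max_bytes = max_bytes
        self.active = 0          # index of the file currently being written
        self.dropped = 0         # messages lost because both files had filled
        for path in self.paths:
            open(path, "w").close()   # start with two empty files

    def _line_count(self, path):
        with open(path, "rb") as f:
            return sum(1 for _ in f)

    def write(self, message):
        """Append one message; switch files (overwriting the other) when full."""
        line = (message + "\n").encode("utf-8")
        if len(line) > self.max_bytes:
            self.dropped += 1    # a message larger than a whole file can never be spooled
            return
        if os.path.getsize(self.paths[self.active]) + len(line) > self.max_bytes:
            self.active ^= 1
            self.dropped += self._line_count(self.paths[self.active])
            open(self.paths[self.active], "w").close()   # overwrite previous data
        with open(self.paths[self.active], "ab") as f:
            f.write(line)

    def disk_usage(self):
        return sum(os.path.getsize(p) for p in self.paths)

    def drain(self):
        """On reconnect: return spooled messages oldest first and delete both files."""
        messages = []
        for path in (self.paths[self.active ^ 1], self.paths[self.active]):
            with open(path, "rb") as f:
                messages.extend(raw.decode("utf-8").rstrip("\n") for raw in f)
            os.remove(path)
        return messages


def simulate(n_messages, max_bytes):
    """Spool n constructed messages 'm00', 'm01', ... (4 bytes each with newline)
    into a fresh temp directory, then drain. Returns (delivered, dropped, peak_disk)."""
    directory = tempfile.mkdtemp(prefix="cas_spool_")
    spool = FailoverSpool(directory, max_bytes)
    peak = 0
    for i in range(n_messages):
        spool.write("m%02d" % i)
        peak = max(peak, spool.disk_usage())
    delivered = spool.drain()
    os.rmdir(directory)
    return delivered, spool.dropped, peak


if __name__ == "__main__":
    print(simulate(10, 10))   # ten messages through two 10-byte files
```

With `max_bytes=10` each file holds two 4-byte messages, so ten messages arrive as only the last four, six are overwritten, and disk use never passes 20 bytes; scale the same arithmetic to the 50MB default when sizing the database server's disk for a long outage.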

You can specify one or more secondary Guardium appliances when configuring the
CAS client. In failover mode, CAS tries to reconnect only to its primary server
until the time specified by 'cas_server_failover_delay' in guard_tap.ini is exceeded.
At that time, CAS begins trying to connect to any of the secondary servers, as well
as its primary server (which is always the first server it tries to connect with
during any reconnect attempt). While it is connected to a secondary server, CAS
continues to try to reconnect to its primary server.
Changes to the CAS client configuration can only be made from the primary server
and only while the host is online. Whenever the configuration of the CAS client is
changed on the primary server and the Guardium appliance is in standalone
configuration, an export file is saved on the host. If the CAS client connects to a
secondary server, the saved export file is imported from the host to the secondary
server.
There is no need to separately maintain configurations on both primary and
secondary servers. However, if on the primary server, the parameters for an
individual monitored item have been changed from those defined in the template,
then these changes will not be transferred to the secondary server. For example,
even if the test interval on a particular file was changed from the template default
of 1hr to 10min, the test interval on the secondary server will again be 1hr.
Essentially, monitored items are regenerated from the templates of the imported
configuration. The delay before searching for secondary servers is based directly on
time rather than failover file size. The delay is set with a parameter
(cas_server_failover_delay) in guard_tap.ini and has a default of 60 minutes.
Various failover and connect parameters can be modified through S-TAP Control
Change Auditing.
As with S-TAP, CAS connectivity outages create exceptions on the Guardium
appliance, so alerts can be issued within moments of detecting the outage.

Setting Up and Maintaining Secondary Servers


In the S-TAP/CAS configuration file on the database server system, one or more
secondary Guardium servers can be defined. If the primary Guardium server
becomes unavailable, CAS on that database server system will connect to a
secondary Guardium appliance (as described above, see Start Up and Failover).

Rules of Failover
The CAS client gets its list of secondary servers from the guard_tap.ini file. A
secondary connection will be accepted by the Guardium appliance only if it
follows the rules.

Rule#  Guardium appliance  Fails over to                Valid
1      stand alone         stand alone                  Yes
2      managed             managed (same manager)       Yes
3      managed             managed (different manager)  No
4      managed             stand alone                  No
5      stand alone         managed                      No

CAS Failover Limitations


1. CAS instances will not be relocated to the failed-over Guardium appliance
when the source Guardium appliance is a managed unit and the target
Guardium appliance is either:
v a stand-alone Guardium appliance
v a managed unit which is being managed by a different manager
2. CAS import/export option will be limited to manager and stand-alone
machines only.

Exporting CAS Hosts


1. From the Administration Console tab, under Guardium Definitions, click
Export to open the Definitions Export panel.
2. Under Type, select CAS Hosts. A list of the CAS Hosts defined on this system
will be displayed.
3. Select each CAS Host to be exported.
4. Click the Export button. A file named exp_<date>_<time>.sql will be saved on
your system. This file will contain the definitions of all CAS hosts selected, and
the definitions of any template sets used by those CAS hosts.

Importing CAS Hosts


1. From the Administration Console tab, under Guardium Definitions, click
Import to open the Definitions Import panel.
2. Enter the name of the file containing the exported definitions or click the
Browse button to select that file.
3. Click the Upload button. You are notified when the operation completes and
the CAS host definitions contained in the file will be displayed.
v Click (Import this set of Definitions) to import the definitions.
v Click (Remove this set of Definitions without Importing) to remove the
uploaded file without importing the definitions.
4. Confirm the selected action (or not).
Note: An import operation does not overwrite an existing definition. If you
attempt to import a definition with the same name as an existing definition,
you are notified that the item was not replaced. If you want to overwrite an
existing definition with an imported one, you must delete the existing
definition before performing the import operation.
5. Click the Done button to close the panel when you have finished importing or
removing all uploaded files.

Maintaining Secondary Servers for a CAS Host


CAS configurations can also be maintained through the use of export and import
operations. Since the import operation will not replace an existing definition, on
each secondary server you must delete the old CAS host definition before
importing the new one, as explained below.
Be sure to perform this procedure only while the selected CAS host is connected to
its primary server.
1. On the primary server, from the Guardium administrator portal, export the
definition of the CAS host (see Exporting CAS Hosts, above).
2. On each secondary server, from the Guardium administrator portal:
v Delete the old CAS host definition that you want to replace.
v Import the definitions that were exported from the primary server (see
Importing CAS Hosts, above).

CAS Client Installation


The CAS client agent is typically installed together with the S-TAP agent. It can be
installed later under Windows from the installation DVD, or under Unix by
running the installation script, install_cas.sh, which is located in the S-TAP
installation directory, which by default is: /usr/local/guardium/guard_stap.

CAS Client Ignore Change Alerts


The CAS client agent can avoid sending change notifications to the CAS server
based on predefined settings.
The CAS client agent looks for a parameter ("ignore_change_alerts") in the CAS
client agent's cas.client.config.properties configuration file.
If the parameter is not found or not set, the CAS client will work without any
changes and the "ignore change alerts" functionality will not be enabled (for
example, the CAS client will alert on any file change).
If the new parameter is set, CAS client agent will ignore sending change
notifications based on the change-types specified in the parameter value.
The possible change-types are:
PERMISSION, SIZE, OWNER, GROUP, TIMESTAMP
To ignore multiple change-types, concatenate any of the change-types listed above
with "+" as the delimiter.
For example:
In order to avoid sending change notification on OWNER and GROUP changes, set
up the parameter as follows:
ignore_change_alerts=OWNER+GROUP
Note: On the initial installation, or when a new template is defined, the FIRST scan
of the files is performed and these files appear in the CAS changes report
regardless of the "ignore change alerts" setting.

Correcting an invalid non-IP hostname


If the CAS agent is installed with a bogus tap_ip (guard_tap.ini parameter) or
CAS_TAP_IP (GIM parameter), Windows datasources defined for that host might be
useless (if used for activity that requires accessing the remote database).
If this happens, delete the datasource and change the tap_ip parameter to the
correct database server hostname/IP.

CAS Templates
This section describes how to maintain CAS templates.

Define a Template/Template Set


v Create a New Template Set
v Modify a Template Set
v Clone a Template Set
v Delete a Template Set

Create a New Template Set


1. Open the CAS Configuration Navigator
2. Click on the New button to open the Monitored Item Template Definitions
panel.
3. From the drop down list select OS Type.
4. From the drop down list select DB Type. If the template set does not require
any specific DB type then select N_A as the DB Type.
5. Enter a unique name for the Template Set name.
Note: Template Set Names over 128 characters will be truncated
6. Click on the Apply button to save the CAS Template Set Definition.
7. To add items to the new template set, click the Add to Set button and see
Define a Template Set Item.

Finding the Guardium CAS Panel


Access to CAS Configuration Functions, by default, is restricted to the admin user
and to users who have been assigned the CAS role.
For the admin user, select the Tools> Config & Control> CAS Template Set.
For users who have been assigned the CAS role:
1. Click on the Assess/Harden tab.
You will be taken to another panel where a new lower set of tabs will be
displayed for the Assess/Harden process flow.
2. Click on the Config. Change Control tab.
A process flow for CAS will be displayed.

Opening the CAS Configuration Navigator


The CAS Configuration Navigator panel is the starting point for creating or
modifying CAS Template Sets.
To open the CAS Configuration Navigator panel:
1. Open the CAS panel.
See Finding the Guardium CAS panel for assistance.
2. Select Configure CAS templates or CAS template set config.

Modify a Template Set


Use the CAS Template Set Definition panel to modify an existing CAS template set.
Once a template set is in use on any CAS host, the modifications that you can
make to that template set are limited. You will be able to make minor changes to
various elements of the definition, but you will not be able to add or remove
templates.
1. Open the CAS Configuration Navigator
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the template set list and finding the template set you would like to modify.
3. Highlight the Template Set you wish to modify and click on the Modify button
to open the CAS Template Set Definition panel.
4. You can modify the unique name for the Template Set name.
5. To add items to the template set, see Define a CAS Template Set Item
6. Click on the Apply button to save the CAS Template Set Definition
7. Click on the Back button to return to CAS Configuration Navigator

Clone a Template Set


1. Open the CAS Configuration Navigator
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the template set list and finding the template set you would like to modify.
3. Highlight the Template Set you wish to modify and click on the Clone button
to open the CAS Template Set Definition panel.
4. Once cloned, use the CAS Configuration Navigator to find the new template
set
5. Highlight the cloned template set and see Modify an Existing Template Set

Delete a Template Set


1. Open the CAS Configuration Navigator
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the template set list and finding the template set you would like to modify.
3. Highlight the Template Set you wish to delete.
4. Click on the Delete to delete the template set

Define a Template Set Item


Once a template set is in use on any CAS host, the modifications that you can
make to that template set are limited. You will be able to make minor changes to
various elements of the definition, but you will not be able to add or remove
templates.
v Create a New Template Set Item
v Modify a Template Set Item
v Delete a Template Set Item

Create a New Template Set Item


1. Open the CAS Configuration Navigator
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the template set list and finding the template set you would like to modify.
3. Highlight the Template Set you wish to modify and click on the Modify button
or double-click to open the Monitored Item Template Definitions panel.

4. Click on the Add To Set button to create a new item


Note: If the Add to Set button is disabled, it is because the template set is in
use by a CAS instance and cannot be added to at this point.
See CAS Item Template Definition Panel for further information

Modify a Template Set Item


1. Open the CAS Configuration Navigator
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the template set list and finding the template set you would like to modify.
3. Highlight the Template Set you wish to modify and click on the Modify button
or double-click to open the Monitored Item Template Definitions panel.
4. Select the items that you wish to modify and click on the Edit Selection button
or double-click a single item to open the Monitored Item Template Definition
panel.
See CAS Item Template Definition Panel for further information
5. Click on the Apply button to save any changes

Delete a Template Set Item


1. Open the CAS Configuration Navigator
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the template set list and finding the template set you would like to modify.
3. Highlight the Template Set you wish to modify and click on the Modify button
or double-click to open the Monitored Item Template Definitions panel.
4. Select the items you wish to delete.
5. Click on the Delete Selected button to delete these template set items

CAS Item Template Definition Panel


The following table describes the components in the CAS Item Template Definition
panel and also columns that show up within the CAS Configuration Navigator.
The Template Definition Panel is displayed when a new template item is being
added through the Add To Set button or Edit Selected buttons. The items
Permission Limit, File Owner, and File Group are only effective when the template
is used as part of a Vulnerability Assessment Test. They set expected values for file
parameters during the running of the test.
OS Type
The operating system type: Windows or Unix. You can change this selection when the
template set is empty, but you cannot change it if the template set contains one or more
items.
DB Type
The database type (Oracle, MS-Sql, DB2, Sybase, Informix, etc.) or N/A for an operating
system template set. You can change this selection when the template set is empty, but you
cannot change it if the template set contains one or more items.
Description
An optional name for the item used in reports and to identify the item in other CAS panels
(the CAS Template Set Definition, for example). If omitted, the item name defaults to the
file name or pattern, variable name, or script, as appropriate for the Type.
Type
One of the following: SQL Query, OS Script, Environment Variable, Registry Variable,
Registry Variable Pattern, File, and File Pattern.
See Template and Audit Types for further information.
Note: If being used with CAS-based assessment tests this must be of type OS Script.
Content
Type-dependent text defining the specific item to monitor or how to find or generate it.
See Template and Audit Types for further information.
Note: For an OS script, CAS waits for the script to complete. To limit the time allowed for
an OS script to run and allow CAS to terminate the script, use the cas_command_wait
guard_tap.ini parameter. The default wait time is 300 seconds (5 minutes). Changing
this parameter does not require a CAS restart.
Permission Limit
For File and File Pattern Type only. Used for Unix only: the permissions that this file
should not exceed.
File Owner
For File and File Pattern Type only. The owner of the file(s).
File Group
For File and File Pattern Type only. The group owner of the file(s).
Period
The maximum interval between tests, specified as a number of minutes (m), hours (h), or
days (d). Data becomes available after the initial period is realized and up to and before the
next period begins.
Keep Data
If marked, a copy of the actual data is saved with each change. For example, for a file item,
a copy of the file is saved. If marked but the size of the raw data for the item is greater
than the Raw Data Limit configured for this CAS host, no data will be saved.
Use MD5
Indicates whether or not an additional comparison is done by calculating a checksum of
the raw data using the MD5 algorithm. Computing the MD5 checksum is time consuming
for large character objects. However, it is a better indicator of change than just the size. The
default is not to use MD5. If MD5 is used but the size of the raw data is greater than the
MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be
skipped.
Enabled
Indicates whether or not the item will be checked for changes. It is marked by default.

Template and Audit Types


Type

Description

SQL Query

The content should be a valid SQL statement. The result returned by the statement will be
compared to the result returned the last time the query was run. The query will be run
with the parameters specified in the Datasource that is being used: username, password,
DB port, and so forth. Care should be taken when filling out these parameters in the
Datasource, or the query will fail to return a result.

OS Script

The content can be a valid command line entry, or the name of a file containing an OS
executable script. The script is executed in the environment of the OS user specified in
the Database Instance Account field of the Datasource definition.

Environment Variable

The content should name an environment variable that is defined in the context of the OS
user specified in the Database Instance Account field of the Datasource definition.

Registry Variable

The content is interpreted as the path to a variable in the Windows Registry of the host.
The value found on that path is compared to the value found the last time the path was
traced.

Registry Variable Pattern

The content is a sequence of regular expressions that is used to match the components of
paths in the Windows Registry. The pattern is used to develop Registry Variable type
monitored items which will be treated as described above. The regular expressions are
joined by / so that the pattern resembles a Registry path. The more familiar \ character
cannot be used, since that is a special character in the syntax of Java regular expressions.
If a / is needed in one of the regular expressions, it must be escaped with a \ (e.g.
U\/235 would be used to match U/235). The pattern .. can be used to match zero or more
components within a path (e.g. HKLM/Software/../buzz will match HKLM\Software\buzz
or HKLM\Software\one\two\three\buzz). This type of pattern can lead to a
computationally expensive Registry search, so use it carefully. Other than these exceptions,
the regular expressions follow the syntax of Java regular expressions.

File

The content is interpreted as an absolute file path on the host. The characteristics of the
file found on the path will be compared to the characteristics found the last time the path
was traced. The path may include environment variables, which will be expanded in the
context of the OS user specified in the Datasource. The path may also begin with a
substitution variable, like $SYBASE_HOME, which will be replaced by the value entered
in the Database Instance Directory field of the Datasource definition.

File Pattern

The content is a sequence of regular expressions that is used to match the components of
file paths and to generate File type monitored items. The regular expressions are joined by
/ so that the pattern resembles an actual file path. As with Registry patterns, the \ cannot
be used for Windows files because of the regular expression syntax. If the pattern begins
with ?: on a Windows machine, the pattern match will be started on each of the drives of
a multi-drive machine. The .. construction described with Registry patterns can also be
used, with care, in a File pattern. Environment variables from the context of the OS user
can be used in a File pattern and will be expanded before the expansion of the regular
expressions.
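The pattern rules given above for Registry Variable Pattern and File Pattern, as an added example that is not Guardium's own code: it splits a pattern on unescaped / into components, treats .. as zero or more components, matches every other component as a regular expression against one path component, and expands a leading ?: to any drive letter. Python's re module stands in for the Java regular expression engine CAS uses, the drive-letter expansion is an assumption (the page only says the match starts on each drive), and the sample paths are constructed.

```python
import re
from typing import List

# Added example (not Guardium code) modelling the CAS pattern rules:
#   - components are joined by "/", and "\/" inside a component is a
#     literal slash rather than a separator
#   - ".." matches zero or more path components
#   - every other component is a regular expression matched against one
#     path component (Python `re` stands in for the Java regex engine)
#   - a leading "?:" is expanded to any drive letter (assumption)

DRIVE_COMPONENT = r"[A-Za-z]:"  # assumed stand-in for the "?:" prefix


def split_pattern(pattern: str) -> List[str]:
    """Split the pattern on unescaped '/' only, keeping '\\/' inside its component."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("\\/", i):   # escaped slash: part of the regex
            current.append("\\/")
            i += 2
        elif pattern[i] == "/":            # unescaped slash: component boundary
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(pattern[i])
            i += 1
    parts.append("".join(current))
    parts = [p for p in parts if p != ""]  # an absolute Unix pattern starts with "/"
    if parts and parts[0] == "?:":
        parts[0] = DRIVE_COMPONENT
    return parts


def split_path(path: str, separator: str) -> List[str]:
    """Split a concrete path: '\\' for Registry and Windows paths, '/' for Unix."""
    return [c for c in path.split(separator) if c != ""]


def _match(parts: List[str], components: List[str]) -> bool:
    if not parts:
        return not components
    head, rest = parts[0], parts[1:]
    if head == "..":
        # try consuming 0, 1, 2, ... components; this backtracking is what
        # the page warns can be expensive on a large Registry
        return any(_match(rest, components[k:]) for k in range(len(components) + 1))
    if not components or re.fullmatch(head, components[0]) is None:
        return False
    return _match(rest, components[1:])


def pattern_matches(pattern: str, path: str, separator: str = "\\") -> bool:
    """True when the whole path is matched, component by component."""
    return _match(split_pattern(pattern), split_path(path, separator))


def expand_pattern(pattern: str, candidate_paths: List[str],
                   separator: str = "\\") -> List[str]:
    """The monitored items a pattern template would generate from a path listing."""
    return [p for p in candidate_paths if pattern_matches(pattern, p, separator)]


if __name__ == "__main__":
    # constructed sample Registry paths, not taken from a real host
    registry_paths = [
        r"HKLM\Software\buzz",
        r"HKLM\Software\one\two\three\buzz",
        r"HKLM\Software\buzzer",
        r"HKLM\Software\U/235",
    ]
    print(expand_pattern("HKLM/Software/../buzz", registry_paths))
    print(expand_pattern("HKLM/Software/U\\/235", registry_paths))
    print(expand_pattern("/etc/.*\\.conf", ["/etc/ssh.conf", "/etc/ssh.config"], "/"))
```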

GuardAPI commands
1. To create a template set use:
grdapi create_cas_template_set --help=yes
ID=0
function parameters :
dbType - String - required
isDefault - Boolean
isEditable - Boolean
osType - String - required
templateSetLabel - String - required
2. To add monitored items to a template set (templateSetLabel) use (you can use
this command multiple times to add more monitored items to a template set):
grdapi create_cas_template --help=yes
ID=0
function parameters :
auditType - String - required
enabled - Boolean
isEditable - Boolean
period - Integer
saveData - Boolean
template - String - required
templateSetLabel - String - required
useMD5 - Boolean
3. To create a datasource use:
grdapi create_datasource --help=yes
ID=0
function parameters :
application - String - required - Constant values list
conProperty - String
customURL - String
dbInstanceAccount - String
dbInstanceDirectory - String
dbName - String
description - String
host - String - required
name - String - required
owner - String - required
password - String
port - Integer
serviceName - String
severity - String - Constant values list
shared - String - Constant values list
type - String - required - Constant values list
user - String
4. To create an instance use:
grdapi create_cas_host_instance --help=yes
ID=0
function parameters :
datasourceName - String - required
templateSetLabel - String - required
api_target_host - String
Related GuardAPI commands
clear_cas_template_set
clone_cas_template_set
create_cas_template_set
delete_cas_template_set
list_cas_template_sets
create_cas_template
delete_cas_template
list_cas_templates
update_cas_template

CAS Hosts
A CAS host configuration defines one or more CAS instances.
Once you have defined one or more CAS template sets, and have installed CAS on
a database server, you are ready to configure CAS on that host. A CAS host
configuration defines one or more CAS instances. Each CAS instance specifies a
CAS template set, and defines any parameters needed to connect to the database.
For each database server on which CAS is installed, there is a single CAS host
configuration, which typically contains multiple CAS instances - for example, one
CAS instance to monitor operating system items, and additional CAS instances to
monitor individual database instances.
- Define a CAS Instance
- Modify a CAS Instance
- Delete a CAS Instance
- Disable a CAS Instance

Define a CAS Instance

1. Open the CAS Configuration Navigator.
The Hosts box lists all database servers where CAS has been installed and that have
connected to this Guardium appliance.
2. Use the List Filtering drop-down lists for OS Type or DB Type to aid in filtering
the host list and finding the host you would like to modify.
3. Highlight the Host you wish to modify and click on the Modify button, or
double-click, to open the Host Instance Definitions panel.
4. Use the drop-down box to select a Template Set.
Note: A CAS instance cannot be defined if the host is offline or this is a
secondary Guardium appliance for the host.
5. Click on the Add Datasource button to open the Datasource Finder panel.
Note: If no compatible datasource is available for this template set on this host,
you may click on the New button to open the Datasource Definition panel and
add a datasource.
6. Select a Datasource for this Template Set.
7. Click Add to add this datasource to this template set.

Finding the Guardium CAS Panel

Access to the CAS Configuration functions is, by default, restricted to the admin
user, and available to users who have been assigned the CAS role.
As a CAS user:
1. Click on the Assess/Harden tab.
You will be taken to another panel where a new lower set of tabs will be
displayed for the Assess/Harden process flow.
2. Click on the Config. Change Control tab.
A process flow for CAS will be displayed.

Open the CAS Configuration Navigator

The CAS Configuration Navigator panel is the starting point for creating or
modifying CAS Hosts.
To open the CAS Configuration Navigator panel:
As a CAS user:
1. Open the CAS panel.
See Finding the Guardium CAS Panel for assistance.
2. Select Configure CAS hosts or CAS host config.
As an admin user:
1. Click on the Tools tab.
2. Click on the Config & Control tab.
3. Select CAS Host Config from the menu.

Modify a CAS Instance

1. Open the CAS Configuration Navigator.
The Hosts box lists all database servers where CAS has been installed and this
server has been configured as the primary host.
2. Use the List Filtering drop-down lists for OS Type or DB Type to aid in filtering
the host list and finding the host you would like to modify.
3. Highlight the Host you wish to modify and click on the Modify button, or
double-click, to open the Host Instance Definitions panel.
A list of defined CAS instances associated with the selected host will be
displayed with the following information and editing options:
Table 25. Modify a CAS Instance
Component

Description

Disable/Enable Instance Icon

Click the Disable Instance icon to disable or enable the CAS instance.

Delete Instance Icon

Click the Delete Instance icon to delete the CAS instance.

Datasource

Identifies the datasource used by the instance. Click on the Datasource to open the
Datasource Definition panel to edit the datasource definition.

Template Set

Identifies the CAS template set used by the instance. Click this link to open the
Monitored Item Template Definitions panel to view or modify the template set
definition. See Modify a Template Set for more information.

Monitored Items

A count of items currently monitored by the instance. Click this link to open the
Monitored Items Definitions panel, which displays the list of all items currently
monitored. See Viewing Monitored Items Lists.
Note: By default, at most 10,000 monitored items are viewable in reports, regardless
of the number of monitored items defined. It is suggested that multiple instances be
defined when the number of monitored items approaches this limit.

Delete a CAS Instance


1. Open the CAS Configuration Navigator
The Hosts box lists all database servers where CAS has been installed and this
server has been configured as the primary host.
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the host list and finding the host you would like to modify.
3. Highlight the Host you wish to modify and click on the Modify button to open
the Host Instance Definitions panel.
4. Click on the Delete Instance icon to delete a CAS instance. All collected change
data will be deleted as well.

Disable a CAS Instance


1. Open the CAS Configuration Navigator
The Hosts box lists all database servers where CAS has been installed and this
server has been configured as the primary host.
2. Use the List Filtering drop down lists for OS Type or DB Type to aid in filtering
the host list and finding the host you would like to modify.
3. Highlight the Host you wish to modify and click on the Modify button or
double-click to open the Host Instance Definitions panel.
4. Click on the Disable Instance icon to disable a CAS Instance. Change data will
not be collected until the instance is enabled by again clicking on the icon.

View Monitored Item Lists

On the Host Instance Definitions panel, when you click on a Monitored Items link,
the complete list of items monitored opens in the Monitored Items Definitions
panel. The following table describes the components seen on the Monitored Items
Definitions panel for this Host Configuration.
All the monitored items refer to raw data: a character object on the host, the result
of a SQL query, the output of an OS script, or the contents of a file. The size of that
character object is computed. If the item is a file, then the permissions, owner, group,
and last modified time are also checked. If any of these has changed since the last
time the item was checked, the change will be noted.
Table 26. View Monitored Item Lists
Component

Description

Select Box

Check the Select Box if you'd like to edit a monitored item individually or as a group.
Double-click on any monitored item to edit that item.

Item

The name of the monitored item, from the description in the CAS Item Template
Definition panel.

Type

One of the following: OS Script, SQL Query, File, Environment Variable, or Registry
Variable.
OS Script or SQL Script: The actual text or the path to an operating system or SQL
script, whose output will be compared with the output produced the next time it runs.
File or File Pattern: A specific file or a pattern to identify a set of files.
Environment Variable or Registry Variable: An environment variable or a (Windows)
registry variable.

Period

The average interval between tests, specified as a number of seconds (s), minutes (m),
hours (h), or days (d).

Keep Data

If marked, a copy of the actual data is saved with each change. For example, for a file
item, a copy of the file is saved. If marked but the size of the raw data for the item is
greater than the Raw Data Limit configured for this CAS host, no data will be saved.

Use MD5

Indicates whether or not the comparison is done by calculating a checksum of the raw
data using the MD5 algorithm. Computing the MD5 checksum is time consuming for
large character objects. However, it is a better indicator of change than just the size.
The default is not to use MD5. If MD5 is used but the size of the raw data is greater
than the MD5 Size Limit configured for the CAS host, the MD5 calculation and
comparison will be skipped.

GuardAPI Commands
delete_cas_host
list_cas_hosts
create_cas_host_instance
delete_cas_host_instance
list_cas_host_instances
update_cas_host_instance

CAS Reporting
This section describes CAS reporting.
The admin user has access to all query builders and default reports. The admin
role allows access to the default CAS reports, but not to the CAS query builders.
The cas role allows access to both the default CAS reports and the query builders.
- Accessing CAS Query Builders
- Accessing Default CAS Reports
- CAS Reporting Domains

Accessing CAS Query Builders

This section describes how to access the CAS Query Builders from the
administrator and user portals. For help on how to use the query builders or
report builders, see Queries or Reports in the Monitor and Audit help book.
From the administrator portal:
1. Click on the Tools tab.
2. Click on the Report Building tab.
3. Select one of the following menu items from the left-hand column menu:
- CAS Changes Tracking
- CAS Host History Tracking
- CAS Config Tracking
- CAS Templates Tracking
From the user portal:
1. Click on the Assess/Harden tab.
You will be taken to another panel where a new lower set of tabs will be
displayed for the Assess/Harden process flow.
2. Click on the Config. Change Control tab.
3. Select one of the following items in the process flow:
- Track CAS Results or CAS results tracking builder
- Track changes to CAS configuration or CAS config. tracking builder

Accessing Default CAS Reports

From the administrator portal:
1. Click on the TAP Monitor tab.
2. Click on the CAS tab.
3. Select one of the following CAS reporting domains from the left-hand column
menu:
- CAS Deployment
- Changes
- Host History
- Configuration
- Templates
From the user portal:
1. Click on the Assess/Harden tab.
You will be taken to another panel where a new lower set of tabs will be
displayed for the Assess/Harden process flow.
2. Click on the Change Reports tab.
3. Select one of the following CAS reporting domains from the left-hand column
menu:
- CAS Deployment
- Changes
- Host History
- Configuration
- Templates

CAS Reporting Domains

For each of the CAS reporting domains described in the table below, the following
sections describe the entities (template items), attributes and default reports.
Table 27. CAS Reporting Domains
Domain

Description

CAS Templates

Tracks CAS template definitions. Templates identify items to be monitored for
changes. Monitored items can be files, environment or registry variables, OS or SQL
script output sets, or the set of logged on users.

CAS Config

Tracks CAS host configurations, where a configuration is the application of one or
more template sets to a specific database server host. From configuration instances
you can see which items within template sets are enabled or disabled, or exactly
which files are selected and monitored (or not) by file name pattern templates.

CAS Host History

Tracks CAS host events (server down, client up, etc.)

CAS Changes

Tracks changes to monitored items (files, registry variables, etc.)

CAS Templates Domain

The CAS Templates domain tracks CAS templates.
CAS Templates Domain Entities
Entity

Description

Template Set

Describes a template set definition

Template

Describes a template item within a template set

Template Set Entity

A Template Set entity is created for each template set, which is a set of template
items for a particular operating system or database.
Template Set Entity Attributes
Attribute

Description

Template Set Id

A unique identifier for the template set, numbered sequentially

OS Type

Operating system: Unix or Windows

DB Type

Database Type (Oracle, MS-SQL, DB2, Sybase, Informix, etc.) or N/A for an
operating system template

Template Set Name

The template name

IsDefault

Indicates whether or not this template is the default for the specified OS Type and
DB Type combination

Editable

Indicates whether or not this template can be modified. The default Guardium
templates cannot be modified. In addition, once a template set has been used in a
CAS instance, it cannot be modified. In any case, a template set can always be cloned
and the cloned set can be modified.

Timestamp

Date and time the template was last updated

Template Entity
A template entity is created for each template item within a template set.
Template Entity Attributes
Attribute

Description

Template Id

A unique identifier for the item template within the set of all item templates

Access Name

Depending on the Audit Type, this is the OS or SQL script, environment or registry
value, or a file name or a file name pattern

Audit Type

The type of monitored item

Audit Frequency (Min)

The maximum interval (in minutes) between tests

Use MD5

Indicates whether or not the comparison is done by calculating a checksum using the
MD5 algorithm and comparing that value with the value calculated the last time the
item was checked. The default is to not use MD5. If MD5 is used but the size of the
raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5
calculation and comparison will be skipped. Regardless of whether or not MD5 is
used, both the current value of the last modified timestamp for the item and the size
of the item are compared with the values saved the last time the item was checked.

Save Data

Indicates if the Keep data checkbox has been marked. If so, previous versions of the
item can be compared with the current version.

Description

Optional description of the template

Timestamp

Date and time this template was last updated

CAS Templates Domain Default Reports

Default Report

Description

CAS Templates Report

Lists CAS templates

CAS Templates Report

This report lists CAS templates. By default, all template items are listed. You can
limit the output by using any of the following runtime parameters, all of which
select all values by default.
Runtime Parameters

Entity          Attribute            Operator   Default Value
Template        Access_Name          Like       (all values)
Template Set    Template_Set_Name    Like       (all values)
Template        Audit_Type           Like       (all values)

CAS Config Domain

The CAS Config domain tracks CAS instances and their association with the various
hosts, as well as which CAS items are enabled or disabled.
CAS Config Domain Entities
Entity

Description

Host

Identifies a CAS host (a database server) and the current status of CAS
(online/offline). This entity is also available in the CAS Host History domain

Instance Config

For each host, an Instance Config entry describes a CAS instance, which contains
database connection parameters (if needed) and identifies the template set used by
the instance. It provides current status of the instance (in use, enabled, or disabled)
and the date of the last revision

Monitored Item Details

Identifies an item (a file or an environment variable, for example) monitored by a
CAS instance. It contains the item definition and indicates whether or not the item is
enabled

Host Entity
A Host entity is created the first time that CAS is seen on a database server host. It
is updated each time that the online/offline status changes.
Host Entity Attributes
Attribute

Description

Host Name

Database server host name (may display as IP address)

OS Type

Operating system: UNIX or WIN

Is Online

Online status (Yes/No) when record was written

Instance Config Entity

An Instance Config entity is created each time that an instance configuration is
defined. This entity defines how the CAS instance connects to the database (if
necessary), and identifies the template set used by the instance. It provides current
status of the instance (in use, enabled, or disabled) and the date of the last
revision.

Instance Config Entity Attributes

Attribute

Description

DB Type

Database Type (Oracle, MS-SQL, DB2, Sybase, Informix, etc.) or N/A for an
operating system instance

Instance

The name of the instance

User

The user name that CAS uses to log onto the database; or N/A for an operating
system instance

Port

The port number CAS uses to connect to the database; or empty for an operating
system instance

DB Home Dir

The home directory for the database; or empty for an operating system instance

Template Set Id

Identifies the template set used by this instance

Monitored Item Details Entity

A Monitored Item Details entity is created for each monitored item in a CAS
instance.
Monitored Item Details Entity Attributes
Attribute

Description

Template ID

Identifies the item template for this monitored item

Monitored Item

Depending on the Audit Type, this is the OS or SQL script, environment or registry
variable, or file name. For a file pattern defined in an item template, there will be a
separate monitored item details entity for each file that matches the pattern, but
there is no monitored item details entity for the file pattern itself. If a file pattern is
used, it is always available in the Template Content attribute.

Audit Type

Type of monitored item:
OS Script or SQL Script: The actual text or the path to an operating system or SQL
script, whose output will be compared with the output produced the next time it runs
Environment Variable or Registry Variable: An environment variable or a (Windows)
registry variable
File: A specific file or a pattern to identify a set of files

Enabled

Indicates whether or not the template is enabled

In Synch

Indicates whether or not the template item definition on the server matches the
template item definition on the CAS host

Audit Frequency

The maximum interval at which the item is to be tested

Use MD5

Indicates whether or not the comparison is done by calculating a checksum using the
MD5 algorithm and comparing that value with the value calculated the last time the
item was checked. The default is to not use MD5. If MD5 is used but the size of the
raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5
calculation and comparison will be skipped. Regardless of whether or not MD5 is
used, both the current value of the last modified timestamp for the item and the size
of the item are compared with the values saved the last time the item was checked.

Save Data

When marked, previous versions of the item can be compared with the current
version

Description

Optional description of the instance

Template Content

The template entry that is the basis for this monitored item, set from the Template
entity Access Name attribute when the instance was created. Typically this will be
the same as the monitored item, but in the case where a file pattern was used in the
template, this will be the file pattern

CAS Config Domain Default Reports


Default Report

Description

CAS Instances

Lists CAS instances

CAS Instance Config

Lists CAS instance configuration changes

CAS Instances Report


This report lists CAS instance definitions (a CAS instance applies a template set to
a specific CAS host). The default sort order for this report is non-standard. The sort
keys are, from major to minor: Host Name (ascending), Instance (ascending) and
Last Status Change (descending). You can limit the output by using any of the
following runtime parameters, which select all values by default.
Runtime Parameters

Entity            Attribute    Operator   Default Value
Host              Host_Name    Like       (all values)
Host              OS_Type      Like       (all values)
Instance Config   DB_Type      Like       (all values)
Instance Config   Instance     Like       (all values)

CAS Instance Config Report


This report lists CAS instance configuration changes. The default sort order for this
report is non-standard. The sort keys are, from major to minor: Host Name
(ascending), Instance (ascending) and Last Status Change (descending). You can
limit the output by using any of the following runtime parameters, which select all
values by default.
Runtime Parameters

Entity                   Attribute     Operator   Default Value
Host                     Host_Name     Like       (all values)
Host                     OS_Type       Like       (all values)
Monitored Item Details   Template_Id   Like       (all values)

Drill-Down Reports
Report

Description

Report Details

Displays the monitored items included in the count in the monitored items column

CAS Host History Domain

The CAS Host History domain tracks CAS host events (Client up, Server down,
etc.).
CAS Host History Domain Entities
Entity

Description

Host

Identifies a CAS host (a database server) and the current status of CAS
(online/offline). This entity is also available in the CAS Config domain

Host Event

Date and time of an event in the CAS client/server relationship (Client up,
server down, etc.).

Host Entity
A single (CAS) host entity is created the first time that the named host is seen. It is
updated each time that the online/offline status changes. This entity is also
available in the CAS Config domain.
Host Entity Attributes
Attribute

Description

Host Name

Database server host name

OS Type

Operating system: Unix or Windows

Is Online

Current online status (Yes/No)

Host Event
A host event entity is created each time an event is detected or signaled (see the
event types, below).
Host Event Entity Attributes
Attribute

Description

Event Time

Date and time that the event was recorded

Event Type

Identifies the event being recorded:
Client Down: CAS stopped on the database server host
Client Up: CAS started on the database server host
Failover Off: A server is available (following a disruption), so CAS data is being
written to the server
Failover On: The server is not available, so CAS data is being written to the
failover file
Server Down: The database server stopped
Server Up: The database server started

CAS Host History Domain Default Reports

Default Report

Description

CAS Host History Report

Lists CAS events for each CAS host

CAS Host History Report

This report lists CAS host events. The default sort order for this report is
non-standard. The sort keys are, from major to minor: Host Name (ascending),
Instance and Event Time (descending). You can limit the output by using any of
the following runtime parameters, which select all values by default.
Runtime Parameters

Entity        Attribute    Operator   Default Value
Host          Host_Name    Like       (all values)
Host          OS_Type      Like       (all values)
Host Event    Event_Type   Like       (all values)

CAS Changes Domain

The CAS Changes domain records changes to monitored items.
CAS Changes Domain Entities
Entity

Description

Monitored Changes

Created each time a monitored item changes

Host Configuration

Identifies a monitored item within the CAS instance

Saved Data

Contains saved data for the change

Monitored Changes Entity

This entity is created each time a monitored item changes. It identifies the
monitored item within the CAS instance, and points to the saved data for the
change.
Monitored Changes Entity Attributes
Attribute

Description

Change Identifier

Unique identifier for the change

Sample Time

Timestamp (date and time on host) that sample was taken

Saved Data Id

Identifies the Saved Data entity for this change

Audit State Label Id

Identifies the Host Configuration entity for this change

Timestamp

Date and time this change record was created on the server (Guardium
appliance server clock)

Owner

Unix only. If the item type is a file, the file owner

Permissions

Unix only. If the item type is a file, the file permissions

Size

File size, but there are special values as follows:
-1: File exists, but has zero bytes
0: File does not exist, but this file name is being monitored (it never existed or
may have been deleted)

Last Modified

Timestamp for the last modification, taken from the file system at the sample time

Last Modified Date

Date for the last modification

Last Modified Time

Time for the last modification

Last Modified Weekday

Day of week for the last modification

Last Modified Year

Year for the last modification

Group

Unix only. If the item type is a file, the group owner
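The per-item check that the Use MD5, Keep Data and Permission Limit fields of a CAS template describe, together with the Size encoding of the Monitored Changes entity above, as an added example that is not Guardium code. It snapshots a file the way the change attributes list it (size, last modified, owner, group, permissions), computes an MD5 checksum only when Use MD5 is set and the data is within the MD5 Size Limit, keeps a copy only when Keep Data is set and the data is within the Raw Data Limit, and reports which fields differ between two snapshots. The limit values, the bit-mask reading of Permission Limit, and the demo file are all constructed assumptions.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Guardium code) modelling one CAS File item check.
# Size uses the encoding of the Size attribute: -1 = file exists but is
# empty, 0 = file does not exist. Owner, group and permissions are
# collected on Unix only, as the Owner/Group/Permissions attributes say.
MD5_SIZE_LIMIT = 1 * 1024 * 1024   # assumed host limit, not a Guardium default
RAW_DATA_LIMIT = 64 * 1024         # assumed host limit, not a Guardium default


@dataclass(frozen=True)
class Snapshot:
    size: int
    last_modified: Optional[float]
    owner: Optional[int]
    group: Optional[int]
    permissions: Optional[int]
    md5: Optional[str]           # None when Use MD5 is off or the limit skipped it
    saved_data: Optional[bytes]  # None when Keep Data is off or the limit skipped it


def encode_size(exists: bool, nbytes: int) -> int:
    """Size attribute encoding: 0 for a missing file, -1 for an existing empty file."""
    if not exists:
        return 0
    return -1 if nbytes == 0 else nbytes


def take_snapshot(path: str, use_md5: bool, keep_data: bool,
                  md5_size_limit: int = MD5_SIZE_LIMIT,
                  raw_data_limit: int = RAW_DATA_LIMIT,
                  unix: bool = True) -> Snapshot:
    """Collect what CAS compares for a File item; a missing file is still a snapshot."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return Snapshot(encode_size(False, 0), None, None, None, None, None, None)
    want_md5 = use_md5 and st.st_size <= md5_size_limit     # else MD5 is skipped
    want_copy = keep_data and st.st_size <= raw_data_limit  # else nothing is saved
    raw = b""
    if want_md5 or want_copy:
        with open(path, "rb") as fh:
            raw = fh.read()
    return Snapshot(
        size=encode_size(True, st.st_size),
        last_modified=st.st_mtime,
        owner=st.st_uid if unix else None,
        group=st.st_gid if unix else None,
        permissions=stat.S_IMODE(st.st_mode) if unix else None,
        md5=hashlib.md5(raw).hexdigest() if want_md5 else None,
        saved_data=raw if want_copy else None,
    )


def detect_change(previous: Snapshot, current: Snapshot) -> List[str]:
    """Names of the compared fields that differ; an empty list means no change noted."""
    changed = [f for f in ("size", "last_modified", "owner", "group", "permissions")
               if getattr(previous, f) != getattr(current, f)]
    # the checksum only counts when both sides computed it (the limit can skip it)
    if previous.md5 is not None and current.md5 is not None and previous.md5 != current.md5:
        changed.append("md5")
    return changed


def exceeds_permission_limit(permissions: int, limit: int) -> bool:
    """Permission Limit read as a mask (assumption): any bit beyond the limit exceeds it."""
    return bool(permissions & ~limit)


if __name__ == "__main__":
    # constructed demo: write a file, snapshot it, rewrite it with the same
    # size, and compare; MD5 catches the edit even though the size is unchanged
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "listener.ora")
        with open(target, "wb") as fh:
            fh.write(b"PORT=1521\n")
        before = take_snapshot(target, use_md5=True, keep_data=True)
        with open(target, "wb") as fh:
            fh.write(b"PORT=1522\n")
        after = take_snapshot(target, use_md5=True, keep_data=True)
        print("changed fields:", detect_change(before, after))
        print("exceeds 0o644:", exceeds_permission_limit(after.permissions, 0o644))
```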

Host Configuration Entity

A Host Configuration entity is created for each item in a CAS instance.
Host Configuration Entity Attributes
Attribute

Description

Audit State Label Id

Unique numeric identifier for the configuration item

Host Name

Database server host name or IP address

OS Type

Operating system: Unix or Windows.

DB Type

Database Type (Oracle, MS-SQL, DB2, Sybase, Informix, etc.) or N/A if the change is
to an operating system instance

Instance Name

Name of the template set instance

Type

Type of monitored item that changed.
OS Script or SQL Script: A change triggered by the OS script contained in the
monitored item template definition.
Environment Variable: An environment variable (Unix only)
Registry Variable: A registry variable (Windows only)
File: A specific file. There is no host configuration entity for a file pattern defined in
the template set used by the instance. Instead, there is a separate host configuration
entity for each file that matches the pattern.

Monitored Item

The name of the changed item, from the Description (if entered), otherwise a default
name depending on the Type (a file name, for example).

Saved Data Entity

A Saved Data entity is created each time a change is detected for an item being
monitored, if the Keep data box is marked for that item in the item template
definition.
Saved Data Entity Attributes
Attribute

Description

Saved Data Id

Unique numeric identifier for the saved data item

Saved Data

The actual data saved

Timestamp

Timestamp for when the saved data entity was recorded in the server database

Change Identifier

Identifies the monitored changes entity for this saved data entity

CAS Changes Domain Default Reports

Default Report

Description

CAS Change Details

For each monitored item, lists changes by owner

CAS Saved Data

For monitored items with the optional Keep data box checked, lists the data for each
change detected

CAS Change Details

For each monitored item, the changes are listed in order by owner. You can limit
the output by using the following runtime parameters, which select all values by
default.
Runtime Parameters

Entity               Attribute        Operator   Default Value
Host Configuration   DB_Type          Like       (all values)
Host Configuration   Host_Name        Like       (all values)
Host Configuration   Instance_Name    Like       (all values)
Host Configuration   Monitored_Item   Like       (all values)
Host Configuration   OS_Type          Like       (all values)
Host Configuration   Type             Like       (all values)

Drill-Down Reports
Report

Description

Record Details

Displays the saved data included in the Count of Saved Data column

CAS Saved Data

For monitored items with the optional Keep data box checked, this report lists the
data saved for each change detected. This report is sorted by host name, and then
by the most recent modification time. You can limit the output by using the
following runtime parameters, each of which by default selects all values.
Runtime Parameters

Entity               Attribute        Operator   Default Value
Host Configuration   Host_Name        Like       (all values)
Host Configuration   Monitored_Item   Like       (all values)
Monitored Changes    Saved_Data_Id    Like       (all values)

Drill-Down Reports
Report

Description

View Difference

Displays the difference between the selected data and prior version

CAS Status
By default, the functions described in this topic are available to the admin user,
and to users with the admin role. Open the Administrator portal and locate the
Local Taps section of the Administration Console. If there is no Local Taps section,
the unit type setting for this Guardium appliance needs to be changed. See the
description of the store unit type CLI command in Configuration and Control CLI
Commands in the Appendices help book for instructions on how to enable the
Local Taps menu.
To monitor CAS status, select CAS Status in the Local Taps section of the
Administration Console to open the Configuration Auditing System Status panel.
For each database server where CAS is installed and running, and where this
Guardium appliance is configured as the active Guardium host, this panel displays
the CAS status, and the status of each CAS instance configured for that database
server.
Regarding the sets of status lights on the Configuration Auditing System Status
panel: when you hover the mouse over a set of status lights, a pop-up text box
displays the current status. If you have trouble distinguishing the colors on your
monitor, note that for all status light sets the left-most light is always red, the
right-most light is green, and on sets of three lights the middle light is yellow.
Configuration Auditing System Status Panel

Red/Green light (top row only): Displays the CAS status on the Guardium
appliance.
Red: CAS is not running on this Guardium appliance.
Green: CAS is active on this Guardium appliance.

Red/Green light (per CAS host): For each CAS host where this Guardium appliance
is the active Guardium host, the status lights indicate whether CAS is connected:
Red: Host and/or the CAS agent is offline or unreachable.
Green: Host and CAS agent are online.
Yellow: The Guardium appliance is a secondary for the CAS host.

Reset (circle arrow): Resets the CAS agent on this monitored system. This stops and
restarts the CAS agent on the database server.
Note: This will also reset checkpoint files, allowing for a fresh start and
rescanning of files from scratch.

Delete (X): Removes this monitored system from CAS and also deletes the data on
the appliance that was associated with the CAS client. This button is disabled if
the CAS agent is running on this system. You must stop the CAS agent to use this
button. See Stopping and Starting the CAS Agent, below.

Red/Yellow/Green light: Each set of lights indicates the status of a CAS instance on
the monitored system. If the owning monitored system status is red (indicating
that the CAS agent is offline), ignore this set of status lights.
Red: The instance is disabled.
Green: The instance is enabled and online, and its configuration is synchronized
with the Guardium appliance configuration.
Yellow: The instance is enabled, but the instance configuration on the Guardium
appliance does not match the instance configuration on the monitored system (it
has been updated on the Guardium appliance, but that update has not been
applied on the monitored system).

Refresh: Click the Refresh button to re-check the status of all servers in the list.
This button does not stop or restart CAS on a database server; it only checks the
connection between CAS on the Guardium appliance and CAS on each database
server.

Note: The TAP_IP entry in the guard_tap.ini file is required. If TAP_IP is missing,
CAS will not start and an error message will be logged in the log file on the CAS
client.

Stopping and Starting the CAS Agent

There are several situations where you may need to stop or start the CAS agent on
a monitored system. Follow the procedures outlined below.
Note: If all you want to do is stop and restart the CAS agent, you can do that
from the Administrator Console of the Guardium appliance, using the Reset button
(see above).

Stopping CAS on a Unix Host
1. Edit the file /etc/inittab.
2. Find the CAS respawn line:
cas:2345:respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh /usr/local/guardium/guard_stap/cas/bin
3. Comment out the line by inserting the # (pound sign) character in the first
character position.
4. Save the file.
5. Enter the following command:
init -q
6. Enter the following command:
ps -er | grep cas
7. Note the PID of each of the processes listed.
8. For each of the processes listed, issue the following command:
kill -9 <pid>
9. In the Configuration Auditing System Status panel of the Guardium
administrator portal, the status light for this CAS host should be red, and the
Remove button should be enabled (which allows you to remove data from this
CAS host from the Guardium appliance internal database).

Starting CAS on a Unix Host
Use this procedure to restart the CAS agent only when it has been stopped by
editing the /etc/inittab file as described above.
1. Edit the file /etc/inittab.
2. Find the line:
#cas:2345:respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh /usr/local/guardium/guard_stap/cas/bin
3. Uncomment the line from step 2 by removing the # (pound sign) character in
the first character position. Depending on the operating system, the comment
character may be something else.
4. Save the file.
5. Enter the following command to restart the CAS agent:
init -q
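The inittab edit in steps 1 to 4 of both procedures above, as an added example that is not part of the help book or of Guardium's own tooling: a small Python helper that comments out (stop) or uncomments (start) the entry whose id field is "cas", leaves every other entry untouched, and is idempotent. The sample inittab contents are constructed; running "init -q" afterwards (step 5) is left to the caller, and the `reload_init` flag only does that when explicitly asked.

```python
"""Toggle the CAS respawn entry in an inittab file (added example, not Guardium code)."""
import re
import subprocess
from pathlib import Path
from typing import Optional, Tuple

# inittab entries have the form  id:runlevels:action:process
# This matches the entry whose id field is "cas", commented out or not.
_CAS_ENTRY = re.compile(r"^(?P<comment>#?)cas:(?P<rest>.*)$")


def set_cas_entry(inittab_text: str, enabled: bool) -> Tuple[str, int]:
    """Return (new_text, number_of_entries_changed).

    enabled=False comments out the CAS line (stop procedure, step 3);
    enabled=True removes the leading '#' (start procedure, step 3).
    Lines already in the requested state are left alone, so repeated
    runs are harmless; entries with any other id are never touched.
    """
    out, changed = [], 0
    for line in inittab_text.splitlines(keepends=True):
        m = _CAS_ENTRY.match(line.rstrip("\n"))
        if m is None:
            out.append(line)
            continue
        is_commented = m.group("comment") == "#"
        if enabled and is_commented:
            line = line[1:]          # drop the leading "#"
            changed += 1
        elif not enabled and not is_commented:
            line = "#" + line        # comment the entry out
            changed += 1
        out.append(line)
    return "".join(out), changed


def cas_entry_state(inittab_text: str) -> Optional[bool]:
    """True if the CAS entry is active, False if commented out, None if absent."""
    for line in inittab_text.splitlines():
        m = _CAS_ENTRY.match(line)
        if m:
            return m.group("comment") != "#"
    return None


def update_inittab(path: Path, enabled: bool, reload_init: bool = False) -> int:
    """Rewrite the file in place; optionally make init re-read it (step 5)."""
    new_text, changed = set_cas_entry(path.read_text(), enabled)
    if changed:
        path.write_text(new_text)
        if reload_init:
            subprocess.run(["init", "-q"], check=True)
    return changed


# Constructed sample inittab (not taken from a real host) for a stand-alone run.
SAMPLE_INITTAB = (
    "id:2:initdefault:\n"
    "si::sysinit:/etc/init.d/rcS\n"
    "cas:2345:respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh "
    "/usr/local/guardium/guard_stap/cas/bin\n"
)

if __name__ == "__main__":
    stopped, n = set_cas_entry(SAMPLE_INITTAB, enabled=False)
    print(f"{n} entry commented out:\n{stopped}")
    started, n = set_cas_entry(stopped, enabled=True)
    print(f"{n} entry restored; identical to original: {started == SAMPLE_INITTAB}")
```

Use `cas_entry_state` before and after the change to confirm what the file actually says, rather than trusting the status light alone; steps 6 to 8 (finding and killing the running processes) are still a manual follow-up.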

Starting and Stopping CAS on a Windows Host


On Windows CAS runs as a System Service.
1. In the Services panel, highlight the Configuration Auditing System Client item.
2. Select either Start or Stop from the Action menu.


Comply Help Book


This help book describes how to build and use audit processes.
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.


Compliance Workflow Automation

Streamline the compliance workflow process by consolidating, in one spot, the
following database activity monitoring tasks: asset discovery; vulnerability
assessment and hardening; database activity monitoring and audit reporting; report
distribution; sign-off by key stakeholders; and escalations.
Automate and integrate the following audit activities into a compliance workflow:
- The ability to group multiple audit tasks (reports, vulnerability assessments, etc.)
into one process.
- Schedule these processes to run on a regular basis.
- Run these tasks in the background.
- Write the task results to a comma-separated value (CSV) file or ArcSight
Common Event Format (CEF) file and/or forward the results to other systems
using Syslog.
- Add comments and notations.
- Assign the process to its originator for viewing (he/she will get a new item in
their To-Do list once the result is ready).
- Assign the process to other users, to a group of users, or to a role.
- Require that these assignees sign off on the result.
- Allow escalation of the result (assign to someone outside of the original audit
trail).
Transform the management of database security from time-consuming manual
activities performed periodically to a continuous, automated process that supports
company privacy and governance requirements, such as PCI-DSS, SOX, Data
Privacy and HIPAA.
Export audit results to external repositories (Syslog, CSV/CEF files, external feed)
for additional forensic analysis.
The Audit Process Log report shows a detailed activity log for all tasks, including
start and end times. This report is available for admin users via the Guardium
Monitor tab. Audit tasks show start and end times; however, for Security
Assessments and Classifications (which go to a queue) the start and end times are
the same.
The results of each workflow process, including the review, sign-off trails, and
comments, can be archived and later restored and reviewed through the
Investigation Center. See Investigation Center on page 531 in the Aggregation
and Central Management Help Book for more information.
A compliance workflow automation process answers the following questions:
- What type of report, assessment, audit trail, or classification is needed?
- Who should receive this information and how are sign-offs handled?
- What is the schedule for delivery?
Further elements of the compliance workflow automation process include:
- A process definition
- A distribution plan, which:
  - Defines receivers, who can be individual users, user groups, or roles. (See
  Process Receivers, below.)
  - Defines the review/sign responsibility for each receiver.
  - Defines the distribution sequence by setting the Continuous flag.
- A set of tasks (see Process Task Types, below)
- A schedule. The audit process can be run immediately, or a schedule can be
defined to run the process on a regular basis.

Process Task Types

A workflow process may contain any number of audit tasks:
- Reports, custom or pre-defined. Guardium provides hundreds of predefined
reports, with more than 100 regulation-specific reports.
- Security assessment report. The security database assessment scans the database
infrastructure for vulnerabilities, and provides an evaluation of database and
data security health, with both real-time and historical measurements. It
compares the current environment against preconfigured vulnerability tests based
on known flaws and vulnerabilities, grouped using common database security best
practices (like STIG and CIG1), as well as incorporating custom tests. The
application generates a Security Health Report Card, with weighted metrics
(based on best practices) and recommends action plans to help strengthen
database security.
- An entity audit trail. A detailed report of activity relating to a specific entity is
produced (for example, a client IP address or a group of addresses).
- A privacy set. A report detailing access to a group of object-field pairs (a Social
Security number and a date of birth, for example) is produced for a specified
time period.
- A classification process. The existing database metadata and data is scanned,
reporting on information that may be sensitive, such as Social Security numbers
or credit card numbers.
- An external feed. Data can be exported to an external specialized application for
further forensic analysis.
Note: The Optional External Data Feed is an optional component enabled by
product key. If this feature has not been enabled, this choice will not appear in
Audit Task selection and the Feed Type list will be empty.
- Also see Monitored Table Access on page 283, which uses a predefined
External Feed map, for how to use the "Table Last Referenced" functionality in
conjunction with Optim Designer.

Workflow Processes, Central Management and Aggregation

On a Central Manager, reports can reference data from remote datasources
(managed units). Audit processes that use these reports will be accessible from the
Central Manager only, and will not be visible from managed units. For more
information, see Central Management on page 511.
Workflow Automation (audit processing) for the Aggregator server now includes
the capability to create ad-hoc databases for each Aggregator task and specify only
the relevant days for that task.
Note: The ad-hoc databases for the Aggregation server may be kept in the system
for up to 14 days (depending on the value of the CLI command
drop_ad_hoc_audit_db) for post-run analysis by Guardium support services if
required. See Aggregator CLI Commands on page 761 in the Appendices help
book.
When defining reports in Audit Process, the number of days of the report (defined
by the "FROM-TO" fields) should not exceed a certain threshold (one month by
default). If this threshold is exceeded, a run-time error will result when trying to
run the audit task on the Aggregator.
It is permissible to create an audit task with a FROM-TO range that is wider than
the max_audit_reporting value (set in CLI) because audit processes defined on
the Aggregator may be executed on managed collectors (when this aggregator is a
manager). Audit tasks run on a collector unit do not have a max_audit_reporting
limitation.
So, it is valid to save tasks beyond the allowed range, but you will get a Run Time
Exception when the task is executed on the Aggregator.
The Audit Report threshold can be configured using the CLI commands show
max_audit_reporting and store max_audit_reporting. See Configuration and Control
CLI Commands on page 781. There is no warning message when a report is
created with an invalid FROM-TO range. Instead, a fixed message appears at the
top of the Task Parameters panel in the Audit Process setup menu screen
(Tools/Audit Process Builder; open Audit Tasks to display Task Parameters).
The fixed message is: On aggregators, only reports not exceeding the allowed
time range (CLI: max_audit_reporting) will be executed.
Note: When running a patch install, all audit processes are stopped.

Stop an audit process

Stopping an audit process can be performed only if the audit tasks have not been
run or are running. Stopping an audit process will not execute any more tasks that
have not started. Stopping an audit process does not deliver partial results. The
audit process stops and a stopped error message is the result. However, if tasks are
complete, stopping an audit process will not stop the sending of results.
Stop an audit process by invoking GuardAPI (place the cursor on any line
and double-click for a drill-down) from the Audit Process Log Report (on the
Guardium Monitor tab).
For any user, stopping an audit process will display only the line belonging to that
user (just the tasks, not all the details). An admin user can see all the details and
can stop anyone's audit processes. A user can only stop their own audit processes.
Note:
Queries using a remote source cannot be stopped. Online reports using a remote
source cannot be stopped.
Stopping an audit process does not apply to Privacy Set audit tasks or External
Feed audit tasks. If the Privacy Set or External Feed tasks have started, they will
finish even if the process is stopped.


Results Distribution
Audit process receivers will be notified via e-mail and/or their To-Do list of
pending audit process results. You can designate any receiver as a signer for a
process, in which case the results can optionally be held at that point on the
distribution list, until that receiver electronically signs the results or releases them.
Receivers can be individual users, user groups, or roles.

Process Receivers
You can define any number of receivers for a workflow automation process, and
you control the order in which they receive results. In addition, receivers can notify
additional receivers, using the Escalate function. It is also possible to run an audit
process with no defined receivers. For example, an audit process with no receivers
that writes to syslog and has no need to review (or sign) the results.

Who can be a receiver?


On the Process Definition panel, the drop-down list of receivers includes all
Guardium users, user groups, and roles (groups and roles are labeled as such).
When a group or role is selected, all users belonging to the group or having that
role will receive the results.
If a group receiver is selected, and any workflow automation task uses the special
run-time parameter ./LoggedUser in a query condition, the query will be executed
separately for each user in the group, and each user will receive only their results.
For example, assume that your company has three DBAs, and each DBA is in
charge of a different set of servers. Using the Custom Data Upload facility, upload
the areas of responsibilities of each DBA (with server IPs) to the Guardium
appliance, and correlate that to the database activity domain, and then use a report
in this custom domain as an audit task. If a user group that contains the three
DBAs is designated as the receiver, each DBA will receive the report relevant for
his or her collection of servers only.
If a group receiver is selected, and sign-off is required, each group member must
sign the results separately (as explained above, each member of the group may be
looking at a different set of results).
A receiver can be solely an email address and results will be sent to that email
address. When entering an email address, the user will be required to enter a user
that will be used to filter the data. The user must be the same user that is logged
in or a user under the user that is logged in the data hierarchy.
If a role receiver is selected, only one user with that role will need to sign the
results, and other users with that role will be notified when the results have been
signed.
Note:
When a workflow event is created, every status used by that event can be assigned
a role (meaning that events can only be seen by this role when in this status).
When an event is assigned to an audit process, it is important that every role that
is assigned to a status of this event have a receiver on this audit process.
Otherwise, it is possible that an audit result row can be put into a status where
none of its receivers are able to see this row or change its status.
If the above were to occur, the admin user (who is able to see all events, regardless
of their roles) would be able to see the row and change its status. However, if
data level security is on, the admin user may not be able to see this row. The
admin user would need to either turn data level security off (from Global Profile)
or have the dataset_exempt role. It is important to configure the audit process so
that all roles who must act on an event associated with this audit process are
receivers of this audit process.

E-mail Notification
Optionally, receivers can be notified of new process results via e-mail, and there
are two options for distributing results via e-mail:
- Link Only - The e-mail notification will contain a hypertext link to the results
stored on the Guardium appliance. For the link to work, you must access your
mail from a system that has access to the Guardium appliance. See the following
section for more information about e-mail links.
- Full Results - A PDF file or generated CSV file containing the results will be
attached to the email, except for an Escalation that specifies a receiver not
included in the original distribution list, in which case no PDF or CSV file will
be attached. When the Full Results option is selected, care must be taken, since
sensitive and private data may be included in the PDF or CSV file. When
running an audit process, if there is a receiver with Full Results with CSV
checked, CSV files are not generated for tasks of type Assessment, Classifier
or External Feed. These task types also cannot generate CSV/CEF/PDF files for
export. CSV files are generated only for tasks of type Report, Privacy Set or Entity
Audit Trail, and only if there is a receiver with Full Results via CSV checked.
Note: When viewing audit results, if a generated PDF already exists, a "Recreate
PDF" button will appear for the user to recreate and download the regenerated
PDF.

Hypertext Links to Process Results

In e-mail messages, there are conditions where links to process results on the
Guardium appliance will not work. For example:
- If you are accessing e-mail from a location where you cannot normally access
the Guardium appliance, the links will not work. For example, when out of the
office, you may have access to your e-mail over the Internet, but not to your
company's private network or LAN, where the appliance is installed.
- If you have not accessed your e-mail for a longer period of time than the report
results are kept, those results will not be available when you click the link. For
example, if the results are kept for seven days but you have been on vacation for
two weeks, your e-mail may contain links to results older than seven days, and
those links will not work.

About Frozen Receivers Lists

Once a process has been run, the existing receiver list is frozen, which means:
- You cannot delete receivers from the list.
- You cannot move existing receivers up or down in the list.
- You can add receivers to the end of the list at any time, and reposition the new
receivers at that time.
- If the Guardium user account for a receiver on the list is deleted, the admin user
account (which is never deleted) is substituted for that receiver. Thus the admin
user receives any e-mail notifications that would have been sent to a deleted
receiver, and the admin user must act upon any results released to that receiver.
- If you need to create a totally different set of receivers for an existing process,
deactivate the original process, make a clone of it, and then make the
modifications to the receivers list in the cloned version before saving it.

How Results are Released to Receivers

Results are released to the Guardium users listed on the receivers list, proceeding
from top to bottom, subject to the Continuous checkbox, as follows:
- If the Continuous checkbox is marked, distribution continues to the next receiver
on the list without interruption.
- If the Continuous checkbox is cleared, distribution to the next receiver is held
until the current receiver performs the required action (review or sign).
For example, assume you want to define a workflow process as follows:
- DBAs - All DBAs should receive their results at the same time, with each DBA
receiving a different result set based on the server IPs associated with him/her.
- Only when ALL DBAs have signed should the DBA Manager see the results.
- Only when the DBA Manager releases the report should the Auditors see the
results.
- All Auditors should receive the reports at the same time, but only one of them
(any of them) needs to sign each result. The others will be updated when a
result has been signed.
- An auditor can escalate a result to the Audit Manager.
To define this flow:
- The DBAs group would be named as the first receiver, with sign-off required
before continuing.
- The DBA Manager would be next on the list, with sign-off required before
continuing.
- The Auditors role (not group) would be next on the list. Any Auditor could sign
and the others will be notified. Also, any auditor can escalate a results set to the
Audit Manager.
Note: Process results that are exported to CSV or CEF files are sent to another
network location by the Guardium archiving and exporting mechanism. These
results are not subject to the receivers list or to any signing actions. They are
subject to the Guardium CSV/CEF export schedule (if any is defined), and they
are subject to the access permissions that have been granted for the directory in
which they are ultimately stored.
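The release rules described above, as an added example that is not part of the help book or of Guardium's code: a small Python model of a receivers list that walks through the DBAs / DBA Manager / Auditors flow. It encodes the rules the text states (release proceeds top to bottom; a receiver with Continuous cleared holds the chain until its action is done; a signing group needs every member's signature; a role needs only one signer; any receiver can escalate to someone outside the list). The receiver names, user names and the assumption that a "review" action, like a role sign-off, needs only one member's action are mine, not Guardium's.

```python
"""Model how audit results move down a receivers list (added example, not Guardium code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Receiver:
    name: str
    kind: str                  # "user", "group" or "role"
    members: Tuple[str, ...]   # users in the group / users holding the role
    action: str = "sign"       # required action: "sign" or "review"
    continuous: bool = False   # the Continuous checkbox


class ResultDistribution:
    def __init__(self, receivers: List[Receiver]):
        self.receivers = receivers
        self.acted: Dict[str, Set[str]] = {r.name: set() for r in receivers}
        self.released: List[str] = []   # receivers who currently hold the results
        self.escalations: List[Tuple[str, str, str]] = []
        self._pos = -1                  # index of the last released receiver
        self._advance()

    def _receiver(self, name: str) -> Receiver:
        for r in self.receivers:
            if r.name == name:
                return r
        raise KeyError(name)

    def _satisfied(self, r: Receiver) -> bool:
        """Has the receiver done the action that lets distribution continue?"""
        if r.kind == "group" and r.action == "sign":
            return set(r.members) <= self.acted[r.name]   # every member must sign
        # user, role sign-off, or (assumption) a review: one actor is enough
        return bool(self.acted[r.name])

    def _advance(self) -> None:
        """Release to following receivers until a non-continuous one holds them."""
        while self._pos + 1 < len(self.receivers):
            if self._pos >= 0:
                current = self.receivers[self._pos]
                if not current.continuous and not self._satisfied(current):
                    return
            self._pos += 1
            self.released.append(self.receivers[self._pos].name)

    def act(self, receiver_name: str, user: str) -> List[str]:
        """Record a sign/review by `user` for `receiver_name`; return who now holds results."""
        r = self._receiver(receiver_name)
        if receiver_name not in self.released:
            raise PermissionError(f"{receiver_name} has not received the results yet")
        if user not in r.members:
            raise PermissionError(f"{user} is not a member of {receiver_name}")
        self.acted[receiver_name].add(user)
        self._advance()
        return list(self.released)

    def escalate(self, receiver_name: str, user: str, target: str) -> None:
        """Notify an extra receiver outside the list; no sign-off is tracked for it."""
        if user not in self._receiver(receiver_name).members:
            raise PermissionError(f"{user} is not a member of {receiver_name}")
        self.escalations.append((receiver_name, user, target))

    @property
    def complete(self) -> bool:
        return self._pos == len(self.receivers) - 1 and self._satisfied(self.receivers[-1])


def run_example() -> List[List[str]]:
    """The DBAs -> DBA Manager -> Auditors flow; returns who holds results after each step."""
    dist = ResultDistribution([
        Receiver("DBAs", "group", ("dba1", "dba2", "dba3")),   # all must sign
        Receiver("DBA Manager", "user", ("mgr",)),             # must sign
        Receiver("Auditors", "role", ("aud1", "aud2")),        # any one signs
    ])
    snapshots = [list(dist.released)]
    snapshots.append(dist.act("DBAs", "dba1"))
    snapshots.append(dist.act("DBAs", "dba2"))
    snapshots.append(dist.act("DBAs", "dba3"))       # last signature releases the manager
    snapshots.append(dist.act("DBA Manager", "mgr"))
    dist.escalate("Auditors", "aud1", "Audit Manager")
    snapshots.append(dist.act("Auditors", "aud2"))   # one auditor signs for the role
    snapshots.append(["complete"] if dist.complete else ["pending"])
    return snapshots


if __name__ == "__main__":
    for step in run_example():
        print(step)
```

The model makes the failure mode in the note above visible: a result row can only ever be acted on by a member of a receiver that has actually been released, so a status whose role is not on the receivers list would sit with nobody able to act on it.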

Exporting Audit Task Output to CSV, CEF or PDF Files

Reports containing information that can be used by other applications, or reports
containing large amounts of data, can be exported to other file formats. Report,
Entity Audit Trail, and Privacy Set task output can be exported to CSV (Comma
Separated Value) files, and output for database activity reports can be exported to
an ArcSight Common Event Format (CEF) file. See CEF Mapping on page 1163
for information about how Guardium data is mapped to the CEF format.
In addition, CEF and CSV file output can be written to syslog. If the remote syslog
capability is used, this will result in the immediate forwarding of the output
CEF/CSV file to the remote syslog locations. The remote syslog function provides
the ability to direct messages from each facility and severity combination to a
specific remote system. See the remotelog (syslog) CLI command description in the
Configuration and Control CLI Commands on page 781 of the Appendices help
book for more information.
Each record in the CSV or CEF file represents a row on the report.
The exported file is created in addition to the standard task output; it does not
replace it. These files are useful when you need to:
- Integrate with an existing SIEM (Security Incident and Event Manager) in your
infrastructure (QRadar, ArcSight, Network Intelligence, LogLogic, TSIEM, etc.).
- Review and analyze very large compliance task result sets. (Task result sets
that are intended for Web presentation are limited to 5,000 rows of output,
whereas there is no limit to the number of rows that will be written to an
exported CSV or CEF file.)
Exported CSV and CEF files are stored on the Guardium appliance, and are named
in the format:
process_task_YYYY_MMM_DD-HHMMSS.<csv | cef>

where process is a label you define on the audit process definition, task is a
second-level label that you can define for each task within the process, and
YYYY_MMM_DD-HHMMSS is a date-time stamp created when the task runs.
You cannot access the exported CSV or CEF files directly on the Guardium
appliance. Your Guardium administrator must use the CSV/CEF Export function
to move these files from the Guardium appliance to another location on the
network. To access those files, check with your Guardium administrator to
determine the location to which they have been copied.
The fact that exported files are sent outside of the Guardium appliance has two
important implications:
- The release of these files is not connected to the results distribution plan defined
for the audit process. These files are exported on a schedule defined by the
Guardium administrator.
- Once the CSV/CEF Export function runs, all exported files will be available to
anybody (Guardium user or not) who can access the destination directory
defined for the CSV/CEF Export operation. For this reason, your Guardium
administrator may want to schedule additional jobs (outside of the Guardium
system) to copy sets of exported files from the Guardium CSV/CEF Export
destination directory to directories with appropriate access permissions.
CSV/CEF Export activity is available in the Aggregation/Archive Activity report.
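The file-name format above, as an added example that is not part of the help book or of Guardium's code: a Python parser for the names found in the CSV/CEF Export destination directory, so that a follow-up job (the kind the second implication above suggests) can pick out one process's files for a given run-time window and flag anything in the directory that does not match the pattern. It assumes MMM is the English three-letter month abbreviation, that a ".gz" suffix is present when Compress is checked (see the Compress discussion later in this topic), and that the first underscore separates the process label from the task label (labels that themselves contain underscores would make that split ambiguous). The sample file names are constructed.

```python
"""Parse exported audit-task file names (added example, not Guardium code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# process_task_YYYY_MMM_DD-HHMMSS.<csv|cef>, with an optional .gz when compressed
_NAME_RE = re.compile(
    r"^(?P<labels>.+)_(?P<stamp>\d{4}_[A-Za-z]{3}_\d{2}-\d{6})"
    r"\.(?P<fmt>csv|cef)(?P<gz>\.gz)?$"
)


@dataclass(frozen=True)
class ExportFile:
    name: str
    process: str
    task: str
    run_time: datetime
    fmt: str           # "csv" or "cef"
    compressed: bool   # True when the file is gzipped


def parse_export_name(name: str) -> Optional[ExportFile]:
    """Return the parsed fields, or None if the name does not follow the pattern."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    # Assumption: the first underscore separates the process label from the task label.
    process, _, task = m.group("labels").partition("_")
    try:
        run_time = datetime.strptime(m.group("stamp"), "%Y_%b_%d-%H%M%S")
    except ValueError:      # e.g. an impossible month abbreviation or day
        return None
    return ExportFile(name, process, task, run_time, m.group("fmt"), m.group("gz") is not None)


def select_exports(names: Iterable[str], process: Optional[str] = None,
                   since: Optional[datetime] = None,
                   until: Optional[datetime] = None) -> List[ExportFile]:
    """Filter a directory listing by process label and run-time window, oldest first."""
    found = []
    for n in names:
        f = parse_export_name(n)
        if f is None:
            continue
        if process is not None and f.process != process:
            continue
        if since is not None and f.run_time < since:
            continue
        if until is not None and f.run_time > until:
            continue
        found.append(f)
    return sorted(found, key=lambda f: f.run_time)


def unparsed(names: Iterable[str]) -> List[str]:
    """Names in the export directory that do not match the pattern and deserve a look."""
    return [n for n in names if parse_export_name(n) is None]


# Constructed directory listing (not real export output).
SAMPLE_LISTING = [
    "pci_failedlogins_2013_Mar_05-142233.csv",
    "pci_failedlogins_2013_Mar_06-142401.csv.gz",
    "pci_dbactivity_2013_Mar_06-142402.cef",
    "sox_ddlchanges_2013_Feb_28-010000.csv",
    "notes.txt",
]

if __name__ == "__main__":
    for f in select_exports(SAMPLE_LISTING, process="pci"):
        print(f.run_time.isoformat(), f.task, f.fmt, "gzipped" if f.compressed else "plain")
    print("unparsed:", unparsed(SAMPLE_LISTING))
```

Because the export directory is readable by anyone who can reach it, a copy job built on this parser should move files by exact parsed name rather than by a wildcard, so that an unexpected file in the directory is reported by `unparsed` instead of being silently carried along.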
Note: If observed data level security has been enabled (see Global Profile on
page 611 settings), then audit process output (including files) will be filtered so
users will see only the information of their assigned databases. Files sent to an
email receiver as an attachment will be filtered. However, files downloaded locally
on the machine and then moved elsewhere using the Results Export function from
Administration Console are not subject to data level security filtering. See
CSV/CEF Export later in this topic for further information on CSV/CEF Export.
See Data Security - User Hierarchy and Database Associations on page 735 for
further information on data level security.
The following table summarizes what happens when exporting an Audit Process
file to CSV/CEF/PDF.
Table 28. Exporting Audit Task Output to CSV, CEF or PDF Files
(Each entry gives the Function, its Level, and the behavior for CSV, CEF and PDF.)

Attach to email (Level: Receiver)
  CSV: Full Details radio --> PDF checkbox
  CEF: N/A
  PDF: Full Details radio --> PDF checkbox. The radio buttons are only for receiver PDF.

Export file (Level: Task)
  CSV: Export CSV file checkbox
  CEF: Export CSV file checkbox
  PDF: Export CSV file checkbox

Report empty and Approve if Empty = yes (Level: Receiver)
  CSV: Export not affected (empty files will be exported). Attachment: no email attachment.
  CEF: Export not affected (empty files will be exported). Attachment: no email attachment.
  PDF: Export not affected (empty files will be exported). Attachment: no email attachment.

Zip attachment (Level: Audit Process)
  CSV: If no file generated, nothing to zip. Merge all CSVs into one ZIP file.
  CEF: N/A
  PDF: If no file generated, nothing to zip. PDF is not zipped.

Compress (export) (Level: Task)
  CSV: Compressed, separate file for each CSV file
  CEF: Compressed, separate file for each CSV file
  PDF: PDF is not compressed

How Zip for Email and Compress work for Audit Task Output
Zip for Email is the highest level of control for Audit Task Export. Zip for Email
produces a set of CSV or CEF files. PDF is never zipped and never compressed.
Compress works on individual files and is below Zip for Email in the control of
Audit Task Export.
Note: For CSV attachments, when Zip for Email is unchecked, Compress can still
be applied, and Compress can be set per task. Thus one audit task may send a .csv
file while another may send a .csv.gz file, in the same email.
The interaction of Zip for Email and Compress is as follows:
- With Zip for Email checked (regardless of whether Compress is also checked),
the attachment is one zip file of CSV files.
- With Zip for Email not checked, and Compress checked, the attachment is a set
of csv.gz files.
- With Zip for Email not checked, and Compress not checked, the attachment is a
set of csv files.
- With Compress checked, Download All will be csv.gz.
- With Compress unchecked, Download All will be csv.
- With Compress checked or unchecked, Download displayed will still be csv.
- With Compress checked, export of CSV/CEF files will be gzipped.
- With Compress unchecked, export of CSV/CEF files will not be gzipped.

Export to SCAP or AXIS

In the Audit Process Definition, in the Add New Task section, when choosing a
Task Type of Security Assessment, the following choices appear: Export AXIS
xml and Export SCAP xml. Choose one of these selections in order to save the
Audit Process results and to transfer the XML file to the destination set up for
Results Export (Admin console > Data Management > Results export). Further
choices are for configuring the PDF format: Report, Difference, or Report and
Difference.
SCAP is Security Content Automation Protocol. AXIS is Apache EXtensible
Interaction System and is used by QRadar.

Creating or Changing Reports

Use Report Builder to create or customize reports. Applying color to highlight
rows is also done through Report Builder. For the admin user, go to Tools > Report
Building > Report Builder. For non-admin users, click on the Comply tab, and then
select Report Builder. See Reports on page 103 for complete information on
creating and changing reports.

Create an Audit Workflow Process


1. Do one of the following to open Audit Process Finder:
v Users with the admin role: Select Tools > Config & Control > Audit Process
Builder.
v All Others: Select Comply > Audit Process builder.
2. Click the New button to open the Audit Process Definition panel The Audit
Process Definition panel is divided into three sections: General, Receivers and
Tasks.
3. Go to the Tasks section first. You must define at least one audit task before
you can save the process. Work your way through each task in setting choices.
Perform the appropriate procedure for each audit task you want to include in
the audit process. The task choices detailed in this section are:
v Define a Report Task
v Define a Security Assessment Task
v Define an Entity Audit Trail Task
v Define a Privacy Set Task
v Define a Classification Process Task
v Define an External Feed Task
4. Go to the Receivers section. Open the drop-down box and add the receivers
for the process. See Add Receivers below. Checkoffs are needed to determine
action required, additions to To-do list, notification via email notifications and
continuous distribution. Again see Add Receivers below for complete
information in setting these choices.
5. Go to the General section. Enter a name in the Description box. Do not
include apostrophe characters.
6. Check the Active box to associate a schedule with this process.

Compliance Workflow Automation

263

7. Mark the Archive Results box if you want to store the results offline after the
retention period (described below) has expired. When results have been
archived, you can restore them to the appliance for viewing again, later.
8. In the Keep for a minimum of (n) days or (n) runs boxes, specify how long to
keep the results, as either a number of days (0 by default) or a number of
runs (5 by default). After that, the results will be archived (if the above box is
marked) and purged from the appliance.
9. If one or more tasks create CSV or CEF files, you can optionally enter a label
to be included in all file names, in the CSV/CEF File Label box. These files
can also be compressed, or Zipped, by clicking on the Zip for mail box to add
a checkmark.
Note: There is a limit on export of CSV/CEF file sizes greater than 10240 MB
(10.240 GB). It is a recommended best practice to check the box "Zip for mail".
10. The Email Subject field in the Audit Process definition is used in the emails
for all receivers for that audit process. The subject may contain one (or more)
of the following variables that will be replaced at run time for the subject:
v %%ProcessName will be replaced with the audit process description
v %%ExecutionStart will be replaced with the start date and time of the first
task.
v %%ExecutionEnd will be replaced with the end date and time of the last
task.
When a subject is entered, it is checked for variables (tokens starting with %%)
and all such variables must be valid.
11. Optionally assign security roles. See Assign Security Roles in Security Roles
on page 75.
12. Optionally add comments. See Add or View Comments in Comments on
page 29.
13. Click the appropriate buttons to Schedule or Run an Audit Workflow Process.
14. Click Save. Do not leave this menu screen to perform another configuration
before saving your work. Work in progress is not saved and is not held in a
half-created state if you leave this section to create something else needed
for the audit task.
For example, to define an assessment task in Audit Process Builder, it is first
necessary to go to Security Assessment Builder to create assessment tests and
then to Datasource Definitions to identify the database(s) to be assessed. Either
save your work on the Audit Workflow before going to those other tasks, or
perform those other tasks first and then create the Audit Workflow Process.
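The Email Subject variable check and substitution described in step 10, as an added example (not Guardium code): the variable names and the validation rule come from the help book, while the timestamp format, the function names and the sample task times are assumptions.

```python
"""Validate and render the Email Subject of an audit process using the %%
variables the help book lists. Added example, not Guardium code."""
import re
from datetime import datetime

SUBJECT_VARIABLES = ("ProcessName", "ExecutionStart", "ExecutionEnd")
# A %% prefix followed by an identifier (possibly empty, which is then invalid).
_VAR_RE = re.compile(r"%%(\w*)")
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed display format for the timestamps


def validate_subject(subject):
    """Return the %%-prefixed tokens that are not valid variables.

    An empty list means the subject passes the check the help book describes:
    every token starting with %% names one of SUBJECT_VARIABLES.
    """
    return [f"%%{name}" for name in _VAR_RE.findall(subject)
            if name not in SUBJECT_VARIABLES]


def render_subject(subject, process_description, task_runs):
    """Substitute the variables for one execution of the audit process.

    task_runs is a list of (start, end) datetimes, one per task in execution
    order; %%ExecutionStart is the first task's start and %%ExecutionEnd the
    last task's end, as the help book defines them.
    """
    invalid = validate_subject(subject)
    if invalid:
        raise ValueError("invalid subject variable(s): " + ", ".join(invalid))
    if not task_runs:
        raise ValueError("an audit process must have at least one task")
    values = {
        "ProcessName": process_description,
        "ExecutionStart": task_runs[0][0].strftime(TIME_FMT),
        "ExecutionEnd": task_runs[-1][1].strftime(TIME_FMT),
    }
    return _VAR_RE.sub(lambda m: values[m.group(1)], subject)


# Constructed sample: two tasks that ran back to back.
SAMPLE_RUNS = [
    (datetime(2013, 5, 1, 2, 0, 0), datetime(2013, 5, 1, 2, 10, 0)),
    (datetime(2013, 5, 1, 2, 10, 0), datetime(2013, 5, 1, 2, 45, 30)),
]

if __name__ == "__main__":
    print(render_subject(
        "Weekly review: %%ProcessName [%%ExecutionStart to %%ExecutionEnd]",
        "PCI weekly access review", SAMPLE_RUNS))
```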

Add Receivers
1. In the Receiver column, select a receiver from the drop-down list of Guardium
individual users, groups, or roles. If you select a group or a role, all members
of the group or users with that role will receive the results; and if signing is
required, only one member or user will need to sign the results.
2. In the Action Required column, select one option:
v Review (the default) - Indicates that this receiver does not need to sign the
results (see below).
v Review and Sign - Indicates that this receiver must sign the results
(electronically, by clicking the Sign Results button when viewing the results
online).


3. In the To-Do List column, either mark or clear the Add checkbox to indicate
whether this receiver should be notified of pending results in their Audit
Process To-Do List.

Note: To send files to an external server without sending e-mail and without
adding results to the To-do list, define an audit process without receivers:
clear the To-do list checkbox in the Add Receiver section and do not add any
receiver in the Receivers section.
4. In the E-mail Notification column, select one option:
v No - E-mail will not be sent to the receiver.
v Link Only - E-mail will contain a hypertext link to the results (on the
Guardium appliance).
v Results - E-mail will contain a copy of the results in PDF or CSV format. Be
aware that the results from Classification or Assessment tasks may return
sensitive information.
5. The checkbox in the Continuous column controls whether distribution of
results continues to the next receiver (the default), or stops until this receiver
has taken the appropriate action (Review or Review and Sign). If the
Continuous box is cleared, and this receiver is a group or a role, the results
are released to the next receiver on the list as soon as any user who is a
member of that group or role performs the selected action.
6. Click the Add button to add the receiver to the end of the list, and repeat these
steps for each receiver. (One receiver is required.)
7. Receivers who are not Guardium users are also permitted. Choose Email and
then enter an email address, and the results will be sent to that email address.
When entering a non-user email address, you must also supply a user name that
will be used to filter the data. This user must be the same user that is logged
in, or a user under the logged-in user in the user hierarchy. This user is saved
in a new column in the Receivers section of the screen.
8. Approve if Empty - When this checkbox is checked and all the reports of the
task are empty, the process does the following: automatically signs the result
(and/or marks it as viewed); automatically clicks "continue" (if relevant); does
NOT send the notification email; does NOT add the task to the To-Do list of
that user; does NOT generate any PDF/CSV/CEF files. With this checkbox, empty
audit results are signed automatically and still look like any other complete
(viewed/signed) audit result in the audit result logs. This action applies to
empty reports and to empty security assessment results. See the table
summarizing what happens when Approve If Empty = YES in the section Exporting
Audit Task Output to CSV, CEF or PDF Files above.

Export a CSV or CEF File


Report, Entity Audit Trail, and Privacy Set audit task output can be exported to
CSV files, and Report audit task output can be exported to a CEF file. From the
Report, Entity Audit Trail or Privacy Set section under Audit Tasks, work through
the following:
1. Select title.
2. Enter an optional label for the file in the CSV/CEF File Label box. The default
is from the Description for the task. This label will be one component of the
generated file name (another will be the label defined for the workflow
automation process).
3. Mark either Export CSV file or Export CEF file.

Note: CEF file output is appropriate for data access domain reports only
(Access, Exceptions, or Policy Violations, for example). Other domains, such as the
Guardium self-monitoring domains (Aggregation/Archive, Audit Process,
Guardium Logins, etc.), do not map to CEF extensions. See CEF Mapping on
page 1163 for a description of which Guardium attributes map to which CEF
fields.
4. If Export CEF file was selected, optionally mark the Write CEF to Syslog box to
write the CEF records to syslog. If the remote syslog facility is enabled, the CEF
file records will thus be written to the remote syslog.
5. If the Compress box is checked, then the CSV/CEF files to be exported will be
compressed.
6. If the Export PDF file box is checked, then a PDF file (with similar name as
CSV Export file) for this Audit Task is created and exported together with the
CSV/CEF files.
Note: The Export PDF file will not be compressed, even if the Compress box in
the previous step is checked.

Define a Report Task


If you have not yet started to define compliance workflow automation process, see
Workflow Builder on page 281 to Create a Workflow Process before performing
this procedure. If the report to be used has not yet been defined, do that first - see
Audit and Report Overview in Reports on page 103.
1. If the Add New Task pane is not open, click Add Audit Task.
2. Click the Report radio button.
3. There are a number of choices for CSV/CEF File Label, Export CSV/CEF, Export
PDF, Write to Syslog, and Compress. See Export a CSV or CEF File above.
4. The PDF Options choices are: Report (the current results), Diff (difference
between one earlier report and a new report) and Reports and Diff (both).
Note: The selection of PDF Options applies to both PDF attachments and PDF
export files. The Diff result applies only AFTER the first time this task is
run. There is no Diff with a previous result if there is no previous result. The
maximum number of rows that can be compared at one time is 5000. If the
number of result rows exceeds the maximum, the message "(compare first 5000
rows only)" will show up in the diff result.
5. Enter all parameter values in the Task Parameters pane. The parameters will
vary depending on the report selected.
6. Click Apply.
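The Diff behaviour described in step 4 (no Diff on the first run, comparison capped at 5000 rows), as an added example that is not Guardium code: the row layout and sample rows are constructed, the function names are assumptions, and the cap and its message are taken from the help book.

```python
"""Result-to-result Diff for a Report audit task. Added example, not
Guardium code; row layout and sample data are constructed."""

MAX_DIFF_ROWS = 5000
TRUNCATION_MESSAGE = "(compare first 5000 rows only)"

# Constructed sample rows of an access-domain report:
# (client_ip, db_user, verb, object)
PREVIOUS_RUN = [
    ("10.10.9.56", "APPUSER", "SELECT", "CUSTOMERS"),
    ("10.10.9.56", "APPUSER", "UPDATE", "ORDERS"),
    ("10.10.9.71", "DBA1", "SELECT", "EMPLOYEES"),
]
CURRENT_RUN = [
    ("10.10.9.56", "APPUSER", "SELECT", "CUSTOMERS"),
    ("10.10.9.71", "DBA1", "SELECT", "EMPLOYEES"),
    ("10.10.9.80", "DBA1", "SELECT", "CREDIT_CARDS"),  # new this run
]


def diff_results(previous, current, max_rows=MAX_DIFF_ROWS):
    """Compare two result sets of the same report.

    Returns a dict with:
      available - False on the first run (no previous result), so no Diff
      added     - rows present now but absent from the previous result
      removed   - rows present previously but missing now
      message   - the truncation message when either set exceeds max_rows
    Only the first max_rows rows of each set take part in the comparison.
    """
    if previous is None:
        return {"available": False, "added": [], "removed": [], "message": ""}
    truncated = len(previous) > max_rows or len(current) > max_rows
    prev_rows, cur_rows = previous[:max_rows], current[:max_rows]
    prev_set, cur_set = set(prev_rows), set(cur_rows)
    return {
        "available": True,
        "added": [row for row in cur_rows if row not in prev_set],
        "removed": [row for row in prev_rows if row not in cur_set],
        "message": TRUNCATION_MESSAGE if truncated else "",
    }


def pdf_sections(option, previous, current):
    """Sections a PDF gets for the Report, Diff and Reports and Diff options."""
    sections = {}
    if option in ("Report", "Reports and Diff", "Report and Diff"):
        sections["report"] = list(current)
    if option in ("Diff", "Reports and Diff", "Report and Diff"):
        sections["diff"] = diff_results(previous, current)
    if not sections:
        raise ValueError(f"unknown PDF option: {option!r}")
    return sections


if __name__ == "__main__":
    result = diff_results(PREVIOUS_RUN, CURRENT_RUN)
    print("added:", result["added"])
    print("removed:", result["removed"])
```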

API for automatic execution


By default, the Guardium application comes with setup data that links many of the
API functions to reports, providing users, through the GUI, with "prepared" calls
to APIs from reporting data. Use API Assignment in Reports to link additional API
functions to predefined Guardium reports or custom reports. See GuardAPI Input
Generation on page 925 in the Appendices help book for further information on
using linked API functions. The menu choice API for automatic execution will
appear in the Add Audit Task: Report pane when a predefined Guardium report
or custom report is selected that has fields linked to API parameters. Examples
of predefined reports where the API for automatic execution menu choice will
appear are Access Policy Violations, Databases Discovered, and Guardium Group
Details.


Workflow Builder
The formal sequence of event types created in Workflow Builder is managed by
clicking the Event and Additional Column button at the bottom of the Audit
Tasks window. This button does not appear until the audit task has been created
and saved.
Configure these workflow activities when Adding An Audit Task:
1. Create and save an Audit Task. After saving, an additional button will appear,
Events and Additional Columns.
2. Click this additional button.
3. At the next screen, place a checkmark in the box for Event & Sign-off. The
workflow created in Workflow Builder will appear as a choice in Event &
Sign-off.
4. Highlight this choice. Apply (save) your selection.
5. If additional information (such as company codes, business unit labels, etc.) is
needed as part of the workflow report, add this information in the Additional
Column section of the screen and then click Apply (save). In order to select the
predefined or created groups column, change the Type column to Group. When
done, close this window.
6. Apply (save) your Audit Task. Apply (save) the entire Audit Process Definition.
This Event and Additional Column button appears in all audit tasks. By placing
the cursor over this button, an information balloon will appear telling the user if
the audit task has an Event or a Sign-off column linked to the specific audit task.
See Workflow Builder on page 281 for further information on creating a
customized workflow.
Note:
If data level security at the observed data level has been enabled (see Global
Profile on page 611 settings), then audit process output will be filtered so users
will see only the information of their databases.
Under the Report choices within Add an Audit Task are two procedural reports,
Outstanding Events and Event Status Transition. Add these two reports to two
new audit tasks to show details of all workflow events and transitions. These two
reports will not be filtered (observed data level security filtering will not be
applied). These two reports are available by default in the list of reports only to
admin user and users with the admin role.
The Additional Columns button is disabled for Classification tasks.
Clone an Audit Task - If you are cloning a process, and you made changes to a
cloned task before the cloned process is saved, the workflow associated with the
original task will not be cloned.
Deletion of an event status is permitted only if the status is not the first status of
any event type, and if it is not used by any action. The validation will provide a
list of events/actions that prevent the status from being deleted.
The owner/creator of a workflow event can always see all statuses of this event,
regardless of what roles have been assigned to these statuses.


Define a Security Assessment Task


If you have not yet started to define a compliance workflow automation process,
see Workflow Builder on page 281 to Create a Workflow Process before
performing this procedure. If the assessment to be used has not yet been defined,
do that first - see Creating and Running an Assessment on page 195.
1. If the Add New Task pane is not open, click Add Audit Task.
2. Click the Security Assessment button.
3. Select a security assessment from the Security Assessment list.
4. The PDF Content choices are Report (the current results), Diff (difference
between one earlier report and a new report) and Reports and Diff (both).
5. Click Apply.
Note:
If data level security at the observed data level has been enabled (see Global
Profile on page 611 settings), then audit process output will be filtered so users
will see only the information of their databases.
If a security assessment is empty (for example, a security assessment with an
empty set of roles), it will not appear in the drop-down list in Audit Builder.

Define an Entity Audit Trail Task


If you have not yet started to define a compliance workflow automation process,
see Workflow Builder on page 281 to Create a Workflow Process before
performing this procedure.
1. If the Add New Task pane is not open, click Add Audit Task.
2. Click the Entity Audit Trail button.
3. Select the type of entity to be audited. Depending on the type selected, you will
be required to supply the following information:
v Object: Enter an object name.
v Object Group: Select an object group from the list. See Groups on page 43.
v Client IP: Enter a client IP address.
v Client Group IP: Select a client IP group. See Groups on page 43.
v Server IP: Enter a server IP address.
v Application User Name: Enter an application user name.
4. There are a number of choices for CSV/CEF File Labels, Write CEF to Syslog,
Compress and Export PDF. See Export a CSV or CEF File above.
5. In the Task Parameters pane, supply run-time parameter values (only the From
and To periods are required).
6. Click Apply.
Note: If data level security at the observed data level has been enabled (see
Global Profile on page 611 settings), then audit process output will be filtered so
users will see only the information of their databases.

Define a Privacy Set Task


If you have not yet started to define a compliance workflow automation process,
see Workflow Builder on page 281 to Create a Workflow Process before
performing this procedure. If the privacy set to be used has not yet been defined,
do that first - see Privacy Sets on page 129.
1. If the Add New Task pane is not open, click Add Audit Task.
2. Click the Privacy Set button.
3. Select a privacy set from the Privacy Set list.
4. Select either Report by Access Details or Report by Application User to indicate
how you want the results sorted and displayed.
5. There are a number of choices for CSV/CEF File Labels, Write CEF to Syslog,
Compress and Export PDF. See Export a CSV or CEF File above.
6. Enter starting and ending dates for the report in the Period Start and Period
End boxes.
7. Click Apply.
Note: If data level security at the observed data level has been enabled (see
Global Profile on page 611 settings), then audit process output will be filtered so
users will see only the information of their databases.

Define a Classification Process Task


If you have not yet started to define a compliance workflow automation process,
see Workflow Builder on page 281 to Create a Workflow Process before
performing this procedure. If the classification process to be used has not yet been
defined, do that first - see Classification Process on page 175. Create a
Classification Policy, then a Classification Process before following the steps of this
task.
1. If the Add New Task pane is not open, click Add Audit Task.
2. Click the Classification Process button.
Note: You will be alerted that classification processes may return sensitive data,
and those results will be appended to PDF or CSV files.
3. Select a classification process from the Classification Process list. Click Apply.
Note: If data level security at the observed data level has been enabled (see
Global Profile on page 611 settings), then audit process output will be filtered so
users will see only the information of their databases.

Define an External Feed Task


This type of workflow automation task feeds data collected by Guardium to an
external application, mapping the data to a format recognized by that application.
This task type is an extra-cost feature, enabled by a patch.
Note: If this feature is used in a Central Manager environment, the External Feed
Patch must be installed on the Central Manager, and on all managed units on
which the task will run.
For more information about how the data is mapped from Guardium to the
external application, refer to the documentation for the option that was purchased.
If you have not yet started to define a compliance workflow automation process,
see Workflow Builder on page 281 to Create a Workflow Process before
performing this procedure.
1. If the Add New Task pane is not open, click Add Audit Task.

2. Click External Feed.


3. Select a feed type from the Feed Type list.
4. The controls that appear next depend on the feed type selected. See Optional
External Feed on page 279 for additional information on specific External
Feed Types.
5. Select an event type from the Event Type list.
6. Select a report from the Report list. Depending on the report selected, a
variable number of parameters will appear in the Task Parameters pane.
7. In the Extract Lag box, enter the number of hours by which the feed is to lag,
or mark the Continuous box to include data right up to the time that the audit
task runs.
8. In the Datasources pane, identify one or more datasources for the external
feed. For instructions on how to define or select datasources, see
Datasources on page 31 in the Common Tools book.
9. Enter all parameter values in the Task Parameters pane. The parameters will
vary depending on the report selected.
10. Click Apply.

View or Sign Results


1. Open the Compliance Workflow Automation results. (See Open Workflow
Process Results on page 277.)
2. If signing is required, click the Sign Results button.
3. Optional. To forward these results to another user, click Escalate, and see
Forward Results to Additional Receivers (in Escalation section below).
4. Click the Close this window link (bottom, left).
Note: If there are outstanding events, then the results cannot be signed either
from the audit viewer or from the To-do list. If there are outstanding events and an
attempt is made to sign the results, the following message appears:
Audit process cannot be signed - has pending events.
Please update all outstanding events prior to signing this result.

Note: When viewing audit process results, if a result has events associated with it,
the Sign Results button is not available on this result until all events are in a Final
state or cannot be seen by this user (due to data-level security).
Note: This report also contains a date, or Last Action Time, in a column
between Receiver and Status. It shows not only that the result was signed by user
AAA, but also when user AAA signed it.

Release Results without Signing or Viewing


1. Open your To-Do List panel. (See Open the To-Do List on page 273.)
2. Click the Continue button for the results you want to release to the next
receiver on the distribution list.
3. Click the Close this window link (bottom, left).

View Results Distribution


1. Open the compliance workflow automation results. (See Open Workflow
Process Results on page 277.)
2. Expand the Distribution Status panel by clicking the (Show Details) button.
3. Click the Close this window link (bottom, left).


View Receiver Comments Added to Results


1. Open the compliance workflow automation results. (See Open Workflow
Process Results on page 277.)
2. Expand the Comments panel by clicking the Show Details button.
Note: These are the comments that were attached to the results when the
report page was retrieved from the Guardium appliance. If you add comments
of your own, or if other receivers are adding comments simultaneously, you
will not see those comments until you refresh your page (using your browser
Refresh function).
3. Click the Close this window link (bottom, left).

Escalate Process Results


A receiver of process results can forward the results notification for review and/or
sign-off to additional receivers. If you escalate the results to a receiver outside of
the original audit and sign-off trail, and the results include a CSV file, that file will
not be included with the notification.
Regardless of who is a receiver of an audit result, an escalation can involve any
user on the system, provided the Escalate result to all users box is checked in the
Admin Console > Global Profile menu. A check mark in this box escalates audit
process results to all users, even if data level security at the observed data level is
enabled. The default setting is enabled. If the check box is disabled (no check mark
in the check box), then audit process escalation will only be allowed to users at a
higher level in the user hierarchy. If the check box is disabled, and there is no user
hierarchy, then no escalation is permitted.
Also, depending on event permissions, if for example, the infosec user can only see
events in status1 and dba user can only see events in status2, the dba user will
receive a different result than the result the infosec user saw when the infosec user
clicked Escalate. It is possible that infosec will escalate to dba, and dba will
receive an audit result with 0 rows in it.
1. If the compliance workflow automation results you want to forward are not
open, open them now. (See Open Workflow Process Results on page 277.)
2. Click the Escalate button.
3. Select the receiver from the Receiver list.
4. In the Action Required column, select Review (the default) or Review and Sign.
5. Click the Escalation button to complete the operation.
Note:
Audit process results cannot be escalated to a group of users, only to users or
roles.
When escalating to a user who already has the result in the user's to-do list, a
popup message will appear, asking if an additional email should be sent. If yes, an
additional email will be sent to the user, but the to-do list will not be incremented.

Schedule or Run a Compliance Workflow Automation Process


1. Do one of the following to open Audit Process Finder:
v Users with the admin role: Select Tools > Config & Control > Audit Process
Builder.

v All Others: Select Comply > Audit Process builder.


2. Select the process from the Process Selection List.
3. Click Modify to open the Audit Process Definition panel.
4. To run the process once, click Run Once Now, or to define a schedule for the
process, click Modify Schedule. See Scheduling on page 73 for instructions on
using the general purpose scheduling module.
Note: After a schedule has been defined for a process, the process runs
according to that schedule only when it is marked active. To activate or
deactivate an audit process, see the next section.

Activate or Deactivate a Compliance Workflow Automation Process


After a schedule has been defined for an audit process, it runs according to that
schedule, only when it is marked active.
To activate or deactivate an audit process:
1. Do one of the following to open Audit Process Finder:
v Users with the admin role: Select Tools > Config & Control > Audit Process
Builder.
v All Others: Select Comply > Audit Process builder.
2. Select the audit process from the Process Selection List.
3. Click Modify.
4. In the Audit Process Definition panel, mark the Active box to start running the
process according to the schedule; or clear the Active box to stop running the
process (ignoring any schedule defined).
Note: If you are activating the process but there is no schedule, click Modify
Schedule to define a schedule for running the process.
5. Click Save.


Open the To-Do List


This section describes the steps required to open the To-Do List.
To open the To-Do List, do one of the following:
v If you have workflow process results pending action, click the link in the upper
left portion of your portal window: You have 1 item on your To-Do list
v In an e-mail notification, you will receive a message like the following: A process
result for your review/signature has been added to your To-Do List: The report
is available online.
Click the To-Do List link to open your To-Do List. Alternatively, click the report
link to open the results. In either case, you must be accessing your e-mail from a
location where the Guardium appliance can be accessed. If you are not currently
logged in, you will be prompted to log into the Guardium appliance.
v On the user portal, select Comply > To-do list (near the bottom left corner of the
Auditing Application panel).
v On the administrator portal, select Tools > Config & Control > Audit Process
To-do List from the menu.
The Audit Process To-Do List panel opens with your To-Do List. As an
administrator, you can open another user's To-Do List by selecting that user from
the View To-Do-List of drop-down list (available from menu choices in Guardium
Monitor tab). Any actions you perform on that user's To-Do list will be logged as
actions performed by your user ID (not the user's ID).


Audit Process To-Do List


This section describes the steps required to open the Audit Process To-Do List.
1. Go to Tools/ Configuration and Control and select Audit Process To-Do List.
2. Select the user whose To-Do list you want to open, either by opening up the
drop-down menu or clicking on the Search Users button. You will be informed
if the list is empty.
3. As an administrator, you can perform any actions on any to-do list entry. Any
actions you perform will be logged, indicating that the action was performed
on behalf of the user by the administrator.
4. The choices available per to-do list entry are View, Download as PDF and Sign
viewed results.
The PDF Content choices are: Report (the current results), Diff (difference
between one earlier report and a new report) and Reports and Diff (both).
Note: The selection of PDF Content applies to both PDF attachments and PDF
export files. The Diff result only applies only AFTER the first time this task is
run. There is no Diff with a previous result if there is no previous result. The
maximum number of rows that can be compared at one time is 5000. If the
number of result rows exceeds the maximum, the message "(compare first 5000
rows only)" will show up in the diff result.
5. Click on the icon of arrows circling to "Refresh the set."
Note: To send files to an external server without sending e-mail and without
adding results to the To-do list, define an audit process without receivers:
clear the To-do list checkbox in the Add Receiver section and do not add any
receiver in the Receivers section.

To-Do Lists and Data Level Security


The To-Do list has a pull-down menu to see the to-do lists of other users. Unlike
the pull-down menu of users with role admin, the pull-down menu for the rest of
the users will include ONLY users under the current user in the Data Level
Security (DLS) hierarchy. If the user has the exempt role, then all the users are
shown in the pull-down menu. Users with role admin can see all users in the
pull-down menu.
When a user accesses another user's results, the data presented in the report is
filtered according to the Data Level Security and the role of the user selected (for
example, in the case of a custom workflow, the data is filtered according to the role
of the user selected and the status defined for that role).
If a user with role admin accesses a result of a user who is under the admin in
the hierarchy, the behavior is as explained in the previous paragraph. If an
administrator accesses a result of a user who is NOT under the administrator in
the hierarchy, the result is shown using the Data Level Security of the
administrator and for all roles.
When a result is added to a user's to-do list because of a change in the status of
an event, and the result was not in the to-do list previously, an email is sent to
the user. The email will not contain a PDF, just a notification and link.


If a user goes to some other user's to-do list, a message will indicate which user is
determining the DLS filtering.
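The three hierarchy rules this help book states, the filtering user required for a non-user e-mail receiver (Add Receivers), who a result may be escalated to (Escalate Process Results) and which users appear in the To-Do list pull-down (this section), as one added example that is not Guardium code: the parent-map data model, the role names as strings, the sample users and all function names are assumptions.

```python
"""User-hierarchy checks for receivers, escalation and the To-Do list
pull-down. Added example, not Guardium code; data model is assumed."""

ADMIN_ROLE = "admin"
EXEMPT_ROLE = "exempt"


class UserHierarchy:
    def __init__(self, roles, parent):
        """roles: {user: set of role names}; parent: {user: the user above it}.
        Users absent from 'parent' are at the top of the hierarchy."""
        self.roles = roles
        self.parent = parent
        unknown = (set(parent) | set(parent.values())) - set(roles)
        if unknown:
            raise ValueError(f"hierarchy references unknown users: {sorted(unknown)}")

    def ancestors(self, user):
        """Users above 'user', nearest first. Stops if a cycle is found."""
        chain, current = [], self.parent.get(user)
        while current is not None and current not in chain:
            chain.append(current)
            current = self.parent.get(current)
        return chain

    def is_under(self, user, other):
        """True when 'user' is (transitively) below 'other' in the hierarchy."""
        return other in self.ancestors(user)

    def has_hierarchy(self):
        return bool(self.parent)

    def filter_user_allowed(self, logged_in, filter_user):
        """Add Receivers: a non-user e-mail address needs a filtering user that
        is the logged-in user or a user under the logged-in user."""
        return filter_user == logged_in or self.is_under(filter_user, logged_in)

    def can_escalate_to(self, sender, target, escalate_to_all_users=True):
        """Escalate Process Results: with the Global Profile box checked, any
        other user; otherwise only users higher in the hierarchy, and nobody
        when no hierarchy is defined."""
        if target not in self.roles or target == sender:
            return False
        if escalate_to_all_users:
            return True
        if not self.has_hierarchy():
            return False
        return self.is_under(sender, target)

    def todo_list_users(self, viewer):
        """View To-Do-List of pull-down: admin and exempt users see everyone;
        other users see only the users under them."""
        if self.roles[viewer] & {ADMIN_ROLE, EXEMPT_ROLE}:
            return sorted(self.roles)
        return sorted(u for u in self.roles if self.is_under(u, viewer))


# Constructed sample: ciso -> infosec -> dba, plus an admin and an exempt auditor.
SAMPLE = UserHierarchy(
    roles={
        "admin1": {ADMIN_ROLE},
        "auditor": {EXEMPT_ROLE},
        "ciso": {"user"},
        "infosec": {"user"},
        "dba": {"user"},
    },
    parent={"infosec": "ciso", "dba": "infosec"},
)

if __name__ == "__main__":
    print("ciso's To-Do pull-down:", SAMPLE.todo_list_users("ciso"))
    print("dba may escalate to ciso (box cleared):",
          SAMPLE.can_escalate_to("dba", "ciso", escalate_to_all_users=False))
```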


Open Workflow Process Results


Use View to see the Workflow Process Results
Do one of the following:
v Open your Workflow Automation To-Do List panel (see Open the To-Do
List) and click View for the results set you want to view or sign.
v If you have received an e-mail notification containing hypertext links to your
To-Do List or the results, click one of those links to open your To-Do List or the
results directly from the e-mail. You must have access to the Guardium
appliance at the location from which you are accessing your e-mail (or these
links will not work). If you are not logged in, you will be prompted to log in to
the Guardium appliance.


Optional External Feed


External Feed is available only after a mapping project is done (by Guardium's
Technical Support) to map Guardium's schema to the remote schema.
Once that project is done, the External Feed option will be available in the GUI.
Use of this feature requires a custom External Feed mapping. Consult with
Technical Support for this custom mapping.
The first time that an optional external feed task runs, the necessary internal
representation of the audit sources will be created. One limitation is that data that
is time-stamped with a date earlier than the audit source creation date cannot be
stored. This means that the first time the task runs, it will only export data for the
current date. On subsequent executions of the task following that date, any data
from that date forward can be exported. (In other words, the next day, you will be
able to export that day's data plus the prior day's data.)

Create an Optional External Feed Task


If you have not yet started to define a compliance workflow automation process,
see Create a Workflow Process before performing this procedure.
1. If the Add New Task pane is not open, click Add Audit Task.
2. Click External Feed.
3. Select the appropriate feed type from the Feed Type list. (The controls that
appear next depend on the feed type selected.) There are no predefined feed
types.
Note: Use of this feature requires a custom External Feed mapping. Consult
with Technical Support for this custom mapping.
4. Select an event type from the Event Type list.
5. Select a report from the Report list. Depending on the report selected, a
variable number of parameters will appear in the Task Parameters pane.
6. In the Extract Lag box, enter the number of hours by which the feed is to lag,
or mark the Continuous box to include data right up to the time that the audit
task runs.
7. In the Datasources pane, identify one or more datasources for the external feed.
For instructions on how to define or select datasources, see Datasources in the
Common Tools book.
8. Enter all parameter values in the Task Parameters pane. The parameters will
vary depending on the report selected.
9. Click Apply.


Workflow Builder
The Workflow Builder is used to define customized workflows (steps, transitions
and actions) to be used in the Audit Process.
For additional information, see Compliance Workflow Automation on page 255.
Follow the steps below to:
v Define the workflow steps (Event Status),
v Define the flow of transit from one step to another (Actions)
v Define which actions require sign-off
v Assign roles to each status, to define the users permitted to view each status
Relevant Terms for this feature
Event Type - Custom workflow
Event Status - State/status of the workflow.
Event Action - Action/Transition
Note: Workflow Builder is an optional component enabled by product key.

Create a Workflow Process


1. Do one of the following to open the Workflow Builder:
v Users with the admin role: Select Tools > Config & Control > Workflow
Builder.
v All Others: Select Comply > Workflow Builder.
2. At the first screen (Event Type), click the Event Status button at the bottom of
the menu to go to the Event Status configuration.
3. Click Add Event Status to define a new Event Status. A workflow normally
needs several Event Statuses. Fill in the status description and place a check
mark in the Is Final check box if the status is a final state in the workflow.
When done, go to the next step.
4. Click on the Event Type button and then click on the Add button of Add
Event Type Definition to define a new Event Type.
5. Fill in the description and designate the first task in the workflow.
6. Then choose all the Allowed Status for the workflow from the Available Status
list, by highlighting the Status item and clicking on the > button between the
Available Status List and Allowed Status List.
7. When done, click the Save button. Note: the Save and Cancel buttons apply
only to changes made to the name, default event or available events.
8. Go to the Defined Event Actions section of the Event Type menu screen.
Defined Event Actions involves designating the separate Event Actions of the
workflow.
9. Click the New button.
10. Fill in the Event Action Description and designate Prior status, Next status
and if Sign-off of this event action is required. Click the Apply button.
11. Repeat Steps 9 and 10 until all event actions are described and designated.

12. Go to the Roles section of the Event Type menu screen. Roles involve defining
who can see the event when it is in a particular Event Action. For example,
who can see events that are "Under Review" and who can see events that are
"Approved".
13. Select the Event Type Status and click the Roles button.
14. In the Assign Security Roles panel, mark all of the roles you want to assign
(you will only see the roles that have been assigned to your account). Click
Apply to save security role choices. Click the Back button.
15. Repeat steps 13 and 14 until roles have been defined for every event type status.
16. The configuration effort from Workflow Builder is done.
17. Users with admin role: Select Tools > Config & Control > Audit Process
Builder to schedule the workflow and build and show workflow reports. See
the Audit Process Builder steps under Define a Report Task. All others: select
Comply > Audit Process Builder.
There is a usage scenario, Workflow Builder Workflow Example in the Appendices.
Note: If the task type in Audit Process Builder is Classification Process, then
Workflow Builder can not create customized workflows.
Warning Note: When a workflow event is created, every status used by that event
can be assigned a role (meaning that events can only be seen by this role when in
this status). When an event is assigned to an audit process, it is important that
every role that is assigned to a status of this event have a receiver on this audit
process. Otherwise, it is possible that an audit result row can be put into a status
where none of its receivers are able to see this row or change its status.
If the above were to occur, the admin user (who is able to see all events, regardless
of their roles) would be able to see the row and change its status. However, if data
level security is on, the admin user may not be able to see this row. The admin
user would need to either turn data level security off (from Global Profile) or have
the dataset_exempt role. It is important to configure the audit process so that all
roles who must act on an event associated with this audit process are receivers of
this audit process.
Note: Deletion of an event status is permitted only if the status is not the first or
final status of any event type, and if it is not used by any action. The validation will
list the events and actions that prevent the status from being deleted.
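The Workflow Builder procedure and the notes above amount to three consistency rules: every role assigned to a status should be a receiver of the audit process that uses the event type, a status cannot be deleted while it is a first or final status or is used by an action, and an action flagged for sign-off must not advance a row without it. The following is an added example, not Guardium product code, that models an event type in Python and implements those checks. The event type name, statuses, action names, roles and the receiver list are constructed for illustration.

```python
"""Added example (not part of Guardium): a small model of a Workflow Builder event
type and the consistency checks described in the notes above. All names are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class EventAction:
    description: str
    prior_status: str
    next_status: str
    signoff_required: bool = False


@dataclass
class EventType:
    name: str
    first_status: str
    final_statuses: set
    actions: list                                       # EventAction objects (the transitions)
    status_roles: dict = field(default_factory=dict)    # status -> roles allowed to see it

    def statuses(self):
        """Every status the event type refers to (first, final, and action endpoints)."""
        used = {self.first_status} | set(self.final_statuses)
        for a in self.actions:
            used.update((a.prior_status, a.next_status))
        return used


def roles_without_receiver(event_type, receivers):
    """Roles assigned to a status that are not receivers of the audit process.
    A result row moved into such a status could be seen by nobody except admin."""
    receivers = set(receivers)
    return {status: roles - receivers
            for status, roles in event_type.status_roles.items()
            if roles - receivers}


def status_deletion_blockers(event_type, status):
    """Reasons a status may not be deleted: it is first or final, or an action uses it."""
    blockers = []
    if status == event_type.first_status:
        blockers.append(f"first status of '{event_type.name}'")
    if status in event_type.final_statuses:
        blockers.append(f"final status of '{event_type.name}'")
    for a in event_type.actions:
        if status in (a.prior_status, a.next_status):
            blockers.append(f"used by action '{a.description}'")
    return blockers


def apply_action(event_type, current_status, description, signed_off=False):
    """Move a result row along one transition, enforcing the prior status and sign-off."""
    for a in event_type.actions:
        if a.description == description and a.prior_status == current_status:
            if a.signoff_required and not signed_off:
                raise PermissionError(f"'{description}' requires sign-off")
            return a.next_status
    raise ValueError(f"no action '{description}' from status '{current_status}'")


# Constructed review workflow: Under Review -> Approved (signed off) -> Closed
REVIEW = EventType(
    name="Quarterly access review",
    first_status="Under Review",
    final_statuses={"Closed"},
    actions=[
        EventAction("Approve", "Under Review", "Approved", signoff_required=True),
        EventAction("Close", "Approved", "Closed"),
    ],
    status_roles={"Under Review": {"dba-reviewer"}, "Approved": {"security-manager"}},
)

if __name__ == "__main__":
    # Only dba-reviewer receives the audit process: rows that reach Approved are orphaned.
    print(roles_without_receiver(REVIEW, {"dba-reviewer"}))
    print(status_deletion_blockers(REVIEW, "Approved"))
```

Run roles_without_receiver against the receiver list of each audit process that uses the event type before scheduling it; an empty result means every status has at least one receiver who can act on rows in it.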

Add Default Events Only to a Limited Number of Records


When an Audit Process report task runs, the results of that task are saved in the
table REPORT_RESULT_DATA_ROW, which holds one row for every row of the
report. If the report task also has a default event assigned to it, a row is added
to the table TASK_RESULT_ADDITIONAL_INFO for every row of the report as
well. This becomes a disk space problem only when default events are attached to
large results. Create events only on task results with a limited number of records;
otherwise users will never be able to work through the large number of open
events. Used in this limited manner, default events cause neither disk space issues
nor usability issues, since it is not practical to close thousands of events by hand.


Monitored Table Access


This feature adds a Last Assessed field to relevant tables, for interaction with
Optim Designer data lifecycle products.
This feature is also called Table Last Referenced.
This feature uses Guardium's External Feed, preconfigured with the data (a
predefined External Feed map), and an audit process to run it.

Follow these Steps


1. Create the target (Optim) tables on any Informix database. Use the script below.
2. Open the Tools tab, select Audit Process Builder and edit the process named:
"Table Last Referenced". Add a datasource to the External Feed task (the
Informix datasource that contains the tables) and setup the run-time parameter
for servers group. All the rest is predefined and there is no need to change it.
3. Run (or schedule to run periodically) the audit process.
InfoSphere Guardium can detect external references to database objects, specifically
tables. This capability, in conjunction with Optim Designer, can be used to manage
the retirement of inactive tables or archiving with certain retention policies.
Guardium collects and maintains a list of tables with the date of last reference. The
list is built using policies in Guardium that dictate the interval of last reference and
the frequency to be used for updating the list content. The information captured by
Guardium is referred to as the last reference list and supplies the following
information: What tables are no longer referenced? What table access trends exist
for retirement candidates?
Having the ability to accurately plan for the retirement of applications will help to:
v Plan for hardware retirement or redeployment
v Lower cost of ownership by moving or retiring those resources supporting the
applications (for example, hardware, DBA(s), Application owners, IT operations
such as backups).
v Know what tables are rarely or never accessed
This functionality of InfoSphere Guardium has been added directly to the Optim
Designer user interface.
The information supplied by Guardium to Optim consists of the following
attributes per table entry:
Table 29. Monitored Table Access List Entry

List Entry (Field)    Description (Comment)
DataSourceDesc        Description
Server IP
Host Name
DB Vendor             for example, Oracle, DB2
User Name             for example, for Oracle it mostly defines the schema
Database Name
Schema
Table
Date                  Date of last access

Script to create Informix tables in the Optim product


Last_referenced_datasource

create table last_referenced_datasource (
    id              serial(1) not null,
    datasource_desc varchar(100),
    server_ip       char(39),
    host_name       varchar(200),
    db_vendor       char(40),
    primary key (id) constraint last_referenced_datasource_pk
);

Last_referenced_table

create table last_referenced_table (
    id             serial(1) not null,
    datasource_id  int not null,
    user_name      char(32),
    db_name        char(128) not null,
    schema_name    char(128) not null,
    table_name     char(128) not null,
    last_reference datetime year to second not null,
    primary key (id) constraint last_referenced_table_pk,
    foreign key (datasource_id) references last_referenced_datasource(id)
        constraint last_referenced_table_fk
);
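Once the feed has populated these two tables, the question the section opens with ("What tables are no longer referenced?") is a join on datasource_id filtered by last_reference. The following is an added example, not part of the Guardium or Optim products: the Informix schema above translated to SQLite (serial becomes INTEGER PRIMARY KEY, datetime year to second becomes ISO text) so the retention query can be run offline. The datasource row, the table rows and the 90-day idle threshold are constructed for illustration.

```python
"""Added example, not part of the Guardium-Optim integration: the Informix schema
above translated to SQLite so a retirement-candidate query can be run offline.
The datasource, the rows and the idle threshold are constructed."""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
create table last_referenced_datasource (
    id              integer primary key,
    datasource_desc varchar(100),
    server_ip       char(39),
    host_name       varchar(200),
    db_vendor       char(40));
create table last_referenced_table (
    id             integer primary key,
    datasource_id  int not null,
    user_name      char(32),
    db_name        char(128) not null,
    schema_name    char(128) not null,
    table_name     char(128) not null,
    last_reference text not null,
    foreign key (datasource_id) references last_referenced_datasource(id));
"""
FMT = "%Y-%m-%d %H:%M:%S"   # ISO layout so text comparison orders like the datetime


def load_sample(conn, now):
    """Create the tables and fill them with constructed rows relative to 'now'."""
    conn.executescript(SCHEMA)
    conn.execute("insert into last_referenced_datasource values "
                 "(1, 'prod oracle', '10.0.0.5', 'db01', 'Oracle')")
    rows = [(1, "APP", "PROD", "APP", "ORDERS", now - timedelta(days=2)),
            (1, "APP", "PROD", "APP", "ORDERS_ARCHIVE_2019", now - timedelta(days=400)),
            (1, "HR", "PROD", "HR", "SALARIES", now - timedelta(days=120))]
    conn.executemany(
        "insert into last_referenced_table (datasource_id, user_name, db_name, schema_name,"
        " table_name, last_reference) values (?, ?, ?, ?, ?, ?)",
        [r[:5] + (r[5].strftime(FMT),) for r in rows])


def retirement_candidates(conn, now, idle_days=90):
    """Tables whose last reference is older than idle_days, oldest first, with the
    host and vendor of the datasource they live on."""
    cutoff = (now - timedelta(days=idle_days)).strftime(FMT)
    return conn.execute("""
        select d.host_name, d.db_vendor, t.db_name, t.schema_name, t.table_name, t.last_reference
          from last_referenced_table t
          join last_referenced_datasource d on d.id = t.datasource_id
         where t.last_reference < ?
         order by t.last_reference""", (cutoff,)).fetchall()


def demo(idle_days=90):
    """Names of the candidate tables for the constructed sample at a fixed 'now'."""
    conn = sqlite3.connect(":memory:")
    now = datetime(2024, 1, 8, 12, 0, 0)
    load_sample(conn, now)
    return [row[4] for row in retirement_candidates(conn, now, idle_days)]


if __name__ == "__main__":
    print(demo())        # tables idle for more than 90 days
    print(demo(365))     # tables idle for more than a year
```

Against the real Informix tables the same query works unchanged apart from the date literal, because last_reference is a datetime there and can be compared with CURRENT minus an interval directly.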


Protect Help Book


This book describes how to create and use: Baselines; Policies; Install Policies;
Correlation Alerts; and, Incident Manager.
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.


Baselines
A baseline is a profile of access commands executed in the past, helping to identify
normal activity and anomalous behavior (inconsistent with or deviating from
behavior that is usual, normal, or expected).
The Baseline Builder generates a baseline by examining activity previously logged
and currently available, on the Guardium appliance.
When included in a security policy, the baseline becomes a baseline rule, which
allows all database access that has been included in the baseline.
A baseline rule in a policy has the following characteristics:
v There can be only one baseline rule.
v The baseline rule action is always Allow, which means accept the command and
do not continue to the next rule in the policy.
v When the baseline rule is added to the policy, it is positioned at the top of the
list of rules. It can be moved anywhere in the set of rules (which are evaluated
in sequence), as appropriate for the policy.
v Once a baseline rule has been included in a policy, it cannot be removed.
The Policy Builder can generate suggested policy rules from the baseline. The
suggested rules can be edited and included in the policy ahead of the baseline rule,
so that alternative actions (alerts, for example) can be taken for some commands
that were seen in the baseline period. In addition, an examination of the suggested
rules provides valuable insight into the actual traffic patterns observed (types of
commands and frequency). Suggested rules are described in more detail below.
The Baseline Builder provides the ability to control what gets included in the
baseline, in several ways:
v By specifying a threshold to control how many occurrences of a command must
be seen before the command will be included in the rule. A threshold of one
includes every command observed, while a threshold of 1,000 includes only
those commands occurring 1,000 times or more.
v By controlling sensitivity to one or more attributes. For example, if the baseline
is sensitive to the database user, it will include commands for specific users only.
Users who did not execute the command during the baseline period would not
be allowed by the baseline rule.
v By limiting the connections included to subsets of server and client IP addresses.
The baseline always specifies a single client network mask and a single server
network mask. Each mask can be as inclusive or as exclusive as required.
v By merging data from different time periods. There may be traffic that occurs
during non-contiguous time periods that should be included in the baseline. You
can merge the data from any number of time periods into a single baseline. In
addition, the data can be filtered for specific client and server addresses.

About Baseline Sensitivity


Baseline sensitivity can be based on any combination of the following (each will be
described in more detail, later):
v Database User
v Database Protocol
v Database Protocol Version
v Time Period
v Source Program
v Sequence

Baseline sensitivity depends on a specified threshold, which defines the minimum
number of times a command must be observed during the baseline period in order
to include that command in the baseline.
With no sensitivity selected, each command that exceeds the threshold will be
included in the baseline.
If a single type of sensitivity is selected, a separate count of each command will be
maintained for each value of the sensitivity type (database user, for example).
If multiple types of sensitivity are selected, separate counts of each command are
maintained for each combination of values for each selected type (for each
combination of database user and source program, for example). Thus for each
type of sensitivity included, the number of combinations can increase dramatically.

About Sequence Sensitivity


If the baseline is sensitive to command sequence, then when included in a policy
the baseline rule will allow only the sequences of commands observed during the
baseline period. To illustrate with a very simple example: if the only two sequences
of commands observed in the baseline period are A-B and B-C, the following table
illustrates which sequences of commands would be allowed by that baseline rule.
Table 30. About Sequence Sensitivity

Command Sequence | Allowed
A-B
A - everything else
B-C
B - anything else
Anything but A

About Time Period Sensitivity


When the baseline is sensitive to the time period, separate counts are maintained
for each time period defined. If overlapping time periods are defined (which is a
normal situation), a command will be counted only once, in the most restrictive
time period during which it occurs. If a time period is non-contiguous (for example,
00:00 to 08:00 on each day of the week), only one contiguous segment of the time
period is considered when judging how restrictive it is (eight hours in the example).
To illustrate how the Baseline Builder assigns requests to time periods, assume that
Saturday is included in three time periods:
v 24x7 (24 hours, 7 days a week)
v Saturday (24 hours only)
v Week End (48 hours - Saturday + Sunday)
Since the time period named Saturday is the most restrictive (24 hours only), all
requests time-stamped on Saturday will be counted in that time period, and not in
the more inclusive Week End or 24x7 time periods.

About Baselines in Aggregation and Central Manager Environments

If there are multiple Guardium appliances in an Aggregation and/or Central
Manager environment, there is a single important point to keep in mind when
generating and using baselines:
Baselines are generated using only the data currently available on the appliance
that is generating the baseline.
This means that:
v A baseline generated on a collector will be built using the traffic available on
that unit only.
v A baseline built on an aggregator will be built from the data currently available
on the aggregator, which typically will have been sent from multiple collectors
over a period of time.
v A baseline generated on a Central Manager that is not also an aggregator will be
empty, since a Central Manager does not collect data (unless it is also an
aggregator).
v In a Central Management environment, a baseline generated on a managed unit
will be built using data from that unit only, but the baseline will be stored on
the Central Manager, and it will be available for use on any other unit.
v In a Central Management environment, to generate a single baseline from
multiple managed units, the baseline can be built with data from the first
managed appliance, and then merged using data from the other appliances, one
at a time.

About Suggested Rules


When a baseline is included in a policy, the Policy Builder can generate suggested
rules from the baseline. It will generate the minimum number of rules necessary to
represent everything that is included in the baseline. You can then accept any or all
of the suggested rules, and modify the accepted ones as necessary. In addition to
being a convenient way to generate an explicit policy (rather than an implicit
policy based on a baseline only), this is an important step in validating that a
baseline does not include malicious or erroneous activity that may have occurred
during the baseline period.
You may want to modify the suggested rules if you discover an activity that
occurred during the baseline period that you would like to monitor or alert upon
in the future. You simply tailor the appropriate rule suggested from the baseline,
and assign the desired action. By default, the suggested rules will be positioned
before the baseline rule, so that the action specified will be taken before the
baseline rule executes to allow that command with no further testing of rules.
Note: The Policy Builder can also generate rules from the database ACL. See
Policies on page 295 for more information.


About Suggested Object Groups


When generating suggested rules from either the baseline or the database ACL
(access control), the Policy Builder minimizes the number of suggested rules by
creating suggested object groups. For example, assume the baseline includes a
particular command that references only three objects: AAA, BBB, and CCC, and
that there is not already an object group defined consisting of only those three
objects. The Policy Builder will create a suggested object group for those objects,
and will generate a single rule for the command, which references the suggested
object group.
You can display the membership of a suggested object group, and you have the
option of accepting or rejecting each group. In the example just given, if you reject
the suggested object group, the single rule that references it will be replaced by
three suggested rules (one each for AAA, BBB, and CCC).

Create a Baseline
1. Navigate to the Baseline Finder:
v Users, select: Protect > Security Policies > Baseline Builder.
v Administrators, select: Tools > Config & Control > Baseline Builder.
2. Click the New button to open the Baseline Builder panel.
3. Enter a unique baseline name in the Baseline Description box. Do not include
apostrophe characters in the baseline description.
4. In the Baseline Sensitivity pane, mark each element to which the baseline will
be sensitive. The more sensitive the baseline, the more complex the testing
that will be done both when creating the baseline and more importantly, when
inspecting traffic. See the Overview above, for more information about
baseline sensitivity.
5. In the Baseline Threshold pane, enter the minimum number of occurrences for
a command during the baseline period for that command to be included in
the baseline. If one or more sensitivity boxes have been marked (see above),
this count applies to the combination of sensitive values.
If the approach you are taking in building your security policy is to always
allow the most commonly issued commands from the past, then set this
number upwards to the appropriate level. If, on the other hand, you want to
ensure that the baseline is comprehensive, then leave this value set to 1. In
either case, you can have the Policy Builder suggest rules from the baseline.
The suggested rules are sorted in descending order by frequency in the
baseline period, so you can decide at that time whether to include or modify
rules for each unique command issued.
6. Use the Baseline Network Information pane to identify the servers and clients
to be included in the baseline. The method used to select which IP addresses
to use to construct the baseline is the same for servers and clients.
For each address encountered in the baseline data, membership in an optional
tagged group is considered first. A tagged group is a specific list of IP
addresses for which baseline constructs will be generated. If a tagged group is
selected, and if an IP address encountered in the baseline data is included in
the corresponding tagged group, that element will be included in the baseline
for that specific IP address. For example, assume that the Tagged Client IP
Group named ZoneAGroup has been selected, and that group includes a
client address of 192.162.14.33. If the baseline generator encounters the
command SELECT abc FROM xyz from that IP address, that command will be
counted for that specific address.

In contrast, if no tagged group is selected, or if an IP address is encountered
in the baseline data that is not a member of the selected tagged group, that
command may be counted with identical commands from other IP addresses
as directed by the corresponding network mask.
The network mask is required to group both client and server IP addresses.
Choices include all the different variations of subnet masks between
255.255.255.255 (all four octets must match) and 0.0.0.0 (all octets can be
anything).
You must always:
v Enter a subnet mask in the Server Network Mask box.
v Enter a subnet mask in the Client Network Mask box.
To illustrate how the baseline builder uses network masks to group addresses,
assume that:
v The Client Network Mask is 255.255.0.0, meaning that the first two octets
must match, but the last two octets can be anything.
v In the baseline data, a request with the client IP address 192.168.3.211 is
encountered.
v That client IP address is not in the selected Tagged Client IP Group (or
there is no Tagged Client IP Group selected).
v The command is SELECT abc FROM xyz.
When generating the baseline, this command will be included in the count of
all SELECT abc FROM xyz commands for all client IP addresses from the
192.168.0.0 subnet.
7. Click the Save button to validity-check and save the baseline definition. If you
have omitted required fields or entered invalid values, the definition will not
be saved and you must resolve any problems before attempting to save again.
8. Optionally click the Roles button to assign roles for the baseline. See Assign
Security Roles.
9. Optionally click the Comments button to add comments to the definition. See
Commenting.
10. After a baseline has been saved successfully, the Baseline Generation and
Baseline Log panes appear at the bottom of the panel.
11. Click anywhere on the Baseline Generation pane title to expand the pane.
12. Supply both From and To dates to define the time period from which the
baseline is to be generated. There are a number of ways to enter dates (see
Select or Enter a Date). Regardless of how you enter dates, any minutes or
seconds specified will be ignored.
13. Click the Generate button to generate the baseline. If you have modified the
baseline definition, you will be prompted to save the definition before
generating the baseline.
Note: After you successfully generate the baseline for the first time, additional
fields display in the Baseline Generation panel. These fields allow you to merge
data from additional time periods into the baseline, and to restrict the client and
server IP addresses used during each additional time period. For more
information, see Merge Baseline Information, below.
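The counting rules spread over the sections above (the occurrence threshold, sensitivity attributes that split the counts, tagged IP groups checked before the network mask, the most restrictive time period winning, sequence sensitivity keyed on the previous command, and a merge that adds constructs but never removes them) fit in one small model. The following is an added example, not Guardium code, that implements them in Python over a constructed traffic sample and then applies the resulting baseline the way the baseline rule in a policy would. The record fields, the weekday-only time periods, the session field used for sequence sensitivity and the merge behaviour are assumptions for illustration; the sample addresses reuse the ones from the text.

```python
"""Added example (not Guardium code): a miniature baseline builder that applies the
rules described above to a constructed traffic sample. Record fields, weekday-only
time periods and the merge behaviour are assumptions for illustration."""
from collections import Counter
from datetime import datetime
from ipaddress import IPv4Address

# Constructed traffic, not captured from an appliance. 2024-01-06 is a Saturday.
TRAFFIC = [
    dict(ts=datetime(2024, 1, 6, 9, 0), session=1, db_user="app", source_program="web",
         client_ip="192.168.3.211", server_ip="10.0.0.5", sql="SELECT abc FROM xyz"),
    dict(ts=datetime(2024, 1, 6, 9, 5), session=2, db_user="app", source_program="web",
         client_ip="192.168.3.212", server_ip="10.0.0.5", sql="SELECT abc FROM xyz"),
    dict(ts=datetime(2024, 1, 7, 10, 0), session=3, db_user="app", source_program="web",
         client_ip="192.168.3.211", server_ip="10.0.0.5", sql="SELECT abc FROM xyz"),
    dict(ts=datetime(2024, 1, 8, 11, 0), session=4, db_user="dba", source_program="sqlplus",
         client_ip="192.162.14.33", server_ip="10.0.0.5", sql="SELECT abc FROM xyz"),
    dict(ts=datetime(2024, 1, 8, 11, 1), session=4, db_user="dba", source_program="sqlplus",
         client_ip="192.162.14.33", server_ip="10.0.0.5", sql="DROP TABLE xyz"),
    dict(ts=datetime(2024, 1, 8, 11, 2), session=5, db_user="dba", source_program="sqlplus",
         client_ip="192.168.3.211", server_ip="10.0.0.5", sql="SELECT abc FROM xyz"),
]

# Time periods as sets of weekdays (Mon=0 .. Sun=6); hours within a day are ignored here.
TIME_PERIODS = {"24x7": set(range(7)), "Saturday": {5}, "Week End": {5, 6}}


def mask_address(ip, mask):
    """Apply a dotted-quad network mask: 192.168.3.211 with 255.255.0.0 -> 192.168.0.0."""
    return str(IPv4Address(int(IPv4Address(ip)) & int(IPv4Address(mask))))


def group_address(ip, mask, tagged_group):
    """Tagged-group membership is considered first; other addresses are grouped by mask."""
    return ip if ip in tagged_group else mask_address(ip, mask)


def assign_time_period(ts, periods=TIME_PERIODS):
    """A request counts once, in the most restrictive (fewest days) period containing it."""
    hits = [name for name, days in periods.items() if ts.weekday() in days]
    return min(hits, key=lambda name: len(periods[name]), default=None)


class Baseline:
    def __init__(self, threshold=1, sensitivity=(), client_mask="255.255.255.255",
                 server_mask="255.255.255.255", tagged_clients=(), tagged_servers=()):
        self.threshold, self.sensitivity = threshold, set(sensitivity)
        self.client_mask, self.server_mask = client_mask, server_mask
        self.tagged_clients, self.tagged_servers = set(tagged_clients), set(tagged_servers)
        self.constructs = {}            # key -> occurrences, filled by generate()

    def key(self, rec, prev_sql=None):
        """The identity a command is counted under; each sensitivity attribute extends it."""
        key = [rec["sql"],
               group_address(rec["client_ip"], self.client_mask, self.tagged_clients),
               group_address(rec["server_ip"], self.server_mask, self.tagged_servers)]
        if "db_user" in self.sensitivity:
            key.append(rec["db_user"])
        if "source_program" in self.sensitivity:
            key.append(rec["source_program"])
        if "time_period" in self.sensitivity:
            key.append(assign_time_period(rec["ts"]))
        if "sequence" in self.sensitivity:
            key.append(prev_sql)        # previous command of the same session, None at start
        return tuple(key)

    def generate(self, traffic, merge=False):
        """Count every key over the period and keep those at or above the threshold.
        merge=True adds to the existing constructs and never removes one already present."""
        counts, last_sql = Counter(), {}
        for rec in sorted(traffic, key=lambda r: r["ts"]):
            counts[self.key(rec, last_sql.get(rec["session"]))] += 1
            last_sql[rec["session"]] = rec["sql"]
        if not merge:
            self.constructs = {}
        for k, n in counts.items():
            if n >= self.threshold:
                self.constructs[k] = self.constructs.get(k, 0) + n
        return self.constructs

    def allows(self, rec, prev_sql=None):
        """The baseline rule's test: Allow when the request matches a baseline construct."""
        return self.key(rec, prev_sql) in self.constructs


if __name__ == "__main__":
    b = Baseline(threshold=2, client_mask="255.255.0.0", tagged_clients={"192.162.14.33"})
    for k, n in b.generate(TRAFFIC).items():
        print(n, k)
```

With a threshold of 2 and the client mask 255.255.0.0, the four SELECT requests from 192.168.x.x collapse into one construct while the tagged address 192.162.14.33 is counted on its own and never reaches the threshold; adding db_user sensitivity splits that construct so the single SELECT by dba drops out, which is exactly the effect the text describes for users who did not issue the command in the baseline period.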

Merge Baseline Information


To merge baseline information (to include information from additional time
periods and/or from different groups of clients and servers, for example):
1. Navigate to the Baseline Finder:
v Users, select: Protect > Security Policies > Baseline Builder.
v Administrators, select: Tools > Config & Control > Baseline Builder.
2. From the Baseline Definition list, select the baseline into which additional
baseline information is to be merged.
3. Click the Modify button to open the Edit Baseline panel.
4. Do not modify the Baseline Sensitivity selections. If you modify the baseline
sensitivity, you will be prompted to generate a completely new baseline to
replace the existing one.
5. Optional. Set the Minimum number of occurrences for addition to Baseline
value in the Baseline Threshold pane. The value entered here has no impact
on information previously included in the baseline. Once something has been
added to the baseline, it is not removed during a merge operation.
6. Optional. Enter alternative network information in the Baseline Network
Information pane. The displayed values are from the last generate or merge
operation. If the merged information comes from the same set of servers
and/or clients, leave these fields unchanged. Otherwise, make the appropriate
changes in this pane to select the traffic to be included in the baseline, as
described previously. (See Create a Baseline, above.)
7. Click anywhere on the Baseline Generation pane title to expand the pane.
8. Supply both From and To dates to define the time period from which the
baseline is to be generated. There are a number of ways to enter dates (see
Select or Enter a Date). Regardless of how you enter dates, any minutes or
seconds specified will be ignored.
9. Select the Merge radio button.
10. Optional. In the Filter Selection pane, limit the baseline generation to specific
client and/or server IP addresses by entering an IP address followed by a
network mask. For example, to select all client IP addresses from the
192.168.9.x subnet, enter 192.168.9.1 in the first Client IP box, and 255.255.255.0
in the second box. To include additional addresses, click the Add button, then
enter the additional address information.
11. Click the Generate button to generate the baseline. If you have modified the
baseline definition, you will be prompted to save the definition before
generating the baseline.

Modify a Baseline
Caution: Before modifying a baseline definition, be sure that you understand the
implications of modifying it, particularly if the baseline whose definition you want
to modify and re-generate is used in an installed policy. If you modify and
re-generate a baseline contained in an installed policy, when you re-install that
policy it will use the new baseline. To provide a fall-back option for baselines used
by installed policies, consider instead cloning these baselines and policies, and
modifying and generating the cloned definitions. See Clone a Baseline, below, for
more information.
1. Navigate to the Baseline Finder:
v Users, select: Protect > Security Policies > Baseline Builder.
v Administrators, select: Tools > Config & Control > Baseline Builder.
2. From the Baseline Definition list, select the baseline to be modified. Click the
Modify button to open the Edit Baseline panel. Apart from the panel title, this
panel is identical to the Add Baseline panel described above. See Create a
Baseline, above, for instructions on using this panel.


Clone a Baseline
There are a number of situations where you may want to define a new baseline
based on an existing one, without modifying the original definition. See the
caution, above.
1. Navigate to the Baseline Finder:
v Users, select: Protect > Security Policies > Baseline Builder.
v Administrators, select: Tools > Config & Control > Baseline Builder.
2. From the Baseline Definition list, select the baseline to be cloned.
3. Click the Clone button to open the Clone Baseline panel.
4. Enter a unique name for the new baseline in the New Baseline Description box.
Do not include apostrophe characters in the new baseline description.
5. To clone the baseline constructs (the commands, basically) that have been
generated for the baseline being cloned, mark the Clone Constructs checkbox.
6. Click the Accept button to save the new baseline. You can then open and edit
the new baseline via the Baseline Finder. See Modify a Baseline.

Remove a Baseline
1. Navigate to the Baseline Finder:
v Users, select: Protect > Security Policies > Baseline Builder.
v Administrators, select: Tools > Config & Control > Baseline Builder.
2. From the Baseline Definition list, select the baseline to be removed.
3. Click the Delete button. You will be prompted to confirm the action.


Policies
A security policy contains an ordered set of rules to be applied to the observed
traffic between database clients and servers. Each rule can apply to a request from
a client, or to a response from a server. Multiple policies can be defined and
multiple policies can be installed on a Guardium appliance at the same time.
Each rule in a policy defines a conditional action. The condition tested can be a
simple test - for example it might check for any access from a client IP address that
does not belong to an Authorized Client IPs group. Or the condition tested can be
a complex test that considers multiple message and session attributes (database
user, source program, command type, time of day, etc.), and it can be sensitive to
the number of times the condition is met within a specified timeframe.
The action triggered by the rule can be a notification action (e-mail to one or more
recipients, for example), a blocking action (the client session might be
disconnected), or the event might simply be logged as a policy violation. Custom
actions can be developed to perform any tasks necessary for conditions that may
be unique to a given environment or application. For a complete list of actions, see
Rule Actions Overview below.
A policy violation is logged each time that a rule is triggered (except when the rule
explicitly requests no logging). Optionally, the SQL that triggered the rule
(including data values) can be recorded with the policy violation. Policy violations
can be assigned to incidents, either automatically by a process, or manually by
authorized users (see the Incident Management tab in the Guardium GUI). For
further information, see Incident Management on page 355.
Note: Correlation alerts can also be written to the policy violations domain (see
Correlation Alerts on page 349).
In addition to logging violations, policy rules can affect the logging of client traffic,
which is logged as constructs and construct instances.
v Constructs are basically prototypes of requests that Guardium detects in the
traffic. The combinations of commands, objects and fields included in a construct
can be very complex, but each construct basically represents a very specific type
of access request. The detection and logging of new constructs begins when the
inspection engine starts, and by default continues (except as described below)
regardless of any security policy rules.
v Each instance of a construct detected in the traffic is also logged, and each
instance is related to a specific client-server session. No SQL is stored for a
construct instance, except when a policy rule requests the logging of SQL for
that instance, or for a particular client/server session of instances (with or
without values).
In addition to controlling the inclusion of SQL in client construct instances, a
security policy rule can disable the logging of constructs and instances for the
remainder of a session.
In heavy volume situations, the parsing and aggregating of information into
constructs and instances can be deferred by using the Log Flat (Flat Log) option.
When used, the production of alerts and reports will be delayed until the logged
information has been aggregated. See Log Flat discussed later in this topic.
To completely control the client traffic that is logged, a policy can be defined as a
selective audit trail policy. In that type of policy, "audit-only" rules and an optional
pattern identify all of the client traffic to be logged. See Use Selective Audit Trail
discussed later in this topic.

Policy Rule Basics


Within a policy, rules are evaluated in the order in which they appear, as each
element of traffic is analyzed.
There are three types of rules:
v An access rule applies to client requests - for example, it might test for UPDATE
commands issued from a specific group of IP addresses.
v An exception rule evaluates exceptions returned by the server (responses) - for
example, it might test for five login failures within one minute.
v An extrusion rule evaluates data returned by the server (in response to requests)
- for example, it might test the returned data for numeric patterns that could be
social security or credit card numbers.

Category, Classification, and Severity


For each rule, an optional Category and/or Classification can be assigned. These
are used to group policy violations for both reporting and incident management.

Minimum Counts and Reset Intervals


Some activities are normal and acceptable when they occur below a certain rate.
But those same activities may require attention when the rate exceeds a tolerable
threshold. For example, if interactive database access is allowed, a consistent but
relatively low rate of login failures might be expected, whereas a sharply higher
rate might indicate an attack is in progress.
To deal with thresholds, a minimum count and a reset interval can be specified for
each policy rule. This can be used, for example, to trigger the rule action after the
count of login failures exceeds 100 (the minimum count) within one minute (the
reset interval). If omitted, the default is to execute the rule action each time the
rule is satisfied.

Continue to Next Rule


By default, the evaluation of access and exception rules for a unit of traffic ends
when a rule is triggered, provided that the rule does not specify multiple actions. In
cases where it is necessary to take multiple actions for the same or similar
conditions, mark the Continue to Next Rule box for that rule.
Note: Continue to Next Rule applies to access rules following access rules and to
exception rules following exception rules, but not to an exception rule following an
access rule or an access rule following an exception rule.
Extrusion rules will be processed regardless of the end of an access or exception
rule preceding the extrusion rule. See extrusion rules "revoke" in the Rule
Definitions Reference table at the end of this topic for information on excluding
from logging a response that has already been selected for logging by a previous
rule in the policy.
Because baselines are relevant only to access rules, the use of baselines with
exception or extrusion rules cannot limit or stop continuation to the next rule.

Record Values with Policy Violation


When marked, the actual construct causing the rule to be satisfied will be logged
in the SQL String attribute and is available in reports. If not marked, no SQL
statement will be logged. To include the full values in the policy violation, mark
the Rec. Vals box for that rule.
Note: The full SQL with values will be available only in the policy violation
record, within the policy violations reporting domain. It will not be available in the
client traffic log, or on reports from the data access domain. To include full SQL
(with or without data values) in the client traffic log, use the Log Full SQL rule
actions, described below.
For more information about working with rules, see the following topics:
v View the Policy Rules for the Installed Policy
v Specify Values and/or Groups of Values in Rules
v Filter Rules to Display only a Subset
v Copy Rules
v Using Rules Suggested from the Baseline
v Using Rules Suggested from the Database ACL.
v Add or Edit Rules
v Using the Policy Simulator

Specify Values and/or Groups of Values in Rules


For many rule attributes, you can specify a single value and/or a group value,
using controls like those illustrated for the App User below.
Be aware that a group member may contain wildcard (%) characters, so each
member of a group may match multiple actual values.
v Negative Rule: Mark the Not box to create a negative rule; for example, not the
specified App User, or not any member of the selected group, or neither the
specified App User nor any member of the selected group.
v Empty Value: Enter the special value guardium://empty to test for an empty
value in the traffic. This is allowed only in the following fields: DB Name, DB
User, App User, OS User, Src App, Event Type, Event User Name, and App
Event Text.
v To define a new group to be tested: Click the Groups button to define a new
group, and then select that group from the Group list.
v To match any value: Leave the value box blank, and select nothing from the
Group list (be sure that the line of dashes is selected, as in the example above).
v To match a specific value only: Enter that value in the value box, and select
nothing from the Group list.
v To match any member of a group: Leave the value box blank, and select the
group from the list. If the minimum count is greater than 1, there will be a
single counter, and it will be incremented each time any member of the group is
matched.
v To match an individual value or any member of a group: Enter a specific value
in the value box, and select a group from the list. If the minimum count is
greater than 1, there will be a single counter, and it will be incremented each
time the individual value or any member of the group is matched.
v If the minimum count is greater than 1, count each individual value separately:
Enter a dot (.) in the value box, and select nothing from the group list. Note that
the dot option cannot be used for the Service Name or Net Protocol boxes.
v If the minimum count is greater than 1, count each member of a group separately:
Enter a dot (.) in the value box, and select a group from the list. Note that the
dot option cannot be used for the Service Name or Net Protocol boxes.
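
To make the minimum count, reset interval and value/group counter combinations concrete, here is an added Python model (not Guardium code, and not from this help book) of one rule attribute. The class and function names are my own, the group members and login-failure events are constructed, and the assumption that the action fires when the count reaches the minimum count within the reset interval (restarting the window once it expires) is mine.

```python
import re


def wildcard_to_regex(member):
    """Translate a group member that may contain % wildcards into an anchored regex."""
    return "^" + ".*".join(re.escape(part) for part in member.split("%")) + "$"


class ThresholdRule:
    """One rule attribute with a minimum count and a reset interval (seconds).

    value: ""  matches any value and keeps a single counter,
           "." matches any value but counts each distinct value separately,
           anything else matches that literal value only.
    group: optional list of group members (may contain % wildcards).
    The combinations follow the Specify Values and/or Groups of Values list.
    """

    def __init__(self, name, min_count=1, reset_interval=0, value="", group=None):
        self.name = name
        self.min_count = min_count          # default 1: fire on every match
        self.reset_interval = reset_interval
        self.value = value
        self.group = [(m, re.compile(wildcard_to_regex(m))) for m in (group or [])]
        self.counters = {}                  # counter key -> (window start, count)

    def _counter_key(self, observed):
        """Return the counter this observation increments, or None when it does not match."""
        member = next((m for m, rx in self.group if rx.match(observed)), None)
        if self.value == "":
            if self.group and member is None:
                return None                 # group selected, no member matched
            return "*"                      # single counter for the whole rule
        if self.value == ".":
            if self.group:
                return member               # one counter per matched member (None = no match)
            return observed                 # one counter per individual value
        if observed == self.value or member is not None:
            return "*"                      # specific value or any member, single counter
        return None

    def observe(self, observed, ts):
        """Feed one attribute value seen at time ts; return True when the action fires.

        Assumed semantics: the action fires when the count reaches min_count within
        reset_interval seconds of the window start; an expired window starts over.
        """
        key = self._counter_key(observed)
        if key is None:
            return False
        start, count = self.counters.get(key, (ts, 0))
        if ts - start > self.reset_interval:
            start, count = ts, 0            # reset interval elapsed: restart the window
        count += 1
        if count >= self.min_count:
            self.counters.pop(key, None)    # fire and reset this counter
            return True
        self.counters[key] = (start, count)
        return False


def login_failure_demo():
    """Constructed sample: failed logins as (DB user, seconds since start).

    Rule: value "." with no group, so each DB user gets its own counter and the
    action fires on the third failure by one user within 60 seconds.
    """
    rule = ThresholdRule("failed logins per user", min_count=3,
                         reset_interval=60, value=".")
    events = [("scott", 0), ("scott", 10), ("bob", 12), ("scott", 20), ("bob", 100)]
    return [(user, ts, rule.observe(user, ts)) for user, ts in events]


if __name__ == "__main__":
    for user, ts, fired in login_failure_demo():
        print(f"t={ts:>3}s user={user:<6} {'ACTION' if fired else 'count'}")
```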

Special Pattern Tests to Detect Sensitive Data


In some cases it is necessary to scan the actual data contained in the SQL traffic,
looking for a recognizable pattern such as a social security number, indicating that
sensitive data may be exposed. Guardium provides a set of special pattern tests
(described below) for this purpose.
Each policy rule can include a single special pattern test. To use one, begin the rule
name with one of the special pattern test names described below. All other
components of the rule (selecting specific client and server IP addresses, for
example) still can be specified.
If a match is found, keep in mind that these tests only match a character pattern,
and that fact alone does not guarantee that the suspected item (a Social Security
number, for example) has been encountered. There can be false positives under a
variety of circumstances, especially if longer sequences of numeric values are
concatenated in the data.

Special Pattern Tests


To use a special pattern test, enter the special pattern test name in the Rule
Description box, followed by a space and one or more additional characters to
make the rule name unique, for example: guardium://SSEC_NUMBER employee.

guardium://CREDIT_CARD
Detects two credit card number patterns. It tests for a string of 16 digits or for four
sets of four digits, with each set separated by a blank.
For example:
1111222233334444
or
1111 2222 3333 4444
For both patterns, this test also checks that the digits are a correct credit card
number using the Luhn Algorithm.
When a rule name begins with "guardium://CREDIT_CARD", and there is a valid
credit card number pattern in the Data pattern field, the policy will use the Luhn
algorithm (a widely-used algorithm for validating identification numbers such as
credit card numbers), in addition to standard pattern matching. The Luhn
algorithm is an additional check and does not replace the pattern check. A valid
credit card number is a string of 16 digits or four sets of four digits, with each set
separated by a blank. Both the guardium://CREDIT_CARD rule name and a valid
[0-9]{16} pattern in the Search Expression box are required for the Luhn algorithm
to take part in this pattern matching.

guardium://PCI_TRACK_DATA
Detects two patterns of magnetic stripe data. The first pattern consists of a
semi-colon (;), 16 digits, an equal sign (=), 20 digits, and a question mark (?).
For example:
;1111222233334444=11112222333344445555?
The second pattern consists of a percent sign (%), the character B, 16 digits, a carat
(^), a variable-length character string terminated by a forward slash (/), a second
variable-length character string terminated by a carat (^), 31 digits, and a question
mark (?).
For example:
%B1111222233334444^xxx/xxxx x^1111222233334444555566667777888?

guardium://SSEC_NUMBER
Detects numbers in Social Security number format: three digits, dash (-), two digits,
dash (-), four digits. The dashes are required.
For example:
123-45-6789
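
The three special pattern tests described above, as an added Python example that is not part of this help book and not Guardium's own implementation: the regular expressions are my reading of the descriptions, the rule-name prefix check follows the naming convention given above, and the Luhn check is applied only for guardium://CREDIT_CARD, as an additional check on top of the pattern match. The sample data is constructed from the page's example values.

```python
import re

# Special pattern tests as this page describes them (my regexes, not Guardium's).
SPECIAL_TESTS = {
    # 16 digits, or four groups of four digits separated by single blanks
    "guardium://CREDIT_CARD": re.compile(r"\d{16}|\d{4} \d{4} \d{4} \d{4}"),
    # ;16 digits=20 digits?   or   %B16 digits^string/string^31 digits?
    "guardium://PCI_TRACK_DATA": re.compile(
        r";\d{16}=\d{20}\?|%B\d{16}\^[^/^]*/[^^]*\^\d{31}\?"),
    # Social Security number format, dashes required
    "guardium://SSEC_NUMBER": re.compile(r"\d{3}-\d{2}-\d{4}"),
}


def special_test_from_rule_name(rule_name):
    """Return the special pattern test a rule uses, based on its name prefix.

    The rule name must start with the test name, optionally followed by a space
    and extra characters that make the rule name unique.
    """
    for name in SPECIAL_TESTS:
        if rule_name == name or rule_name.startswith(name + " "):
            return name
    return None


def luhn_valid(digits):
    """Luhn check: double every second digit from the right, sum, require mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def special_pattern_hits(test_name, data):
    """Return the substrings of data that the named special pattern test flags.

    For guardium://CREDIT_CARD the Luhn check is applied in addition to the
    pattern match, so a 16-digit string with a bad check digit is not a hit.
    No digit-boundary check is applied, so a 16-digit window inside a longer
    run of digits can still match (the false positive the page warns about).
    """
    regex = SPECIAL_TESTS[test_name]
    hits = []
    for m in regex.finditer(data):
        candidate = m.group(0)
        if (test_name == "guardium://CREDIT_CARD"
                and not luhn_valid(candidate.replace(" ", ""))):
            continue
        hits.append(candidate)
    return hits


def evaluate_rule(rule_name, data):
    """Apply the special pattern test named by the rule (if any) to returned data."""
    test = special_test_from_rule_name(rule_name)
    return special_pattern_hits(test, data) if test else []


if __name__ == "__main__":
    # Constructed sample of returned data built from the page's example values.
    sample = ("card 1111222233334444 or 1111 2222 3333 4444, bad check digit "
              "1111222233334445, ssn 123-45-6789")
    track = ";1111222233334444=11112222333344445555?"
    for rule in ("guardium://CREDIT_CARD visa", "guardium://SSEC_NUMBER employee",
                 "guardium://PCI_TRACK_DATA track2", "ordinary rule"):
        print(rule, "->", evaluate_rule(rule, sample), evaluate_rule(rule, track))
```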

Pattern matching using Regular Expressions


In addition to the special pattern tests described above, regular expressions can be
used to search traffic for complex patterns in the data. The Guardium
implementation of regular expressions conforms with POSIX 1003.2, which differs
from the Unix implementation of regular expressions. Regular expressions are
allowed in any field that is followed by the Build Regular Expression button.
Note: The use of regular expressions is also permitted in the following fields (DB
User, App User, SRC App, Field name, Object, App Event Values Text) by typing
the special value guardium://regexp/(regular expression) in the text box that
corresponds to the specific field.
Note: IBM InfoSphere Guardium does not support regular expressions for
non-English languages.
For detailed information about how to use regular expressions, see Regular
Expressions on page 67.
Rule Actions Overview


There are a number of factors to consider when selecting the action to be taken
when a rule is satisfied.

Blocking Actions (S-TAP/S-GATE)


This section describes S-TAP Terminate and S-GATE actions.

S-TAP Terminate Action


The S-TAP TERMINATE action will terminate a database connection (a session)
and prevent additional requests on that session. This action is available in S-TAP
regardless of whether or not S-GATE (see below) is used.
Note: With S-TAP TERMINATE, the triggering request usually will not be blocked,
but additional requests from that session will be blocked (at high rates, sometimes
more than one request may go through before the session is terminated).

S-GATE Actions
S-GATE provides database protection via S-TAP for both network and local
connections.
When S-GATE is available, all database connections (sessions) are evaluated and
tagged to be monitored in one of the following S-GATE modes:
v Attached (S-GATE is "on") - S-TAP is in firewalling mode for that session: it
holds the database requests and waits for a verdict on each request before
releasing its responses. In this mode, latency is expected. However, it assures
that rogue requests will be blocked.
v Detached (S-GATE is "off") - S-TAP is in normal monitoring mode for that
session: it passes requests to the database server without any delay. In this mode
latency is not expected.
S-GATE configuration in "guard_tap.ini" defines the default S-GATE mode
("attached" or "detached") for all sessions, as well as other defaults related to
S-GATE verdicts when the collector is not responding. Other than the default
S-GATE configuration, S-GATE is controlled through the real-time policy
mechanism using the following S-GATE Policy Rule Actions:
v S-GATE ATTACH: sets S-GATE mode to "Attached" for a specific session.
Intended for use when certain criteria are met that raise the need to closely
watch (and if needed block) the traffic on that session.
v S-GATE DETACH: sets S-GATE mode to "Detached" for a specific session.
Intended for use on sessions that are considered "safe" or sessions that cannot
tolerate any latency.
v S-GATE TERMINATE: Has effect only when the session is attached. It drops the
reply of the firewalled request, which will terminate the session on some
databases. The S-GATE TERMINATE policy rule will cause a previously watched
session to terminate.
Note:
v S-GATE/S-TAP termination does not work on a client IP group whose members
have wildcard characters. S-GATE/S-TAP termination only works with a single
IP address.
v For version 8.0 and higher, S-GATE actions do not support Oracle ASO
encrypted traffic, or shared memory sessions for DB2 or Informix, under Linux.
v For MySQL databases, note that MySQL's default command line connection is
'mysql -u<user> -p<pass> <dbname>'.
In this mode, MySQL first maps all the objects and fields in the database to
support auto-completion (with TAB). If a terminate rule matches any object or
field that is involved in this mapping, it will immediately terminate the
connection session. To avoid this, connect to MySQL with the "-A" flag, which
disables the "auto-complete" feature and so does not trigger the "terminate" rule.
Another option is to fine-tune the rule so that it does not terminate on ANY
access to these objects/fields, and instead uses a narrower criterion that will not
trigger the rule during the login sequence.

Alerting Actions
Alert actions send notifications to one or more recipients.
For each alert action, multiple notifications can be sent, and the notifications can be
a combination of one or more of the following notification types:
v Email messages, which must be addressed to Guardium users, and will be sent
via the SMTP server configured for Guardium. Additional receivers for real-time
email notification are Invoker (the user that initiated the actual SQL command
that caused the trigger of the policy) and Owner (the owner/s of the database).
The Invoker and Owner are identified by retrieving user IDs (IP-based)
configured via Guardium APIs. The choice Data Security User - Database
Associations (available from accessmgr) displays the mapping (this is similar to
what is displayed if running the Guardium API command
"list_db_user_mapping").
v SNMP traps, which will be sent to the trap community configured for the
Guardium appliance.
v Syslog messages, which will be written to syslog.
v Custom notifications, which are user-written notification handlers, implemented
as Java classes.
Note: Alert definitions and notifications are not subject to Data Level Security.
The reasons for this are that alerts are not evaluated in the context of a user, that
an alert may relate to databases associated with multiple users, and to avoid
situations where no one receives the alert notification.
Message templates are used to generate alerts. Multiple Named Message Templates
are created and modified from Global Profile. See Named Template on the Global
Profile on page 611 menu on how to create and modify this function. There are
several types of alert actions, each of which may be appropriate for a different type
of situation.
v Alert Daily sends notifications only the first time the rule is matched each day.
v Alert Once Per Session sends notifications only once for each session in which
the rule is matched. This action might be appropriate in situations where you
want to know that a certain event has occurred, but not for every instance of
that event during a single session. For example, you may want a notification
sent when a certain sensitive object is updated, but if a program updates
thousands of instances of that object in a single session, you almost certainly
would not want thousands of notifications sent to the receivers of the alert.
v Alert Only writes only to the message and message_text tables.
v Alert Per Match sends notifications each time the rule is satisfied. This would be
appropriate for a condition requiring attention each and every time it occurs.
v Alert Per Time Granularity sends notifications once per logging granularity
period. For example, if the logging granularity is set to one hour, notifications
will be sent for only the first match for the rule during each hour. (The
Guardium administrator sets the logging granularity on the Inspection Engine
Configuration panel.)

Log or Ignore Actions


These actions control the level of logging, based on the observed traffic.
The Log and Ignore actions are generally available, but the Audit Only action is
available only for a Selective Audit Trail policy. Access rules, exception rules and
extrusion rules differ in which actions are permitted. Click the Add Action button
to see the actions offered for a rule.
v Audit Only: Available for a Selective Audit Trail policy only. Log the construct
that triggered the rule. For a Selective Audit Trail policy, no constructs are
logged by default, so use this selection to indicate what does get logged. When
using the Application Events API, you must use this action to force the logging
of database user names, if you want that information available for reporting
(otherwise, in this case, the user name will be blank).
v Allow: When matched, do not log a policy violation. If the "Allow" action is
selected, no other actions can be added to the rule. Constructs are logged.
v Log only: Log the policy violation only. The fact that the rule was triggered is
referred to as a policy violation. Except for the Allow action, a policy violation is
logged each time a rule is triggered (unless that action suppresses logging).
v Log masked details: Log the full SQL for this request, replacing values with
question marks (???). This action is available for access rules and extrusion rules.
v Log full details: Log the full SQL string and exact timestamp for this request.
This log action choice is generally sufficient for most reporting needs.
v Log full details with values: Like Log full details above, but in addition, each
value is stored as a separate element (parse and log the values into a separate
table in the database). This log action uses more system resources as it logs the
specific values of the relevant commands. Use this log action only when you
need to generate reports with specific conditions on these values. Activation of
this log action choice is not available without consulting Technical Services
(admin user/Tools/Support Maintenance).
v Log full details per session: Log the full SQL string and exact timestamp for this
request and for the remainder of the session. The logging happens once per
session.
v Log full details with values per session: See the descriptions of Log full details
with values and Log full details per session above. Activation of this log action
choice is not available without consulting Technical Services (admin
user/Tools/Support Maintenance).
v Skip Logging: When matched, do not log a policy violation, and stop logging
constructs. This is similar to the Allow action, but it additionally stops the
logging of constructs. This action is used to eliminate the logging of constructs
for requests that are known to be of no interest. This feature also applies for
exception rules concerning database error code only, allowing users to not log
errors when an application generates large amounts of errors and there is
nothing that the user can do to stop the application errors.
v Ignore responses per session: Responses for the remainder of the session will be
ignored. This action does not log a policy violation, but it stops analyzing
responses for the remainder of the session. This action is useful in cases where
you know the database response will be of no interest. This action works when
sniffing data from an S-TAP. This action does not work when sniffing data from
a SPAN port.
v Ignore session: The current request and the remainder of the session will be
ignored. This action does not log a policy violation, but it stops the logging of
constructs and will not test for policy violations of any type for the remainder of
the session. This action might be useful if, for example, the database includes a
test region, and there is no need to apply policy rules against that region of the
database. Ignore Session rules provide the most effective method of filtering
traffic. An ignore session rule will cause activity from individual sessions to be
dropped by the S-TAP or completely ignored by the sniffer. Note: connection
(login/logout) information is always logged, even if the session is ignored.
v Ignore S-TAP session: The current request and the remainder of the S-TAP
session will be ignored. This action is done in combination with specifying in
the policy builder menu screen of certain machines, users or applications that
are producing a high volume of network traffic. This action is useful in cases
where you know the database response from the S-TAP session will be of no
interest.
v Ignore SQL per session: No SQL will be logged for the remainder of the session,
except when an exception occurs, in which case all exception data (including the
SQL causing the exception) will be logged.
v Log Extrusion Counter: Available only for extrusion rules, this action updates
the counter, but does not log any of the returned data. This action saves disk
space when the counter value is most important and returned values are the
least important.
v Log Masked Extrusion Counter: Available only for extrusion rules, this action
updates the counter; logs the SQL request, replacing values with question marks;
does not log the returned data (response).
v Quarantine: Available for access, exception and extrusion rules, the purpose of
this action is to prevent the same user from logging into the same server for a
certain period of time. There is one validation item: you cannot have a rule
with a QUARANTINE action without filling in a value for the amount of time
that the user is quarantined. See Quarantine for (minutes) above the Action
section of the application screen to set this quarantine time. If the session is
watched (S-GATE scenario), a drop verdict is sent. If the session is not watched
(S-TAP TERMINATE scenario), the S-TAP stops the session. The quarantine expiry
is computed by adding the number of minutes from the reset interval field to the
current time, which gives a new timestamp. Quarantine entries are kept in a list
sorted by this timestamp. Each element holds, in addition to the timestamp, a
server IP, server type, DB user name, service name and a flag saying whether this
was a watched session or not.
v Quick Parse: For access rules only, for the remainder of the session, WHERE
clauses will not be parsed. This reduces parsing time. In this mode all objects
accessed can be determined (since objects appear before the WHERE clause), but
the exact object instances affected will be unknown, since that is determined by
the WHERE clause.
v Redact: For extrusion rules only, this feature allows a customer to mask portions
of database query output (for example, credit card numbers) in reports for
certain users. The selection Replacement Character in the Data Pattern/SQL
Pattern section of the extrusion rule menu choices defines the masking character.
Should the output produced by the extrusion rule match the regular expression
of the Data Pattern, the portions that match sub-expressions between parentheses
"(" and ")" will be replaced by the masking character. Predefined regular
expressions (fast regexp) can also be used. See Data Pattern in the Rule Definition
Reference table at the end of this topic.
v Record Values Separately/ Do Not Record Values Separately: This action is a
session-based access rule. Used in Replay function to distinguish between
transactions.
v Mark as Auto-Commit ON/ Mark as Auto-Commit OFF: This action is a
session-based access rule. Used in Replay function due to various auto-commit
models for different databases.
Note:
Redaction (Scrub) on Linux is not supported. For all other Unix platforms, Scrub is
supported only with ANSI character sets.
Redaction (Scrub) rules should be set at the session level (that is, trigger rules on
session attributes like IPs, Users, etc.), not at the SQL level on attributes like
OBJECT_NAME or VERB, because if you set the scrub rule on the SQL that needs
to be scrubbed it will probably take a few milliseconds for the scrub instructions to
reach the S-TAP, during which some results may go through unmasked.
To guarantee all SQL is scrubbed, set the S-TAP (S-GATE) default mode to "attach"
for all sessions (in guard_tap.ini). This will guarantee that no command goes
through without being inspected by the rules engine and holding each request and
waiting for the policy's verdict on the request. This deployment will introduce
some latency but this is the way to ensure 100% scrubbed data.
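
The masking rule described for the Redact action (only the portions matched by parenthesised sub-expressions are replaced, one replacement character per masked character) as an added Python example; it is not Guardium code and not from this help book. The function names and the sample result set are my own, and the choice to mask the whole match when a Data Pattern has no sub-expressions is my assumption.

```python
import re


def redact(text, data_pattern, replacement_char="*"):
    """Mask the parts of text that match the sub-expressions of data_pattern.

    For every match of the Data Pattern, only the text captured by parenthesised
    sub-expressions is replaced, one replacement character per masked character,
    so the redacted output keeps its original length and layout.
    A pattern with no sub-expressions masks the whole match (my assumption).
    """
    regex = re.compile(data_pattern)

    def mask(match):
        chars = list(match.group(0))
        base = match.start(0)
        spans = [match.span(g) for g in range(1, regex.groups + 1)]
        spans = [s for s in spans if s[0] != -1]   # skip groups that did not take part
        if not spans:
            spans = [match.span(0)]
        for start, end in spans:
            for i in range(start - base, end - base):
                chars[i] = replacement_char
        return "".join(chars)

    return regex.sub(mask, text)


def redact_result_set(rows, data_pattern, replacement_char="*"):
    """Apply the redaction to every string column of a returned result set."""
    return [
        tuple(redact(col, data_pattern, replacement_char) if isinstance(col, str) else col
              for col in row)
        for row in rows
    ]


if __name__ == "__main__":
    # Constructed result set: name, SSN, card number (values are sample data)
    rows = [("Bob Jones", "429-29-2921", "1111 2222 3333 4444"),
            ("Ann Lee", "123-45-6789", "4444 3333 2222 1111")]
    # Sub-expressions select what to hide; the last four digits stay visible
    ssn_pattern = r"(\d{3})-(\d{2})-\d{4}"
    card_pattern = r"(\d{4}) (\d{4}) (\d{4}) \d{4}"
    masked = redact_result_set(redact_result_set(rows, ssn_pattern, "X"), card_pattern, "X")
    for row in masked:
        print(row)
```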
Note:
For HTTP support, there are policy action limitations. The following policy actions
are not supported for HTTP: S-TAP terminate and Skip logging.
In addition, the following actions are not supported for HTTP:
v Ignore Responses Per Session: because HTTP does not support exception and
extrusion rules.
v Ignore SQL Per Session: because HTTP does not contain SQL.
v Quarantine: this action quarantines a user, but HTTP does not support
DBUser and OSUser.
v Quick Parse: this action applies to SQL logging.
v S-GATE Terminate: this action is not supported for Hadoop; none of the
terminate actions work for HTTP.
For policy conditions, these conditions are not supported for HTTP:
Client MAC; DB Name; DB User; App User; OS User; Src App; Masking Pattern;
Replacement Character; Quarantine for minutes; Records Affected Threshold; XML
Pattern; Event Type; Event User Name; App Event Values Text; App Event Values
Text Group; App Event Values Text and Group; Numeric; Date.

Further discussion and examples


Log Full Details - By default the Guardium collector will mask all values when
logging a SQL string. For example "insert into tableA (name,ssn,ccn) values ('Bob
Jones', '429-29-2921','29249449494949494')" will be logged as "insert into tableA
(name,ssn,ccn) values (?, ?,?)". This is the default behavior for two reasons.
1. Values should not be logged by default because they may contain sensitive
information.
2. Logging without values can provide for increased system performance and
longer data retention within the appliance. Very often, database traffic consists
of many SQL requests, identical in everything except for their values, repeated
hundreds, thousands, or even millions of times per hour. By masking the
values, Guardium is able to aggregate these repeated SQL requests into a single
request, called a "construct". When constructs are logged, instead of each
individual SQL request/construct being logged separately, it is only logged
once per hour (per session) with a counter of how many times the construct
was executed. This can save a tremendous amount of disk space because,
instead of creating hundreds (or millions) of rows in the database, only one
new row is added.
With Log Full Details, Guardium logs each request separately, with its values
unmasked. Log Full Details also provides the exact timestamp, whereas logging
without details provides the most recent timestamp of a construct within the
logging granularity time period (usually 1 hour).
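
To show what the default masking buys, here is an added Python sketch (not Guardium code and not from this help book) that reduces SQL requests to constructs by replacing their literal values with ? and counts how often each construct ran, beside the per-request form that Log Full Details keeps. The literal regex and function names are my own, and the session traffic is constructed from the page's example insert.

```python
import re
from collections import Counter

# String literals (with '' as the escaped quote) and standalone numeric literals
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def to_construct(sql):
    """Replace every literal value with ? so that requests which differ only in
    their values collapse into one construct (the collector's default masked form)."""
    return LITERAL_RE.sub("?", sql)


def log_constructs(statements):
    """Default logging: one row per distinct construct with an execution counter,
    which is what the collector keeps per session within each logging granularity."""
    return Counter(to_construct(s) for s in statements)


def log_full_details(statements):
    """Log Full Details: every request kept as sent, values unmasked."""
    return list(statements)


if __name__ == "__main__":
    # Constructed session traffic: the page's example insert repeated with new values
    session = [
        "insert into tableA (name,ssn,ccn) values ('Bob Jones', '429-29-2921','29249449494949494')",
        "insert into tableA (name,ssn,ccn) values ('Ann Lee', '123-45-6789','1111222233334444')",
        "insert into tableA (name,ssn,ccn) values ('O''Neil', '987-65-4321','1111222233334444')",
        "select name from tableA where id = 42",
    ]
    for construct, count in log_constructs(session).items():
        print(f"{count:>3}x {construct}")
    print(len(log_full_details(session)), "rows with Log Full Details vs",
          len(log_constructs(session)), "construct rows by default")
```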
Ignore S-TAP Session - Ignore S-TAP Session causes the collector to send a signal
to the S-TAP instructing it to stop sending all traffic, except for the logout
notification, for specific sessions. For example, if you have a rule that says "where
DBUserName=scott, Ignore S-TAP Session":
v When Scott logs into the database server, S-TAP sends the connection
information to the collector.
v The collector logs the connection. Session information (log in/log outs) are
always logged.
v The collector sends a signal to S-TAP to stop sending any more traffic from this
specific session. This means that any commands run by Scott against the
database server and any responses (result sets, SQL errors, etc.) sent by the
Database server to Scott will be discarded by S-TAP and will never reach the
collector.
v When Scott logs out of the database server, S-TAP will send this information to
the collector (log in/log out information is always tracked even if the session is
ignored).
v When Scott logs in again, the steps above are repeated. The logic on which
sessions should be ignored is maintained by the collector, not the S-TAP.
It is important to note that Ignore Session rules are still very important to include
in the policy even if using a Selective Audit Trail. Ignore Session rules decrease the
load on a collector considerably because by filtering the information at the S-TAP
level, the collector never receives it and does not have to consume resources
analyzing traffic that will not ultimately be logged. A Selective Audit Trail policy
with no Ignore Session rules would mean that all traffic would be sent from the
database server to the collector, causing the collector to analyze every command
and result set generated by the database server.

Set Character Set


Use an action under a policy extrusion rule in order to attach alternative character
sets to the session.
Special Pattern Rules with character sets


Example of an extrusion rule (with hint):
Character set EUC-JP (code 274).
Extrusion rule pattern: "guardium://char_set?hint=274"
As a result, the extrusion rule will be attached to the session and the Analyzer
will use EUC-JP in the session if no other character set is in use.
Example of an extrusion rule (with force):
Character set EUC-JP (code 274).
Extrusion rule pattern: "guardium://char_set?force=274"
As a result, the extrusion rule will be attached to the session and the Analyzer
will use the EUC-JP character set in the session in any case. The character set used
before will be replaced by EUC-JP.
Keep in mind that extrusion rules usually attach to the session with some delay.
Therefore short sessions, or the beginning of a session, are not immediately
affected by a character set change. The above scheme works for: Oracle, Sybase,
MySQL, and MS SQL. See the end of this topic for a list of user-defined character
set codes.

Analyzer rules
Certain rules can be applied at the analyzer level. Examples of analyzer rules are:
user-defined character sets, source program changes, and issuing watch verdicts for
firewall mode. In previous releases, policies and rules were applied at the end of
request processing, on the logging state. In some cases, this meant a delay in
decisions based on these rules. Applying rules at the analyzer level means that
decisions can be made at an earlier stage.

Log Flat
The Log Flat option listed in Policy Definition of Policy Builder allows the
Guardium appliance to log information without immediately parsing it.
This saves processing resources, so that a heavier traffic volume can be handled.
The parsing and merging of that data to Guardium's internal database can be done
later, either on a collector or an aggregator unit.
When Log Flat (Flat Log) is checked:
v Data will not be parsed in real-time
v The flat logs can be seen on a designated Flat Log List report
v The offline process to parse the data and merge to the standard access domains
can be configured through the Administration Console -> Configuration -> Flat
Log Process.
Rules on Flat
This section describes how the Rules on Flat option changes rule evaluation.
When Rules on Flat is checked:
v Session-level rules will be examined in real time.
v No rules will be evaluated when the offline processing takes place.
When Rules on Flat is NOT checked:
v Policy rules will fire at processing time using the currently installed policy.
Note: Rules on Flat does not work with policy rules involving a field, an object, a
SQL verb (command), an Object/Command Group, or an Object/Field Group. In the
Flat Log process, "flat" means that a syntax tree is not built. If there is no syntax
tree, then the fields, objects and SQL verbs cannot be determined.
The following actions do not work with Rules on Flat policies:
LOG_FULL_DETAILS; LOG_FULL_DETAILS_PER_SESSION;
LOG_FULL_DETAILS_VALUES; LOG_FULL_DETAILS_VALUES_PER_SESSION;
LOG_MASKED_DETAILS.

Using Selective Audit Trail


Use the Selective Audit Trail option, in the Policy Definition section of Policy
Builder, to limit the amount of logging on the Guardium appliance.
This is appropriate when the traffic of interest is a relatively small percentage of
the traffic being accepted by the inspection engines, or when all of the traffic you
might ever want to report upon can be completely identified.
Without a selective audit trail policy, the Guardium appliance logs all traffic that is
accepted by the inspection engines. Each inspection engine on the appliance or on
an S-TAP is configured to monitor a specific database protocol (Oracle, for
example) on one or more ports. In addition, the inspection engine can be
configured to accept traffic from subsets of client/server connections. This tends to
capture more information than a selective audit trail policy, but it may cause the
Guardium appliance to process and store much more information than is needed
to satisfy your security and regulatory requirements.
When a selective audit trail policy is installed, only the traffic requested by the
policy will be logged, and there are two ways to identify that traffic:
v By specifying a string that can be used to identify the traffic of interest, in the
Audit Pattern box of the Policy Definition panel. This might identify a database
or a group of database tables, for example. Note that an audit pattern is a
pattern that is applied (via regular expression matching) to EACH SQL that the
logger processes to see if it matches. This pattern match is strictly a string
match. It does NOT match against the session variables (DB name, etc) the way
the policy rules do.
v Or by specifying Audit Only or any of the Log actions (Log Only, Log Full
Details, etc.) for one or more policy rules in a Rule Definition panel. With policy
rules you can be extremely precise, specifying exact values, groups or patterns to
match for every conceivable type of attribute (DB Type, DB Name, User Name,
etc.).

If the Guardium security policy has Selective Audit Trail enabled, and a rule has
been created on a group of objects, the string on each element in the group is
checked. If there is a match, a decision is made to log the information and
continue. If the Guardium security policy has Selective Audit Trail enabled, and a
rule has been created on a group of objects using a NOT designation on the object
group, there is still a need to check the string on each element in the group, and
decide to log and continue only if none of the elements match. NOT designated
rules behave the same as normal rules when used with Selective Audit Trail.
This includes:
v OR situations such as rules based on multiple objects or commands;
v Situations with two NOT conditions (for example, NOT part of a group of
objects and NOT part of a group of commands); and,
v Situations with one NOT condition and one YES condition (for example, a NOT
part of a group of objects and a YES part of a group of commands).

Selective Audit Trail and Application Events API


When a selective audit trail policy is used, and application users or events are
being set via the Application Events API, the policy must include an Audit Only
rule that fires whenever a set/clear application event, or set/clear application user
command is encountered. See Identify Users via API on page 141 for information
about setting the application user via the Application Events API.

Selective Audit Trail and Application User Translation


When a selective audit trail policy is used and Application User Translation is also
being used:
v The policy will ignore all of the traffic that does not fit the application user
translation rule (for example, not from the application server).
v Only the SQL that matches the pattern for that policy will be available for the
special application user translation reports.

Selective Audit Trail and specifying an empty group


You might use a selective audit trail policy and specify an empty group, with the
idea that anything that does not match one of the group members in the specified
group needs to be filtered out. However, this results in an attempt to match ANY
rather than NONE. Therefore, since there are no group members, nothing gets
filtered out and everything is logged.
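The following Python script is an added example; it is not part of the Guardium help book and is not Guardium code. It models the two selective audit trail behaviours described above: the Audit Pattern is applied as a plain string match to each SQL statement (so a pattern naming a database that is only known as a session variable matches nothing), and an empty group is treated as ANY rather than NONE, so a rule on an empty group logs everything. The traffic records, user names and helper names are constructed for illustration.

```python
import re

# Constructed sample traffic for illustration (not Guardium output). Each
# record pairs the session variables the inspection engine knows about with
# the SQL text the logger sees.
SAMPLE_TRAFFIC = [
    ({"db_name": "HR", "db_user": "app_user"}, "SELECT ssn FROM employees WHERE id = 7"),
    ({"db_name": "HR", "db_user": "app_user"}, "SELECT name FROM departments"),
    ({"db_name": "SALES", "db_user": "report"}, "SELECT total FROM orders"),
    ({"db_name": "SALES", "db_user": "dba"}, "UPDATE employees SET salary = 0"),
]


def audit_pattern_matches(audit_pattern, sql):
    """The Audit Pattern is a regular expression applied to EACH SQL string.
    It is a plain string match: session variables such as DB name are never
    consulted, so a pattern naming a database only hits SQL that spells it out."""
    return re.search(audit_pattern, sql) is not None


def group_rule_logs(group_members, value, negate=False):
    """Simplified 'attribute in group' rule test with an optional NOT designation.
    An empty group is treated as ANY rather than NONE (the behaviour the text
    warns about), so the rule matches every value and nothing is filtered out."""
    if not group_members:
        return True
    is_member = value in group_members
    return (not is_member) if negate else is_member


def selective_audit(traffic, audit_pattern=None, user_group=None, negate=False):
    """Return the SQL strings a selective audit trail policy would log. Traffic is
    logged when the Audit Pattern matches or when a DB User group rule fires;
    everything else is dropped (the opposite of a non-selective policy)."""
    logged = []
    for session, sql in traffic:
        pattern_hit = audit_pattern is not None and audit_pattern_matches(audit_pattern, sql)
        rule_hit = user_group is not None and group_rule_logs(user_group, session["db_user"], negate)
        if pattern_hit or rule_hit:
            logged.append(sql)
    return logged


if __name__ == "__main__":
    # A pattern naming the HR database logs nothing: "HR" never appears in the SQL text.
    print(selective_audit(SAMPLE_TRAFFIC, audit_pattern="HR"))
    # A pattern on the table name logs both statements that touch employees.
    print(selective_audit(SAMPLE_TRAFFIC, audit_pattern=r"\bemployees\b"))
    # An empty group logs everything, whether or not NOT is set.
    print(selective_audit(SAMPLE_TRAFFIC, user_group=set()))
```

The practical check this suggests: when a selective audit trail policy logs far more (or far less) than expected, confirm that the Audit Pattern names something that actually appears in the SQL text, and that no rule references a group that has no members.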

Create a policy
Use this section to create a policy. The steps follow the menu fields on the Policy
Builder screen.
Follow these steps:
1. Open the Policy Finder:
v Users: Protect > Security Policies > Policy Builder.
v Administrators: Tools > Config & Control > Policy Builder.
2. A series of predefined policies (available for policy cloning), with predefined
access, exception and extrusion values, have been created for database events
that demonstrate attempts to defeat the protect mechanisms. Such events that
will generate log actions or alerts are: Failed logins and SQL errors from
certain groups or servers; access of certain database objects by certain users or
groups; attempts to change SQL GRANT commands; and more. These
predefined policies facilitate quicker creation of policies for compliance to
meet demands from Basel II, Data Privacy-PII (personally identifiable
information), Default Sharepoint Auditing, HIPAA, OQCR DB2 to DB2 Traffic,
PCI, PCI Oracle EBS, PCI SAP, SOX Oracle EBS, Vulnerability and Threats
Management, Privileged Users Monitoring.
3. Clone a predefined policy or click the New button to open the Policy
Definition panel.
4. Enter a unique name for the policy in the Policy Description box. Do not
include apostrophe characters in the description.
5. Optional. Enter a category in the Category box. A category is an arbitrary
label that can be used to group policy violations for reporting purposes. The
category specified here will be used as the default category for each rule (and
it can be overridden in the rule definition).
6. Optional. Select a baseline to use from the Policy Baseline list. Be sure that the
baseline selected has been generated. If it has not been generated, the Policy
Builder will not be able to suggest rules from that baseline.
Note: If the baseline you want to use does not display in the list, your
Guardium user ID has not been assigned a security role authorized to use that
baseline. Contact your Guardium Administrator for further information.
If the policy includes a baseline, the policy definition will initially contain
only the baseline, and the action for a baseline is always allow without
continuing to the next rule.
When adding a baseline to an existing policy, it will be added as the first rule.
You can move the baseline rule to any location in the policy. (Be aware that if
you move the baseline to be the last rule, it will have no effect.)
7. Optionally mark Log Flat to indicate that Guardium is to log data, but not
analyze and aggregate the data to the internal database.
8. If Log Flat is selected, optionally mark Rules on Flat to apply the policy rules
to the flat log data (as opposed to the aggregated data).
9. Optionally mark Selective Audit Trail to restrict what will be logged when this
policy is installed:
v When marked, only traffic requested by this policy will be logged. This is
appropriate when the traffic of interest is a relatively small percentage of
the traffic being seen by the inspection engines. When marked, there are
two ways to signal what traffic to log: by specifying a string that can be
used to identify the traffic of interest, in the Audit Pattern box; or by
specifying Audit Only or any of the Log actions for one or more policy
rules (rule actions are described later).
v When not marked (the default situation), the Guardium appliance logs all
traffic that is seen by the inspection engines. This provides comprehensive
audit trail capabilities, but may result in capturing and analyzing much
more information than is needed.
v For more information, see Using Selective Audit Trail.
Note: Selective Audit Trail does not work with Exception rules.
10. Click the Save button to save the policy definition.
11. Optionally click the Roles button to assign roles for the policy. See Security
Roles on page 75.

12. Optionally click the Comments button to add comments to the definition. See
Comments on page 29.

Where to go from here


After creating a new policy definition, use the Policy Finder panel to access that
definition. Complete the policy definition by performing one or more of the
following tasks:
v Create policy rules manually. See Add or Edit Rules below.
v If the policy includes a baseline, have the Policy Builder suggest rules from the
baseline. You can optionally accept or tailor the generated rules as necessary. See
Using Rules Suggested from the Baseline.
v Have the Policy Builder suggest rules from the database access control (ACL)
defined for that database. You can reject, or accept and optionally tailor each
rule as necessary. See Using Rules Suggested from the Database ACL.

Modify/Clone/Remove a Policy
Use this section for the steps on how to modify, clone or remove a policy.

Modify a policy
Use caution before modifying a policy definition: be sure that you understand the
implications of modifying a policy that is in use. If the existing policy has to be
re-installed before all revisions have been completed, the policy may not install, or
it may not produce the desired results when installed. For this reason, it is
preferable to clone the policy, so that the original is always available to reinstall.
See Clone a Policy, below, for more information on cloning a policy.
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy to be modified.
3. Do one of the following:
v To edit overall policy settings (Category, Log Flat option, etc.) click the
Modify button. To change any of these settings, see Create a Policy, above.
v To edit the rules only, click the Edit Rules button. To modify any components
of the rule definitions, see Add or Edit Rules, above.

Clone a policy
There are a number of situations where you may want to define a new policy
based on an existing one, without modifying the original definition. See the
caution in the Modify a Policy topic, above.
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy to be cloned.
3. Click the Clone button to open the Clone Policy panel.
4. Enter a unique name for the new policy in the New Name box. Do not include
apostrophe characters in the name.
5. To clone the baseline constructs (the commands, basically) that have been
generated for the baseline being cloned, mark the Clone Constructs checkbox.

6. Click the Save button to save the new policy. You can then open and edit the
new policy via the Policy Finder. See Modify a Policy, above.

Remove a policy
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy to be removed.
3. Click the Delete button. You will be prompted to confirm the action.

Add or Edit Rules


Use this section to add or edit rules within a policy.
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy to be edited.
3. Click the Edit Rules button to open the Policy Rules panel.
4. Do one of the following:
v To edit a rule, click the Edit this rule individually button.
v To add a new rule, click one of the following buttons:
Add Access Rule
Add Exception Rule
Add Extrusion Rule (will only be available if the administrator user has set
the Inspection Engine configuration (in Admin Console) to Inspect Returned
Data)
Extrusion matches allow the user to define how many matched records will
be grouped together when logged and reported on by Guardium. Extrusion
rules must have an action of LOG FULL DETAILS and a rule name that
includes "guardium://(some text)?split=(number)" where (some text) is any
text or one of the predefined words such as "CREDIT CARD" and (number)
is the number of returned data records per Guardium log record.
5. The attributes that can be tested for in each type of rule vary, but regardless of
the rule type, each rule definition begins with the following four items:
v Rule Description - Enter a short, descriptive name for the rule. To use a
special pattern test, enter the special pattern test name followed by a space
and one or more additional characters to make the rule name unique, for
example: guardium://SSEC_NUMBER employee.
v Category - The category will be logged with violations, and is used for
grouping and reporting purposes. If nothing is entered, the default for the
policy will be used.
v Classification - Optionally enter a classification in the Classification box.
Like the category (above), these are logged with exceptions and can be used
for grouping and reporting purposes
v Severity - Select a severity code: Info, Low, Med, or High (the default is
Info).
6. Use the remaining fields of the Rule Definition panel to specify how to match
the rule. Many of the same fields are available for Access, Exception, and
Extrusion Rules; and some fields are available only after selecting various
other options. For an alphabetical reference of all fields available in the rules
definition panels, see Rule Definition Reference, below. Also, for instructions
on how to use combinations of groups and individual values, see Specify
Values and/or Groups of Values in Rules, above.
7. For each type of rule, you can enter one or more regular expressions in a
Pattern box, to match against strings in the traffic. Enter the expression
manually, or click the RE button to open the Build Regular Expression tool,
which allows you to enter and test regular expressions. For more information,
see Regular Expressions on page 67.
8. For exception rules only, select a single exception type to which the rule will
be sensitive, from the Exception Type box. The rule count will be incremented
only when the selected exception type is encountered.
9. When a rule action is selected, the following two fields are enabled:
v Min. Ct. - Enter the minimum number of times the rule must be matched
before the rule action (described below) will be triggered. The count of
times the rule has been met will be reset each time the action is triggered or
when the reset interval (also described below) expires. The default of zero is
identical to 1, meaning that every time the rule is matched the action will
be triggered.
v Reset Interval (minutes) - Used only when the minimum count (Min. Ct.
above) is greater than zero, and required in that case. Enter the number of
minutes after which the rule counter will be reset to zero. The counter is
also reset to zero each time that the rule action is triggered.
10. Mark the Continue to next Rule box to indicate that when this rule is satisfied
and its action is triggered, testing of the same request, exception, or results
should continue with the next rule. This means that multiple rules may be
satisfied and multiple actions taken based on a single request or exception. If
not marked (the default), no additional rules will be tested when this rule is
satisfied.
11. When the Rec. Vals box is marked, the actual construct causing the rule to be
satisfied will be logged in the SQL String attribute and is available in reports.
If not marked, no SQL statement will be logged.
12. Message templates are used to generate alerts. Multiple Named Message
Templates are created and modified from Global Profile. See Named Template
on the Global Profile on page 611 menu on how to create and modify this
function.
13. Select the action to take when the rule is satisfied. See Rule Actions Overview,
above.
14. If an alert action is specified, the Notification pane opens, and at least one
notification type must be defined. For instructions on how to add
notifications, see Notifications on page 61.
15. Click the Save button to save the rule. This closes the Rule Definition panel
and returns to the Policy Rules panel.
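As an added example that is not part of the help book or of Guardium itself, the following Python script models the rule settings in steps 9 and 10 (Min. Ct., Reset Interval and Continue to next Rule) together with the Client IP address-and-mask and DB User group matching described in the Reference Table of Rule Definition Fields. The Rule class, the event dictionaries and the simulated clock in minutes are constructed for illustration; where the text is silent, the script assumes a rule counts as satisfied once it matches, even before Min. Ct. is reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    """One access rule: the match fields modelled here plus the Min. Ct.,
    Reset Interval and Continue to next Rule settings (constructed model)."""
    description: str
    action: str
    client_ip: Optional[str] = None       # first Client IP box, e.g. "192.168.9.1"
    client_mask: Optional[str] = None     # second box, e.g. "255.255.255.0"
    db_user_group: Optional[Set[str]] = None
    db_user_not: bool = False             # the Not box beside the DB User group
    min_count: int = 0                    # 0 behaves exactly like 1
    reset_interval_min: int = 0           # required when min_count > 0
    continue_to_next: bool = False
    # runtime state of the rule counter
    count: int = 0
    window_start: Optional[float] = None

    def matches(self, event: dict) -> bool:
        if self.client_ip is not None:
            # An address plus mask selects the whole subnet, e.g. 192.168.9.x.
            net = ipaddress.IPv4Network(f"{self.client_ip}/{self.client_mask}", strict=False)
            if ipaddress.IPv4Address(event["client_ip"]) not in net:
                return False
        if self.db_user_group is not None:
            is_member = event["db_user"] in self.db_user_group
            # With Not marked the rule fires only for users outside the group.
            if is_member == self.db_user_not:
                return False
        return True

    def register_match(self, now_min: float) -> bool:
        """Count a match and report whether the action triggers. The counter is
        reset when the action triggers and when the reset interval expires."""
        threshold = max(self.min_count, 1)
        if (self.reset_interval_min and self.window_start is not None
                and now_min - self.window_start >= self.reset_interval_min):
            self.count, self.window_start = 0, None
        if self.window_start is None:
            self.window_start = now_min
        self.count += 1
        if self.count >= threshold:
            self.count, self.window_start = 0, None
            return True
        return False


def evaluate(policy: List[Rule], event: dict, now_min: float) -> List[Tuple[str, str]]:
    """Test one request against the rules in order. Evaluation stops at the first
    satisfied rule unless that rule has Continue to next Rule marked (assumption:
    a rule is satisfied when it matches, even if Min. Ct. is not yet reached)."""
    fired = []
    for rule in policy:
        if not rule.matches(event):
            continue
        if rule.register_match(now_min):
            fired.append((rule.description, rule.action))
        if not rule.continue_to_next:
            break
    return fired


if __name__ == "__main__":
    policy = [
        Rule("dba from app subnet", "LOG ONLY", client_ip="192.168.9.1",
             client_mask="255.255.255.0", db_user_group={"dba"}, continue_to_next=True),
        Rule("three hits in 5 min", "ALERT PER MATCH", min_count=3, reset_interval_min=5),
    ]
    event = {"client_ip": "192.168.9.77", "db_user": "dba"}   # constructed event
    for minute in (0, 1, 2):
        print(minute, evaluate(policy, event, minute))
```

Running the script shows the first rule logging on every request while the alert rule stays silent until the third match within the interval; change continue_to_next on the first rule to False and the second rule is never reached, which is the most common reason a later rule appears not to fire.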

Filter Rules to Display Only a Subset


When a policy contains many rules, it can be useful to view a subset of the rules
having common attributes.
The Filter box in the Rules Definition panel can be used for this purpose. The
process of defining a filter is similar to the process of defining a rule. See Specify
Values and/or Groups of Values in Rules, above.
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy to be viewed or modified.
3. Click the Edit Rules button.
4. In the Filter box (upper right corner of panel):
Do one of the following:
v Select a filter from the Filter list.
v Click the Edit button to modify a filter definition.
v Click the New button to define a new filter.
Once the filtered set of rules displays, you can perform any of the actions
described in this section on the displayed rules.

Copy Rules
Use this procedure to copy selected rules from one policy to another, or to a
different location in the same policy.
All of the rules copied will be copied to a single location - after rule 3, for
example. To copy rules to different locations in the receiving policy, either perform
multiple copy operations, or copy all of the rules in one operation, and then edit
the receiving policy to move the rules as necessary.
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy from which you want to copy
one or more rules.
3. Click the Edit Rules button.
4. Mark the checkbox for each rule to be copied.
5. Click the Copy Rules button.
6. From the Copy selected rules to policy list, select the policy to receive the
copied rules.
7. From the Insert after rule list, select the rule after which the copied rules
should be inserted, or select Top to insert the copied rules at the top of the
policy.
8. Click the Copy button. You will be informed of the success of the operation.
9. You should now edit the policy to which you copied the rules, to verify that
you have copied the correct rules to the correct location.

Using Rules Suggested from the Baseline


Use Policy Builder to suggest rules from the baseline included in the policy.
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy to work with. (It must
include a baseline.)
3. Click the Edit Rules button.
4. Set the Rule minimum count value. This is the minimum number of like
commands that the system should find in order to suggest a rule. The default
is zero. The smaller the number entered, the more suggested rules the system
will generate. (Be aware that the Count that displays in the suggested rules
panel does not reflect this value.)
5. Set the Object Group minimum count value, to determine how many instances
of an object group the system should find to generate a suggested object
group. The default is one. The smaller the number entered here, the greater
the number of suggested object groups.
6. Click the Suggest Rules button. The suggested rules display in a separate
window, in the Suggested Rules panel.
7. The suggested rules are sorted in descending order by the count of
occurrences in the baseline period, which is listed on the right side of the title
bar for each suggested rule. If you select one or more of the suggested rules
and click Save, they are inserted in the same order, just above the BASELINE
rule in the Policy Rules panel. You can then change the order of the suggested
rules or edit them as necessary, from the Policy Rules panel.
8. Expand the rules and check the membership of the suggested object groups.
In the Object column of the Suggested Rules panel, if any suggested object
groups have been created, these begin with the name Suggested Object Group
and display as hypertext links (in blue and underlined). For information about
how to view, accept, or reject suggested object groups, see Using Suggested
Object Groups, below.
9. Mark the Select box for each suggested rule to include in the policy.
10. Click the Save button to accept the selected rules.
11. You can now edit or modify the suggested rules as you would any rules that
you added manually.

Using Suggested Object Groups


The Policy Builder can suggest rules from both the baseline included in the policy
and the database security policy (internal to the DBMS) defined for a server.
In either case, it attempts to generate the minimal set of rules by grouping
database objects (tables, procedures, or views) into suggested object groups. You
can accept or reject the suggested object groups, as described below.
Before accepting a suggested object group, you can edit the generated Group
Description field (Suggested Object Group603-25 11:54, for example) to provide a
more meaningful name. After accepting a suggested object group, you can view its
membership. You can reject the use of that group within any suggested rule, but
you cannot edit the membership of that group.
If you reject a suggested object group, the suggested rule for that group is replaced
with a separate suggested rule for each member of the rejected group. You can
accept or reject each of those suggested rules separately. After accepting a
suggested rule, you can edit that rule.
Viewing Suggested Object Groups
Suggested object groups display in the Object column of the Suggested
Rules panel as hypertext links beginning with the words Suggested Object
Group.
To view a suggested object group's membership, click the hypertext link
for that group. If the group has not yet been accepted, the group
membership displays in the Edit Group panel. If the group has already
been accepted, it displays in the View Group panel.

Accepting Suggested Object Groups


To accept a suggested object group:
1. Enter a meaningful name in the Group Description field in the Edit
Group panel. (Not required, but strongly recommended). Do not
include apostrophe characters in the name. This is the only opportunity
you have to name this group. Otherwise, the group gets a name
beginning with Suggested Object Group and followed by a number, as
described previously.
2. Click the Save button to accept the edited group for the suggested rule,
or click the Save for All button to accept the edited group for all
suggested rules in which it appears. The new object name will replace
the old one in the rule.
Rejecting Suggested Object Groups
When you reject a suggested object group, the use of that group is replaced
by one or more suggested rules. To reject a suggested object group, do one
of the following:
v To reject the group for this suggested rule only: Click the Reject button.
v To reject the group for all suggested rules: Click the Reject for All
button.
Note: If you accept a suggested object group in one rule, open that same
suggested object group again from another rule, and then click the Reject for All
button, that group will be retained in any rule where it was explicitly accepted, but
rejected in the remaining rules in which it was used.

Using Rules Suggested from the Database ACL


For a specified database server, the Policy Builder can suggest access rules using
the security policy defined internally by the DBMS.
The Policy Builder does this by examining the permissions granted to user groups
and database objects (tables, procedures, and views) within the DBMS, then
grouping the database objects into suggested object groups so that the total
number of suggested rules can be minimized. You can accept or reject any
suggested object group (as described above - see Using Suggested Object Groups).
You can also accept or reject any suggested rule.
To have the Policy Builder suggest rules from the database ACL:
Note: When suggesting rules from the database ACL, the system does not use the
Rule minimum count or the Object Group minimum count fields. Those fields are
used only when suggesting rules from the baseline.
1. Click the Suggest from DB button to open the Database Definition panel in a
separate browser window.
2. Click the Add Datasource button to select the database from which you want to
access the DB ACL.
Note: If adding an Oracle, DB2 or DB2 for z/OS datasource to access the DB
ACL, the "Query Parameters" section, in the Database Definition pop-up
window, will be disabled.
3. Click the Suggest Rules button to generate the rules. The Suggested Rules panel
opens in a separate window (as described previously, for the Rules Suggested
from Baseline). If you select one or more of the suggested rules and click Save,
they will be inserted in the same order into the list of rules in the Policy Rules
panel, just above the BASELINE rule. If there is no BASELINE rule, they will
be inserted at the top of the list. Once the suggested rules have been inserted
into the Policy Rules panel, you can change the order of the rules or edit them,
as necessary.
4. Check the membership of the suggested object groups. In the Object column,
any suggested object groups that have been created begin with the name
Suggested Object Group and display as hypertext links (in blue and
underlined). For information about how to view, edit, accept, or reject
suggested object groups, see Using Suggested Object Groups, above.
5. Mark the Select box for each suggested rule you want included in the policy.
Click the Save button to accept the selected rules.

Using the Policy Simulator


Use the Policy Simulator to test access rules without installing the policy.
It does not test exception rules or extrusion rules. The simulator replays logged
network traffic and applies all access rules in the policy. It produces a special
report in a separate window, listing the SQL that triggered alert or log only
actions. The report includes the following columns: Timestamp, Category Name,
Access Rule Description, Client IP, Server IP, DB User Name, Full SQL String,
Severity Description, and Count of Policy Rule Violations. Use the CLI command,
store allow_simulation, to make the Policy Simulation button active in the GUI.
The Policy Simulator can be used to test only the following types of access rule
actions:
v Log Only
v Any Alert action: Alert Daily, Alert Once Per Session, Alert Per Match, Alert Per
Time Granularity
The Policy Simulator will not produce any results if the policy includes logging
actions other than Log Only. To use the simulator for such a policy, temporarily
change all logging actions to Log Only.
To use the Policy Simulator:
1. Navigate to the Policy Finder:
v Users, select: Protect > Security Policies > Policy Builder.
v Administrators, select: Tools > Config & Control > Policy Builder.
2. From the Policy Description list, select the policy to work with.
3. Click the Edit Rules button.
4. Click the Policy Simulator button to open the Policy Simulator panel.
5. Supply both From and To dates to define the time period to use for the
simulation.
Note: Historical data can be archived and purged from your Guardium
appliance on a schedule defined by your Guardium administrator. Be sure that
data from the time period you specify is available (and has not been purged).
6. Click the Test button. When the test starts and while it is running, the message
* is running displays in the Policy Simulator panel. When the test completes, a
special report opens in a separate window listing all rule matches that were
logged. If no alert or log only rules were triggered, you will receive a "No Drill
Down Report Available" message. In the latter case, you may not have included
enough data in the test period.

Reference Table of Rule Definition Fields


This table lists and describes all the fields.
Table 31. Reference Table of Rule Definition Fields (each entry gives the field
name, followed by its description)
Action

Indicates the action to be taken when the rule is true. For a comprehensive
description of all rule actions, see Rule Actions Overview, above.

App Event Exists

Match for an application event only. See the App Event Note, below.

App Event Values

Match the specified application event Text, Numeric, or Date values. Also allow a
Group to be chosen for the event string as an option. See the App Event Note,
below.

(App) Event Type

Match the specified application event. See the App Event Note, below.

(App) Event User Name

Match the specified application event user name only. See the App Event Note,
below.

App Event Note

The above App Event fields cannot be used when the Flat Log box (see above) is
marked.

App. User

Application User. See Specify Values and/or Groups of Values in Rules.

Category

An arbitrary label that can be used to group policy violations for reporting
purposes. A default category can be specified in the policy definition, but the
default can be overridden for each rule.

Classification

An arbitrary label that can be used to group policy violations for reporting
purposes. A default classification can be specified in the policy definition, but the
default can be overridden for each rule.

Client Info

DB2 client info: For access rules only. For z/OS only, a CLIENT INFO field (and
CLIENT_INFO_GROUP_ID) will be visible if DB_TYPE is either "DB2", "DB2
COLLECTION Profile" or "VSAM COLLECTION Profile".
The type of information that can be placed in this field is "USER=x; WKSTN=y;
APPL=z".

Client IP

Clear the Not box to include, or mark the Not box to exclude:
v Any client: Leave all client fields blank. The count will be incremented every
time any client satisfies the rule. (You cannot leave all fields blank if the Not
box is marked.)
v All clients selected by an IP address and mask: Enter a client IP address in the
first box and network mask in the second box. The count will be incremented
each time that any of the specified clients satisfies the rule. For example, to
select all clients in subnet 192.168.9.x, enter 192.168.9.1 in the first box and
255.255.255.0 in the second box. For more information selecting IP addresses,
see Selecting IP Addresses Using a Mask.
v A group of clients: Select a group of client IP addresses from the Group
drop-down list, or click the Groups button to define a new group and then
select that group. The count will be incremented each time that any member of
the selected group satisfies the rule.
v All clients selected by an IP address and mask AND a group of clients: Use
both the Client IP and Group fields, as described above. The count will be
incremented each time that any client specified using either method satisfies the
rule.

Client IP/Source Program/DB User/Server IP/Service Name

5-tuple group type available for access, exception and extrusion rules.
A "tuple" allows multiple attributes to be combined together to form a single
group member.
"Tuple" supports the use of one slash and a wildcard character (%). It does not
support the use of a double slash.

Client MAC

To make the rule sensitive to a single client MAC address, enter the address in
nn:nn:nn:nn:nn:nn format, where each n is a hexadecimal digit (0-F).
OR
Enter a dot (.) in the Client MAC box to indicate that a separate count should be
maintained for each client MAC address.
OR
Leave the Client MAC box empty to ignore client MAC addresses.

Command

The command. See Specify Values and/or Groups of Values in Rules if a


commands group cannot be edited, and the "and/or Group" label changes to
"Collect Only," indicating that commands from only the selected group are to be
selected.

Continue to Next Rule

If marked, rule testing will continue with the next rule, regardless of whether or
not this rule is satisfied. This means that multiple rules may be satisfied (and
multiple actions taken) by a single SQL statement or exception. If not marked (the
default), no additional rules will be tested for the current transaction when this
rule is satisfied.


Data Pattern

Every type of rule (Access, Exception, Extrusion) can have a Data Pattern, but it is
required for Extrusion rules.
For use in defining Extrusion Rules: a regular expression to be matched, entered in
the Data Pattern box. Click the Regex button to open the Build Regular Expression
tool, which allows you to enter and test regular expressions. This enables more
complex masking patterns. Put parentheses around the section that should be
masked. Use this function to mask data retrieved from the database.
For example, a credit card number is expressed as
[0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}. The parentheses placed around
the first three groups of this expression, as in
([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4})[-, ]?[0-9]{4}, mask all but the last four digits.
Note: Redact (SCRUB) masking pattern and Regular Expression (Regex) masking
pattern scrubbing cannot be used in the same session.
Additional regular expressions (Regex) for use only in Data Patterns with an
action of Redact (Scrub):

Use this regular expression    Turn this result       Into this
SCRUB_SSN_ANSI                 AAA-AA-AAAA            ***-***-AAAA
SCRUB_SSN_UNICODE              UUU-UU-UUUU            ***-***-UUUU
SCRUB_CC_SPACES_ANSI           AAAA AAAA AAAA AAAA    A*** **** **** 1234
SCRUB_CC_SPACES_UNICODE        UUUU UUUU UUUU UUUU    U*** **** **** ****
SCRUB_CC_SOLID_ANSI            AAAAAAAAAAAAAAAA       A***************
SCRUB_CC_SOLID_UNICODE         UUUUUUUUUUUUUUUU       U***************
SCRUB_AMEX_SOLID_ANSI          AAAAAAAAAAAAAAAA       A***************
SCRUB_AMEX_SOLID_UNICODE       UUUUUUUUUUUUUUUU       U***************

Note:
Regex with Redact - Regular expressions (regex) in the IBM InfoSphere Guardium
solution (including the masking in the policy) are executed on the appliance,
which allows advanced regexp capabilities.
However, the regex library used for Redaction is executed in the kernel of the
database server and is limited to the most basic regex. Only basic regex patterns
can be used with Redaction.
For example, the regular expression nomenclature [0-9]* cannot be used to
indicate any number of digits. It is necessary to use the basic regular expression
nomenclature [0-9]-[0-9]-[0-9]... to specify a sequence of digits.
Note: S-TAP accepts only the predefined SCRUB pattern names, ignoring any
other name.
Access rule, data pattern and replacement character - Using a data pattern, for
example [a-z,2]{3}([_][0-9]{1,2}), with a replacement character of * will change the
values between the parentheses in the data pattern to ***. Use this function to
mask values.
User Defined Character Sets
Available for Oracle, Sybase, MySQL and MSSQL, and for extrusion rules
only: users may influence the character set used by defining special
extrusion rules. These "character set" policy rules are used only to set the
character set a user would like to convert traffic to; setting an action is
irrelevant. In order to have an action for that traffic, the user needs to
define additional rules after that "character set" rule. Two ways of
setting a "character set" rule are possible (hint or force), as defined in the
following examples:


DB Name

The database name. See Specify Values and/or Groups of Values in Rules.

DB Type

Supported DB Types
For access rules: CIFS, DB2, DB2 COLLECTION PROFILE* (only for use with
z/OS), FTP, Hadoop, IBM INFORMIX (DRDA), IBM iSeries, IMS, Informix, MS
SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, TERADATA,
VSAM or VSAM COLLECTION PROFILE* (only for use with z/OS).
For exception and extrusion rules: CIFS, DB2, FTP, IBM INFORMIX (DRDA), IBM
iSeries, Informix, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL,
Sybase, or TERADATA.
Note: Informix supports two protocols: SQLEXEC (the native Informix protocol)
and DRDA (the IBM protocol). These protocols are identified automatically for
Informix traffic with no additional settings. The Server Type attribute shows
INFORMIX for the SQLEXEC protocol and IBM INFORMIX (DRDA) for the DRDA
protocol.
Note: TERADATA has a "silent login" and allows clients to auto-reconnect.
To block Teradata statements in a policy, use the S-TAP firewall function with
default state ON and un-watch safe users.
* See IBM InfoSphere Guardium S-TAP for z/OS on page 537 for further details
on policy push down (z/OS).

DB User

The database user. See Specify Values and/or Groups of Values in Rules.

Error Code

The error code (for an exception). See Specify Values and/or Groups of Values in
Rules.

Exception Type

The type of exception (selected from the list).
Note: A session closed by GUI timeout, in an Exception rule, will not produce a
Session Error (Session_Error).

Field Name

The field name. See Specify Values and/or Groups of Values in Rules.

Min. Ct.

The minimum number of times the condition contained in the rule must be
matched before the rule will be satisfied (subject to the Reset interval, below).

Net. Protocol

The network protocol. See Specify Values and/or Groups of Values in Rules.

Object

The object name. See Specify Values and/or Groups of Values in Rules.
For Sybase and MS SQL Server there are two groups,
MASKED_SP_EXECUTIONS_SYBASE and
MASKED_SP_EXECUTIONS_MS_SQL_SERVER respectively, that contain names of
stored procedures. If a procedure included in the group is executed, then
everything is masked.

Object/Command Group

Match a member of the selected Object/Command group.

Object/Field Group

Match a member of the selected Object/Field group.

OS User

Operating system user. See Specify Values and/or Groups of Values in Rules.

Pattern

A regular expression to be matched, in the Pattern box. You can enter a regular
expression manually, or click the (Regex) button to open the Build Regular
Expression tool, which allows you to enter and test regular expressions.

Time Period

To make the rule sensitive to a single time period, select a pre-defined time period
from the Period list or click the (Period) button to define a new time period.

Rec. Vals.

When marked, the actual construct causing the rule to be satisfied will be logged,
and available in reports, in the SQL String attribute. For a policy violation only, if
not marked, no SQL statements will be logged.


Replacement Character

Define a masking character.
Should the output produced by the extrusion rule match the regular expression,
the portions that match sub-expressions between parentheses '(' and ')' will be
replaced by the masking character.
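As an added illustration (not Guardium code) of the Data Pattern and Replacement Character semantics described in this table, the Python below masks only the text matched by parenthesised sub-expressions, using the two data patterns quoted under Data Pattern. It assumes the appliance-side regex dialect rather than the restricted kernel-side Redact dialect, and that one masking character replaces each masked input character.

```python
import re
from typing import Iterable, List, Tuple

# Data patterns quoted in the Table 31 field descriptions (constructed sample rules).
CC_PATTERN = r"([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4})[-, ]?[0-9]{4}"  # keep last 4 digits
ID_PATTERN = r"[a-z,2]{3}([_][0-9]{1,2})"                             # mask the _nn suffix


def mask_groups(data_pattern: str, replacement_char: str, text: str) -> str:
    """Model of Data Pattern + Replacement Character: every character matched by a
    parenthesised sub-expression of data_pattern is replaced by replacement_char;
    the rest of the match and all non-matching text are returned untouched.
    (Assumed semantics: one masking character per masked input character.)"""
    if len(replacement_char) != 1:
        raise ValueError("the replacement character must be a single character")
    regex = re.compile(data_pattern)
    if regex.groups == 0:
        return text  # nothing is parenthesised, so nothing is masked
    out: List[str] = []
    pos = 0
    for match in regex.finditer(text):
        # Spans of the groups that took part in this match, in text order.
        spans = sorted(
            match.span(i) for i in range(1, regex.groups + 1) if match.start(i) != -1
        )
        for start, end in spans:
            if end <= pos:
                continue  # nested inside a group that is already masked
            start = max(start, pos)
            out.append(text[pos:start])
            out.append(replacement_char * (end - start))
            pos = end
    out.append(text[pos:])
    return "".join(out)


def mask_result_set(data_pattern: str, replacement_char: str,
                    rows: Iterable[Tuple[str, ...]]) -> List[Tuple[str, ...]]:
    """Apply the masking to every column of a returned result set, which is where
    an extrusion rule operates (data flowing back from the database)."""
    return [tuple(mask_groups(data_pattern, replacement_char, col) for col in row)
            for row in rows]


if __name__ == "__main__":
    # Constructed sample of rows returned by a query against a payments table.
    rows = [("alice", "4111-1111-1111-1234"), ("bob", "5500 0000 0000 0004")]
    for row in mask_result_set(CC_PATTERN, "*", rows):
        print(row)
    print(mask_groups(ID_PATTERN, "*", "acct_7 and xyz_42"))
```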

Reset Interval

Used only if the Min. Ct. field (above) is greater than zero. This value is the
number of minutes after which the condition met counter will be reset to zero.

Revoke

This checkbox appears on extrusion rules only. It allows you to exclude from
logging a response that has already been selected for logging by a previous rule
in the policy. In most cases you can accomplish the same result more simply by
defining a single rule with one or more "not" conditions to exclude the responses
you do not want, while logging the remaining ones that satisfy the rule. (The
Revoke checkbox pre-dates "not" conditions, and is provided mainly for backward
compatibility to support existing policies.)

Rule Description

The name of the rule. To use a special pattern test in the rule, enter the special
pattern test name followed by a space and one or more additional characters to
make the rule name unique, for example: guardium://SSEC_NUMBER employee.
(See Special Pattern Tests, above, for more information.)
When displayed, the name is prefaced with the rule number and the label
Access Rule, Exception Rule, or Extrusion Rule, to identify the rule type. If the
rule was generated using the Suggest Rules (from a baseline) function or the
Suggest From DB function, the generated name has the form Suggested Rule
<n>_mm-dd hh:mm, consisting of the following components:
n - a sequence number for the generated rule
mm-dd - the month and day the rule was generated
hh:mm - the time the rule was generated

Server IP

Clear the Not box to include, or mark the Not box to exclude:
v Any server: Leave all server fields blank. The count will be incremented every
time any server satisfies the rule. (You cannot leave all fields blank if the Not
box is marked.)
v All servers selected by an IP address and mask: Enter a server IP address in the
first box, and network mask in the second box. The count will be incremented
each time that any of the specified servers satisfies the rule. For example, to
select all servers in subnet 192.168.3.x, enter 192.168.3.1 in the first box, and
255.255.255.0 in the second box.
v A group of servers: Select a group of server IP addresses from the Group
drop-down list or click the Groups button to define a new group and then
select that group. The count will be incremented each time that any member of
the specified group satisfies the rule.
v All servers selected by an IP address and mask AND a group of servers: Use
both the Server IP and Group fields, as described above. The count will be
incremented each time that any server specified using either method satisfies
the rule.
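The following Python, added here as a model rather than Guardium's own logic, shows how the Client IP/mask selection with its Not box, Min. Ct., Reset Interval and Continue to Next Rule fields described in this table interact when a policy's rules are tested against a request. It assumes the reset interval is measured from the first counted hit and that a rule with Min. Ct. of zero is satisfied on its first match; the rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """Subset of the Table 31 fields needed to model counting and rule flow
    (constructed model, not Guardium's implementation)."""
    description: str
    action: str = "LOG"
    client_ip: str = ""             # Client IP address box; blank = any client
    client_mask: str = ""           # network mask box
    not_client: bool = False        # the Not box beside Client IP
    min_count: int = 0              # Min. Ct.
    reset_interval: int = 0         # Reset Interval, minutes; used only if min_count > 0
    continue_to_next: bool = False  # Continue to Next Rule
    # per-rule counter state
    count: int = field(default=0, repr=False)
    count_started_at: Optional[int] = field(default=None, repr=False)

    def client_selected(self, client: str) -> bool:
        """Client IP / mask selection, honouring the Not box."""
        if not self.client_ip:
            if self.not_client:
                raise ValueError("all client fields cannot be blank when Not is marked")
            return True  # any client
        # 192.168.9.1 with mask 255.255.255.0 selects the whole 192.168.9.x subnet
        subnet = ipaddress.ip_network(f"{self.client_ip}/{self.client_mask}", strict=False)
        in_subnet = ipaddress.ip_address(client) in subnet
        return in_subnet != self.not_client

    def satisfied(self, client: str, now_minutes: int) -> bool:
        """True once the condition has been met Min. Ct. times within the reset
        interval (assumed: the interval is measured from the first counted hit)."""
        if not self.client_selected(client):
            return False
        if self.min_count <= 0:
            return True
        if (self.count_started_at is not None
                and now_minutes - self.count_started_at >= self.reset_interval):
            self.count, self.count_started_at = 0, None  # counter reset to zero
        if self.count_started_at is None:
            self.count_started_at = now_minutes
        self.count += 1
        return self.count >= self.min_count


def evaluate(rules: List[Rule], client: str, now_minutes: int) -> List[str]:
    """Actions fired for one request, in rule order. A satisfied rule without
    Continue to Next Rule stops testing, so later rules never see the request."""
    fired = []
    for rule in rules:
        if rule.satisfied(client, now_minutes):
            fired.append(rule.action)
            if not rule.continue_to_next:
                break
    return fired


if __name__ == "__main__":
    policy = [
        Rule("3 hits from 192.168.9.x within 10 minutes", action="ALERT",
             client_ip="192.168.9.1", client_mask="255.255.255.0",
             min_count=3, reset_interval=10),
        Rule("log everything else", action="LOG"),
    ]
    for minute in (0, 1, 2, 12):
        print(minute, evaluate(policy, "192.168.9.77", minute))
```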

Service Name

The service name. See Specify Values and/or Groups of Values in Rules.

Severity

Select a severity code from the list: INFO, LOW, NONE, MED or HIGH. If HIGH
is selected and email alerts are sent by this rule, the email will be flagged Urgent.

SQL Pattern

A regular expression to be matched, in the Pattern box. You can enter a regular
expression manually, or click the Regex button to open the Build Regular
Expression tool, which allows you to enter and test regular expressions.


Src app

Application source program. See Specify Values and/or Groups of Values in
Rules.

XML Pattern

A regular expression to be matched, in the Pattern box. You can enter a regular
expression manually, or click the Regex button to open the Build Regular
Expression tool, which allows you to enter and test regular expressions.
A regular expression to be matched can be used in this box. The regular
expression must be entered manually.

Full_SQL return values using MSSQL

In MSSQL, the sp_cursoropen and sp_cursorfetch stored procedures are used for
SELECT database queries.
sp_cursoropen holds the original statement, while the FULL_SQL return value in
an Extrusion rule will appear as sp_cursorfetch instead of Select * from
___________.

List of possible character set codes

Use the character set codes to influence the character set used by defining special
extrusion rules.
ANSI_X3.4-1968 - 1
ANSI_X3.4-1986 - 2
ASCII - 3
CP367 - 4
IBM367 - 5
ISO-IR-6 - 6
ISO646-US - 7
ISO_646.IRV:1991 - 8
US - 9
US-ASCII - 10
CSASCII - 11
UTF-8 - 12
ISO-10646/UCS2 - 13
UCS-2 - 14
CSUNICODE - 15
UCS-2BE - 16
UNICODE - 17
UNICODEBIG - 18
TSCII - 19
UCS-2LE - 20
UNICODELITTLE - 21
ISO-10646/UCS4 - 22
UCS-4 - 23
CSUCS4 - 24
UCS-4BE - 25
UCS-4LE - 26
UTF-16 - 27
UTF-16BE - 28
UTF-16LE - 29
UTF-32 - 30
UTF-32BE - 31
UTF-32LE - 32
UTF7 - 33
UTF-7 - 34
UTF-8 - 35
UCS2 - 36
UCS2 - 37
UCS4 - 38
UCS4 - 39
UTF8 - 40
UTF8 - 41
CP819 - 42
IBM819 - 43
ISO-8859-1 - 44
ISO-IR-100 - 45
ISO8859-1 - 46
ISO_8859-1 - 47
ISO_8859-1:1987 - 48
L1 - 49
LATIN1 - 50
CSISOLATIN1 - 51
ISO-8859-2 - 52
ISO-IR-101 - 53
ISO8859-2 - 54
ISO_8859-2 - 55
ISO_8859-2:1987 - 56
L2 - 57
LATIN2 - 58
CSISOLATIN2 - 59
ISO-8859-3 - 60
ISO-IR-109 - 61
ISO8859-3 - 62
ISO_8859-3 - 63
ISO_8859-3:1988 - 64
L3 - 65
LATIN3 - 66
CSISOLATIN3 - 67
ISO-8859-4 - 68
ISO-IR-110 - 69
ISO8859-4 - 70
ISO_8859-4 - 71
ISO_8859-4:1988 - 72
L4 - 73
LATIN4 - 74
CSISOLATIN4 - 75
CYRILLIC - 76
ISO-8859-5 - 77
ISO-IR-144 - 78
ISO8859-5 - 79
ISO_8859-5 - 80
ISO_8859-5:1988 - 81
CSISOLATINCYRILLIC - 82
ARABIC - 83
ASMO-708 - 84
ECMA-114 - 85
ISO-8859-6 - 86
ISO-IR-127 - 87
ISO8859-6 - 88
ISO_8859-6 - 89
ISO_8859-6:1987 - 90
CSISOLATINARABIC - 91
ECMA-118 - 92
ELOT_928 - 93
GREEK - 94
GREEK8 - 95
ISO-8859-7 - 96
ISO-IR-126 - 97
ISO8859-7 - 98
ISO_8859-7 - 99
ISO_8859-7:1987 - 100
CSISOLATINGREEK - 101
HEBREW - 102
ISO-8859-8 - 103
ISO-IR-138 - 104
ISO8859-8 - 105
ISO_8859-8 - 106
ISO_8859-8:1988 - 107
CSISOLATINHEBREW - 108
ISO-8859-9 - 109
ISO-IR-148 - 110
ISO8859-9 - 111
ISO_8859-9 - 112
ISO_8859-9:1989 - 113
L5 - 114
LATIN5 - 115
CSISOLATIN5 - 116
ISO-8859-10 - 117
ISO-IR-157 - 118
ISO8859-10 - 119
ISO_8859-10 - 120
ISO_8859-10:1992 - 121
L6 - 122
LATIN6 - 123
CSISOLATIN6 - 124
ISO-8859-13 - 125
ISO-8859-13 - 126
ISO-8859-13 - 127
ISO-8859-13 - 128
L7 - 129
LATIN7 - 130
ISO-8859-14 - 131
ISO-CELTIC - 132
ISO-IR-199 - 133
ISO8859-14 - 134
ISO_8859-14 - 135
ISO_8859-14:1998 - 136
L8 - 137
LATIN8 - 138
ISO-8859-15 - 139
ISO-IR-203 - 140
ISO8859-15 - 141
ISO_8859-15 - 142
ISO_8859-15:1998 - 143
ISO-8859-16 - 144
ISO-IR-226 - 145
ISO8859-16 - 146
ISO_8859-16 - 147
ISO_8859-16:2000 - 148
KOI8-R - 149
CSKOI8R? - 150
KOI8U? - 151
KOI8R? - 152
CP1250 - 153
MS-EE - 154
WINDOWS-1250 - 155
CP1251 - 156
MS-CYRL - 157
WINDOWS-1251 - 158
CP1252 - 159
MS-ANSI - 160
WINDOWS-1252 - 161
CP1253 - 162
MS-GREEK - 163
WINDOWS-1253 - 164
CP1254 - 165
MS-TURK - 166
WINDOWS-1254 - 167
CP1255 - 168
MS-HEBR - 169
WINDOWS-1255 - 170
CP1256 - 171
MS-ARAB - 172
WINDOWS-1256 - 173
CP1257 - 174
WINBALTRIM - 175
WINDOWS-1257 - 176
CP1258 - 177
WINDOWS-1258 - 178
850 - 179
CP850 - 180
IBM850 - 181
CSPC850MULTILINGUAL? - 182
862 - 183
CP862 - 184
IBM862 - 185
CSPC862LATINHEBREW? - 186
866 - 187
CP866 - 188
IBM866 - 189
CSIBM866 - 190
MAC - 191
MACINTOSH - 192
MACUK - 193
CSMACINTOSH - 194
MACIS - 195
MAC - 196
MAC - 197
MAC - 198
MAC - 199
MACUKRAINIAN - 200
MAC - 201
MAC - 202
MAC - 203
MAC - 204
MAC - 205
HP-ROMAN8 - 206
R8 - 207
ROMAN8 - 208
HPROMAN8 - 209
ROMAN8 - 210
ARMSCII-8 - 211
GEORGIAN-ACADEMY - 212
GEORGIAN-PS - 213
KOI8-T - 214
KOI8-T - 215
CP1133 - 216
IBM-CP1133 - 217
ISO-IR-166 - 218
TIS-620 - 219
TIS620 - 220
TIS620-0 - 221
TIS620.2529-1 - 222
TIS620.2533-0 - 223
TIS620.2533-1 - 224
CP874 - 225
WINDOWS-874 - 226
VISCII - 227
VISCII - 228
VISCII - 229
TCVN - 230
TCVN-5712 - 231
TCVN5712-1 - 232
TCVN5712-1:1993 - 233
ISO-IR-14 - 234
ISO646-JP - 235
JIS_C6220-1969-RO - 236
JP - 237
CSISO14JISC6220RO? - 238
JISX0201-1976 - 239
JIS_X0201 - 240
X0201 - 241
CSHALFWIDTHKATAKANA - 242
ISO-IR-87 - 243
JIS0208 - 244
JIS_C6226-1983 - 245
JIS_X0208 - 246
JIS_X0208-1983 - 247
JIS_X0208-1990 - 248
X0208 - 249
CSISO87JISX0208? - 250
ISO-IR-159 - 251
JIS_X0212 - 252
JIS_X0212-1990 - 253
JIS_X0212.1990-0 - 254
X0212 - 255
CSISO159JISX02121990? - 256
CN - 257
GB_1988-80 - 258
ISO-IR-57 - 259
ISO646-CN - 260
CSISO57GB1988? - 261
CHINESE - 262
GB_2312-80 - 263
ISO-IR-58 - 264
CSISO58GB231280? - 265
CN-GB-ISOIR165 - 266
ISO-IR-165 - 267
ISO-IR-149 - 268
KOREAN - 269
KSC_5601 - 270
KS_C_5601-1987 - 271
KS_C_5601-1989 - 272
CSKSC56011987 - 273
EUC-JP - 274
EUCJP - 275
EXTENDED_UNIX_CODE_PACKED_FORMAT_FOR_JAPANESE - 276
CSEUCPKDFMTJAPANESE - 277
MS_KANJI - 278
SHIFT-JIS - 279
SHIFT_JIS - 280
SJIS - 281
CSSHIFTJIS - 282
CP932 - 283
ISO-2022-JP - 284
CSISO2022JP? - 285
ISO-2022-JP-1 - 286
ISO-2022-JP-2 - 287
CSISO2022JP2? - 288
CN-GB - 289
EUC-CN - 290
EUCCN - 291
GB2312 - 292
CSGB2312 - 293
CP936 - 294
GBK - 295
GB18030 - 296
ISO-2022-CN - 297
CSISO2022CN? - 298
ISO-2022-CN-EXT - 299
HZ - 300
HZ-GB-2312 - 301
EUC-TW - 302
EUCTW - 303
CSEUCTW - 304
BIG-5 - 305
BIG-FIVE - 306
BIG5 - 307
BIGFIVE - 308
CN-BIG5 - 309
CSBIG5 - 310
CP950 - 311
BIG5-HKSCS - 312
BIG5HKSCS? - 313
EUC-KR - 314
EUCKR - 315
CSEUCKR - 316
CP949 - 317
UHC - 318
CP1361 - 319
JOHAB - 320
ISO-2022-KR - 321
CSISO2022KR? - 322
IBM037 - 323
IBM038 - 324
IBM256 - 325
IBM273 - 326
IBM274 - 327
IBM275 - 328
IBM277 - 329
IBM278 - 330
IBM280 - 331
IBM281 - 332
IBM284 - 333
IBM285 - 334
IBM290 - 335
IBM297 - 336
IBM367 - 337
IBM420 - 338
IBM423 - 339
IBM424 - 340
IBM437 - 341
IBM500 - 342
IBM775 - 343
IBM813 - 344
IBM819 - 345
IBM848 - 346
IBM850 - 347
IBM851 - 348
IBM852 - 349
IBM855 - 350
IBM856 - 351
IBM857 - 352
IBM860 - 353
IBM861 - 354
IBM862 - 355
IBM863 - 356
IBM864 - 357
IBM865 - 358
IBM866 - 359
IBM866NAV? - 360
IBM868 - 361
IBM869 - 362
IBM870 - 363
IBM871 - 364
IBM874 - 365
IBM875 - 366
IBM880 - 367
IBM891 - 368
IBM903 - 369
IBM904 - 370
IBM905 - 371
IBM912 - 372
IBM915 - 373
IBM916 - 374
IBM918 - 375
IBM920 - 376
IBM922 - 377
IBM930 - 378
IBM932 - 379
IBM933 - 380
IBM935 - 381
IBM937 - 382
IBM939 - 383
IBM943 - 384
IBM1004 - 385
IBM1026 - 386
IBM1046 - 387
IBM1047 - 388
IBM1089 - 389
IBM1124 - 390
IBM1129 - 391
IBM1132 - 392
IBM1133 - 393
IBM1160 - 394
IBM1161 - 395
IBM1162 - 396
IBM1163 - 397
IBM1164 - 398
MSCP949 - 399
EUC-JISX0213 - 400
UJIS - 401
CP852 - 402
EUCJP-MS - 403
IBM902 - 404
IBM921 - 405
WINDOWS-31J - 406
IBM1025 - 407
IBM1140 - 408
IBM1137 - 409
IBM1122 - 410
IBM1141 - 411
IBM1142 - 412
IBM1143 - 413
IBM1144 - 414
IBM1145 - 415
IBM1146 - 416
IBM1147 - 417
IBM1148 - 418
IBM1149 - 419
IBM1153 - 420
IBM1155 - 421
IBM1157 - 422
EBCDICUS - 423
IBM1112 - 424
IBM1158 - 425
437 - 426
500g - 427
500V1g - 428
851g - 429
852g - 430
855g - 431
856g - 432
857g - 433
860g - 434
861g - 435
863g - 436
864g - 437
865g - 438
866NAVg - 439
869g - 440
874g - 441
904g - 442
1026g - 443
1046g - 444
1047g - 445
8859_1g - 446
8859_2g - 447
8859_3g - 448
8859_4g - 449
8859_5g - 450
8859_6g - 451
8859_7g - 452
8859_8g - 453
8859_9g - 454
10646-1:1993g - 455
10646-1:1993/UCS4/ - 456
ANSI_X3.4g - 457
ANSI_X3.110-1983g - 458
ANSI_X3.110g - 459
ARABIC7g - 460
ASMO_449g - 461
BALTICg - 462
BIG-5g - 463
BIG-FIVEg - 464
BIG5-HKSCSg - 465
BIG5g - 466
BIG5HKSCSg? - 467
BIGFIVEg - 468
BS_4730g - 469
CAg - 470
CN-BIG5g - 471
CN-GBg - 472
CNg - 473
CP-ARg - 474
CP-GRg - 475
CP-HUg - 476
CP037g - 477
CP038g - 478
CP273g - 479
CP274g - 480
CP275g - 481
CP278g - 482
CP280g - 483
CP281g - 484
CP282g - 485
CP284g - 486
CP285g - 487
CP290g - 488
CP297g - 489
CP420g - 490
CP423g - 491
CP424g - 492
CP437g - 493
CP500g - 494
CP737g - 495
CP775g - 496
CP803g - 497
CP813g - 498
CP851g - 499
CP852g - 500
CP855g - 501
CP856g - 502
CP857g - 503
CP860g - 504
CP861g - 505
CP863g - 506
CP864g - 507
CP865g - 508
CP866NAVg? - 509
CP868g - 510
CP869g - 511
CP870g - 512
CP871g - 513
CP875g - 514
CP880g - 515
CP891g - 516
CP901g - 517
CP902g - 518
CP903g - 519
CP904g - 520
CP905g - 521
CP912g - 522
CP915g - 523
CP916g - 524
CP918g - 525
CP920g - 526
CP921g - 527
CP922g - 528
CP930g - 529
CP932g - 530
CP933g - 531
CP935g - 532
CP936g - 533
CP937g - 534
CP939g - 535
CP949g - 536
CP950g - 537
CP1004g - 538
CP1008g - 539
CP1025g - 540
CP1026g - 541
CP1046g - 542
CP1047g - 543
CP1070g - 544
CP1079g - 545
CP1081g - 546
CP1084g - 547
CP1089g - 548
CP1097g - 549
CP1112g - 550
CP1122g - 551
CP1123g - 552
CP1124g - 553
CP1125g - 554
CP1129g - 555
CP1130g - 556
CP1132g - 557
CP1137g - 558
CP1140g - 559
CP1141g - 560
CP1142g - 561
CP1143g - 562
CP1144g - 563
CP1145g - 564
CP1146g - 565
CP1147g - 566
CP1148g - 567
CP1149g - 568
CP1153g - 569
CP1154g - 570
CP1155g - 571
CP1156g - 572
CP1157g - 573
CP1158g - 574
CP1160g - 575
CP1161g - 576
CP1162g - 577
CP1163g - 578
CP1164g - 579
CP1166g - 580
CP1167g - 581
CP1361g - 582
CP1364g - 583
CP1371g - 584
CP1388g - 585
CP1390g - 586
CP1399g - 587
CP4517g - 588
CP4899g - 589
CP4909g - 590
CP4971g - 591
CP5347g - 592
CP9030g - 593
CP9066g - 594
CP9448g - 595
CP10007g - 596
CP12712g - 597
CP16804g - 598
CPIBM861g - 599
CSA7-1g - 600
CSA7-2g - 601
CSA_T500-1983g - 602
CSA_T500g - 603
CSA_Z243.4-1985-1g - 604
CSA_Z243.4-1985-2g - 605
CSA_Z243.419851g - 606
CSA_Z243.419852g - 607
CSDECMCSg - 608
CSEBCDICATDEg - 609
CSEBCDICATDEAg - 610
CSEBCDICCAFRg - 611
CSEBCDICDKNOg - 612
CSEBCDICDKNOAg - 613
CSEBCDICESg - 614
CSEBCDICESAg - 615
CSEBCDICESSg - 616
CSEBCDICFISEg - 617
CSEBCDICFISEAg - 618
CSEBCDICFRg - 619
CSEBCDICITg - 620
CSEBCDICPTg - 621
CSEBCDICUKg - 622
CSEBCDICUSg - 623
CSEUCKRg - 624
CSEUCPKDFMTJAPANESEg - 625
CSGB2312g - 626
CSIBM037g - 627
CSIBM038g - 628
CSIBM273g - 629
CSIBM274g - 630
CSIBM275g - 631
CSIBM277g - 632
CSIBM278g - 633
CSIBM280g - 634
CSIBM281g - 635
CSIBM284g - 636
CSIBM285g - 637
CSIBM290g - 638
CSIBM297g - 639
CSIBM420g - 640
CSIBM423g - 641
CSIBM424g - 642
CSIBM500g - 643
CSIBM803g - 644
CSIBM851g - 645
CSIBM855g - 646
CSIBM856g - 647
CSIBM857g - 648
CSIBM860g - 649
CSIBM863g - 650
CSIBM864g - 651
CSIBM865g - 652
CSIBM868g - 653
CSIBM869g - 654
CSIBM870g - 655
CSIBM871g - 656
CSIBM880g - 657
CSIBM891g - 658
CSIBM901g - 659
CSIBM902g - 660
CSIBM903g - 661
CSIBM904g - 662
CSIBM905g - 663
CSIBM918g - 664
CSIBM921g - 665
CSIBM922g - 666
CSIBM930g - 667
CSIBM932g - 668
CSIBM933g - 669
CSIBM935g - 670
CSIBM937g - 671
CSIBM939g - 672
CSIBM943g - 673
CSIBM1008g - 674
CSIBM1025g - 675
CSIBM1026g - 676
CSIBM1097g - 677
CSIBM1112g - 678
CSIBM1122g - 679
CSIBM1123g - 680
CSIBM1124g - 681
CSIBM1129g - 682
CSIBM1130g - 683
CSIBM1132g - 684
CSIBM1133g - 685
CSIBM1137g - 686
CSIBM1140g - 687
CSIBM1141g - 688
CSIBM1142g - 689
CSIBM1143g - 690
CSIBM1144g - 691
CSIBM1145g - 692
CSIBM1146g - 693
CSIBM1147g - 694
CSIBM1148g - 695
CSIBM1149g - 696
CSIBM1153g - 697
CSIBM1154g - 698
CSIBM1155g - 699
CSIBM1156g - 700
CSIBM1157g - 701
CSIBM1158g - 702
CSIBM1160g - 703
CSIBM1161g - 704
CSIBM1163g - 705
CSIBM1164g - 706
CSIBM1166g - 707
CSIBM1167g - 708
CSIBM1364g - 709
CSIBM1371g - 710
CSIBM1388g - 711
CSIBM1390g - 712
CSIBM1399g - 713
CSIBM4517g - 714
CSIBM4899g - 715
CSIBM4909g - 716
CSIBM4971g - 717
CSIBM5347g - 718
CSIBM9030g - 719
CSIBM9066g - 720
CSIBM9448g - 721
CSIBM12712g - 722
CSIBM16804g - 723
CSIBM11621162g - 724
CSISO4UNITEDKINGDOMg? - 725
CSISO10SWEDISHg? - 726
CSISO11SWEDISHFORNAMESg? - 727
CSISO15ITALIANg? - 728
CSISO16PORTUGESEg? - 729
CSISO17SPANISHg? - 730
CSISO18GREEK7OLDg? - 731
CSISO19LATINGREEKg? - 732
CSISO21GERMANg? - 733
CSISO25FRENCHg? - 734
CSISO27LATINGREEK1g? - 735
CSISO49INISg? - 736
CSISO50INIS8g? - 737
CSISO51INISCYRILLICg? - 738
CSISO58GB1988g? - 739
CSISO60DANISHNORWEGIANg? - 740
CSISO60NORWEGIAN1g? - 741
CSISO61NORWEGIAN2g? - 742
CSISO69FRENCHg? - 743
CSISO84PORTUGUESE2g? - 744
CSISO85SPANISH2g? - 745
CSISO86HUNGARIANg? - 746
CSISO88GREEK7g? - 747
CSISO89ASMO449g? - 748
CSISO90g - 749
CSISO92JISC62991984Bg? - 750
CSISO99NAPLPSg? - 751
CSISO103T618BITg? - 752
CSISO111ECMACYRILLICg? - 753
CSISO121CANADIAN1g? - 754
CSISO122CANADIAN2g? - 755
CSISO139CSN369103g? - 756
CSISO141JUSIB1002g? - 757
CSISO143IECP271g? - 758
CSISO150g - 759
CSISO150GREEKCCITTg? - 760
CSISO151CUBAg? - 761
CSISO153GOST1976874g? - 762
CSISO646DANISHg? - 763
CSISO2022CNg? - 764
CSISO2022JPg? - 765
CSISO2022JP2g? - 766
CSISO2022KRg? - 767
CSISO2033g - 768
CSISO5427CYRILLICg? - 769
CSISO5427CYRILLIC1981g? - 770
CSISO5428GREEKg? - 771
CSISO10367BOXg? - 772
CSKSC5636g - 773
CSNATSDANOg - 774
CSNATSSEFIg - 775
CSN_369103g - 776
CSPC8CODEPAGE437g? - 777
CSPC775BALTICg? - 778
CSPCP852g - 779
CSSHIFTJISg - 780
CSUCS4g - 781
CSWINDOWS31Jg? - 782
CUBAg - 783
CWI-2g - 784
CWIg - 785
DEg - 786
DEC-MCSg - 787
DECg - 788
DECMCSg - 789
DIN_66003g - 790
DKg - 791
DS2089g - 792
DS_2089g - 793
E13Bg? - 794
EBCDIC-AT-DE-Ag - 795
EBCDIC-AT-DEg - 796
EBCDIC-BEg - 797
EBCDIC-BRg - 798
EBCDIC-CA-FRg - 799
EBCDIC-CP-AR1g - 800
EBCDIC-CP-AR2g - 801
EBCDIC-CP-BEg - 802
EBCDIC-CP-CAg - 803
EBCDIC-CP-CHg - 804
EBCDIC-CP-DKg - 805
EBCDIC-CP-ESg - 806
EBCDIC-CP-FIg - 807
EBCDIC-CP-FRg - 808
EBCDIC-CP-GBg - 809
EBCDIC-CP-GRg - 810
EBCDIC-CP-HEg - 811
EBCDIC-CP-ISg - 812
EBCDIC-CP-ITg - 813
EBCDIC-CP-NLg - 814
EBCDIC-CP-NOg - 815
EBCDIC-CP-ROECEg - 816
EBCDIC-CP-SEg - 817
EBCDIC-CP-TRg - 818
EBCDIC-CP-USg - 819
EBCDIC-CP-WTg - 820
EBCDIC-CP-YUg - 821
EBCDIC-CYRILLICg - 822
EBCDIC-DK-NO-Ag - 823
EBCDIC-DK-NOg - 824
EBCDIC-ES-Ag - 825
EBCDIC-ES-Sg - 826
EBCDIC-ESg - 827
EBCDIC-FI-SE-Ag - 828
EBCDIC-FI-SEg - 829
EBCDIC-FRg - 830
EBCDIC-GREEKg - 831
EBCDIC-INTg - 832
EBCDIC-INT1g - 833
EBCDIC-IS-FRISSg - 834
EBCDIC-ITg - 835
EBCDIC-JP-Eg - 836
EBCDIC-JP-KANAg - 837
EBCDIC-PTg - 838
EBCDIC-UKg - 839
EBCDIC-USg - 840
EBCDICATDEg - 841
EBCDICATDEAg - 842
EBCDICCAFRg - 843
EBCDICDKNOg - 844
EBCDICDKNOAg - 845
EBCDICESg - 846
EBCDICESAg - 847
EBCDICESSg - 848
EBCDICFISEg - 849
EBCDICFISEAg - 850
EBCDICFRg - 851
EBCDICISFRISSg - 852
EBCDICITg - 853
EBCDICPTg - 854
EBCDICUKg - 855
EBCDICUSg - 856
ECMA-128g - 857
ECMA-CYRILLICg - 858
ECMACYRILLICg - 859
ESg - 860
ES2g - 861
EUC-CNg - 862
EUC-JISX0213g - 863
EUC-JP-MSg - 864
EUC-JPg - 865
EUC-KRg - 866
EUC-TWg - 867
EUCCNg - 868
EUCJP-MSg - 869
EUCJP-OPENg - 870
EUCJP-WINg - 871
EUCJPg - 872
EUCKRg - 873
EUCTWg - 874
FIg - 875
FRg - 876
GBg - 877
GB2312g - 878
GB13000g - 879
GB18030g - 880
GBKg - 881
GB_1988-80g - 882
GB_198880g - 883
GOST_19768-74g - 884
GOST_19768g - 885
GOST_1976874g - 886
GREEK-CCITTg - 887
GREEK7-OLDg - 888
GREEK7g - 889
GREEK7OLDg? - 890
GREEKCCITTg - 891
HUg - 892
IBM-803g - 893
IBM-856g - 894
IBM-901g - 895
IBM-902g - 896
IBM-921g - 897
IBM-922g - 898
IBM-930g - 899
IBM-932g - 900
IBM-933g - 901
IBM-935g - 902
IBM-937g - 903
IBM-939g - 904
IBM-943g - 905
IBM-1008g - 906
IBM-1025g - 907
IBM-1046g - 908
IBM-1047g - 909
IBM-1097g - 910
IBM-1112g - 911
IBM-1122g - 912
IBM-1123g - 913
IBM-1124g - 914
IBM-1129g - 915
IBM-1130g - 916
IBM-1132g - 917
IBM-1133g - 918
IBM-1137g - 919
IBM-1140g - 920
IBM-1141g - 921
IBM-1142g - 922
IBM-1143g - 923
IBM-1144g - 924
IBM-1145g - 925
IBM-1146g - 926
IBM-1147g - 927
IBM-1148g - 928
IBM-1149g - 929
IBM-1153g - 930
IBM-1154g - 931
IBM-1155g - 932
IBM-1156g - 933
IBM-1157g - 934
IBM-1158g - 935
IBM-1160g - 936
IBM-1161g - 937
IBM-1162g - 938
IBM-1163g - 939
IBM-1164g - 940
IBM-1166g - 941
IBM-1167g - 942
IBM-1364g - 943
IBM-1371g - 944
IBM-1388g - 945
IBM-1390g - 946
IBM-1399g - 947
IBM-4517g - 948
IBM-4899g - 949
IBM-4909g - 950
IBM-4971g - 951
IBM-5347g - 952
IBM-9030g - 953
IBM-9066g - 954
IBM-9448g - 955
IBM-12712g - 956
IBM-16804g - 957
IBM037g - 958
IBM038g - 959
IBM256g - 960
IBM273g - 961
IBM274g - 962
IBM275g - 963
IBM277g - 964
IBM278g - 965
IBM280g - 966
IBM281g - 967
IBM284g - 968
IBM285g - 969
IBM290g - 970
IBM297g - 971
IBM420g - 972
IBM423g - 973
IBM424g - 974
IBM437g - 975
IBM500g - 976
IBM775g - 977
IBM803g - 978
IBM813g - 979
IBM848g - 980
IBM851g - 981
IBM852g - 982
IBM855g - 983
IBM856g - 984
IBM857g - 985
IBM860g - 986
IBM861g - 987
IBM863g - 988
IBM864g - 989
IBM865g - 990
IBM866NAVg? - 991
IBM868g - 992
IBM869g - 993
IBM870g - 994
IBM871g - 995
IBM874g - 996
IBM875g - 997
IBM880g - 998
IBM891g - 999
IBM901g - 1000
IBM902g - 1001
IBM903g - 1002
IBM904g - 1003
IBM905g - 1004
IBM912g - 1005
IBM915g - 1006
IBM916g - 1007
IBM918g - 1008
IBM920g - 1009
IBM921g - 1010
IBM922g - 1011
IBM930g - 1012
IBM932g - 1013
IBM933g - 1014
IBM935g - 1015
IBM937g - 1016
IBM939g - 1017
IBM943g - 1018
IBM1004g - 1019
IBM1008g - 1020
IBM1025g - 1021
IBM1026g - 1022
IBM1046g - 1023
IBM1047g - 1024
IBM1089g - 1025
IBM1097g - 1026
IBM1112g - 1027
IBM1122g - 1028
IBM1123g - 1029
IBM1124g - 1030
IBM1129g - 1031
IBM1130g - 1032
IBM1132g - 1033
IBM1133g - 1034
IBM1137g - 1035
IBM1140g - 1036
IBM1141g - 1037
IBM1142g - 1038
IBM1143g - 1039
IBM1144g - 1040
IBM1145g - 1041
IBM1146g - 1042
IBM1147g - 1043
IBM1148g - 1044
IBM1149g - 1045
IBM1153g - 1046
IBM1154g - 1047
IBM1155g - 1048
IBM1156g - 1049
IBM1157g - 1050
IBM1158g - 1051
IBM1160g - 1052
IBM1161g - 1053
IBM1162g - 1054
IBM1163g - 1055
IBM1164g - 1056
IBM1166g - 1057
IBM1167g - 1058
IBM1364g - 1059
IBM1371g - 1060
IBM1388g - 1061
IBM1390g - 1062
IBM1399g - 1063
IBM4517g - 1064
IBM4899g - 1065
IBM4909g - 1066
IBM4971g - 1067
IBM5347g - 1068
IBM9030g - 1069
IBM9066g - 1070
IBM9448g - 1071
IBM12712g - 1072
IBM16804g - 1073
IEC_P27-1g - 1074
IEC_P271g - 1075
INIS-8g - 1076
INIS-CYRILLICg - 1077
INISg - 1078
INIS8g - 1079
INISCYRILLICg - 1080
ISIRI-3342g - 1081
ISIRI3342g - 1082
ISO-2022-CN-EXTg - 1083
ISO-2022-CNg - 1084
ISO-2022-JP-2g - 1085
ISO-2022-JP-3g - 1086
ISO-2022-JPg - 1087
ISO-2022-KRg - 1088
ISO-8859-9g - 1089
ISO-8859-10g - 1090
ISO-8859-11g - 1091
ISO-8859-16g - 1092
ISO-10646g - 1093
ISO-10646/UTF-8/ - 1094
ISO-10646/UTF8/ - 1095
ISO-IR-4g - 1096
ISO-IR-8-1g - 1097
ISO-IR-9-1g - 1098
ISO-IR-10g - 1099
ISO-IR-11g - 1100
ISO-IR-15g - 1101
ISO-IR-16g - 1102
ISO-IR-17g - 1103
ISO-IR-18g - 1104
ISO-IR-19g - 1105
ISO-IR-21g - 1106
ISO-IR-25g - 1107
ISO-IR-27g - 1108
ISO-IR-37g - 1109
ISO-IR-49g - 1110
ISO-IR-50g - 1111
ISO-IR-51g - 1112
ISO-IR-54g - 1113
ISO-IR-55g - 1114
ISO-IR-57g - 1115
ISO-IR-60g - 1116
ISO-IR-61g - 1117
ISO-IR-69g - 1118
ISO-IR-84g - 1119
ISO-IR-85g - 1120
ISO-IR-86g - 1121
ISO-IR-88g - 1122
ISO-IR-89g - 1123
ISO-IR-90g - 1124
ISO-IR-92g - 1125
ISO-IR-98g - 1126
ISO-IR-99g - 1127
ISO-IR-103g - 1128
ISO-IR-111g - 1129
ISO-IR-121g - 1130
ISO-IR-122g - 1131
ISO-IR-127g - 1132
ISO-IR-139g - 1133
ISO-IR-141g - 1134
ISO-IR-143g - 1135
ISO-IR-150g - 1136
ISO-IR-151g - 1137
ISO-IR-153g - 1138
ISO-IR-155g - 1139
ISO-IR-156g - 1140
ISO-IR-166g - 1141
ISO-IR-193g - 1142
ISO-IR-197g - 1143
ISO-IR-209g - 1144
ISO/TR_11548-1/ - 1145
ISO646-CAg - 1146
ISO646-CA2g - 1147
ISO646-CNg - 1148
ISO646-CUg - 1149
ISO646-DEg - 1150
ISO646-DKg - 1151
ISO646-ESg - 1152
ISO646-ES2g - 1153
ISO646-FIg - 1154
ISO646-FRg - 1155
ISO646-FR1g - 1156
ISO646-GBg - 1157
ISO646-HUg - 1158
ISO646-ITg - 1159
ISO646-JP-OCR-Bg - 1160
ISO646-KRg - 1161
ISO646-NOg - 1162
ISO646-NO2g - 1163
ISO646-PTg - 1164
ISO646-PT2g - 1165
ISO646-SEg - 1166
ISO646-SE2g - 1167
ISO646-YUg - 1168
ISO2022CNg? - 1169
ISO2022CNEXTg? - 1170
ISO2022JPg? - 1171
ISO2022JP2g? - 1172
ISO2022KRg? - 1173
ISO6937g - 1174
ISO8859-11g - 1175
ISO11548-1g - 1176
ISO88591g - 1177
ISO88592g - 1178
ISO88593g - 1179
ISO88594g - 1180
ISO88595g - 1181
ISO88596g - 1182
ISO88597g - 1183
ISO88598g - 1184
ISO88599g - 1185
ISO885910g - 1186
ISO885911g - 1187
ISO885913g - 1188
ISO885914g - 1189
ISO885915g - 1190
ISO885916g - 1191
ISO_2033-1983g - 1192
ISO_2033g - 1193
ISO_5427-EXTg - 1194
ISO_5427g - 1195
ISO_5427:1981g - 1196
ISO_5427EXTg - 1197
ISO_5428g - 1198
ISO_5428:1980g - 1199
ISO_6937-2g - 1200
ISO_6937-2:1983g - 1201
ISO_6937g - 1202
ISO_6937:1992g - 1203
ISO_8859-7:2003g - 1204
ISO_8859-16:2001g - 1205
ISO_9036g - 1206
ISO_10367-BOXg - 1207
ISO_10367BOXg - 1208
ISO_11548-1g - 1209
ISO_69372g - 1210
ITg - 1211
JIS_C6229-1984-Bg - 1212
JIS_C62201969ROg - 1213
JIS_C62291984Bg - 1214
JOHABg - 1215
JP-OCR-Bg - 1216
JSg - 1217
JUS_I.B1.002g - 1218
KOI-7g - 1219
KOI-8g - 1220
KOI8g - 1221
KSC5636g - 1222
L10g - 1223
LATIN-9g - 1224
LATIN-GREEK-1g - 1225
LATIN-GREEKg - 1226
LATIN10g - 1227
LATINGREEKg - 1228
LATINGREEK1g - 1229
MAC-CYRILLICg - 1230
MAC-ISg - 1231
MAC-SAMIg - 1232
MAC-UKg - 1233
MACCYRILLICg - 1234
MIKg - 1235
MS-MAC-CYRILLICg - 1236
MS932g - 1237
MS936g - 1238
MSCP949g - 1239
MSCP1361g - 1240
MSMACCYRILLICg - 1241
MSZ_7795.3g - 1242
MS_KANJIg - 1243
NAPLPSg - 1244
NATS-DANOg - 1245
NATS-SEFIg - 1246
NATSDANOg - 1247
NATSSEFIg - 1248
NC_NC0010g - 1249
NC_NC00-10g - 1250
NC_NC00-10:81g - 1251
NF_Z_62-010g - 1252
NF_Z_62-010_(1973)g - 1253
NF_Z_62-010_1973g - 1254
NF_Z_62010g - 1255
NF_Z_62010_1973g - 1256
NOg - 1257
NO2g - 1258
NS_4551-1g - 1259
NS_4551-2g - 1260
NS_45511g - 1261
NS_45512g - 1262
OS2LATIN1g? - 1263
OSF00010001g - 1264
OSF00010002g - 1265

344

Help Book Guardium V9.0

OSF00010003g - 1266
OSF00010004g - 1267
OSF00010005g - 1268
OSF00010006g - 1269
OSF00010007g - 1270
OSF00010008g - 1271
OSF00010009g - 1272
OSF0001000Ag? - 1273
OSF00010020g - 1274
OSF00010100g - 1275
OSF00010101g - 1276
OSF00010102g - 1277
OSF00010104g - 1278
OSF00010105g - 1279
OSF00010106g - 1280
OSF00030010g - 1281
OSF0004000Ag? - 1282
OSF0005000Ag? - 1283
OSF05010001g - 1284
OSF100201A4g? - 1285
OSF100201A8g? - 1286
OSF100201B5g? - 1287
OSF100201F4g? - 1288
OSF100203B5g? - 1289
OSF1002011Cg? - 1290
OSF1002011Dg? - 1291
OSF1002035Dg? - 1292
OSF1002035Eg? - 1293
OSF1002035Fg? - 1294
OSF1002036Bg? - 1295
OSF1002037Bg? - 1296
OSF10010001g - 1297
OSF10020025g - 1298
OSF10020111g - 1299
OSF10020115g - 1300
OSF10020116g - 1301
OSF10020118g - 1302
OSF10020122g - 1303
OSF10020129g - 1304
OSF10020352g - 1305
OSF10020354g - 1306
OSF10020357g - 1307
OSF10020359g - 1308
OSF10020360g - 1309
OSF10020364g - 1310
OSF10020365g - 1311
OSF10020366g - 1312
OSF10020367g - 1313
OSF10020370g - 1314
OSF10020387g - 1315
OSF10020388g - 1316
OSF10020396g - 1317
OSF10020402g - 1318
OSF10020417g - 1319
PTg - 1320
PT2g - 1321
Policies

345

PT154g - 1322
RK1048g - 1323
RUSCIIg - 1324
SEg - 1325
SE2g - 1326
SEN_850200_Bg - 1327
SEN_850200_Cg - 1328
SHIFT-JISg - 1329
SHIFT_JISg - 1330
SHIFT_JISX0213g - 1331
SJIS-OPENg - 1332
SJIS-WINg - 1333
SJISg - 1334
SS636127g - 1335
STRK1048-2002g - 1336
ST_SEV_358-88g - 1337
T.61-8BITg - 1338
T.61g - 1339
T.618BITg - 1340
TS-5881g - 1341
UHCg - 1342
UJISg - 1343
UKg - 1344
UTF8g - 1345
UTF16g - 1346
UTF16BEg? - 1347
UTF16LEg? - 1348
UTF32g - 1349
UTF32BEg? - 1350
UTF32LEg? - 1351
WCHAR_Tg - 1352
WIN-SAMI-2g - 1353
WINDOWS-31Jg - 1354
WINDOWS-936g - 1355
WINSAMI2g - 1356
WS2g - 1357
YUg - 1358

346

Help Book Guardium V9.0

Install Policies
Use this topic to install a policy immediately or on a schedule, and to modify that schedule.
1. Do one of the following to open the Policy Installer:
v Users: Protect > Security Policies > Install Policy.
Note: To see a security policy created by another user (for example, by an admin user), that user must specify, via Roles, that you can view and share the policy.
v Administrators: Administration Console > Policy Installation.
2. Select the policy to be installed from the Policy Description box.
3. Do one of the following:
v Click Install to install the policy immediately.
v Click Modify Schedule to open the general-purpose scheduling utility and schedule the policy installation. For instructions on how to use the scheduler, see Scheduling in the Common Tools book.

Multi-policy support

More than one policy can be installed at the same time, and all installed policies are in effect. There are two limitations: policies defined as selective audit policies cannot be mixed with policies that are not selective audit policies, and policies defined as flat log cannot be mixed with policies that are not flat log. If you try to install such a mixture, an error message is issued when the policies are installed.
Note: Policies defined as baseline policies can be mixed with policies that are not baseline policies.
The position of a policy in the installed set (first, last, or somewhere in between) is chosen at installation time; it cannot be edited later.
There is also an Uninstall policy button to remove a previously installed policy.
The first installed policy has a special meaning: it sets the values of the global policy parameters. These parameters are the global pattern, whether the installation is a selective audit, the client and server net masks, and the tagged client and server group IDs. Because these settings are taken only from the first policy, install the policy that should define them first.
Multi-policy support is available through the GUI (Administration Console > Policy Installation) and through GuardAPI.
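The mixing rules and the "first policy sets the global parameters" behaviour described above are easy to get wrong when installations are scripted. The following pre-flight check is an added example for this topic, not Guardium code and not a GuardAPI call; the Policy class, its attribute names, and the sample policies and net masks are constructed to mirror the attributes the text lists.

```python
"""Pre-flight check for a multi-policy installation (added example, not Guardium code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    selective_audit: bool = False   # defined as a selective audit policy
    flat_log: bool = False          # defined as a flat log policy
    baseline: bool = False          # baseline policies may be mixed freely
    # Global parameters; only the values of the first installed policy take effect.
    global_pattern: Optional[str] = None
    client_net_mask: Optional[str] = None
    server_net_mask: Optional[str] = None
    tagged_client_group_id: Optional[int] = None
    tagged_server_group_id: Optional[int] = None


def validate_install_set(policies: List[Policy]) -> List[str]:
    """Return the reasons the set cannot be installed together; empty list means OK."""
    errors: List[str] = []
    if not policies:
        return ["no policies selected"]
    for attr, label in (("selective_audit", "selective audit"), ("flat_log", "flat log")):
        with_attr = [p.name for p in policies if getattr(p, attr)]
        without = [p.name for p in policies if not getattr(p, attr)]
        if with_attr and without:
            errors.append(f"{label} policies {with_attr} cannot be mixed with "
                          f"non-{label} policies {without}")
    # No check on 'baseline': baseline and non-baseline policies may be mixed.
    return errors


def effective_global_parameters(policies: List[Policy]) -> Dict[str, object]:
    """The first installed policy sets the global parameters for the whole installed set."""
    first = policies[0]
    return {
        "set_by": first.name,
        "global_pattern": first.global_pattern,
        "selective_audit": first.selective_audit,
        "client_net_mask": first.client_net_mask,
        "server_net_mask": first.server_net_mask,
        "tagged_client_group_id": first.tagged_client_group_id,
        "tagged_server_group_id": first.tagged_server_group_id,
    }


# Constructed sample policies; names and masks are illustrative only.
PRIVILEGED_USERS = Policy("Privileged users", client_net_mask="255.255.255.0",
                          server_net_mask="255.255.255.255")
PCI_SELECTIVE = Policy("PCI selective audit", selective_audit=True,
                       client_net_mask="255.255.0.0", server_net_mask="255.255.255.255")
BASELINE_DEV = Policy("Dev baseline", baseline=True)
FLAT_LOG_ALL = Policy("Flat log everything", flat_log=True)

if __name__ == "__main__":
    for plan in ([PRIVILEGED_USERS, BASELINE_DEV],
                 [PRIVILEGED_USERS, PCI_SELECTIVE],
                 [FLAT_LOG_ALL, BASELINE_DEV]):
        problems = validate_install_set(plan)
        verdict = problems or "OK; globals set by " + str(effective_global_parameters(plan)["set_by"])
        print([p.name for p in plan], "->", verdict)
```

Run the check over the planned order before installing, and compare effective_global_parameters for the two candidate orders when in doubt: swapping the first two policies changes the net masks and the selective-audit flag for the entire installation.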

View Policy rules for the Installed Policy

From the Currently-Installed Policy panel, any user can view the rules of the installed policy, and authorized users can also open the policy for editing.
1. Do one of the following to open the Currently-Installed Policy panel:
v Users: View > Overview > Installed Policy
v Administrators: Administration Console > Policy Installation
2. Click the Installed Policy link to display the policy rules. Authorized users have an additional button enabled: to open the policy for editing in the Policy Builder, click the Edit installed policy button.

Correlation Alerts
An alert is a message indicating that an exception or policy rule violation was detected.
Alerts are triggered in two ways:
v A correlation alert is triggered by a query that looks back over a specified time period to determine whether the alert threshold has been met. The Guardium Anomaly Detection Engine runs correlation queries on a scheduled basis. By default, correlation alerts do not log policy violations, but they can be configured to do so.
v A real-time alert is triggered by a security policy rule. The Guardium Inspection Engine component runs the security policy as it collects and analyzes database traffic in real time.
Regardless of how they are triggered, Guardium logs all alerts the same way: the alert information is logged in the Guardium internal database. The amount and type of information logged depends on the specific alert type. The Guardium Alerter component, which also runs on a scheduled basis, processes each new alert, passing the logged information for each alert to any combination of the following notification mechanisms:
v SMTP: the SMTP (outgoing e-mail) server. The Alerter passes standard e-mail messages to the SMTP server for which it has been configured.
v SNMP: the SNMP (network information and control) server. When SNMP is selected for an alert notification, the Alerter passes all alert messages of that type to the single trap community for which the Alerter has been configured.
v Syslog: the alert is written to syslog on the Guardium appliance (which the Guardium Administrator may configure to forward syslog messages to a remote system).
Note: For SNMP or syslog, the maximum message length is 3000 characters. Longer messages are truncated, so place the fields you need to act on early in the alert message.
v Custom: a user-written Java class that handles alerts. The Alerter passes an alert message and timestamp to the custom alerting class. There can be multiple custom alerting classes, and one custom alerting class can be an extension of another.
Note: Alert definition and notification are not subject to Data Level Security. The reasons are that alerts are not evaluated in the context of a user, that an alert may relate to databases associated with multiple users, and that no situation should arise in which nobody receives the alert notification.
Note: If an alert uses a query that contains 30 fields or more (including counters), anomaly detection fails with an "Array out of bound exception" error message. Queries with 30 or more columns cannot be used for alerts, and such queries do not appear in the list of available queries for threshold alerts.

Alerting Tasks for Administrators


Guardium administrators perform the following tasks from the administrator portal:
v Customize the Alert Message Template, using the Global Profile panel of the Administration Console
v Configure and start the Alerter, from Administration Console, which delivers
messages to SMTP, SNMP, Syslog, or Custom alerting classes
v Start and stop the Anomaly Detection Engine, which runs the correlation alerts
according to the schedules defined
v Upload Custom Alerting Classes to the Guardium appliance
For more information on all of these topics, see the Guardium Administration Help
Book.

Alerting Tasks for Users


Guardium users (and administrators) can perform the correlation alerting tasks
described below:
v Define queries that can be used for correlation alerts (see Queries on page 91)
v Define correlation alerts (see Correlation Alerts on page 349)
v Write custom alerting classes (see Custom Alerting on page 149).

About Correlation Alert Queries


A correlation alert is based on a query in any of the reporting domains. That query
must be defined before the alert can be defined. To be available for use by a
correlation alert, the query must contain at least one date field. For information
about building queries, see Queries on page 91.

Create a Correlation Alert


1. Navigate to the Alert Finder:
v Users with the admin role: Select Tools > Config & Control > Alert Builder.
v All Others: Select Protect > Correlation Alerts > Alert Builder.
2. Click the New button in the Alerts Finder panel to display the Add Alert
panel.
3. Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.
4. Enter a short sentence that describes the alert in the Description box.
5. Enter an optional category in the Category box.
6. Enter an optional classification in the Classification box.
7. Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as HIGH.
8. Enter the number of minutes between runs of the query (identified below) in the Run Frequency field.
9. Mark the Active box to activate the alert, or clear the box to save the alert definition without starting it running (it can be activated later). In a Central Manager environment, the alert will be activated (or stopped) on all managed units when this box is marked (or cleared). To disable the alert on a specific appliance in a Central Manager environment, use the Anomaly Detection panel of the Administrator Console. (See Anomaly Detection on page 619.)
10. Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
11. From the Query list in the Alert Definition panel, select the query to run for
this alert. The list of queries displayed will include all queries defined that:
v Contain at least one date field (timestamp) - a timestamp field is required
v Contain a Count field - a count field is required
v Can be accessed by your Guardium user account
Troubleshooting tips
v If a custom query has been created in any Query Builder in Report Building and it does not appear in the Query list, make sure that the custom query has a timestamp (date field) and a count field.
v If, after selecting a query from the Query list in the Alert Definition panel of the Add Alert screen, the query needs to be edited (Edit icon) but cannot be edited there, go to the Query Builder (Tools > Report Building) to edit it.
12. If the selected query contains run-time parameters, a Query Parameters panel
will appear in the Alert Definition pane. Supply parameter values as
appropriate for your application.
13. In the Accumulation Interval box, enter the length of the time interval (in
minutes) that the query should examine in the audit repository, counting back
from the current time (for example, enter 10 to examine the last 10 minutes of
data).
Note: Alerts run on aggregators are based only on data within the defined merge period.
14. Mark the Log Full Query results box to have the full report logged with the
alert.
15. If the selected query contains one or more columns of numeric data, select one
of those columns to use for the test. The default, which will be the last item
listed, is the last column for the query, which is always the count of
occurrences aggregated in that row.
16. In the Alert Threshold pane, define the threshold at which a correlation alert
is to be generated, as follows:
v In the Threshold field, enter a threshold number that will apply as
described by the remaining fields in the panel.
v From the Alert when value is list, select an operator indicating how the
report value is to relate to the threshold to produce an alert (greater than,
greater than or equal to, less than, etc.).
v Select per report if the threshold number applies to a report total, or select
per line if the threshold applies to a single line of the report (the report
being the output of the query selected above, run by looking back over the
specified accumulation time).
If there is no data during the specified Accumulation Interval (see above):
If the threshold is per report, the value for that interval is 0 (zero), and an
alert will be generated if the threshold condition is met (for example, if the
condition specified is Alert when value is < 1).
If the threshold is per line, no alert will be generated, regardless of the
specified condition (this is because there are no lines of output).
v Select As absolute limit to indicate that the threshold entered is an absolute number, or select As a percentage change within period to indicate that the threshold represents a percentage of change within the time period identified in the From and To fields.
If the As a percentage change within period option is selected, use the date picker controls to select the From and To dates.
If As a percentage change for the same "Accumulation Period" on a relative time is selected, one relative date is entered; the alert executes the query for the current period and for the relative period (using the same interval), and checks the current value as a percentage change from the base period value.
Note: If a relative period is used, each time the alert is checked it executes the query twice, once for the current period and once for the relative period.
17. Indicate in the Notification Frequency box how often (in minutes) the Alert
Receivers should be notified when the alert condition has been satisfied.
18. Click the Save button to save the alert definition.
Note: You cannot assign receivers or roles, or enter comments until the
definition has been saved.
19. In the Alert Receivers panel, optionally designate one or more persons or
groups to be notified when this alert condition is satisfied. To add a receiver,
click the Add Receiver button to open the Add Receiver Selection panel. For
information about adding receivers, see Notifications on page 61.
Note: If the receiver of an alert is the admin user, an e-mail address must be assigned to the admin account for the alert to fire.
Note: An additional receiver for threshold alerts is Owner (the owner or owners of the database). If the query associated with the alert contains Server IP and Service Name, and the alert is evaluated Per Row (per line), the receiver can be Owner. The alert notification must have: Alert Notification Type: Mail, Alert User ID: 0, Alert Destination: Owner. See Alerting Actions in Policies on page 295 for additional receivers for real-time alerts.
20. Optionally click the Roles button to assign roles for the alert. See Security
Roles on page 75.
21. Optionally click the Comments button to add comments to the definition. See
Comments on page 29.
22. Click the Apply button and then the Done button when you have finished.
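The threshold rules in steps 13 to 17 have two edge cases that matter when you tune an alert: an empty accumulation interval counts as 0 per report but produces no alert per line, and the relative-period option compares two runs of the same query. The model below is an added example and not Guardium code; the query is stood in for by a function over constructed audit events (minute, database user, verb), and the choice to return None when the base period total is 0 is an assumption, since the text does not define that case.

```python
"""Correlation-alert threshold evaluation (added example, not Guardium code)."""
import operator
from typing import Dict, List, Optional, Tuple

OPERATORS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "=": operator.eq, "!=": operator.ne,
}

# Constructed audit events: (minute, db_user, verb). A real alert runs a saved query.
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (0, "appuser", "SELECT"), (3, "appuser", "SELECT"), (4, "dba1", "DROP"),
    (7, "dba1", "DROP"), (8, "dba1", "DROP"), (9, "appuser", "UPDATE"),
]


def run_query(events, now_min: int, accumulation_min: int) -> List[Dict[str, object]]:
    """Model of an alert query with Add Count: one row per db_user, Count as the last
    column, restricted to the accumulation interval counting back from now."""
    start = now_min - accumulation_min
    counts: Dict[str, int] = {}
    for minute, user, _verb in events:
        if start < minute <= now_min:
            counts[user] = counts.get(user, 0) + 1
    return [{"db_user": u, "Count": c} for u, c in sorted(counts.items())]


def evaluate_absolute(rows, threshold: float, op: str, per: str = "report",
                      column: str = "Count") -> bool:
    """'As absolute limit'. per='report' tests the column total; with no data the
    total is 0, so 'Alert when value is < 1' fires. per='line' tests each row;
    with no rows there is nothing to test and the alert does not fire."""
    test = OPERATORS[op]
    values = [float(r[column]) for r in rows]
    if per == "report":
        return test(sum(values), threshold)          # sum([]) == 0
    if per == "line":
        return any(test(v, threshold) for v in values)
    raise ValueError(f"unknown mode {per!r}")


def evaluate_relative_change(events, now_min: int, base_now_min: int, accumulation_min: int,
                             threshold_pct: float, op: str, column: str = "Count") -> Optional[bool]:
    """'As a percentage change ... on a relative time': the query runs twice, for the
    current and the base period with the same interval, and the change in the report
    total as a percentage of the base total is tested. None when the base total is 0
    (assumption: the text does not define this case)."""
    current = sum(float(r[column]) for r in run_query(events, now_min, accumulation_min))
    base = sum(float(r[column]) for r in run_query(events, base_now_min, accumulation_min))
    if base == 0:
        return None
    change_pct = (current - base) / base * 100.0
    return OPERATORS[op](change_pct, threshold_pct)


def should_notify(last_notified_min: Optional[int], now_min: int,
                  notification_frequency_min: int) -> bool:
    """Notification Frequency: receivers are re-notified at most once per interval
    while the condition stays satisfied."""
    return last_notified_min is None or now_min - last_notified_min >= notification_frequency_min


if __name__ == "__main__":
    rows = run_query(SAMPLE_EVENTS, now_min=10, accumulation_min=10)
    print(rows)
    print("per line, Count >= 3:", evaluate_absolute(rows, 3, ">=", "line"))
    print("per report, Count > 4:", evaluate_absolute(rows, 4, ">", "report"))
    empty = run_query(SAMPLE_EVENTS, now_min=20, accumulation_min=5)
    print("no data, per report < 1:", evaluate_absolute(empty, 1, "<", "report"))
    print("no data, per line < 1:", evaluate_absolute(empty, 1, "<", "line"))
    print("change vs 5 min earlier > 50%:",
          evaluate_relative_change(SAMPLE_EVENTS, 10, 5, 5, 50, ">"))
```

The "no data" pair is the one to keep in mind when writing a heartbeat-style alert ("alert when value is < 1"): it only works per report, because per line there is no row to compare.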

Modify a Correlation Alert


1. Navigate to the Alert Finder:
v Users with the admin role: Select Tools > Config & Control > Alert Builder.
v All Others: Select Protect > Correlation Alerts > Alert Builder.
2. Select the correlation alert you want to modify, in the Alert Finder panel. See
further information in Predefined Alerts on page 1105.
3. Click the Modify button to open the Modify Alert panel.
4. Referring to Create a Correlation Alert topic above, make changes to the alert
definition.
5. Click the Save button.

Remove a Correlation Alert


1. Navigate to the Alert Finder:
v Users with the admin role: Select Tools > Config & Control > Alert Builder.
v All Others: Select Protect > Correlation Alerts > Alert Builder.
2. Select the correlation alert you want to remove, in the Alerts Finder panel.
3. Click the Delete button. You will be prompted to confirm the action.

Incident Management
The Integrated Incident Management (IIM) application provides a business-user
interface with workflow automation for tracking and resolving database security
incidents.
It simplifies incident management by allowing administrators to group a series of
related policy violations into a single incident and assign them to specific
individuals. This reduces the number of separate policy violations that oversight
teams need to review.
Incident generation processes can be defined and scheduled to read the policy
violations log and generate new incidents. From an incident generation process,
each selected incident is:
v Assigned a unique incident number
v Assigned to a user
v Assigned a severity code
v Assigned to a category
In addition, policy violations can be assigned manually (by authorized users) to
new incidents or existing incidents from the Policy Violations / Incident
Management report.
Once an incident has been generated, administrators and other users work with
incidents from the Incident Management tab, which is included on both the admin
and user portals. From there, all other tasks can be performed (assign incidents,
send notifications, assign status, and so forth).
The Incident Management functions can be accessed from the drill-down menus of
the Incident Management reports. Each user may only have a subset of reports or
functions available, depending on the security roles assigned to the user account.
You can create your own copies of the Incident Management reports, but those
copies will not have all of the capabilities available from the pre-configured reports
on the Incident Management tab. To assign incidents, severity codes, and so forth,
use the reports on the Incident Management tab.

Define an Incident Generation Process


An incident generation process executes a query against the policy violations log,
and generates incidents based on that query. By default, the definition and
scheduling of incident generation processes is restricted to users with the admin
role.
1. On the Administrator portal, select Administration Console > Incident
Generation to open the Incident Generation Processes panel.
2. Click the Add Process button to open the Edit Incident Generation Process
panel.
3. Select a query from the Query list. There are several restrictions that apply to
queries used in an incident generation process. We suggest that you open the
query in the Query Builder to verify that it satisfies the following criteria:
v The query must be from the Policy Violations domain.
v The query must have the Add Count checkbox checked. See Query Builder Overview in Queries on page 91 for more information.
v The main entity for the query must be the Policy Rule Violation entity.
v The query fields for the query must not include a SQL string (from either
the SQL entity or the Full SQL String attribute of the Policy Rule Violation
entity).
4. Select a Severity for the incident (defaults to Info).
5. Optionally enter a Category for the incident (defaults to none).
6. Optionally enter a Threshold for generating the incident. The default is one,
meaning every "row" returned by the query will generate an incident.
7. From the Assign to User list, select the user to whom the incident will be
assigned.
8. Enter the From and To Dates for the query. For a scheduled query, use relative
dates (for example: now -1 day and now).
9. Click Save to save the process definition. You cannot run or schedule the
process until it has been saved.
10. To run the query now, click Run Once Now.
11. To schedule the query, click Modify Schedule to open the general-purpose
scheduling utility. For instructions on how to use the scheduler, see
Scheduling in the Common Tools book.

Assign/Reassign to Incident
1. Double-click on the policy violation to be assigned or reassigned, in one of the
Incident Management reports.
2. Select Assign/Reassign to incident from the drill-down menu. When selected,
this menu will be replaced by a new menu containing a list of open incidents
(for example, Assign to Incident #123), and one additional option: Assign to a
new incident.
3. Select an incident to assign this violation to, or select Assign to a new incident
to assign this Policy Violation to the next incident number available (they are
numbered in sequence).
A message displays when the change has been completed, and the Incident
Management panel will be refreshed. If a new incident has been created, it will
be listed at the top of the Open Incidents report.

Assign to User
1. Double-click on the incident to be assigned to another user, in one of the
Incident Management reports.
2. Select Assign to user from the drill-down menu. When selected, this menu will
be replaced by a new menu containing a list of users, and one additional
option: Unassign.
3. Select a user, or select Unassign to remove the current user assigned. When a
user is assigned, the Status Description will be Assigned, and when unassigned
the Status Description will be Open.
A message displays when the change has been completed, and the Incident
Management panel will be refreshed.

Change Severity
1. Double-click on the incident on which the severity is to be changed, in one of
the Incident Management reports.
2. Select Change Severity from the drill-down menu. When selected, this menu
will be replaced by a new menu containing a list of severity codes: Info, Low,
Med, and High.
3. Select the desired severity code.
A message displays when the change has been completed, and the Incident
Management panel will be refreshed.

Notify
1. Double-click on the incident a user is to be notified about, in one of the
Incident Management reports.
2. Select Notify from the drill-down menu. When selected, this menu will be
replaced by a new menu containing a list of users.
3. Select a user.
A message displays when the user has been notified.

Change Status
1. Double-click on the incident on which the status is to be changed, in one of the
Incident Management reports.
2. Select Change Status from the drill-down menu. When selected, this menu will
be replaced by a new menu containing a list of status codes:
v ASSIGNED - Once an incident has this status, it cannot have additional
policy violations added to it. To add policy violations, change the incident
status back to Open, add the violations, and then change the status back to
Assigned.
v CLOSED - Once an incident is marked Closed it cannot be modified, and is
no longer listed.
v OPEN - This is the initial status for a new incident.
3. Select the desired status code.
A message displays when the change has been completed, and the Incident
Management panel will be refreshed.

Add Comments
1. Double-click on the incident to which comments are to be added, in one of the
Incident Management reports.
2. Select Comments from the drill-down menu, to open the User Comment
window. For instructions on how to add comments, see Commenting in the
Common Tools book.
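The generation process and the status rules above (a threshold of one means one incident per query row; an ASSIGNED incident refuses new violations; a CLOSED incident refuses every change and is no longer listed) are worth having in executable form when you automate triage. The model below is an added example, not Guardium code; the query rows, violation IDs, and user names are constructed, and the method names are illustrative.

```python
"""Model of incident generation and incident status rules (added example, not Guardium code)."""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITIES = ("Info", "Low", "Med", "High")
STATUSES = ("OPEN", "ASSIGNED", "CLOSED")


@dataclass
class Incident:
    number: int                        # unique, numbered in sequence
    severity: str = "Info"
    category: Optional[str] = None
    assigned_to: Optional[str] = None
    status: str = "OPEN"               # initial status for a new incident
    violations: List[str] = field(default_factory=list)

    def _check_modifiable(self) -> None:
        if self.status == "CLOSED":
            raise PermissionError(f"incident #{self.number} is closed and cannot be modified")

    def add_violation(self, violation_id: str) -> None:
        self._check_modifiable()
        if self.status == "ASSIGNED":
            raise PermissionError(f"incident #{self.number} is assigned; set it back to OPEN first")
        self.violations.append(violation_id)

    def assign_to_user(self, user: Optional[str]) -> None:
        """Assign to user (status becomes Assigned) or Unassign (status becomes Open)."""
        self._check_modifiable()
        self.assigned_to = user
        self.status = "ASSIGNED" if user else "OPEN"

    def change_severity(self, severity: str) -> None:
        self._check_modifiable()
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        self.severity = severity

    def change_status(self, status: str) -> None:
        self._check_modifiable()
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        self.status = status


class IncidentGenerator:
    """Incident generation process: every query row whose Count reaches the threshold
    becomes one incident with the configured severity, category and assignee."""

    def __init__(self) -> None:
        self._next_number = 1
        self.incidents: List[Incident] = []

    def generate(self, rows, severity="Info", category=None, assign_to=None, threshold=1):
        created: List[Incident] = []
        for row in rows:
            if row["Count"] < threshold:
                continue
            inc = Incident(number=self._next_number, severity=severity, category=category)
            self._next_number += 1
            for violation_id in row["violations"]:     # added while the incident is still OPEN
                inc.add_violation(violation_id)
            if assign_to:
                inc.assign_to_user(assign_to)
            created.append(inc)
        self.incidents = list(reversed(created)) + self.incidents   # newest at the top
        return created

    def listed(self) -> List[Incident]:
        """Closed incidents are no longer listed."""
        return [i for i in self.incidents if i.status != "CLOSED"]


# Constructed query rows: grouped policy violations with their Count and violation IDs.
SAMPLE_ROWS = [
    {"db_user": "dba1", "rule": "DDL outside change window", "Count": 3,
     "violations": ["pv-101", "pv-102", "pv-103"]},
    {"db_user": "appuser", "rule": "Failed login", "Count": 1, "violations": ["pv-104"]},
]

if __name__ == "__main__":
    gen = IncidentGenerator()
    for inc in gen.generate(SAMPLE_ROWS, severity="High", category="DDL",
                            assign_to="analyst1", threshold=2):
        print(inc)
```

A threshold of 2 in the usage above turns only the dba1 row into an incident; rerunning with the default threshold of 1 would create one incident per row, including the single failed login.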

S-TAP help book


This help book describes how to install, configure and use S-TAP.
Select a topic from the Contents entry page, or use the Search function on the PDF
version of the online help (last entry on Contents entry page, after help-index) or
use the help-index.

S-TAP administration guide


Guardium's S-TAP is an optional, lightweight software agent installed on a
database server system.
S-TAP monitors database traffic and forwards information about that traffic to a
Guardium appliance.

S-TAP Overview
v S-TAP can monitor database traffic that is local to that system. This is important
because local connections can provide "back door" access to the database - and
all such access needs to be monitored and audited.
v S-TAP can be used to monitor any network traffic that is visible from the
database server on which it is installed. It can thus act as a collector on remote
network segments, where it is not practical to install a Guardium appliance.
v S-TAP can be installed remotely from the command line on both Windows and Unix servers, or through the Guardium Installation Manager. Upgrades can be configured to be applied at the next server reboot. Under Linux, S-TAP takes care of upgrading the S-TAP kernel components at boot time, adjusting to kernel upgrades in Linux environments.

Failover processing
S-TAP collects data and sends it to a Guardium host in near real time. S-TAP buffers the data so that it can continue to work if the Guardium host is momentarily unavailable. If the primary host is unavailable for an extended period (shorter if the buffer is filling up), S-TAP can fail over to a secondary Guardium host. It continues to send data to the secondary host until one of the following occurs:
v the secondary appliance becomes unavailable;
v the S-TAP is restarted (a restarted S-TAP attempts to connect to its primary host first); or
v a connection to the primary host has been re-established and remains up for 5 * connection_timeout_sec seconds (connection_timeout_sec is configurable in the guard_tap.ini file; the default is 60 seconds). In this case S-TAP fails back from the secondary Guardium host to the primary Guardium host.
Note: While S-TAP is normally deployed on a database server, it can also be installed on client-side systems such as application servers and database clients.
Note: If S-TAP is installed both on the application side (see the note above) and on the database server, take additional precautions so that the same traffic is not monitored twice.
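What the failover rules mean for audit coverage is easiest to see in a simulation. The model below is an added example, not S-TAP code: it advances one second per tick with the reachability of each host injected by the caller. The 5 * connection_timeout_sec fail-back rule and the restart-to-primary rule come from the text; the length of the "extended period" before failover (failover_after_sec), the buffer high-water mark that triggers an earlier failover, and the return to the primary when the secondary goes away are assumptions, since the text does not quantify them.

```python
"""Simulation of S-TAP failover and fail-back (added example, not S-TAP code)."""
from typing import List, Optional


class StapFailoverModel:
    def __init__(self, secondary: Optional[str] = "collector-b", connection_timeout_sec: int = 60,
                 failover_after_sec: int = 120, buffer_file_size: int = 100 * 1024 * 1024,
                 buffer_high_water: float = 0.8) -> None:
        self.secondary = secondary                      # None: no secondary configured
        self.connection_timeout_sec = connection_timeout_sec
        self.failover_after_sec = failover_after_sec    # assumption: "extended period"
        self.buffer_file_size = buffer_file_size        # buffer_file_size in guard_tap.ini
        self.high_water = int(buffer_file_size * buffer_high_water)   # assumption
        self.events: List[str] = []
        self.delivered = 0
        self.dropped = 0      # bytes lost when the buffer file overflows: an audit gap
        self.restart()

    def restart(self) -> None:
        """A restarted S-TAP always tries its primary host first; buffered data survives."""
        self.active = "primary"
        self.buffered = getattr(self, "buffered", 0)
        self.primary_down_for = 0
        self.primary_up_for = 0
        self.events.append("restart -> primary")

    def tick(self, primary_up: bool, secondary_up: bool, new_bytes: int, dt: int = 1) -> str:
        # Track how long the primary has been continuously down / up.
        if primary_up:
            self.primary_up_for += dt
            self.primary_down_for = 0
        else:
            self.primary_down_for += dt
            self.primary_up_for = 0

        if self.active == "primary" and not primary_up and self.secondary:
            # Fail over after an extended outage, or sooner if the buffer is filling up.
            if self.primary_down_for >= self.failover_after_sec or self.buffered >= self.high_water:
                self.active = "secondary"
                self.events.append(f"failover -> {self.secondary} (buffered={self.buffered})")
        elif self.active == "secondary":
            if self.primary_up_for >= 5 * self.connection_timeout_sec:
                self.active = "primary"             # fail back once the primary stayed up long enough
                self.events.append("failback -> primary")
            elif not secondary_up:
                self.active = "primary"             # assumption: retry the primary
                self.events.append("secondary unavailable -> primary")

        # Deliver (flushing the buffer) or buffer, dropping whatever no longer fits.
        target_up = primary_up if self.active == "primary" else secondary_up
        if target_up:
            self.delivered += self.buffered + new_bytes
            self.buffered = 0
        else:
            space = self.buffer_file_size - self.buffered
            if new_bytes > space:
                self.dropped += new_bytes - space
                new_bytes = space
            self.buffered += new_bytes
        return self.active


def simulate(model: StapFailoverModel, seconds: int, primary_up: bool, secondary_up: bool,
             bytes_per_sec: int) -> str:
    for _ in range(seconds):
        model.tick(primary_up, secondary_up, bytes_per_sec)
    return model.active


if __name__ == "__main__":
    m = StapFailoverModel(connection_timeout_sec=60, failover_after_sec=120, buffer_file_size=1000)
    print(simulate(m, 81, primary_up=False, secondary_up=True, bytes_per_sec=10))    # secondary
    print(simulate(m, 299, primary_up=True, secondary_up=True, bytes_per_sec=10))    # still secondary
    print(simulate(m, 1, primary_up=True, secondary_up=True, bytes_per_sec=10))      # primary
    print(m.events, "delivered", m.delivered, "dropped", m.dropped)
```

The second scenario in the test, with no secondary configured, is the one to watch in production: once the buffer file is full, everything the database does until the collector returns is lost, so pair buffer_file_size with an alert on S-TAP status rather than relying on the buffer alone.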

Session Data Failover


When a failover of S-TAP occurs, session information can also be sent over to the
current active Guardium host. See Edit the S-TAP Configuration File for more
information for setting tap_failover_session_size (0 will disable feature) and
tap_failover_session_quiesce.

Restartability
Valid when wait_for_db_exec > 0. When S-TAP restarts, either from a system reboot or from user-initiated S-TAP stop/start commands, S-TAP polls all databases that have been configured to be monitored and begins monitoring each one when it becomes available. A configuration anomaly (on either the database side or the S-TAP side) that prevents S-TAP from monitoring one database does not prevent it from monitoring the other databases with valid configurations: S-TAP starts successfully, monitors all valid configurations, and continues to poll the remaining databases until they become available, then starts monitoring them as well. Use the existing alerts and reports to monitor and report on any failed statuses.
For Oracle, after Oracle is relinked, BEQ traffic is not logged for 15 minutes; this is the interval at which S-TAP checks whether an Oracle device node has changed. Plan for this gap in local-connection monitoring when you relink Oracle.

Proxy Firewall
While S-TAP is normally deployed on a database server, a K-TAP based firewall
can be deployed to a proxy server. By setting the parameter app_server=1 and
utilizing S-GATE, you can monitor traffic that originates from the proxy server. See
Edit the S-TAP Configuration File and S-GATE Actions (Blocking Actions) in the
Policies help topic for more information on setting app_server and using S-GATE
within Policies.

S-TAP Installation Overview


The information required to install S-TAP on a database server consists of:
1. IP address of the database server
2. IP address of the Guardium host that will receive data from S-TAP
Once the S-TAP agent has connected to the Guardium host, all of the remaining
S-TAP configuration parameters can be set from the Administration Console on the
Guardium appliance.
Note: During setup, the S-TAP installer checks whether K-TAP is available for the kernel version. If K-TAP cannot be installed or does not start, the installer asks whether to continue the installation.
Before installing an S-TAP agent, check the Supported Database Environments
matrix below, to make sure that your database and operating system versions are
supported, and that you have enough disk space on the database server.
There are two major tasks you need to perform to install and start using S-TAP.
1. Install the S-TAP agent on a database server. See one of the following topics,
depending on the database server operating system type:
v Unix S-TAP
v Windows S-TAP
2. Once you have installed an S-TAP agent on the database server, see the
following topic to configure the agent to monitor the appropriate traffic:
v Complete the S-TAP configuration from the administrator portal

S-TAP Installation Prerequisites


The following tables list database components that must be installed, at a certain release or patch level, or configured to support S-TAP.

Table 32. Database components
Component | Prerequisite
CAS under HPUX | Java 1.5 or higher is required; see Get Java Information in the Unix S-TAP topic.
CAS under any other Unix | Java 1.4.2 or higher is required; see Get Java Information in the Unix S-TAP topic.
CAS under Windows | If CAS will monitor the MS SQL Server event log, the dumpel.exe program from the Microsoft Windows Resource Kit must be installed on the database server. Check whether this program exists in the c:\Program Files\Resource Kit\ directory. If not, you can download it from Microsoft.
S-TAP, all Unix | If the Tee monitoring method is used, Perl 5.8.0 or later; see Get Perl Information in the Unix S-TAP topic.
Oracle ASO, SSL - all AIX | LDR_PRELOAD (32-bit) or LDR_PRELOAD64 (64-bit) must be installed, and bash must be version 3.0 or later.
Oracle ASO, HPUX 11.11 | LD_PRELOAD must be installed. It is installed by patch PHSS_28436 or later.
TLS | For S-TAP on a Unix server, either /dev/random or /dev/urandom must be present on the server. For both Unix and Windows servers, see Guardium Port Requirements, below, and check the TLS port requirements.

Note: During installation or upgrade with Java 1.6.0, the JVM may report that it is unable to locate a DLL: "The dynamic link library MSVCR71.dll could not be found in the specified path." Work around this either by using a different JVM release, if one is available on the system, or by downloading the DLL from Microsoft (not from a third-party DLL site) and placing it in the Windows system directory.
Table 33. Requirement Type per platform
Requirement Type | HPUX | SOLARIS | AIX | LINUX
file exist | /bin/sh | /bin/sh | /bin/sh | /bin/sh
file exist | /bin/sed or /usr/bin/sed | /bin/sed or /usr/bin/sed | /bin/sed or /usr/bin/sed | /bin/sed or /usr/bin/sed
file exist | tar, awk | tar, awk | tar, awk | tar, awk
file exist | prealloc | dd and /dev/zero | dd and /dev/zero | dd and /dev/zero
file exist | getconf | isainfo | bootinfo | gcc or cc (only for x64 machines)
file exist | uudecode in /usr/bin or /tmp, or perl exist | uudecode in /usr/bin or /tmp, or perl exist | uudecode in /usr/bin or /tmp, or perl exist | uudecode in /usr/bin or /tmp, or perl exist
software ver | sed > 4.x (requires support for in-place substitution, sed -i) | sed > 4.x (requires support for in-place substitution, sed -i) | sed > 4.x (requires support for in-place substitution, sed -i) | sed > 4.x (requires support for in-place substitution, sed -i)
Atap software ver: /bin/sh is bash > 3.x

Operating Systems and Database Types Supported


See the latest System Requirements for IBM InfoSphere Guardium V9.0 from the
IBM website. Search for these keywords "System Requirements for IBM InfoSphere
Guardium".

S-TAP and CAS - Disk Space Requirements

Table 34. Disk Space Requirements (Disk Space: Description)
S-TAP Program files: AIX: 115 MB; HP-UX: 360 MB; Linux: 225 MB; Solaris: 185 MB; Tru64: 115 MB; Windows: 138 MB
CAS Program files including Java (see below): AIX: 309 MB; HP-UX: 630 MB; Linux: 405 MB; Solaris: 390 MB; Tru64: 309 MB; Windows: 277 MB
Buffer file: 100 MB by default. S-TAP uses the buffer file to stage data for transmission to the Guardium appliance. The size is controlled by the buffer_file_size configuration file parameter.
Java: If CAS is used, Java is required. On a Unix server, you must obtain and install Java yourself (due to licensing constraints). In either case, installing Java will require a certain amount of disk space. For space requirements or to download Java, see java.sun.com.
Perl: Unix only. If the Tee data collection mechanism and its optional Hunter component are used, Perl is required. If it has not been installed previously, you must obtain and install it yourself. For space requirements or to download Perl, see the Perl Directory at perl.org.

Guardium Port Requirements


If there is a firewall between Guardium components (for example, a Guardium
appliance and an S-TAP or CAS agent on a database server), you must verify that
the ports used for connections between those components are not being blocked.
Referring to the table below, use your firewall management utility to check (and
possibly open) the appropriate ports. On a Unix system, you can check for
connectivity using the nmap tool. See Check Network Address and Port (Unix).


Ports Used for Unix Database Server Connections

Table 35. Port Requirements
Port   Protocol  Guardium appliance connection to ...
16016  TCP       Clear Unix S-TAP
16017  TCP       Clear Unix CAS
16018  TLS       Encrypted Unix S-TAP
16019  TLS       Encrypted Unix CAS

Ports used for Windows Database Server Connections
Port   Protocol  Guardium appliance connection to ...
8075   UDP       Windows S-TAP heartbeat signal
Note: The Unix S-TAP agent does not use UDP for heartbeat signals, so there is no corresponding Unix port for this function.
9500   TCP       Clear Windows S-TAP
9501   TLS       Encrypted Windows S-TAP
16017  TCP       Clear Windows CAS
16019  TLS       Encrypted Windows CAS

Check Network Address and Port (Unix)

When installing an S-TAP or CAS agent on a database server, it is useful to verify that there is connectivity between the two systems. On a Unix system, you can use the nmap command to check for connectivity, using the following options:
nmap -p <port> <ip_address>

To check that port 16018 (the port Guardium uses for TLS) is reachable at IP address 192.168.3.104, you would enter the following command:
nmap -p 16018 192.168.3.104
Starting nmap V. 3.00
Interesting ports on g4.guardium.com (192.168.3.104):
Port       State  Service
16018/tcp  open   unknown

Secondary Guardium Hosts for S-TAP Agents

If the Guardium appliance designated as the primary host for S-TAP becomes unavailable, S-TAP can fail over to a secondary host. It remains connected to the secondary host until that connection is lost, until the S-TAP is restarted (which will attempt to connect to its primary host first), or until a connection to the primary server has been reestablished and remains up for a period of 5*connection_timeout_sec seconds (configurable in the guard_tap.ini file; the default is 60 seconds).
S-TAP restarts under slightly different conditions, depending on the database server operating system:
- Unix: S-TAP restarts each time configuration changes are applied from the active host.
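As an added illustration (not Guardium code) of the fail-over and fail-back rules above: a small Python simulation in which the polling model, the StapHostSelector class and the sample timeline are assumptions, while the fail-back window is the documented 5*connection_timeout_sec with its 60-second default.

```python
"""Simulation of S-TAP primary/secondary host selection (added example, not
Guardium code). The StapHostSelector class and its polling model are
assumptions; the fail-back rule follows the documented 5*connection_timeout_sec."""

PRIMARY = "primary"
SECONDARY = "secondary"


class StapHostSelector:
    """Tracks which Guardium host a (simulated) S-TAP is connected to."""

    def __init__(self, connection_timeout_sec=60):
        # guard_tap.ini default for connection_timeout_sec is 60 seconds,
        # so the default fail-back window is 300 seconds.
        self.failback_window = 5 * connection_timeout_sec
        self.connected_to = None        # PRIMARY, SECONDARY or None (disconnected)
        self.primary_up_since = None    # time the primary last became continuously reachable

    def restart(self):
        """A restarted S-TAP forgets the secondary and tries its primary host first."""
        self.connected_to = None
        self.primary_up_since = None

    def tick(self, now, primary_ok, secondary_ok):
        """Apply one reachability poll at time `now` (seconds) and return the
        host the S-TAP is connected to afterwards."""
        # Maintain the "primary continuously up since" timestamp.
        if primary_ok:
            if self.primary_up_since is None:
                self.primary_up_since = now
        else:
            self.primary_up_since = None

        if self.connected_to == PRIMARY:
            if not primary_ok:
                # Primary lost: fail over to the secondary if it is reachable.
                self.connected_to = SECONDARY if secondary_ok else None
        elif self.connected_to == SECONDARY:
            if not secondary_ok:
                # Connection to the secondary lost: try the primary again
                # (assumption: a disconnected S-TAP always prefers its primary).
                self.connected_to = PRIMARY if primary_ok else None
            elif primary_ok and now - self.primary_up_since >= self.failback_window:
                # Primary stayed up for the whole fail-back window: fail back.
                self.connected_to = PRIMARY
        else:
            # Disconnected (fresh start or restart): primary first, then secondary.
            self.connected_to = PRIMARY if primary_ok else (SECONDARY if secondary_ok else None)
        return self.connected_to


def run_timeline(events, connection_timeout_sec=60):
    """Feed (now, primary_ok, secondary_ok) polls and return the host after each.
    A tuple (now, "restart") models an S-TAP restart at that time."""
    sel = StapHostSelector(connection_timeout_sec)
    hosts = []
    for event in events:
        if event[1] == "restart":
            sel.restart()
            hosts.append(sel.connected_to)
            continue
        now, primary_ok, secondary_ok = event
        hosts.append(sel.tick(now, primary_ok, secondary_ok))
    return hosts


# Constructed timeline: primary outage at t=10, primary back at t=20, a flap at
# t=400, then stable. Fail-back needs 300 s of continuous primary availability.
SAMPLE_TIMELINE = [
    (0, True, True),      # start: primary
    (10, False, True),    # primary lost: secondary
    (20, True, True),     # primary back, window starts at 20: still secondary
    (200, True, True),    # 180 s < 300 s: still secondary
    (319, True, True),    # 299 s < 300 s: still secondary
    (320, True, True),    # 300 s reached: back to primary
    (330, False, True),   # primary lost again: secondary
    (340, True, True),    # window restarts at 340
    (400, False, True),   # primary flaps: window reset
    (410, True, True),    # window restarts at 410
    (700, True, True),    # 290 s: still secondary
    (720, True, True),    # 310 s: primary
]

if __name__ == "__main__":
    for event, host in zip(SAMPLE_TIMELINE, run_timeline(SAMPLE_TIMELINE)):
        print(f"t={event[0]:>4}s  primary_ok={event[1]!s:5} -> {host}")
```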
Before designating a Guardium appliance as a secondary host for S-TAP, verify the
following:


- The Guardium appliance must be configured to manage S-TAPs. To check this and re-configure if necessary, see Configure Guardium Appliance to Manage Agents.
- The Guardium appliance must have connectivity to the database server where S-TAP is installed. When multiple Guardium appliances are used, they are often attached to disjointed branches of the network.
- The Guardium appliance must not have a security policy that will ignore session data from the database server where S-TAP is installed. In many cases, a Guardium security policy is built to focus on a narrow subset of the observable database traffic, ignoring all other sessions. Either make sure that the secondary host will not ignore session data from S-TAP or modify the security policy on the Guardium appliance as necessary.
To define secondary hosts for an S-TAP, see Define Secondary Guardium Hosts for an S-TAP, under Configure S-TAPs from the GUI.
Note: While S-TAP is normally deployed on a database server, S-TAP can be installed on client-side systems such as application servers and database clients.

S-TAP and Certificates

Note: Guardium does not provide Certificate Authority (CA) services and will not ship systems with different certificates than the one installed by default. A customer that wants their own certificate will need to contact a third-party CA (such as VeriSign or Entrust).
Note: In addition to ensuring that the S-TAP feed to a collector is encrypted, the S-TAP client can also be configured to authenticate the Guardium system it is trying to talk to. This way, in addition to ensuring that the traffic is encrypted, it ensures that the S-TAP is not feeding information to a non-authorized server.
S-TAP Setup
In order to enable Guardium system authenticity verification, three settings need to be enabled in guard_tap.ini in addition to use_tls=1:
1. guardium_ca_path
If guardium_ca_path is set to point to a file containing one or more trusted CA self-signed certificates in PEM format, verification of the Guardium system is performed.
A "system" certificate installed on the Guardium system has to be signed by one of the CAs provided in the file, and the Guardium system has to have the correct corresponding key.
By default, a Guardium self-signed root certificate is provided in our STAP installation (either classic or GIM based). Pointing guardium_ca_path to the file provided by Guardium will ensure that the Guardium system has a key/certificate pair signed by Guardium.
In order to use third-party signed certificates and keys, guardium_ca_path needs to be set to a file containing the CA certificates of the given third party (for example, VeriSign). The Guardium system in that case has to have the key/certificate pair signed by the same third party.
2. sqlguard_cert_cn


In addition to verifying the Guardium system certificate's signature and its possession of the respective private key, a customer can choose to reject certificates whose CN (Common Name) doesn't match a regular expression pattern set by sqlguard_cert_cn.
Note: The same certificate/key pair can be installed on several machines. The customer does not have to buy N certificates for N machines.
3. guardium_crl_path
If this path points to a PEM-encoded file with a Certificate Revocation List from the CA, any Guardium system certificate that has been revoked will be rejected.
The Guardium CRL is provided in the STAP installation (or GIM) and will be updated via software patches and upgrades.
In addition, a customer can manually install a CRL provided by the CA (Guardium or third party).
Since Guardium systems are not assumed to have internet access, no web-based CRL servers are queried automatically.
Guardium system CLI System Certificate-related Commands
There are five CLI commands related to "system" key and certificate management:
- show system certificate
This command prints the system certificate in text format, followed by the Base64-encoded PEM form. The text format only serves the purpose of viewing the certificate details (in particular the CN and the Signer/Serial that can be filtered by the S-TAP). The PEM-encoded part between '---BEGIN CERTIFICATE---' and '---END CERTIFICATE---' is the one that should be used to back up/store/email the certificate to other machines and parties (the BEGIN and END delimiters should always be included together with the Base64-encoded part).
- show system key
This command enables a user to back up/copy the key to other machines. Internally, the key is encoded with a Guardium password, but before the key is displayed to the user in PEM format, the user is required to enter an encryption password. This password is then used to re-encrypt the key with the user-provided password.
Finally, the key is presented in PEM format enveloped with DES3 encryption using the user-supplied password. The user can then store the key relatively safely for backup and distribution to other Guardium systems that are designated to use the same key/certificate pair.
The key should always include the '---BEGIN RSA PRIVATE KEY---' delimiter, the lines in between, and the '---END RSA PRIVATE KEY---' delimiter.
- store system certificate {console | import}
This command enables a user to set the system certificate used by the Guardium system (in communication with S-TAP). The certificate can either be pasted from the console or imported via one of the standard import protocols. The certificate format should be PEM and should include the BEGIN and END delimiters. This certificate needs to be signed by a CA whose self-signed certificate is available to the STAP software through guardium_ca_path.
- store system key {console | import}
This command enables a user to set the system key used. The key needs to match the public part in the certificate. In addition, the key needs to be in an encrypted envelope. The user password used to encrypt it needs to be supplied

during the store process. The store command re-encrypts the key using Guardium's internal code before finally storing it in the system.
Note: Only once both the certificate and the matching key are available on the Guardium system can S-TAP successfully perform Guardium system authentication.
- create system csr
This command can be used to create a Certificate Signing Request in PEM format. The command internally generates the 2048-bit key and issues a set of questions to the user to fill out the CSR form (Country, State/Province, Locality/City, Organization and Organizational Unit). Finally, the user needs to provide the 'Common Name'. As a rule, the common name should include only letters, digits, underscores and dots. It should be a unique identifier for a particular installation and include the company name, department, cluster or Guardium system specific name. However, the instructions from the external CA override those recommendations. For example:
GCluster1DataCenterGuardiumIBM - which stands for GCluster1 in the DataCenter at Guardium, an IBM company
SqlGuard1DataCenterGuardiumIBM - which stands for the SqlGuard1 machine system (might have a failover too)
Provide a valid email when asked, so that you can be contacted by support personnel.
You can leave the challenge password and optional company name blank.
Finally, the Certificate Signing Request will be displayed in readable and PEM-encoded forms.
You should verify the details and send the PEM-encoded part (between '---BEGIN CERTIFICATE REQUEST---' and '---END CERTIFICATE REQUEST---', inclusive) to the CA for signing.
Note: At this point, the system has a new, internally generated key that does not correspond to the system certificate previously installed. This is to ensure that S-TAPs will not feed information while the certificate is being submitted for signing. If you need to ensure continuous operation and S-TAP feed, you will need to disable Guardium system authentication on the S-TAP side during this period.
Once the CSR has been verified, the CA will issue the signed certificate in PEM format. You need to install this certificate using the store system certificate command.
At this point the new certificate and the internally generated key (from the create system csr command) will match and be ready to use for Guardium system authentication by S-TAPs.
Ensure that all certificate-related parameters in the S-TAP configuration file are correct.
If you need to install the same key/certificate on more than one Guardium system, you can use the show system certificate | key commands to export and back them up.
Be extra careful when storing the key (which is encrypted by a user-supplied password) on an external computer or device. Use non-trivial passwords when asked by "show system key".
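Added example, not Guardium code: Python helpers for the material these CLI commands exchange, i.e. extracting a complete PEM block from show system certificate output, checking that a show system key export carries an encrypted envelope, validating a CSR Common Name against the rule above, and applying a sqlguard_cert_cn pattern to a CN. The sample CLI output, the PEM bodies and the 'search' matching semantics of the CN pattern are assumptions.

```python
"""Checks for the certificate material handled by the 'show system
certificate', 'show system key', 'store system ...' and 'create system csr'
commands. Added example, not Guardium code; the sample CLI output and PEM
bodies below are constructed placeholders, not real certificates or keys."""
import re

# PEM labels for the three artifacts the CLI commands exchange.
PEM_LABELS = {
    "certificate": "CERTIFICATE",
    "key": "RSA PRIVATE KEY",
    "csr": "CERTIFICATE REQUEST",
}


def extract_pem_block(text, kind):
    """Return the PEM block of `kind` (BEGIN/END delimiters included, text
    preamble dropped) from CLI output, or None if the block is incomplete or
    damaged. Standard PEM delimiters use five dashes; the book abbreviates them."""
    label = PEM_LABELS[kind]
    pattern = re.compile(
        r"-----BEGIN " + label + r"-----\r?\n(.*?)-----END " + label + r"-----",
        re.DOTALL,
    )
    m = pattern.search(text)
    if m is None:
        return None
    for line in m.group(1).splitlines():
        if not line.strip():
            continue
        if ":" in line:  # Proc-Type: / DEK-Info: headers of an encrypted key
            continue
        # Anything that is not base64 means the paste picked up stray text.
        if not re.fullmatch(r"[A-Za-z0-9+/=]+", line.strip()):
            return None
    return m.group(0)


def key_export_is_encrypted(pem):
    """True when a 'show system key' export carries the encrypted-envelope
    headers OpenSSL writes for password-protected PEM keys (DES3 = DES-EDE3-CBC)."""
    block = extract_pem_block(pem, "key")
    if block is None:
        return False
    return "Proc-Type: 4,ENCRYPTED" in block and "DEK-Info: DES-EDE3-CBC" in block


def valid_csr_common_name(cn):
    """Rule given for 'create system csr': letters, digits, underscores and dots only."""
    return re.fullmatch(r"[A-Za-z0-9_.]+", cn) is not None


def cn_accepted(cn, sqlguard_cert_cn):
    """Apply a sqlguard_cert_cn regular expression to a certificate CN.
    Assumption: 'search' semantics, so anchor the pattern with ^...$ for an exact match."""
    return re.search(sqlguard_cert_cn, cn) is not None


# Constructed 'show system certificate' output: text details, then PEM.
SAMPLE_SHOW_CERT = """Certificate:
    Data:
        Serial Number: 4660 (0x1234)
        Issuer: CN=Guardium Root CA (constructed)
        Subject: CN=GCluster1DataCenterGuardiumIBM
-----BEGIN CERTIFICATE-----
MIIBxzCCAXGgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEL
Q09OU1RSVUNURURfUExBQ0VIT0xERVJfTk9UX0FfUkVBTF9DRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
"""

# Constructed 'show system key' export with the DES3 envelope headers.
SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURURfUExBQ0VIT0xERVJfTk9UX0FfUkVBTF9LRVk=
-----END RSA PRIVATE KEY-----
"""

# Constructed unencrypted key: must never be stored or shipped in this form.
SAMPLE_PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURURfUExBQ0VIT0xERVJfTk9UX0FfUkVBTF9LRVk=
-----END RSA PRIVATE KEY-----
"""
```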


Configure Guardium appliance to manage agents

Any Guardium appliance that acts as an S-TAP or CAS host must be configured with the stap unit type.
To verify this, and to change the unit type if necessary, follow the procedure outlined below.
1. Log on to the administrator portal of the Guardium appliance and check if the Administration Console menu contains a Local Taps section between the Central Management and Guardium Definitions sections.
- If the menu does contain a Local Taps section, its unit type is set correctly to manage S-TAP and CAS agents. Skip the remainder of this procedure.
- If the menu does not contain a Local Taps section, complete this procedure to enable the management of S-TAP and/or CAS agents.
2. Log out of the Guardium administrator portal.
3. From an SSH client window, log in to the Guardium appliance CLI as the cli user:
ssh -l cli 192.168.2.16

See CLI Overview for more information on using the Guardium appliance CLI.
4. Enter the following two commands:
store unit type stap
restart inspection-core

See Configuration and Control CLI Commands and Inspection Engine CLI Commands respectively for more detailed information on these two commands.
5. Enter the quit command to log out of the Guardium appliance CLI.
6. Log on to the administrator portal of the Guardium appliance again, and verify that the Local Taps section now appears in the Administration Console menu.


Unix S-TAP
Use this section for Unix S-TAP configuration and installation information.
Note: Because of the complexity and diversity of environments, this section contains quite a few notes that could, if not read carefully and followed, cause installations/upgrades to fail or work improperly. While not all-inclusive, for ease of finding some of these notes, the following sections are listed to aid the reader in pinpointing areas that require careful and special attention.
- Live vs. Non-Live K-Tap upgrade (Solaris, AIX, HP-UX)
- UID Chains (Solaris Zones, AIX WPAR, Solaris 8/9, Solaris 11 SPARC)
- Before Installing S-TAP on a Unix Host (Solaris Zones)
- Maintain Unix S-TAP with GIM (IBM DB2 pureScale)
- Install Unix S-TAP (Linux, AIX)
- Upgrade Procedure Utility (SUSE 11, HP-UX)
- Remove Previous Unix S-TAP (Manual) (HP-UX, AIX WPAR)
- A-Tap Installation (Solaris Zones)
- A-Tap Configuration (Oracle, DB2)
- A-Tap DB Instance Activation (Solaris Zones)
- A-Tap Configuration Pitfalls and Mistakes (Oracle, DB2, Informix)
- A-Tap Procedure to help ensure A-Tap works under Solaris Zones/AIX WPARs (Solaris Zones, AIX WPAR, Solaris 10/11)
- A-Tap Procedure when working with Oracle Patch Installations (Solaris, Solaris Zones)

Unix S-TAP monitoring mechanisms

Depending on how it is installed and configured, Unix S-TAP collects traffic using a variety of mechanisms. Regardless of the mechanism used, the traffic is filtered so that only database-related traffic for specific sets of client and server IP addresses is collected.
PCAP
PCap is a packet-capturing mechanism that listens to network traffic from and to a database server. In a Unix environment, since K-Tap captures all network traffic, PCap is rarely used. In a Windows environment PCap is used to capture non-encrypted network traffic (except for IA64). Also, on Linux, PCap is used to capture local TCP/IP traffic on the lo device.
KTAP
K-Tap is the recommended mechanism to collect local and network traffic on a Unix database server. Unlike the Tee (see below), with K-Tap you do not need to change how database clients connect to the server. K-Tap is a kernel module that is installed into the operating system. Once installed, it can be enabled or disabled using a configuration file setting. When enabled, it observes access to a database server by hooking the mechanisms used to communicate between the database client and server. When K-Tap is disabled, the Tee can be used to monitor local traffic (see below). K-Tap and Tee are almost always mutually exclusive: to monitor local access you either use K-Tap or the Tee.


At installation time, you choose whether or not to load the K-Tap kernel module into the server operating system. This is the only way to load that module. If you do not load K-Tap initially, and decide later that you want to use it (instead of the Tee, described below), you will need to remove S-TAP and then re-install it.
Note: If K-Tap fails to load properly during installation, possibly because of hardware or software incompatibility, the Tee will be installed as the default collection mechanism. To switch back to K-Tap after compatibility issues have been resolved, follow the steps outlined in Switching from Tee to K-Tap.
Note: On Solaris 11 only: if the Tee is not installed initially, either a re-install is required or the Tee must be installed manually.
ATAP
Some traffic can only be tapped at the database server application level. This may be required because the DBMS uses its own encryption, or because of other internal database implementation details. For these cases, the A-Tap (application-level tapping) mechanism monitors communication between internal components of the database server. A-Tap depends on K-Tap (it uses K-Tap as a proxy to pass data to S-TAP), and it must be configured separately for each database instance to be monitored.
A-Tap is used for monitoring the following:
- ASO encrypted traffic for Oracle (versions 9, 10 and 11) on AIX, HPUX, Solaris and Linux
- SSL encrypted traffic for Oracle (versions 10 and 11) on Linux, AIX, Solaris and HPUX (platforms supporting LD_PRELOAD)
- SSL encrypted traffic for Sybase (version 15) on AIX (AIX 5.3 with LDR_PRELOAD patch or newer only), Solaris (SPARC), and Linux (32-bit)
- Shared memory traffic for DB2 and Informix on Linux
A-TAP configuration on AIX, part 1
On AIX, there is a step in the configuration of ATAP that does not exist on other platforms: instrumentation. This step is only used for the Oracle database (the step is also called Oracle relink). This extra step must be done prior to activating ATAP.
Instrumentation is required in the following cases: Oracle versions 7, 8, 9, 10, and 11.1; and Oracle version 11.2 for SSL encryption.
Instrumentation is not required in the following case: Oracle version 11.2 for ASO encryption.
To configure ATAP with instrumentation (overview):
- authorize the user with 'guardctl authorize'
- instrument with 'guardctl instrument', specifying "db-use-instrumented=yes"
- activate either (1) manually, with 'guardctl activate', specifying "db-use-instrumented=yes", or (2) automatically, by setting 'encryption=1' in the inspection engine
To configure ATAP without instrumentation (overview):
- authorize the user with 'guardctl authorize'


- activate either (1) manually, with 'guardctl activate', specifying "db-use-instrumented=no", or (2) automatically, by setting 'encryption=1' in the inspection engine.
A-TAP and AIX Support, part 2
Note: In a GIM installation, when configuring A-TAP, always run guardctl from this directory: <installdir>/modules/ATAP/current/files/bin/guardctl
For all versions of AIX, authorize the user first, for example "guardctl authorize_user oracle11".
In previous versions:
Version 8.1: run the instrument command as the DB user, and the activate command as root, for all AIX versions (AIX 5.2, 5.3, 6.1, 7.1).
Version 8.2: run the instrument and activate commands as root, for all AIX versions (AIX 5.2, 5.3, 6.1, 7.1).
Version 9.0:
For AIX 5.2: no support for ATAP (if needed, use v8.2).
For AIX 5.3 with oslevel <= 4: no support for ATAP (if needed, use v8.2).
For AIX 5.3 with oslevel >= 5, AIX 6.1, 7.1:
For Oracle 11.1, static instrumentation (Oracle relink) is required.
On Oracle 11.2, if the user is using Oracle ASO encryption, then no instrument step is needed. However, if the user is using SSL encryption, then the instrument step IS needed.
(1) For Oracle 8/9/10/11.1, to install ATAP you need to: authorize the user (guardctl authorize), instrument the database (guardctl instrument), and either (a) set encryption=1 in tap.ini or (b) activate the database (guardctl activate with db-use-instrumented=yes).
(2) For Oracle 11.2, to install ATAP you need to authorize the user (guardctl authorize), and either (a) set encryption=1 in tap.ini or (b) activate the database (guardctl activate with db-use-instrumented=no).
Note that method (1) will work for Oracle 11.2 as well and can be safely used in all cases.
For WPAR: run the activate command as root using the guardctl utility.
To show the technology level, use the "oslevel -s" command.
Tee
Tee is a proxy mechanism that reads and forwards traffic from local clients to a database server. As the Tee receives database traffic, it forwards one copy to the database server and one copy to S-TAP. When the Tee is used, database clients must connect to the Tee listening port instead of the database listening port. This means that you must either modify how the database client connects to the server, or how the database server accepts client connections. In either case, this is usually a minor configuration change to one or two files (depending on the database type), and the end result is that, as far as the clients are concerned, the Tee is the database, and as far as the database is concerned, the Tee is the client. All this is transparent to both the clients and the server, but the configuration change is required to ensure that the connection is made through the Tee.

When the Tee is used, database clients can bypass the Tee by connecting to the database listening port (instead of the Tee listening port), or by using named pipes, shared memory, or other inter-process connection mechanisms, depending on the database type. For detailed information about configuring clients to connect to the Tee, see Prepare for Local Clients to Use the Tee.
We refer to any connections that are not made through the Tee listening port as rogue connections. When the Tee is used, you can enable an optional component called the Hunter to watch for, report upon, and optionally disable rogue connections. The Hunter runs at random intervals, so it may not detect all such connections, and while it can report on rogue connections and optionally disable them, it cannot audit what actions were performed by those connections. Another aspect of the Hunter is that when it wakes up to hunt for rogue connections, it can be CPU-intensive, so if you look at the Hunter process at that instant, it may appear to be consuming a lot of server CPU resource. (The CPU use will drop quickly after a momentary spike.)
Note: To use the Hunter, version 5.8.0 or later of Perl must be installed in the /usr/bin/ directory.
K-Tap upgrades - live vs. non-live
K-Tap upgrades support a live, reboot-less upgrade through the use of the mandatory parameter KTAP_LIVE_UPDATE. This parameter must be set during every upgrade and is controlled through the GUI or the BUNDLE-STAP/KTAP installers.
- Before running a live update, either through GIM or the shell installers, you must make sure no process is using the K-Tap device. S-TAP must be stopped and A-Tap must be deactivated. Run "fuser /dev/ktap_xxx" or "lsof | grep ktap_xxx" (where xxx is the old version number) to see if any process is holding the device open. Failure to do so can result in unpredictable behavior.
- From the GUI, the new KTAP parameter KTAP_LIVE_UPDATE will be initialized (blank) every time an upgrade is requested. Just like any other uninitialized mandatory parameter, it must be set before continuing with the upgrade process.
The valid values for the new parameter are:
Y/y: a live (reboot-less) KTAP upgrade
N/n: a non-live KTAP upgrade (requires a system reboot in order to complete the upgrade)
- When upgrading KTAP by running the KTAP/BUNDLE-STAP installers directly on the DB server, the new feature requires specifying a new argument on the installer command line: --live_update [Y|N].
- After a K-Tap live upgrade:
The first SQL for an existing session after updating K-Tap will not be captured.
Existing ATAP sessions on a Solaris local zone will not be logged.
It is possible that some processes will still be referencing memory in the old K-Tap module. In this scenario, the module refuses to free the resources, to prevent future instability. When this happens, the


user should, after those resources are no longer being used, try a manual cleanup by running the guard_ktap_cleanup script that is kept in the ktap directory.
On HP-UX 11.11, the old K-Tap module will no longer be installed, but it will still show up as registered when you execute 'kmadmin -s | grep tap'. The module needs to be manually unregistered with 'kmmodreg -U ktap_<version>'.
On Solaris and AIX, the old devnodes will not be automatically deleted after a reboot and need to be removed manually.
Exceptions:
- If the DB server has a version installed that was not installed through GIM, and the non-GIM KTAP version is not the same as the KTAP version being installed, the value of KTAP_LIVE_UPDATE will be ignored, since an upgrade from a non-GIM version requires a system reboot.
- In a scratch installation, the KTAP_LIVE_UPDATE value will be ignored.
- If the system is being "upgraded" from a non-GIM version to the same GIM version, the system doesn't need to be rebooted.
- You can NOT reinstall a previously installed K-Tap version without rebooting the machine.
Error Handling:
- In the event of a failure, it's extremely important to check the GIM Events List report, since some failures will require a system reboot in order to fully recover.
K-Tap and UID Chains
UID chain is a mechanism which allows S-TAP (by way of K-Tap) to track the chain of users that occurred prior to a database connection. For example, a user may have changed users several times before connecting to the database; perhaps he ran "ssh informix@barbet", then "su - db2inst1", then "su - ", then "su - oracle9" before finally running "sqlplus scott/tiger@onora1". With UID Chains, Guardium can trace this process back to the process that called it, and so on back to the original (offending) user.
Note:
- For Solaris Zones, we may have the user ids instead of user names in the UID Chain.
- For Solaris Zones and AIX WPAR, db2bp_path in the guard_tap.ini file should point to the full path of the db2bp executable, that is, the full path of the relevant db2bp as seen from the global zone/WPAR.
- No UID Chains for Inter-process Communication (IPC) on Solaris 8/9.
- When using any database, the UID chain is not logged for sessions that are very short.
- Setting hunter_trace is required for TCP/IP connections on UNIX S-TAP and should be set according to:
For regular installations, setting hunter_trace = 1 will enable uid_chain for local TCP/IP connections.
For appserver connections, hunter_trace needs to be set to 2.
For Solaris zones and AIX WPARs, hunter_trace needs to be set to 3 to capture zone/WPAR connections.
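The chain-walking idea described above, as an added Python example rather than Guardium code: a constructed process table for the ssh/su/sqlplus scenario is walked from the database client process back to the login daemon. The table, the skipping of su helper processes, the stop rule and the optional id-to-name map (for the Solaris Zones case where ids rather than names may be logged) are assumptions made for the illustration.

```python
"""Reconstruct a UID chain from a process table, mirroring what the text
describes S-TAP/K-Tap recording before a database connection. Added example,
not Guardium code: the process table is constructed and the rules for walking
it (skip 'su' helper processes, stop at the login daemon) are assumptions."""

# Constructed process table: (pid, ppid, effective user, command).
# It models the documented scenario: ssh informix@barbet, su - db2inst1,
# su -, su - oracle9, then sqlplus scott/tiger@onora1.
SAMPLE_PROCS = [
    (1,   0,   "root",     "init"),
    (800, 1,   "root",     "sshd"),                        # login daemon
    (801, 800, "informix", "sshd: informix@pts/0"),        # session child
    (802, 801, "informix", "-bash"),
    (803, 802, "root",     "su - db2inst1"),               # setuid helper
    (804, 803, "db2inst1", "-bash"),
    (805, 804, "root",     "su -"),
    (806, 805, "root",     "-bash"),
    (807, 806, "root",     "su - oracle9"),
    (808, 807, "oracle9",  "-bash"),
    (809, 808, "oracle9",  "sqlplus scott/tiger@onora1"),  # the DB client
    (901, 800, "dba",      "sshd: dba@pts/1"),             # a second, direct session
    (902, 901, "dba",      "-bash"),
    (903, 902, "dba",      "sqlplus / as sysdba"),
]

# Constructed zone-style table where only numeric ids were recorded.
SAMPLE_ZONE_PROCS = [
    (1,  0,  "0",    "init"),
    (10, 1,  "0",    "sshd"),
    (11, 10, "1001", "sshd: pts/0"),
    (12, 11, "1001", "-bash"),
    (13, 12, "0",    "su - oracle9"),
    (14, 13, "1002", "-bash"),
    (15, 14, "1002", "sqlplus"),
]
ZONE_UID_NAMES = {"1001": "informix", "1002": "oracle9"}


def index_by_pid(procs):
    return {pid: (ppid, user, cmd) for pid, ppid, user, cmd in procs}


def uid_chain(procs, pid, uid_names=None):
    """Walk from the database client process `pid` up to the login daemon and
    return the users in the order they were assumed: original login user first,
    the user that opened the database connection last. Consecutive repeats are
    collapsed and 'su' helpers (which run as root while switching) are skipped.
    `uid_names` optionally maps numeric ids to names."""
    table = index_by_pid(procs)
    chain = []
    while pid in table:
        ppid, user, cmd = table[pid]
        if ppid == 1:
            break  # reached a daemon such as sshd: the login boundary
        if cmd.split()[0] != "su":
            if uid_names and user in uid_names:
                user = uid_names[user]
            if not chain or chain[-1] != user:
                chain.append(user)
        pid = ppid
    chain.reverse()
    return chain


def format_chain(chain):
    """Render like an audit field: 'informix -> db2inst1 -> root -> oracle9'."""
    return " -> ".join(chain)


if __name__ == "__main__":
    for pid in (809, 903):
        print(pid, format_chain(uid_chain(SAMPLE_PROCS, pid)))
    print(15, format_chain(uid_chain(SAMPLE_ZONE_PROCS, 15, ZONE_UID_NAMES)))
```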

Purging of UID Chain Records

UID Chain Records older than 2 hours are purged when the regular inference process runs. Also, the purge objects process purges records older than 1 day every night.
Discovery Agent
Guardium's Discovery Agent is an optional software agent installed on a database server system. Its purpose is to detect database instances running on the database server and report them back to the Guardium appliance.
For the Discovery Agent to work, the following steps/prerequisites must be performed/adhered to:
- The GIM client must be installed on the database server
- The S-TAP bundle must be installed first on the database server using the GIM installation method
- All databases on the database server that you would like discovered must be started
- Install the Discovery bundle through GIM
- On a Solaris zones architecture, when DB2 instances are running on slave zones, Discovery will not discover the DB2 shared memory parameters
After the Discovery Agent has been installed, newly discovered databases can be seen in the Discovered Instances report. From this report, datasources and inspection engines can quickly be added using the GuardAPI Input Generation tools.
If databases on the database server are not operational (started) or will be added later, the Discovery Agent can still discover these instances if the Discovery Agent is cycled (disabled and then enabled) on that database server. See GIM - GUI on page 557 (Guardium Installation Manager) for more information on modifying installed module parameters. For the Discovery Agent this requires modifying the discovery_enabled parameter to 2 (disabled) and then back to 1 (enabled) to cycle properly.
Note: The Discovery Agent reports its findings back to the primary S-TAP target, NOT to the system listed as GIM_URL or the secondary S-TAP target.

Before Installing S-TAP on a UNIX Host

Note: During the setup installation, the S-TAP installer checks if the KTAP is available for the kernel version. If KTAP cannot be installed or does not start up, the user is asked whether to continue the installation.
- If you are installing on a Guardium appliance, the install will install into /usr/local/guardtap instead of the normal default of /usr/local/guardium on database servers. This should be taken into consideration when reading this, or other, documentation that refers to the default location for database servers. As an example, for a Guardium appliance the default configuration file and uninstall script would be at /usr/local/guardtap/guard_stap/guard_tap.ini and /usr/local/guardtap/guard_stap/uninstall respectively.
- If you are upgrading S-TAP, you can remove the previous version first (see Remove Previous Unix S-TAP, below), or you can use the new Unix upgrade procedure, also below: Upgrade Procedure Utility.
- When installing S-TAP in a Solaris zones configuration, regardless of the zone in which the database runs, S-TAP must be installed on the master zone (global


zone) since the local zones shares information from the master zone. Also, both
"DB Install Dir" path and "Process Name" in the Inspection Engine has to be
from the global zone also. (From the global zone, S-TAP monitors access to
databases in all zones.)
Note: At the end of the installation :
K-Tap will not be loaded on the local zone as it is only loaded on the global
but is visible on the local zones
S-TAP will not be running on the local zones
v Obtain the IP address of the database server on which you are installing S-TAP.
If virtual IPs are used, note those as well (you will need to configure those later,
when completing the configuration from the administrator portal).
v Obtain the IP address of the Guardium appliance that will control this S-TAP,
and to which this S-TAP will report.
v If there is a firewall between the Guardium appliance and the database server,
verify that the ports used for connections between those components are not
being blocked. See Guardium Port Requirements in the S-TAP Installation
Overview.
v Choose the monitoring method to be used by S-TAP:
K-Tap is a kernel module, and it supports all protocols and connection
methods (TCP, TLI, SHM, Named Pipes, etc.)
TEE is not a kernel module, and supports only TCP connections. In this
configuration there is an option to alert on rogue connections. See the
description of the S-TAP monitoring mechanisms, in the Overview topic
above. This option requires Perl. See Get Perl Information, below, to verify
that you have the correct version of Perl.
v Decide if you want to install the CAS agent. (The Configuration Auditing
System is a separate product.) If so, see Get Java Information, below, to verify
that you have the correct distribution and version of Java, and to obtain the
JAVA_HOME directory location.
v Decide if you need to install A-Tap, which is an add-on product. If so, see
Configure A-Tap, below.
v Check the S-TAP Prerequisites topic in the S-TAP Overview to see if any
additional software components must be installed or configured in a particular
way for S-TAP.
v For Oracle, TCP redirect is not captured unless "tcp_redirect" is included in the
intercept_types parameter in the guard_tap.ini file. See Default Unix S-TAP
configuration file on page 463 for details.
v If you decide to have S-TAP run as the guardium user, some databases or
protocols may stop working because of permission levels. The solution is either
to run S-TAP as the root user or to make sure the database path or executable
file has permissions that allow the guardium user to read it. Depending on your
environment, you may experience the following limitations:
wait_for_db_exec may not work. For clusters, check that the database path or
executable file has permissions that allow the guardium user to read it.
Databases in AIX Wpars and Solaris zones may not work; check the permissions
on the install path or executable file.
For Oracle BEQ, S-TAP should be restarted after the database is started or
restarted.
For Informix shared memory, S-TAP should be restarted after the database is
started or restarted.
For DB2 shared memory, if shmctl fails because of a permission issue, then in
most cases S-TAP should be changed to run as root:
- If the shared memory segment has read permission for the group, make sure
the DB2 instance owner has been added to the guardium group. Even so, only
one DB2 configuration per server can be supported this way.
- If the shared memory segment has read permission for the DB2 user only,
S-TAP has to run as root. (For example, open a DB2 shared memory session,
run the command "ipcs -ma", and check the MODE column in the output.)

Maintain Unix S-TAP with GIM

The automatic and simple installation capabilities of the Guardium Installation
Manager (GIM) make it the primary installation method for Guardium modules
such as S-TAP and CAS in a Unix environment. After a simple wizard-driven
installation of a GIM Client on the database server, installation of modules can
easily be scheduled from the Guardium appliance (GIM Server).
See Installing GIM on the Database Server (Unix) and Guardium Installation
Manager (GIM) - GUI for additional information on installing and using GIM to
install Guardium components in a Windows environment.
Note: If A-Tap is being used, A-Tap must first be disabled on the database server
before performing a GIM-based S-TAP upgrade or uninstall.
Note: In an IBM DB2 pureScale environment, perl must be accessible during a
reboot to ensure that S-TAP is started.

Maintain Unix S-TAP without GIM

While GIM has been provided for ease of installation and management of
Guardium components, there are still environments that may benefit from a more
manual approach or need to fine-tune the installation at a lower level of
granularity. The following section is provided for those environments.
v Install Unix S-TAP
v Install S-TAP from the Command Line
v Install CAS from the Command Line
v Upgrade Procedure Utility
v Remove Previous Unix S-TAP (Manual)
v Command Line Update for K-Tap (Manual)
v Stop Unix S-TAP
v Restart Unix S-TAP
v Determine Unix S-TAP Version Number
v Use Unix S-TAP Native Installers

Install UNIX S-TAP


To install Unix S-TAP, run the appropriate installation script, as described below. If
any stage of the installation fails, undo all of the steps up to that point. Do not
leave S-TAP partially installed.
1. Log on to the database server system using the root account.


2. Some companies require the use of native installers to register packages on the
system, or to perform other house-keeping functions. If this is a requirement
for you, see Use Unix S-TAP Native Installers, below, before continuing with
the next step.
3. Copy the appropriate S-TAP installer script from the Guardium Installation
DVD (or network), to the local disk on the database server. The installer script
name identifies the database server operating system. See full list of Unix
Installer Files to select the correct file.
4. For Linux only. The S-TAP installer includes all of the K-Tap modules built for
the supported Linux kernels. If the module for your kernel is not among the
modules bundled with the S-TAP installer, the module file can be copied to the
system via FTP/SSH, and the --modules option then used to specify the K-Tap
module, including its full path.
As an example, assuming the modules will be in the /tmp directory:
./guard-stap-guard-8.0.xx_r20992_1-rhel-5-linux-x86_64.sh -- --modules /tmp/modules-guard-8.0.xx_r20992_1.tgz

or for a non-interactive installation:

./guard-stap-guard-8.0.xx_r20992_1-rhel-5-linux-x86_64.sh -- --modules /tmp/modules-guard-8.0.xx_r20992_1.tgz --ni --tls 1 -k --dir /usr/local -

5. For any modules needed that are not supported in the current distribution,
obtain via FTP the modules-<stap version>.tgz file and copy it to the /tmp/
folder on the destination server.
6. Decide how you will run the installer:
v Non-interactive mode is recommended for larger S-TAP deployments (10 or
more servers). To use this mode, skip the remainder of this procedure and
go to Install Unix S-TAP from the Command Line, below.
v Interactive mode is recommended for smaller deployments (less than 10
servers). Continue with this procedure for interactive mode.
7. Run the installer and respond to the legal notification and other prompts, as
directed by the installer. We suggest that you accept all of the supplied
defaults.
The installer opens the S-TAP configuration file for editing, under vi.
Although you can modify all of the configuration file properties at this time,
we strongly recommend that you modify only the properties described below.
Setting these properties will allow you to start the S-TAP and connect to the
Guardium appliance. After that, you can complete the configuration from the
administrator portal of the Guardium appliance, which is easier and safer
than editing the configuration file manually.
8. After the installer opens the configuration file under vi, locate and set the
following required parameters:
tap_ip=your_physical_database_server_ip_address Enter the symbolic name or
IP address of the physical database server.
sqlguard_ip=guardium_appliance_ip_address Enter the IP address of the
primary Guardium host for this S-TAP. The primary host is the one that S-TAP
will try to connect with each time that it restarts. You can identify secondary
(failover) Guardium hosts later, from the Guardium administrator portal.
Note: If a hostname entered for tap_ip, or alternate_ips, is configured to
resolve to the loopback IP, it needs to either be changed to resolve to a real IP
or the real IP needs to be entered.

Note: Additional parameters might need to be set depending on your
intended configuration and environment. See additional sections in this guide
as well as the Default Unix S-TAP configuration file for parameters and their
usage.
9. Depending on the monitoring method to be used, set the two parameters as
shown in the following table:
K-Tap Monitoring: Kernel module installed. Monitor all local connections to the
database.
ktap_installed=1
tee_installed=0
Tee Monitoring: No kernel module installed. Monitor only TCP connections.
ktap_installed=0
tee_installed=1

10. Use the :wq command to save the configuration file and quit vi. The install
program will check the parameter values you have set. If they are OK, it will
continue to the next prompt. Otherwise, you will need to correct any erroneous
parameters and then save the file again.
11. Respond to the CAS installation prompt, and if installing CAS enter the name
of the JAVA_HOME directory (see Get Java Information, below).
12. For AIX only. Restart the database service and the listener if on AIX. All others
can skip this step.
13. Complete the S-TAP configuration from the administrator portal. See
Configure S-TAPs from the GUI.
14. If you are using the Tee to monitor local connections, perform the appropriate
procedure below:
v Prepare for Local Unix DB2 Clients to Use the Tee
v Prepare for Local Unix Informix Clients to Use the Tee
v Prepare for Local Unix Oracle Clients to Use the Tee
v Prepare for Local Unix Sybase Clients to Use the Tee
15. Once S-TAP is installed, for database instances that need to be monitored by
A-Tap, add the database user to the guardium group. This group is created by
the S-TAP installer, and users can be added by the system administrator using
the usermod utility.
As an example, where oracle is the user ID of the OS user for the Oracle
database and sybase15 is the user ID of the OS user for the Sybase 15 database:
usermod -a -G guardium oracle
usermod -a -G guardium sybase15
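The values set in steps 8 and 9 are the ones the installer validates when the file is saved, and the Note above about hostnames that resolve to loopback is a common reason for an S-TAP that starts but never reports. The shell script below is an added example, not Guardium's own code: it checks a guard_tap.ini for the required parameters before S-TAP is started. The sample file it builds is constructed for the demo, and the loopback check inspects only the literal value (resolving the hostname is left as a note in the code).

```shell
#!/bin/sh
# Added example (not Guardium's own code): preflight check of the guard_tap.ini
# parameters the installer asks for: tap_ip, sqlguard_ip, ktap_installed and
# tee_installed.

# ini_get FILE KEY: print the value of KEY (first "key=value" line, whitespace trimmed).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# is_loopback NAME: succeed if NAME is the literal localhost or a 127.x.x.x address.
# (Assumption: only the literal is inspected; on a real server also resolve the
#  name, e.g. with "getent hosts NAME", since the Note above concerns hostnames
#  that resolve to loopback.)
is_loopback() {
    case "$1" in
        localhost|127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_guard_tap_ini FILE: print one line per problem found; return 0 when clean.
check_guard_tap_ini() {
    f=$1
    rc=0
    tap_ip=$(ini_get "$f" tap_ip)
    sqlguard_ip=$(ini_get "$f" sqlguard_ip)
    ktap=$(ini_get "$f" ktap_installed)
    tee=$(ini_get "$f" tee_installed)

    if [ -z "$tap_ip" ]; then
        echo "tap_ip is not set"; rc=1
    elif is_loopback "$tap_ip"; then
        echo "tap_ip '$tap_ip' is a loopback address; enter the server's real IP"; rc=1
    fi
    if [ -z "$sqlguard_ip" ]; then
        echo "sqlguard_ip (primary Guardium appliance) is not set"; rc=1
    fi
    # Exactly one monitoring method may be selected (K-Tap or Tee).
    case "${ktap:-0}${tee:-0}" in
        10|01) ;;
        *) echo "set exactly one of ktap_installed=1 / tee_installed=1" \
                "(got ktap_installed=${ktap:-unset}, tee_installed=${tee:-unset})"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed sample file (not taken from a real server).
sample=$(mktemp)
printf '%s\n' '[TAP]' 'tap_ip=localhost' 'sqlguard_ip=10.0.0.9' \
    'ktap_installed=1' 'tee_installed=1' > "$sample"
if check_guard_tap_ini "$sample"; then
    echo "guard_tap.ini looks ready"
else
    echo "fix the problems above before starting S-TAP"
fi
rm -f "$sample"
```

Run it as check_guard_tap_ini /usr/local/guardium/guard_stap/guard_tap.ini after step 10 and before starting the agent; a non-zero exit means at least one of the required settings would have to be corrected in vi first.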

Install S-TAP from the Command Line


You can supply all of the parameters needed to install Unix S-TAP from the
command line. In fact, if you are installing the same operating-system version of
S-TAP on multiple database servers, you can perform the task by running a single
command, using the -tapfile parameter.
Installer Script Command Line Syntax
Variables are shown enclosed in angled brackets: < >. Each component is described
below.


usage: guard-stap-setup -- [--modules <linux modules files>] [--ni] [--tls <0|1>|-k|-t|--dir <dir>|--tapip <tapip>|--sqlguardip <sqlguardip>|--tapfile <file>|--ktap_allow_module_combos] [--presets <presets-file> | <preset-option-list>...]
<guard-stap-setup> is the name of the script file. -- is required at the beginning of
the command line for compression.
--modules is the tgz file, with all the compiled kernel modules, include full path to
tgz file
--ni indicates that the shell is being run in non-interactive mode.
The --tls flag does the following:
--tls 0 sets use_tls to 1 and failover_tls to 0 (this is the same as in v8.2)
--tls 1 sets use_tls to 1 and failover_tls to 1 (this is the same as in v8.2)
--tls force sets use_tls to 1 and failover_tls to 0
--tls failover sets use_tls to 1 and failover_tls to 1
--tls none sets use_tls to 0 (this is the default if --tls is not specified)
Usage: [--tls force | failover | none]
--tls specifies that the S-TAP and collector communication is in TLS protocol with
failover 0 or 1.
0 - do not failover. If fails to connect to collector, keep on trying using TLS.
1 - failover to non-tls protocol, if fails to connect to collector, failover to non-secure
protocol
-k indicates that K-Tap should be installed, or
-t indicates that the Tee should be installed.
--dir <s-tap_dir> identifies the S-TAP installation directory.
--tapip <ip_address> specifies the IP address of the database server. Omit if
--tapfile is used.
--sqlguardip <guardium_ip> specifies the IP address of the Guardium appliance.
Omit if --tapfile is used.
--tapfile <file> identifies a text file listing one or more servers on which the S-TAP
agent is to be installed. Using the non-interactive install for Unix S-TAP, the
tapfile parameter uses the format of the guard_tap.ini file. For example, the content
of a tapfile can be: tap_ip=suse32, sqlguard_ip=x04. tap_ip is the IP address of the
database server, and sqlguard_ip is the IP address of the Guardium appliance.
There is another parameter, --ipfile, to process a hostname list.
There are now two parameters:
--tapfile, which accepts an old guard_tap.ini file and extracts information from that
file, and
--ipfile, which accepts a file with many hostname/IP address entries.
The --ipfile is an ASCII text file, with as many lines as desired. Each line is of this
form: hostname hostip sqlguardip
For instance:
loki 9.70.144.116 9.70.148.105
waxwing 9.70.144.162 9.70.148.105
If there are multiple lines containing the same hostname, the first one is used.
--presets may be a file that contains a subset of global guard_tap.ini options or an
option list; keeping in mind that:
v A list of presets can be given on the command line provided the '--presets'
argument and option list is at the end of the command line and the options do
not contain any spaces
v When a file name is provided, it should be a full path and should be in the
guard_tap.ini format
v Only parameters in the 'global TAP section' will be used and updated
v This will only update parameters that are already included in the original
(current) guard_tap.ini. New parameters introduced in the new 'guard_tap.ini'
(the parameter) will be silently ignored

--ktap_allow_module_combos enables loader flexibility during a non-interactive mode. See Loader Flexibility for additional information and the use of lo

As an example, assuming the modules will be in the /tmp directory:

./guard-stap-guard-8.0.xx_r20992_1-rhel-5-linux-x86_64.sh -- --modules /tmp/modules-guard-8.0.xx_r20992_1.tgz

or for a non-interactive installation:

./guard-stap-guard-8.0.xx_r20992_1-rhel-5-linux-x86_64.sh -- --modules /tmp/modules-guard-8.0.xx_r20992_1.tgz --ni --tls 1 -k --dir /usr/local --tapip 19.12.144.102 --sqlguardip 19.12.148.109
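Before a large rollout with --ipfile, it is worth validating the file against the format described above. The shell function below is an added example and is not part of the Guardium installer: it reports lines that do not have three fields or whose addresses are not IPv4, applies the first-entry-wins rule for duplicate hostnames, and prints the entries the installer would act on. The sample file is constructed from the loki and waxwing entries shown above, plus a duplicate and a malformed line.

```shell
#!/bin/sh
# Added example (not part of the Guardium installer): lint an --ipfile before a
# non-interactive S-TAP rollout. Each line must be "hostname hostip sqlguardip";
# the first line for a given hostname wins, as the installer documentation states.

# ipfile_lint FILE: print the effective "hostname hostip sqlguardip" entries on
# stdout, report malformed lines on stderr, and return 1 if any line is malformed.
ipfile_lint() {
    awk '
        # is_ipv4(s): 1 if s is a dotted quad with each octet in 0..255
        function is_ipv4(s,   p, n, i) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        NF == 0 || $1 ~ /^#/ { next }                       # blank or comment line
        NF != 3 {
            printf "line %d: expected 3 fields, got %d\n", NR, NF > "/dev/stderr"
            bad++; next
        }
        !is_ipv4($2) || !is_ipv4($3) {
            printf "line %d: hostip/sqlguardip must be IPv4 addresses\n", NR > "/dev/stderr"
            bad++; next
        }
        $1 in seen {
            printf "line %d: duplicate host %s ignored (first entry wins)\n", NR, $1 > "/dev/stderr"
            next
        }
        { seen[$1] = 1; print $1, $2, $3 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demo with a constructed ipfile (the loki/waxwing entries from the text plus a
# duplicate and a malformed line).
sample=$(mktemp)
printf '%s\n' \
    'loki 9.70.144.116 9.70.148.105' \
    'waxwing 9.70.144.162 9.70.148.105' \
    'loki 9.70.144.200 9.70.148.105' \
    'badhost 9.70.144' > "$sample"
if ipfile_lint "$sample"; then
    echo "ipfile is clean"
else
    echo "ipfile has errors; fix them before running the installer with --ipfile"
fi
rm -f "$sample"
```

Duplicates are only warned about, because the installer tolerates them; a malformed line makes the function return 1 so it can gate a scripted rollout.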
Loader Flexibility
Loader Flexibility aids in the installation of currently built modules when an exact
match between module and kernel version does not exist.
v Loader flexibility is only enabled if explicitly requested at installation time.
v Pass the option --ktap_allow_module_combos when using the non-interactive
installer.
v If installing interactively, answer "y" to the question posed after editing the
guard_tap.ini (and setting ktap_installed=1). The loader flexibility default is
disabled. This means that K-Tap will be disabled if the booted kernel is not
directly supported or tested as working with another module.
v If you wish to switch from not allowing the loader to try module combinations,
you will need root access on the database machine, and must perform the
instructions printed in /var/log/messages when it was detected that no module
is available for the running kernel.
v When performing a K-Tap live update, whatever was specified to the question of
whether or not to try module combinations (implicitly or explicitly) will be
applied to the K-Tap installed as part of the update. The same procedure applies
for switching from not allowing module combinations as is printed in
/var/log/messages.


v When non-exact match combos are found, a warning message is printed in the
ktap-install.log in the guard_stap/ktap directory and in /var/log/messages,
noting the current kernel and the extracted module being loaded.

Install CAS from the Command Line


You can supply all of the parameters needed to install Unix CAS from the
command line.
Installer Script Command Line Syntax
Variables are shown enclosed in angled brackets: < >. Each component is described
below.
usage: guard-cas-setup -- install --java-home <JAVA_HOME> --install-path <INSTALL_PATH> --stap-conf <FULL_PATH_TO_GUARD_TAP_INI>
usage: guard-cas-setup -- uninstall
<guard-cas-setup> is the name of the script file.
-- install indicates an install of CAS.
-- uninstall indicates an uninstall of CAS.
--java-home <JAVA_HOME> identifies the JAVA_HOME directory. See Get Java Information.
--install-path <INSTALL_PATH> identifies the installation path.
--stap-conf <FULL_PATH_TO_GUARD_TAP_INI> identifies where the guard_tap.ini file is located after an S-TAP installation.

Starting and Stopping CAS


Depending on the install / uninstall scenario, you may need to start and stop CAS
from the command line. One scenario is not supplying the --stap-conf path to the
guard_tap.ini file (it is an optional parameter), which results in CAS not starting.
Use the following methods when you need to start or stop CAS:
1. Log on to the database server system using the root account.
2. For Red Hat Enterprise Linux 6:
a. Stop / Start CAS using the 'stop cas' or 'start cas' commands.
3. All others:
a. Comment out (if stopping CAS) or remove the comment from (if starting CAS)
the cas agent entry in the /etc/inittab file. In a default installation, this
statement should look like this:
cas:<nnnn>:respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh /usr/local/guardium/guard_stap/cas/bin
b. Save the /etc/inittab file.
c. Run the init q command.
4. You may validate whether CAS is running by issuing the 'ps -fe | grep cas'
command.
Control CAS Load on Guardium Appliance
There is a CAS configuration parameter (cas_sender_pause) that will aid in
controlling the CAS load on the Guardium appliance. As long as fewer than
100 CAS client agents are connected to a single collector, no special setup is
required and setting the cas_sender_pause parameter can be skipped. For those
installations where there are more than 100 CAS client agents, use the following to
edit the configuration file and modify the cas_sender_pause parameter:
Configuration file location: /usr/local/jakarta-tomcat-4.1.30/webapps/ROOT/WEB-INF/conf
Configuration file name: cas.server.config.properties
Parameter name: cas_sender_pause
Recommended setting for cas_sender_pause:
100-199 CAS client agents : cas_sender_pause=100
200-299 CAS client agents : cas_sender_pause=200
300-399 CAS client agents : cas_sender_pause=300
400-499 CAS client agents : cas_sender_pause=400
500 and above : cas_sender_pause=400
Changes will be picked up by the CAS server automatically, and there is NO need to
restart tomcat.

Upgrade S-TAP/K-Tap without reboot


S-TAP/K-Tap may be upgraded without a reboot by using the "guard-stap-update"
utility. The "guard-stap-update" utility performs a live update of S-TAP/K-Tap from
8.X.X to any version higher than the current one. The "guard-stap-update" utility
must be downloaded along with a newer S-TAP installer and copied to a directory
on the database server where it will be executed.
Usage:
./guard-stap-update <full_path_Guard-Installer.sh> <existing Guard-Install-Dir> [<Linux-Kernel-Module>]

Place the latest installer along with the "guard-stap-update" utility in the database
server folder "/var/tmp" and specify the install directory for the existing S-TAP of
"/usr/local/guardium".
./guard-stap-update /var/tmp/Stap_installer_name /usr/local

Upgrade S-TAP at next reboot with the Upgrader utility


Upgrader is a utility that gives the administrator the option to upgrade to a higher
S-TAP version the next time that the system is rebooted.
Note: For SUSE 11, startpar must be disabled.
Note: In order to use the upgrader utility and upgrade to version 7.0 S-TAP, 6.1
S-TAP must still be installed and the S-TAP daemon/service must be running.
Note: If you have installed A-Tap, you must deactivate it before attempting any
upgrade/install operations; see the description of the A-Tap deactivation
command, in the Configure A-Tap topic, below.
Note: gzip must be installed in /usr, /usr/bin, /sbin, or /usr/local/bin for
upgrader to work. It is also feasible to create a symbolic link from one of the
mentioned directories to the actual location of gzip.
Note: When upgrading bundle-STAP, any changes made to the guard_tap.ini file
between the time bundle-STAP's status was switched to IP-PR within the GUI and
the actual database server reboot will not be ported to the new upgraded version.
The user should then make changes to the guard_tap.ini file manually after the
upgrade.
To use the upgrader utility:
1. Transfer the following files to the same directory on the database server
machine:
v g-upgrader
v upguard
v guard_tap.ini
2. Transfer the appropriate installation file for the database server to the same
directory as above. For example: guard-stap-doberman_r<build_number>_1-<os>-<os_version>-<os_name>-<processor>.sh. See the full list of Unix Installer
Files to select the correct file.
3. Grant 754 permissions to the upgrader files and the installer file.
4. For HP-UX 11.00 ONLY:
a. Stop Unix S-TAP
b. Reboot the machine
c. Uncomment the "utap" process in /etc/inittab
5. Run the following command (see the example below):
g-upgrader --dir "full path of current install dir"
--ini "full path and name of the ini file for the new version"
--installer "full path and name of the installer"
[ -c --jdir "java dir"]

As an example, assume that the installer file named guard-stap-doberman_r<build_number>_1-<os>-<os_version>-<os_name>-<processor>.sh and
the two upgrader files (g-upgrader & upguard) have been placed in /var/tmp.
To run the upgrader utility for an installation without CAS, the following
command would be used:

g-upgrader --dir /usr/local/guardium/guard_stap --ini /usr/local/guardium/guard_stap/guard_tap.ini --installer /var/tmp/ guard-stap-doberman_r<build_

To run the upgrader utility for an installation with CAS, the following command
would be used:

g-upgrader --dir /usr/local/guardium/guard_stap --ini /usr/local/guardium/guard_stap/guard_tap.ini --installer /var/tmp/ guard-stap-doberman_r<build_

After running the upgrader, the system must be rebooted in order for the upgrade
to take place. Note that the 'reboot' command cannot be used on some operating
systems as a trigger for the upgrade process; instead, the following commands
need to be executed (per OS):
v Linux Red Hat : shutdown -r
v Linux SuSE : reboot
v HP : shutdown -r
v Solaris : shutdown -i [6|0]
Note: '0' can be used only if shutdown is done from the terminal server.
v AIX : reboot
Note: The upgrader does not currently support OSF1/Tru64 platforms.
Upgrader Log Files
The upgrader performs a full uninstall and then a full scratch install. After the
system is up, two log files can be found in the directory where the installer is
located:
v ginstall.log
v guinstall.log
Upgrader Recovery
The upgrader will not rollback following a failure. Manual steps will have to be
taken in order to reinstall the previous version.
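Because the upgrader does not roll back, the prerequisites above (the three upgrader files and the installer present with 754 permissions, and gzip in one of the four listed directories) are worth checking before the reboot. The shell functions below are an added example, not Guardium's tooling; the staging directory and installer name used in the demo are placeholders.

```shell
#!/bin/sh
# Added example (not Guardium's own tooling): check the Upgrader prerequisites
# listed above before rebooting, since the upgrader does not roll back on failure.
# DIR is the directory holding g-upgrader, upguard, guard_tap.ini and the installer.

# upgrader_files_ok DIR INSTALLER_NAME: every required file exists with mode 754.
upgrader_files_ok() {
    dir=$1
    installer=$2
    rc=0
    for name in g-upgrader upguard guard_tap.ini "$installer"; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "missing: $path"; rc=1
        elif [ -z "$(find "$path" -perm 754)" ]; then   # -perm 754 is an exact mode match
            echo "wrong permissions (want 754): $path"; rc=1
        fi
    done
    return $rc
}

# gzip_in_upgrader_dirs: gzip (or a symlink to it) is in one of the directories
# the upgrader searches.
gzip_in_upgrader_dirs() {
    for d in /usr /usr/bin /sbin /usr/local/bin; do
        if [ -x "$d/gzip" ]; then return 0; fi
    done
    echo "gzip not found in /usr, /usr/bin, /sbin or /usr/local/bin (a symlink there is enough)"
    return 1
}

# upgrader_preflight DIR INSTALLER_NAME: run both checks; 0 only if all pass.
upgrader_preflight() {
    rc=0
    upgrader_files_ok "$1" "$2" || rc=1
    gzip_in_upgrader_dirs || rc=1
    return $rc
}

# Demo on a constructed staging directory; the installer name is a placeholder.
stage=$(mktemp -d)
for name in g-upgrader upguard guard_tap.ini; do
    : > "$stage/$name"; chmod 754 "$stage/$name"
done
: > "$stage/guard-stap-installer-PLACEHOLDER.sh"      # left at the default mode on purpose
if upgrader_preflight "$stage" guard-stap-installer-PLACEHOLDER.sh; then
    echo "ready to run g-upgrader and reboot"
else
    echo "fix the problems above before rebooting"
fi
rm -rf "$stage"
```

On a real server call upgrader_preflight /var/tmp <installer file name> after step 3 and only proceed to step 5 when it returns 0.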

Command Line Update for K-Tap (Manual)


A command line update is available for K-Tap. When it is used, the user should save
the output from the script.
guard-ktap-update-doberman_r19987_1-sunos-5.9-solaris-sparc.sh <guard_stap path> <current version of ktap> <updating version of ktap>

As an example (saving the output to a file):
guard-ktap-update-doberman_r19987_1-sunos-5.9-solaris-sparc.sh 2>&1 | tee /tmp/output.save.txt

Remove Previous Unix S-TAP (Manual)


Perform this procedure before installing a new version of S-TAP if you want to
save the old configuration file. For an upgrade, we recommend that you use the
Upgrade Procedure Utility described above.
If S-TAP was previously installed, there will be a directory named:
/usr/local/guardium/guard_stap.
Note: If you have installed A-Tap, you must deactivate it before attempting any
upgrade/install operations; see the description of the A-Tap deactivation
command, in the Configure A-Tap topic, below.
If you are removing a previous version of S-TAP that used K-Tap, you will need to
reboot the database server as described below. If K-Tap has been installed, you will
have a device file named: /dev/guard_ktap.
1. Log on to the database server system using the root account.
2. If uninstalling version 6.0 or later of S-TAP:
a. For Red Hat Enterprise Linux 6:
1) Stop S-TAP using the 'stop utap' command.
b. All others:
1) Remove the utap agent entry in the /etc/inittab file (regardless of
whether or not it has been commented). In a default installation, this
statement should look like this:
utap:<nnnn>:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
2) Save the /etc/inittab file.
3) Run the init q command.
c. You can then run ps -ef | grep stap to verify that S-TAP is no longer
running.
3. Copy the S-TAP configuration file to a safe location (a non-Guardium
directory). By default, the full path name is:
/usr/local/guardium/guard_stap/guard_tap.ini


You can use this file later if you have to re-install this version of the software,
or you can refer to it when configuring an updated version of S-TAP. Do not
ever use an older configuration file directly with a newer version of the
software - newer properties may be missing, and the defaults taken may result
in unexpected behavior when you start S-TAP.
4. Run the uninstall script. For example, if the default directory has been used:
[root@yourserver ~]# /usr/local/guardium/guard_stap/uninstall

Note: Do not run the uninstall program with S-TAP running. Be sure that you
have stopped S-TAP as described above.
5. If your previous version of S-TAP included K-Tap, reboot the database server
now.
6. This step applies to HP-UX servers only (skip for all others). If you are
uninstalling a previous version of S-TAP that included K-Tap:
a. Run the uninstall script again
7. This step applies to AIX Wpars only (skip for all others). If you are uninstalling
a previous version of S-TAP that included K-Tap, issue the following
commands from the master node:
rm -f /wpars/<server>/dev/ktap*
rm -f /wpars/<server>/dev/guard_ktap*
where /wpars/<server> is the path from the master node to the Wpar

8. If upgrading, upgrade the Guardium appliance that serves as the S-TAP host,
before upgrading S-TAP.
9. Return to the installation procedure: Install Unix S-TAP.

Stop Unix S-TAP


Depending on the method of S-TAP installation, you may stop S-TAP by:
GIM Installation
GIM allows you to stop S-TAP without ever having to log into the
database server. Use the following steps to change the STAP_ENABLED
parameter and schedule the change on the database server.
1. Navigate to Client Search Criteria; select Administration Console >
Module Installation > Setup By Client
2. Enter Client Search Criteria if desired to perform a filtered search of
registered clients
3. Click the Search button to perform the filtered search and display the
Clients panel
4. Select the Clients that will be the target for the desired action
(stopping S-TAP)
v If there are more than 20 clients, the list of clients will be split
onto additional pages
Note: Clicking the Select All button will only select the clients on
the current page being viewed
5. Click the Next button to bring up the Common Modules panel
6. Select the Module for S-TAP
7. Click the Next button to bring up the Module Parameters panel
8. Select the client that will be the target for the desired action (stopping
S-TAP)
9. Scroll right and change the STAP_ENABLED parameter to 0 (zero)
10. Click the Apply to Clients button to apply to the targeted clients
11. Click the Install/Update button to schedule the update to the targeted
clients. This update can be scheduled for NOW or some time in the
future.
Non-GIM Installation
1. Log on to the database server system using the root account.
2. For all non-Red Hat Enterprise Linux 6:
a. Open the /etc/inittab file for editing.
b. Locate and comment the following statement in the /etc/inittab file,
by inserting a comment character (colon (:) for AIX, pound sign (#)
for all others) at the start of the statement:
utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
c. Optional. If you are using the TEE monitoring mechanism, comment
the following two statements by inserting a comment character
(colon (:) for AIX, pound sign (#) for all others) at the start of each
statement. Note that these processes are not used in the default
configuration, so the statements may be commented already.
#utee:2345:respawn:/usr/local/guardium/guard_stap/guard_tee /usr/local/guardium/guard_stap/guard_tap.ini
#hsof:2345:respawn:/usr/local/guardium/guard_stap/guard_hnt
d. Run the init q command so that init re-reads /etc/inittab.
3. For Red Hat Enterprise Linux 6:
a. Stop each of the agents that might be running using the 'stop
<agent>' command, where agent is one of the /etc/inittab entries
noted in step 2 for non-Red Hat Enterprise Linux 6.
4. Run ps -ef | grep stap to verify that the S-TAP processes have been
stopped.
5. From the administrator portal of the Guardium appliance to which this
S-TAP was reporting, verify that the Status light in the S-TAP control
panel is now red.

Restart Unix S-TAP


Depending on the method of S-TAP installation, you may start S-TAP by:
GIM Installation
GIM allows you to start S-TAP without ever having to log into the
database server. Use the following steps to change the STAP_ENABLED
parameter and schedule the change on the database server.
1. Navigate to Client Search Criteria; select Administration Console >
Module Installation > Setup By Client
2. Enter Client Search Criteria if desired to perform a filtered search of
registered clients
3. Click the Search button to perform the filtered search and display the
Clients panel
4. Select the Clients that will be the target for the desired action (starting
S-TAP)
v If there are more than 20 clients, the list of clients will be split
onto additional pages
Note: Clicking the Select All button will only select the clients on
the current page being viewed
5. Click the Next button to bring up the Common Modules panel
6. Select the Module for S-TAP
7. Click the Next button to bring up the Module Parameters panel
8. Select the client that will be the target for the desired action (starting
S-TAP)
9. Scroll right and change the STAP_ENABLED parameter to 1 (one)
10. Click the Apply to Clients button to apply to the targeted clients
11. Click the Install/Update button to schedule the update to the targeted
clients. This update can be scheduled for NOW or some time in the
future.

Non-GIM Installation
1. Log on to the database server system using the root account.
2. For all non-Red Hat Enterprise Linux 6:
a. Open the /etc/inittab file for editing.
b. Un-comment the following statement by deleting the comment
character (colon (:) for AIX, pound sign (#) for all others) at the start
of the line:
#utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
c. Optional. If you are using the TEE monitoring mechanism,
un-comment the following two statements by deleting the comment
character (colon (:) for AIX, pound sign (#) for all others) at the start
of each line. Note that these processes are not used in the default
configuration, and must not be started if you are using the K-Tap
monitoring mechanism.
#utee:2345:respawn:/usr/local/guardium/guard_stap/guard_tee /usr/local/guardium/guard_stap/guard_tap.ini
#hsof:2345:respawn:/usr/local/guardium/guard_stap/guard_hnt
d. Run the init q command to restart the S-TAP processes.
3. For Red Hat Enterprise Linux 6:
a. Start each of the agents using the 'start <agent>' command, where
agent is one of the /etc/inittab entries noted in step 2 for non-Red Hat
Enterprise Linux 6.
4. Run ps -ef | grep stap to verify that S-TAP is running.
5. From the administrator portal of the Guardium appliance to which this
S-TAP reports, verify that the Status light in the S-TAP control panel is
green.
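Both the Stop and Restart procedures above come down to adding or removing a comment character in front of the utap, utee and hsof entries in /etc/inittab, with ':' on AIX and '#' elsewhere, and the utee/hsof entries must stay commented when K-Tap is the monitoring method. The shell functions below are an added example, not Guardium's own tooling: they make that edit on a file you name (run them on a copy of /etc/inittab first) and report which entries are active. The sample file is constructed from the default entries shown above.

```shell
#!/bin/sh
# Added example (not Guardium's own tooling): toggle the S-TAP entries in an
# inittab-style file the way the Stop / Restart procedures above describe, using
# ':' as the comment character on AIX and '#' elsewhere. Work on a copy of
# /etc/inittab first; after editing the real file, run "init q" as the steps say.

# stap_inittab_active FILE: print the S-TAP entries that are currently active.
stap_inittab_active() {
    sed -n -E 's/^(utap|utee|hsof):.*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# stap_inittab_set FILE on|off OS [TEE]: comment out (off) or restore (on) the
# entries. On "on", utee/hsof are restored only when TEE=1, because they must
# not be started when K-Tap is the monitoring mechanism.
stap_inittab_set() {
    file=$1
    mode=$2
    os=$3
    tee=${4:-0}
    case "$os" in
        AIX|aix) c=':' ;;
        *)       c='#' ;;
    esac
    tmp=$(mktemp) || return 1
    case "$mode" in
        off)
            # prefix every active S-TAP entry with the comment character
            sed -E "s/^(utap|utee|hsof):/${c}&/" "$file" > "$tmp" ;;
        on)
            if [ "$tee" = 1 ]; then pat='(utap|utee|hsof)'; else pat='utap'; fi
            # strip a leading '#' or ':' from the selected entries only
            sed -E "s/^[#:](${pat}:)/\1/" "$file" > "$tmp" ;;
        *)
            rm -f "$tmp"; echo "mode must be on or off" >&2; return 2 ;;
    esac
    cat "$tmp" > "$file" && rm -f "$tmp"   # keep the original file's inode and mode
}

# Demo on a constructed copy with the default entries shown in the procedure.
demo=$(mktemp)
printf '%s\n' \
    'utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini' \
    '#utee:2345:respawn:/usr/local/guardium/guard_stap/guard_tee /usr/local/guardium/guard_stap/guard_tap.ini' \
    '#hsof:2345:respawn:/usr/local/guardium/guard_stap/guard_hnt' > "$demo"
echo "active before: $(stap_inittab_active "$demo")"
stap_inittab_set "$demo" off linux
echo "active after stop: $(stap_inittab_active "$demo")"
stap_inittab_set "$demo" on linux 1
echo "active after start with TEE: $(stap_inittab_active "$demo")"
rm -f "$demo"
```

Writing through a temporary file and then cat-ing it back keeps the original /etc/inittab inode and permissions, which matters on systems where init watches that file; the Red Hat Enterprise Linux 6 'stop <agent>' / 'start <agent>' path is not covered here because it does not edit inittab.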

Stop and start S-TAP using Solaris services in Solaris 10 and 11


Solaris 10 and 11 no longer use inittab. Instead, Solaris services are used to stop
and start the S-TAP. Use the "svcadm" utility:
Stop
-bash-3.00# svcadm -v disable guard_utap
svc:/site/guard_utap:default disabled.
-bash-3.00# ps -eaf | grep stap
root 2375 1930 0 14:25:36 pts/2 0:00 grep stap


-bash-3.00#
Restart
-bash-3.00# svcadm -v enable guard_utap
svc:/site/guard_utap:default enabled.
-bash-3.00# ps -eaf | grep stap
root 2379 1 0 14:25:57 ? 0:00
/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/
guard_stap/guard_
root 2396 1930 0 14:26:00 pts/2 0:00 grep stap
-bash-3.00#
-bash-3.00# svcs guard_utap
STATE STIME FMRI
online 14:25:56 svc:/site/guard_utap:default
-bash-3.00#

Determine Unix S-TAP Version Number


From the administrator portal of a Guardium server for an S-TAP, the S-TAP
version number displays in the S-TAP Status Monitor report on the System View
tab.
If the administrator portal is not available, you can display the S-TAP version
number from the Unix command line of the database server, by running the
guard_stap binary with the -version or --version argument.
To check the Unix S-TAP version, assuming S-TAP has been installed in the default
installation directory, enter the following command:
-bash-3.2# <guardium_base>/modules/STAP/current/guard_stap --version
or
-bash-3.2# <guardium_base>/guard_stap/guard_stap --version
STAP-doberman_r20511_1-20100728_0514

Note: For an S-TAP version prior to 7.0, the -version and --version arguments are
not recognized.

Configure A-Tap
A-Tap Support Matrix
The following database versions are currently supported by A-Tap on the following
platforms:

OS       Oracle     Informix      DB2                      Sybase
Linux    9, 10, 11  8, 9, 10, 11  8.1, 8.2, 9.1, 9.5, 9.7  -
Solaris  9, 10, 11  -             -                        15 (SPARC only)
HP-UX    9, 10, 11  -             -                        15
AIX      9, 10, 11  -             -                        15 on AIX 5.3, 6.1, 7.1

Note: A-Tap needs to be deactivated before an upgrade of a database service and
then re-activated after the upgrade.
Note: A-Tap is installed as an added product and requires separate configuration
on the database machine itself.

ATAP Control
A-Tap can be controlled from the guard_tap.ini parameter file, by the guardctl
utility, or on some platforms ATAP can also be activated from the S-TAP
configuration (please see ATAP Activation from Guardium Appliance).
The guardctl utility is installed under the <guardium_base>/bin directory, where
<guardium_base> is the directory where Guardium software is installed. By
default <guardium_base> is /usr/local/guardium. In the case of a GIM
installation guardctl is installed under <guardium_base>/modules/ATAP/
current/files/bin.
The guardctl utility provides commands that facilitate different aspects of A-Tap
installation, activation, deactivation, uninstallation and upgrade.
To use the guardctl utility, you must log in as root, since it requires superuser
privileges.
Note: The guardctl utility requires version 3 or greater of bash (issuing 'bash
--version' at the command prompt will display the version).
Syntax
<guardium_base>/xxx/bin/guardctl [<name>=<value>] [<name>=<value> ...] [command]

Commands
v help - default command, prints the list of supported commands, parameters and
their default values
v store-conf - allows storing parameter values as defaults
v list-active - lists DB instance user names of all active DB instances
v is-active - returns 1 if there is at least one active instance, 0 otherwise
v activate - activates DB instance. Requires DB-specific parameters (see details
below)
v deactivate - deactivates one DB instance
v deactivate-all - deactivates all active DB instances
v instrument - Create relinked instrumented Oracle for AIX ATAP activation
v deinstrument - remove instrumented Oracle
v is-user-authorized - checks if db-user is authorized to log information
v authorize-user - adds the user to 'guardium' authorization group
For most of these commands the db_instance parameter is mandatory. See
description of individual commands below for details on other parameters.

A-Tap Installation
A-Tap installs as a part of S-TAP installation.

Note: ATAP depends on KTAP, so please make sure that KTAP is installed as well.
In particular, the ktap_installed parameter has to be set to 1 in the guard_tap.ini file.
Note: For the installation procedure on Solaris Zones see "Procedure to Make
ATAP Work Under Solaris Zones".
Note: The guardctl utility DOES NOT automatically add db-user to group guardium.
That behavior matches the behavior of guard_tap.ini encryption=1 ATAP based
activation, i.e. the database OS user is never added automatically to group
'guardium'.
Note: If the software is installed with GIM, ATAP expects GIM_ROOT_DIR to be
defined as an absolute path to the 'modules' directory, for example /usr/local/guardium/
modules. Otherwise, activating ATAP through guard_tap.ini encryption=1
will silently fail (the guard_stap log will show that guard-atap-ctl failed). This is
especially important when running guard_stap manually: be sure you have
defined this environment variable when running guard_stap.
v If the A-Tap user is not a member of group 'guardium' it will not be able to open the
K-Tap device and you will see the following syslog message: ATAP
[UID= GID= EUID= EGID=] Opening ktap '' [OWNER UID= GID= PERMS=]:
Permission denied
v If the UID or EUID are not members of the OWNER group GID, the reason for
'permission denied' is that the user matching UID or EUID does not belong to
the group matching OWNER GID.
v To make it easier, not having to handle different OS syntaxes for adding users
and groups, while disabling the automatic addition to group 'guardium', two
commands are available within guardctl which can be used irrespective of the
method you use to activate ATAP (i.e. guardctl or guard_tap.ini):
#/path/to/guardium/bin/guardctl is-user-authorized
#/path/to/guardium/bin/guardctl authorize-user ...
Note: The database must be stopped when either a user is being added to the
guardium group or when activating ATAP using the guardctl utility.
Note: The database must be restarted after performing an upgrade for modules
that include ATAP, such as a full upgrade (S-TAP, ATAP, & KTAP), or when ATAP is
enabled through enabling encryption in guard_tap.ini.
Note: Group 'guardium' can be removed on most OSs with 'groupdel guardium'.
However, after removal, only the guard_ktap_loader can correctly recreate it and
change the KTAP device permissions.
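As an added example that is not part of this help book, the following shell function turns the K-Tap "Permission denied" syslog message described above into a diagnosis by comparing the device's OWNER GID with the groups of the database OS user (as printed by id -G); the device path and numeric ids in the sample line are constructed.

```shell
#!/bin/sh
# Added example (not Guardium's own code): triage the ATAP ktap open failure.

# ktap_denied_cause LOGLINE GIDS
#   LOGLINE - one ATAP syslog line of the form shown above
#   GIDS    - the DB OS user's group ids, as printed by: id -G <db_user>
# Returns 0 when the user is missing from the OWNER GID group (the cause the
# note above describes), 1 when group membership is fine and the cause lies
# elsewhere (device PERMS or path), 2 when the line is not an ATAP open failure.
ktap_denied_cause() {
    line=$1; gids=$2
    owner_gid=$(printf '%s\n' "$line" \
        | sed -n 's/.*Opening ktap .*OWNER UID=[0-9]* GID=\([0-9]*\).*/\1/p')
    [ -n "$owner_gid" ] || { echo "not an ATAP ktap open-failure line"; return 2; }
    for g in $gids; do
        if [ "$g" = "$owner_gid" ]; then
            perms=$(printf '%s\n' "$line" | sed -n 's/.*PERMS=\([0-7]*\).*/\1/p')
            echo "user is in group $owner_gid; check device PERMS=$perms and the ktap path instead"
            return 1
        fi
    done
    echo "user is not in group $owner_gid: add the DB OS user with 'guardctl authorize-user' (database stopped)"
    return 0
}

# ktap_denied_cause_live DB_USER LOGLINE: same check using this host's group
# database for DB_USER.
ktap_denied_cause_live() {
    ktap_denied_cause "$2" "$(id -G "$1")"
}

# Constructed sample: uid 1001 is in groups 1001 and 100, the device is owned by gid 1002.
SAMPLE_LINE="ATAP [UID=1001 GID=1001 EUID=1001 EGID=1001] Opening ktap '/dev/ktap-placeholder' [OWNER UID=0 GID=1002 PERMS=0660]: Permission denied"
ktap_denied_cause "$SAMPLE_LINE" "1001 100"
```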

ATAP Configuration
Once installed, A-Tap must be configured separately for each instance of the
database on the server.
The following table summarizes the configuration parameters that have to be
specified for different databases.

Table 36. A-TAP Configuration

Parameter             Default Value                     Description                                              Mandatory?

Common (all db_type values)
db_instance           -                                 DB instance: unique identifier of the instance. For      yes
                                                        Oracle, use the $ORACLE_SID value; for Informix and
                                                        DB2 use the OS user name or DB instance name.
db_user               -                                 OS user name for this DB instance. Has to be             yes
                                                        specified explicitly even if the user name is used
                                                        as db_instance.
db_type               -                                 DB type (oracle, informix or db2)                        yes
db_base               db_user's home directory          DB instance user home directory                          no
db_bits               guessed based on DB executable    DB instance architecture (32 for 32-bit, 64 for 64-bit)  no

Oracle (oracle) (1)
db_home               $ORACLE_HOME value if defined,    Where DB software is installed                           yes
                      db_base otherwise
db_version            any (has to be set to a           DB instance version                                      no (yes on AIX)
                      numerical value on AIX)
db_relink             no (yes on AIX)                   ATAP activation method                                   no
db_use_instrumented   no (yes on AIX)                   ATAP activation uses the relinked version of Oracle      no
                                                        previously created with the instrument command.

Informix (informix)
db_home               db_base                           Where DB software is installed                           no
db_version            any (has to be set to a           DB instance version                                      yes
                      numerical value)
db_info               /INFORMIXTMP/.inf.sqlexec         Additional DB info file                                  no

DB2 (db2) (2)
db_home               db_base                           Where DB software is installed                           no
db2_shmsize           131072                            DB2 shared memory size                                   yes
db2_c2soffset         61440                             DB2 shared memory client-to-server area offset           yes
db2_header_offset     20                                DB2 shared memory header offset                          yes
db_version            any                               DB instance version                                      no

Sybase (sybase)
db_home               db_base                           Where DB software is installed                           no
db_version            any (has to be set to a           DB instance version                                      yes, has to be set to 15
                      numerical value)

(1) If the Oracle Listener and all Oracle instances are not running under the same
user, all users must belong to the same (shared) group in order to capture
Oracle TCP traffic. In addition, on HP-UX the HP-2005-security-patch is required.
(2) The DB2 shared memory-related parameters should be determined at installation
time using the procedure described under the DB2 Linux S-TAP Configuration
Parameters topic, below.
store-conf Command
Use the store-conf command to name and store the configuration of an instance of
the database for future use. These stored configurations may later be used for
A-Tap activation and deactivation.
Syntax

<guardium_base>/xxx/bin/guardctl db_instance=<instance> [<name>=<value> ...] store-conf

The value specified for the instance (db_instance parameter) can be used later to
reference this configuration in other guardctl commands.
The stored configuration may later be retrieved using the default (help) command:
<guardium_base>/xxx/bin/guardctl db_instance=<instance>

ATAP DB Instance Activation

Use the activate command to activate A-Tap. A-Tap must be activated for each DB
instance to be monitored on the server. Note the following:
v ATAP cannot be activated or deactivated while the DB instance is up and running.
v ATAP activation relies on the stored configuration for the given instance.
v ATAP parameters may also be specified on the command line. Command line
parameters override the stored ones.
v OS users for the DB instances have to be completely logged off from the system
during DB instance activation.
v ATAP has to be deactivated prior to any upgrade of the database server.
v On AIX with Oracle, the instrument command must be used before activating ATAP,
either through the activate command or by setting encryption=1 in the ini file.
v Setting encryption=1 in the ini file will NOT WORK under AIX, Linux and Solaris
Zones.
v In a GIM installation, every zone has to be populated with libguard-* as well
(see Solaris Zones 2.)
v For a multi-instance configuration where a single executable is used for all of the
instances, guardctl activate should only be done once, as it will be effective for
all instances.
v For Solaris Zones and WPARs, to make ATAP work on zone architectures,
the file system /usr/local on the sub-zone system has to be read and write
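As an added example that is not part of this help book, the following shell function is a pre-flight check for the first and fourth notes above before running guardctl activate or deactivate: the instance must be down and its OS user logged off. The process and login lists are passed in as arguments so the check can be exercised on constructed data; atap_preflight_live gathers them from the host.

```shell
#!/bin/sh
# Added example (not Guardium's own code): verify the activation preconditions.

# atap_preflight DB_USER PROCS LOGINS
#   PROCS  - pids running as DB_USER, one per line (empty when none)
#   LOGINS - user names of current login sessions, one per line
# Prints each blocker and returns 0 only when it is safe to run guardctl.
atap_preflight() {
    db_user=$1; procs=$2; logins=$3; rc=0
    if [ -n "$procs" ]; then
        echo "blocker: processes still running as $db_user (pids:$(printf ' %s' $procs))"
        rc=1
    fi
    for u in $logins; do
        if [ "$u" = "$db_user" ]; then
            echo "blocker: $db_user still has a login session"
            rc=1
            break
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok: $db_user has no processes or login sessions"
    return $rc
}

# atap_preflight_live DB_USER: the same check against the running host.
# ps -u/-o and who are used because they are available on Linux, AIX,
# Solaris and HP-UX alike.
atap_preflight_live() {
    atap_preflight "$1" "$(ps -u "$1" -o pid= 2>/dev/null)" "$(who | awk '{print $1}')"
}

# Constructed sample: an Oracle instance owner still runs two processes and
# is logged in, so activation must wait.
atap_preflight oracle "$(printf '%s\n' 4120 4133)" "$(printf '%s\n' root oracle)" \
    || echo "do not run guardctl activate yet"
```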

394

Help Book Guardium V9.0

Instrument Command
To instrument an Oracle executable (needed on AIX) use the following syntax:
Syntax
<guardium_base>/xxx/bin/guardctl db_instance=<instance> [ <name1=value1> ... <nameN=valueN> ] instrument

activate Command
ATAP activation can either be done from the guard_tap.ini (via encryption=1)
on Solaris (not on Solaris zones) and HPUX only, or by issuing the following
command:
Syntax
<guardium_base>/xxx/bin/guardctl db_instance=<instance> [ <name1=value1> ... <nameN=valueN> ] activate

Note: Command line parameters (if specified) supersede those stored for given
instance. The parameters are stored for future use, overwriting previously specified
ones.
Note: After Oracle instrument has been issued the monitoring has to be activated
as well.

ATAP Deactivation
deactivate Command
Use the deactivate command to deactivate A-Tap for a specific database instance.
Note the following:
Syntax
<guardium_base>/xxx/bin/guardctl db_instance=<instance> deactivate [ --force-action=yes ]

If the optional --force-action parameter is specified and its value is set to yes,
forced deactivation will be attempted. In particular, it will try to deactivate a DB
instance even if it is running or the OS user is logged in. This can be beneficial to
use if a normal deactivate attempt is unsuccessful.
In addition, the --force-action option may be used to clean up leftovers of previous
activations; for example, if a database instance has been uninstalled or reinstalled
without deactivation, the --force-action switch instructs guardctl to clean up its
records and get rid of stale information.
v ATAP cannot be activated or deactivated while DB instance is up and running.
v DB users have to be completely logged off from the system during DB instance
deactivation.
deinstrument Command
On instrumented instances the deinstrument should be run as well:
Syntax
<guardium_base>/xxx/bin/guardctl db_instance=<instance> deinstrument [ --force-action=yes ]

deactivate-all Command

Use the deactivate-all command to deactivate A-Tap for all database instances on
the server.
Syntax
<guardium_base>/xxx/bin/guardctl deactivate-all [ --force-action=yes ]

Note: The --force-action parameter may be specified if any of the instances
fail to deactivate after a normal deactivate-all is attempted.

ATAP Uninstallation/Upgrade
ATAP is uninstalled/upgraded by standard S-TAP uninstall/upgrade tools.
However, in order to uninstall, ATAP has to be deactivated first on all DB
instances.
list-active Command
The list of currently active instances may be obtained by the following command:
Syntax
<guardium_base>/xxx/bin/guardctl list-active

is-active Command
Also, the following command returns true if there is at least one active instance
and false otherwise:
Syntax
<guardium_base>/xxx/bin/guardctl db_instance=<instance_name> is-active

ATAP Environment Control Variables


The following environment variables can be set to control the ATAP attempts to
reopen the K-Tap device:
ATAP_KTAP_REOPEN_ATTEMPT_MAX=<number>
v the maximal number of times ATAP will try to reopen ktap (this defaults to
ULONG_MAX)
ATAP_KTAP_REOPEN_ATTEMPT_WAIT_SEC=<sec>
ATAP_KTAP_REOPEN_ATTEMPT_WAIT_USEC=<usec>
v minimal time interval between reopen attempts (defaults to 5 seconds)
ATAP_KTAP_REOPEN_TEST_INTERVAL=100
v minimal number of database packets/messages between reopen attempts
(defaults to 100)
v if this value is 0, there will be no attempts
v if this value is 1, the time interval (above) is what determines the intervals
between attempts
v Note that in this case the time interval will be checked on every single packet
handled by ATAP (this can significantly degrade database performance)
v if this value is greater than 1, then the time interval will be checked only
every TEST_INTERVAL number of packets

v Note that in this case, if the traffic volume is very low, it can take more than
the time interval for an open retry to occur
ATAP_KTAP_BUMP_FD=
v if this value is greater than 0, an attempt will be made to switch the
file descriptor used for ktap to another value
v for example, if ATAP_KTAP_BUMP_FD=256, then an attempt will be made to
find a free file descriptor by repeatedly halving the value (256, 128, 64, 32, 16)
to use for ktap communication, instead of the initial one.
v this feature is provided since ATAP is initialized very early in the database
execution process, and the ktap fd can take the place of a file descriptor with a low
value that is assumed by the database to have another meaning (for example a terminal
connection).
ATAP_KTAP_DEV_PATH=
v can be used to override ktap device path
ATAP_LOG_LEVEL=
v log level (defaults to -1 = off) - additional log for each instrumented process
ATAP_LOG_PATH=
v log path format - should include reference to two integers (%d) - the first one
is PID, the second TID (defaults to /var/log/guard/atap/pid%05d-thr%08d)
ATAP_INSTR_<func>
v for ATAP libraries using atap_instr, all function instrumentation can be turned
off and on via these variable values of 0 and 1, respectively.
ATAP_ASO_CYPHER_TABLE_SYMBOL_NAME=
v defaults to 'naeeta' for Oracl