1.4.2 Instance Discovery
Guardium, with auto-discovery enabled, gives you the ability to use the power of S-TAP
to discover running instances on that server, including the information that you need to
automatically populate the inspection engine definitions.
To enable instance discovery, use the following flags during S-TAP installation:
• Noninteractive install flag: -use-discovery
• GIM installation: set STAP_USE_DISCOVERY to 1
When installation is completed, S-TAP will be configured with Inspection Engines for all
running databases.
1.4.4 Classification process performance
Classification processes are handled with sampling routines and timeout parameters that
ensure minimal performance impact on database servers.
When the classifier runs, you have the option of specifying how it samples records. The
default behavior takes a random sampling of rows using an appropriate statement for the
database platform in question.
However, random sampling may incur a slight performance penalty compared to sequential
sampling. For both random and sequential sampling, the default sample size is 2000 rows or
the total number of available rows, whichever is fewer. Larger or smaller sample sizes may be
specified.
1.5.1.1 S-TAP Terminate Action
The S-TAP Terminate action terminates a database connection (a session) and prevents
additional requests on that session. This action is available in S-TAP regardless of whether
S-GATE is used.
1.5.1.2 S-GATE Actions
S-GATE provides database protection via S-TAP for both network and local connections.
When S-GATE is available, all database connections (sessions) are evaluated and
tagged to be monitored in one of the following S-GATE modes:
• Attached (S-GATE is "on"): S-TAP is in firewalling mode for that session; it holds the
database requests and waits for a verdict on each request before releasing its responses.
• Detached (S-GATE is "off"): S-TAP is in normal monitoring mode for that session; it
passes requests to the database server without any delay.
S-GATE Policy Rule Actions:
• Attach: when certain criteria are met that raise the need to closely watch (and if
needed block) the traffic on that session.
• Detach: for use on sessions that are considered "safe" or sessions that cannot tolerate
any latency.
• Terminate: has effect only when the session is attached. It drops the reply of the
firewalled request, which terminates the session on some databases.
Note: S-GATE/S-TAP termination does not work on a client IP group whose members have
wild-card characters.
1.6.1 How outlier detection works
Outlier detection includes an advanced machine learning algorithm to aid in the early
detection of possible attacks during operation.
2.4.2 Stopping S-TAP processes
Depending on the version and OS, there are different methods to stop an S-TAP process.
For instance, on a 64-bit RHEL 6 server an administrator may issue this command as the
root user:
stop utap
2.5.1 Collector / Aggregator ratios
We recommend starting with a ratio of eight collectors to one aggregator.
2.5.2 Determining if additional Aggregators are needed.
The amount of traffic that is logged and sent from the collectors to the
aggregators and the retention needs of the aggregators determine whether you
need more aggregators.
2.6.1 This Guardium SIEM (Security Incident Event Manager) integration can be done in one of
the following ways:
• Syslog forwarding (the most common method for alerts and events)
• Using the CLI command, store remotelog, to specify the Syslog forwarding to
facility/priority, and host (destination).
• Using Guardium templates for ArcSight, Envision, and QRadar
• SCP/FTP (CSV or CEF Files sent to an external repository and the SIEM system
must upload and parse from this external repository.)
2.6.2 Which syslog template should be used for ArcSight integration?
CEF is only used for ArcSight. The other SIEM products have a different format and do
not use CEF.
2.1.3 What are the minimum system requirements for an IBM Security Guardium v10.1.2 collector?
The same as always.
3.4.9 S-TAP Deployment through an already installed GIM Agent with GuardAPI commands
• grdapi gim_assign_latest_bundle_or_module_to_client
• grdapi gim_update_client_params
Updates a single module's parameters in a specific client. The command can be executed
multiple times, depending on the number of parameters changed.
• grdapi gim_schedule_install
3.5.1 Using GuardAPI commands to define a new datasource
The create_datasource command is used to define a new datasource. Its application
parameter identifies the application for which the datasource is being defined. It must be
one of the following:
• Access_policy
• Application User translation
• AuditDatabase
• AuditTask
• ChangeAuditSystem
• Classifier
• CustomDomain
• DatabaseAnalyzer
• MonitorValues
• SecurityAssessment
• Stap_Verification
You need to use the SecurityAssessment parameter.
3.5.2 Limited CLI commands during maintenance of internal database
support reset-password root
restart mysql
restart stopped_services
restart system
restore pre-patch-backup
restore system
3.5.3 System Backup
System backup supports the following methods:
• SCP - defined by default and accessible via CLI and the GUI
• FTP - defined by default and accessible via CLI and the GUI
• Centera - can be added to the GUI by logging into CLI and running the following
command, store storage centera backup on
• TSM - can be added by logging into CLI and running the following command,
store storage tsm backup on
• AMAZON S3 - is defined by default and accessible via CLI and GUI. It is
accessible from CLI as long as it is defined in the GUI.
• Softlayer - Softlayer cloud backup
• Cleversafe - stores backups in a similar fashion to Amazon S3. The GUI draws a list of
the available buckets for you directly; the first listed name is the name of the bucket
you saved to the database. Note: you cannot create new buckets or delete any buckets
from the Guardium UI/CLI.
3.5.4 New certificates
To obtain a new certificate, generate a certificate signing request (CSR) and contact a
third-party certificate authority (CA) such as VeriSign or Entrust. Guardium does not
provide CA services and will not ship systems with certificates other than the ones that
are installed by default. The certificate must be in PEM format and include the BEGIN and
END delimiters. The certificate can either be pasted from the console or imported through
one of the standard import protocols.
• create csr alias - This command creates a certificate request with an alias.
• create csr gui - This command creates a certificate request for Tomcat.
• create csr sniffer - This command creates a certificate request for the sniffer.
3.5.4-2 To install a new certificate through the command line interface, use one of the following
commands:
• store certificate gim - This command stores GIM certificates in the keystore.
• store certificate gui - This command stores tomcat certificates in the keystore.
• store certificate keystore - This command asks for a one-word alias to uniquely
identify the certificate and store it in the keystore.
• store certificate mysql - This command stores mysql client and server
certificates.
• store certificate stap - This command stores S-TAP certificates.
• store certificate sniffer - This command stores sniffer certificates.
4.1.1.3.5 Unit utilization timecharts
Unit utilization timecharts allow the observation of trends in unit utilization data
over time. Unit utilization timecharts can be configured to show multiple unit
utilization metrics for a single Guardium system or to show a single unit utilization
metric for multiple Guardium systems.
Unit utilization timecharts are structured based on the following criteria:
• The x-axis represents the period start time
• When multiple metrics are being charted and the values for the metrics
are in the same range, one y-axis is drawn. For example, both MySQL
disk usage and /var disk usage are expressed as percentages and are
drawn with the same y-axis.
• When multiple metrics are being charted and the values of the metrics
are not similar, two y-axes are drawn. For example, MySQL disk usage
is expressed as a percentage and flat log requests is expressed as an
integer, so two y-axes are drawn: one displaying percentages and one
displaying integers.
• If the value of a metric falls outside the range of a y-axis, that value is
displayed at the bottom of the chart. This behavior accommodates
scenarios where different metrics are expressed with similar units but
significantly different values: for example, integers in the range of
thousands versus millions.
4.1.1.4 Deployment health table
The Deployment Health table summarizes health information about all connected
aggregators and collectors along these dimensions:
• Overall
• Connectivity
• Unit utilization
• Aggregation
The view is available at Manage > System View > Deployment Health Table.
4.1.2 Services Status panel
Open the Services Status panel by clicking Setup > Tools & Views > Services Status.
Each service displays one of the following icons:
• Service is running/scheduled: green check mark
• Service is paused: red X
• Service is off: gray X
4.1.5.2.1 Purging data from the filesystem
If the DB size is fine but the filesystem (/var) is full, consider that some system files
may have been left on the system. For example:
• If daily exports or archives are failing, a temporary file may be left on the system
for each day.
• Some old large patch files may be left in the /var/log/guard/patches directory.
You may need to work with IBM Technical Support (via a PMR) to carefully check for large
files and decide which ones to delete.
The following CLI commands can be used to identify large files (larger than 10 MB and
older than 0 days):
show filesystem usage
support show large_files 10 0
Consider the ones listed at the end (the largest ones).
4.1.5.3.1 Resolving Analyzer Queue Overflow
If the analyzer queue is overflowing it means the traffic is coming into the
appliance faster than the analyzer can process it. Improvements in the latest
sniffer patches will help, but reducing the amount of traffic to the collector is often
the best solution, for example by:
• Using the Ignore S-TAP Session action on more traffic in the policy
• Moving S-TAPs to a less loaded collector
• Load balancing traffic between more than one collector
• Adding more collectors to the environment
4.2.1.1 Understanding archive and purge
Data Archive and Results Archive can be found by clicking Manage > Data Management
• Data Archive backs up the data that has been captured by the Guardium system,
for a time period. When configuring Data Archive, a purge operation can also be
configured.
• Results Archive backs up audit tasks results (reports, assessment tests, entity
audit trail, privacy sets, and classification processes) as well as the view and
sign-off trails and the accommodated comments from workflow processes.
4.2.2 Managing data on an aggregator: exporting and importing
The export, archive, and purge functions can work on the same data, but not on the same
date ranges. For example, you may want to export and archive all information older than
one day and purge all information older than one month, thereby always leaving one month
of data on the sending unit.
Note: When setting the import schedule on an aggregator, it should be planned to run after
export has completed on all collectors.
CAS data is also aggregated and archived.
Note: The alert for no traffic is inactive for aggregator servers.
4.2.2.1 Exporting Data
• Function: Compress the data of a single day (midnight to midnight, typically
yesterday) into an encrypted file and send it to the aggregator (or to an external
repository on Archive).
• Schedule: Executed on a daily basis. Starts immediately after midnight (00:10) to
include the full day's data. Assumed to take up to 2 hours to complete (average;
dependent on the amount of data).
• High-level process:
1. Create a temporary database.
2. Load the relevant data (last day's activity) to the tmp db.
3. Update auto-increment IDs in the tmp db to ensure uniqueness.
4. Create an encrypted compressed export file of the tmp database.
5. Copy the export file to the aggregator (or to an external repository on Archive).
4.2.2.2 Importing Data
• Function: Import and merge the imported data into the internal databases of the
aggregator.
• Schedule: Executed on a daily basis. Starts at 02:00 (or after export has ended).
Assumed to take up to 3 hours to complete.
• High-level process (for each purged day):
1. Construct the delete command for each purged table (tables and the purge conditions
are defined in AGG_TABLES).
2. Execute the delete commands for each of the tables.
4.2.2.3 Archiving and Purging
• Purge function: Delete old records from the appliance (typically older than 60 days)
to free up space and speed up access operations to the internal database. Purging is
based on dates (deleting whole days' worth of data), but will not delete records that
are still "in use" (for example, open sessions).
• Schedule: The default purge activity is scheduled every day at 5:00 AM. Collectors:
after the export/archive. Aggregator: after the import. Assumed to take up to 2 hours
to complete.
• High-level process (for each purged day): Purge configuration is used by both Data
Archive and Data Export. Use the "Purge data older than" field to specify a starting
day for the purge operation as a number of days, weeks, or months prior to the current
day, which is day zero.
• Default purging: The default value for purge is 60 days. The default purge activity is
scheduled every day at 5:00 AM. For a new install, a default purge schedule will be
installed that is based on the default value and activity.
4.2.2.4 Orphan cleanup on aggregators
For example: the user restores data and wants to keep this data for 7 days. This means
the expiration date of this data will be 7 days from today, and this data will be available
for orphan cleanup after 7 days.
If the expiration date is later changed (set to keep the data for a shorter or longer
period), this does not affect the date on which the data becomes available for orphan
cleanup; the rest of the data on the machine remains available for orphan cleanup as
originally designed. Customers should pay attention to this, especially if they lengthen
the expiration period, in order not to lose data.
4.2.2.5 Verify Archiving and Purging Process
1. Click Reports > Guardium Operational Reports > Aggregation/Archive Log to
open the Aggregation/Archive Log.
2. Check to ensure that each Archive/Purge operation has a status of Succeeded.
4.2.2.6 Reporting on Aggregation and Archiving Activity
1. Navigate to Manage > Reports > Data Management > Aggregation/Archive Log
to open the Aggregation/Archive Log.
2. Define a query and build a report.
4.2.2.7 Restoring
As described previously, archives are written to a SCP or FTP host, or to a Centera or
TSM storage system. To restore archives, you must copy the appropriate file(s) back to
the Guardium system on which the data is to be restored.
1. Click Manage > Data Management > Data Restore to open Data Restore.
2. Enter a date in the From box, to specify the earliest date for which you want data.
3. Enter a date in the To box, to specify the latest date for which you want data.
4. In the Host Name box, optionally enter the name of the Guardium appliance from
which the archive originated.
5. Click Search.
6. In the Search Results panel, mark the Select box for each archive you want to
restore.
7. In the Don't purge restored data for at least box, enter the number of days that
you want to retain the restored data on the appliance.
8. Click Restore.
9. Click Done when you are finished.
4.2.3 Using restore from a backup for migrating
1. Using an SSH client, log in to the Guardium system as the CLI user.
2. If the backup files are on a remote system, import the files by entering the following
command: import file
You will be prompted for information about the system that contains the backup files and
the location of the files. The import process copies the backup data files to the
/var/dump directory.
3. Begin the restore process by entering the following command: restore db-from-prev-version.
When you receive prompts to "Update portal layout (panes and menus structure) to the
new default ...", note the following options:
o Answering y (yes) will result in all customized reports and panes being
compressed into one pane with the name "9.* Custom Reports."
o Answering n (no) will result in all panes being restored to what they were in the
prior release.
4.2.3-1 After running the restore db-from-prev-version command, note the following requirements:
• Reinstall the accelerators.
• Reload the MS SQL Server and Oracle .jar file for open sources.
• If a DPS file is in a waiting state from a previous Guardium version when the restore
process is performed, the DPS file will no longer be available. Upload the DPS file again
before performing the DPS import function for v9.5.
• Company logos uploaded before the restore process must be reloaded after the process
is complete. To reload a customer logo, use the Global Profile page.
4.3.3.3 Import users from LDAP
You can import Guardium user definitions from an LDAP server by configuring an import
operation to obtain the appropriate set of users.
You can run the import operation on demand, or schedule it to run on a periodic basis.
You can elect to have only new users imported, or you can have existing user definitions
replaced. In either case, LDAP groups can be imported as Guardium roles.
When importing LDAP users:
• The Guardium admin user definition will not be changed in any way.
• Existing users will not be deleted (in other words, the entire set of users is not
replaced by the set imported from LDAP).
• Guardium passwords will not be changed.
• New users being added to Guardium:
o Will be marked inactive by default
o Will have blank passwords
o Will be assigned the user role
4.4.5.1 Patch is stuck at “preparing to install” status
To resolve the problem,
a. Run "delete scheduled-patch" to remove the problematic patch installation. Then
upload and install the patch again. If it doesn't resolve the issue, proceed to the
next step.
b. Run "support must_gather patch_install_issues". Extract the must gather file
(patch_install.YYYYMMDD.tgz) and check the inittab file to see if the "pins" section is
commented out with #. If so, open a PMR and provide the information to IBM technical
support. IBM technical support will remove the # and install the patch again.
4.4.5.2 Installing a new Guardium patch does not complete
If you cannot complete the installation of a new Guardium patch, stop the interfering
process and reinstall the patch.
• Resolving the problem
o To install the new Guardium patch, stop any processes from interfering
with the installation.
o Delete the patch that is stuck by using the command delete scheduled-patch.
o Restart the system by using the command restart system.
o After the system restarts, stop the GUI and inspection core by using the
commands stop gui and stop inspection-core.
o Reinstall the patch and restart the GUI and inspection core by using the
commands restart gui and start inspection-core.
4.4.5.3 Patch is successfully installed on central manager, but cannot be pushed to
managed units.
Verify that TCP port 3306 is open bidirectionally.
5.4.1 Exporting Outlier Detection results
You must ensure that quick search is enabled. Search is enabled by default on new
installations of 64-bit systems, or you can use the command grdapi enable_quick_search.
You can also review outliers in the Analytic Outliers List report.
5.4.6 What is a report domain?
A domain provides a view of the data that Guardium stores. Each domain contains one or
more entities. An entity is a set of related attributes, and an attribute is basically a field
value.
5.5.1 Generating reports to narrow down violations
Log the policy violation only. We refer to the fact that the rule was triggered as a
policy violation. Except for the Allow action, a policy violation is logged each time a
rule is triggered (unless that action suppresses logging).
5.5.4 Why do some DB User Names appear as '?' in the output?
The most likely cause is that Guardium missed
some of the login packets while monitoring the database due to high traffic on the
collector.
5.6.4 Stopping an audit process
Stopping an audit process can be performed only if the audit tasks have not been run or
are running. Stopping an audit process will not execute any more tasks that have not
started. Stopping an audit process does not deliver partial results. The audit process
stops and a stopped error message is the result.
Stop an audit process by invoking GuardAPI (place the cursor on any line and double-click
for a drill-down) from the Comply > Tools and Views > Audit Process Log report.
Alternatively, it can be stopped by clicking "Actions" in the top right corner, selecting
stop_audit_process, and then picking the specific audit.
5.7.1 Configuring VA Test Exception to exclude a specific group from an assessment
Use a test exception to exclude specific members of a group from a security assessment.
This is useful if you do not want to or are not
authorized to change group settings.
6.6.1 Use the different tools available in Guardium to collect Guardium troubleshooting
information for technical assistance.
6.6.1.1 Apply the functionality to generate specific information about the status of any
Guardium system through the Central Manager GUI or through the CLI, so that it can
be sent to IBM Support whenever a Problem Management Report (PMR) is registered.
6.6.1.2 Choose the command to be sent to the S-TAP agent from the GUI and obtain
diagnostic information from S-TAP