InfoSphere Guardium V9 Technical Training Student Exercises GU202G, ERC: 2.1 3721, Version 001-1 GU2022XSTUD
IBM Training Front cover Student Exercises InfoSphere Guardium V9 Technical Training Course code GU202 ERC 2.1
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. The following are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide: AIX®, AS/400®, DB™, DB2®, Guardium®, Informix®, InfoSphere®, S-TAP®, System z®, Tivoli®, z/OS®.
Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States, and/or other countries. Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. VMware and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions. Netezza® is a trademark or registered trademark of IBM International Group B.V., an IBM Company. Other product and service names might be trademarks of IBM or other companies.
August 2014 edition
The information contained in this document has not been submitted to any formal IBM test and is distributed on an “as is” basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer’s ability to evaluate and integrate them into the customer’s operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will result elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.
© Copyright International Business Machines Corporation 2011, 2014. This document may not be reproduced in whole or in part without the prior written permission of IBM. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Trademarks ..... v
Exercises description ..... vii
Exercise 1. Using the Guardium CLI ..... 1-1
Exercise 2. Creating Guardium Users ..... 2-1
Exercise 3. Archiving Collected Data ..... 3-1
Exercise 4. Installing GIM and S-TAP ..... 4-1
Exercise 5. Creating Guardium Groups ..... 5-1
Exercise 6. Creating a Policy ..... 6-1
Exercise 7. Updating a Policy ..... 7-1
Exercise 8. Installing and Configuring CAS ..... 8-1
Exercise 9. Running a Vulnerability Assessment ..... 9-1
Exercise 10. Creating a Simple Query and Report ..... 10-1
Exercise 11. Creating a Query with Drill-down ..... 11-1
Exercise 12. Creating Multiple Queries ..... 12-1
Exercise 13. Creating a Compliance Workflow ..... 13-1
Trademarks
The reader should recognize that the following terms, which appear in the content of this training document, are official trademarks of IBM or other companies: IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. The following are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide: AIX®, AS/400®, DB™, DB2®, Guardium®, Informix®, InfoSphere®, S-TAP®, System z®, Tivoli®, z/OS®.
Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States, and/or other countries. Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. VMware and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions. Netezza® is a trademark or registered trademark of IBM International Group B.V., an IBM Company. Other product and service names might be trademarks of IBM or other companies.
Exercises description
This course includes the following exercises:
• Using the Guardium CLI
• Creating Guardium Users
• Archiving Collected Data
• Installing GIM and S-Tap
• Creating Guardium Groups
• Creating a Policy
• Updating a Policy
• Running a Vulnerability Assessment
• Creating a Simple Query and Report
• Creating a Query with Drill-down
• Creating Multiple Queries
• Creating a Compliance Workflow
In the exercise instructions, you can check off the line before each step as you complete it to track your progress. Most exercises include required sections which should always be completed. It might be necessary to complete these sections before you can start later exercises. Some exercises might also include optional sections that you might want to complete if you have sufficient time and want an extra challenge.
Exercise 1. Using the Guardium CLI
What this exercise is about
In this first exercise, you will spend a little time familiarizing yourself with the virtual machines, followed by some short activities using the Guardium Command Line Interface (CLI) to inspect the current Guardium configuration (there will be nothing for you to change here since the actual product configuration was performed when Guardium was first installed).
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance if necessary.
Warning: Remember that Linux commands and arguments are case sensitive. Type commands, usernames, and passwords exactly as shown.
__ 1. Access the Guardium Red Hat Linux image:
a. In the elab portal, double-click the PuTTY icon. The PuTTY Configuration window will open.
b. Under “Saved Sessions”, select collector and click the Load button. Then click the Open button.
c. At the login prompt, enter the username cli (all lower case letters) and press Enter. The password will be provided by your instructor.
Information: You will often see the IBM InfoSphere Guardium product referred to as SQL Guard (or SQLGuard). SQL Guard is the old name of the product before it was changed to IBM InfoSphere Guardium; not all references have yet been updated. In these materials, we will just refer to the product as Guardium.
__ 2. Following a successful login, you will arrive at the CLI prompt as shown below:
The prompt is made up of the machine hostname and domain name; these were configured when Guardium was installed. You can inspect these directly by entering the following CLI commands (press Enter at the end of each command to view the results):
v9collector01.ibm.com> show system hostname
v9collector01.ibm.com> show system domain
Information: Most Guardium CLI commands consist of a command word followed by one or more arguments. The argument can be a keyword or a keyword followed by a variable value (for example, an IP address, subnet mask, date, and so on). Commands and keywords are not case sensitive, but element names are. In the above example, which just uses the show command and subsequent keywords, entering SHOW SYSTEM HOSTNAME would work just as well.
__ 3. The basic show command can be used to inspect many different configuration parameters. For example, enter the following command to inspect the network configuration:
v9collector01.ibm.com> show network interface all
Guardium CLI commands may also be abbreviated if required, usually to a minimum of 3 characters (to ensure no ambiguity). For example, the above command can be abbreviated to:
v9collector01.ibm.com> sho net int all
__ 4. If you cannot remember all the command arguments, then the Guardium CLI will list them for you. For example, just enter the show command by itself (or show ?):
This lists all the possible arguments that can follow the show command. Similarly, just entering show network will list the possible arguments that can follow the show network command:
__ 5. Entering ? at the CLI prompt will list all possible commands:
Information: All Guardium CLI commands are documented in the CLI Reference Appendix. This is included in the IBM InfoSphere Guardium Version 9.0 Appendices document (available in PDF format) that accompanies the product software.
Enter the following command to exit from the Guardium CLI:
v9collector01.ibm.com> exit
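The abbreviation rule from step 3 (keywords may be shortened, normally to at least three characters, as long as they stay unambiguous) and the "?" listing from steps 4 and 5 are easy to misread, so here is a small Python model of that behaviour. It is an added illustration, not Guardium's own CLI code. The command tree is built from the commands used in this exercise; the routes and resolver keywords under show network are assumed extras, included only so that an ambiguous abbreviation can be demonstrated.

```python
# Toy model of Guardium-CLI-style keyword abbreviation and "?" help listing.
# Added illustration for the exercise; it is not Guardium's implementation.
MIN_ABBREV = 3  # the exercise states abbreviations need a minimum of 3 characters

# Command tree from the commands used in Exercise 1. "routes" and "resolver"
# under "show network" are assumed for illustration (they share the prefix "r"),
# so that an ambiguous abbreviation can be shown.
COMMANDS = {
    "show": {
        "system": {"hostname": {}, "domain": {}},
        "network": {"interface": {"all": {}}, "routes": {}, "resolver": {}},
        "password": {"validation": {}, "expiration": {"gui": {}}},
        "timeout": {"cli_session": {}, "fileserver_session": {}, "db_connection": {}},
    },
    "ping": {},
    "exit": {},
}


class CliError(ValueError):
    """Raised for unknown, ambiguous, or over-abbreviated keywords."""


def _match(word, choices):
    """Return the single keyword in `choices` that `word` abbreviates (case-insensitive)."""
    w = word.lower()
    hits = [c for c in choices if c.lower().startswith(w)]
    if not hits:
        raise CliError(f"unknown keyword '{word}'; expected one of {sorted(choices)}")
    if len(hits) > 1:
        raise CliError(f"'{word}' is ambiguous: {sorted(hits)}")
    if len(w) < MIN_ABBREV and hits[0].lower() != w:
        raise CliError(f"'{word}' is too short; use at least {MIN_ABBREV} characters")
    return hits[0]


def resolve(line):
    """Expand an abbreviated command line to its full canonical keywords.

    'sho net int all' -> ['show', 'network', 'interface', 'all'].
    Keywords are case-insensitive; once a leaf is reached, the remaining
    tokens are element values (such as the IP address given to ping) and
    are passed through unchanged, since element names are case sensitive.
    """
    node, out = COMMANDS, []
    for tok in line.split():
        if not node:  # leaf reached: the rest of the line is a value, not a keyword
            out.append(tok)
            continue
        kw = _match(tok, node)
        out.append(kw)
        node = node[kw]
    return out


def options(line):
    """What 'show ?' style help lists: the keywords that may follow `line`."""
    node = COMMANDS
    for tok in line.split():
        node = node[_match(tok, node)]
    return sorted(node)


def try_resolve(line):
    """Return (True, keywords) on success or (False, error message) on failure."""
    try:
        return True, resolve(line)
    except CliError as err:
        return False, str(err)


if __name__ == "__main__":
    for line in ("sho net int all", "SHOW SYSTEM HOSTNAME", "sho net r", "sh sys host"):
        print(f"{line!r:25} -> {try_resolve(line)}")
    print("? at the prompt lists:", options(""))
    print("show ? lists:", options("show"))
```

The model refuses an abbreviation shorter than three characters even when it happens to be unique; that is the conservative reading of the "minimum of 3 characters" rule in this exercise, and a value that follows a complete command (the address given to ping) is deliberately not abbreviation-matched.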
__ 6. Information: In a real world situation, it is likely that you will be accessing the Guardium CLI remotely via something like ssh, rather than directly using the console as you have been doing so far (ssh, or Secure Shell, is a network protocol that allows data to be exchanged using a secure channel between two networked devices).
In this step, we will launch the second VMware image (which also fulfills the database server role) and use that to access Guardium. Access the SUSE Linux image:
a. In the elab portal, double-click the Xming icon. The SUSE Linux window will open.
b. At the login prompt, enter the username root (all lower case letters) and press Enter. Enter the password guardium (all lower case letters) and press Enter.
__ 7. Right-click in an open area of the desktop and select Open Terminal from the pop-up menu. Test the connection to the Guardium image using the ping command:
dbserver01:~ # ping 192.168.169.9
Verify that you can ping successfully. Press CTRL-c to terminate the ping command.
__ 8. From the terminal window, log in to the Guardium image as the cli user using ssh:
dbserver01:~ # ssh cli@192.168.169.9
When prompted (it takes around 30 seconds initially), enter the same password as before. If you are prompted about the authentication of the host, respond yes to continue.
__ 9. When you are successfully logged in to the Guardium CLI, use the CLI ping command to ping the database server (there needs to be two-way communication between Guardium and the database server):
v9collector01.ibm.com> ping 192.168.169.8
Verify that you can ping successfully. Press CTRL-c to terminate the CLI ping command.
__ 10. For the remaining activities in this class, we will use the Guardium Console Web application rather than the CLI to configure Guardium. To make life a little easier, the Web application's password validation has been disabled, and password expiration and Web session timeouts have been extended. Verify this as follows:
v9collector01.ibm.com> show password validation
Confirm that password validation is set to off.
v9collector01.ibm.com> show password expiration gui
Confirm that password expiration is set to 90 days. The CLI refers to the Guardium Console Web application as the "GUI".
Enter the show timeout command for the cli_session:
v9collector01.ibm.com> show timeout cli_session
Confirm the CLI timeout is set to 600 seconds. Repeat this process to determine the timeout value for fileserver_session and for db_connection.
__ 11. Enter the exit command to exit the Guardium CLI and the ssh session:
v9collector01.ibm.com> exit
Close the terminal window (use the exit command again).
__ 12. The SUSE Linux image functions as an IBM DB2 database server. You will now inspect the DB2 setup on this virtual machine. It is easier to do this as the DB2 administrative user rather than root. Follow the instructions below to log off the root user and log on as the DB2 administrator. In the SUSE Linux image, click Computer (in the task bar at the bottom left of the screen) and choose Log Out… from the pop-up menu. Click OK to confirm the log out. Log back on with the username db2inst1, password guardium.
__ 13. Information: To be able to explore Guardium's functionality, we need at least one active database instance and an actual database to monitor for activity.
Open a terminal window (right-click and Open Terminal) and enter the command db2cc & to start the IBM DB2 Control Center application in a separate window. Select Advanced and click OK to dismiss the startup configuration dialog. Expand the tree view on the left of the application by selecting All Systems->GUARDIUM TRAINING->Instances->db2inst1->Databases->SAMPLE->Tables. The display will look similar to the screenshot shown.
Notice that there is a running DB2 instance called db2inst1 with a single database called SAMPLE which contains a number of tables. It is this instance and database that we will subsequently monitor.
__ 14. Under the SAMPLE database, expand the User and Group Objects node and click DB Users.
Notice that a number of database users have been defined (9 in total). We will refer to these in subsequent activities.
__ 15. Close the DB2 Control Center application and the terminal window. Log out the db2inst1 user and log back on as root (password guardium).
__ 16. Information: It will greatly assist you in understanding Guardium's capabilities if the database instance you are monitoring is in constant use, preferably with multiple users performing a variety of different tasks. We have simulated this in our training environment using a continuously running Linux cron job that is constantly executing a number of different database scripts. You will briefly inspect these scripts so that you are aware of the nature of this activity.
Open a terminal window and navigate to the /home/db2inst1/db2scripts directory:
dbserver01:~ # cd /home/db2inst1/db2scripts/
__ 17. Inspect the shell script cron-01.sh stored in this directory using the cat command:
dbserver01:/home/db2inst1/db2scripts # cat cron-01.sh
sleep 10
/home/db2inst1/db2scripts/db2-priv-users1.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-dml-nonpriv.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-priv-users1.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-select.sh 2
sleep 60
/home/db2inst1/db2scripts/db2-storedprox.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-exceptions.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-priv-users2.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-setup.sh 1
This script is being constantly run as a cron job. Cron is a time-based job scheduler in UNIX operating systems; it enables users to schedule jobs (commands or shell scripts) to run periodically at certain times or dates. Our cron job executes a number of other scripts (which reside in the same directory) between specified sleep intervals. It is these scripts which actually perform a variety of tasks against the DB2 database. Inspect one or two of these scripts using the cat command. Do not worry about the exact commands that these scripts are running; just satisfy yourself that they are indeed performing a variety of different database tasks using a number of different users (those you saw earlier in the DB2 Control Center).
__ 18. Close any terminal windows that you have open.
End of exercise
Exercise 2. Creating Guardium Users
What this exercise is about
In this exercise, you will use the Guardium Console Web application to create Guardium users and assign them to appropriate roles. We will use these users in later activities.
Exercise instructions
__ 1. In the SUSE Linux image, start the Firefox Web browser (either enter the command firefox https://192.168.169.9:8443 & in a terminal window or click Computer in the task bar and choose Firefox from the list of Favorite Applications).
__ 2. Firefox's home page is set to the Guardium Console Web application's URL https://192.168.169.9:8443. Click OK to accept the certificate warning and progress to the Guardium login page.
Enter the user name accessmgr, password guardium.
You will be prompted to change the password. Set the new password to ibm.
Information: Guardium comes with two built-in users that you can use to access the Guardium Console Web application administratively:
accessmgr: A member of the accessmgr role. Use this user to create other users and roles, and to set role memberships.
admin: A member of the admin role. Use this user for all other administrative functions.
You cannot delete these users, nor can you remove them from their default roles.
__ 3. Once you have successfully logged on as accessmgr, you will be presented with two tabs – Access Management and Data Security. Access Management should be selected by default (if it is not, then select it). Click the User Browser link to see the list of current Guardium users. There will be only two users defined so far - the built-in accessmgr and admin users.
Click the Add User button and enter the following information:
Username: User01
Password: guardium
First Name: Henry
Last Name: Xavier
Email: [email protected]
Disabled: Un-checked
Remember to uncheck the Disabled check box (it will be checked by default). You can disregard the text about the password characteristics since, as we saw in the previous activity, password validation has been disabled. Click Add User.
__ 4. Repeat this process to create the remaining three users (all with password set to guardium):
User02, Tracy Yuen, [email protected]
User03, Dan Charles, [email protected]
User04, Pat Deacy, [email protected]
__ 5. When you are done adding the users, the display on your browser should look something like this:
Click the Roles link for User01 and add the user to the infosec role by checking the appropriate checkbox (you will see that User01 is already a member of the user role – leave this checked).
Click Save to persist the change. Add further role memberships as follows:
User02: roles infosec and user
User03: roles dba and user
User04: roles audit and user
__ 6. Click the User & Role Reports link to display summary information about user and role memberships.
Double-click on individual users or roles and then select Record Details from the pop-up menu. This will show you further information about that user’s role memberships or the users assigned to a specific role. This report does not display details of the admin user or role.
__ 7. Logout of the Guardium Console Web application and close the browser.
End of exercise
Exercise 3. Archiving Collected Data
What this exercise is about
In this exercise, you will use the Guardium Console Web application to archive some pre-existing data stored previously by the Guardium collector. Since there is no external permanent storage mechanism available to you in this training environment, you will simply archive the data to a flat file on the SUSE Linux image to allow you to see how to set up the mechanism and easily view the result.
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance if necessary.
__ 1. In the SUSE Linux image, log on as root. Start Firefox and log on to the Guardium Console Web application as admin. The beginning password is guardium. You will be prompted to change the password; change it to ibm.
Information: Notice that the screen is very different from the previous exercise where you logged in as accessmgr. The accessmgr user is a member of the accessmgr role and is restricted to the few tabs and pages related mostly to user and role access to Guardium. The admin user is a member of the admin role, which exposes all the administrative functions available (except for those associated with user and role access management). There are numerous tabs and pages associated with these functions.
__ 2. Before we look at data archiving, let us enable IP to hostname aliasing for this setup (this will tell Guardium to show the actual hostname corresponding to an IP address if available). This will not actually have much effect in this training environment because we do not have a DNS (Domain Name Server); however, it is an example of something that you would normally do in a real world installation.
• Click the Administration Console tab to access the Administration Console pane, and then expand Configuration and click IP-to-Hostname Aliasing.
• Check both checkboxes (as shown). Click OK to accept the warning about existing aliases being overridden.
• Click Apply to commit the change.
__ 3. Information: Simply applying this configuration setting does not actually do much (other than saving the setting to the Guardium database, of course). You still need to instruct Guardium to actually do the aliasing. You can either do this immediately by clicking the Run Once Now button or schedule the activity on a periodic basis. Let us do both options.
Click the Define Schedule… button.
Set the activity to start at 10 pm every day (this is the start time recommended by the Guardium Implementation Best Practices Guide to avoid potential conflicts with other scheduled activities).
Save your changes (click the Save button).
Notice that the traffic light symbol has now turned green to indicate a scheduled activity.
Click the Run Once Now button to execute the process immediately. A dialog box will tell you the process may take some time to perform; click OK to acknowledge this. You will get a confirmation message when the process is complete. Click OK to continue.
__ 4. Information: Now let us get to the data archiving part. In this exercise, you will configure the system to archive data to a folder on the SUSE Linux image. You would normally archive data older than 1 day and ignore data older than 2 days to just archive the previous day's activity; however, in this training environment, it is likely that this would result in nothing being archived. So to see some effect from this activity, you will extend the archive data set well into the past to pick up some previously collected data. You will also disable any purging of collected data for the purposes of this exercise (it will be useful to you in later exercises to have some past data to work on). Again, this is not something you would normally do. Usually collected data should be regularly purged from the system once it has been archived to save space.
• In the Administration Console, click Data Management, then Data Archive.
• Check the Archive checkbox and change the settings to archive data older than 1 day and to ignore data older than 60 days (you might need to go further back than this; check with your instructor).
• Select the SCP protocol (we are just sending the data to a file system) and enter the following data:
Host: 192.168.169.8
Directory: /root
Username: root
Password: guardium
• Uncheck the Purge checkbox if checked.
• Apply your changes (click the Apply button). Wait until you see this message before moving on:
Click on OK to continue.
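The two thresholds in the Data Archive settings (archive data older than N days, ignore data older than M days) define a window of collection days, and the note in step 4 about the normal 1-day/2-day pair archiving nothing in this lab follows directly from that window. The Python model below works that through; it is an added illustration, not Guardium's archiver. The dates and the set of collected days are constructed (eleven days of data from early August 2014, matching the eleven files the exercise later reports), and the boundary handling (a day is eligible when its age is at least N days and less than M days) is an assumption, since the exercise does not state Guardium's exact rule.

```python
from datetime import date, timedelta

# Toy model of the Data Archive selection window from Exercise 3:
# "archive data older than N days, ignore data older than M days".
# Added illustration, not Guardium's own archiver. The boundary rule
# (age >= N included, age >= M ignored) is an assumption of this model.

# Constructed sample: the collector holds one day of data for each of
# 1-11 August 2014 (11 days, matching the 11 .enc files in the exercise)
# and nothing more recent, as on a lab VM that was built some time ago.
TODAY = date(2014, 8, 20)
COLLECTED_DAYS = [date(2014, 8, d) for d in range(1, 12)]


def valid_window(older_than_days, ignore_older_than_days):
    """The ignore threshold must lie strictly beyond the archive threshold."""
    return older_than_days >= 1 and ignore_older_than_days > older_than_days


def archive_window(today, older_than_days, ignore_older_than_days):
    """Return (newest, oldest) collection dates the window covers, both inclusive."""
    if not valid_window(older_than_days, ignore_older_than_days):
        raise ValueError("ignore threshold must exceed the archive threshold")
    newest = today - timedelta(days=older_than_days)
    # a day whose age equals the ignore threshold is already ignored
    oldest = today - timedelta(days=ignore_older_than_days - 1)
    return newest, oldest


def select_days(collected_days, today, older_than_days, ignore_older_than_days):
    """Collection days an archive run would write, one .enc file per day."""
    newest, oldest = archive_window(today, older_than_days, ignore_older_than_days)
    return sorted(d for d in set(collected_days) if oldest <= d <= newest)


def expected_archive_files(collected_days, today, older_than_days, ignore_older_than_days):
    """How many files to expect in the target directory after Run Once Now."""
    return len(select_days(collected_days, today, older_than_days, ignore_older_than_days))


if __name__ == "__main__":
    # The usual production pair covers only yesterday, for which this lab has no data.
    print("older than 1 / ignore older than 2 :",
          expected_archive_files(COLLECTED_DAYS, TODAY, 1, 2), "file(s)")
    # The widened pair from the exercise reaches back far enough to pick up the old data.
    print("older than 1 / ignore older than 60:",
          expected_archive_files(COLLECTED_DAYS, TODAY, 1, 60), "file(s)")
```

With the 1/2 pair the window collapses to a single day (yesterday), so a collector with no recent traffic produces no archive files, which is exactly why the exercise widens the ignore threshold; the model also shows that the Purge setting is independent of this selection, since nothing here removes days from COLLECTED_DAYS.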
__ 5. Information: At this point, you would normally want to schedule the archive and purge activity to run overnight on a regular basis (the Guardium Implementation Best Practices Guide recommends a 1:30 am start time dependent on your specific requirements); however, that is a long time to wait to see some effect. You will run the activity immediately so you can observe the result.
Click the Run Once Now button (it should have become active once the Apply completed) to execute the activity immediately.
When the system prompts you that the operation is complete, click OK to continue.
__ 6. To see what is going on, use the Guardium Monitor pages to report on the activity. Click the Guardium Monitor tab to access the Guardium Monitor pane, and then click the Aggregation / Archive Log link.
This built-in report shows activity by default from the previous week. After a short delay, you should see messages similar to those shown indicating that archiving has successfully completed.
__ 7. Confirm that the data has been successfully filed in the specified /root folder. Minimize the web console window. Open a terminal window if one is not already open. Since you are logged on to the SUSE Linux machine as the root user, this should take you directly to the /root folder. Enter the following command to list any archived data files:
dbserver01:~ # ls *.enc
In this example, the archive activity resulted in the creation of a total of 11 files corresponding to 11 days of archived data. Data is always collected and archived on a daily basis. Your number of files may vary. For reference, the file naming convention is as follows:
Close the terminal window and maximize the web console window.
__ 8. Guardium maintains a catalog of archived data files. The catalog can be used if you ever need to restore any archived data to the system. Let us check that your archived data files show up in the Guardium catalog.
Exercise 3. Archiving Collected Data
• Access the Administration Console pane
• Click Data Management, then Catalog Archive
The Catalog Archive Search Criteria will initially be blank. You can leave the Host Name field empty (it will automatically return cataloged data for all known Guardium collectors); however, you must enter both start and end date criteria (From/To). You can enter absolute dates (for example, 2013-07-19) directly or pick them using the usual Calendar icon; Guardium also supports relative dates, which can be typed in directly or picked using the Relative date selector. In the example below, the previous 2 months of cataloged data files are being searched.
• Click the Search button to return a list of archived data files:
Verify that your archived data files are present in the Guardium catalog. __ 9. Logout of the Guardium Console and close the browser. Exit any open terminal sessions.
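The following script is an added example and is not part of the IBM course material. It automates the check made by hand in step 7 and adds two checks a practitioner would want before trusting an archive run: that no archive file is zero-length (a failed or partial archive), and that none is readable by group or other, since these files hold database audit data and are being written into /root. It assumes only what the exercise shows: the archives are the *.enc files in one directory, one per archived day. The directory and the expected day count are arguments you supply; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM course): sanity checks on the archive files
# written by a Guardium archive-and-purge run.
# Assumptions: archives are the *.enc files in one directory (the lab writes
# them to /root), one file per archived day; GNU stat is used to read the
# permission bits (a BSD stat fallback is included).

# count_enc_files DIR -> prints the number of *.enc files in DIR
count_enc_files() {
    dir=$1
    n=0
    for f in "$dir"/*.enc; do
        [ -e "$f" ] || continue      # no match: the glob stays literal
        n=$((n + 1))
    done
    echo "$n"
}

# empty_enc_files DIR -> prints the names of zero-length *.enc files
empty_enc_files() {
    dir=$1
    for f in "$dir"/*.enc; do
        [ -e "$f" ] || continue
        [ -s "$f" ] || echo "$f"
    done
}

# loose_enc_files DIR -> prints *.enc files readable by group or other
# (an archive of database audit data should be readable by its owner only)
loose_enc_files() {
    dir=$1
    for f in "$dir"/*.enc; do
        [ -e "$f" ] || continue
        # -r/-w tests apply to the current user, so inspect the mode bits instead
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        go=$(printf '%s' "$mode" | tail -c 2)   # group and other octal digits
        case $go in
            00) ;;
            *) echo "$f" ;;
        esac
    done
}

# check_archives DIR EXPECTED_DAYS -> returns 0 if every check passes, 1 otherwise
check_archives() {
    dir=$1; expected=$2
    rc=0
    have=$(count_enc_files "$dir")
    if [ "$have" -ne "$expected" ]; then
        echo "WARN: expected $expected archive files in $dir, found $have"
        rc=1
    fi
    for f in $(empty_enc_files "$dir"); do
        echo "FAIL: zero-length archive $f"; rc=1
    done
    for f in $(loose_enc_files "$dir"); do
        echo "FAIL: $f is readable by group/other"; rc=1
    done
    return $rc
}

# Usage on the lab machine (the exercise archived 11 days of data):
#   check_archives /root 11 && echo "archive run looks good"
```

The file-name loops split on whitespace, which is fine for the generated archive names but not for arbitrary paths; the mode check deliberately reads the permission bits rather than using `-r`, because every file is readable to root and the test would otherwise always pass.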
End of exercise
Exercise 4. Installing GIM and S-TAP What this exercise is about The database server image you are using (the SUSE Linux one) does not currently have any Guardium software installed. Although we have a running Guardium collector, it is not currently collecting any data from the database server. In this exercise, you will first install the Guardium Installation Manager tool (the GIM), and then use that to install the S-TAP which will monitor local and network database traffic and forward it to the Guardium collector. As a further part of this exercise, you will also use GIM to install the Database Instance Discovery module and subsequently use it to automatically configure an inspection engine.
Exercise instructions Follow these instructions to perform the exercise. Ask your instructor for assistance if necessary. __ 1. Open the SUSE Linux image and log on as user root / password guardium. First, you will apply the license keys and install the GIM. __ 2. Open the console web interface, and log in as admin / ibm. __ 3. Navigate to Administration Console – Configuration – System.
__ 4. Minimize the console web interface window. On the desktop, locate the Keys folder. Double click on the Keys folder to open it. __ 5. In the Keys folder, locate the file named Collector V9 Base Key. Open this file by double clicking on it. __ 6. In the gedit window that opens, highlight the collector key value and select EDIT – COPY.
__ 7. Close the gedit and Keys folder windows, and maximize the console web interface window. Paste the Collector license key into the License Key prompt area using EDIT – PASTE.
__ 8. Scroll to the bottom of the screen and click on the Apply button. Nothing may appear to happen, but if you scroll back up you should see that the License Key prompt area is blank.
__ 9. Repeat this process for the DAM Standard V9 append key and also for the DAM Advanced V9 append key.
__ 10. Scroll to the bottom of the screen and click on the Restart button. At the “Are you sure” prompt, answer by clicking the OK button. It will take about 5 minutes for your Guardium appliance to reboot. You will know it is complete when the web console interface launches properly. After the reboot is done, log back on to the console web interface as admin/ibm.
__ 11. First, you will install the GIM. The installation media has already been copied to a folder on the SUSE Linux image. Open a terminal window on the SUSE Linux image and navigate to the /root/GIM folder:
dbserver01:~ # cd /root/GIM
List the folder contents:
dbserver01:~/GIM # ls
guard-bundle-CAS-v81_r24276_1-suse-10-linux-i686.gim
guard-bundle-DISCOVERY-v81_r24276_1-suse-10-linux-i686.gim
guard-bundle-GIM-v81_r24276_1-suse-10-linux-i686.gim.sh
guard-bundle-STAP-v81_r24276_1-suse-10-linux-i686.gim
The GIM installation media is the .gim.sh file (highlighted above). This folder also contains installation media for the S-TAP, the instance DISCOVERY module and the Configuration Auditing System (CAS) module. You will use GIM to install the first two of these shortly (and the third in a later exercise).
__ 12. You will install the GIM into the folder /usr/guardium (this folder already exists). To install the GIM, you enter a command with the following syntax (note the standalone -- before --dir; both are required):
./guard-bundle-GIM-<version>.gim.sh -- --dir <install-dir> --sqlguardip <collector-ip> --tapip <db-server-ip>
In this exercise, you will install GIM into the /usr/guardium directory. The collector IP is 192.168.169.9 and the database server IP is 192.168.169.8. So your command will appear as follows:
dbserver01:~/GIM # ./guard-bundle-GIM-v81_r24276_1-suse-10-linux-i686.gim.sh -- --dir /usr/guardium/ --sqlguardip 192.168.169.9 --tapip 192.168.169.8
Warning Be careful that you type this command correctly – it is easy to make a mistake here.
After scrolling through the license agreement (or pressing q to skip to the end), you will see the following messages:
Installing modules ....
Installation completed successfully
The installation should complete very quickly.
__ 13. There should now be two running processes created and started by the installation: the GIM client process (gim_client.pl) and the GIM supervisor (guard_supervisor). Verify that these processes are running using the following command; you should see a line for each (only the command column is shown here):
dbserver01:~/GIM # ps -ef | grep guard
/usr/bin/perl /usr/guardium/modules/GIM/8.1.00_r24276_1-1298979196/gim_client.pl /usr/guardium/modules/perl
/usr/guardium/modules/SUPERVISOR/8.1.00_r24276_1-1298979201/guard_supervisor
These processes are maintained by the Linux init process. Entries should have been added to the /etc/inittab file to enable this. Enter the following command and verify their presence: dbserver01:~/GIM # tail -5 /etc/inittab
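The script below is an added example, not part of the IBM course material. It covers two points from this part of the exercise: the warning that the long install command is easy to mistype (so the two IP addresses are validated before they go on the command line), and the manual checks in step 13 (both GIM processes running, and init configured to keep them alive). It assumes the process names shown in the exercise, gim_client.pl and guard_supervisor; matching those names in /etc/inittab is this example's own heuristic, not a documented inittab format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the IBM course): checks around the GIM install.
# Assumptions: the GIM processes are gim_client.pl and guard_supervisor (as the
# exercise shows); their /etc/inittab entries mention those names (heuristic).

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with each octet in 0..255
valid_ipv4() {
    addr=$1
    oldifs=$IFS; IFS=.
    set -- $addr                 # split on dots into positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gim_args_ok COLLECTOR_IP DBSERVER_IP -> 0 if both are valid and differ
# (--sqlguardip is the collector, --tapip is the monitored database server)
gim_args_ok() {
    valid_ipv4 "$1" || { echo "bad --sqlguardip: $1"; return 1; }
    valid_ipv4 "$2" || { echo "bad --tapip: $2"; return 1; }
    [ "$1" != "$2" ] || { echo "--sqlguardip and --tapip must differ"; return 1; }
    return 0
}

# gim_processes_ok PS_OUTPUT -> 0 if both GIM processes appear in PS_OUTPUT
# (pass "$(ps -ef)"; lines containing grep are dropped so the check does not
# match itself)
gim_processes_ok() {
    ps_out=$1
    printf '%s\n' "$ps_out" | grep -v grep | grep -q 'gim_client\.pl' || return 1
    printf '%s\n' "$ps_out" | grep -v grep | grep -q 'guard_supervisor' || return 1
    return 0
}

# inittab_has_gim INITTAB_TEXT -> 0 if uncommented entries reference both processes
inittab_has_gim() {
    tab=$1
    printf '%s\n' "$tab" | grep -v '^#' | grep -q 'gim_client\.pl' || return 1
    printf '%s\n' "$tab" | grep -v '^#' | grep -q 'guard_supervisor' || return 1
    return 0
}

# Live check on the database server (as root, after the GIM install):
#   gim_args_ok 192.168.169.9 192.168.169.8 &&
#   gim_processes_ok "$(ps -ef)" &&
#   inittab_has_gim "$(cat /etc/inittab)" && echo "GIM looks healthy"
```

The functions take their input as arguments rather than running ps and cat themselves, so the same logic can be exercised offline against captured output and reused on a host where init uses a different mechanism.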
__ 14. After successfully completing the GIM installation, the two GIM processes should be visible from the Guardium Console. • Exit the terminal window and maximize Firefox. You should still be logged into the console web interface as admin/ibm.
• Click the Administration Console tab and select Module Installation > Process Monitoring.
You should see a GIM process and a SUPERVISOR process running on your database server. __ 15. Information It is your objective in this exercise to use GIM to install the S-TAP and DISCOVERY modules on the database server. You saw earlier that the installation media for these modules reside in the /root/GIM folder. For GIM to be able to install these modules, they must first be uploaded to the Guardium collector.
• Click the Upload link under Administration Console > Module Installation. • Click Browse… and browse to the /root/GIM folder. • Select guard-bundle-STAP-v81_r24276_1-suse-10-linux-i686.gim and click Open. • Click Upload to upload the file to the Guardium collector. Repeat this for the guard-bundle-DISCOVERY-v81_r24276_1-suse-10-linux-i686.gim file.
Your screen should look like the above screenshot at this point. Click the checked icon (import this module) for each of the uploaded files. Click OK to accept the import and OK (again) to confirm its completion.
__ 16. Information The next step is to actually install the S-TAP and DISCOVERY modules on the database server. The tool provides two (very similar) ways of doing this; Setup By Client – choose one or more client systems and then install a selected module on those clients; or Setup By Module – choose a specific module and then install on one or more client systems. In the following steps, you will install the S-TAP module using Setup By Client and the DISCOVERY module using Setup By Module – so that you can see both mechanisms.
• Click the Setup By Client link and then click Search (you can leave all the search criteria fields empty - since we only have one client we do not need to refine the search in any way).
• Check the box for your database server (there will be only one in this case - if you have multiple servers, you can select as many as you like). • Click Next.
• Highlight the module you want to install (BUNDLE-STAP_8.1.00_r24276_1)
__ 17. Now, uncheck the box for Display Only Bundles. Information Notice that the two modules you uploaded are visible here (BUNDLE-DISCOVERY… and BUNDLE-STAP…), along with their individual components. Although you can choose to install individual components, by far the simplest, safest, and quickest way to install or uninstall modules is by using bundles, which guarantees automatic dependency and order resolution.
• Click Next. Information The next page allows you to enter a set of parameters to configure the module that you are about to install. The screen is split into two sections – a set of common module parameters (this would be applied to all clients if you had selected multiple database servers previously) and a set of Client Module Parameters to allow you to set parameters for a specific client. You will be changing settings under the Client Module Parameters section.
You will only need to enter values into three of the parameters. a) Set KTAP_LIVE_UPDATE to Y. Hint Scroll to the right. KTAP_LIVE_UPDATE will be the first field highlighted in a yellow-orange color.
This setting allows subsequent upgrades to S-TAP without the necessity of re-booting the database server (not something that will bother you in this training environment but a good habit to get into in the real world). b) Scroll further to the right and set STAP_SQLGUARD_IP to 192.168.169.9 (this is the IP address of the Guardium Collector). Hint You can use CTRL+F to open the browser's Find bar and search for the parameter name.
c) Nearby to the right, set STAP_TAP_IP to 192.168.169.8 (the IP address of the database server).
After making these changes, click Apply to Clients (click OK to confirm the change). __ 18. Next click Install/Update. A scheduling window will appear:
Schedule the install immediately by entering NOW into the Schedule Date and click Apply. Click OK to dismiss the confirmation dialog.
__ 19. You can monitor progress using the GIM Event List page under the Guardium Monitor tab.
Installation will normally take a minute or so. Verify successful installation in the GIM Event List. Hint The refresh button is an icon with two yellow arrows.
__ 20. Your S-TAP should now be up and running and recognized by the Guardium Collector. You can verify this by clicking the System View tab.
You should see the running S-TAP highlighted in green.
Information Although your S-TAP is running, it will not be doing very much as it is not yet aware of any database instances running on your database server. It needs to have one or more inspection engines configured. This can be done manually; however, you will use the DISCOVERY module to automate this.
__ 21. Click the Administration Console tab and go to Module Installation > Setup By Module.
There is no need to enter any search criteria, just click the Search button. __ 22. Highlight the BUNDLE-DISCOVERY_8.1.00_r24276_1 module from the list of modules and click Next.
__ 23. Select the database server on which you would like to install by checking the box (an easy choice as there is only one) and click Next.
__ 24. As before, the module parameter page is split into two - Common Module Parameters and Client Module Parameters. You will change just one Client Module Parameter. Set DISCOVERY_JAVA_DIR to /opt/ibm/db2/V9.7/java/jdk32/jre. To help you avoid typing errors, this path is stored in a Java setting file on your Linux Desktop, so you should be able to copy/paste the path. Hint You can access a typing area by clicking on the pencil icon to the right of the value box. Click Apply after entering the value in this typing area.
Click Apply to Clients to save the change (click OK to confirm).
__ 25. As we did before, click Install/Update. A scheduling window will appear:
Schedule the install immediately by entering NOW into the Schedule Date and click Apply. Click OK to dismiss the confirmation dialog. Installation will take a minute or so.
__ 26. Using the BACK button, return to the Client selection window. Click on the i to the right of the checkbox.
__ 27. The Installation Status box will be displayed. Scroll down to locate Discovery, and look at its status. If it is INSTALLED, the installation is complete. If it is anything else, click the Refresh button until it is installed or it generates an error message.
__ 28. Using the BACK button, return to the Client selection window.
__ 29. To confirm that the DISCOVERY module has installed successfully, go to the Guardium Monitor tab and click GIM Events List.
__ 30. To view any database instances found by the DISCOVERY module, click the Daily Monitor tab and click the Discovered Instances link (this might take an additional 5 minutes or so).
You should see the single DB2 database instance running. From here, you can quickly create an S-TAP Inspection Engine based on the newly discovered instance.
• Double-click the database instance and choose Invoke… from the pop-up menu. • Select create_stap_inspection_engine.
On the next page, confirm that the settings appear correct (you do not need to change any in this case) and click Invoke now.
__ 31. When the task is complete, you will see this completion page:
Close this and any other open dialogs. __ 32. Confirm the Inspection Engine creation. Click the Administration Console tab and select Local Taps > S-TAP Control. Expand the Inspection Engines node to see the newly created engine.
__ 33. Let us review what you have done here. You first installed the GIM on the database server and used that to install both an S-TAP module and a DISCOVERY module. You then used the DISCOVERY module to “discover” any running database instance (one was found), and to create and configure an inspection engine for that database instance. The Guardium Collector should now be receiving database traffic from the S-TAP. This can be verified using the System View tab on the Administration Console. The existing S-TAP / Inspection Engine should be displayed in green under the S-TAP Status Monitor section. Additionally, the S-TAP numbers for DB2 under the Current Status Monitor section should no longer be 0, but should be an ever-increasing value. (Remember, there is a continuously running cron job generating a variety of database activity from multiple users; the S-TAP and its inspection engine are monitoring this traffic.)
__ 34. Logout of the Guardium Console, close the browser and any open terminal windows.
End of exercise
Exercise 5. Creating Guardium Groups What this exercise is about In this exercise, you will create a couple of Guardium groups made up of different users that we will make use of in later exercises. You will also add some objects to a pre-defined built-in group.
Exercise instructions Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary. __ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as admin/ibm. __ 2. Click the Tools tab and select Group Builder from the list of tools.
You do not need to supply any Group Filter parameters, just click Next. __ 3. You are going to create a new group using manual entry rather than modify one of the existing groups. Enter the following information in the Create New Group area of the screen. (You may need to scroll down to find this area.)
Application Type: Public
Group Description: -tr Trusted Users
Group Type Description: USERS
Information It is good practice to identify the groups that you create with some sort of prefix (in this case, we have used -tr) to distinguish user added groups from the built-in ones. In addition, the '-' character at the beginning means that your groups appear at the top of the list of groups and are consequently easier to find and select.
Click the Add button to add your new group. __ 4. Add the users HR and APPUSER to your new -tr Trusted Users group. You should be able to pick them from the Add an existing Member to Group drop-down:
Note: You may have to click the refresh button (two yellow arrows) to the right of Add an existing Member to Group to populate the drop down list. Click Back to return to the group list (you should see your new group at the top). __ 5. Add a second new group called -tr Privileged Users:
Application Type: Public
Group Description: -tr Privileged Users
Group Type Description: USERS
Do not add any new users to the group; click the Add button to create the group, and then just click the Back button where you should see your new (but empty) group at the top of the list.
__ 6. Highlight your new -tr Privileged Users group and click the Populate from Query button.
__ 7. Select a pre-existing query called Detailed Sessions List from the query drop-down (we will look at how to build queries later). • Select DB User Name from the Fetch Member from Column drop-down • Set the Date parameters to NOW -1 DAY and NOW (the query will just scan your recently collected data for DB users) • Enter a wildcard search character '%' for the Server IP (as shown) • Click Save to save the query parameters
• Finally, execute the query by clicking Run Once Now
__ 8. The query will run and return a list of recent database users. From the results list, just check the A2840 user and the SCOTT user:
Click Import to add the selected members to the Group. Click OK to accept the import confirmation. Click Back to return to the Group list. __ 9. For your final group, you will add some new members to a built-in group called Sensitive Objects. Highlight the Sensitive Objects group and click the Populate from Query button. This time select a query called Objects List.
Select Object Name from the Fetch Member from Column drop-down and set the date parameters as before. Save your query parameters (click the Save button) and execute the query by clicking Run Once Now. From the list of query results, select the following objects:
db2inst1.cc_numbers
db2inst1.G_EMPLOYEES
db2inst1.G_PRODUCTS
v_cc
Click Import to add the selected objects to the group. Click OK when prompted with the “successful” dialog. Click Back to return to the Group list.
__ 10. The Guardium Monitor tab features a Guardium Group Details page which you can use to view your new groups.
By default, the page will show all group details. To narrow it down to the ones that you have just created, click the pencil icon on the top right of the page to customize the portlet. __ 11. Change the wildcard selection for the group description to read -tr% (as shown below).
Click Update to return to the Group Details page.
__ 12. Logout of the Guardium Console and close the browser.
End of exercise
Exercise 6. Creating a Policy What this exercise is about So far, you have successfully configured the setup to collect database activity from the database server; however, at this point, Guardium isn't really collecting anything and storing it in its database. It hasn't been told WHAT to collect yet. You might want to be fairly selective about what it collects. For example, you might decide that you can safely ignore database activity originating from a group of trusted users. In addition, you might want to be specifically alerted to unusual database activity, such as access to a pre-defined group of sensitive database tables. In Guardium, this is achieved by creating a Policy. A policy is made up of one or more rules which allow you to control exactly what sort of database activity is stored by Guardium and, if required, what sort of actions to take if a rule's conditions are triggered. In this exercise, you will create a Policy containing two rules:
• Rule 1: Ignore S-TAP Session for Trusted Users. This rule will instruct the sniffer process (running on the Guardium Collector) to ignore activity originating from members of the trusted users group. When triggered, the sniffer process will instruct the S-TAP to stop sending traffic for that particular session. Only session logouts for these users will subsequently be captured.
• Rule 2: Alert on Access to Sensitive Objects. This rule will be triggered whenever any privileged user touches one of the sensitive database objects listed in the group. When the rule is triggered, Guardium will also log this as a Policy Violation which will be viewable in Guardium's Incident Management application.
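The script below is an added example, not part of the IBM course material and not Guardium's rule engine. It is a deliberately simplified stand-in for the two rules described above, run against constructed session records, so that the effect of rule order can be seen offline before the policy is installed. Group membership is the one built in Exercise 5 (trusted: HR and APPUSER; privileged: A2840 and SCOTT; the four objects added to Sensitive Objects). The "USER OBJECT" record format, the exact-match comparison and the outcome labels are this example's own assumptions; real Guardium rule evaluation (per-session versus per-request matching, continue-to-next-rule behaviour) is richer than what is shown.

```shell
#!/bin/sh
# Added example (not from the IBM course): a simplified evaluator for the two
# access rules built in this exercise, applied to constructed "USER OBJECT"
# records. It is not Guardium's engine; it exists to show how rule order and
# group membership interact.

TRUSTED_USERS="HR APPUSER"
PRIVILEGED_USERS="A2840 SCOTT"
SENSITIVE_OBJECTS="db2inst1.cc_numbers db2inst1.G_EMPLOYEES db2inst1.G_PRODUCTS v_cc"

# in_group NAME "MEMBER MEMBER ..." -> 0 if NAME is a member (exact, case-sensitive)
in_group() {
    name=$1; shift
    for m in $1; do
        [ "$m" = "$name" ] && return 0
    done
    return 1
}

# evaluate USER OBJECT -> prints the outcome for one access
# Rule 1 (Ignore S-TAP session for trusted users) is checked first because it
# is the first rule in the policy; a session it ignores never reaches rule 2.
evaluate() {
    user=$1; object=$2
    if in_group "$user" "$TRUSTED_USERS"; then
        echo "IGNORE_STAP_SESSION"
        return 0
    fi
    if in_group "$user" "$PRIVILEGED_USERS" && in_group "$object" "$SENSITIVE_OBJECTS"; then
        echo "ALERT_PER_MATCH+LOG_FULL_DETAILS severity=HIGH"
        return 0
    fi
    echo "LOG_DEFAULT"      # no rule matched: ordinary logging applies
}

# evaluate_stream < records -> one "USER OBJECT -> OUTCOME" line per record
evaluate_stream() {
    while read -r u o; do
        [ -n "$u" ] || continue
        echo "$u $o -> $(evaluate "$u" "$o")"
    done
}

# Constructed sample traffic (not captured from the lab's cron job):
SAMPLE='HR db2inst1.cc_numbers
SCOTT db2inst1.cc_numbers
A2840 db2inst1.ORDERS
APPUSER v_cc
DB2INST1 db2inst1.G_EMPLOYEES'

# Run stand-alone to see the table. Note that HR touching cc_numbers is
# ignored outright because rule 1 matched first: a user placed in both the
# trusted and the privileged group would never trigger the sensitive-object
# alert, so keep the two groups disjoint.
printf '%s\n' "$SAMPLE" | evaluate_stream
```

The comparison is case-sensitive, so a user name captured as Scott would not match SCOTT in this toy evaluator; when populating real groups from the Detailed Sessions List query, as in Exercise 5, the member names come from the captured traffic and this mismatch does not arise.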
Exercise instructions Follow these instructions to perform the exercise. Ask your instructor for assistance if necessary. __ 1. In the SUSE Linux image, start Firefox, and log on to the Guardium Console as admin/ibm. __ 2. Before you create any policies, you should notice that there is no default policy created or installed. (We are using an out-of-the-box Guardium system.) To verify this: - Click the Administration Console tab and choose the Policy Installation link. - Notice that the Currently Installed Policy is empty – no policy is currently being enforced.
__ 3. Information In the work you are about to perform, you will create a policy of your own, which will become the currently installed and enforced policy for your Guardium system.
Click the Tools tab and choose Policy Builder from the list of tools.
You will see the list of existing policies - ignore these and create your own by clicking the New… button.
__ 4. Enter a Policy description of -Exercise 6 (the leading '-' character just keeps your policy at the top of the list for convenience) and a Policy category of Training.
Click the Apply button to save your new (but still empty) policy.
__ 5. Next click the Edit Rules… button to see the policy rules - there, of course, will not be any listed yet.
Click the Add Access Rule… button.
__ 6. Enter a Description of Ignore S-TAP session for trusted users for your rule (it is good practice to make rule descriptions meaningful, as they can show up in subsequent reports) and select -tr Trusted Users from the DB User Group drop-down.
__ 7. Click the Add Action button and select the IGNORE S-TAP SESSION action from the drop-down.
Click Apply.
__ 8. At this point, your rule should look like this:
Click the Save button to save your rule and return to the rules list for your policy. __ 9. Add a second access rule to your policy by clicking the Add Access Rule… button again. __ 10. Enter a Description for your rule Alert on access to sensitive objects, select -tr Privileged Users from the DB User Group drop-down and Sensitive Objects from the Object drop-down.
Also change the Severity to HIGH (this will make it easier to see in the incident log later). __ 11. Click Add Action and select ALERT PER MATCH from the action drop-down. Select SYSLOG as the Notification Type (we do not have any configured SNMP or SMTP servers).
Click Add (to add the SYSLOG notification receiver) and then click Apply. __ 12. This rule has two actions. Add the second one now. Click Add Action a second time to add another action. This time select LOG FULL DETAILS from the action drop-down and click Apply. Your rule should look like this:
__ 13. Click Save to save your rule and return to the rules list for your policy.
__ 14. Click the Back button twice to see your new policy at the top of the list of available policies:
__ 15. It is time to replace the currently installed policy with your new one. Click the Administration Console tab and select the Policy Installation link. In the Policy Installer section, make sure that your new policy, -Exercise 6, is highlighted and select Install from the drop-down:
Click OK. You should see your policy shown as the currently installed policy.
__ 16. Now it is time to admire your results! Let us start with the privileged users rule. Click the Incident Management tab. Database users Scott and A2840 are privileged users (that is, members of the -tr Privileged Users group that you created earlier). In your policy, you configured the Alert to write to SYSLOG. However, an Alert also shows up as a policy violation, which is displayed here on the Incident Management pane.
You might need to wait a few minutes for some results to show up (remember that continuously running cron job?). You might also need to sort by Session Start time (click the Session Start column title) to see the latest sessions on the first page of the report.
__ 17. The rule for ignoring trusted user access will be harder to track, since there is no built-in report that includes that information. Instead, you will need to create your own query and report, processes we will cover in the upcoming lab exercises.
__ 18. Log out of the Guardium Console and close the browser.
End of exercise
Exercise 7. Updating a Policy
What this exercise is about
In this exercise, you will update your new policy to make it a little more complex. Your objective is to implement the logic described by the following flow chart, in which incoming database traffic is evaluated as follows:
• Have there been three failed logins within 5 minutes from a single user? If yes, alert. If not, go to the next rule.
Note: because this rule is an exception rule and the remaining rules are access rules, this rule could have been placed anywhere in the order.
• Does the session information match the Trusted Connection group? If yes, Ignore S-TAP Session. If no, go to the next rule.
This should be the first access rule, because all of the trusted connections should be ignored. If it is placed lower in the rule order, some rules might fire inappropriately.
• Is the user in the Privileged User group? If yes, Log Full Details and Continue to next rule.
If the Cont. box is not checked, the policy stops at this rule for all privileged user activity. To ensure that rule number 4 is also processed for privileged users, you must check the Cont. box.
• Is the object in the Sensitive Objects group and is the command in the DML Commands group? If yes, Log Masked Details and Alert Per Match.
If the user is a privileged user, the Log Full Details action from rule number 3 takes precedence.
If none of the above are matched, the traffic is logged normally.
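The rule flow above, together with the two points the exercise steps warn about (the Cont. to next rule checkbox and the '.' in the DB User field of the failed-login rule), modelled as an added Python example. This is not Guardium code and the real policy engine is not visible in the course material; the model only imitates the rule order described here. The group names are the exercise's own; the group members, IP addresses and the treatment of Reset Interval as a sliding window in seconds are assumptions.

```python
"""Toy model of the Exercise 7 policy: four rules evaluated in order.

This is an added illustration, not Guardium code. It imitates the rule order
described in the flow chart so the effect of the Cont. checkbox and of the
'.' in the DB User field of the exception rule can be seen.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Group names are the exercise's own; the members are constructed for the example.
GROUPS = {
    "-tr Trusted Users": {"appuser"},
    "-tr Privileged Users": {"scott", "a2840"},
    "Sensitive Objects": {"employee", "salary"},
    "DML Commands": {"SELECT", "INSERT", "UPDATE", "DELETE"},
}

FAILED_LOGIN_ALERT = "ALERT PER MATCH (Failed login alert)"
SENSITIVE_ALERT = "ALERT PER MATCH (Alert on access to sensitive objects)"


@dataclass
class Event:
    """One observed database event; a constructed stand-in for S-TAP traffic."""
    db_user: str
    client_ip: str
    verb: str = ""
    obj: str = ""
    login_failed: bool = False
    ts: float = 0.0  # seconds


class FailedLoginTracker:
    """LOGIN_FAILED exception rule with Minimum Count and Reset Interval.

    same_user=True models the '.' in the DB User field (failures are counted per
    user); same_user=False counts failures from any user together, which is what
    the exercise warns happens if the '.' is omitted. Treating the interval as a
    sliding window in seconds is an assumption of this model.
    """

    def __init__(self, minimum_count=3, reset_interval_sec=5 * 60, same_user=True):
        self.minimum_count = minimum_count
        self.reset_interval_sec = reset_interval_sec
        self.same_user = same_user
        self.windows = defaultdict(deque)

    def record(self, ev):
        key = ev.db_user if self.same_user else "*"
        window = self.windows[key]
        while window and ev.ts - window[0] >= self.reset_interval_sec:
            window.popleft()  # forget failures outside the interval
        window.append(ev.ts)
        if len(window) >= self.minimum_count:
            window.clear()  # start counting again after alerting
            return True
        return False


def evaluate(ev, tracker, cont_after_privileged=True):
    """Return the actions the policy takes for one event, in rule order."""
    actions = []

    # Rule 1 (exception rule): failed logins. Exception rules look at errors,
    # not access traffic, so the access rules below do not apply to them.
    if ev.login_failed:
        if tracker.record(ev):
            actions.append(FAILED_LOGIN_ALERT)
        return actions or ["LOG (default)"]

    # Rule 2 (first access rule): trusted connections are dropped entirely.
    if ev.db_user in GROUPS["-tr Trusted Users"]:
        return ["IGNORE S-TAP SESSION"]

    # Rule 3: privileged users are logged in full. Cont. to next rule decides
    # whether rule 4 is reached for them at all.
    if ev.db_user in GROUPS["-tr Privileged Users"]:
        actions.append("LOG FULL DETAILS")
        if not cont_after_privileged:
            return actions

    # Rule 4: DML against a sensitive object. LOG FULL DETAILS from rule 3
    # takes precedence over LOG MASKED DETAILS when both rules match.
    if ev.obj in GROUPS["Sensitive Objects"] and ev.verb in GROUPS["DML Commands"]:
        actions.append(SENSITIVE_ALERT)
        if "LOG FULL DETAILS" not in actions:
            actions.append("LOG MASKED DETAILS")

    return actions or ["LOG (default)"]


if __name__ == "__main__":
    tracker = FailedLoginTracker()
    for ev in (Event("appuser", "10.10.9.56", "SELECT", "salary"),
               Event("scott", "10.10.9.57", "SELECT", "salary"),
               Event("bob", "10.10.9.58", "UPDATE", "employee"),
               Event("bob", "10.10.9.58", "SELECT", "orders")):
        print(ev.db_user, ev.verb, ev.obj, "->", evaluate(ev, tracker))
```

Running it with cont_after_privileged=False shows why the Cont. box matters: a privileged user's UPDATE of a sensitive object is then logged in full but never raises the Alert Per Match of rule 4. Feeding three failed logins from three different users within five minutes shows the difference the '.' makes: with same_user=True nothing fires, with same_user=False the third failure alerts.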
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Administration Console as admin/ibm.
__ 2. Since you are changing a policy that is already installed, the easiest way to do this is through the Currently Installed Policy page. Click the Administration Console tab and choose the Policy Installation link. You will see your installed policy displayed. Click the Edit Installed Policy button.
__ 3. Information
Of the two existing rules in your policy, the Ignore S-TAP session for trusted users rule does not need to change (you will create a new rule immediately before and after it, but let us do that later). The Alert on access to sensitive objects rule needs a little modification; let us do that now.
Edit the Alert on access to sensitive objects rule by clicking the Edit icon (circled in the screenshot).
__ 4. Previously, we restricted the “Alert on access to sensitive objects” rule to members of the -tr Privileged Users group. Remove that restriction using the DB User group drop-down as shown below. We do, however, want to add a new restriction (in addition to the existing Sensitive Objects): select the group DML Commands from the Command group drop-down.
__ 5. Remove the existing LOG FULL DETAILS action by clicking the Delete icon.
Add a new LOG MASKED DETAILS action and use the directional icons to move it to the top of the action list, so that your action list looks like this:
Save your modified rule by clicking the Save button and return to the rules list for your policy.
__ 6. Add a new exception rule to your policy by clicking the Add Exception Rule… button. Enter the following data:
Description: Failed login alert
Severity: MED
DB User: .
Exception Type: LOGIN_FAILED
Minimum Count: 3
Reset Interval: 5
Warning
Be sure to enter the period character '.' in the DB User field. This tells Guardium to apply the rule to the same user. If you omit the period, then failed logins from completely different users might trigger the rule.
Add the ALERT PER MATCH action with SYSLOG notification and Save your rule.
__ 7. Use the directional icons to move your new rule to the top of the list, so that your rule list looks like this:
__ 8. To implement the original plan, you need to add one final rule to log details of what any privileged users are up to. Click the Add Access Rule… button. Enter the following data:
Description: Privileged users – log everything
DB User Group: -tr Privileged Users
Continue to next rule: check the box
Warning
Remember to check the Cont. to next rule checkbox. If you do not, rule processing will stop at this rule.
Add a LOG FULL DETAILS action and Save your rule.
__ 9. Finally, adjust the rule order so that the rule you just added is third in the list. Your list of rules should look like this:
__ 10. Click Back to return to the Policy Installation page. Although you have successfully edited your policy, the new version is not actually installed yet (look carefully at the time part of the Date Installed field on the page and at the number of installed rules). To install your modified policy, click the Run Once Now button and observe that the installation time and the number of installed rules change.
__ 11. Use the Incident Management application and the existing report to check that your policy is working properly. You might have to wait several minutes before enough data is collected. You should now be able to see two sorts of policy violation logged on the Incident Management page, Alert on access to sensitive objects and Failed login alert, as shown below:
__ 12. Log out of the Guardium Console and close the browser.
End of exercise
Exercise 8. Installing and Configuring CAS
What this exercise is about
In this exercise, you will install the Configuration Auditing System (CAS) agent on your database server and configure it to monitor a set of operating system and database files based on some pre-defined templates.
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as admin/ibm.
__ 2. Your first task is to upload and install the Configuration Auditing System (CAS) license key. Navigate to Administration Console – Configuration – System, and then minimize the browser window to return to the desktop. On the desktop, locate the Keys folder and double-click it to open it. In the Keys folder, locate the file named CAS Key.txt and open it by double-clicking it. In the gedit window that opens, highlight the CAS key value and select EDIT – COPY. Close the gedit and Keys folder windows, and maximize the console web interface window. Paste the CAS license key into the License Key prompt area using EDIT – PASTE. Scroll down and click Apply.
__ 3. Scroll to the bottom of the screen and click the Restart button. At the “Are you sure” prompt, click OK. It will take about 5 minutes for your Guardium appliance to reboot. You will know it is complete when the web console interface launches properly. After the reboot is done, log back on to the console web interface as admin / ibm.
__ 4. Your next task is to install the CAS Agent software on the database server. You will use GIM to do this; the process is similar to the S-TAP installation you performed earlier. Click the Administration Console tab and navigate to the Module Installation > Upload page.
Browse to the /root/GIM folder and locate the guard-bundle-CAS-v81_r24276_1-suse-10-linux-i686.gim file. Click Open (to select it), then Upload (to upload to the Guardium collector).
Click the circled icon to import the module to the Guardium database. Click OK to confirm the import and OK (again) to acknowledge a successful import.
__ 5. Click Setup By Client and then click the Search button to locate all database servers (there will be only one). Select your database server (check the box) and click Next.
__ 6. Highlight the BUNDLE-CAS_8.1.00_r24276_1 module and click Next.
__ 7. Information
The only module parameter you need to set is the Java runtime directory (in the same way that you did earlier for the DISCOVERY module). Remember that the directory path is saved in the Java setting file on your Desktop to enable you to copy/paste the value.
Set the CAS_JAVA_DIR parameter to /opt/ibm/db2/V9.7/java/jdk32/jre.
Click Apply to Clients and then click OK to acknowledge the application. Next, click Install/Update.
Hint
You may need to move the cursor to another field to activate the necessary buttons.
When prompted, enter a Schedule Date of NOW. Click Apply to start the installation, and select OK to acknowledge the application.
__ 8. Click the Guardium Monitor tab and select GIM Events List to check the status of the installation (might take a few minutes to complete). Use the refresh button to update the display.
__ 9. Information
You will perform the remainder of this exercise as a normal Guardium user, User01, which you created earlier (it is easier to get to the CAS tools as a non-administrative user). First, though, you need to give User01 access to the CAS tools.
Log out of the Administration Console. Log back on as the accessmgr user (password ibm). Click the Roles link for User01.
Add the CAS role to User01. Click Save and then log out of the Administration Console.
__ 10. Login as User01 (password guardium). When prompted, change the password to ibm. The console screen will look quite a bit different from the administrative view that you are used to seeing. Click the Assess/Harden tab and choose Config. Change Control.
Click the Configure CAS templates button.
__ 11. Information
For each operating system and database type supported, Guardium provides pre-configured, default template sets for monitoring a variety of databases on either UNIX or Windows platforms. A default template set is one that will be used as a starting point for any new template set defined for that template-set type. A template-set type is either an operating system alone (UNIX or Windows), or a database management system (DB2, Informix, Oracle, and so on), which is always qualified by an operating system type; for example, UNIX-Oracle, or Windows-Oracle. You cannot modify a Guardium default template set, but you can clone it and modify the cloned version. In this step, you will just take a look at an existing template; you won't actually change anything.
Under the CAS Configuration Navigator, choose UNIX and DB2 under List Filtering.
Let's take a look at one of these. Highlight the first template (Default Unix/DB2 Template Set – Unix – DB2) and click Modify.
__ 12. Review the type of information monitored with this template.
Click Back when complete.
__ 13. Click the Config. Change Control tab again and click the Configure CAS hosts button (the system will take 30 seconds or so to respond).
__ 14. Highlight the CAS host (there will be only one) and click Modify.
__ 15. Information For a given CAS host, this page allows you to configure one or more templates that CAS will use to monitor your database server. You can see that a default template for the UNIX operating system has already been added for you (this needs no further configuration). However, the database (DB2, in this case) templates need to be configured – specifically, they need to be told how to access a given database. This is achieved by creating a Datasource for use by each template (multiple templates can share the same datasource).
Select Default UNIX/DB2 Template Set: UNX – DB2 from the drop-down and click Add Datasource…
__ 16. There are no datasources yet created. So click New.
__ 17. Enter the following information:
Name: SLES10
Share Datasource: checked
Save Password: checked
Login Name: db2inst1
Password: guardium
Port: 50001
Database Name: Sample
Database Instance Account: db2inst1
Database Instance Directory: /home/db2inst1
Hint
Be sure to use the appropriate upper / lower case letters.
Click Apply and then OK to save the data. This will expose a Test Connection button. Click the Test Connection button. Verify that the datasource can connect.
Click OK to acknowledge the confirmation.
__ 18. Click Back to return to the Datasource selection page:
Then click Add to add the datasource to the template. Be patient; it might take a minute or so.
__ 19. You will see your new datasource/template combination listed.
Select a second template from the drop down – Default UNIX/DB2 Template Set V8.0: UNX-DB2 and add the same datasource to that template (do not create a new datasource - just re-use the one you just created). Your CAS Host Instance Definitions list should now look like this:
Hint
You may have to click the REFRESH button if one of the entries is in a pending state.
__ 20. At this point, CAS is up and running and monitoring your database server for changes. To see what it is looking at, click Assess/Harden > Change Reports. Initially these reports contain a great deal of information, because when CAS is newly configured and started it reports nearly everything as changed.
After a period of time, the results become easier to interpret. For example, wait a few minutes, then open a terminal window and touch one of the files that CAS is monitoring:
dbserer01:~ # touch /home/db2inst1/.bashrc
Return to the Web interface, and select Customize (the pencil circled in the following image).
Set the “Monitored_Item” value from % (all items) to %bashrc (the file you touched). Scroll down and click the Update button.
You should begin to be able to see how CAS tracks changes to your system:
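What the CAS agent does behind the Change Reports, as an added Python example (it is not CAS code and does not reproduce a CAS template): baseline the attributes of the monitored files, compare a later snapshot against that baseline, and filter the report by a Monitored_Item pattern such as %bashrc. The directory tree, file contents and the set of attributes compared are constructed for the example; the first comparison against an empty baseline reproduces the flood of results described in step 20, and the touch of .bashrc shows up as a change in modification time only.

```python
"""Added illustration of what a CAS template does for files: snapshot the
monitored files' attributes, compare against the previous snapshot, and filter
the resulting change report by a Monitored_Item pattern. Not CAS agent code;
the directory tree, file contents and attribute set are constructed here.
"""
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(root):
    """Record permission bits, owner, size, mtime and SHA-256 of every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            digest = hashlib.sha256()
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    digest.update(fh.read())
            state[rel] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": digest.hexdigest(),
            }
    return state


def diff(previous, current):
    """List (path, change) pairs. With an empty previous snapshot every file is
    ADDED, which is the flood of results the exercise describes on first start."""
    changes = []
    for path in sorted(set(previous) | set(current)):
        if path not in previous:
            changes.append((path, "ADDED"))
        elif path not in current:
            changes.append((path, "REMOVED"))
        else:
            before, after = previous[path], current[path]
            changed = [k for k in before if before[k] != after[k]]
            if changed:
                changes.append((path, "MODIFIED:" + ",".join(changed)))
    return changes


def filter_changes(changes, monitored_item="%"):
    """Apply a Monitored_Item filter: '%' matches any run of characters, as in the
    report customization, so '%bashrc' keeps only paths ending in bashrc."""
    pattern = monitored_item.replace("%", "*")
    return [c for c in changes if fnmatch.fnmatchcase(c[0], pattern)]


def demo():
    """Build a constructed db2inst1 home, baseline it, touch .bashrc, then edit it."""
    root = tempfile.mkdtemp()
    try:
        home = os.path.join(root, "home", "db2inst1")
        files = {
            ".bashrc": b"export PATH=$PATH:~/sqllib/bin\n",
            ".profile": b"umask 022\n",
            "sqllib/db2nodes.cfg": b"0 dbhost 0\n",
        }
        for rel, body in files.items():
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        baseline = snapshot(root)
        initial = diff({}, baseline)

        bashrc = os.path.join(home, ".bashrc")
        later = baseline["home/db2inst1/.bashrc"]["mtime_ns"] + 2 * 10**9
        os.utime(bashrc, ns=(later, later))          # same effect as `touch`
        touched = diff(baseline, snapshot(root))

        with open(bashrc, "ab") as fh:                # now a real content change
            fh.write(b"alias ll='ls -l'\n")
        os.chmod(bashrc, 0o600)
        os.utime(bashrc, ns=(later, later))
        edited = diff(baseline, snapshot(root))

        return {
            "initial": initial,
            "touched": touched,
            "touched_bashrc": filter_changes(touched, "%bashrc"),
            "edited_bashrc": filter_changes(edited, "%bashrc"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The point of recording several attributes rather than only a hash is visible in the two reports for .bashrc: a touch changes only mtime_ns, while the later edit changes mode, size, mtime_ns and sha256 together, which is what distinguishes a harmless re-save from a real configuration change.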
__ 21. Log out of the Guardium Console, close the browser and exit any open terminal windows.
End of exercise
Exercise 9. Running a Vulnerability Assessment
What this exercise is about
In this short exercise, you will run a brief database Vulnerability Assessment so that you understand the process involved in setting one of these up. The results will not be very meaningful in this training environment.
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary.
__ 1. Log on to the SUSE Linux image as root / guardium. Start Firefox and log on to the Guardium Console as admin / ibm.
__ 2. You will need to upload and install the Vulnerability Assessment (VA) license key. Navigate to Administration Console – Configuration – System, and then minimize the browser window to return to the desktop. On the desktop, locate the Keys folder and double-click it to open it. In the Keys folder, locate the file named VA Key.txt and open it by double-clicking it. In the gedit window that opens, highlight the VA key value and select EDIT – COPY. Close the gedit and Keys folder windows, and maximize the console web interface window. Paste the VA license key into the License Key prompt area using EDIT – PASTE. Scroll to the bottom of the screen and click the Apply button. Nothing may appear to happen, but if you scroll back up you should see that the License Key prompt area is blank.
__ 3. Scroll to the bottom of the screen and click the Restart button. At the “Are you sure” prompt, click OK. It will take about 5 minutes for your Guardium appliance to reboot. You will know it is complete when the web console interface launches properly. After the reboot is done, log back on to the console web interface as User01 / ibm.
__ 4. Click the Assess/Harden > Vulnerability Assessment tab and click the Define what database you want assessed button.
__ 5. On the Security Assessment Finder page, click New… to create a new assessment (none exist at this time).
__ 6. Enter a name for your assessment in the Description field: DB2 Security Assessment. Click Add Datasource… and add the datasource that you created in the previous exercise (there is no need to create a new one here).
Click Apply to save your changes. __ 7. Information At this point, you have created a Security Assessment and told it what database to use; however, you have not told it specifically what tests to perform. You will do that now.
Click the Configure Tests… button.
Click the DB2 tab and highlight one or more tests from the (lengthy) list. You may choose the ones shown in the screenshot or pick your own. Limit your selections to no more than 6 or 7 tests (you want all this to run quickly so you can see the effect). Click the Add Selections button to add your selections to the list at the top of the page. You might need to use the scroll bar at the bottom of the page to see the Add Selections button.
__ 8. Click the Back button to return to the Security Assessment Builder page and again to return to the Security Assessment Finder page.
__ 9. You are now ready to run the assessment. Click the Run Once Now button.
Click OK to accept the successfully queued confirmation.
__ 10. The Guardium Job Queue report on the right of the page shows you the status of your assessment. Refresh the report to see the current status.
When you see the status marked as COMPLETED, click the View Results button to see the results of the assessment tests. Depending on exactly what tests you selected, your report should look something like this:
__ 11. Close the report, log out of the Guardium Console and close the browser.
End of exercise
Exercise 10. Creating a Simple Query and Report
What this exercise is about
This is the first of three exercises focused on creating your own Guardium queries and reports. In this exercise, you will create your own Console tab to display your report. Then you will create a simple query and a report that uses that query, and place that report on your new reports page. The query that you will create will return details of all trusted sessions (sessions opened by database users who are members of the -tr Trusted Users group that you created previously). The query will return Database User Name, Client and Server IP addresses and Source Program name.
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as User01/ibm.
__ 2. First, let us create a new Reports tab. Click the Customize link (top right of your screen).
__ 3. Click the Add Pane button.
Enter a name for the pane: User01 Reports and click Apply.
__ 4. Click the link for your new User01 Reports pane.
__ 5. Select Menu pane from the Layout drop-down and click the Save button to save your change.
Click Save (again) on the Customize Pane screen to return to the main screen. You should see your new User01 Reports tab listed.
__ 6. Now let us get to the Query creation part. Click Monitor/Audit > Build Reports.
Click the Track data access button.
__ 7. On the Query Finder page, click the New… button (there are lots of built-in queries but you are creating your own).
__ 8. Name your query -Trusted Sessions and select Session as the Main Entity.
Click Next.
__ 9. Add the following fields to the Query Fields pane:
Client IP
Server IP
DB User Name
Source Program
These fields are all part of the Client/Server entity. To add the fields, click Client/Server in the Entity List on the left of the screen and either click each field and select Add Field from the pop-up menu or just drag the field to the Query Fields list.
__ 10. Use the directional icons to sort the list of fields as shown below. Also determine the ordering of any results by checking the Order by checkboxes for Client IP and DB User Name and setting their Sort Rank so that Client IP is sorted first and DB User Name second.
Finally, check the Add Count checkbox (this will cause the subsequent report to display counts of the sessions rather than details of each individual one).
__ 11. Your objective is to return session details for trusted users only. To achieve this, you need to apply a condition to this query.
__ 12. Add the DB User Name field to the Query Conditions pane and select IN GROUP from the Operation drop-down.
__ 13. With DB User Name added as a Query Condition and IN GROUP selected as the operator, you should now be able to find and select -tr Trusted Users as the group.
Click the Save button to save your query.
__ 14. Now that the query has been built, you need to create a report that uses it and add the report to the User01 Reports page that you created earlier. Fortunately, this can be achieved in one step. Click the Add to Pane… button ...
and then select User01 Reports from the list of panes. Click OK to acknowledge the change.
Click the User01 Reports tab where you can admire your new report.
Information Although you have been working on a Query pretty much all the time, when you clicked the Add to Pane… button, Guardium automatically created a Report with the same name as the Query. It is the Report that gets placed on the designated User01 Reports pane. The Report is responsible for the look and feel of the results that you see on the screen. The Query is responsible for the content. If you want to see details of the Report that was created, click Monitor/Audit > Build Reports and click the Define how information should be presented button. You should be able to locate and inspect the Report from there (it will have the same name as the query you just created). Do not make any changes at this time.
__ 15. By default, the Start Date/End Date settings cover the last 3 hours of data. You can change this if you want by clicking the Customize icon (shown circled above) and modifying the setting as shown below (NOW-30 HOUR):
Click the Update button to save any changes and re-run the report.
__ 16. Log out of the Guardium Console and close the browser.
End of exercise
Exercise 11. Creating a Query with Drill-down
What this exercise is about
In this second query and report building exercise, you will create a query with runtime parameters. Queries structured in this way become available as drill-down reports (from other reports where those parameters are available). The query will return details of all database objects accessed by a specified database user/client IP address combination. Database User and Client IP will be defined in parameter form, so that they must be defined at runtime (either explicitly or using wildcards).
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as User01/ibm.
__ 2. Navigate to Monitor/Audit > Build Reports > Track data access. Click New… to create a new query. Enter a query name of -Accessed Database Objects and a main entity type of Object. Click Next.
__ 3. Add the following Query Fields:

Entity          Attribute
Client/Server   Server IP
Client/Server   Client IP
Client/Server   DB User Name
Client/Server   Service Name
Client/Server   Source Program
Command         SQL Verb
Object          Object Name

Check the Add Count checkbox. Add the following Query Conditions (AND'ed together):

Entity          Attribute       Operator   Runtime Param.   Parameter Name
Client/Server   DB User Name    LIKE       Parameter        DBUser
Client/Server   Client IP       LIKE       Parameter        ClientIP
Information
Runtime parameter names can be anything you like, as long as they don't have spaces in them. They will be visible in the report, so it is best to make them something sensible.
Your query should look like this:
__ 4. Click the Save button to save your query. Then click Add to Pane... to create the corresponding report and add that to your User01 Reports page.
__ 5. Navigate to the User01 Reports pane and select the -Accessed Database Objects report. You will need to customize your report a little by adding wildcard % characters for the ClientIP and DBUser runtime parameters.
Click Update to save and run the report. You should get results similar to this:
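To make the behaviour of the two LIKE conditions and the % wildcards concrete, here is an added illustration written for this page; it is not Guardium's own query engine or SQL, and the access rows, IP addresses, programs and object names are constructed sample data. It models the -Accessed Database Objects query in SQLite: both runtime parameters are applied with LIKE and AND'ed, Add Count becomes a GROUP BY over every selected field, and a drill-down simply supplies the DB User Name and Client IP from a session record as the parameter values.

```python
import sqlite3

# Constructed sample access records (not real Guardium data). Columns mirror the
# Query Fields chosen in step 3 of the exercise.
SAMPLE_ROWS = [
    # server_ip, client_ip,   db_user,  service, source_program, sql_verb, object_name
    ("10.0.0.5", "10.0.0.21", "SCOTT",   "ORCL", "sqlplus", "SELECT", "EMP"),
    ("10.0.0.5", "10.0.0.21", "SCOTT",   "ORCL", "sqlplus", "SELECT", "EMP"),
    ("10.0.0.5", "10.0.0.21", "SCOTT",   "ORCL", "sqlplus", "UPDATE", "EMP"),
    ("10.0.0.5", "10.0.0.22", "SCOTT",   "ORCL", "toad",    "SELECT", "DEPT"),
    ("10.0.0.5", "10.0.0.30", "A2840",   "ORCL", "sqlplus", "DROP",   "SALARY"),
    ("10.0.0.5", "10.0.0.31", "APPUSER", "ORCL", "java",    "SELECT", "ORDERS"),
]

FIELDS = ("server_ip, client_ip, db_user, service, source_program, "
          "sql_verb, object_name")


def build_db() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE access ({FIELDS})")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def accessed_database_objects(conn, db_user="%", client_ip="%"):
    """Model of the -Accessed Database Objects query.

    The two runtime parameters (DBUser, ClientIP) are bound to LIKE conditions
    that are AND'ed together; Add Count groups identical rows and appends a
    count column. The defaults are the % wildcards that step 5 tells you to set,
    so calling with no arguments returns everything.
    """
    sql = f"""
        SELECT {FIELDS}, COUNT(*) AS count
        FROM access
        WHERE db_user LIKE ? AND client_ip LIKE ?
        GROUP BY {FIELDS}
        ORDER BY db_user, client_ip, object_name, sql_verb
    """
    # Parameters are bound, never concatenated into the SQL text.
    return conn.execute(sql, (db_user, client_ip)).fetchall()


def drill_down(conn, session_row):
    """Drill-down from a session record: the record's DB User Name and Client IP
    become the query's runtime parameter values, so the report opens already
    filtered to that session's user and client."""
    db_user, client_ip = session_row
    return accessed_database_objects(conn, db_user=db_user, client_ip=client_ip)


if __name__ == "__main__":
    conn = build_db()
    print("All access (both parameters = %):")
    for row in accessed_database_objects(conn):
        print("  ", row)
    print("Drill-down for SCOTT from 10.0.0.21:")
    for row in drill_down(conn, ("SCOTT", "10.0.0.21")):
        print("  ", row)
    print("Empty parameter values match nothing:",
          accessed_database_objects(conn, db_user="", client_ip=""))
```

Two things worth noticing when you run it: leaving a parameter empty instead of setting it to % matches no rows at all, which is why the report appears blank until you customize it, and a partial pattern such as SC% narrows the result to the users whose names start with those letters.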
__ 6.
Information
Testing the drill-down capability using your existing -Trusted Sessions report will not work very well as, if you recall, the policy you created earlier specifically ignored S-TAP sessions for trusted users (captures log on and log out but that is all). You will need to create a brand new query and report which displays session information for users who are not members of the trusted user group. The easiest way to do this is to clone your -Trusted Sessions query into a -Privileged Sessions query.
Navigate to Monitor/Audit > Build Reports > Track data access and select -Trusted Sessions in the query name drop-down. Click the Clone button. This will create a copy (or clone) of your query. Give it a new name -Privileged Sessions and change the Runtime Param. Group drop-down to -tr Privileged Users. Save your query and Add to Pane… as before.
__ 7. Your User01 Reports pane should now have three reports on it. Click the -Privileged Sessions report – you will see session information for the two users in that group (A2840 and SCOTT). Double-click the SCOTT record to see the available drill-down reports.
Select the -Accessed Database Objects drill-down report. Your report will now pop up in a separate window showing database object access information just for the SCOTT user:
__ 8. Close the drill-down window, and then Logout of the Guardium Console and close the browser.
End of exercise
Exercise 12. Creating Multiple Queries

What this exercise is about
In this final query building exercise, you will create three additional queries, making them available as reports on the User01 Reports page:
• All DML and DDL activity by privileged users.
• All activity against sensitive objects, including the most accurate timestamp and the SQL string.
• All sessions with runtime parameters for database user, source program and client IP address, also indicating whether the session is ignored or not.
You will also share the reports that you have created with other Guardium users.
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as User01/ibm.
__ 2. Navigate to Monitor/Audit > Build Reports > Track data access. Create a query called -Privileged User DML+DDL Activity as follows:
Warning
Be careful when adding the third condition: it needs to be an 'OR' condition, not the default 'AND'.
__ 3. Add the query to your User01 Reports pane and verify that it works as expected:
__ 4. Create a query called -Activity on Sensitive Objects as follows:
__ 5. Add the query to your User01 Reports pane and verify that it works as expected:
Information Notice that full SQL details are not available for all users. This is because the policy you installed in an earlier activity had a rule that only collected full SQL information (LOG FULL DETAILS) for privileged users.
__ 6. Create a query called -Session Details as follows:
__ 7. Add the query to your User01 Reports pane and verify that it works as expected:
Hint Be sure to customize the report by setting the DBUser, ClientIP, and SourceProgram parameters’ runtime values to the wildcard %.
__ 8. All the queries and their associated reports that you have created in the last three exercises are only available to the User01 user. Let us make at least some of them available to all users who are members of the infosec role (currently User01 and User02).
Information
The process is to open the query editor and grant access to the specified role (infosec). The corresponding report also needs to be made accessible to the infosec role. You must do the query first, then the report (you will not be able to do it in the opposite order).
Navigate to Monitor/Audit > Build Reports > Track data access. Select -Trusted Sessions from the Query Name drop-down.
Click the Roles… button. Check the infosec role.
Click Apply to save your change. Click OK to acknowledge the save, and then click Back to return to the query builder page. Click Back to return to the Query Finder page.
__ 9. Repeat this for the following queries:
-Privileged Sessions
-Accessed Database Objects
-Session Details
__ 10. Navigate to Monitor/Audit > Build Reports > Define how information should be presented. Select the -Trusted Sessions report from the Report Title drop-down, then click on Search:
Click the Roles… button.
Check the infosec checkbox. Click Apply to save your change, and then click OK to acknowledge the update. Click the Back button to return to the Report Search Results page, and then click the Back button (again) to return to the Report Finder page.
__ 11. Repeat this for the following reports:
-Privileged Sessions
-Accessed Database Objects
-Session Details
__ 12.
Information
All members of the infosec role should now have access to the above queries and reports. You could at this point log on as User02 (another user who is a member of the infosec role), create a new Reports pane and start adding the reports to the pane. However, it might be more interesting if User02 could simply have the same layout as User01 (which would, of course, include the User01 Reports pane that you have been using up to now).
• Logout of the Guardium Console and close the browser.
• Open a terminal window and ssh to the Guardium Collector CLI:
dbserver01:~ # ssh cli@v9collector01.ibm.com
• Enter the cli user's password when prompted.
• When successfully connected, enter the following command:
v9collector01.ibm.com> generate-role-layout user01 infosec
Information
The generate-role-layout CLI command is used to generate a new layout for an existing role, based on the layout for the specified user. Once the new role layout has been defined, any users who are assigned that role before they log in for the first time will receive the layout for that role.
The command will take a few minutes to complete (it will stop and re-start the console application – the 'gui').
• When the command is complete, exit the CLI and close the terminal window.
v9collector01.ibm.com> exit
__ 13. Open Firefox and log in to the Guardium Console Web application as User02 (password guardium). If prompted, change the password for User02 to ibm. If you have not previously logged in as this user, you will see the User01 Reports tab. If you have previously logged in as User02, you will not see the User01 Reports tab. This is because the CLI command in the previous step is only effective for users who have not previously logged in. For users who have previously logged in, the following additional steps need to be performed:
• Logout of the Guardium Console.
• Log in to the Guardium Console as accessmgr/ibm.
• Click the Change Layout link for User02.
• Click the Reset button in the pop-up window. Click OK to confirm the reset.
• Logout of the Guardium Console.
• Log in to the Guardium Console as User02/ibm. The User01 Reports tab should now be visible.
__ 14. Click the User01 Reports tab. Verify that you can see all six reports that you created previously. Click each report to run it. You should observe that those reports where you correctly set the query and report access for the infosec role work as normal. You did not grant access to the infosec role to three of the reports: -Privileged User DML+DDL Activity, -Activity on Sensitive Objects, and -Session Details. These reports will not generate any output when you click on them as User02.
Information
You could, of course, fix this by logging back on as User01 and granting access to these queries and reports for the infosec role. You do not need to do this for the purposes of this exercise; we just wanted you to see the effect of not doing this.
__ 15. Logout of the Guardium Console and close the browser.
OPTIONAL
You may recall that in exercise 6, you created a rule (Ignore STAP session for trusted user) that you were unable to test because there was no query / report associated with it. Now that you know how to create queries and reports, create one that will test this rule.
Report Name: -Sessions
Display Fields: Session Start, Server IP, Client IP, DB User Name, Session Ignored
End of exercise
Exercise 13. Creating a Compliance Workflow

What this exercise is about
In this last exercise, you will create an audit process definition which will send work (in the form of a couple of reports) to the infosec, dba and audit roles. The process flow will look like this:
Once started, the process will place work in the infosec role's To-Do list (all users in this role will see the work - first one in gets to do it). This work will be marked Continuable – meaning that the system will not wait for the user to complete the work before moving on to the next receiver.
The next receiver is the dba role. The work here is marked Review and Sign; the work will not progress until a user in the dba role has done exactly that. In addition, the user must explicitly Continue the work to the next receiver.
The next (and final) receiver is the audit role – where again the user must Review and Sign the work and must Continue it to move it on – in this case, to the end of the process.
You will also see how to escalate work. In the exercise, the infosec role user (User01) will escalate the work to a specific user (User02) asking that user to both Review and Sign the work. Escalation is not something you design into an audit process – it occurs at runtime at the discretion of the user who is processing the work (we are showing it in the diagram above so that the flow will be clear to you).
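The receiver semantics described above (Continuable versus Review and Sign, the explicit Continue, and runtime escalation) can be replayed as a small state model. The following is an added example written for this page, not Guardium code, and it assumes only what the description states: a Continuable receiver's successor is notified immediately, a Review and Sign receiver holds the work until it is signed and then continued, and an escalated item can be signed but has no Continue. The role and user names are the exercise's own; everything else (class and method names, the distribution log text) is invented for the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Receiver:
    """One row of the Receiver Table: who gets the work and how they must handle it."""
    name: str
    continuable: bool   # Cont. checked: do not wait for this receiver before moving on
    sign: bool          # Review and Sign required (unchecked: review only)


@dataclass
class WorkItem:
    receiver: str
    sign_required: bool
    escalated: bool = False   # created by Escalate at runtime, not by the definition
    next_index: int = -1      # receiver that Continue sends the work to (-1: end of process)
    viewed: bool = False
    signed: bool = False
    continued: bool = False

    @property
    def pending(self) -> bool:
        """True while the item still appears in a To-do list."""
        if self.escalated:
            return not self.signed        # escalated work has nowhere to go after signing
        if self.sign_required:
            return not self.continued     # must Sign Results and then Continue
        return not self.viewed            # review-only work is done once it has been viewed


class AuditProcess:
    def __init__(self, receivers: List[Receiver]):
        self.receivers = receivers
        self.items: List[WorkItem] = []
        self.distribution: List[str] = []   # what Distribution Status would show

    def run_once_now(self) -> None:
        self._distribute(0)

    def _distribute(self, idx: int) -> None:
        # Place work with receiver idx; while receivers are Continuable, keep going.
        while idx < len(self.receivers):
            r = self.receivers[idx]
            nxt = idx + 1 if idx + 1 < len(self.receivers) else -1
            self.items.append(WorkItem(r.name, sign_required=r.sign, next_index=nxt))
            self.distribution.append(f"distributed to {r.name}")
            if not r.continuable:
                return
            idx += 1

    def todo(self, principal: Set[str]) -> List[WorkItem]:
        """A user's To-do list: items addressed to the user or to any role the user holds."""
        return [i for i in self.items if i.receiver in principal and i.pending]

    def sign_results(self, item: WorkItem) -> None:
        item.signed = True

    def continue_work(self, item: WorkItem) -> None:
        # Continue exists only for work defined in the process, and only after signing.
        if item.escalated:
            raise ValueError("escalated work has no Continue button")
        if item.sign_required and not item.signed:
            raise ValueError("sign the results before continuing")
        item.continued = True
        if item.next_index >= 0:
            self._distribute(item.next_index)

    def escalate(self, item: WorkItem, to: str) -> WorkItem:
        # Runtime escalation to a user or role, here always as Review and Sign.
        new = WorkItem(to, sign_required=True, escalated=True)
        self.items.append(new)
        self.distribution.append(f"escalated by {item.receiver} to {to}")
        return new


def run_exercise_13() -> Dict[str, object]:
    """Replay the exercise: infosec (Continuable, review) -> dba (Sign) -> audit (Sign),
    with User01 escalating to User02. Returns a summary of what happened."""
    p = AuditProcess([Receiver("infosec", True, False),
                      Receiver("dba", False, True),
                      Receiver("audit", False, True)])
    p.run_once_now()
    first_wave = [i.receiver for i in p.items]        # infosec and dba; audit not yet
    user01, user02 = {"User01", "infosec"}, {"User02", "infosec"}
    user03, user04 = {"User03", "dba"}, {"User04", "audit"}
    item = p.todo(user01)[0]
    item.viewed = True                                # User01 reviews (and may comment)
    p.escalate(item, "User02")
    user01_left = len(p.todo(user01))                 # designated work is done
    dba_item = p.todo(user03)[0]
    try:                                              # dba may not Continue before signing
        p.continue_work(dba_item)
        early_refused = False
    except ValueError:
        early_refused = True
    p.sign_results(dba_item)
    p.continue_work(dba_item)                         # now the audit role receives it
    audit_item = p.todo(user04)[0]
    p.sign_results(audit_item)
    p.continue_work(audit_item)                       # end of the defined process
    esc = p.todo(user02)[0]                           # still open: the escalated item
    try:
        p.continue_work(esc)
        esc_has_continue = True
    except ValueError:
        esc_has_continue = False
    p.sign_results(esc)
    return {"first_wave": first_wave, "user01_left": user01_left,
            "early_refused": early_refused, "esc_has_continue": esc_has_continue,
            "distribution": p.distribution,
            "pending": sum(1 for i in p.items if i.pending)}


if __name__ == "__main__":
    for k, v in run_exercise_13().items():
        print(f"{k}: {v}")
```

The model makes one point visible that is easy to miss when clicking through the console: the audit role's work does not exist until the dba receiver has both signed and continued, whereas the escalated item is created the moment User01 escalates and stays open independently of the defined flow.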
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as User01/ibm.
__ 2. Click the Comply tab and click the Define an Audit Process button:
__ 3. A built-in audit process called Application Monitoring is always included. You will create your own, though, so click the New… button to go to the Audit Process Definition page.
__ 4. An Audit Process Definition is split into four sections:
You will populate most of these sections in the following steps.
__ 5. Enter a name for your Audit process (for example, Training01) in the Description field:
__ 6. In the Receiver Table, add the following roles (leave Cont. unchecked for dba and audit. Click the Sign radio button for dba and audit).
For each receiver that you add, you will be warned that SMTP is not configured. Click OK to accept (and ignore) the warnings.
__ 7. Under Audit Tasks, set Task Type to Report. Set the Description to Sessions, and then select –Session Details from the Report drop down list. Set the Task Parameters as shown below:
Click the Apply button to save your changes. Click Add Audit Task to start adding a second task to the list.
__ 8. Under Audit Tasks, set Task Type to Report. Set the Description to DDL Activity, and then select DDL Commands from the Report drop down list. Enter a From and To period in the Task Parameters section as shown below:
Click the Apply button to save your changes. Click the Close this Task icon to close the audit task definition pane (makes the page a little easier to read).
__ 9. Check the Active checkbox and then click the Apply button (at the bottom of the page). Your completed audit process definition should look like this:
__ 10. Click the Run Once Now button to start the process. Click OK to acknowledge the action. Logout of the Guardium Console, and then log back in again (as User01/ibm).
Click the To-do link to see the details.
__ 11. Click the View button.
__ 12. This page lets you inspect any reports associated with the defined audit tasks (click the + icon next to each report name to expand the report and see the details).
The only work that User01 has to do here is inspect the report details and, if required, make a comment (which will be visible to other workflow participants). Click the Comment button. Because no comments have yet been entered, the list will be empty. Click the Add Comments button and add a comment, such as “The reports look good - approved.”, and then click on the Apply button. The comment list will now have one comment in it. Click the Back button.
__ 13. User01 is also able to escalate this work to another role or user (maybe he/she wants a second opinion, for example). Click the Escalate button and select User02 as the Receiver. Select the Review and Sign radio button and then click Escalate to create the work item in User02's To-do list.
You will be warned that User02 already has this item in his/her To-do list (User02 is also a member of the infosec role). Click OK to accept and ignore the warning. Click Close to close the escalation dialog.
__ 14. Click Close this Window (twice) to return back to the main Console page. Logout of the Guardium Console, and then log back in as User01/ibm. Notice that the To-Do item notification link has now disappeared, as you have performed your designated work. Logout of the Guardium Console.
__ 15. Log in to the Guardium Console as User03 (a member of the dba role - password should be guardium). When prompted, change the password to ibm. You will notice that this user has an item in the To-do list. Click the link and then click the View button to see the work details.
Information
Notice that the screen looks a little different from the previous user. In this step in the workflow, you configured this user to both review and sign the work. In addition, this step does not automatically continue (as the previous step did).
Click the + sign next to Distribution Status to view where the work has been (viewed by the infosec role), where it currently is (viewed but not signed by User03 and escalated for review and signature to User02) and where it is going (not yet sent – or distributed - to the audit role).
__ 16. Click the Sign Results button to sign the work. This does not automatically move it on to the next step (sending it to the audit role). You can also add a comment, if you want, at this point. To move the workflow on to the next step, click the Continue button. Close the windows to return to the main Guardium Console screen. Logout of the Guardium Console.
__ 17. Login to the Guardium Console as User04/guardium (User04 is a member of the audit role). When prompted, change the password to ibm. Notice that this user has an item in the To-do list. Click the To-do link and click the View button to see the details. Expand Distribution Status and Comments (to see any comments added by previous users).
Information Notice that this is the final step in the original audit process definition that you created. When you sign and continue the work here that will be it. However, the process will still be running because of the escalation performed earlier by User01.
Click Sign Results then click Continue. Close the windows and logout of the Guardium Console.
__ 18. Finally, log in to the Guardium Console as User02/ibm. This user has a To-do item – open it up to see the details.
Information Notice that this user has a Sign Results button, but no Continue button. This is because the work arrived here as a result of an escalation and is not part of the audit process definition. It essentially has nowhere to go after this (unless this user chooses to further escalate it).
Click the Sign Results button to complete the process.
Close the windows to return to the Audit Process To-Do List screen. Verify the notification that “The To-do List is empty.” Close the window to return to the main Guardium Console screen.
__ 19. Once a user has processed any items in the To-do list and the notification links have been removed, it is still possible for any user involved to review completed processes. Click the Comply tab and click the To-do list link (shown circled below):
As well as showing any active items in the To-do list (there are none now, of course, as you have processed them all), you can also see previous processes (listed under Processes With No Pending Results).
__ 20. Click the View button and expand the Distribution Status to see who did what in this process.
__ 21. Close this window, logout of the Guardium Console and close the browser.
End of exercise