Release Notes ================ IBM Security Guardium. Guardium v10.0 GPU p230. Completion Date: 2017-August 18. Guardium v10.1.

Transcription

1 Release Notes ================ Product: Release: Version IBM Security Guardium v Guardium v10.0 GPU p230 Completion Date: 2017-August 18 IBM Guardium offers the most complete database protection solution for reducing risk, simplifying compliance and lowering audit cost. The IBM Security Guardium data protection solutions covered by these release notes includes: IBM Security Guardium Database Activity Monitoring (DAM) IBM Security Guardium Vulnerability Assessment (VA) IBM Security Guardium File Activity Monitoring (FAM) - Use Guardium file activity monitoring to extend monitoring capabilities to file servers. The IBM Guardium products provide a simple, robust solution for preventing data leaks from databases and files, helping to ensure the integrity of information in the data center and automating compliance controls. 1

2 Contents Guardium v Release Notes... 4 Health Check patch... 4 Note on Overwrite... 4 Note: Installing or upgrading to Windows S-TAP... 5 New for features/functions and enhancements Quick Start agent deployment and compliance monitoring Vulnerability Assessment for Cloudera Hadoop SQL Server CVE enhancement New in Guardium S-TAPs for z/os (DB2, IMS, and Data Sets) S-TAP Threading enhancements Teradata Exit ATAP Changes UNIX STAP Discovery Improvements Guardium appliance images for on cloud deployment Enterprise Load Balancer Failover Groups Limited use license of IBM Security Privileged Identity Manager (PIM) Kerberos Additional OS and Databases supported How to access the VA, Entitlement, and Classification scripts using fileserver Notice of intent - Depreciation of functionality After restore, managed unit groups are missing on the Central Manager Known Issues and Limitations Bugs fixed in v (v10.0 GPU patch 230)

3 Bugs fixed, v10.0 patch Guardium UI Login using a Smart card Releases for v10.0 since V (February 2017) Security Patches since V (February 2017) Sniffer Updates since V (February 2017) Links Link to formal Guardium V10.1 product announcement Online help available via Web V Detailed Release Notes (June 2017) V Detailed Release Notes (November 2016) V10.1 Detailed Release Notes (June 2016) Links to System requirements/ Technical requirements for v10.1/10.1.2/ V10.1 and Developerworks IBM Security Learning Academy

4 Guardium v Release Notes General note on upgrading to v v (v10.0 GPU p230) can be installed on any v10.x system regardless of whether it was upgraded from v9.x or built from an earlier v10.x image. The only dependency is that v10.0 Health Check patch 9997 must be successfully installed before installing the Guardium v (v10.0 GPU p230). See the section below on Health Check patch. v (v10.0 GPU p230) includes all previous v10.0 fixpacks, security updates, and sniffer updates, up to and including v10.0 p209 for fixpacks, v10.0 p6023 for security updates, and v10.0 p4026 for sniffer updates. See the section (starting on page 45) later in this document listing v10.x fixpacks, security updates and sniffer-related patches. Health Check patch v10.0 Health Check patch 9997 must be successfully installed before installing the Guardium v (v10.0 GPU p230). This release will not install without FIRST installing the Health Check patch. The name of this file is SqlGuard-10.0p9997_(date).tgz.enc.sig. Always use the latest and newest version of Health Check patch on Fixcentral. Note: v10.0 Health Check patch 9997 installed for an earlier GPU (for example, v10.0 p200) needs to be installed again for v10.0 p230 GPU (make sure to download and install the latest version of v10.0 Health Check patch 9997 prior to running GPU patch). Always use the latest and newest version of Health Check patch on Fixcentral. Note on Overwrite v (v10.0 GPU p230) will overwrite any v10.0 Sniffer update patch greater than v10.0 patch Be sure to re-install any v10.0 Sniffer update patch greater than v10.0 patch 4026 after installing v (v10.0 GPU p230). 4

5 Note: Installing or upgrading to Windows S-TAP Fresh install of v10.1.3, no reboot required Upgrading from v9 to v10.1.3, no reboot required Upgrading from v10.0 and build lower than 83909, reboot is required Upgrading from v10.1.xx (revisions lower than Windows STAP v ), reboot is required 5

6 New for features/functions and enhancements 1. Quick Start agent deployment and compliance monitoring Deploy monitoring agents - Quickly prepare for database monitoring by discovering and activating GIM clients, installing S-TAPs, creating inspection engines, and mapping the S-TAPs to collectors. Set up compliance monitoring - Help meet compliance standards by quickly installing policies, populating groups, and running reports for monitoring database activity. 1. How to launch. From Central Manager, go to Setup, then Quick Start. 6

7 2. To deploy monitoring agents, enter the IP or IPs you want to discover. After they have been discovered, select the ones you want to deploy. 3. Compliance monitoring first screen. From here you can add compliance monitoring by clicking on the '+' sign. 7

8 2. Vulnerability Assessment for Cloudera Hadoop Guardium was the first to provide Vulnerability Assessment in the NoSQL space with its support of MongoDB. Now Guardium is expanding into the Hadoop/Big Data space with support for the Cloudera platform. Figure 1. Architecture of Guardium VA solution for Cloudera Hadoop Figure 1 shows the architecture of the solution. To run the full set of Cloudera tests, you must configure two datasource connections and ensure the Configuration Audit System (CAS) agent is installed: Cloudera Manager: Tests using this datasource include: CVEs and the latest version and patches from quarterly DPS (Cloudera Hadoop CDH, Cloudera Manager) Cloudera Manager security configurations. Cloudera Manager security related users, roles and LDAP groups. The following Cloudera Hadoop security configurations: Hive Impala HDFS CAS agent-based tests supporting OS file permission, ownership and groups. Most Cloudera Manager tests are via Java connection. There is also a very small CAS footprint for some tests. 8

9 Hive: Tests using this datasource include: Hive and Impala privilege tests (objects, databases, servers) using JDBC. Configurations and permissions for the following services using CAS. Note that CAS tests require an agent to be installed on the node. HDFS o Namenode o Datanode YARN Sentry Hive MapReduce CAS OS file permission, ownership and group scan. The Hive datasource supports no-auth and LDAP authentication with SSL and also supports Kerberos authentication. The CAS-based tests support SSL and Kerberos. 3. SQL Server CVE enhancement Pre and v9, to pass a CVE test, Guardium required that you patch your SQL Server to the highest service pack where the security fixes are issued. Beginning , CVE tests for SQL Server will recognize SQL Server fixes in all service packs. You don t have to update to the highest service pack for Guardium VA to pass a particular CVE test. 9

10 4. New in Guardium S-TAPs for z/os (DB2, IMS, and Data Sets) IBM Security Guardium includes new releases of the z/os S-TAPs. A summary of the enhancements delivered in those S-TAPs and to support those enhancements in the Guardium collector are described here. For details on compatibility between S-TAP and collector versions, see this technote: To see the product announcement on IBM Security Guardium S-TAP V for DB2 on z/os, IMS on z/os, and Data Sets on z/os extend IBM z/os data security and privacy protection and enhance performance, click on 01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/6/872/ENUSAP /index.html&lang=en&request_locale=null Common enhancements All three of the z/os S-TAPs include: Collection of CICS Unit of Work information to correlate activity in a transaction. The unit of work identifier, most commonly in CICS transactions, can be used by an auditor to correlate activities across IMS, DB2 and Data Sets. This new reporting field, DB2 z/ims/data SET Unit of Work, is available in the FULL SQL entity of the Query Builder. Policy simulation mode: Test a new collection profile policy without the overhead of sending data to the collector. This is useful to gauge the performance impact of new policy rules on the mainframe without the added complexity of managing the output on the collector. A server-side option to prevent sending private data to the collector: For organizations concerned about the possibility of storing private data on the Guardium collector, a new S-TAP parameter, FORCE_LOG_LIMITED, will prevent sending certain types of information to the collector. o For DB2, host variables will not be collected or sent to the collector for either successful or failing SQL statements. The Guardium collector will mask out literal values using question marks. Important: For DB2, FORCE_LOG_LIMITED requires that the connection between the S-TAP and collector must be over an encrypted connection (AT- TLS) to port If FORCE_LOG_LIMITED is enabled but the connection is not to port 16023, the S-TAP shuts down. o For IMS, the option will not collector or send IMS segment data and concatenated key values. Because there is no PII being sent, an encrypted connection is not enforced. 10

11 o For Data Sets, the option suppresses record level monitoring that may be in effect since key values may contain PII information. Because there is no PII being sent, an encrypted connection is not enforced. The Guardium system has been enhanced to enable collection of basic S-TAP health status for all z/os S-TAPs in the Deployment Health Topology, which was introduced in V10. This provides administrators with an at-a-glance view of the enterprise health. All Guardium components (Central Manager and Managed Units) must be at to obtain S-TAP status information from z/os. As Figure 2 shows, you can click on an S-TAP node in your health view and get more details as to why the S-TAP is showing as red, and you can link directly to the S-TAP status monitor in the connected collector. Figure 2. Deployment Health Topology now includes z/os S-TAPs For more details on enhanced diagnostics capabilities in the z/os S-TAPs, see information included in each S-TAP section below. DB2 for z/os The DB2 for z/os S-TAP includes the following enhancements: Enhanced data protection by providing a new blocking profile policy to block specific authorization ID from access to specific tables. A new parameter and new commands are 11

12 available on the mainframe to control this feature. From the Guardium policy builder, access the blocking profile policy rule builder by specifying DB Type of DB2 z/os BLOCKING PROFILE on an access rule as shown in Figure 3. See the IBM Security Guardium S-TAP for DB2 on z/os User s Guide for more information. Figure 3. New blocking profile policy rule for DB2 for z/os The blocking feature is enabled by default. You can modify the default behavior on the S- TAP configuration using the new STAP_BLOCKING parameter: o STAP_BLOCKING(ENABLED) enables the blocking feature. Blocking is activated if a blocking rule is pushed. (Default) o STAP_BLOCKING(DISABLED) disables the blocking feature. o STAP_BLOCKING(OPERATOR) enables the blocking feature and enables the BLOCKING operator command. Blocking is activated if a blocking rule is pushed. If operator-controlled blocking is enabled, the following command can be used to control blocking: /F agent-name, STAP, BLOCKING <ENABLED DISABLED STATUS> Reduce overhead on the server by moving table-level filtering to stage 1 processing. Lab results show significant, measurable decrease in both DB2 Class 2 and address space CPU Usage of STAP V versus STAP V10.0. Important: These results were obtained in a lab under a particular set of conditions and that your results will not reflect the same level of improvement. 12

13 Ability to collect audit events for bind and rebind commands. Many organizations use static SQL to tightly control changes and reduce risk to applications. By detecting binds and rebinds, organizations can detect if changes are being made to packages and plans that are not authorized. You can add Bind and Rebind to the Command field of the DB2 collection profile rule to collect these events. (Or add as a member to the DB2/Z General Audit type group). Note: Bind and Rebind will be included in a future DPS release to be added to the DB2/Z General Audit group automatically.) Ability to collect commits and rollbacks. This can help organizations determine if a change was actually written to the database. However, because this can possibly generate a significant amount of traffic, the command member to collect this will not added to the DB2/Z General Audit group by default. You must explicitly add the member COMMITS AND ROLLBACKS to the group. Ability to audit and report on statement type static or dynamic. The Statement Type reporting field is available under the Full SQL entity in Query Builder. Enhancement to return more meaningful command (Verb) information when Quick Parse Native is used. The Quick Parse Native option on the collector-side policy can be used to reduce parsing overhead on the collector, because it is obtaining object and command information directly from the S-TAP field rather than parsing that from the full statement text. In prior releases, the command in that separate field was returned as TABLE READ, TABLE UPDATE. With this new release, the command will be SELECT, INSERT, UPDATE, and DELETE. This will improve correlation between the commands and the related full SQL in the reports. Important: This change will take effect immediately with the installation of S- TAP and you will notice these changes in your reports. To ease diagnostics gathering, the S-TAP has a new MODIFY command to issue the execution of a MUST GATHER SNIFFER on the connected Guardium collector. The command is as follows: /F agent-name,stap,mustgather Enhanced diagnostics capability to speed resolution of problems. The MODIFY S-TAP command is expanded to support additional options. You will most likely be using these options under the direction of IBM Service. /F agent-name, S-TAP, option where option can be one of the following: o ALL: View all log information o POLICY: View log information about the active policy 13

14 o COUNTS: View a log of detailed counts o CONFIG: View a log about the current configuration o HISTORY_QUEUE: View log details about the internal events queue o HISTORY_FILTER: View log information about event filter results o HISTORY_IO: View log details about the streaming of events o BLOCKING: View log information about the active blocking policy o QUARANTINE: View log information about the active quarantine policy o GET STATUS: Request the most recent count of events that were received and processed by the collector IMS The IMS S-TAP includes the following enhancements: Additional filtering options to reduce the amount of traffic collected and reduce noise: o LTERM ability to filter on logical terminal. Use of wildcard and INCLUDE/EXCLUDE is supported. For example: INCLUDE/LTERM% Audit events coming from all LTERMs starting with LTERM. EXCLUDE/LTERM001 But not audit events coming from LTERM001. LTERM filtering is Stage 1 filtering, just like PSB and USER ID. o Region Types to Exclude ability to filter on more region types. In prior releases you could filer on Batch Message Processing Region (BMP). Now there are many more filtering types available including: AER Application Execution Region CICS CICS-originating transactions DBCTL Database Control Region IFP IMS FastPath MPP Message Processing Program ODBA Open Database Access 14

15 Figure 4 shows the new LTERM field and the new Region Types to Exclude field in the IMS collection profile policy rule. Figure 4. New filtering options in IMS Collection Policy rule Collect HALDB partition names to include in reporting. Some organizations use partitions in IMS high Availability Large Databases (HALDB) to segregate user data. With this release, the partition name will be included in reporting in the IMS PART/AREA report attribute in the FULL SQL entity. No changes to configurations or policies are needed. Enhanced diagnostic capabilities. IMS S-TAP now has a new command (/F started task name, STATUS) which will display the installed collection profile policy in XML (including IMS definition), capture service dump (DDX), and code module level. This information is also written to the Guardium collector. See the data under Reports > S- TAP Events. To ease diagnostics gathering, the S-TAP has a new MODIFY command to issue the execution of a MUST GATHER SNIFFER on the connected Guardium collector. The command is as follows: /F agent-name,must GATHER To ease diagnostic gathering when the mainframe SYSADM is not available, you can also gather these enhanced diagnostics from the Guardium collector UI. you This same command can be issued from the Guardium collector from the S-TAP Control UI. Go to Manage > Activity Monitoring > S-TAP Control, then navigate to the S-TAP and click 15

16 on the Send Command icon and select STAP Logging. This sends the STATUS command to z/os IMS Agent and issues command. Results are written to Guardium collector and the IMS Agent log. To reduce contention on RECON data sets, the SMF and SLDS collection tasks, if used, can be configured to use alternate or copies of RECON data sets to obtain IMS environment information. For more details, see the IMS Security Guardium S-TAP for IMS on z/os User s Guide. Data Sets The Data Sets S-TAP includes the following enhancements: Enhanced reporting for partitioned data sets (PDS and PDS/E). PDS are used to contain configuration information, so being able to detect changes on a member level is very important. The S-TAP can now detect whether a member has been added, deleted, renamed or replaced. To collect this enhanced data, there are new options you can specify in the Data Set Event field of the Data Set Collection Profile Policy Rule: o MADD Member Add o MREP Member Replace o MREN - Member Rename o MDEL Member Delete o STOWI STOW Initialize (deletes all members of a PDSE) 16

17 Figure 5 shows activity on DB2 system parameters (ZPARMs) including adding a new member (NUACCESS), renaming it (ACCESS) and creation and deletion of member TEMP. Figure 5. Example of Enhanced Member Level Reporting for PDS and PDS/E Data Sets The ability to detect and report on FTP activity against native z/os files by monitoring the UNIX System Services tasks. To collect FTP activity, add OMVS to the Job Type field on the Data Set Collection Profile Policy rule: When looking at reports, an FTP copy of a file from the mainframe would be indicated as a DATA SET CLOSE as the file is moved to the USS address space before being sent to the FTP client. To ease diagnostics gathering, the S-TAP has a new MODIFY command to issue the execution of a MUST GATHER SNIFFER on the connected Guardium collector. The command is as follows: /F agent-name,must GATHER For more details, and to see additional enhancements, see IBM Security Guardium S-TAP for Data Sets on z/os User s Guide. 17

18 5. S-TAP Threading enhancements The S-TAP threading model in UNIX S-TAP allows for more, specifically designated threads, to handle the workload and improve the reliability of S-TAP internal communications. The addition of these additional threads can: Reduce potential slowdowns on the database that could occur with slow verdicts. Improves the enterprise load balancer handling. The new maximum Max number of S-TAP threads in a multithreaded environment depends on the configuration of the S-TAP. In large configurations that include FAM, it could be possible to see up to 67 threads: The original 50 pooled connection as well as threads that are handling specific work such as additional K-TAP readers. 6. Teradata Exit Exit libraries are shared libraries developed in coordination with database vendors for providing a standard method of intercepting traffic for auditing and policy application. Supported for Teradata database and later Supports firewall and terminate Does not support redaction or UID chains Does not support live load/unload of the library Upgrading S-TAP will require database to be shut down to replace the EXIT library, similar to DB2 Fresh Install Pre-reqs gtwgateway is currently running. The Teradata Database must be running in order to run the gtwcontrol command. Steps 1. create TRD_EXIT inspection engine (db_type=trd_exit, db_install_dir=/root) 2. guardctl --db-user=teradata authorize-user 3. /usr/tgtw/bin/gtwcontrol --monitorlib load=yes 18

19 4. restart Teradata (to let authorization take effect) Upgrade Pre-reqs gtwgateway is currently running Steps 1. stop Teradata 2. upgrade STAP 3. start Teradata Deactivating the EXIT library Pre-reqs Steps NOTE: gtwgateway is currently running 1. /usr/tgtw/bin/gtwcontrol --monitorlib load=no 2. restart Teradata After Step 1 during deactivation, exit libraries will not be used, but will remain loaded. After Step 1, if the exit library is disabled, but Teradata is not restarted, the exit library can be reenabled at any point as long as the library has not been changed. It is not recommended to change the library after it has been loaded by Teradata. 19

20 7. ATAP Changes ATAP provides the functionality to intercept traffic after it is decrypted. ATAP also provides interception for shared memory, depending on database and platform. Scripting around guardctl allows customers to abstract away unfamiliar Guardium concepts from the DBAs, but the current guardctl implementation provides some challenges o Return codes vary o Most of the information about what is wrong is only present in the text output o Updating the database while ATAP is active can leave ATAP in a state where manual intervention is required Changes to support scripting o Well defined error codes representing unique problem states Eliminates the need to process the text output to determine corrective action o Option to avoid printing to stdout (-q) o Option to print name/value pairs, including return value of command being run (-v) Together with the previous option allows a wrapper script to use guardctl as an utility interface to ATAP and provide its own user experience (-qv) o Repair option automates the manual steps required to fix the situation when the database was upgraded while ATAP was active. 20

21 8. UNIX STAP Discovery Improvements Guardium, with auto-discovery enabled, gives you the ability to use the power of S-TAP to discover running instances on that server, including the information that you need to automatically populate the inspection engine definitions. In v10.1.3, the improvements significantly improve the ability to generate inspection engines for Oracle RAC, including Oracle Exadata RAC on cloud. 9. Guardium appliance images for on cloud deployment IBM Security Guardium offers Data Activity Monitoring, File Activity Monitoring and Vulnerability Assessment capabilities on the specific clouds listed below. For more information on how to deploy a Guardium instance in the specific cloud, refer to the specific deployment guide below. IBM Security Guardium: Amazon AWS EC2 Deployment Guide IBM Softlayer Cloud Deployment Guide Microsoft Azure Cloud Deployment Guide For more information, go to 21

22 10. Enterprise Load Balancer Failover Groups Provides additional controls over load distribution by enabling use of failover groups. Before v10.1.3, failover only happens within a Managed Unit group. Figure 6 shows a possible configuration using failover groups. Figure 6. MU failover groups in an ELB deployment Benefits Separate collector pools for primary and failover use cases. Automatic relocation of S-TAPs from failover to primary collectors once primary collector is active again. Use cases Allocating collector(s) for an S-TAP Agent 1. S-TAP is starting up and sending an allocation request to ELB. 2. ELB finds that all primary collectors in the MU group are not available for allocation (for example, all of them are loaded or down). 3. ELB allocates collector(s) from the failover group(s). 22

23 Relocating S-TAPs from Failover to Primary collector groups As part S-TAP restart 1. S-TAP is starting up and sending an allocation request to ELB. 2. ELB detects that S-TAP is currently assigned to collector(s) from a Failover group and tries to replace them with collectors from the Primary group. As part of ELB rebalancing 1. ELB detects it is time to rebalance the collectors. 2. If failover rebalancing is enabled (new parameter), it attempts to move S-TAPs that are currently assigned to collectors in the failover group(s) into collectors from the primary groups. 11. Limited use license of IBM Security Privileged Identity Manager (PIM) Guardium v includes a limited use license of IBM Security Privileged Identity Manager (PIM) for use with Guardium. For each collector, there can be up to 50 authorized users mapped to shared IDs in PIM. Among other capabilities, PIM provides checkin/checkout capability of privileged user credentials. Guardium correlates PIM checkin/checkout data with the user s activity on the database server, enabling auditors to understand the real people behind the privileged user activity on the database server. For more information about configuring the integration, see the following article on IBM developerworks: Mitigate insider threats with Guardium and Privileged Identity Manager (PIM) at 23

24 12. Kerberos If your datasource requires authentication using Kerberos, you can specify the information needed for Guardium to obtain a Kerberos ticket before making the connection. This feature supports Mongo and Hive databases. When you assign a KDC to a specific datasource or managed unit group, it provides Guardium authentication. You can define up to five Kerberos Key Distribution Centers (KDC) on a Central Manager, and one on a standalone Guardium. Define the Kerberos configuration in Setup > Tools and Views > Kerberos configuration, then use the KDC definition when you create a datasource definition. Additional OS and Databases supported UNIX S-TAP now supports SuSE 12 for S390. Teradata 16 is supported. MongoDB 3.4 is supported by VA. VA for Cloudera Hadoop is certified by Cloudera. VA is a certified BigData Solution, certified from Cloudera for Hadoop and MongoDB for NoSQL. 24

25 How to access the VA, Entitlement, and Classification scripts using fileserver Guardium provides scripts to make it easier for DBAs to provide the minimum set of privileges required to run Vulnerability Assessment tests, Entitlements, and, new in , classifications (sensitive data finder). In , use the same scripts for both entitlement reporting and Vulnerability Assessment tests. Important: Each DBMS script has very specific instructions in the script header that must be followed. From the CLI, run the following command: fileserver <your desktop IP> 3600 Then go to a browser and enter the URL for the type of scripts you want to upload and choose the file that matches your database type. Vulnerability Assessment: ip>/log/debug-logs/gdmmonitor_scripts/ Entitlements: ip>/log/debug-logs/ gdmmonitor_scripts/ Classification: ip>/log/debug-logs/classification_role/ Notice of intent - Depreciation of functionality In the next Guardium release (v10.1.4), Guardium will be deprecating the following functionalities: Access Map; Baseline; AME Interface for Definition Builder. After restore, managed unit groups are missing on the Central Manager On a Central Manager appliance, when a user executes the "restore db-from-prev-version" command to restore both DATA and CONFIG backups, Guardium will always display this yes/no question: "Would you like to preserve Central-Manager/Manage-Units relationships in the current appliance (y/n)?" If the user replies with a "y", the restore will preserve the existing Central-Manager/Manage- Units relationships on the current appliance. If the user replies with a "n", the restore will overwrite the current Central-Manager/Manage- Units relationships with the ones from the backup. (bug 55613) 25

26 Known Issues and Limitations Issue No. Description Guardium Component Bug # 1. Since V was not translated for supported foreign languages, in Chinese and Japanese versions of the Guardium application, GUI screens that are new as of V will display in English. Translation In particular, these GUI screens will appear in English-only: Setup>Quick Start >Deploy Monitoring Agents and Compliance Monitoring; Manage>System View>Deployment Inventory and Resource Deployment 2. Predefined CAS templates cannot be edited. They have the same restrictions as those that are in use by a CAS host. The customer must clone the CAS template, then edit the cloned copy if they wish to make changes to it. 3. Aggregator orphan_cleanup_flag should not include OFF option To change the type of cleanup: store aggregator orphan_cleanup_flag <flag>, where flag is one of the words < small large analyze > Predefined CAS Templates CLI Aggregator GRD TLS ports now support SHA-2 ciphers Exact condition is DB2 z/os traffic configured to use TLS (encryption ON). 5. Fix segfault in Sniffer-update v10p4025 This race condition is only applicable to zos S-TAP for DB2 customers, configured with TLS (encryption) on. This fix is part of the separate v10.0 p4027 sniffer update. 6. When upgrading from pre GPU200 to GPU230, ANALYTIC_OLD tables are not being dropped z/os S-TAP Sniffer update Outlier detection GRD-6950 GRD-7687 GRD-8316 Note: Important issues in this table will be addressed in future V10.x maintenance releases. 26

27 Known issue - SSL datasource When attempting to connect using an SSL datasource for the first time, you may encounter this error when testing the connection: error Connection unsuccessful Could not connect to: 'jdbc:db2://su11u1x64t-va:55000/va_db' for user: '(DELETE ME) db SSL_DB2(Security Assessment)'. DataSourceConnectException: Could not connect to: 'DB2 (DELETE ME) db SSL :55000' for user: 'db2inst1'. Exception: com.ibm.db2.jcc.am.disconnectnontransientconnectionexception : [jcc][t4][2030][11211][ ] A communication error occurred during operations on the connection's underlying socket, socket input stream, Here is a screen shot of how it will look in the GUI: This message caused by the GUI not having the correct keystore file for the certificate loaded into memory. To correct this, restart the GUI and this error should go away and the connection should be successful. 27

28 Problem: OS user field is empty in IBM Security Guardium reports Note for UNIX/Linux platforms Remote connections: OS user is not a mandatory field to connect to the database. Therefore our ability to capture OS USER depends on the database client sending it with the login packet. If OS USER information is not sent, this field will be empty. If the Client connection string includes information about the process owner, it will be used to populate the OS USER field. Local connections: Same limitation applies for locally run connections. However when connections to the database are made locally, Guardium provides a way to identify OS USER information by enabling the UID chain. Note that the UID chain might be associated with some additional S-TAP overhead and needs to be considered on the case by case basis, when required. UID chain is supported with EXIT protocols (Notes - for DB2 exit, need specific patch level; Teradata exit does not support UID chain). UID chain is supported with ATAP for MongoDB, Teradata, and Sybase ASE (with Real IPs). Windows platform Remote connections: OS user is not a mandatory field to connect to the database. Therefore our ability to capture OS USER depends on the database client sending it with the login packet. If OS USER information is not sent, this field will be empty. Local connections: Windows platform will always pick up the OS user running the process that connected to the database - process owner, (no UID chain is required in Windows). 28

29 Bugs fixed in v (v10.0 GPU patch 230) The list below details many of the bugs fixed in v However, if you are looking for a certain bug, that is not listed, check with your Guardium support team member. Bug# APAR Description 1. GRD-1531 Create a grdapi command to delete inactive staps 2. GRD-4686 GA15918 Audit processes taking much longer after upgrade compared to v10 3. GRD-4711 GA15972 Translation Bug: Query Builder shows an error message after applied. 4. GRD-4761 GA15977 V10 - Guardium is capturing user passwords in DB User field 'Cassandra' 5. GRD-4762 GA16019 SAP access report is empty and app user name is inconsistent 6. GRD-4763 GA16023 Guardium not logging SAP inserts 7. GRD-4770 GA15931 New 10.1 X-series appliance unable to access the network 8. GRD-4775 GA15985 Import fails when Error 1059 Identifier name is too long 9. GRD-4779 GA16140 GPU 200 installation fails at Outlier upgrade 10. GRD-4781 GA15993 Teradata reports dbuser field contains incorrect data 11. GRD-4782 GA15973 With Oracle DB, double quotation marks are added with OBJECT_NAME in report. 12. GRD-4784 GA16100 CREATE OR REPLACE PROCEDURE and CALL PROCEDURE commands on Netezza are not captured 13. GRD-4786 GA16021 The "Analyzer queue length" in Buffer Usage Report appears to be stuck and does not change value 14. GRD-4856 GA15918 Handling of long running sessions in Aggregation / Archive context 15. GRD-4863 IT21138 Orphan Cleanup improvement 16. GRD-4866 GA15902 SAP Application Access report is empty 17. GRD-4873 GA16128 Error reported in CLI 'show nanny remotelog' 18. GRD-4887 IT21054 Default value of "connection_timeout_sec" is different between actual guard_tap.ini and Knowledge center. 19. GRD-4962 GA16135 FAM: Alert and Audit setting are lost in Japanese and Chinese setting. 20. GRD-4965 GA16109 Both arrows are upward arrows on Inspection Engine UI 29

30 Bug# APAR Description 21. GRD-4966 GA16107 Query not getting stopped on managed unit after stopping it from CM 22. GRD-4977 GA16119 "grdapi get_outliers_detection_info" command returns an error message in Japanese environment after p GRD-4979 IT19304 Some RESTapi calls stop after v10p200 is applied 24. GRD-4987 GA16120 Suse 11 : OS failed to reboot with ktap related messages 25. GRD-4999 IT18388 Suse 11 : kernel panic during live update and reboot 26. GRD-5046 GA15953 ALTER LOGIN not showing in captured events 27. GRD-5072 IT17334 "aggregator backup keys file" is not working on v10p32 and v10p GRD-5079 GA15963 GIM stuck in "Pending-Update" state 29. GRD-5081 GA15944 New parameter fam_enabled in the guard_tap.ini is not a grdapi modifiable parameter 30. GRD-5082 GA16112 Group Builder LDAP import throws 'invalid credentials' error 31. GRD-5083 GA15948 LDAP Authentication test fails 32. GRD-5085 IT17307 Inconsistency applying Alias in reports 33. GRD-5090 GA10828 (Question/Request) Meaning of the value "-1" in "Login Succeeded" column. 34. GRD-5091 GA16121 Aggregation/Archive drilldown Error - contact your system administrator 35. GRD-5094 GA16004 Can't reset parameters to blank calling grdapi through the GUI 36. GRD-5095 GA16017 Mistake of Audit Process Builder of Japanese GUI GRD-5096 GA16055 Misspelling on GUI when deleting datasources 38. GRD-5109 GA15956 V10 - Expecting 18 SQL statements, but only seeing GRD-5110 GA15991 V10 P120 - App User Name truncates user 40. GRD-5114 GA16115 Fix serial grub parameter causing long VM bootup. Run the CLI command, store system serialtty. Otherwise the "Afterrpmsinstalled.sh" will not execute and therefore the configgrub.py will not either, so the grub.conf will not be modified. 41. GRD-5115 GA15928 V10 Guardium GUI's API invocation for patch_install incorrectly trigged previous patches to be installed again 42. GRD-5116 GA16135 RegEx pattern not working for all data types 43. GRD-5118 GA16111 Guardium cannot backup to an Amazon Cloud region other than US-EAST-1 30

31 Bug# APAR Description 44. GRD-5121 GA16090 Unable to load Session Inference page in v CM/Aggregator 45. GRD-5122 GA16016 Guardium v Health Dashboard incorrectly reporting unmet requirement CPU cores 46. GRD-5126 GA16129 Query against custom access domain not returning rows for specific from-to time period 47. GRD-5131 GA16022 Several issues/inconsistencies with STAP Statistics reporting 48. GRD-5132 Update openssh to openssh-5.3p1-118 or latest. 49. GRD-5134 GA16122 Windows server stops with the error 0xdeadbeef and the driver causing it is correlator.sys 50. GRD-5137 GA16012 Auto-discovery processes disappear from the GUI 51. GRD-5138 GA16020 Failed logins are displaying the DB user as the OS user or as blank for MS SQL Server 52. GRD-5141 GA16123 Frequent Sniffer Restarts on a 10.1 p4018 Collector Appliance 53. GRD-6187 GA16122 STAP installation flipping network card to 'promiscuous' in Solaris 54. GRD-6433 GA16050 Manage > System View > System Monitor /var Hard Disk Usage gives false alert and error message 55. GRD-6435 GA16048 Default logging does not capture some DB2 commands, log full details does 56. GRD-6518 GA16124 Fix instance of unable to install v10 STAP (shell install) on Linux. 57. GRD-6887 GA16075 A transfer-failed archive file is not resent on the next run after 10.1 (p100). 58. GRD-7020 GA16031 HP Vertica DB SQL 'COPY" is not understood by Guardium. 59. GRD-7021 GA16056 Field names in long SQL are not stored in GDM_FIELD 60. GRD-7022 GA16058 Constant sniffer crashes as the result of heavy POC stress test 61. GRD-7023 GA16051 Local "login_failed" exception not logged AIX 7.1 STAP Oracle GRD-7066 GA16083 Fix sample size input field in the Classification Builder GUI 63. GRD-7068 GA16139 After upgrading to V10.x, customer cannot longer monitor (SNMPWALK) using certain OIDs 64. GRD-7123 GA16117 A 'comma' specified in the Organization changes into a 'period' when it finishes, in a CSR GUI 65. GRD-7124 GA16104 Fix performance issues of restore db-from-previous-version 66. GRD-7127 GA16101 CLI command "store serial" was removed in v10 31

32 Bug# APAR Description 67. GRD-7136 GA16053 Blue Screen Error On Windows Server Due To S-TAP Version GRD-7138 GA16106 Correct results of security test 69. GRD-7140 GA16125 V P DB_USER showing weird characters 70. GRD-7145 GA16113 Unable to setup up RDS Discovery of a Amazon RDS 71. GRD-7148 GA16105 API mapping removes for all functions when try to remove it for any one 72. GRD-7149 GA16046 "Module Set with Latest version" column in GIM Installed Modules always shows 0 value 73. GRD-7150 GA16116 Guardium 10.1 Health Check 9997 for GPU Fails 74. GRD-7157 GA16110 Quick search only shows last 4 days 75. GRD-7159 GA16131 Issues On Chrome browser after Chrome updates to mouse events. After 'Datasource Definitions' page among other things. 76. GRD-7161 GA16132 Windows Database Server crashing regularly (NMPPROXY.SYS) 77. GRD-7368 GA16130 Adding DB2 exit IE from GUI caused duplicates entries in.ini file 78. GRD-8022 Fix instance of wrong default value "unknown" for aggregator orphan_cleanup_flag. The orphan cleanup method used in this case is small. 32

33 Bugs fixed, v10.0 patch 206 Patch# Bug # APAR Description 206 RTC GRD-4863 GA16127 IT21138 Orphan Cleanup improvement Orphan cleanup on aggregators When the aggregator includes restored data, orphans cleanup related to the restored data will be set to run according to the expiration date set when data was first restored. If any changes are done through GuardAPI commands related to the expiration date, this will not affect the date restored data that is available for Orphans cleanup. For example: The user restores data and wants to keep this data for 7 days. This means the expiration date of this data will be in 7 days from today and this data will be available for orphan cleanup after 7 days. If the expiration date is changed (set to keep the data for shorter/longer period - it won't affect the date this data is available for orphan cleanup. Customer should pay attention for this especially if they change the expiration period to be longer - in order not to lose data), then the rest of the data on the machine will be available for orphan cleanup as first designed. Notes for v10.0 patch 206 Install this patch during the "quiet" time on the appliance. If the downloaded package is in.zip format, customers are required to unzip it outside Guardium appliance before uploading/ installing it. This patch restarts: tomcat, nanny, classifier This patch is dependent on v10.0 patch 205. v10.0 patch April 10 33

34 v10.0 p205 release notes= = = = = = == = == = IBM Security Guardium v10.0 p205 February 27, 2017 Guardium UI Login using a Smart card Overview Guardium Smart card support meets the United States government mandate that all vendors must support multi-factor authentication for user access. Smart card authentication is supported only for access to the web-based Guardium user interface (UI). Details of the multi-factor authentication requirement are found in the Identification and Authentication (Organizational Users) (IA-2) section the Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication ) document. NIST is available through the NIST web site: Government applications refer to Personal Identification and Verification Cards (PIV). Civilian applications refer to Common Access Cards (CAC). PIV and CAC cards have different certificate authorities, but the cards are otherwise the same. Guardium Smart card support meets the HIGH confidence PIV assurance level described in the PIV Cardholder Authentication (6) section of the Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS Publication 201-2) document. FIPS is available through this NIST web site: Prerequisites The device requires the following: Access to the Guardium UI via a web browser that can access the Smart card certificate A Smart card reader A valid PIV/CAC card 34

35 Configure the association of users with Smart cards Learn how to correctly associate Guardium users with Smart cards. About this task This task describes how to correctly associate the information on a Smart card with a Guardium user. Before you begin Create Guardium users to associate with Smart cards. If you want to associate existing users with Smart cards, you do not need to create any new users. For more information about user creation and access management, see Access Management Overview. 1. Login to the Guardium UI as the admin user. 2. Navigate to Setup > Tools and Views > Portal 3. Under the Authentication Configuration section, select the Smart Card option. If the Smart Card option is not present, verify that the Smart card patch is installed. 4. In the Regex Match Pattern field, provide a regular expression (regex) that matches user information on a Smart card. Configure the Mapping of user to Smart card Create users The Guardium application provide various ways for users to be created. It doesn t matter how your users are created, and once you configure your web to use the Smart card for authentication it only uses the Smart card credential to establish SSL/TLS communication (Guardium site uses https). Here is an example how manually create a user: 1. Login as Accessmgr on CM 2. Select Access -> User Browser 3. click Add user button 4. Add Username Test Cardholder X 5. Add password twice 6. Enter first name and lastname same as user 7. Click Add User button 35

36 Now you will configure the mapping so when a Smart card is present the information on the Smart card will be correctly mapped to a user in the system. 1. Login as Admin from CM or standalone. 2. After you login, go to Setup > Tools and Views > Portal If you see the following it confirms that you indeed have the Smart card support patch installed. 36

37 Now use a regular expression to match the user information on the Smart card. Here is an example - see Regex Match Pattern. 37

38 This works with a Smart card with client certificate. The client certificate you selected to send to the webserver to establish HTTPS. On the Smart card you selected this client certificate to give to the webserver when the server requests it, which is exact what happens when this feature is enabled. The client certificate has the follow details which you can see in the certificate details from the browser. In this example you can use one of the following patterns. They both will match the mapping. Pattern 1 is more exact. Pattern 2 depends on your purpose, you can write your own to match your needs. You need to work with someone who is familiar with the data on the Smart card to write efficient mapping patterns. Pattern 1: CN?=?(.*?),?OU?=?Test Agency,?OU?=?Test Department,?O?=?Test Government,?C?=?US 38

39 Pattern 2: CN?=?(.*?) Both of the examples will get the value for CN attribute in the certificate subject which you can see by examine the detail of the certificate from the browser. In this case it is Test Cardholder X. Configure this pattern correctly is probably the most important part to make sure the authentication on Smart card is successful. Note that the regex validation tool currently available for other modules is not available for this purpose. (see Troubleshooting section, items 2 and 3). Now save it. Note, you are not done yet and you need to enable it from CLI since part of the enablement can only be done after the server is shut down, during which there is no GUI. Before you leave GUI for the CLI part, you need to upload the root CA certificate to the trust store. (See section Upload the root CA s certificate to web server s trust store.) 39

40 Upload the root CA s certificate to web server s trust store This part describes how you upload the root CA s certificate into the trust store used by the GUI. You can obtain the root certificate from one of the following sources. If you do not have the root certificate of the CA that signed the certificates on the Smart cards, you can export a root certificate from a CA-signed user certificate or a Smart card that contains one. We assume you obtained the certification either by having it given to you by the customer or exporting it from a Smart card using certification management tools such as certmgr.exe or tools like open SSL. The public root certificate of a trusted CA. This is the most common source of a root certificate in environments that already have a Smart card infrastructure and a standardized approach to Smart card distribution and authentication. Select a certificate to use for Smart card authentication. The signing chain lists a series of signing authorities. The best certificate to select is usually the intermediate authority above the user certificate. 40

41 Enabling the feature from CLI (can only be done in CLI) To check the status, use the CLI command, show system websmartcard. Here you ll see it s not enable and it tells you how to turn it on: CLI> show system websmartcard Portal configured for Websmartcard, run 'store system websmartcard on' Number of Certificates in Trust Store: 1 Trust Store Last Modified: Wed Jan 18 15:21: Now let s enable the feature and do a check afterwards: In case you need to turn it off for, use: CLI>Store system websmartcard off With this command the feature is turned off and GUI is automatically restarted with the system using local authentication. This is also useful when you first deploy the system and the regular expression you set is not quite write and you see error. 41

42 Note, while the Smart card authentication is used to authenticate, the access control (for example, what module a user has access, what navigation the user has is still done through the same way as without Smart card authentication. After enabling the feature: Once the feature is enabled you can only access the site with a valid Smart card (PIV, CAC etc.) Now when you visit the GUI site, you ll see the following prompt: Another example: 42

43 The above details are for an admin to set it up. As for end user, if it is set right, the user just needs to put the card in and the user will go straight to the site content. For a user with a valid Smart card, when the user load the websites, the browser will prompt for Smart card pin. This pin allows the client certificate on the card is access when requested. After the pin is provided, the regular Guardium login page will display with the user field prefilled with the login extracted from the Smart card. Note there is no password used here. The only thing you see in the user field is the extracted user place holder for mapping. For example, if the certificate are valid and the root CA of the Smart card issuer for Test Cardholder X is loaded in Guardium web server (See section Upload the root CA s certificate for how to do it), the user field will be prefilled with Test Cardholder X and prompt you for the Smart card pin. This is to access the client certificate on the Smart card. The client certificate stays on the Smart card and you cannot export it into a file. You may see the prompt twice and just provide the pin. 43

44 Troubleshooting or recovery scenarios 1. After the feature is enabled, when you load Guardium URL, you see an error page shown as follows: Diagnostic: Most likely, your configuration of the matching regular expression is not right or you don t have a valid certificate on the card. 2. You created a matching Regex and it doesn't seem to be working. You remember that Guardium has a regex validation tool and used it thinking that if it works in the tool, it's a good Regex. Unfortunately, while the test is successful in that tool, the Regex pattern doesn't work for Smart Card Configuration. Diagnostic: That tool is to find if an expression can be found inside a text paragraph. So it won't work in this case. This configuration is to extract a piece of text from the certificate text as displayed in the subject as shown in certificate details. 3. You didn t get prompt from the browser to select a certificate at all. Diagnostic: PC/laptop is able to install the card reader and the Smart card. A copy of the certificate in the Smart card gets copied to the certmgr in Windows OS. However, when accessing the site, browser (IE or Firefox or Chrome) does not read the certificate. In other words, all the three browsers are unable to read the certificate and there is no prompt to choose the certificate. This has been noted on all browsers on some laptops we tested. If this is the case, it s not only happening to Guardium site. Other sites that requires Smart card to operate will also experience this. This is rare. Solution: Contact the department that manages your Smart card. v10.0 p205 release notes= = = = = = == = == = 44