Release Notes
================

Product: IBM Security Guardium
Release: v10.1
Version: Guardium v10.1 (patch 100)
Completion Date:


IBM Guardium offers the most complete database protection solution for reducing risk, simplifying compliance and lowering audit cost.

The IBM Security Guardium solution is offered in two versions:

- IBM Security Guardium Database Activity Monitoring (DAM)
- IBM Security Guardium File Activity Monitoring (FAM) - Use Guardium file activity monitoring to extend monitoring capabilities to file servers.

The IBM Guardium products provide a simple, robust solution for preventing data leaks from databases and files, helping to ensure the integrity of information in the data center and automating compliance controls.

Contents

- Version 10.1 (patch 100) Release Notes
- Upgrade
- Identify the correct upgrade scenario
- Upgrading Summary
- Order of Upgrade
- Upgrade Paths
- Controlled Upgrade Program
- Upgrading and Installing - Quick Search for Enterprise
- S-TAP Reminders when Upgrading
- Limitations of a v9/10.1 Mixed Guardium Environment
- New for 10.1 features/functions and enhancements
- IBM Security Guardium v10.1 Improvements
- IBM Security Guardium Vulnerability Assessment V10.1 improvements
- IBM Security Guardium for Files (FAM) V10.1 improvements
- New features and enhancements for S-TAPs for z/os are available in v10.0 with PTFs
- S-TAP/ ATAP new features and enhancements in V
- Relevant Information for V
- Support for UTF8mb
- S-TAP doesn't capture traffic in the WfpMonitor driver for open sessions that existed before the driver was started
- Express DAM
- New Parameter for Windows S-TAP
- New CLI command to help control data flow between Parser and Logger
- Use the Central Manager to assign correlation alerts to individual managed units or managed unit groups
- Known Issues and Limitations
- Quick Search for Enterprise Troubleshooting and Limitations
- Bugs fixed in v10.1 (patch 100)
- Links
- Link to formal Guardium V10.1 product announcement
- Online help available via Web
- V10.1 Detailed Release Notes (June 2016)
- Links to System requirements/ Technical requirements for v V10.1 and Developerworks

Version 10.1 (patch 100) Release Notes

Upgrade

The V10.1 (patch 100) upgrade is accomplished by patching V10.0. If your Guardium systems are currently below V10.0, see the V10.0 upgrade doc for information about upgrading to V10.0.

Identify the correct upgrade scenario

The best approach for upgrading to Guardium depends on multiple factors, including the Guardium version you are upgrading from, the hardware of your system, and any special partitioning requirements you may have.

Determine your current Guardium version and patch level by clicking the ? icon in the main user interface and selecting About Guardium. See the table on the next page.

Use the following to identify the best approach for upgrading your systems to Guardium v10.1.

Table 1. v10.1 Upgrade Scenarios

Version Architecture Partitioning System Type Action Before version 9 Version 9 before GPU 200 Version 9 GPU 200 or later Any Any Any Upgrade to latest version 9 GPU and then revisit this topic to continue your upgrade to version bit Any Any Visit the Guardium KnowledgeCenter for information about upgrading to version 9 GPU 500 or above. 32-bit Any Any Upgrade to version 10 following a backup, rebuild, and restore upgrade 32-bit Any Any procedure. 64-bit Nonstandard or GPT (GUID Partition Table) Any Standard Central Manager or standalone Upgrade to version 10 using the standard upgrade patch. Managed unit Upgrade to version 10 using the standard upgrade patch.

Important: SSLv3 must be disabled before upgrading to V10.1. To disable SSLv3 on systems at or above V9 GPU 200 but below V9 GPU 500, download patches 9501 and 9502 from Fix Central and follow the instructions in the patch release notes, or upgrade to V9 GPU500. All Guardium systems in your environment must have SSLv3 disabled before upgrading to V10.1.

Upgrading Summary

- Latest Health Check is required. Health Check installed prior to GPU must be re-installed prior to V10.1 upgrade.
- SSLv3 must be disabled. For a discussion of SSLv3 protocol vulnerability and Guardium Central Manager, see page 4 in the Guardium v9.5 release notes (March 2015),
- Upgrade only supports 64-bit systems.
- Upgrade only supported for v9.0 GPU200 or higher.
- Collector-based Central Managers are not supported in v10.1. Upgrade will convert to Aggregator Manager.

Order of Upgrade

Upgrade IBM Guardium appliances in the following required top-down order:

1. Central Manager
2. Aggregator
3. Collector
4. GIM agent
5. S-TAP agent

Make sure that each step in the sequence above has completed successfully before proceeding to the next step.

The upgrade process usually cannot be done simultaneously on all appliances (Central Manager, Aggregator, Collector and Managed Units) and all S-TAPs. During the upgrade transition, the customer will have a hybrid of v9.x and v10.1 Guardium systems. While this "hybrid mode" is supported by Guardium, many functions are limited until all components are at the same version. Therefore, it is strongly recommended to complete the upgrade in a timely manner and have all Guardium components at the same version and the same patch level.

Upgrade Paths

Source system: v8.2
Upgrade path:
1. Create v8.2 system backup.
2. Rebuild appliance with v9.5 (64 bit) ISO, available from Passport Advantage.
3. Install latest v9.0 GPU (64-bit) Cumulative patch.
4. Restore system backup from pre-upgrade v8.2 system (For collectors upgrade all corresponding S-TAPs to latest v9 before proceeding to the next step).
5. Install v9.0 - v10.1 upgrade patch. (This patch will be made available through the Controlled Upgrade Release program. For more information on this program, please contact Carrie Rogers, carriero@us.ibm.com).

Source system: v9.0 (32-bit)
Upgrade path:
1. Install latest v9.0 GPU (32-bit) Cumulative patch (Install on entire environment before proceeding to next step).
2. Create v9 system backup.
3. Rebuild appliance with v (64-bit) ISO, available from Passport Advantage.
4. Apply v10.0 GPU Restore system backup from v9.0 system.

Source system: v9.0 (64-bit) Below patch 200
Upgrade path:
1. Install latest v9.0 GPU (v9.5) GPU patch (64-bit).
2. Create v9 system backup.
3. Install v9.0 - v10.1 upgrade patch. (This patch will be made available through the Controlled Upgrade Release program. For more information on this program, please contact Carrie Rogers, carriero@us.ibm.com).

Source system: v9.0 (64-bit) Patch 200 and above
Upgrade path:
1. Create v9 system backup.
2. Install v9.0 - v10.1 upgrade patch (This patch will be made available through the Controlled Upgrade Release program. For more information on this program, please contact Carrie Rogers, carriero@us.ibm.com).

Source system: V10.0/ V
Upgrade path: Apply v10.0 GPU

Controlled Upgrade Program

To ensure overall client success, the Guardium team has put together a team of experts to implement a controlled upgrade program. For a limited time, the Guardium team will work closely with customers that wish to upgrade their Guardium v9 64-bit to v10.1. The effort will include assistance for a small scale environment or a small subset of a larger environment. This initiative will provide IBM a better understanding of the upgrade from the customer's point of view, thereby enhancing the upgrade experience for all.

Note: For the period of time that the controlled upgrade program is running, the upgrade package will not be available on Passport Advantage or on Fix Central. For more information on this program, please contact Carrie Rogers, carriero@us.ibm.com

Note: An Upgrade v9.x to v10.1 document will be available in July 2016 from the following hyperlink:

Upgrading and Installing - Quick Search for Enterprise

During the installation of 10.1 and on any pre-v9.0p500 upgrades to 10.1, the default search mode for Enterprise search is cm_only, which means that you can do Enterprise search on only the Central Manager and local search on managed collectors.

When you click on the search button in the Guardium application GUI on a managed aggregator, you will see the following message in the search window: "Enterprise search may not be enabled, for future information look at the 10.1 documentation section, GuardAPI Quick Search for Enterprise Functions".

To enable Enterprise search on the aggregator, run the CLI command:

    grdapi set_enterprise_search_options distributed_search=all_machines

To disable Enterprise search on the aggregator and prevent the message, log in to the Central Manager and run the GuardAPI command:

    grdapi set_enterprise_search_options distributed_search=cm_only

S-TAP Reminders when Upgrading

- Make sure that current guard_tap.ini parameters are preserved.
- If a guard_monitor process is running, turn it off and, after the upgrade, turn it back on.
- UNIX S-TAP 64-bit session key: This function decreases the likelihood of collisions on the key causing traffic losses. A 64-bit session key was introduced in V9.0 with Sniffer Update p4038 to support existing mixed environment configuration.

Note: A 10.1 S-TAP and a V9.0 collector is not a generally supported configuration. The collector should be at least the same level as its agents.

Note: Upgrading from V10 Beta is not supported.

v8.2 S-TAPs are not supported for 10.1 Guardium systems. v8.2 GIM works, but v8.2 S-TAPs will not connect. As a rule for S-TAPs, Guardium supports one version back from the Guardium system version.

Limitations of a v9/10.1 Mixed Guardium Environment

During the upgrade to 10.1, it is possible for the managed environment to enter a mixed state. A mixed environment is comprised of a 10.1 CM and v9 MUs at patch level 200 or above. IBM Security Guardium 10.1 does not support mixed environments with MUs below GPU200.

Although a mixed environment is supported, there is an associated set of limitations that must be considered in any upgrade plan, as it means certain capabilities will not be available until the entire environment is brought up to It is for this reason that it is recommended to upgrade the entire environment to 10.1 as soon as possible.

The following are the limitations that exist in a mixed environment.

1. Unable to distribute any configurations from 10.1 CM to v9p200+ MU

2. The following reports will result in a SQL error when viewed on v9p200+ managed units:
   - Agg/Archive Log
   - Connections Quarantined
   - Installed Patches
   - Inactive Inspection Engines
   - S-TAP Verification

3. Unable to register additional v9p200+ MUs after upgrading CM to 10.1
   Note: Units registered before the upgrade will remain registered after the upgrade.

4. Unable to distribute policies on v9p200+ MUs via 10.1 CM
   Note: Policies already installed on the MUs prior to the upgrade will remain unchanged. Portal sync will continue synching between 10.1 CM and v9p200+ MUs.

5. Unable to distribute PATCH BACKUP settings from 10.1 CM to v9p200+ MUs
   Note: PATCH BACKUP settings defined before the upgrade will remain unchanged.

6. UI layout customization and distribution is not supported from 10.1 CM to v9p200+ MUs

7. Quick Search for Enterprise will work in a mixed environment that consists of a 10.1 CM managing v9p530+ MUs. The GUI will need to be restarted in order to reinitialize enterprise quick search. Managed units prior to GPU500 will be unable to take advantage of enterprise search, although local Quick Search is still available.

8. Unable to view remote data on 10.1 CM from v9p200+ MUs. This extends to any report that relies on the use of remote data sources.

9. Aside from Enterprise Buffer Usage Monitor, data from v9p200+ MUs is not accessible in the following enterprise reports on the 10.1 CM due to underlying Database changes:
   1. Enterprise S-TAP Verification
   2. Enterprise Load Balancing Events

10. Unable to distribute profile configurations to managed units that are not at v10.1 or newer.

New for 10.1 features/functions and enhancements

IBM Security Guardium v10.1 Improvements

Infrastructure and platform:

- Platform hardening with enhanced security, globalization, and accessibility improvements
- Support for a Guardium appliance running in Hyper-V environment. Hyper-V is a virtualization solution from Microsoft.

Improved supportability and management of the Guardium deployment:

- Stability and reliability are enhanced for the S-TAP agents and the collection parsing.
- The deployment health view is accessible from any Central Manager and provides an at-a-glance visualization of the entire Guardium environment connected to that Central Manager.
- S-TAP Watchdog (guard_monitor) for UNIX/Linux and Windows is a process designed to monitor S-TAP performance and responsiveness. If S-TAP CPU utilization exceeds the configured threshold, or if S-TAP does not respond to a console request, the following actions can be taken:
  - Automatically run guard_diag;
  - Automatically kill the S-TAP process;
  - Automatically core dump and kill the S-TAP process.

Enterprise readiness enhancements make Guardium components easier to deploy and use in large environments, including:

- Updates to the automatic load balancing to improve granularity and rebalancing requests, including support for running the load balancer on managed units in environments where direct communication is disallowed between S-TAPs and the Central Manager.
- Reporting progress alerts for long running jobs
- More granular access to administration console capability and reports based on roles.
- Configuration profiles allow you to define configuration and scheduling settings from a central manager and conveniently distribute those settings to managed unit groups without altering the configuration of the central manager itself.
- Selective aggregation to streamline the reporting on large environments

- Support for 7-element tuple - A tuple group allows multiple attributes to be combined together to form a single composite group member. Example of 7-tuple group - Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name

Expanded data source coverage:

- Improved failover, encryption, and reporting from the S-TAP agent on System i
- Enhanced data collection, failover persistence, and usability for the S-TAP agents for z/OS data sources
- Additional data security functions for more big data platforms: blocking for HortonWorks and integration with Ranger security platform, and Kerberos support for Cassandra
- Ranger integration phase 1: Ranger offers a centralized security framework to manage fine grained access control and audit for Hadoop components (Hive, HBase, HDFS, Kafka...). Guardium integrates with Ranger to monitor data activity for HDFS, Hive, HBase and Kafka. Guardium is also integrating with the access control features in Ranger to enable blocking.
- Spectrum Scale/GPFS support for IBM BigInsights if using the Spectrum Scale/HDFS Transparency connector.
- Support for the S-TAP agent RedHat 7.1 on Power 8 (little endian) architecture.
- PostgreSQL 9.4 and 9.5 and SSL encryption support

Security integration that provides synergistic use cases for the challenging security problems across IT silos:

- Greater flexibility in Guardium and QRadar bidirectional support. Tuple support added to the integration enables greater flexibility in reacting to QRadar threat intelligence. Built in groups and a sample policy definition simplify the integration.

Attack threat detection analytics and diagnostics

There are a wide variety of database attack mechanisms. In Version 10.1 Guardium includes specialized threat detection analytics that scan and analyze audited data to detect symptoms that may indicate the following database attacks:

- SQL injection, which is usually an attack on the database through improperly coded web applications. These include classic injection techniques such as leveraging the use of escape characters in input fields to inject SQL, blind injection techniques that use automation to piece together information piece by piece based on the logical result of query manipulation, and other SQL injection techniques.

- Malicious stored procedures, such as might be caused by a disgruntled DBA that decides to use a stored procedure to disguise a drop of an important table or extract the contents of a table.

Unlike some solutions, Guardium does not rely on comparison against a dictionary of attack signatures. Instead, Guardium automates database threat analysis capabilities into the product by analyzing audit data activity, exceptions, and outlier data over time for specific patterns of events that could indicate a SQL injection attack or malicious stored procedure.

IBM Security Guardium Vulnerability Assessment V10.1 improvements

- Updated security awareness with new common vulnerability event (CVE) and other vulnerability tests

IBM Security Guardium for Files (FAM) V10.1 improvements

- Scalability and performance improvements to help deploy in large organizations
- File Activity Monitor discovery performance improvements
- Support for FAM discovery on AIX 6.1 and AIX 7.1 (no classification).
- Support for shared drive discovery and classification on FAM crawler.

New features and enhancements for S-TAPs for z/OS are available in v10.0 with PTFs

STAP for DB2 for z/OS

- Data collection on DB2 for z/OS queries when offloaded to IDAA in PTF PI47594
- Inclusion of additional Timestamp information on event records in PTF PI59998 (available 30 June 2016)
- Removal of Utility and IFI traces: 83/87,169 in PTF PI56844 (available 30 June 2016)

STAP for Data Sets

- Keep FAILOVER appliance connections persistent in PTF UI37461
- Update documentation to show that Options and Policy can be held in 2 different data sets
- Add date/time when a policy is pushed to the STAP as a comment in the z/OS copy of the policy in PTF UI37461
- Expand the OPTIONS member to allow customer to force Record Level Monitoring (RLM) OFF despite specification in policy in PTF UI35905

STAP for IMS

- Add new AUI$NAP trace option to trace audited events to include field labels while showing hex values in EBCDIC in PTF PI59529
- Change the FAILOVER appliance connections from the agent to be persistent in PTF PI

S-TAP/ ATAP new features and enhancements in V10.1

Load Balancer Phase III

- Add support for the Proxy feature, which allows load balancing services to be used (via Proxy) when a direct connection to the Load Balancer (CM) is not available.
- A note of caution about using the Load Balancer and multithreading: the number of MUs assigned is not guaranteed and can change, so failover may not work properly in this scenario.

Improvement for Multi-threading:

- Add support for failover.
- num_main_thread for multi-threading (this parameter is used to create multiple threaded connections to the same collector). The maximum number of threads is 5, so the user could have one sqlguard section with num_main_thread=5, or 2 sqlguard sections with one num_main_thread=3 and the other with num_main_thread=2. The total number of threads has to be 5 or less.

Support for Oracle Kerberos plugin is now improved. Kerberos is supported in two ways:

- First method is based on libgassip_krb5.so
- Second method is to use Kerberos cache files

Other additions:

- Add support for Postgres 9.4, 9.5
- Add support for Postgres 9.5, 9.5 SSL on Linux and Solaris
- Add support for Sybase IQ 16 TLS on Linux
- Add mechanism in S-TAP to remove the red S-TAP process from GUI of appliance after connecting to a different appliance. Previously, when the S-TAP was reconfigured to point to different collectors, that S-TAP would still show up red in the old collector's GUI. In v10.1, at the point that the S-TAP starts with the new configuration, any collector previously configured for use that is not in the current configuration is sent an uninstall message to remove the S-TAP from the GUI. This does not apply to the FAM connection, and if the previously configured collector is not able to receive the message for any reason, the S-TAP connection will not be removed and we do not resend the message.

ATAP enhancements:

- Automatically instrument Oracle instance depending on the encryption type, OS type and Database version. (Automatically de-instrument upon ATAP deactivation in case it was instrumented.) (You will still need to manually instrument if you are using the encryption in the GUI (that is supported only on non-linux platforms.))
- Add ATAP instances status to S-TAP Statistics
- Add ATAP logs and configuration to S-TAP diagnostics

Add specific tap identifier to traffic sessions

tap_identifier is a new parameter in the Inspection engine section. This is a user-configurable string that must not contain any spaces. It will show up in the session table to identify which inspection engine determined that the traffic should be intercepted. If multiple inspection engines overlap in specifying which traffic to intercept, the first one's tap_identifier is used.

When changing the tap_identifier, old sessions retain the original identifier.

- In order for new sessions to get the identifier with ATAP, the DB will need to be stopped, ATAP deactivated, reactivated, and the DB restarted.
- For the EXIT engines (DB2), just stop and restart the DB after restarting STAP with the new configuration.
- For the EXIT engines (Informix), make sure db_install_dir is exactly the same as the $HOME value in the database. Stop ifxguard, then restart the database, then start ifxguard after restarting STAP with the new configuration.

When Kernel is NOT supported during S-TAP installation, log error in syslog and S-TAP events

In order to make it easier to notice when we are unable to find or create KTAP that matches the running kernel, we now log a message indicating the issue (and the current kernel version) to the syslog and remotely to the appliance, where it will show up in the STAP events log. These messages are logged every time S-TAP restarts. Once KTAP loads a module successfully, the file in /tmp where we store the message is deleted and S-TAP will no longer log it.
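The two limits stated in this section (at most 5 threads in total across the sqlguard sections, no spaces in tap_identifier) and the upgrade reminder to preserve guard_tap.ini parameters can be checked by comparing the file before and after an upgrade. The following is an added example, not IBM code: the section names [TAP], [SQLGUARD_n] and [DB_n], the one-thread default for a section without num_main_thread, and all sample values are assumptions constructed for illustration.

```python
import configparser

MAX_THREADS = 5  # release notes: total across sqlguard sections must be 5 or less


def load(text):
    """Parse guard_tap.ini text; keep key case and literal '%' characters."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_constraints(cp):
    """Return a list of violations of the two limits stated in the notes."""
    problems = []
    total = 0
    for name in cp.sections():
        sec = cp[name]
        # Assumption: collector sections are named SQLGUARD_<n>, and a section
        # without num_main_thread opens a single connection.
        if name.upper().startswith("SQLGUARD"):
            raw = sec.get("num_main_thread", "1").strip()
            if not raw.isdigit() or int(raw) < 1:
                problems.append(f"[{name}] num_main_thread={raw!r} is not a positive integer")
            else:
                total += int(raw)
        ident = sec.get("tap_identifier")
        if ident is not None and any(ch.isspace() for ch in ident):
            problems.append(f"[{name}] tap_identifier {ident!r} contains whitespace")
    if total > MAX_THREADS:
        problems.append(f"num_main_thread total is {total}, limit is {MAX_THREADS}")
    return problems


def changed_parameters(before, after):
    """List (section, key, old, new) for every pre-upgrade setting that was
    dropped or altered; new is None when the key or its section is gone."""
    drift = []
    for name in before.sections():
        for key, old in before[name].items():
            new = after[name].get(key) if after.has_section(name) else None
            if new != old:
                drift.append((name, key, old, new))
    return drift


# Constructed sample: a pre-upgrade file that satisfies both limits.
BEFORE = """\
[TAP]
tap_ip=10.0.0.21
all_can_control=0

[SQLGUARD_0]
sqlguard_ip=10.0.0.5
num_main_thread=3

[SQLGUARD_1]
sqlguard_ip=10.0.0.6
num_main_thread=2

[DB_0]
db_install_dir=/home/db2inst1
tap_identifier=ora_prod_1
"""

# Constructed sample: the same file after an upgrade that lost one setting,
# raised a thread count and introduced spaces into the identifier.
AFTER = (BEFORE.replace("num_main_thread=2", "num_main_thread=3")
               .replace("tap_identifier=ora_prod_1", "tap_identifier=ora prod 1")
               .replace("all_can_control=0\n", ""))

if __name__ == "__main__":
    old_cfg, new_cfg = load(BEFORE), load(AFTER)
    for line in check_constraints(new_cfg):
        print("LIMIT:", line)
    for section, key, old, new in changed_parameters(old_cfg, new_cfg):
        print(f"DRIFT: [{section}] {key}: {old!r} -> {new!r}")
```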
- Suppress prune messages
- Improve Ignore response on S-TAP level
  - Add improvement for all databases protocols
  - Add support for DB2 Exit protocol

db_ignore_response_resets_per_request is a new option to a set of configuration parameters that are intended to permit configuring a limit to the amount of traffic received in result sets. This new parameter allows the amount of return data to be limited while still capturing SQL errors. It works in conjunction with the existing parameter db_ignore_response_bypass_bytes, which dictates the number of response bytes to return to sniffer before ignoring the remainder. When db_ignore_response_resets_per_request is set, the bypass counter is reset for every request, allowing a configurable amount of return data to be logged while still reducing the overall amount captured.

- Add support For Redhat 7.1 PPC 64 little endian
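A simplified model of the bypass counter described above, as an added example (not Guardium code). It assumes that without db_ignore_response_resets_per_request the counter runs over the whole session, uses constructed response sizes, and counts an error as captured only when it is forwarded in full.

```python
from dataclasses import dataclass


@dataclass
class Response:
    kind: str   # "rows" for a result set, "error" for a SQL error reply
    size: int   # bytes returned by the database server


def forward(session, bypass_bytes, resets_per_request):
    """Bytes forwarded to the sniffer for each response in the session.

    bypass_bytes models db_ignore_response_bypass_bytes; resets_per_request
    models db_ignore_response_resets_per_request.
    """
    forwarded = []
    remaining = bypass_bytes
    for resp in session:
        if resets_per_request:
            remaining = bypass_bytes      # counter restarts with every request
        sent = min(resp.size, remaining)  # the rest of the response is ignored
        remaining -= sent
        forwarded.append(sent)
    return forwarded


def summarize(session, bypass_bytes, resets_per_request):
    """Totals plus the indexes of error replies that were or were not captured."""
    sent = forward(session, bypass_bytes, resets_per_request)
    errors = [i for i, r in enumerate(session) if r.kind == "error"]
    return {
        "returned": sum(r.size for r in session),
        "forwarded": sum(sent),
        "errors_seen": [i for i in errors if sent[i] == session[i].size],
        "errors_missed": [i for i in errors if sent[i] < session[i].size],
    }


# Constructed session: large result sets interleaved with short SQL errors.
SESSION = [
    Response("rows", 50_000),
    Response("rows", 1_200),
    Response("error", 180),
    Response("rows", 300_000),
    Response("error", 95),
]

if __name__ == "__main__":
    for reset in (False, True):
        print("resets_per_request =", reset, summarize(SESSION, 4096, reset))
```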

Relevant Information for V10.1

Support for UTF8mb4

Enable support for 4-byte UTF-8 encoding (utf8mb4), using the CLI command:

    store mysql_utf8mb4

This command modifies Guardium sniffer processes and internal databases to correctly capture and store 4-byte UTF-8 characters. Enabling utf8mb4 may be useful if datasources in your environment contain 4-byte characters, for example as used for Chinese, Japanese, and Korean ideographs.

Note: Use this command cautiously - once UTF8mb4 support has been enabled, it cannot be disabled without rebuilding your Guardium system.

Limitations:

- Reports saved as PDF do not show characters correctly.
- Reports used in Datamart do not support Japanese characters.

S-TAP doesn't capture traffic in the WfpMonitor driver for open sessions that existed before the driver was started.

Traffic is not captured from the open session after upgrade, but it is captured from any new sessions. This is irrespective of database type. This is a limitation of the V9-to-V10 upgrade process. What's happening is that LHmon is replaced with the WfpMonitor driver. WfpMonitor cannot access any streams that were created before it starts, so it never feeds any of that traffic to S-TAP. The same thing happens whenever you stop the WfpMonitor driver and then start it up again. That's why Guardium does not stop the driver when stopping the S-TAP service. So the same thing will happen in any type of upgrade, whether it's V9-to-V10 or V10.0-to-V10.1 (bug 53851).

Express DAM

1. The Express DAM license keys from will not be valid for version They will not install.
2. If a user already has Express DAM installed on version and upgrades to 10.1, they will not lose it, they will retain Express DAM on the system.

New Parameter for Windows S-TAP

There is a new parameter in the TAP section of Windows S-TAP.

Note: This new parameter applies to FAM only. This new parameter is not relevant if FAM was not used in V10.

    FAM_USE_INI_HOST=0

Use this parameter for upgrading from v10 to v10.1. Adding this parameter to the S-TAP.ini file will cause the FAM agent to register using the hostname like it did in v10. If this parameter is not set (default), the agent will use the TAP_IP. If there is a mismatch between the original policy setting (hostname) and current client setting (IP), the policy will not work. This should be addressed by the new parameter setting.

New CLI command to help control data flow between Parser and Logger

The new CLI command, store antlr3_max, is an advanced parameter geared towards expert users and Customer Support to help control the data flow between the Parser and Logger components of the Sniffer for Oracle, DB2, MySql, and MSSql. This value (default 20,000) will change the number of concurrent parsed SQL statements that the Logger is able to hold in queue.

The issues that this could potentially help remedy are Sniffer running out of memory and restarting, or Sniffer not utilizing enough memory. If you notice the sniffer is running out of memory and restarting, lowering the context cap may help to alleviate this. Alternatively, if the Sniffer isn't using enough of the available system memory, raising the context cap can allow it to use more.

Use the Central Manager to assign correlation alerts to individual managed units or managed unit groups

This new feature is for a managed environment. It allows the central manager to assign correlation alerts to individual managed units or managed unit groups. You can either assign it to a unit or group or you can exclude it from a unit or group. You must also specify whether to run it on the Central Manager itself. The groups used are managed unit groups, the same types of groups that are used on the Central Manager page.

In the managed environment, on the Central Manager, the alert builder has a new section for "Managed Units". In this section, you specify either single units or groups of managed units to either include or exclude from an alert. You also specify with a checkbox whether that Central Manager itself is included or excluded. The default behavior matches the existing behavior: alerts run everywhere. If you specify that alerts should not run everywhere, verify that the alerts run where you specify.

The UI includes four options for including/excluding single units or groups, and dialogs for selecting from the list of management groups and, if desired, creating new management groups or editing existing managed unit groups.

On the individual managed units, the alert builder does not show any section on managed units; only the Central Manager can assign alerts to units and groups.

If there are entries in the alert not evaluate table on a given managed unit, there will automatically be a system generated group created to exclude that unit for each alert it is excluded from. This will occur when the alerts are started on that managed unit.

The alert panes on the anomaly detection page under admin console were used to enable/disable alerts locally. For this feature, the alert panes appear only on the Central Manager. On the managed units, there is now a table showing active alerts and whether they are enabled. (Guardium bug #49156)


Known Issues and Limitations

Issue No. / Description / Guardium Component / Bug # / Fixed in 10.0p

In the instance where the Central Manager becomes unresponsive and has to be rebooted and the Solr status of Managed Units is offline, restarting the GUI on the Managed Units of the Central Manager resolves the problem.
Guardium Component: Central Manager/ Managed Units
No fix, Workaround

2. Windows S-TAP 10.1 aborts MARS-enabled SQL connections when scrubbing (redaction) is enabled on the connection.
Guardium Component: Windows S-TAP

3. Network traffic is marked as local network traffic. With networked named pipes, there is no remote system information, so all that is logged is the local system information. This is normal behavior as long as the DB_USER is correct.
Guardium Component: Network traffic

4. S-TAP doesn't capture traffic in the WfpMonitor driver for open sessions that existed before the driver was started. See further details in Relevant to v10.1 section on page 16.
Guardium Component: Upgrade

Investigation Dashboard does not work on v10.0 p20 managed unit managed by a v10.1 Central Manager. This issue occurs because the Central Manager has been upgraded, but the managed unit has not. Once the managed unit is upgraded, the problem will be resolved.
Guardium Component: Investigation Dashboard

Previously IPV6 traffic was captured. But in v10.1, IPV6 traffic is not supported and not captured.
Guardium Component: IPV6 traffic

Installation of S-TAP through GIM is only supported for S-TAPs that match the GIM version.
Guardium Component: S-TAP/GIM

These three bugs describe upgrade restrictions in which the S-TAP build should never be higher than the GIM build and v10.1 GIM modules for both GIM and S-TAP do not work with v9 collectors, Central Manager or managed units.
Guardium Component: S-TAP/ GIM
Bug #: 53851, 53612,

Quick Search for Enterprise troubleshooting - see end of this table.
Guardium Component: Quick Search

Note: Important issues in this table will be addressed in future V10.1 maintenance releases.

Quick Search for Enterprise Troubleshooting and Limitations

1. If you encounter issues with Enterprise Search after registering a v10.0 appliance to a v10.1 Central Manager, please follow the steps below:
   a. Distribute GPU100 from the v10.1 Central Manager to the newly registered v10.0 MU to bring the MU to v10.1 level.
   b. Verify that Enterprise Search is working on the newly registered MU.

2. Be aware that if Enterprise Search is configured to "all_machines" mode on the Central Manager, registered new units will not inherit this mode unless and until the grdapi command is rerun explicitly on the Central Manager. After you are done registering all the new managed units, run the following grdapi command from the Central Manager:

    grdapi set_enterprise_search_options distributed_search=all_machines

3. If "all_machines" mode is set but your managed aggregator is unable to use Enterprise Search and you observe the error below, please run the following CLI command on the managed aggregator to reinitialize solr:

    restart network

(Related Bug: 53842)

Bugs fixed in v10.1 (patch 100)

Bug# / APAR / Description

- Add two tap property parameters (original Bug 36031)
- Kerberos update to newer library
- GIM installation fails with "-E- VENDOR VERSION MISMATCH"
- Kerberos: support missing for AIX 6 and Solaris 10 x86/
- Kerberos: DB_USER is empty for Sybase on Solaris
- FAM S-TAP is capturing too many meaningless system calls
- Add unix_domain_socket field to Discovered Instances report
- Configurator.sh do not display secondary sqlguard_ip
- installer should set ktap_installed=0 automatically in zone envelope during installation
- Enterprise S-TAP reports do not show if S-TAP is pointed to more than one Guardium system at same time
- New request: Need to add number of threads to specify per Guardium host when using multithreading
- Need to allow user to point S-TAP to more than one Guardium system through GIM
- Improve guardctl to give warning when database is wrong
- Change location for ktap_install.log to be under /var/log
- GRDAPI update_stap_config host parameters are case sensitive
- Warning against old ktaps after live upgrade when activating atap with guardctl
- Add ATAP information collection to S-TAP diag
- When adding multiple Inspection Engines from GUI, S-TAP will restart many times which will cause it to go into maintenance mode
- Scrub SSN with specific format ([0-9][0-9][0-9]-[0-9][0-9]-)[0-9][0-9][0-9][0-9] doesn't scrub SSN when combined with predefined rules
- S-TAP should print overflow buffer message once per connection in S-TAP log
- Kerberos is not working on Oracle
- DB2 fails to start after r77657 installation on AIX PureScale member with RDMA

GIM not always uninstalled cleanly in some specific situations
IT10788 Supervisor clears the inittab when / is full
Adding support for S-TAP multi-threading failover
After S-TAP upgrade on SuSe 12 and RHEL 7, S-TAP is not starting automatically
Enabling Query rewrite should ignore firewall default state "on"
Improvements for locking mechanism for UNIX S-TAP performance
UID chain captured by DB2_exit is wrong on Linux platforms
db_ignore_response_bypass_bytes is not working for DB2 exit
Ignore revocable is not working with DB2 exit
GA15543 GRDAPI update_stap_config host parameters are case sensitive
With all_can_control=0, we should not be able to update parameters from secondary server through grdapi
Sniffer stop with message >61K
Activating ATAP on 1 node causes instance restart on other
Overall S-TAP performance improvements for v
Fix UID chain for DB2 TCP on Linux
KTAP built locally on Ubuntu 14 generate a warning in syslog
S-TAP discovery may fail if lsof does not find database binary
GIM server should treat GIM client's with SAME hostnames/ DIFFERENT IP's as different Guardium systems
GIM process need to be restarted after update server hostname
S-TAP r71327 on el6.s390x appears to loop - start, came down, restart
Failover is not working with v10 S-TAP and v9 Guardium system
Enterprise. Load Balancer Phase III - Guardium system changes
Sybase SSL on SuSe 32 bit do not work with default db variant
ATAP supportability enhancements, check and alert on ATAP activation status
S-TAP discovery: discover Oracle when it is configured to use TNS_ADMIN
ATAP: automatically instrument database when needed

S-TAP r80008 caused AIX 6.1 server stop
Without DB2 exit configured in S-TAP, DB configured with EXIT lib, DB2 stops
Add support for RHEL 7 PPCLE
GA15652 V10 S-TAP stops HP-UX server
S-TAP adds a mechanism to remove itself from Guardium system that it is no longer configured to point to
Start and restart instructions for UNIX S-TAP on RHEL 6 are the same
Restarting S-TAP overwrites guard_tap.ini if S-TAP discovery is enabled and GIM "rc" is used
Solaris 11 server stopped likely due to Guardium S-TAP
Add db_ignore_response_resets_per_request parameter
In GIM Remote Activation, blank Collector IP parameter sends hostname to server
db_ignore_response parameter is not working for shared memory connection
Local build isn't working well, using the wrong objects on Ubuntu
Load Balancer Phase III (RTC 32496)
db_ignore_response_bypass_bytes should bypass s2c packet
merge_ini_file.sh appears to be using high amounts of CPU
Solaris 11.2 stops
Add timestamp to S-TAP logs info into Sniffer log
Add support for SSL encryption monitoring for PostgreSQL database
Add support to monitor encrypted data for Sybase IQ databases
Enhancements to the classic monitor
KTAP setting that enables close fitting module is not preserved during live update
KTAP would not attempt to build on Ubuntu Linux kernel version
Add identifier to traffic sent from S-TAP to Guardium system
Update swidtag file
AIX stop caused by aix_ktap
Suppress Super Prune messages
Near real time alerting for KTAP not loading

KTAP will not load after reboot for SuSe 12 and Redhat 7 (system with systemd)
GIM OS upgrade not changing bundle file names properly
Live upgrade from v9 to v10.1 is not working for Sybase iocp
S-TAP need to disallow spaces in tap_identifier
Change default behavior for S-TAP statistics to be sent once per hour due to ATAP enhancement
HP-UX servers hang on boot with GIM installation
Load balancer should ignore S-TAPs of type FAM_Agent (FAM crawler)
Change Kerberos plugin to dynamically load libgssapi
On Linux platforms Sybase IQ 16 TLS traffic only captured using Fips
S-TAP Discovery does not parse empty parentheses correctly
GIM installations failed if DNS resolves hostname to both IPV6 and IPV4 but IPV6 connection not available
Sybase 15,16 and sybiq 16 SSL instance with ATAP don't capture exception
Fix UID chain for DB2 TCP on Unix
S-TAP Discovery should create one Inspection Engine per DB HOME
S-TAP discovery stopping on HPUX at startup
S-TAP discovery not finding DB2 TCP ports if DB2 is using a sub process for the listener
Tomcat's server.xml GIM misconfiguration resulting in high CPU on Guardium system
S-TAP discovery not finding a user's home if the user we found is of the form "+<uid>"
S-TAP memory leak for Sybase Kerberos connections
Informix shared memory sessions are not getting closed on HPUX
GIM overloads the collector (Java + Mysql CPU) on loaded sites
GIM clients turning red with Dynamic alive if Guardium system is loaded
S-TAP discovery not recognizing properly ports for Oracle 12 environments
S-TAP discovery should not use ipv6 for Inspection Engine settings
S-TAP Discovery should not set connect to IP where Solaris environment does not have slave zones.

S-TAP Discovery is not populating values for unix_domain_socket_marker in RAC environments
Changing Main Threads higher than acceptable number for Guardium Hosts to S-TAP configuration from the GUI corrupting initial config file
Local build for kernel versions >= 3.19 fails
Shell S-TAP upgrade fails complaining about ATAP
S-TAP may stop using TLS when reconnecting to Collector
GIM Server needs the source of unrecognized messages
GIM server (on CM) should not verify source Guardium system when uploading kernel
S-TAP Load Balancer: load_balancer_ip and number for managed units need to be added to update_s-tap_config grdapi
S-TAP Load Balancer: document that Load balancer and F5 do not work together
Add force install option for non-interactive S-TAP shell installer
GIM's configuration file restore doesn't work
When uninstalling GIM client, get core file
INFORMIX_EXIT and DB2_exit do not pick up tap_identifier in GDM_SESSION.INSP_ENGINE_NAME
Running diag stopped
Need to add ATAP statistics to report S-TAP statistics in GUI
Memory leak due to upload diag
S-TAP will not start after installing S-TAP on Redhat 7.1 little endian where Ktap is supported using flex loading
Scrub will not work for pre-existing session after live upgrade
Scrub(redact) not working with v9 S-TAP and 10.1 Sniffer
Upgrade S-TAP will complain about ATAP when lsof is not on the system
S-TAP with no Ktap on systemd servers (Redhat 7 and Suse12) will not run
Cannot specify non encrypted ports for ATAP Sybase
MongoDB does not restart after ATAP is activated

Links

Link to formal Guardium V10.1 product announcement
01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/9/760/ENUSJP /index.html&lang=en&request_locale=en

Online help available via Web
The online help is included in the Guardium v10.1 Knowledge Center on the Web at:
Search all the product information together at that site. The Knowledge center is updated more frequently than the embedded online help and is the most up-to-date source of information.

V10.1 Detailed Release Notes (June 2016)

Links to System requirements/ Technical requirements for v10.1
For a list of V10.1 databases and operating systems, go to:
V10.1 System Requirements (Platforms Supported) (June 2016) 64-bit V10.1 Software Appliance Technical Requirements (June 2016) 64-bit V10.1 S-TAP filenames and MD5Sums (June 2016)

V10.1 and Developerworks

For more information, see the Guardium V10.1 articles on IBM Developerworks:
nityuuid=432a9382-b250-4e55-98d7-8e9ee6cbf90e
What's new in IBM Security Guardium V10.1 (Developerworks)
Analyze, adapt, and protect

June 03
IBM Guardium Version 10.1
Licensed Materials - Property of IBM. Copyright IBM Corp U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information (


More information

: Administration of Symantec Endpoint Protection 14 Exam

: Administration of Symantec Endpoint Protection 14 Exam 250-428: of Symantec Endpoint Protection 14 Exam Study Guide v. 2.2 Copyright 2017 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and Altiris are trademarks or registered trademarks

More information

Click to edit Master subtitle style

Click to edit Master subtitle style IBM InfoSphere Guardium for DB2 on z/os Technical Deep Dive Part Two One of a series of InfoSphere Guardium Technical Talks Ernie Mancill Executive IT Specialist Click to edit Master subtitle style Logistics

More information

C Number: C Passing Score: 800 Time Limit: 120 min File Version: 5.0. IBM C Questions & Answers

C Number: C Passing Score: 800 Time Limit: 120 min File Version: 5.0. IBM C Questions & Answers C2150-200 Number: C2150-200 Passing Score: 800 Time Limit: 120 min File Version: 5.0 http://www.gratisexam.com/ IBM C2150-200 Questions & Answers IBM Security Systems SiteProtector V3.0 - Implementation

More information

Getting Started with Intellicus. Version: 16.0

Getting Started with Intellicus. Version: 16.0 Getting Started with Intellicus Version: 16.0 Copyright 2016 Intellicus Technologies This document and its content is copyrighted material of Intellicus Technologies. The content may not be copied or derived

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.82-8.1.3.100 Manager-M-series Release Notes Network Security Platform 8.1 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product

More information

DB2 Warehouse Manager for OS/390 and z/os White Paper

DB2 Warehouse Manager for OS/390 and z/os White Paper DB2 Warehouse Manager for OS/390 and z/os White Paper By Sarah Ellis and Cathy Drummond October 2001 Copyright IBM Corp. 2001. All Rights Reserved. US Government Users Restricted Rights - Use, duplication

More information

WhatsConfigured for WhatsUp Gold 2016 User Guide

WhatsConfigured for WhatsUp Gold 2016 User Guide WhatsConfigured for WhatsUp Gold 2016 User Guide Contents Welcome to WhatsConfigured 1 What is WhatsConfigured? 1 Finding more information and updates 1 Sending feedback 2 Deploying WhatsConfigured 3 STEP

More information

Central Administration Console Installation and User's Guide

Central Administration Console Installation and User's Guide IBM Tivoli Storage Manager FastBack for Workstations Version 7.1 Central Administration Console Installation and User's Guide SC27-2808-03 IBM Tivoli Storage Manager FastBack for Workstations Version

More information

Forescout. Configuration Guide. Version 8.1

Forescout. Configuration Guide. Version 8.1 Forescout Version 8.1 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Firepower Management Center High Availability

Firepower Management Center High Availability The following topics describe how to configure Active/Standby high availability of Cisco Firepower Management Centers: About, on page 1 Establishing, on page 7 Viewing Status, on page 8 Configurations

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information

Installing SmartSense on HDP

Installing SmartSense on HDP 1 Installing SmartSense on HDP Date of Publish: 2018-07-12 http://docs.hortonworks.com Contents SmartSense installation... 3 SmartSense system requirements... 3 Operating system, JDK, and browser requirements...3

More information

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide The Privileged Appliance and Modules (TPAM) 1.0 Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

Interface Reference topics

Interface Reference topics McAfee Content Security Reporter 2.6.x Interface Reference Guide Interface Reference topics Edit Permission Set page (Permission Sets page) Specify Content Security Reporter permissions and grant user

More information

IBM Tivoli Storage Manager for AIX Version Installation Guide IBM

IBM Tivoli Storage Manager for AIX Version Installation Guide IBM IBM Tivoli Storage Manager for AIX Version 7.1.3 Installation Guide IBM IBM Tivoli Storage Manager for AIX Version 7.1.3 Installation Guide IBM Note: Before you use this information and the product it

More information

IBM Security Access Manager Version 9.0 October Product overview IBM

IBM Security Access Manager Version 9.0 October Product overview IBM IBM Security Access Manager Version 9.0 October 2015 Product overview IBM IBM Security Access Manager Version 9.0 October 2015 Product overview IBM ii IBM Security Access Manager Version 9.0 October 2015:

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.44-8.3.7.14 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Oracle Enterprise Communications Broker Release Notes. Release P-CZ2.2.0

Oracle Enterprise Communications Broker Release Notes. Release P-CZ2.2.0 Oracle Enterprise Communications Broker Release Notes Release P-CZ2.2.0 June 2018 Oracle Enterprise Communications Broker Release Notes, Release P-CZ2.2.0 Copyright 2014, 2018, Oracle and/or its affiliates.

More information

Connection Logging. About Connection Logging

Connection Logging. About Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: About, page 1 Strategies, page 2 Logging Decryptable Connections with SSL

More information

McAfee Database Security

McAfee Database Security McAfee Database Security Sagena Security Day 6 September 2012 September 20, 2012 Franz Hüll Senior Security Consultant Agenda Overview database security DB security from McAfee (Sentrigo) VMD McAfee Vulnerability

More information

OMi Management Pack for Microsoft SQL Server. Software Version: For the Operations Manager i for Linux and Windows operating systems.

OMi Management Pack for Microsoft SQL Server. Software Version: For the Operations Manager i for Linux and Windows operating systems. OMi Management Pack for Microsoft Software Version: 1.01 For the Operations Manager i for Linux and Windows operating systems User Guide Document Release Date: April 2017 Software Release Date: December

More information

ForeScout Extended Module for HPE ArcSight

ForeScout Extended Module for HPE ArcSight ForeScout Extended Module for HPE ArcSight Version 2.7.1 Table of Contents About the HPE ArcSight Integration... 4 Use Cases... 4 Send Endpoint Status, Compliance, or Property Changes from CounterACT to

More information

Intrusion Detection and Prevention Release Notes

Intrusion Detection and Prevention Release Notes Intrusion Detection and Prevention Release Notes Release 4.0r4 5-21-2007 Contents 1 Version Summary on page 2 2 New Features on page 2 3 Changes to Default Behavior on page 2 4 System Requirements on page

More information

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

ForeScout Extended Module for Bromium Secure Platform

ForeScout Extended Module for Bromium Secure Platform ForeScout Extended Module for Bromium Secure Platform Version 1.3.0 Table of Contents About the Bromium Integration... 3 Additional Bromium Secure Platform Documentation... 3 About This Module... 3 How

More information

ForeScout CounterACT. Configuration Guide. Version 1.2

ForeScout CounterACT. Configuration Guide. Version 1.2 ForeScout CounterACT Core Extensions Module: DNS Enforce Plugin Version 1.2 Table of Contents About the DNS Enforce Plugin... 3 What to Do... 4 Requirements... 4 Configure the Plugin... 4 Target IP...

More information

CounterACT Check Point Threat Prevention Module

CounterACT Check Point Threat Prevention Module CounterACT Check Point Threat Prevention Module Version 1.0.0 Table of Contents About the Check Point Threat Prevention Integration... 4 Use Cases... 4 Additional Check Point Threat Prevention Documentation...

More information