Description: InfoSphere Guardium GPU v9.5 (v9.0 patch 500)

Transcription

1 Release Notes ================ Product: IBM InfoSphere Guardium Release: v9.5 Version InfoSphere Guardium GPU v9.5 (v9.0 patch 500) Fix Completion Date: Description: InfoSphere Guardium GPU v9.5 (v9.0 patch 500) Finding the Fix/Patch ============================= This document is intended to provide a reference to the contents of this fix/patch. If applicable, the detailed description of each fix and instructions for applying this fix/patch are contained within the download package. The actual package is available for downloading from the IBM Fix Central web site at Make the following selections on Fix Central: Product Group: Information Management Product: InfoSphere Guardium Installed Version: 9.0/9.5 Platform: Heading: Linux Appliance Patch (GPU and Ad-hoc) Click "Continue", then select "Browse for fixes" and click "Continue" again. ============================= 1

2 Version 9.5 (GPU v9.0 patch 500) Release Notes Installation choices/upgrade/new installation To upload this patch, use the CLI command, fileserver In a slow network scenario, Guardium recommends the use of another CLI command, store system patch install scp. However, be mindful that using the CLI command, store system patch install scp, requires staging the patch on an FTP server. Note: The language pack is separate from GPU patch 500. V9.0 patch 500 (March 2015) supersedes V9.0 patch 300 (September 2014). Notes: 1. V9.0 patch 500 is available as a 32-bit and 64-bit patch from Fix Central. 2. The GPU installer will automatically perform a reboot after successful installation of the patch. Upgrade existing Guardium systems to version 9.0, patch 500 from any V9 release. Two paths for upgrade available - upgrade via patch or rebuild a new system using.iso (64-bit only). Upgrade IBM InfoSphere Guardium appliances in following required top-down order: 1. Central Manager 2. Aggregator 3. Collector 4. GIM agent 5. S-TAP agent Please make sure that each step in the sequence above successfully completed before proceeding to the next step. The upgrade process usually cannot be done simultaneously on all appliances (Central Manager, Aggregator, Collector and Managed Units) and all S-TAPs at the same time. During the upgrade transition, the customer will have a hybrid version of different v9.x Guardium systems. While this "hybrid mode" is supported by Guardium, many functions are limited until all components are at the same version (See the Known Limitations section in this document). Therefore, it is strongly recommended to complete the upgrade in a timely manner and have all Guardium components at the same version and the same patch level. 2

3 Choose the correct upgrade scenario: Upgrade an existing 32-bit Guardium system: download the 32-bit patch from Fix Central and apply it. Refer to the Upgrading section of the Guardium 9.0 Knowledge Center at 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.nex.igsec.doc/g95_welcome.html Upgrade an existing 32-bit Guardium system to a 64-bit Guardium system: (1) run system backup; (2) rebuild using the 64-bit.ISO image; and, (3) restore backup. Refer to the Upgrading section of the Guardium 9.0 Knowledge Center at 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.nex.igsec.doc/g95_welcome.html Install a new 32-bit Guardium system: download the 32-bit image from Passport Advantage. The file includes the 32-bit V9.0 image and patch 500. Install the image on the 32-bit hardware and then apply patch 500. Refer to the Installing and Upgrading section of the Guardium 9.0 Knowledge Center at 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.nex.igsec.doc/g95_welcome.html Install a new 64-bit Guardium system: download the 64-bit image from Passport Advantage. The image contains the 64-bit V9.0 product. Install the.iso image on the 64-bit hardware. Refer to the Installing section of the Guardium 9.0 Knowledge Center at 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.nex.igsec.doc/g95_welcome.html Health check patch dependency Health check patch 9997 must be installed before installing the v9.0 patch 500 (32-bit or 64- bit). The upgrade patch will not install without FIRST installing the Health Check patch. The name of this file is SqlGuard-9.0p9997.tgz.enc. The latest version of health check patch must be older than March 13, Note: Health check patch 9997 installed for a earlier GPU (for example, v9.0 patch 300) needs to be installed again for v9.0 patch 500 (make sure to download and install the latest version of Health check patch 9997 prior to running GPU patch). The latest version of health check patch must be older than March 13,

4 For further information on health check patch 9997, refer to Central Manager and SSLv3 behavior with v9.5 (patch 500) Guardium and SSLv3 protocol vulnerability POODLE ("Padding Oracle On Downgraded Legacy Encryption") is a SSLv3 protocol vulnerability. It allows attackers to downgrade SSL/TLS protocol to version SSLv3, and then break the cryptographic security (for example, decrypt the traffic, hijack sessions, etc.) The vulnerability is detailed in Java Advisory 2311 and Oct 2014 CPU for Java including CVE , SSLv3 POODLE Attack. Vulnerable Guardium products: GPU versions prior to 9.0p500, 32-bit and 64-bit (for example, GPU p300, 32-bit and 64-bit) Vulnerable components: RedHat OpenSSL library, Java 6, Tomcat Server configuration If conditions Upgrade GPU Upgrade managed units (MU) SSLv3 disabled Upgrade Central Manager (CM) If SSLv3 enabled, keep enabled If SSLv3 disabled, keep disabled.iso installation, with the unit type of Manager Managed units SSLv3 disabled Central Manager SSLv3 enabled Backup Central Manager If SSLv3 enabled, keep enabled If SSLv3 disabled, keep disabled Notes: 1. Guardium recommends that SSLv3 be disabled. 2. However, in dealing with older versions that do not have patch 500 installed, if SSLv3 is disabled, the Central Management functionality will be impaired between the Central Manager and the managed units. 4

5 3. To ensure connectivity and limited downtime, the actions listed above will enable SSLv3. Recommendation - After all systems are patched to v9.0 patch 500, then run the CLI command, store sslv3 off 4. To see if SSLv3 is enabled, run the CLI command, show sslv3. 5. When switching from backup Central Manager to primary Central Manager, SSLv3 will be enabled from the source. The following screenshot displays a system message on SSLv3 enabled or disabled. 5

6 New Features and Enhancements Quick Search enhancement - Investigation Dashboard The search functionality in V9.5 is using Solr instead of Lucene for underlying search engine. This engine change may consume extra memory. A new Investigation Dashboard can be used help reveal patterns, anomalies, and relationships across your data. The dashboard provides interrelated charts for data source-to-user behavior, data source-by-time behavior, data source-to-source program behavior, and other essential relationships. From this default view, you can focus on any specific context (such as a specific data source, user, or date) and all other views refocus around that selected context. Note: Change from previous release of Quick Search -Violation details are now truncated at 30 characters in Quick Search results. For more information, see the help topic in the application, 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.guardium95.doc/common_tools/topics/en terprise_search.html 6

7 Memory requirements for Quick Search Important: In a managed environment, if the Quick Search engine on CM is not enabled, QS will not run. Central Manager 32-bit Pre-v9.5 QS not supported on CM QS disabled by default 64-bit Pre-v9.5 QS not supported on pre-v9.5 CM QS disabled by default, both engine and interface v9.5 v9.5 QS not supported on CM QS disabled by default Quick Search supported only on v9.5 CM QS supported if 24 GB, 4-core CPU (enforced minimum) QS not supported if RAM is <24 GB or <4-cores CPU QS engine enabled by default QS interface disabled by default Managed Unit Pre-v9.5 Pre-v9.5 QS disabled by default Quick Search - minimum 16 GB (24 GB recommended) v9.5 v9.5 QS engine and interface enabled by default QS disabled by default QS supported if 24 GB, 4-core CPU (enforced minimum) QS engine enabled by default Note: QS interface enabled by default QS not supported if RAM is <24 GB or <4-cores CPU QS engine disabled by default QS interface disabled by default 1. On an upgrade, if a customer has Quick Search enabled pre-v9.5 and the v9.5 memory requirements are not met (24 GB of RAM, 4-cores CPU) for v9.5, the Guardium system will continue to run Quick Search using the older Lucene engine. 7

8 New installation, v9.5 Collector - The Solr search engine will be enabled if the Guardium system, on a collector, if the Guardium system meets the v9.5 requirements of - 24 GB RAM, 64-bit, 4-core CPUs. There is no support for search interface on aggregators or central managers. Upgrade, v9.5 Collector: If the older Quick Search is enabled and the Guardium system meets the minimum v9.5 requirements, see the instructions below on how to switch to the newer engine. The switch from the older search engine to new Solr search engine happens for the amount of days defined in the retention period. The indexing will be done on both engines until there are enough days to meet the number of days defined in the retention period and will then switch to the new Solr index solely. Guardium recommends avoiding heavy processing during this time. There is no support for search interface on aggregators or central managers. Quick Search expected behavior 1. ISO installation, 64-bit system, 24-GB, 4-core CPU (meets requirements) - enabled by default for collector, disabled by default for Central Manager/ Aggregator. 2. ISO installation, 64-bit system, 16-GB, 4 core CPU (does not meet requirements) - Quick Start is disabled. 3. Upgrade from v9.0p300 to v9.5p500, 64-bit system, 16 GB, 4 cores, Quick Start already enabled - remains enabled with the old engine. Switch to new Solr by adding more RAM and then run restart network in a managed environment, starting with Central Manager and then on the managed units. 4. Upgrade from v9.0p300 to v9.5p500, 64-bit system, 24 GB, 4 core CPU, Quick Start already enabled. However, enabled with old Lucene engine. Run restart network in a managed environment, starting with Central Manager and then on the managed units. 5. Upgrade from v9.0p300 to v9.5p500, 64-bit system, 16 GB, 4 core CPU, Quick Start disabled - remains disabled. 6. Upgrade from v9.0p300 to v9.5p500, 64-bit system, 24 GB, 4 core CPU, Quick Start disabled - remains disabled. Run restart network in a managed environment, starting with Central Manager and then on the managed units. 7. To turn Quick Search off for entire environment, run the following CLI command: On Central Manager, use the CLI command, grdapi disable_quick_search all=true On standalone, use the CLI command, grdapi disable_quick_search 8

9 S-TAP load balancer (for new S-TAP installations) S-TAP load balancing currently supports a one-time allocation of managed units to S-TAPs during a new S-TAP installation. This can help ease the burden on administrators who must currently maintain their own tracking of managed unit load. The S-TAP Load Balancer on the Central Manager maintains a load map of all the managed units in the site and, upon request from a new S-TAP installation, allocates a designated managed unit to each of the requesting S-TAP processes. The balancer periodically recalculates the load on all managed units so that it has relatively current data to use in its allocation of managed units. The load balancer provides the capability for administrators to control managed unit allocation by using groups and can be controlled by the GUI and from a GuardAPI command. To use the load balancer, set the sqlguard_ip installer parameters to the Central Manager IP address. No new parameters or special configuration is needed. The S-TAP Load Balancer automates the process of finding an available managed unit for an S- TAP or group of S-TAPs to connect to. It also periodically collects load information and maintains a load map of all the managed units in the site. The S-TAP Load Balancer process runs on the Central Manager, accepts S-TAP requests, and responds with the most available managed unit that it finds. You must put the S-TAPs or managed units into groups to use the S-TAP Load Balancer. Use the GuardAPI or the GUI to control the S-TAP Load Balancer and define the properties of the load balancer. The S-TAP Load Balancer scans the load of all managed units upon initialization. The default check interval is 1 hour ratio per 10 managed units if the Dynamic Load Check Interval is enabled. If the Dynamic Load Check Interval is disabled, the default check interval is 720 minutes and can be changed using the GuardAPI command grdapi set_stap_load_balancer_param paramname=mu_load_check_interval paramvalue=<param value> where <param value> is a positive number represented as minutes. The load information is drawn from the CM_SNIFFER_BUFFER_USAGE and S-TAP INFO report. CM_SNIFFER_BUFFER_USAGE: detects the load level on each managed unit. STAP_INFO: detects how many S-TAPs are connected to each managed unit. 9

10 For more information, see the help topic in the application, 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.guardium95.doc/stap/topics/stap_load_di stributor.html Outlier Detection enhancement Outlier detection provides anomaly detection algorithms for the early identification of attacks or potential failures during operation. This is done by modeling the normal patterns of database activity based on history data and analyzing new activities as they accumulate. This solution provides Guardium users a way to secure datasources in a "Manage By Exception" manner as opposed to monitoring and tracking huge amounts of normal and repeating activities. For more information, see the help topic in the application, 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.guardium95.doc/common_tools/topics/ou tliers_detection.html 10

11 Add parameter to control use of custom KTAP modules distribution via GIM GUI Name: GIM_ALLOW_CUSTOM_BUNDLES Valid values: '1' - allow custom bundles installations. '0' - Reject custom bundle installations Default value: During GIM scratch installation (DB server) - User can specify a new optional installation parameter, --install_custom_bundles. If specified, custom bundles installations (for example, custom bundle STAP) will be allowed (GIM_ALLOW_CUSTOMED_BUNDLES will be set to '1') on that DB server. Otherwise won't be allowed (GIM_ALLOW_CUSTOMED_BUNDLES will be set to '0'). During GIM upgrade (via GIM GUI) from a GIM version that did NOT have this parameter - Default value will be '1' (in order not to disable this functionality for customers that might have been using this feature until now). * This parameter can be set to either '1' or '0' when using the configurator utility on the DB server. * This parameter cannot be set to '1' from the GUI if the previous value is '0'. Note: This functionality will be checked during installation time (on the DB server) and NOT while you are assigning or scheduling a bundle installation or a parameter update (like all the other params are validated). Affected features: BUNDLE-GIM, configurator.sh, consolidated installer 11

12 Distributed Reports Target System General Description The Distributed Report feature distributes the query request to the specified Guardium systems, it gathers the data into the Target system, consolidates the results and provides views on the consolidated results. The results are available via the Query Builder for additional queries definition. The Distributed Report feature enables setting the Target system to any Guardium system. The previous version does not allow setting the Target system and it always goes to the Central Manager (CM). Requirement justification In many cases the CM is overloaded (regardless of the Distributed Report) and the CM is sometime used as an Aggregator which adds additional load to the CM. In those cases, customers may wish to set up their own system to use for distributed reporting. Solution A target System can be set for each scheduled distributed report. A CLI command is available to set the optional Target systems. The list set via the CLI is shown in the Distributed Report Builder GUI. Important: This enhancement is only for scheduled distributed reports. It does not apply to ad-hoc distributed reports, which are accessible via the CM only. The distributed report definition is still editable via the CM only. GUI Change A new field "Send Data To" is added to the Distributed Report Builder screen to enable the user to set the target System(s) (either Collector(s) or Aggregator(s)) for the Distributed Report. This field is relevant only in case of Scheduled Mode (otherwise, it is disabled). The default is set to the CM. The list of available Target Systems is limited to the Systems that were set via the CLI (see CLI list below). The Distributed Report definition is editable via the CM and View-Only via the target. The "Add To Pane" of the report (adding the report viewer to the menu) is available from the definition screen on the Target System and CM. 12

13 This option is available on CM even if the CM is not the Target System for that report. It's done to give a possibility to view Distributed Status report on CM but no data will be displayed in the report itself. CLI commands (available via the CM only) 1. Set System as a Target System grdapi set_distributed_report_target target_host_name=[unit host name] 2. Cancel System to be a Target system grdapi cancel_distributed_report_target target_host_name=[unit host name] If there are still distributed reports with this unit as target then returns error and the list of such reports 3. Get list of Target system grdapi get_distributed_report_target_info Notes: This patch must be installed on Central Manager and all affected managed units to be effective. 13

14 Vulnerability Assessment and HALT There are two features that will address the HALT (stop) issues and allow the security assessment to continue running with next tests and datasources rather than HALT and give up. Note these two enhancements are only relevant to VA tests that are created by using the querybased builder. Query-based test created by Guardium are tested within the 2000 ID test range. For customer created, the test ID is >= Enhancement number one, when a test take more than 10 minutes to execute, it will error with timeout message specific to the DBMS type driver. This feature is enabled by default at 10 minutes and can be adjust to users need. Guardium does not recommend setting this parameter more than 30 minutes. CLI-related commands are: show va query_timeout store va query_timeout off store va query_timeout on <min> Enhancement number two, a specific VA test could return so many violations that when sending such information for VA to process, it cause a JAVA memory issue and eventually causes the assessment to HALT. The limit on detail at the JDBC mechanism level is 20,000 rows as output per test. By default this feature is enabled at 20,000 rows limit and the user has the ability to disable this feature or change the default to a smaller or larger number. CLI-related commands are: show va max_detail store va max_detail off store va max_detail on <num> Known issues PostgreSQL DBMS is not supported for this feature. Netezza works with the timeout feature. However, the limit test output by the rows does not work due to current JDBC driver. Informix, timeout per query feature is not supported. DB2 z/os supports both of these features. However if a customer wrote a custom query based test and use FETCH FIRST ## ROWS ONLY in their query along with UNION clause, then it will ignore the limit put by customer query and use what is enforce at the mechanism level. 14

15 In the results, if the facets query is too slow, the UI does not refresh the facets section with empty results. The UI leaves the results of the former query. Refresh the facets section to get the latest results. New database release levels supported in v9.5 Hortonworks HDP 2.2 is supported in v9.5. Greenplum DB 4.3 is supported in v9.5. MongoDB 2.6 is supported in v9.1 and v9.5. Central Manager/Aggregator enforcement Starting with v9.5 (v9.0 patch 500), the application will enforce that a Central Manager has to be an Aggregator-type appliance. This would mean that starting with v9.5, only aggregator-type appliances would be promotable to the Central Manager appliance. Note: existing pre-v9.5 CM appliances are not subject to this change. New Driver, Windows Filtering Platform driver (WfpMonitor) for Windows S-TAP Besides TDI drivers (LHmonProxy/LHmon), there is a new option to use Windows Filtering Platform driver (WfpMonitor) To enable the new driver wfpmonitor, install Windows S-TAP through GIM using GIM parameter START=1 LHMON=0 WFP=1 15

16 Known Issues and Limitations 1. Postgres on Solaris 11 with zones is not supported in this release, due to zone configuration not allowing access from master to slave zones in some directories. 2. The GuardAPI command, gim_update_clients_param cannot be executed on managed units from the Central Manager. As of v9.0 p150, the Central Manager and the managed units are managing different GIM clients. As far as GIM clients are concerned, the Central Manager and managed units are standalone machines. 3. GIM processes are not restarting when manually killed on Solaris servers with SVC. Do not use the kill command as it will cause unexpected behavior for GIM. 4. DB server using kshell cannot be accessed on Solaris 11 after enabling encryption box. In an instance using a Solaris 11 server, kshell and enabling ATAP encryption, a connection to the database server could not be made. This issue is fixed in v9.5. However if the user wants to run live upgrade to v9.5, instead of reinstalling the S-TAP, this issue will persist until the database server is rebooted. 5. The count column in the Quick Search Investigative dashboard is always blank. It should have the same value as total instances. 6. In Quick Search, the following error message may be displayed: ERROR :39:26.115; org.apache.solr.core.corecontainer; CoreContainer was not shutdown prior to finalize(), indicates a bug -- POSSIBLE RESOURCE LEAK This happens when the GUI is restarted, and the Solr engine was not shut down cleanly. It has no effect on Quick Search functionality. 7. When working in a mixed environment (for example, Central Manager is at V9.5 level, but managed units are not yet at v9.5 level), re-installation of existing patches on managed unit systems will not update the date field value. However this does not affect the actual patch installation process. Status of the installation and installation logs are updated as expected. 8. Cannot activate ATAP on Sybase SSL 15.5 on AIX 7, problem with preloading libraries with dataserver - The problem can happen in the following scenarios: When activating ATAP module via guardctl utility to decrypt Sybase SSL traffic and log it into the Guardium appliance via guardctl utility or When activating ATAP module via encryption box during configuration of the inspection engine to decrypt Sybase SSL traffic and log it into the Guardium appliance. For a Guardium alert on this subject, use this external web link, 16

17 9. Restore of the system backup from Guardium v8.2/v9.0 (32-bit) system to v9.5 (64-bit) system could cause operational issues. Issue is under investigation and fix will be released in an ad-hoc patch. (Bugs 45520, 45562, 45568) 10. v9.5 SNMP v2c upgrade causes the "View Unit SNMP attributes" and "Distributed Monitor" functionalities of the Central Manager portal to timeout. Issue is under investigation and fix will be released in an ad-hoc patch. 17

18 Language Pack SqlGuard-9.0p1075_Language_Update_GPU_500 Separate versions for 32-bit and 64-bit SqlGuard-9.0p1075_Language_Update_GPU_500_32-bit.tgz.enc SqlGuard-9.0p1075_Language_Update_GPU_500_64-bit.tgz.enc The language pack is separate from GPU 500. There are changes to some of the JAR files to enable them to be translated. Therefore, the language pack contains some updated JAR files. Since these may conflict with newer versions of the JAR files in later patches (for example, after GPU patch 500), it is important that Guardium users install the language pack before installing any other patches on a system that has GPU patch 500 or the v9.0 ISO. If Guardium users install the language pack after the other patches, they may need to re-install the other patches. On a non-english Guardium system, the language pack must be installed before upgrading to GPU patch 500. Note: The language pack is not needed to install GPU patch 500 on an English Guardium system, but the language pack must be installed on a non-english Guardium system. Question #1: Should V9.0 patch 500 be applied again after the language pack is installed? Answer: No, do not apply V9.0 patch 500 twice. If upgrading a Guardium English system with v9.0 GPU patch 500, install the GPU, then install the language pack, and then run the CLI command, store language, to change the language on what was previously a Guardium English system. On a Guardium non-english system, the language pack must be installed before the GPU. Question #2: Is the language pack dependent on installing the Health Check patch 9997? Answer: No, the language pack is NOT dependent on first installing the Health Check patch

19 Question #3: What happens if a user installs GPU patch 500 before the language pack on a non- English system? Answer: V9.0/9.5 GPU patch 500 will not install on a non-english system that does not have the language pack installed beforehand. Security updates included in V9.5 release Patch name bug # Popular name p9.0p Fix for CVE , CVE , CVE and CVE p9.0p Fix for CVE p 9.0p Upgrade OpenSSL for RHEL5 p9.0p9501/ p9.0p POODLE attack POODLE ("Padding Oracle On Downgraded Legacy Encryption") is a SSL v3 protocol vulnerability. It allows attackers to downgrade SSL/TLS protocol to version SSL v3, and then break the cryptographic security (for example, decrypt the traffic, hijack sessions, etc.) The vulnerability is detailed in Java Advisory 2311 and Oct 2014 CPU for Java including CVE , SSLv3 POODLE Attack. p9.0p Fixes MS-SQL Server CVE tests where "Not/ Applicable for the DB version" reported when actual test grade should be Pass or Fail. p9.0p Implement blacklist featured so that certain components be disabled which will mitigate STIG vulnerability findings p9.0p Vulnerability in Oracle MySQL Server related to the SERVER:CHARACTER SETS component could allow a remote attacker to cause a denial of service. p9.0p GNU C library (glibc) vulnerability (CVE ) P9.0p NTP (Network Time Protocol) vulnerability 19

20 Guardium Patch Update (GPU) 9.0 p500 patches/ bugs fixed Appliance Patch (Fixcentral heading) Includes patches: 200, 300, 241, 242, 243, 244, 245, 1061, 1063, 246, 247, 248, 249, 250, 1066, 301, 251, 303, 1068, 304, 305, 252, 306, 307, 308, 253, 309, 254, 255, 1069, 310, 312, 313, 314, 315, 316, 317, 318, 256, 319, 320, 321, 1070, 322, 1071, 323, 324, 325, 326, 327, 328, 5003, 329, 330, 331, 332, 1072, 257, 1073, 333, 1074, 335, 336, 337, 338, 339, 340, 1076, 5051, 258, 259, 341, 1077, 1078, 342 CVE: 1061, 1063, 6000, , 311, 6003, 6004, 6005, 6006 (see table on previous page) Sniffer Update: 1057, 1058, 1060, 1062, 1064, 1067, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 4007, 4008, 4009, 4010, 4011, 4012, 4014, 4015, 4016, 4017, 4018, 4019, 4020, 4021, 4022, 4024 Fix # Ad-hoc patch# Guardium Bug# Description of Fix Policy installation, importing policies with hierarchical groups Parameter handling to prevent cross site scripting vulnerabilities GDM_ERROR table. Add CLI commands, show log_in_error, store log_in_error Change IP aliasing to use one query instead of several queries so as to not run out of memory on large datasets / Distributed Report UI enhancement / / Fix Sniffer restart and sniffer stuck on DB2, z/os / 42008/ 42011/ 42168/ 40520/ 40262/ Outer-join and meta-data Fix SQL generator outer join when same table appears as dominant table and as outer join Central Manager patch selection performance Change to loop on patch distribution screen, change alias caching to be refreshing from local Add MySQL commands to CLI - support show innodb-status 20

21 Fix # Ad-hoc patch# Guardium Bug# Description of Fix / 301/ Fix GuardAPI command, grdapi update_stap_config Add Linux LDAPsearch tool for LDAP diagnostics / Fix instance when running full System backup from the GUI, config backup completes successfully but DATA backup does not even start. Central Manager GUI. Replace the GuardPooledDatasourceFactory.class file Distributed report UI changes Add script to disable quick search for Aggregators and Central Managers. Fix Central Manager redundancy issues - typo, overwritten certificate, restart Fix instance of failure to import users using LDAP over SSL / / Outer-join and meta-data Fix SQL generator outer join when same table appears as dominant table and as outer join. Fix instance of LDAP certificates NOT pushed as part of Authentication configuration. Change the label on Data Mart Extraction Job error messages from ERROR to WARNING. Fix instance of Purge Object settings not getting exported for Datamart tables. Increase length of regular expressions beyond 255 character limit for classifier. Quick Search - update DM_HEADER set ACTIVE_FLAG=1 where DM_HEADER_ID in (1,2,3,16), so quick search can extract data Change database setup per outliers user feedback Change the setting of UserSyncJob so it runs only on Central Manager. Use CLI command, delete unit type manager, to clear MANAGED_UNIT table. 21

22 Fix # Ad-hoc patch# Guardium Bug# Description of Fix Fix instance of GuardAPI command not moving S-TAP as requested. Use grdapi update_stap_config staphost= updatevalue=sqlguard_0.sqlguard_ip: Fix instance where task parameter values are incorrect for imported audit process Use same subs_certificate module across all releases Fix instance where an audit task CSV cannot be sent if the label of the audit task is more than 38 characters. Fix instance where LDAP certificate is activated successfully, but the certificate is not pushed from the Central Manager to the Managed Unit Fix CLI command, Show slow_log Fix instance where system backup cannot be sent Windows IIS FTP server via virtual hostname Change S-TAP snapshot upload file directory to /var/log/guard Change policy installation to use local groups when possible When installing a policy with groups, a Guardium mechanism will check if the groups on a managed unit are in synch with the groups on the Central Manager. If the groups in question are out of synch with the Central Manager, then the mechanism will fetch the groups from the Central Manager and use them when installing the policy. This mechanism has significant performance changes when a policy installed with local groups (in-synch) or after fetching them from Central Manager (out of synch) Add "Flat Log Requests" to Buffer Usage Monitor Report Time zone data update for Russian time zone changes Export/import QUERY_HINTS with the query / Allow index additions to DATAMART/ Distributed reports Aggregator, comment flush tables Add backup Central Manager patch level check for Central Manager Redundancy and ignore patches installed prior to than latest GPU. 22

23 Fix # Ad-hoc patch# Guardium Bug# Description of Fix Update Group Builder such that when a group is used by policy builder, it cannot be deleted. Add Client Hostname and Server hostname columns to tables ACCESS_RULE and GDM_INSTALLED_POLICY_RULE. SSL Server and Anonymous Authentication Vulnerability Only permit FIPS-mode ciphers for CAS socket Fix the way list of InnoDB tables is retrieved when REMOTE SOURCE is defined on a managed aggregator. Fix instance where SAP application user translation is not working on iseries7.1. Flatten hierarchical groups - Fix instance where the export was failing to add members of hierarchical group to the export file in certain circumstances. Central Manager patch timestamp - Fix instance where patch mechanism using the incorrect time for scheduled patches / Detailed Enterprise S-TAP view report - Fix SQL to remove Union script for patches / / Purge and aggregation Change the engine for DISTRIBUTED_DATAMART_STATUS table InnoDB / Fix instance where Sniffer Buffer Usage script is reporting Analyzer Total Packets as ALP. Differentiate analyzer_load_packet and analyzer_lost_packet Fix drill down from Quick Search SERVER_HOST_NAME and SERVER_IP are NOT interchangeable Fix instance where patch backup and encrypt must gather output from Global Profile settings are not pushed down to managed units from Central Manager. Fix instance where custom query is invalid when using outer join in custom domain Improve performance of Purge function. 23

24 Fix # Ad-hoc patch# Guardium Bug# Description of Fix Update X3550 M4 firmware for network interface lights iseries - fix instance where change of SYSAUDIT_Status stored procedure breaks custom upload if DB2 for i status custom upload. Add the flat log column to buffer usage monitor report and show the right number. Add flat_log_requests to snif_buf_usage Correct CLI command, import file for TSM backup files MSSQL Advanced Verification datasources were showing even before installing patch. Issue was only with Oracle Correct export failure with SCP error: "error closing pipe" Fix instance where "Report Builder" menu is replaced by "Distributed Report Builder. SCP key pair authentication - Fix instance were Archive/backup is broken when using key pair authentication. 24

25 ATAP, KTAP, S-TAP bugs fixed Database Agent (Fixcentral heading) Linux Bug Description Port back the log rotation feature for guard_monitor Port Load Balancer UNIX S-TAP changes Fix instance of guard_ktap_hash prune not working Add support for Debian server using existing Ubuntu installers GIM BUNDLE-STAP installation or upgrade should not remove "guardium" user if this user is present on the system prior install or upgrade Update software tag file in UNIX Update software tag file in GIM Control use of custom KTAP modules distribution via GIM GUI Add new functionality for guardctl to activate ATAP with libs in non default location Firewall will not work for ATAP on Linux kernels less than "LOGIN_FAILED" does not log for Sybase IQ shared memory on Linux platforms GIM Discovery module not working for Postgres database on all Linux platforms S-TAP doesn't capture traffic with active ATAP for Sybase 15 SSL on SuSE Fix instance of Ktap crashes with ATAP and firewall default enabled Correct wrong identification for IPV6 sockets in Sybase IQ Discovery: Postgres is not being discovered on zones ATAP: not detecting correct patch number for Sybase SSL Decrypt Sybase login packets via ATAP using the library provided by SAP Fix instance of kernel panic reboot due to KTAP error AIX STAP Exit routine filling DB2 Diag log Fix instance of Solaris kernel panic potentially caused by KTAP Need to Revise Solaris S-TAP installation to check if CA is on the system. 25

26 Bug Description Correct repeated KTAP errors in syslog Fix instance of S-TAP crashes after stopping DB on local zone Fix instance of Database Node restart as a result of Inspection Engine DB2 exit packet > 64K is not logged. Notes Since live upgrade is supported through the installer itself, there is no need for the "guardstap-update" script and it is no longer included. To support ATAP on Teradata, you will need to install the SqlGuard-9.0p4014 patch, or later, on the collector. To be able to work with STAP load balancer feature, the Central Manager must be installed with v9.0 patch 500. Ubuntu 14 installer is not part of Linux S-TAP meta-installer script. 26

27 Window S-TAP bug fixes Database Agent (Fixcentral heading) Windows Fix instance where stopping S-TAP through GIM parameter update is not working Fix instance where Windows S-TAP impacts I/O time on SQL Server (slows down database reads) Fix LHMON driver issues Fix instance where WFP crashes system when Flow Delete is invoked twice for same flow handle Fix instance where large session count w/ WFP driver causes session timeouts Fix instance where LHMON Driver doesn't deliver TDI_EVT_CLOSE event to S- TAP Fix instance of WFP Driver crashing system in ImageLoad routine Fix WFP Driver crashing system when UNICODE scrubs are enabled Fix Firewall attach failure for named pipe traffic. 27

28 Documentation Bugs fixed in this release v9.5 (v9.0 patch 500) Bug number Description of fix Add database server reboot requirements to S-TAP help book Add details on how to activate ATAP for Teradata Fix CSR and keystore CLI commands for GIM listener / How to proceed with KTAP live upgrade when CA etrust is on the same system and SEOS is active. Refer to this technote: CAS runs ONLY on 32 bit Java Update usage of CLI command, store license Change Alert templates in Global Message Profile in order to create REAL TIME alerts. Control appearance of Prefix subject with Guardium appliance name. Control appearance of subject in body. Add naming template parameter %%appliancehostname so Guardium users can add appliance hostname to Name Templates (any position subject or body). To accomplish this, use two fields in ADMINCONSOLE_PARAMETERS table: APPEND_APPLIANCENAME_SUBJECT APPEND_SUBJECT_IN_BODY Use the following CLI commands to control the content of these fields: show alerter append_name_subject store alerter append_name_subject show or store the flag to append the appliance name in subject 28

29 Bug number Description of fix show alerter append_subject_body store alerter append_subject_body show or store the flag to append subject in the beginning of the body Each time the value in CLI changes, it takes effect immediately on the outgoing s Add CLI command, support show open port, to detect whether ports are open or not Add CLI command, store certificate alias Use this command to store signed intermediate trusted certificate into keystore. This CLI command supports the CLI command, create csr alias, which allows the user to create an intermediate trusted certificate from scratch. Use both of these commands to create intermediate trusted certificates. These intermediate trusted certificates can then be used to sign other certificates, if required Update CLI command, store password expiration Knowledgecenter documentation updated to reflect correct UI paths for "Associate S-TAPs and Managed Units" and "S-TAP Load Balance Properties" tools. 29

30 Online help available via Web The online help is included in the Guardium 9.0/9.5 Knowledge Center on the Web at: 01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.nex.igsec.doc/g95_welcome.ht ml Search all the product information together at that site. The Knowledge center is updated more frequently than the embedded online help and is the most up-to-date source of information. Use this link to retrieve a list of all public URLs for V9.5 (v9.0 patch 500): Links to System requirements/ Technical requirements for v9.5 V9.5 System Requirements (Platforms Supported) (March 2015) 32-bit and 64-bit V9.5 Software Appliance Technical Requirements (March 2015) 32-bit and 64-bit New hardware configurations (6) V9.5 S-TAP filenames and MD5Sums (March 2015) March 25 IBM InfoSphere Guardium Version 9.5 Licensed Materials - Property of IBM. Copyright IBM Corp U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information ( 30