IBM InfoSphere Guardium Version 8.2

IBM InfoSphere Guardium 8.2 offers the most complete database protection solution for reducing risk, simplifying compliance and lowering audit cost. Version 8.2 contains many new and enhanced features touching every aspect of the IBM InfoSphere Guardium application: reports, System z support, improvements to the UNIX and Windows S-TAPs, the SharePoint S-TAP agent, sniffer enhancements, the addition of Traditional Chinese to the list of localized languages, system modifications that upgrade the Red Hat infrastructure, and upgrades to the Tomcat engine.

Major changes for this release

Mainframe support for DB2 S-TAP, IMS S-TAP and VSAM S-TAP for z/OS

The IBM InfoSphere Guardium S-TAP for z/OS solution collects and correlates data access information for DB2 on z/OS, VSAM on z/OS or IMS on z/OS to produce a comprehensive view of business activity for auditors.

- The IBM InfoSphere Guardium S-TAP for DB2 on z/OS captures DB2 on z/OS database traffic and forwards it to a Guardium appliance. Traffic captured by the S-TAP for z/OS is either forwarded directly to the Guardium appliance or, for IFI traffic that is written to data sets, imported into the Guardium appliance, where the standard real-time policies can be applied.
- IBM InfoSphere Guardium S-TAP for IMS on z/OS collects and correlates data access information from IMS Online regions, IMS batch jobs, IMS archived log data sets, and SMF records.
- IBM InfoSphere Guardium S-TAP for VSAM on z/OS provides access to VSAM data sets and security violations as recorded by SMF, and to data set operations performed against VSAM data sets, such as deletes or renames.

Policy push down (only for use with z/OS)

When the DB2 S-TAP for z/OS connects to the Guardium system, or when a policy is installed, the installed policy is sent from the Guardium system to the mainframe S-TAP. Installing a policy therefore triggers a policy push down to the agent on the mainframe collection profile. This applies only to access rules with a DB Type of DB2 Collection Profile or VSAM Collection Profile.
Oracle on System z support

Resolved issues with the extraction of information from Oracle traffic on IBM System z.

Capture/Replay functionality (offered as a beta program to customers who sign on to explore this new feature)

Added new Capture-Capture, Capture-Replay and Replay-Replay reports and GuardAPIs. GUI changes to the Inspection Engines, Policies and Replay Builder menus distinguish transactions and handle auto-commit schemes in different databases.

Support for Oracle PSU

Enhanced the Oracle CVE tests to detect Oracle CPU (Critical Patch Update) as well as PSU (Patch Set Update) patches, properly checking which patches customers have applied to their databases.

Improved session memory

For Sybase and SQL Server, reduced the memory allocated for sessions that use bind variables.

New GuardAPIs for Vulnerability Assessment maintenance

GuardAPI commands to add, delete and update a Security Assessment definition; add or delete a datasource from an existing Security Assessment; and add or delete tests from an existing Security Assessment (bug 24193).

Vulnerability Assessment tests for z/OS

For DB2, added VA tests that check whether unauthorized users hold the ACCESSCTRL, CREATE_SECURE_OBJECT, DATAACCESS, EXPLAIN, SDBADM or SQLADM privilege.

New Inspection Engine type

A new Inspection Engine type, "IGNORE" (Exclude IE in the GUI, IGNORE in the CLI), has been added. When chosen, a port range can be designated so that traffic between the specified clients and servers is ignored.

S-TAP certification

Use this admin function to block unauthorized S-TAPs from connecting to the Guardium appliance.
Modifications and enhancements to Classifier

- Added data level security.
- Added the ability to group rules together with a "Fire only with" marker: all rules with the same marker fire together and have their actions invoked, or none of them fire.
- Added a new evaluation name for rules that corresponds to a custom algorithm (a Java class) that can be uploaded and used to evaluate strings. Custom evaluations are uploaded through Administration Console -> Custom Classes -> Custom Evaluations -> Update.
- Added the Hit Percentage field, the percentage of matching data that must be reached for the rule to fire. Data is returned if the percentage of the examined data that matches is greater than or equal to (>=) the percentage entered. An empty entry means this is not a condition and does not affect whether the rule fires and returns data to the view screen; a percentage of 0 causes the rule to fire for this condition and return data to the view screen; a percentage of 100 requires that all examined data match.
- Added the Compare to Values in SQL field. The SQL entered, which must return one and only one column, is used as a group of values to search against the selected tables and/or columns.
- Added the Compare to Values in Group field. The selected group is used as a group of values to search against the selected tables and/or columns. The value rule returns data as long as one of the values within the group, which may be either a public group or a classifier group, matches.
- Added GuardAPIs for Classification: GuardAPI commands for Classification policy configuration, for test automation and for simpler scripting of the prerequisite data preparation.

Unification of the ISO image for English and all languages

User defined character sets

Available for Oracle, Sybase, MySQL and MSSQL, and for extrusion rules only: users may influence the character set by defining special extrusion rules. These "character set" policy rules are used only to set the character set that traffic should be converted to; setting an action on them is irrelevant. To apply an action to that traffic, define additional rules after the "character set" rule. A "character set" rule can be set in two ways, hint or force. With hint, traffic is converted using the character set defined in the extrusion rule of the installed policy ONLY if the regular conversion failed; with force, traffic is converted using that character set for ALL data.
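The Classifier rule semantics described above (Hit Percentage, Compare to Values in Group and the "Fire only with" marker), as an added Python illustration that is not Guardium's own code: the sample column, the ID-number pattern and the function names are constructed for this example and are not taken from the product.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Constructed sample column: 4 of 5 values look like a formatted ID number.
SAMPLE_COLUMN = ["123-45-6789", "987-65-4321", "n/a", "555-12-3456", "111-22-3333"]
ID_PATTERN = r"^\d{3}-\d{2}-\d{4}$"


def hit_percentage_fires(values: Iterable[str], pattern: str,
                         hit_percentage: Optional[float]) -> bool:
    """Hit Percentage condition as described in the 8.2 Classifier notes.

    None -> not a condition, never blocks the rule; 0 -> fires;
    100 -> every examined value must match; otherwise fires when
    matched / examined * 100 >= hit_percentage (0% if nothing was examined).
    """
    if hit_percentage is None or hit_percentage == 0:
        return True
    values = list(values)
    matched = sum(1 for v in values if re.search(pattern, str(v)))
    pct = (matched * 100.0 / len(values)) if values else 0.0
    return pct >= hit_percentage


def group_values_fire(values: Iterable[str], group: Iterable[str]) -> bool:
    """Compare to Values in Group: fires if any group member appears in the data."""
    members = {str(g) for g in group}
    return any(str(v) in members for v in values)


def resolve_fire_only_with(rules: Dict[str, Optional[str]],
                           fired: Dict[str, bool]) -> Set[str]:
    """'Fire only with' marker: rules sharing a marker fire all together or not
    at all; unmarked rules (marker None) fire on their own result alone."""
    by_marker = defaultdict(list)
    for name, marker in rules.items():
        by_marker[marker].append(name)
    result: Set[str] = set()
    for marker, names in by_marker.items():
        if marker is None:
            result.update(n for n in names if fired[n])
        elif all(fired[n] for n in names):
            result.update(names)
    return result


if __name__ == "__main__":
    print(hit_percentage_fires(SAMPLE_COLUMN, ID_PATTERN, 80))    # True (4 of 5 = 80%)
    print(hit_percentage_fires(SAMPLE_COLUMN, ID_PATTERN, 100))   # False
    print(group_values_fire(SAMPLE_COLUMN, ["n/a", "unknown"]))   # True
```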
GIM

- The GIM client must be upgraded before installing any modules in Version 8.2.
- The GIM client can now be installed using Tivoli Provisioning Manager (TPM).

Data Protection Subscription

- Through Data Protection Subscription Services, added support for APAR tests.
- Through Data Protection Subscription Services, added the "PeopleSoft Sensitive Objects" group. The group description is present; uploading members requires a corresponding license.

Other changes

- On the Guardium Monitor tab, renamed Classifier/Assessment Job Queue to Guardium Job Queue.
- Added the ability to SCP and FTP over different ports.
- Added the Datasource entity to all query domains that use datasources.
- Added a date picker to API parameters that are dates.
- Added an Enterprise report showing which managed nodes are up or down.
- Added new Vulnerability Tests to check privileges on the DB2 reserved schema.

Notes

- Anything accessible from a command line (CLI, GuardAPI) is not supported in the Chinese and Japanese language translations. In other words, CLI and GuardAPI commands have not been and will not be translated for Version 8.2.
- When purging a large number of records (10 million or more), a large batch size setting (500k to 1 million) is the most effective approach. Using a smaller batch size or NULL causes the purge to take hours longer. Smaller purges finish quickly, so a large batch size setting is only relevant for large purges.
- Installing modules on a specific client for the FIRST TIME using the GIM utility must be done as a BUNDLE. Future upgrades of specific modules that are part of the installed bundle can be done either as single modules or as bundles.
- For Firefox 4.0.1, when editing or viewing an installed policy and closing it with the red cross in the upper right corner, the installed policy may remain open and produce a message that it is being viewed when it is not, preventing subsequent editing.
- Teradata sessions never carry host names directly in the traffic; this is a known issue in all current releases of Teradata. Thus CLIENT_HOSTNAME and SERVER_HOSTNAME are missing from the GDM_ACCESS table, because this information does not exist in the Teradata traffic.
- Windows S-TAP has limited support for IPv6 tunneled over IPv4. The IPv6 traffic is generated by LHMON using the IPv4 addresses of the ISATAP tunnel.
- In Capture-Capture comparisons, the Workload Exception list works only if the configurations are replayed.

Cross-site Request Forgery (CSRF) and 403 permission errors

The Guardium application must ALWAYS know where a URL came from and where it is going to. Thus, certain web browser actions while accessing the Guardium application may lead to 403 permission errors, such as:

- F5/CTRL-R/Refresh/Reload (from the web browser)
- Back/Forward (from the web browser)
- Opening multiple tabs in a browser session to the same Guardium system
- Closing a browser tab to a Guardium system and then trying to connect via a new tab

Use the navigation buttons within the Guardium application instead of the web browser's controls. Once a 403 permission error has occurred within a GUI session, that GUI session is corrupted and ceases to work; at that point the 403 permission error triggers an automatic logout from the GUI.

When installing a new Guardium system or machine, or upgrading from an earlier version of Guardium, CSRF status is disabled by default. A user must run the CLI command "store gui csrf_status on" after installing or upgrading to turn it on. Turning on CSRF status (403 permission errors) makes the Guardium system more secure but less user-friendly. See the CLI command store gui [port session_timeout csrf_status] for more information on Cross-site Request Forgery (CSRF).

For more information, go to the following online resources:

- IBM InfoSphere Guardium home page: http://www.ibm.com/software/data/info/guardium/
- Technical Support home page: http://www.ibm.com/software/support/ (search for Guardium)
- Guardium Technical Support web portal: http://www.ibm.com/support/entry/portal/overview/software/information_management/infoSphere_Guardium

16 September 2011

IBM InfoSphere Guardium Version 8.2. Licensed Materials - Property of IBM. Copyright IBM Corp. 2011. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).