This post is a summary for those basic IBM Guardium configuration. The IBM Guardium products provide a simple, robust solution for preventing data leaks from databases and files, helping to ensure the integrity of information in the data center and automating compliance controls.
These are the key functional areas of Guardium’s database security solution:
- Vulnerability assessment. This includes not just discovering known vulnerabilities in database products, but also providing complete visibility into complex database infrastructures, detecting misconfigurations, and assessing and mitigating these risks.
- Data discovery and classification. Although classification alone does not provide any protection, it serves as a crucial first step toward defining proper security policies for different data depending on its criticality and compliance requirements.
- Data protection. Guardium addresses data encryption at rest and in transit, static and dynamic data masking, and other technologies for protecting data integrity and confidentiality.
- Monitoring and analytics. This includes monitoring of database performance characteristics and complete visibility in all access and administrative actions for each instance. On top of that, advanced real-time analytics, anomaly detection and security information and event management (SIEM) integration can be provided.
- Threat prevention. This refers to methods of protection from cyberattacks such as distributed denial-of-service (DDoS) or SQL injection, mitigation of unpatched vulnerabilities and other database-specific security measures.
- Access management. This goes beyond basic access controls to database instances. The rating process focused on more sophisticated, dynamic, policy-based access management capable of identifying and removing excessive user privileges, managing shared and service accounts, and detecting and blocking suspicious user activities.
- Audit and compliance. This includes advanced auditing mechanisms beyond native capabilities, centralized auditing and reporting across multiple database environments, enforcing separation of duties, and tools supporting forensic analysis and compliance audits.
- Performance and scalability. Although not a security feature per se, it is a crucial requirement for all database security solutions to be able to withstand high loads, minimize performance overhead and support deployments in high-availability configurations.
The IBM Security Guardium solution is offered in two versions:
- IBM Security Guardium Database Activity Monitoring (DAM)
- IBM Security Guardium File Activity Monitoring (FAM) – Use Guardium file activity monitoring to extend monitoring capabilities to file servers.
login as: cli Pre-authentication banner message from server: | | IBM Guardium, Command Line Interface (CLI) | End of banner message from server [email protected]'s password: Last login: Thu Jul 25 15:22:29 2019 from 10.10.136.2 Welcome cli - your last login was Tue Jul 30 01:30:02 2019 test1-igcm01.51sec.org> show system ntp all 172.21.5.10 172.21.5.11 51Secsrv11.51sec.org 51Secsrv10.51sec.org Enabled ok test1-igcm01.51sec.org> show system ntp USAGE: show system ntp <arg>, where arg is: all, diagnostics, server, state test1-igcm01.51sec.org> show system ntp state Enabled ok test1-igcm01.51sec.org>
test1-igcm01.51sec.org> show system patch installed P# Who Description Request Time Status 600 CLI Guardium Patch Update (GPU) for 2019-06-13 11:10:02 DONE: Patch installation Succeeded. 9997 CLI Health Check for GPU installati 2019-06-13 14:34:13 DONE: Patch installation Succeeded. 620 CLI Update Bundle for v10.0 GPU 600 2019-06-13 14:35:15 DONE: Patch installation Succeeded. ok test1-igcm01.51sec.org> show system patch ava Attempting to retrieve the patch information. It may take time. Please wait. P# Description Version Md5sum Dependencies 9997 Health Check for GPU installation (Apr 11 201 10.0 67dcb683682db202551ad16dd3312a95 620 Update Bundle for v10.0 GPU 600 (Apr 25 2019) 10.0 e6cd80e4b4af11a5bac132a49169f97c 600 ok test1-igcm01.51sec.org>
Alert – SMTP Settings
Data Export (On Collector)
Data Import (On Aggregator or Central Manager)
Data Archive (On Aggregator)
System backup (On Aggregator)
System Portal and LDAP Authentication Integration
AD Explorer from Windows Sysinternals can greatly help you find out right DN settings and filter configuration if you AD admin is not sure how to help you connect a Linux machine with Windows AD.
It supports, CEF, LEEF and others.
From Command line, following commands will add / remove syslog host in the Guardium system.
= High severity in policy
= Med severity in policy
= low severity in policy
51sec-igcm01.51Sectest.dev> store remotelog clear 10.25.14.1 Update the configuration file and restart the service. ok 51sec-igcm01.51sectest.dev> show remotelog host Not configured. ok 51sec-igcm01.51sectest.dev>
store remotelog add non_encrypted daemon.alert 10.2.14.132 udp store remotelog add non_encrypted daemon.err 10.2.14.132 udp store remotelog add non_encrypted daemon.warning 10.2.14.132 udp Restarting syslog server. ok 51sec-igcm01.51sectest.dev> show remotelog host Remote syslog is in non-encrypted mode. Remote syslog format is default. local7.=alert @10.2.14.132 ok
Last step is to configure policy or alert to send syslog to SIEM server, such as Qradar, ArcSight or LogRhythm.
Check the messages log for syslogs sent out
Log into Collector , not aggregator. Alert sent to Syslog server always from Collector.