IBM Guardium Configuration (License, NTP, SMTP, Archive, Backup/Restore, Schedule, LDAP, Syslog) - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Tuesday, May 19, 2020

IBM Guardium Configuration (License, NTP, SMTP, Archive, Backup/Restore, Schedule, LDAP, Syslog)

This post is a summary for those basic IBM Guardium configuration. The IBM Guardium products provide a simple, robust solution for preventing data leaks from databases and files, helping to ensure the integrity of information in the data center and automating compliance controls.

  • License
  • NTP
  • SMTP
  • Data Archive
  • System Backup/Restore
  • Schedule
  • LDAP
  • Syslog

These are the key functional areas of Guardium's database security solution:
  • Vulnerability assessment. This includes not just discovering known vulnerabilities in database products, but also providing complete visibility into complex database infrastructures, detecting misconfigurations, and assessing and mitigating these risks.
  • Data discovery and classification. Although classification alone does not provide any protection, it serves as a crucial first step toward defining proper security policies for different data depending on its criticality and compliance requirements.
  • Data protection. Guardium addresses data encryption at rest and in transit, static and dynamic data masking, and other technologies for protecting data integrity and confidentiality.
  • Monitoring and analytics. This includes monitoring of database performance characteristics and complete visibility in all access and administrative actions for each instance. On top of that, advanced real-time analytics, anomaly detection and security information and event management (SIEM) integration can be provided.
  • Threat prevention. This refers to methods of protection from cyberattacks such as distributed denial-of-service (DDoS) or SQL injection, mitigation of unpatched vulnerabilities and other database-specific security measures.
  • Access management. This goes beyond basic access controls to database instances. The rating process focused on more sophisticated, dynamic, policy-based access management capable of identifying and removing excessive user privileges, managing shared and service accounts, and detecting and blocking suspicious user activities.
  • Audit and compliance. This includes advanced auditing mechanisms beyond native capabilities, centralized auditing and reporting across multiple database environments, enforcing separation of duties, and tools supporting forensic analysis and compliance audits.
  • Performance and scalability. Although not a security feature per se, it is a crucial requirement for all database security solutions to be able to withstand high loads, minimize performance overhead and support deployments in high-availability configurations.

The IBM Security Guardium solution is offered in two versions:
  • IBM Security Guardium Database Activity Monitoring (DAM)
  • IBM Security Guardium File Activity Monitoring (FAM) - Use Guardium file activity monitoring to extend monitoring capabilities to file servers.



login as: cli
Pre-authentication banner message from server:
| IBM Guardium, Command Line Interface (CLI)
End of banner message from server
[email protected]'s password:
Last login: Thu Jul 25 15:22:29 2019 from
Welcome cli - your last login was Tue Jul 30 01:30:02 2019> show system ntp all
ok> show system ntp
USAGE:  show system ntp <arg>, where arg is:
all, diagnostics, server, state> show system ntp state

System Patch:> show system patch installed
P#      Who       Description                     Request Time         Status
600     CLI       Guardium Patch Update (GPU) for 2019-06-13 11:10:02  DONE: Patch installation Succeeded.
9997    CLI       Health Check for GPU installati 2019-06-13 14:34:13  DONE: Patch installation Succeeded.
620     CLI       Update Bundle for v10.0 GPU 600 2019-06-13 14:35:15  DONE: Patch installation Succeeded.
ok> show system patch ava

Attempting to retrieve the patch information. It may take time. Please wait.

P#      Description                                   Version Md5sum                              Dependencies
9997    Health Check for GPU installation (Apr 11 201 10.0    67dcb683682db202551ad16dd3312a95
620     Update Bundle for v10.0 GPU 600 (Apr 25 2019) 10.0    e6cd80e4b4af11a5bac132a49169f97c    600

Alert-SMTP Setting

    Data Archive

    Data Export (On Collector)

    Data Import (On Aggregator or Central Manager)

    Data Archive (On Aggregator)

    Data Archive (On Collector)

    System Backup / Restore

    System backup


    System Restore
    There are lots of scenario for restoring:

    • Restoring a Guardium system
    • Before you restore your Guardium system
    • Restoring a standalone collector
    • Restoring a collector with an aggregator that is not centrally managed
    • Restoring an aggregator that is not centrally managed
    • Restoring a centrally managed collector
    • Restoring a centrally managed aggregator
    • Restoring a dedicated central manager (no data aggregation)

    Here is the procedure for Restoring a centrally managed collector:

    • Use the appropriate ISO image to build an appliance.
    • Apply all of the patches to bring the appliance to the same patch level as it was when the last backup was taken.
    • Restore the data backup. This step might be optional if there is an aggregator in this environment and data from the collector exists on the aggregator. (It is not required to restore the configuration backup because the definitions are pooled from central manager.)
    • Shared secret must be set to enable communication with central manager. Shared secret is used to encrypt communication of the appliance with central manager. Use CLI command store system shared secret to complete this step.
    • Optional: Restore archive files for missing days, as needed. This step is not required if you are not restoring data backup.
    • Register the newly built collector with central manager (licenses are pooled from central manager).

    Prodcedure for Restoring an aggregator that is not centrally managed
    • Use the appropriate ISO image to build an appliance.
    • Apply all of the patches to bring the appliance to the same patch level as it was when the last backup was taken.
    • Restore the data backup.
    • Restore the configuration backup.
    • Restore the archive files for missing days as needed.
    • Apply the license.
    What to do next
    • When restoring data from an aggregator to a new system with a different hostname, the new system shows collectors from the source aggregator, and the collectors on the new system. After completing the restore:
    • On each of the old collectors define a data export to the new aggregator and Save.
    • Clear the Export checkbox in the data export (that you just defined) and Save.

    Scheduled Jobs

    Scheduled Jobs

    LDAP Integration

    System Portal and LDAP Authentication Integration

    AD Explorer  from Windows Sysinternals can greatly help you find out right DN settings and filter configuration if you AD admin is not sure how to help you connect a Linux machine with Windows AD.

    For User RDN Type, you might want to configure as : samAccountName=51sec-org
    It depends on how your domain name set up. You might want to use Microsoft Tool - AdExplorer to find out settings.

    Once LDAP information configured, you will need to use accessmgr account to log in IBM Guardium to review the users. There is LDAP synchronization task running to import LDAP users from your OU group to IBM Guardium.


    It supports, CEF, LEEF and others.

    For Message Facility: Guardium supports the standard syslogd facilities.
      auth authpriv cron daemon ftp kern lpr mail mark news security syslog user uucp local0...local7
      An all-inclusive facility called “all” will ship all syslog events.
      Message Priority: Guardium supports the standard syslog message priorities:
        alert crit debug emerg err info notice warning
        An all-inclusive priority called “all” will ship logs for any priority.

    Following command will ship all_facility.all_priority logs to on udp port 514. Multiple remote log server supported. You just need to enter this command with a new remote log server ip again.

    • store remotelog add non_encrypted all.all udp

    From Command line, following commands will add / remove syslog host in the Guardium system.

    daemon.alert = High severity in policy
    daemon.err = Med severity in policy
    daemon.warning = low severity in policy> store remotelog clear
    Update the configuration file and restart the service.
    ok> show remotelog host
    Not configured.
    store remotelog add non_encrypted daemon.alert udp
    store remotelog add non_encrypted daemon.err udp
    store remotelog add non_encrypted daemon.warning udp
    Restarting syslog server.
    ok> show remotelog host
    Remote syslog is in non-encrypted mode.
    Remote syslog format is default.
    local7.=alert    @

    Last step is to configure policy or alert to send syslog to SIEM server, such as Qradar, ArcSight or LogRhythm.
    Check the messages log for syslogs sent out
    Log into Collector , not aggregator. Alert sent to Syslog server always from Collector.

    fileserver 600

    Log on to the page fileserver gave to download message log from debug-logs folder

    No comments:

    Post a Comment