Monday, September 30, 2019

IBM Guardium Notes: Basic Configuration Notes (License, NTP, SMTP, Data Related, Backup, Schedule, LDAP, Syslog)

This post summarizes the basic IBM Guardium configuration settings. The IBM Guardium products provide a simple, robust solution for preventing data leaks from databases and files, helping to ensure the integrity of information in the data center and automating compliance controls.


These are the key functional areas of Guardium's database security solution:
  • Vulnerability assessment. This includes not just discovering known vulnerabilities in database products, but also providing complete visibility into complex database infrastructures, detecting misconfigurations, and assessing and mitigating these risks.
  • Data discovery and classification. Although classification alone does not provide any protection, it serves as a crucial first step toward defining proper security policies for different data depending on its criticality and compliance requirements.
  • Data protection. Guardium addresses data encryption at rest and in transit, static and dynamic data masking, and other technologies for protecting data integrity and confidentiality.
  • Monitoring and analytics. This includes monitoring of database performance characteristics and complete visibility in all access and administrative actions for each instance. On top of that, advanced real-time analytics, anomaly detection and security information and event management (SIEM) integration can be provided.
  • Threat prevention. This refers to methods of protection from cyberattacks such as distributed denial-of-service (DDoS) or SQL injection, mitigation of unpatched vulnerabilities and other database-specific security measures.
  • Access management. This goes beyond basic access controls to database instances and covers more sophisticated, dynamic, policy-based access management capable of identifying and removing excessive user privileges, managing shared and service accounts, and detecting and blocking suspicious user activities.
  • Audit and compliance. This includes advanced auditing mechanisms beyond native capabilities, centralized auditing and reporting across multiple database environments, enforcing separation of duties, and tools supporting forensic analysis and compliance audits.
  • Performance and scalability. Although not a security feature per se, it is a crucial requirement for all database security solutions to be able to withstand high loads, minimize performance overhead and support deployments in high-availability configurations.



The IBM Security Guardium solution is offered in two versions:
  • IBM Security Guardium Database Activity Monitoring (DAM)
  • IBM Security Guardium File Activity Monitoring (FAM) - Use Guardium file activity monitoring to extend monitoring capabilities to file servers.

License



NTP:

login as: cli
Pre-authentication banner message from server:
|
| IBM Guardium, Command Line Interface (CLI)
|
End of banner message from server
[email protected]'s password:
Last login: Thu Jul 25 15:22:29 2019 from 10.10.136.2
Welcome cli - your last login was Tue Jul 30 01:30:02 2019
test1-igcm01.51sec.org> show system ntp all
172.21.1.110
172.21.1.111
oscsrv111.51sec.org
oscsrv110.51sec.org
Enabled
ok
test1-igcm01.51sec.org> show system ntp
USAGE:  show system ntp <arg>, where arg is:
all, diagnostics, server, state
test1-igcm01.51sec.org> show system ntp state
Enabled
ok
test1-igcm01.51sec.org>



System Patch:
test1-igcm01.51sec.org> show system patch installed
P#      Who       Description                     Request Time         Status
600     CLI       Guardium Patch Update (GPU) for 2019-06-13 11:10:02  DONE: Patch installation Succeeded.
9997    CLI       Health Check for GPU installati 2019-06-13 14:34:13  DONE: Patch installation Succeeded.
620     CLI       Update Bundle for v10.0 GPU 600 2019-06-13 14:35:15  DONE: Patch installation Succeeded.
ok
test1-igcm01.51sec.org> show system patch ava

Attempting to retrieve the patch information. It may take time. Please wait.

P#      Description                                   Version Md5sum                              Dependencies
9997    Health Check for GPU installation (Apr 11 201 10.0    67dcb683682db202551ad16dd3312a95
620     Update Bundle for v10.0 GPU 600 (Apr 25 2019) 10.0    e6cd80e4b4af11a5bac132a49169f97c    600
ok
test1-igcm01.51sec.org>





Alert - SMTP Settings

Data Export (On Collector)

Data Import (On Aggregator or Central Manager)


Data Archive (On Aggregator)





System backup (On Aggregator)


Scheduled Jobs



System Portal and LDAP Authentication Integration

AD Explorer from Windows Sysinternals can greatly help you find the right DN settings and filter configuration if your AD admin is not sure how to help you connect a Linux machine to Windows AD.

For User RDN Type, you might want to configure it as: samAccountName=51sec-org
It depends on how your domain name is set up. You might want to use the Microsoft tool AdExplorer to find out the settings.

Once the LDAP information is configured, you will need to use the accessmgr account to log in to IBM Guardium to review the users. An LDAP synchronization task runs to import LDAP users from your OU group into IBM Guardium.



Syslog

Guardium supports CEF, LEEF and other syslog formats.

From the command line, the following commands add or remove a syslog host in the Guardium system. The facility.severity given to store remotelog add corresponds to the policy severity as follows:

daemon.alert = High severity in policy
daemon.err = Med severity in policy
daemon.warning = Low severity in policy

51sec-igcm01.osc.gov.on.ca> store remotelog clear 10.25.14.1
Update the configuration file and restart the service.
ok
51sec-igcm01.osc.gov.on.ca> show remotelog host
Not configured.
ok
51sec-igcm01.osc.gov.on.ca> 
store remotelog add non_encrypted daemon.alert 10.25.14.132 udp
store remotelog add non_encrypted daemon.err 10.25.14.132 udp
store remotelog add non_encrypted daemon.warning 10.25.14.132 udp
Restarting syslog server.
ok
51sec-igcm01.osc.gov.on.ca> show remotelog host
Remote syslog is in non-encrypted mode.
Remote syslog format is default.
local7.=alert    @10.25.14.132
ok


The last step is to configure a policy or alert to send syslog to the SIEM server, such as QRadar, ArcSight or LogRhythm.
To check the messages log for the syslogs sent out, log in to the Collector, not the Aggregator: alerts are always sent to the syslog server from the Collector.

fileserver 10.10.10.2 600

Log on to the URL that the fileserver command gives you and download the messages log from the debug-logs folder.
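As an added example (not from the original post and not IBM's own code), the following Python decodes what the SIEM side receives: it turns the syslog PRI back into facility.severity, maps it to the policy severity per the daemon.alert/err/warning table above, and parses a CEF:0 header so the fields can be checked. The sample datagrams are constructed, and the CEF field layout is a generic CEF:0 record, not Guardium's exact output.

```python
import re

# Syslog PRI = facility * 8 + severity (RFC 3164/5424 numbering).
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 16: "local0", 23: "local7"}
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}
# Mapping from the notes above: the facility.severity chosen in
# 'store remotelog add' identifies the policy severity that fired.
POLICY_SEVERITY = {"daemon.alert": "High", "daemon.err": "Med", "daemon.warning": "Low"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
CEF_SPLIT = re.compile(r"(?<!\\)\|")                    # '|' not escaped as '\|'
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)  # key=value pairs in the extension

def decode_pri(pri):
    """Return 'facility.severity' for a numeric syslog PRI value."""
    facility, severity = divmod(pri, 8)
    return f"{FACILITY_NAMES.get(facility, str(facility))}.{SEVERITY_NAMES[severity]}"

def parse_cef(text):
    """Split a CEF:0 record into its seven header fields plus an extension dict."""
    start = text.find("CEF:0|")
    if start < 0:
        return None                                      # not a CEF message
    parts = CEF_SPLIT.split(text[start:], maxsplit=7)
    if len(parts) < 8:
        return None                                      # truncated header
    keys = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
    record = dict(zip(keys, parts[:7]))
    record["ext"] = dict(EXT_RE.findall(parts[7]))
    return record

def classify(line):
    """Decode one received line: facility.severity, policy severity, CEF fields."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    fac_sev = decode_pri(int(m.group(1)))
    return {"syslog": fac_sev, "policy_severity": POLICY_SEVERITY.get(fac_sev),
            "cef": parse_cef(m.group(2))}

# Constructed sample datagrams (not real Guardium output) as a SIEM would receive them.
SAMPLE_LINES = [
    "<25>Jul 30 01:30:02 test1-igcm01 CEF:0|IBM|Guardium|10.0|POLICY_VIOLATION|Failed login|8|"
    "src=10.10.136.2 suser=scott dst=10.10.10.5 act=LOGIN_FAILED",
    "<28>Jul 30 01:31:10 test1-igcm01 CEF:0|IBM|Guardium|10.0|POLICY_VIOLATION|Select on table|3|"
    "src=10.10.136.2 suser=scott act=SELECT",
    "<185>Jul 30 01:32:00 test1-igcm01 plain message without a CEF header",
]
```

Running classify over a packet capture or the SIEM's raw-event store shows whether the facility that actually arrives matches the one you stored with store remotelog add, which is the quickest way to confirm the severity mapping end to end.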
