IBM Guardium Upgrade and Patch Installation (GIM, STAP, SNIFFER, GUP, DPS) - NETSEC


Tuesday, August 18, 2020

This post summarizes how to upgrade IBM Guardium components and how to patch the system.

  • IBM Guardium Patching/Upgrading
  • Install DPS Update
  • S-TAP Installed and Configured but Not Showing in Collector

IBM Guardium Patching/Upgrading

1   Check IBM Guardium Appliance and Agent Version






2   Download Patch / Updates from Fix Central
Download a server / agent Patch from IBM Fix Central
Patches explanation:


3   Install Patch for Aggregator from CLI

This method is usually used for the Central Manager (Aggregator). Once you have logged into the Web GUI, the notification icon shows a red number to notify you that a patch is available. You can download it from IBM Fix Central by clicking download.


Once the patch is downloaded, it needs to be uploaded to the Guardium manager / aggregator. Depending on the environment, the patch is uploaded either to the Central Manager or to the individual collector. Patching always starts from the top (Manager / Aggregator) and works down to the bottom (Collector).

Note: It is strongly suggested to have a complete system backup prior to installing a patch.

Upgrading steps:

  • Login to the appliance as 'cli'
  • Type the command 'fileserver <<ip_address>> <<duration>>'. This starts a web server on the appliance; <<duration>> is the timeout in seconds
    • Once the fileserver command is executed, from the web browser, connect to the appliance at https://<<appliance_name_or_ip>>:8445


cm01.51sec.org> fileserver 10.10.10.2 1200

Starting the file server...
The file server is ready at https://cm01.51sec.org:8445
The timeout has been set to 1200 seconds and it may timeout during the uploading.

The upload will only be accessible from the IP you are logged in from: 10.10.136.2

Press ENTER to stop the file server.

Stopping process

Register patch files in the directory:
SqlGuard-11.0p100_GPU_Nov_2019_V11.1.tgz.enc.sig
Register succeeded
ok
cm01.51sec.org>



  • Browse the local filesystem to find the downloaded patch file (already unzipped)
  • Click the upload button to upload the patch file (*.sig ) to the appliance




  • Once the patch is uploaded, close the fileserver by simply hitting 'enter'
  • In the cli window, use the patch installation commands to install the patch
    • show system patch available : shows the available patches that can be installed (you might see some error messages because of an old, wrong package that was uploaded earlier)
    • store system patch install sys now
  • This will start the wizard to install the available patches.


itprosec-tor-igcm01.51sec.org> store system patch install sys

List the files in the patches directory:

1. SqlGuard-10.0p11000_Upgrade_to_Version_11.0_Jun_2019.tgz.enc.sig
2. SqlGuard-10.0p620_Bundle_Apr_25_2019.tgz.enc.sig
3. SqlGuard-10.0p9997.tgz.enc.sig
4. SqlGuard-11.0p12_Bundle_Nov_05_2019.tgz.enc.sig
5. SqlGuard-11.0p4003_Snif_Oct_24_2019.tgz.enc.sig

Please choose patches to install (1-5, or multiple numbers separated by ",", or q to quit): 5
Install item 5

Patch has been submitted, and will be installed according to the request time,
please check installed patches report or CLI (show system patch installed).

Please don't forget to remove your media if necessary.
ok

itprosec-tor-igcm01.51sec.org> show system patch installed
P#      Who       Description                     Request Time         Status
11000   CLI       Upgrade to Version 11.0 (Jun 07 2019-08-30 11:14:11  Phase 5: Migration completed
4003    CLI       Snif Update (Oct 24 2019)       2019-12-04 17:18:45  STEP: Executing Post Install Actions
12      CLI       SqlGuard-11.0p12_Bundle_Nov_05_ 2019-12-04 17:21:01  Preparing to install patch.
ok


Note: Your installation might fail because of a missing dependency, as shown below:

cm01.51sec.org> store system patch install sys

List the files in the patches directory:

1. SqlGuard-10.0p11000_Upgrade_to_Version_11.0_Jun_2019.tgz.enc.sig
2. SqlGuard-10.0p620_Bundle_Apr_25_2019.tgz.enc.sig
3. SqlGuard-10.0p9997.tgz.enc.sig
4. SqlGuard-11.0p100_GPU_Nov_2019_V11.1.tgz.enc.sig
5. SqlGuard-11.0p12_Bundle_Nov_05_2019.tgz.enc.sig
6. SqlGuard-11.0p4003_Snif_Oct_24_2019.tgz.enc.sig

Please choose patches to install (1-6, or multiple numbers separated by ",", or q to quit): 4
Install item 4

Dependent patches not installed successfully or not available: 9997

Please don't forget to remove your media if necessary.
ok


In the above example, the latest health_check patch was not installed first. You will need to go to Fix Central to download this latest health_check patch.
Installing the latest health check patch is the same as installing any other patch:
a. Upload the extracted .sig health_check patch through the fileserver command
b. store system patch install sys : choose the one you just uploaded
c. show system patch installed : check the installation progress

Note: A sniffer patch usually takes about 10 minutes to complete, but a bundle package takes 30 - 60 minutes. Sometimes the installed packages are not removed from the list after installation. When making a selection, you have to know clearly which ones you have already installed and which one needs to be installed now.

4  Install Patch from Web GUI for Databases


Push STAP out from Central Manager (Aggregator)


For GIM, you will need to uncheck some filters to show it.



Distribute a patch / Install Patch from Central Manager to Collector

To distribute a patch from a central manager to managed units, one of the following must have taken place:

  • The patch is installed on the central manager
  • The patch has been made available on the central manager by running the following CLI command: store system patch available

Distribute the patch to managed units using the Central Management page on the central manager.
  1. Navigate to Manage > Central Management > Central Management.
  2. From the Central Management page, select managed units to receive the patch and click the Patch Distribution button.
  3. From the Patch Distribution page, select the patches to distribute.
    • Click Install Patch Now to install the patch immediately.
    • Click Schedule Patch to schedule patch installation for the future.



5  Monitor and verify patch installation

You can monitor and verify the installation of patches in the following ways:

  • Issue the following CLI command: show system patch install.
  • Use the Central Management page on the CM: Manage > Central Management > Central Management > Patch Installation Status.





Install DPS Update

You will need to update the Guardium DPS file after upgrade or restore procedures. Download the latest DPS file, then use the Harden > Vulnerability Assessment > Customer Uploads tool to upload and import the new DPS file.


Click the green check mark to import the uploaded DPS file.


Delete Stuck Patch Installation

A patch installation might get stuck at a certain stage. In my case, it had been stuck at "Preparing to install patch" for a couple of hours.

guardium-v11.yourcompany.com> show system patch install
P#      Who       Description                     Request Time         Status
200     CLI       Guardium Patch Update (GPU) for 2020-08-16 10:25:16  DONE: Patch installation Succeeded.
4009    CLI       SqlGuard-11.0p4009_Snif_Jul_09_ 2020-08-18 09:14:58  Preparing to install patch.
ok
guardium-v11.yourcompany.com>


guardium-v11.yourcompany.com> delete scheduled-patch
P#      Who       Description                     Request Time         Status
200     CLI       Guardium Patch Update (GPU) for 2020-08-16 10:25:16  DONE: Patch installation Succeeded.
4009    CLI       SqlGuard-11.0p4009_Snif_Jul_09_ 2020-08-18 08:17:40  Preparing to install patch.

Please enter patch number (or q to quit): 4009
Remove the patch number 4009 to install
ok
guardium-v11.yourcompany.com> show system patch inst
P#      Who       Description                     Request Time         Status
200     CLI       Guardium Patch Update (GPU) for 2020-08-16 10:25:16  DONE: Patch installation Succeeded.
ok
guardium-v11.yourcompany.com> store system patch install sys

List the files in the patches directory:

1. SqlGuard-11.0p4009_Snif_Jul_09_2020.tgz.enc.sig

Please choose patches to install (1-1, or multiple numbers separated by ",", or q to quit): 1
Install item 1


Patch has been submitted, and will be installed according to the request time,
please check installed patches report or CLI (show system patch installed).

Please don't forget to remove your media if necessary.
ok
guardium-v11.yourcompany.com> 
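Parsing these two CLI outputs in a script makes the stuck-install case above and the missing-dependency error shown earlier easier to catch across a batch of appliances. This is an added example and not Guardium's own code; it assumes the table and error-message layout quoted on this page, and the sample text below is constructed from that output.

```python
"""Added example (not Guardium code): flag stuck or dependency-blocked patch installs."""
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the CLI output quoted earlier on this page.
SAMPLE_STATUS = """\
guardium-v11.yourcompany.com> show system patch install
P#      Who       Description                     Request Time         Status
200     CLI       Guardium Patch Update (GPU) for 2020-08-16 10:25:16  DONE: Patch installation Succeeded.
4009    CLI       SqlGuard-11.0p4009_Snif_Jul_09_ 2020-08-18 09:14:58  Preparing to install patch.
ok
"""
SAMPLE_DEP_ERROR = "Dependent patches not installed successfully or not available: 9997"

# Rows are keyed on the 'Request Time' timestamp, so a description that is
# truncated into the next column (as in the page's output) still parses.
ROW_RE = re.compile(
    r"^(?P<patch>\d+)\s+(?P<who>\S+)\s+(?P<desc>.*?)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<status>.*)$"
)
DEP_RE = re.compile(r"Dependent patches not installed successfully or not available:\s*([\d,\s]+)")

def parse_patch_table(text):
    """Return one dict per patch row; prompt, header and 'ok' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            row = m.groupdict()
            row["patch"] = int(row["patch"])
            row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def stuck_patches(rows, now, max_age_minutes=60):
    """Patch numbers not 'DONE' after max_age_minutes (a bundle normally takes 30-60 min).
    A hit is the cue to run 'delete scheduled-patch', resubmit the patch and, if it
    sticks again, collect 'support must_gather patch_install_issues'."""
    if isinstance(now, str):  # accept "YYYY-MM-DD HH:MM:SS" as well as a datetime
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    cutoff = timedelta(minutes=max_age_minutes)
    return [r["patch"] for r in rows
            if not r["status"].startswith("DONE") and now - r["time"] > cutoff]

def missing_dependencies(text):
    """Patch numbers named in the dependency error (here the health_check patch 9997)."""
    m = DEP_RE.search(text)
    return [int(n) for n in m.group(1).replace(",", " ").split()] if m else []
```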


Generate a support log for the patch installation issue:


guardium-v11.yourcompany.com> support must_gather patch_install_issues


This operation may take several minutes to complete.

11.2.0_r108847_v11_2_1-el76-20200529_1309
    BUILD_ID_APPLIANCE="appliance-v11_2-20200529_1309"
Please check notes in /var/IBM/Guardium/log/must_gather/patch_install_logs/ANALYZE_RESULTS.txt file.
Created file /var/IBM/Guardium/log/must_gather/patch_install_logs/patch_install.20200818092518.tgz.
ok
guardium-v11.yourcompany.com>fileserver 192.168.2.70 3600




S-TAP Installed and Configured but Not Showing in Collector

S-TAP has been successfully installed on the DB server. The service is running and the configuration shows all related IP addresses configured properly.

But telnet to <Collector IP> on port 9500 failed. TCP port 9500 is the S-TAP communication port from the DB server to the Collector.

Solution:

  • restart inspection-engine
  • restart inspection-core

Notes for those two commands:  https://www.ibm.com/support/knowledgecenter/SSWL9Z_10.0.0/com.ibm.guardium.appmaskref.doc/cli_api/inspection_engine_cli_commands.html

guardium-v11.yourcompany.com> restart inspection-core
Are you sure you want to restart inspection-core (y/n)?
Restarting inspection-core

ok
guardium-v11.yourcompany.com>

