3.04 - Configuration - Audit - System - v10x - Lab
Hands-On
1
IBM Security IBM Security Guardium
Overview
A database is a program that is installed at the operating system level and makes use of operating system services. Many configuration elements therefore reside within operating system constructs rather than within the database itself.

Examples include files, registry values and environment variables. Many of these files and values control some of the most important aspects of database security. A good example is the authentication method of the database: in almost all database platforms, an administrator can change the way that a database authenticates users by changing such a value, either in addition to or instead of using SQL.

The IBM Security® Guardium® Configuration Audit System (CAS) tracks all changes made to the database at various levels and reports on these changes to a centralized web-based console. Using the CAS module, database security administrators can verify that no changes that may affect security have been made in ways that bypass the database's SQL engine.
Objectives
This lab illustrates how to check that CAS is installed and configured on both the appliance and the database server, how to describe and create a template, and how to use CAS to identify changes made on the operating system that may affect database performance, using the following steps:
3. Discuss, create and use a template for mapping changes.
1. Prerequisites:
a. Bring up both the Collector and the Database Server VMs. Once the Database Server is up, you may see this screen. Press <enter or CTRL +G> to be directed to the Login screen.
b. Once both the Guardium collector and Database server VM images are up and running, log in to the osprey database server with the credentials root/guardium.
c. After you've logged in, you will see this screen. Double-click the terminal icon to open a command window.
d. In the command window, start the databases with the command:
./startdb_all.sh
a. If you are running the VMs on a laptop, open a browser and type https://10.10.9.238:8443. This brings up the Guardium Collector GUI.
b. If you are running the VMs in the cloud (via the SCS Portal), from the graphical interface in the database server, click the icon for the Firefox browser,
OR
use the published service URL (see the Instructions document for how to use Published Services) to open the Guardium Collector GUI from your laptop's browser.
c. Click the bookmark for the Guardium collector and log in as pot / guardium.
3. Check the CAS status. Two reports show whether CAS is running.
a. In the User Interface search bar, type CAS; one of the hits returned will be CAS Status.
b. Alternatively, you can check the status of CAS and other services in the Services Status report.
4. For reference, look at an existing CAS template that monitors a sensitive UNIX OS file. In the Navigation menu, go to Harden > Configuration Change Control > CAS Template Set Configuration.
a. Select Default Unix/Oracle Template Set V8.0 : UNIX – ORACLE and click the Pencil icon (Modify).
5. Create a new CAS template. Click the Plus sign (New) to define a new template for this lab.
a. Enter 'V10 PoT Unix Users CAS Template' for Template Set Name, select Unix from the OS Type drop-down list, N_A from the DB Type drop-down list, and then click Apply.
c. Enter 'V10 PoT /etc/passwd' for the Description field, enter /etc/passwd for the File name field, enter root for both the File Owner and File Group fields, select Minutes from the Period drop-down list, check the Keep data and Enabled checkboxes, and then click Apply.
/etc/passwd is a Linux/UNIX operating system file that stores essential user account information required during login. It is a text file containing a list of the system's accounts, giving for each account information such as the user ID, group ID, home directory and login shell.
e. Verify the Template was properly added to the CAS Configuration Navigator.
6. In the Navigation menu, go to Harden > Configuration Change Control > CAS Host
Configuration.
a. Select the IP of your Host DB Server (10.10.9.56) and click the Modify icon. Note that the IP address of your Host DB Server will be different if it is being hosted in a Cloud environment.
b. Select the V10 PoT Unix Users CAS Template that was previously created, and click Add Datasource.
c. Select System (10.10.9.56)_N_A(Change Audit System) and click Add. Note that the IP address of your System will be different if it is being hosted in a Cloud environment.
d. Click OK to ignore the warning, since a datasource is not required to access a file.
e. Verify the following screen appears. If you don't see any value under Monitored Items, click the Run Instance Now icon to refresh the page. Click Back.
7. In the Navigation Menu, go to Harden > Reports > CAS Changes. The CAS Changes page displays two reports on the monitored file (/etc/passwd): CAS Change Details, and the current contents of the /etc/passwd file.
f. If you see too many entries in this report, click the tool icon to configure Runtime parameters and enter /etc/passwd for the Value for Monitored Item.
8. Simulate suspicious changes to the monitored UNIX operating system file using the terminal to access the VM database server.
b. Type adduser YourName, type tail /etc/passwd to confirm the new entry, and then type exit to exit.
a. Go to Harden > Reports > CAS Changes again to run the report. Results may take a minute or so. You will see a new entry in the report with the timestamp of the change that added the user.
b. In the CAS Saved Data Report, right-click the last (most recent) entry and select View Difference to inspect the changes.
c. Verify the differences. In this case, a new entry was added.
10. (Optional) You can delete the user you added and check the difference in /etc/passwd using the same CAS reports.
c. Check the content of the passwd file with tail /etc/passwd
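As an added example (not part of the IBM lab material or the CAS product), the following Python script does for two snapshots of /etc/passwd what the View Difference step above shows in the GUI: it compares the file's MD5 checksum and lists the accounts that were added, removed or edited between the snapshots, which is the kind of difference the adduser step produces. The snapshots are constructed sample data, and the extra check for non-root accounts with UID 0 goes beyond what the lab covers.

```python
import hashlib

# Constructed sample snapshots of /etc/passwd, before and after an "adduser"
# run like the one in step 8 (sample data, not copied from the lab VM).
PASSWD_BEFORE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "oracle:x:500:500:Oracle software owner:/home/oracle:/bin/bash\n"
)
PASSWD_AFTER = PASSWD_BEFORE + "yourname:x:1001:1001::/home/yourname:/bin/bash\n"


def parse_passwd(text):
    """Map login name -> (uid, gid, home, shell) for each 7-field line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # tolerate blank or malformed lines instead of failing
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = (uid, gid, home, shell)
    return entries


def md5_of(text):
    """Checksum of the whole file: one of the signals a CAS template can track."""
    return hashlib.md5(text.encode()).hexdigest()


def diff_passwd(old_text, new_text):
    """Return a change record comparable to the CAS View Difference output:
    whether the checksum changed, and which accounts were added, removed or
    edited. The uid0 list flags any non-root account with UID 0 (beyond the lab)."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    return {
        "checksum_changed": md5_of(old_text) != md5_of(new_text),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
        "uid0": sorted(n for n, (uid, _g, _h, _s) in new.items()
                       if uid == "0" and n != "root"),
    }


if __name__ == "__main__":
    for key, value in diff_passwd(PASSWD_BEFORE, PASSWD_AFTER).items():
        print(f"{key}: {value}")
```

To run it against a real host, read two saved copies of /etc/passwd into the two text arguments; the parser ignores blank and malformed lines rather than aborting.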
3. CAS would NOT be useful for monitoring which of the following:
a. MD5.
c. Zip.
File text contents.
False.
3. CAS would NOT be useful for monitoring which of the following:
False.
True.
C – ZIP.