
IBM Security IBM Security Guardium

IBM Security Guardium

Hands-On

Configuration Audit System


Revised for Guardium 10.6


Configuration Audit System (CAS)

Overview
A database is a program that is installed at the operating system level and makes use of operating
system services. There are many configuration elements that reside within operating system constructs
rather than within the database itself.

Examples include files, registry values and environment variables. Many of these files and values control
some of the most important aspects of database security. A good example is the authentication method
of the database. In almost all database platforms, an administrator can change the way that a database
authenticates users by changing such a value, either in addition to or instead of using SQL.

The IBM Security® Guardium® Configuration Audit System (CAS) tracks all changes made to the
database at various levels, and reports on these changes to a centralized web-based console. Using the
CAS module, database security administrators can know that no changes that may affect security have
been made in ways that bypass the database’s SQL engine.

Objectives
This lab illustrates how to verify that CAS is installed and configured on both the appliance and the
database server, how to describe and create a template, and how to use CAS to identify changes made
on the operating system that may affect database performance, using the following steps:

1. Validate that CAS is installed on the database server.

2. Ensure that CAS is running.

3. Discuss, create and use a template for mapping changes.

4. Make changes on the operating system and view the CAS results.

5. Automate the CAS report for future use.


1. Prerequisites:

a. Bring up both the Collector and the Database Server VMs. Once the Database Server is
up, you may see this screen. Press Enter or Ctrl+G to be directed to the Login
screen.

b. Once both the Guardium collector and Database server VM images are up and
running, log in to the osprey database server with the credentials root/guardium.

c. After you’ve logged in, you will see this screen. Double click on the terminal icon to
open a command window.


d. In the command window, start the databases with the following command:
./startdb_all.sh

2. Start the Guardium Appliance and log in.

a. If you are running the VMs in a laptop, open a browser and type
https://10.10.9.238:8443. This will bring up the Guardium Collector GUI.


b. If you are running the VMs in the cloud (via the SCS Portal), from the graphical
interface in the database server, click on the icon for the Firefox browser,
OR
use the published service URL (look at the Instructions document for how to use
Published Services) to open the Guardium Collector GUI from your laptop’s browser.

c. Click on the bookmark for the Guardium collector and login as pot / guardium.


3. Let’s check the CAS status. There are two reports that show whether CAS is running.

a. In the User Interface search bar, type CAS and one of the hits returned will be CAS
Status.

b. Alternatively, you can check the status of CAS and other services in the Services
Status report.

4. For your reference, let’s check an existing CAS template to monitor a sensitive UNIX OS
file. In the Navigation menu, go to Harden > Configuration Change Control > CAS
Template Set Configuration.


a. Select Default Unix/Oracle Template Set V8.0 : UNIX – ORACLE and click on the
Pencil icon (Modify).

b. View the contents for reference and click Back.


5. Create a new CAS template. Click on the Plus sign (New) to define a new template for this
lab.


a. Enter ‘V10 PoT Unix Users CAS Template’ for Template Set Name, select Unix from the
OS Type drop-down list, N_A from the DB Type drop-down list, and then click Apply.

b. Click Add To Set.

c. Enter ‘V10 PoT /etc/passwd’ for the Description field, enter /etc/passwd for the File
name field, enter root for both the File Owner and File Group fields, select Minutes from
the Period drop-down list, check the Keep data and Enabled checkboxes, and then click
Apply.


/etc/passwd is a Linux/UNIX operating system file that stores the user account information required
during login. It is a text file containing a list of the system’s accounts, giving for each account details
such as the user ID, group ID, home directory and login shell.

d. Click Back.

e. Verify that the template was added to the CAS Configuration Navigator.


6. In the Navigation menu, go to Harden > Configuration Change Control > CAS Host
Configuration.


a. Select the IP of your Host DB Server (10.10.9.56) and click the Modify icon. Note that the
IP address of your Host DB Server will be different if it is being hosted in a Cloud
environment.


b. Select the V10 PoT Unix Users CAS Template that was previously created, and click Add
Datasource.


c. Select System (10.10.9.56)_N_A(Change Audit System) and click Add. Note that the IP
address of your System will be different if it is being hosted in a Cloud environment.

d. Click OK to ignore the warning, since a datasource is not required to access a file.

e. Verify that the following screen appears. If you don’t see any value under Monitored Items,
click on the Run Instance Now icon to refresh the page. Click Back.


7. In the Navigation Menu, go to Harden > Reports > CAS Changes. The CAS Changes page
displays two reports for the monitored file (/etc/passwd): CAS Change Details, and the
current contents of the /etc/passwd file.


a. If you see too many entries in this report, click on the tool icon to configure Runtime
Parameters and enter /etc/passwd as the value for Monitored Item.


8. Simulate suspicious changes made to the monitored UNIX operating system file using the
terminal to access the VM database server.

a. Open a terminal session.

b. Type adduser YourName, type tail /etc/passwd to confirm the new entry, and then type
exit to exit.


9. Examine Reports to Demonstrate CAS Capabilities.

a. Go to Harden > Reports > CAS Changes again to run the report. Results may take a
minute or so. You will see a new entry in the report with the timestamp of the change that
added the user.

b. In the CAS Saved Data report, right-click on the last (most recent) entry and select
View Difference to inspect the changes.

c. Verify the differences. In this case, a new entry was added.

d. When you have finished reviewing the results, close the window.
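The /etc/passwd description above and the View Difference step in this section can both be illustrated with a small offline check. The following is an added example, not code from the IBM lab or from Guardium itself: it parses constructed /etc/passwd-style snapshots, computes a content digest (SHA-256 here, standing in for the MD5 level CAS offers), and reports which accounts were added, removed or modified between a baseline and a later snapshot. The user name yourname stands in for the YourName used in step 8, and the sample file contents and the oracle account are constructed for the example.

```python
# Added example (not part of the IBM lab): a minimal file-change audit over
# /etc/passwd-style content, in the spirit of the CAS Changes report.
import hashlib
from typing import Dict, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse name:passwd:uid:gid:gecos:home:shell lines, keyed by user name.

    Blank lines are ignored; a line with the wrong field count raises, so a
    truncated or corrupted snapshot is never silently treated as a clean one.
    """
    entries: Dict[str, PasswdEntry] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def digest(text: str) -> str:
    """Content digest of a snapshot (CAS offers an MD5 level; SHA-256 serves the same purpose)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_snapshots(baseline: str, current: str) -> dict:
    """Compare two snapshots of /etc/passwd and summarise what changed."""
    old = parse_passwd(baseline)
    new = parse_passwd(current)
    common = set(old) & set(new)
    return {
        "digest_changed": digest(baseline) != digest(current),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in common if old[n] != new[n]),
        # Any account other than root with UID 0 deserves a look during review.
        "extra_uid0": sorted(n for n, e in new.items() if e.uid == 0 and n != "root"),
    }


# Constructed sample data, standing in for the file on the lab's database server.
BASELINE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "oracle:x:1001:1001:Oracle owner:/home/oracle:/bin/bash\n"
)
# Constructed snapshot as the file would look after "adduser yourname" (step 8b).
AFTER_ADDUSER = BASELINE + "yourname:x:1002:1002::/home/yourname:/bin/bash\n"
# A second constructed snapshot: an existing account's UID edited to 0.
AFTER_UID_EDIT = BASELINE.replace("oracle:x:1001:1001", "oracle:x:0:1001")


def report(baseline: str, current: str) -> str:
    """Human-readable view of diff_snapshots, similar to the View Difference window."""
    d = diff_snapshots(baseline, current)
    if not d["digest_changed"]:
        return "no change"
    lines = [f"added={d['added']} removed={d['removed']} modified={d['modified']}"]
    if d["extra_uid0"]:
        lines.append(f"WARNING: non-root UID 0 accounts: {d['extra_uid0']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, AFTER_ADDUSER))
    print(report(BASELINE, AFTER_UID_EDIT))
```

The digest answers the question the CAS MD5 level answers (did the file change at all?), while the parsed comparison answers the question the View Difference window answers (what changed?). Keeping both is useful: a digest alone cannot tell an added user from a harmless reordering, and a field-level diff alone is slower to evaluate across many monitored files.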

10. (Optional) You can delete the user you added and check the difference in
/etc/passwd using the same CAS reports.

a. Open the Terminal.


b. Run the command userdel YourName

c. Check the content of the passwd file with tail /etc/passwd


Configuration Audit System (CAS) review

1. The CAS process runs on:

a. The InfoSphere Guardium Collector.

b. The database server.

c. The client PC.

d. A network switch.

2. CAS can detect and alert on changes as they happen. (True or False)

3. CAS would NOT be useful for monitoring which of the following:

a. OS script results.

b. Specific files.

c. All files matching a pattern.

d. Database script results.

e. Network activity.


4. CAS can add a substantial load to the database system. (True or False)

5. Multiple CAS templates can be assigned to a host. (True or False)

6. CAS cannot monitor files at which level:

a. MD5.

b. Owner/group, date modified, size.

c. Zip.

d. File text contents.


Configuration Audit System (CAS) review (Answers)

1. The CAS process runs on:

B – The database server.

2. CAS can detect and alert on changes as they happen. (True or False)

False.

3. CAS would NOT be useful for monitoring which of the following:

E – Network activity (since it may change frequently).

4. CAS can add a substantial load to the database system. (True or False)

False.

5. Multiple CAS templates can be assigned to a host. (True or False)

True.

6. CAS cannot monitor files at which level:

C – Zip.
