IBM Security Guardium V10.1 en

IBM Security Guardium V10.
IBM
Tables of Contents
Welcome 1
Product overview 1
IBM Guardium 1
What's new in this release 2
Release Notes 5
Getting Started 6
Getting Started with the User Interface 6
Customizing the User Interface 8
Quick start for monitoring and compliance 8
System View 9
Data Activity Monitoring 9
Policies and Rules 9
Workflows 9
Auditing 10
Classification 10
File Activity Monitoring 10
Overview and concepts for file activity monitoring 10
Prerequisites for file activity monitoring 11
High level workflow for file activity monitoring 12
Key Concepts and Tools 12
Queries and Reports 13
Access Control 13
User Roles 13
Groups 13
Data Archive and Purge 13
Guardium Installation Manager 14
Discover 14
Datasources 14
Creating a datasource definition 15
Working with existing datasources 19
Reporting on datasources 20
Defining a datasource using a service name 20
Managing KDC definitions 20
Cloud database service protection 21
Cloud database service protection workflow 22
AWS IAM definition 22
Create, modify, delete cloud accounts 23
Discover cloud databases 24
Catalog and manage databases 24
Manage Classification and Vulnerability Assessment 24
Configure database auditing 25
Modify limit of objects added automatically and collector
Enable auditing on one database
Disable auditing on one database
Starting and stopping DB audit ownership
Manage object auditing 27
Managing object audit in one database 27
Managing object audit in multiple databases 28
Database Auto-discovery 28
Classification 29
Classification Process Performance 30
Classification Rule Handling 30
Working with Classification Processes 31
Working with Classification Policies 32
Working with Classification Rules 32
Working with Classification Rule Actions 34
Discover Sensitive Data 35
Discovery scenarios 36
Name and description 36
What to discover 37
Rule Criteria 37
Actual Member Content 38
Where to search 39
Run discovery and review report 39
Audit 40
Scheduling 41
Regular Expressions 41
Discover and classify sensitive data in file servers 44
Installing and activating FAM components 44
File discovery and classification GIM parameters 45
Customizing FAM decision plans 47
Entitlement Optimization 48
Enable and configure entitlement optimization 49
Entitlement Optimization What's New 50
Entitlement Optimization Users and Roles 51
Entitlement Optimization Recommendations 51
Entitlement Optimization Browse entitlements 51
Entitlement Optimization What If 52
Protect 53
Baselines 53
Policies 56
Special pattern tests 58
Rule actions 58
Creating policies 63
Installing Policies 67
Rule definition fields 70
How to integrate custom rules with Guardium policy 73
How to use the appropriate Ignore Action 79
Character sets 80
Correlation Alerts 97
How to signify events through Correlation Alerts 99
Incident Management 102
How to manage the review of multiple database security incidents 103
Query rewrite 105
How query rewrite works 106
Using query rewrite 107
Enabling query rewrite 107
Creating query rewrite definitions 107
Testing query rewrite definitions 108
Defining a security policy to activate query rewrite 109
Creating a custom report to validate query rewrite results 109
File Activity policies and rules 110
File Activity Policies and rules functionality 110
Create a FAM policy and its rules from scratch 112
Creating a FAM policy rule from the Investigative Dashboard Entitlements tab 113
Monitor and Audit 113

Building audit processes 114
How to create an Audit Workflow 122
Open Workflow Process Results 125
How to distribute workflow through Guardium groups 125
Audit Process To-Do List 134
Audit and Report 134
External Data Correlation 135
Privacy Sets 140
Custom Alerting 141
Flat Log Process 142
Build Expression on Query condition 143
Database Entitlement Reports 143
User Identification 143
Identify Users via Application User Translation 144
Identify Users via API 148
Identify Users via Stored Procedures 151
Value Change Auditing 151
Create an Audit Database 153
Monitored Table Access 155
Quick start for compliance monitoring 156
Prerequisites for compliance monitoring 157
Set up compliance monitoring 158
Populate groups 159
Enable scanning for sensitive data 159
Understanding the compliance monitoring views 160
How to use PCI/DSS Accelerator to implement PCI compliance 161
Workflow Builder 165
How to create Customized Workflows 166
How to use Customized Workflows 167
Threat Detection Analytics 169
Characteristics of an SQL injection attack 169
Characteristics of a stored procedure attack 169
Enabling threat detection analytics 169
Working with case reports 170
Activating the audit process workflow for threat analytics 170
Working with threat diagnostic dashboards 171
Investigating SQL injection threats 171
Investigating stored procedure threats 172
Threat Detection Analytics Functions 172
Investigation Dashboards 177
Enabling and disabling the Investigation Dashboard 178
Enabling File Activity in the investigation dashboard 179
Accessing the investigative dashboard 179
Investigation Dashboard for data 179
Investigation Dashboard for files 180
Filtering data and saving filters in the investigation dashboard 181
Filtering an individual chart 182
Creating, saving, and exporting investigation dashboards 182
Using the topology view 182
Local and distributed search 183
Using Data In-Sight 183
Outliers Detection 185
Quick start for outlier detection 185
Enabling and disabling outliers detection on an Aggregator 186
Enabling and disabling outliers detection locally on a Collector 186
Interpreting data outliers in the investigation dashboard 187
Interpreting file activity outliers 189
Monitor the outlier mining status 190
Grouping users and objects for outlier detection 191
Excluding events from outlier detection 191
Data Protection Dashboard 192
Reports 193
Report parameters 196
Creating dashboards 196
Viewing a report 197
Refreshing reports 198
Exporting a report 198
Viewing Drill-Down Reports 199
Creating a report 199
Creating reports for z/OS 199
Data Mart 199
Audit and Report 208
Queries 208
Using the Query Builder 209
Query Conditions 211
Domains, Entities, and Attributes 213
Domains 214
Custom Domains 216
Entities and Attributes 223
Database Entitlement Reports 254
How to take advantage of predefined reports 263
Predefined Reports 266
Predefined admin reports 266
Predefined user Reports 284
Predefined Reports Common 290
How to ask questions of the data 292
How to report on dormant tables and columns 294
How to Generate API Call from Reports 297
How to use Constants within API Calls 301
How to use API Calls from Custom Reports 305
Optional External Feed 310
Mapping an External Feed 310
Distributed Report Builder 311
How to create a Distributed Report 315
Assess and harden 317

Introducing Guardium Vulnerability Assessment 318
Database privileges for vulnerability assessments and classification 321
Deploying VA for DB2 for i 321
Using VA with Cloudera 323
Vulnerability Assessment tests 326
Defining a query-based test 327
Defining a CAS-based test 328
Assessments 329
Creating an assessment 329
How to create a security assessment 330
Running an assessment 334
Viewing assessment results 335
Creating a VA test exception 336
VA summary 336
Required schema change 337
Assessing RACF vulnerabilities 337
Configuration Auditing System 338
Prerequisites, installing and running CAS on a Windows server 340
Prerequisites, installing and running CAS on a Linux, UNIX server 341
Locating Java home directory and checking version 342
CAS Start-up and Failover 342
CAS Templates 344
Working with CAS Templates 348
CAS Hosts 351
CAS Reporting 352
CAS Status 357
Configuring your Guardium system 358

System Configuration 359
Inspection Engine Configuration 361
Portal Configuration 364
Managing the TLS version 364
Generate New Layout 365
Configure Authentication 365
Global Profile 366
Alerter Configuration 370
Anomaly Detection 371
Session Inference 372
Block S-TAP connection to Guardium (S-TAP Certification) 372
IP to Hostname Aliasing 372
System Backup 372
Configuring patch backup 376
Configure Permission to Socket connection 376
Access Management Overview 376

Understanding Roles 378
Managing roles and permissions 379
How to create a role with minimal access 380
Manage Users 381
How to create a user with the proper entitlements to login to CLI 383
Importing Users from LDAP 384
Data Security - User Hierarchy and Database Associations 386
How to define User Hierarchies 387
Guardium UI Login using a Smart card 389
Aggregation and Central management 391

Aggregation 391
Central Management 397
Guardium Component Services 397
Implementing Central Management 400
Implementing Central Management in a New Installation 400
Registering Units 400
Unregistering a Managed Unit 401
Synchronizing Portal User Accounts 402
Implementing Central Management in an Existing Installation 402
Using Central Management Functions 403
Deployment health views 403
Configuring a central manager for the deployment health views 404
Deployment health topology and table views 405
Deployment health dashboard 407
Scenario: Troubleshooting overloaded systems using the deployment health topology view 409
Enterprise load balancing 409
Associating S-TAP with managed units for load balancing 410
Viewing the enterprise load balancing load map 411
Viewing an enterprise load balancing activity report 411
Enterprise load balancing configuration parameters 411
Deployment inventory 413
Resource deployment view 413
Creating managed unit groups 413
Monitoring Managed Units 413
Installing Security Policies on Managed Units 417
Central Patch Management 417
Working with configuration profiles 418
Distribute Configuration 418
Distribute Authentication Configuration 419
Central Manager Redundancy 419
Investigation Center 422
Managing your Guardium system 424

Guardium Administration 425
Certificates 425
Unit Utilization Level 427
Configuring unit utilization data processing 428
Customer Uploads 429
Services Status panel 432
Archive, Purge and Restore 432
Guardium catalog 437
How to manage backup and archiving 438
Exporting Results (CSV, CEF, PDF) 440
Export/Import Definitions 441
Distributed Interface 443
Manage Custom Classes 444
SSH Public Keys 445
How to install an appliance certificate to avoid a browser SSL certificate challenge 445
Self Monitoring 446
How to monitor the Guardium system via alerts 448
Monitoring with SNMP 452
Running Query Monitor 453
Groups 454
Groups Overview 454
Using the group builder 455
Creating and editing groups 455
Viewing group membership and where groups are used 456
Populating groups 456
Importing from external datasources 456
Using the group builder (legacy) 457
Creating a new group 457
Modifying a group 457
Populating groups 458
How to populate a group from LDAP 458
Populating a group from a query 460
Populating a group from stored procedures 460
Populating a group using database sources 461
Populating a group using database dependencies 461
Populating a group using reverse dependencies 462
Populating a group using observed procedures 462
Populating a group using generate selected object 463
Using groups in queries and policies 463
Example: Using groups to create rules and policies 463
Predefined Groups 464
Security Roles 468
Notifications 468
How to create a real-time alert 469
Custom Alerting Class Administration 470
Predefined Alerts 471
Scheduling 471
Aliases 472
Dates and Timestamps 473
Time Periods 475
Time Periods 475
Comments 475
How to install patches 476
Support Maintenance 478
Product integration 478
Configure BIG-IP Application Security Manager (ASM) to communicate with Guardium system 478
Hadoop Integration 478
Hadoop integration using a standard Guardium S-TAP 479
Recommendations and limitations 479
S-TAPs and inspection engines with Hadoop 480
Guardium policies and rules with Hadoop 481
Guardium reporting with Hadoop 481
Hadoop integration using Cloudera Navigator 482
Planning the integration with Cloudera Navigator 482
Configure the solution for monitoring 482
Configure Guardium and Cloudera Navigator communication 483
Hadoop integration using Hortonworks and Apache Ranger 483
Planning the integration with Hortonworks and Apache Ranger 484
Configure the solution for monitoring 485
Configure Guardium and Ranger communication 485
Install and configure S-TAPs 486
Enable monitoring for Hadoop services 486
PIM integration 487
QRadar and Guardium integration 488
OPTIM to Guardium Interface 490
Combining real-time alerts and correlation analysis with SIEM products 490
How to transfer sensitive data to InfoSphere Discovery 492
CEF Mapping 495
LEEF Mapping 497
Troubleshooting problems 498

Techniques for troubleshooting problems 498
Getting fixes from Fix Central 499
Contacting IBM Support 500
Basic information for IBM Support 500
Exchanging information with IBM 503
Subscribing to Support updates 504
Problems and solutions 504
User Interface 505
Changes are not saved when you add an inspection engine 505
HTTP error 403 505
Java.lang.IllegalStateException 505
Pages are not loading correctly 506
Policies 506
Query does not appear in the co-relation alert definition 506
Rule does not trigger 507
Redact function causes overly masked result 507
SSH sessions and automated CRON jobs that log in to your Oracle database are shown as failed logins 507
The Guardium internal database is filling up 508
Reports 508
Cannot modify the receiver table for an Audit Process after it has been executed at least once 509
Cannot see multi-byte characters 509
File system is almost full 509
Guardium audit reports viewed in Microsoft Excel have rows with unexpected characters 510
Reports show IP address as 0.0.0.0 510
Request was interrupted or quota exceeded error message 510
Rule does not trigger 507
Scheduled Job Exceptions every 5 minutes 511
Scheduled jobs exception: merge required, delay executing process 512
The database user is not shown correctly in Guardium reports when you monitor Teradata 512
Unexpected results in Guardium reports with embedded commands 513
Assess and Harden 513
CAS is not working with Java 1.7 on Windows 513
Vulnerability Assessment exception group members appear in failed test 513
Configuring your Guardium system 514
Cannot configure STAP after upgrade 514
Guardium fails to recognize the network device VMXNET x 515
Guardium network interface error after system board replacement 515
Guardium virtual machine is not accessible from the network 515
SSLv3 is enabled 516
Access Management 516
Cannot log in to Guardium except as admin or accessmgr 517
Guardium accessmgr password reset 517
Aggregation 517
Cannot convert Guardium collector to aggregator 518
Data Export configuration change from a Guardium managed system's GUI fails with error 518
Difference between audit process results and report 518
HY000 errors after restoring the configuration in an aggregator 519
Central Management 519
A user is disabled in a Guardium managed unit, but shows as enabled on Central Manager 519
Central Manager does not recognize the new version of upgraded units 520
Scheduled tasks do not fire at the scheduled time 520
Torque exception in Central Management view of GUI 521
S-TAPs and other agents 521
AIX 6.1 fails when you install or upgrade IBM Security Guardium S-TAP 521
Error opening shared memory area when you configure Guardium COMM_EXIT_LIST for DB2 522
Guardium fails to collect shared memory traffic from Informix 522
High CPU and I/O Use in Guardium STAP host 523
Missing information from the login packet 523
Nanny process is killing sniffer 524
Sniffer cannot connect to UNIX S-TAP 524
UNIX S-TAP cannot start 524
S-TAP does not start automatically on Linux 525
S-TAP returns not FIPS 140-2 compliant 525
The K-TAP kernel module is still present after the uninstallation of S-TAP 526
UNIX S-TAP cannot read more than 16 inspection engines 526
Windows S-TAP service crashes on startup with error ID 1000 527
z/OS S-TAP fails to show active the Guardium system 527
GIM 527
Error installing the Guardium Installation Manager (GIM) 527
Guardium Installation Manager (GIM) service does not start in Windows 528
File activity 528
File activity is not logged in investigation dashboard or reports 528
File activity from removable disk is not logged in investigation dashboard 528
File activity appears in reports but not the investigation dashboard 529
Some files missing from classification results 529
Partial file discovery (entitlement) results in reports and investigation dashboard 529
File classification results are missing from reports and investigation dashboard 529
FAM bundle fails to install 530
Installing Your Guardium System 530
Checksum error during S-TAP installation 530
Guardium S-TAP returns an illegal cp: option - f error message 530
Installing a new Guardium patch does not complete 531
Missing file or directory after new Guardium S-TAP installation 531
Partition error installing Guardium 532
Patch installation fails: No such file or directory 532
Windows: S-TAP user's guide 533

Windows: Install, Upgrade, Uninstall S-TAP 533
Windows: S-TAP support matrix 533
Windows: Prerequisites: installing S-TAP 534
Windows: S-TAP disk space requirements 534
Windows: Guardium port requirements for S-TAP 534
Windows: Installing an S-TAP agent 534
Windows: Installing S-TAP agent with GIM (v10.1.4) 535
Windows: Installing S-TAP agent with GIM (v10.1-10.1.3) 536
Windows: S-TAP GIM installation parameters 537
Windows: Installing S-TAP agent using the interactive installer 537
Windows: Installing S-TAP agent using the command line interface 538
Windows: S-TAP command line installation parameters 539
Windows: S-TAP installation flow on Oracle RAC 540
Windows: Upgrading and Removing an S-TAP 540
Windows: When to restart or reboot the database after S-TAP installation or upgrade 541
Windows: Configuring S-TAP 541
Windows: Configure S-TAP from the GUI 541
Windows: Discover database instances 542
Windows: Configuring an Inspection Engine 542
Windows: Inspection engine verification 543
Windows: S-TAP verification 543
Windows: Configure standard verification 544
Windows: Configure advanced verification 544
Windows: Configuring the S-TAP verification schedule 544
Windows: S-TAP Load Balancing models and configuration guidelines 545
Windows: Set up S-TAP authentication with SSL certificates 545
Windows: Generating certificate signing request (CSR) on Guardium system 546
Windows: Installing an SSL certificate generated outside of the Guardium system 548
Windows: Configuring the S-TAP to use x.509 certificate authentication 551
Windows: Using DB2 exit library 552
Windows: Editing the S-TAP configuration parameters 552
Windows: Guardium Hosts (SQLGuard) parameters 553
Windows: General parameters 553
Windows: Inspection engine parameters 556
Windows: Firewall parameters 557
Windows: Query rewrite parameters 559
Windows: Discovery parameters 559
Windows: Debug parameters 559
Windows: Configuration Auditing System (CAS) parameters 560
Windows: Driver parameters 561
Windows: S-TAP operation and performance 561
Windows: Starting S-TAP using GIM 561
Windows: Stopping S-TAP using GIM 562
Windows: Starting S-TAP without GIM 562
Windows: Stopping S-TAP without GIM 562
Windows: Monitoring S-TAP in the GUI 563
Windows: S-TAP statistics 563
Windows: Monitoring with the Guardium Agent Monitor 563
Windows: Troubleshooting S-TAP problems 565
Linux and UNIX systems: S-TAP user's guide 566

Linux and UNIX systems: S-TAP functionality 567
Linux and UNIX systems: S-TAP support matrix 567
Linux and UNIX systems: Linux, Solaris, AIX, and HP-UX S-TAP monitoring mechanisms 569
Linux and UNIX systems: S-TAP to collector encryption 570
Linux and UNIX systems: UID chains 570
Linux and UNIX systems: Proxy firewall 570
Linux and UNIX systems: Installing S-TAP agents 570
Linux and UNIX systems: S-TAP installation prerequisites 571
Linux and UNIX systems: Database version and directory requirements 571
Linux and UNIX systems: Disk space requirements for S-TAP 572
Linux and UNIX systems: Port requirements for S-TAP 572
Linux and UNIX systems: System details and checks 572
Linux and UNIX systems: Install the S-TAP agent 572
Linux and UNIX systems: Installing the S-TAP client with GIM (v10.1.4) 573
Linux and UNIX systems: Installing S-TAP agent with GIM (v10.1-10.1.3) 574
Linux and UNIX systems: S-TAP GIM installation parameters 575
Linux and UNIX systems: Installing and updating S-TAP using RPM 575
Linux and UNIX systems: Installing the S-TAP client using the shell installer 577
Linux and UNIX systems: S-TAP install script parameters 578
Linux and UNIX systems: Install and uninstall S-TAP with native installers 578
Linux and UNIX systems: Installing and uninstalling S-TAP with AIX native installer 579
Linux and UNIX systems: Installing and uninstalling S-TAP with HP-UX native installer 579
Linux and UNIX systems: Installing and uninstalling the S-TAP with Solaris native installer 580
Linux and UNIX systems: When to restart or reboot after S-TAP install or upgrade 580
Linux and UNIX systems: Work with K-TAP 581
Linux and UNIX systems: Understanding K-TAP 581
Linux and UNIX systems: Building a K-TAP 581
Linux and UNIX systems: Copying a new K-TAP module to other systems 582
Linux and UNIX systems: Enable K-TAP after installation if Tee was installed by default 582
Linux and UNIX systems: Special environments configuration 582
Linux and UNIX systems: Solaris Zones S-TAP configuration 582
Linux and UNIX systems: Oracle RAC S-TAP configuration 583
Linux and UNIX systems: Configure S-TAP for DB2 WPAR 583
Linux and UNIX systems: Activate A-TAP on all nodes of a DB2 Cluster 585
Linux and UNIX systems: Configure delayed cluster disk mounting 585
Linux and UNIX systems: Uninstalling an S-TAP 585
Linux and UNIX systems: Upgrading S-TAP and K-TAP 586
Linux and UNIX systems: Configuring S-TAP 587
Linux and UNIX systems: Configure S-TAP from the GUI 587
Linux and UNIX systems: Discover database instances 588
Linux and UNIX systems: Configuring an Inspection Engine 589
Linux and UNIX systems: Inspection engine verification 589
Linux and UNIX systems: S-TAP verification 589
Linux and UNIX systems: Configure standard verification 590
Linux and UNIX systems: Configure advanced verification 590
Linux and UNIX systems: Configuring the S-TAP verification schedule 590
Linux and UNIX systems: S-TAP Load Balancing models and configuration guidelines 591
Linux and UNIX systems: Set up S-TAP authentication with SSL certificates 591
Linux and UNIX systems: Generating certificate signing request (CSR) on Guardium system 592
Linux and UNIX systems: Installing an SSL certificate generated outside of the Guardium system 594
Linux and UNIX systems: Configuring the S-TAP to use x.509 certificate authentication 597
Linux and UNIX systems: Increasing S-TAP throughput 598
Linux and UNIX systems: Kerberos-authenticated database traffic 598
Linux and UNIX systems: Kerberos authentication supported databases 599
Linux and UNIX systems: Enabling the Kerberos plugin 599
Linux and UNIX systems: Configuring the Kerberos plugin 599
Linux and UNIX systems: Finding the Kerberos configuration parameters for Oracle 600
Linux and UNIX systems: Finding the Kerberos configuration parameters for Sybase 600
Linux and UNIX systems: A-TAP management 601
Linux and UNIX systems: Preparing for A-TAP configuration and maintenance 601
Linux and UNIX systems: A-TAP configuration and activation 602
Linux and UNIX systems: A-TAP activate, deactivate and DB stop, restart guidelines 603
Linux and UNIX systems: guardctl utility commands for A-TAP 603
Linux and UNIX systems: guardctl return codes 604
Linux and UNIX systems: Database-specific guardctl parameters 605
Linux and UNIX systems: Oracle-specific guardctl parameters 605
Linux and UNIX systems: Sybase-specific guardctl parameters 606
Linux and UNIX systems: DB2-specific guardctl parameters 607
Linux and UNIX systems: Informix-specific guardctl parameters 607
Linux and UNIX systems: Postgres-specific guardctl parameters 608
Linux and UNIX systems: Deactivating A-TAP 608
Linux and UNIX systems: Configuring and Activating A-TAP in Special Environments 608
Linux and UNIX systems: Installing and activating A-TAP in Zones and WPARs environment 609
Linux and UNIX systems: Deactivate and uninstall A-TAP in Zones and WPARs environment 609
Linux and UNIX systems: Upgrading A-TAP in Zones and WPARs environment 610
Linux and UNIX systems: Configure and activate A-TAP steps for Teradata database 611
Linux and UNIX systems: Oracle configuration for A-TAP 612
Linux and UNIX systems: Troubleshooting A-TAP configuration issues 612
Linux and UNIX systems: Using Exit libraries 613
Linux and UNIX systems: DB2 Exit integration with S-TAP 613
Linux and UNIX systems: Informix Exit integration with UNIX S-TAP 615
Linux and UNIX systems: Teradata Exit integration 617
Linux and UNIX systems: Editing the S-TAP configuration parameters 617
Linux and UNIX systems: Guardium Hosts (SQLGuard) parameters 618
Linux and UNIX systems: General parameters 619
Linux and UNIX systems: Inspection engine parameters 623
Linux and UNIX systems: Firewall parameters 624
Linux and UNIX systems: Query rewrite parameters 627
Linux and UNIX systems: Server-side masking (SSM) parameters 627
Linux and UNIX systems: Discovery parameters 628
Linux and UNIX systems: Application server parameters 628
Linux and UNIX systems: Hadoop parameters 630
Linux and UNIX systems: Configuration Auditing System (CAS) parameters 631
Linux and UNIX systems: Debug parameters 632
Linux and UNIX systems: K-TAP parameters 632
Linux and UNIX systems: S-TAP operation and performance 634
Linux and UNIX systems: Stop S-TAP using GIM 634
Linux and UNIX systems: Restart S-TAP using GIM 635
Linux and UNIX systems: Stop S-TAP without GIM 635
Linux and UNIX systems: Restart S-TAP without GIM 635
Linux and UNIX systems: S-TAP logs 636
Linux and UNIX systems: How S-TAP/GIM processes are initialized by different OS types/versions 636
Linux and UNIX systems: Determine the S-TAP version 638
Linux and UNIX systems: Increasing S-TAP throughput 598
Linux and UNIX systems: Monitoring S-TAP in the GUI 638
Linux and UNIX systems: S-TAP statistics 639
Linux and UNIX systems: S-TAP Monitor (guard_monitor) 639
Linux and UNIX systems: Troubleshooting S-TAP problems 642
DB2 for IBM i S-TAP 643

Monitoring strategy 644
Installing the S-TAP for IBM i 645
Defining the S-TAP for IBM i 646
Guardium Installation Manager 646

Quick start for deploying monitoring agents 647
Prerequisites for deploying monitoring agents 648
Deploy monitoring agents 648
Managing software with GIM 649
Set up by Client 649
GIM user interfaces 650
GIM command line interface 653
GIM Server Allocation 655
Installing the GIM client on a Windows server 657
Installing the GIM client on a UNIX server 659
Uninstalling GIM and its modules on a UNIX database 659
Upgrading the GIM client 659
Using groups with GIM 660
Copying a K-TAP module by using GIM 660
GIM dynamic updating 660
When you upgrade your database server operating system 661
Distributing GIM bundles to managed units 661
Removing unused GIM bundles 662
Running GIM diagnostics 662
Debugging GIM operations 663
Restarting the supervisor for Solaris with SMF support 663
Installing your Guardium system 663

Operating modes 664
License keys 664
Hardware Requirements 665
Guardium port requirements 665
Step 1. Assemble the following before you begin 668
SAN storage devices 668
Step 2. Set up the physical or virtual appliance 669
Physical Appliance 669
How to identify eth0 and other network ports 669
Default passwords for physical appliances 669
Virtual appliance 670
Step 3. Install the Guardium image 670
Step 4. Set up initial and basic configuration 670
Set the primary system IP address 671
Set the Default Router IP Address 671
Set DNS Server IP Address 671
SMTP Server 671
Set Host and Domain Names 671
Set the Time Zone, Date and Time 671
Set the Initial Unit Type 672
Reset Root Password 672
Validate All Settings 672
Reboot the System 673
Step 5. What to do next 673
Verify Successful Installation 673
Set Unit Type 673
Install license keys 673
Install maintenance patches (if available) 674
Additional Steps (optional) 675
Creating the Virtual Image 675
VMware Infrastructure Overview 675
VM Installation Overview 675
Creating a Hyper-V Virtual Machine 678
Custom Partitioning 679
How to partition with an encrypted LVM 680
Example of SAN Configuration 680
Upgrading your Guardium System 682

Planning an upgrade 683
Choosing an upgrade method 683
Mixed-version environments during an upgrade 684
Upgrading with central managers and aggregators 684
Common upgrade tasks 685
Purge system data 685
Patch installation, distribution, and monitoring 685
Track installation progress with diag 686
Verify and cleanup after the upgrade 686
Upgrading a 32-bit environment 687
Upgrading a 32-bit central manager 687
Upgrade 32-bit managed units 688
Upgrading a 64-bit environment 689
Upgrading a 64-bit central manager 689
Upgrading a 32-bit environment with a backup central manager 690
Upgrading a 32-bit backup central manager 691
Upgrade old 32-bit primary central manager 692
Upgrading a 64-bit environment with a backup central manager 694
Upgrading a 64-bit backup central manager 694
Upgrade old 64-bit primary central manager 695
CLI and API 697

CLI Overview 697
Aggregator CLI Commands 699
Alerter CLI Commands 702
Certificate CLI Commands 704
Configuration and Control CLI Commands 708
diag CLI command 729
File Handling CLI Commands 738
Inspection Engine CLI Commands 745
Investigation Dashboard CLI Commands 747
Network Configuration CLI Commands 748
Support CLI Commands 753
System CLI Commands 760
User Account, Password and Authentication CLI Commands 766
GuardAPI Reference 771
GuardAPI Archive and Restore Functions 775
GuardAPI Assessment Functions 780
GuardAPI Auto-discovery Functions 785
GuardAPI Catalog Entry Functions 791
GuardAPI Classification Functions 795
GuardAPI Cloud Datasource Functions 818
GuardAPI Database User Functions 821
GuardAPI Datasource Functions 824
GuardAPI Datasource Reference Functions 837
GuardAPI Data User Security Functions 841
GuardAPI Enterprise Load Balancing Functions 846
GuardAPI Entitlement Optimization Functions 847
GuardAPI External Feed Functions 849
GuardAPI File Activity Monitor Functions 850
GuardAPI GIM Functions 855
GuardAPI Group Functions 870
GuardAPI Input Generation 881
GuardAPI Investigation Dashboard Functions 891
GuardAPI Native Audit Functions 892
GuardAPI Outliers Detection Functions 894
GuardAPI Process Control Functions 895
GuardAPI Query Rewrite Functions 917
GuardAPI Role Functions 933
GuardAPI S-TAP functions 939
GuardAPI Threat Detection Analytics Functions 172
S-TAP for z/OS V10.1.3 User's Guide 954

IBM Security Guardium S-TAP for Db2 on z/OS 954
IBM Security Guardium S-TAP for Db2 on z/OS overview 955
What's new in IBM Security Guardium S-TAP for Db2 on z/OS V10.1.3? 955
The IBM Security Guardium S-TAP for Db2 on z/OS installation environment 955
Installation and operation requirements 956
Compatibility with IBM Db2 Query Monitor for z/OS and other products 957
Required user ID authorizations 957
Configuring IBM Security Guardium S-TAP for Db2 on z/OS 958
Upgrading from previous versions of InfoSphere Guardium S-TAP for DB2 958
Configuring IBM Security Guardium S-TAP for Db2 on z/OS 958
APF authorizing the LOAD library data set 959
Enabling the dynamic LPA facility service CSVDYLPA 959
Service class considerations 959
Customizing JCL members 960
Creating the IBM Guardium S-TAP for Db2 control file 960
Configuring the IBM Guardium S-TAP for Db2 control file 960
Required statements for each subsystem 961
Configuring the collector agent 961
Configuring the JCL for ADHBIND 961
Configuring the JCL for ADHGRANT 961
Configuring the ADHCFGP data set 961
Defining the collector agent started task JCL 962
Configuring the collector agent for additional Db2 subsystems 963
Support Services Address Space overview 963
Usage considerations for the Master Address Space 964
Stopping the Master Address Space 964
Enabling CICS Login User ID reporting 964
Data collection 964
Data collection process 965
Collection policy 965
Collected event types 965
Audit data for Db2 Utilities 966
Filtering 966
Event types and filtering 967
Filtering by database name 968
Filter wildcard support 968
Policy pushdown 968
Streaming audit data to multiple systems 969
Starting and stopping the collector agent 969
Including or excluding failed accesses and negative SQL code 969
Quarantining SQL activity 970
SQL Blocking 970
Controlling host variable collection 970
Collecting Command activity by using the Audit SQL Collector 971
Collecting SET CURRENT SQLID events by using the Audit SQL Collector 971
Reference information 971
Sample library members 971
MODIFY command 972
S-TAP logging 974
Collector agent parameters 974
Keeping connections active when HOT_FAILOVER is enabled 983
Collector agent sample parameter file 984
ADHEMAC1 edit macro variables 984
Messages and codes for IBM Security Guardium S-TAP for DB2 on z/OS 985
Error messages 985
Error messages and codes: ADHAxxx 985
ADHA507E 985
Error messages and codes: ADHGxxx 986
ADHG000I 987
ADHG001I 987
ADHG002I 987
ADHG003I 987
ADHG004W 988
ADHG005S 988
ADHG006E 988
ADHG007E 988
ADHG008S 988
ADHG009I 988
ADHG010I 989
ADHG011E 989
ADHG012E 989
ADHG013I 989
ADHG014I 989
ADHG015W 989
ADHG017W 990
ADHG018I 990
ADHG019S 990
ADHG020I 990
ADHG021E 990
ADHG022I 990
ADHG026W 991
ADHG027I 991
ADHG030I 991
ADHG031I 991
ADHG097E 991
ADHG098I 991
ADHG099E 992
ADHG210I 992
ADHG501E 992
ADHG502E 992
ADHG503E 992
ADHG550E 992
ADHG510E 992
ADHG511E 993
ADHG512E 993
ADHG513E 993
ADHG514E 993
ADHG515E 993
ADHG516E 993
ADHG517E 994
ADHG520W 994
ADHG521W 994
ADHG522E 994
Error messages and codes: ADHIxxxx 994
ADHI026W 995
ADHI031I 995
ADHI530E 995
ADHI531W 995
ADHI612E 995
ADHI613E 996
ADHI697E 996
ADHI699E 996
Error messages and codes: ADHKxxxx 996
ADHK001I 996
ADHK002I 997
ADHK004I 997
ADHK005W 997
ADHK101I 997
ADHK102I 997
ADHK103I 997
ADHK104I 998
ADHK105I 998
ADHK106I 998
ADHK110I 998
ADHK111I 998
ADHK203I 998
ADHK204I 999
ADHK205I 999
Error messages and codes: ADHPxxxx 999
ADHP000I 1002
ADHP001I 1002
ADHP002I 1002
ADHP003I 1002
ADHP004W 1002
ADHP005S 1002
ADHP006E 1002
ADHP007E 1003
ADHP008S 1003
ADHP009I 1003
ADHP010I 1003
ADHP012I 1003
ADHP013I 1003
ADHP015W 1004
ADHP017W 1004
ADHP018I 1004
ADHP019S 1004
ADHP020I 1004
ADHP021E 1004
ADHP022I 1005
ADHP023I 1005
ADHP026W 1005
ADHP028E 1005
ADHP030I 1005
ADHP031I 1005
ADHP093E 1006
ADHP094E 1006
ADHP095E 1006
ADHP096E 1006
ADHP097E 1006
ADHP099E 1006
ADHP101W 1007
ADHP102E 1007
ADHP110I 1007
ADHP111I 1007
ADHP120I 1007
ADHP121I 1007
ADHP122I 1008
ADHP123I 1008
ADHP124I 1008
ADHP125I 1008
ADHP126I 1008
ADHP130I 1008
ADHP131I 1009
ADHP140I 1009
ADHP141I 1009
ADHP142I 1009
ADHP143I 1009
ADHP144I 1009
ADHP145I 1009
ADHP146I 1010
ADHP150I 1010
ADHP151I 1010
ADHP160I 1010
ADHP161I 1010
ADHP162I 1010
ADHP163I 1011
ADHP164I 1011
ADHP165I 1011
ADHP166I 1011
ADHP167I 1011
ADHP168I 1011
ADHP170I 1012
ADHP179E 1012
ADHP180I 1012
ADHP183E 1012
ADHP182I 1012
ADHP183I 1012
ADHP184I 1012
ADHP185I 1013
ADHP186I 1013
ADHP188I 1013
ADHP189W 1013
ADHP190W 1013
ADHP191W 1013
ADHP192E 1014
ADHP193I 1014
ADHP200E 1014
ADHP201E 1014
ADHP203E 1014
ADHP204E 1015
ADHP205E 1015
ADHP206E 1015
ADHP207E 1015
ADHP208E 1015
ADHP209E 1015
ADHP210I 1015
ADHP211W 1016
ADHP212W 1016
ADHP213E 1016
ADHP214E 1016
ADHP215E 1016
ADHP216W 1016
ADHP217W 1017
ADHP218W 1017
ADHP220I 1017
ADHP250E 1017
ADHP550E 1017
Error messages and codes: ADHQxxxx 1018
ADHQ1000E 1021
ADHQ1001I 1022
ADHQ1002I 1022
ADHQ1003E 1022
ADHQ1004I 1022
ADHQ1005I 1022
ADHQ1006E 1022
ADHQ1007E 1023
ADHQ1010I 1023
ADHQ1011I 1023
ADHQ1016E 1023
ADHQ1017E 1023
ADHQ1019I 1023
ADHQ1020E 1024
ADHQ1024E 1024
ADHQ1026E 1024
ADHQ1027I 1024
ADHQ1028E 1024
ADHQ1031E 1024
ADHQ1032I 1025
ADHQ1033E 1025
ADHQ1034I 1025
ADHQ1035E 1025
ADHQ1055E 1025
ADHQ1060I 1025
ADHQ1061E 1026
ADHQ1062E 1026
ADHQ1062I 1026
ADHQ1065E 1026
ADHQ1066E 1026
ADHQ1070E 1026
ADHQ1071E 1027
ADHQ1080I 1027
ADHQ1081I 1027
POLICY PUSH DETECTED. 1027
ADHQ1083I 1027
ADHQ1084I 1027
ADHQ1085I 1028
ADHQ1086I 1028
ADHQ1086E 1028
ADHQ1153E 1028
ADHQ1202I 1028
ADHQ1203I 1028
ADHQ1204I 1029
ADHQ1205E 1029
ADHQ1209I 1029
ADHQ1210E 1029
ADHQ1211I 1029
ADHQ1212E 1030
ADHQ1213W 1030
ADHQ1214W 1030
ADHQ1215W 1030
ADHQ1216E 1030
ADHQ1217W 1031
ADHQ1218W 1031
ADHQ1219W 1031
ADHQ1500E 1031
ADHQ2001E 1031
ADHQ2002E 1032
ADHQ2003I 1032
ADHQ2005I 1032
ADHQ2008E 1032
ADHQ2009E 1032
ADHQ2010I 1033
ADHQ2013I 1033
ADHQ2014I 1033
ADHQ2015I 1033
ADHQ2016I 1033
ADHQ2017I 1033
ADHQ2018I 1034
ADHQ2019I 1034
ADHQ2020I 1034
ADHQ2100E 1034
ADHQ2101E 1034
ADHQ2103E 1034
ADHQ2110E 1035
ADHQ2111E 1035
ADHQ2402I 1035
ADHQ2403I 1035
ADHQ2408E 1035
ADHQ2601E 1035
ADHQ2603E 1036
ADHQ3001I 1036
ADHQ3002I 1036
ADHQ3003I 1036
ADHQ3005I 1036
ADHQ3006I 1036
ADHQ3192E 1037
ADHQ3192I 1037
ADHQ3200I 1037
ADHQ3201I 1037
ADHQ3202I 1037
ADHQ3203I 1038
ADHQ3204I 1038
ADHQ3205I 1038
ADHQ3206I 1038
ADHQ3207I 1038
ADHQ3208I 1038
ADHQ3209I 1039
ADHQ3210I 1039
ADHQ3211I 1039
ADHQ3212I 1039
ADHQ3213I 1039
ADHQ3214I 1039
ADHQ3215I 1040
ADHQ3216I 1040
ADHQ3240I 1040
ADHQ3241I 1040
ADHQ3242I 1040
ADHQ3243I 1040
ADHQ3244I 1041
ADHQ3245I 1041
ADHQ3250I 1041
ADHQ3251I 1041
ADHQ3252I 1041
ADHQ3308E 1041
ADHQ3315E 1042
ADHQ3402I 1042
ADHQ3551E 1042
ADHQ3552E 1042
ADHQ3553E 1042
ADHQ4001E 1043
ADHQ4003E 1043
ADHQ5010I 1043
ADHQ5011I 1043
ADHQ5012I 1043
ADHQ5013I 1043
ADHQ6101E 1044
ADHQ6102E 1044
ADHQ7001E 1044
ADHQ7008E 1044
ADHQ7009E 1044
ADHQ7010E 1044
ADHQ7011E 1045
ADHQ7015E 1045
ADHQ7016E 1045
ADHQ8001E 1045
ADHQ8002E 1045
ADHQ8003E 1045
ADHQ8004E 1046
ADHQ8005E 1046
ADHQ8006E 1046
ADHQ8007E 1046
ADHQ8008E 1046
ADHQ8009E 1046
ADHQ8010E 1047
ADHQ8011E 1047
ADHQ8012E 1047
ADHQ8013E 1047
ADHQ8014E 1047
ADH8022I 1047
ADH9899I 1048
IBM Security Guardium S-TAP for IMS on z/OS 1048
IBM Security Guardium S-TAP for IMS on z/OS 1048
What does IBM Security Guardium S-TAP for IMS on z/OS V10.1.3 do? 1048
What's new in IBM Security Guardium S-TAP for IMS on z/OS V10.1.3? 1049
IBM Guardium S-TAP for IMS components 1049
IBM Guardium system 1049
IBM Guardium S-TAP for IMS agent 1050
Installing IBM Security Guardium S-TAP for IMS on z/OS 1050
Hardware and software prerequisites 1050
User ID authorities that are required for installation 1050
IBM Security Guardium S-TAP for IMS on z/OS security 1050
APF authorization 1051
OMVS segment 1051
TCP/IP connections 1051
z/OS log streams 1051
IMS RESLIB data sets 1052
SMF and IMS archive log data sets 1052
DBRC RECON data sets 1052
Operator commands 1052
Quarantining Database DLI calls 1052
Configuration overview 1052
Upgrading from Guardium S-TAP for IMS V9.0 1053
Upgrading from Guardium S-TAP for IMS V9.1 or V10.0 1053
Planning your configuration and customizing your environment 1054
Customizing the ISPF edit macro 1054
Job cards for the sample JCL in the SAMPLIB 1055
Setting up z/OS log streams 1055
Log stream security 1055
XCF-based log streams 1055
DASD-based log streams 1057
Configuring the IBM Security Guardium S-TAP for IMS on z/OS agent 1058
Customizing the agent configuration files 1058
Agent configuration 1066
Customizing the agent JCL 1066
Starting and stopping the agent 1066
Agent security considerations 1067
Modifying the frequency of AUIJ012I messages 1067
Setting up an IMS environment for auditing 1067
Security consideration for IMS processing 1067
Customizing IMS environments to capture DLI calls 1067
Customizing IMS cataloged procedures 1067
Coexisting with other DFSFLGX0 and DFSISVI0 Exit routines 1068
Defining LOGWRT exits 1068
Customizing IMS to use a System z Integrated Information Processor (ZzIIP) 1069
Copying common load modules from SAUILOAD to SAUIIMOD 1069
Configuring APP_EVENT support 1069
APP_EVENT examples 1069
Using agent configuration keywords 1070
Simulation mode 1072
Specifying multiple SMF data set masks 1072
Disabling SMF auditing at the agent level 1072
Controlling the frequency of SMF z/OS catalog queries 1073
Changing the retention period of incomplete SMF events 1073
Changing the name of the SMF address space JCL 1073
Auditing IMS data set access 1073
Changing the types of events that are audited using SMF records 1073
Using alternate RECON data sets for SMF and SLDS processing 1074
Overriding the range of ports used for communication between address space 1074
Overriding the TCP/IP DNS resolver table 1074
Specifying agent messages to issue to the operator console 1075
Creating a spill area for short-term outages 1075
Disabling IMS SLDS auditing at the agent level 1075
Controlling the frequency with which IMS System Log Data Sets are allocated and read 1076
Changing the name of the IMSL address space JCL 1076
Changing the types of events audited using IMS SLDS records 1076
Changing the name of the Common Memory Management address space JCL 1076
Excluding DLI calls on specific LPARS from being audited 1076
Running more than one agent in a SYSPLEX 1077
Restricting auditing to specific IMS systems when multiple IMS systems share RECON data sets 1077
Using the System z Integrated Information Processor (zIIP) 1077
Using multiple Guardium systems 1078
Providing Guardium system failover 1078
Streaming to multiple Guardium systems 1078
IBM Security Guardium S-TAP for IMS on z/OS agent reference information 1079
Agent environment 1080
APF authorization 1080
Agent job output 1080
Stopping the agent 1080
Starting and stopping the secondary address spaces 1080
Data collection 1081
IMS database DLI calls 1081
SMF records 1081
Records from IMS system log data sets (SLDS) 1082
Filtering stages 1082
Stage 0 filtering 1083
Policy pushdown 1083
Creating and modifying IMS definitions 1084
Navigating to the IMS Definitions panel 1084
IMS Definition fields 1084
IMSPLEX data sharing and XRF considerations 1085
Adding an IMS definition 1085
Modifying an IMS definition 1085
Deleting an IMS definition 1085
Data collection monitors 1086
IMS Logtypes and SMF record types that are collected by InfoSphere Guardium S-TAP for IMS 1087
Fields that are used for IMS policy pushdown 1088
Sizing the z/OS System Logger Log Stream for IBM Guardium S-TAP for IMS 1089
Calculating the Optimal Log Stream Size 1089
Considerations 1089
Using IBM Documentation 1090
Pertinent Report Fields 1090
Additional Resources 1090
XML statement definitions 1090
Sample XML file 1093
AUIA060W 1094
Troubleshooting 1094
Messages and codes for IBM Security Guardium S-TAP for IMS on z/OS 1094
Error messages and codes: AUIAxxxx 1095
AUIA003E 1096
AUIA004E 1096
AUIA005I 1096
AUIA006I 1096
AUIA007I 1096
AUIA008I 1097
AUIA009E 1097
AUIA010E 1097
AUIA021I 1097
AUIA022I 1097
AUIA023I 1097
AUIA024I 1098
AUIA027E 1098
AUIA028S 1098
AUIA029I 1098
AUIA030I 1098
AUIA031I 1099
AUIA033I 1099
AUIA034S 1099
AUIA035W 1099
AUIA036I 1099
AUIA037I 1099
AUIA038S 1099
AUIA041I 1100
AUIA042W 1100
AUIA043I 1100
AUIA044I 1100
AUIA045I 1100
AUIA048I 1100
AUIA049W 1101
AUIA050W 1101
AUIA051I 1101
AUIA052I 1101
AUIA053I 1102
AUIA054I 1102
AUIA055I 1102
AUIA056I 1102
AUIA057I 1102
AUIA058I 1102
AUIA059I 1103
AUIA060W 1103
AUIA061I 1103
Error messages and codes: AUIBxxxx 1103
AUIB300I 1104
AUIB302I 1104
AUIB305I 1104
AUIB306E 1104
AUIB700I 1105
Error messages and codes: AUIFxxxx 1105
AUIF002I 1105
AUIF003E 1105
AUIF501I 1106
AUIF502I 1106
AUIF503I 1106
AUIF505I 1106
AUIF506I 1106
AUIF507E 1107
AUIF508I 1107
AUIF702I 1107
Error messages and codes: AUIGxxxx 1107
AUIG001S 1108
AUIG002S 1108
AUIG003S 1108
AUIG004S 1108
AUIG005S 1109
AUIG006S 1109
AUIG014E 1109
AUIG015W 1109
AUIG016S 1109
AUIG017S 1110
AUIG018S 1110
AUIG045E 1110
AUIG046E 1110
AUIG047E 1110
AUIG048E 1110
AUIG049E 1111
AUIG050E 1111
AUIG051I 1111
AUIG052I 1111
AUIG053I 1111
AUIGF120I 1112
AUIGF201I 1112
AUIGF202I 1112
Error messages and codes: AUIIxxxx 1112
AUII017I 1113
AUII018E 1114
AUII019E 1114
AUII020E 1114
AUII021E 1114
AUII022E 1114
AUII023E 1115
AUII024E 1115
AUII025E 1115
AUII026E 1115
AUII027E 1115
AUII028E 1116
AUII029E 1116
AUII031E 1116
AUII038E 1116
AUII040E 1117
AUII041E 1117
AUII042W 1117
AUII043W 1117
AUII044E 1117
AUII046E 1118
AUII049E 1118
AUII050I 1118
AUII052I 1119
AUII055I 1119
AUII056I 1119
AUII057I 1119
AUII058A 1119
AUII060W 1120
AUII061I 1120
AUII120I 1120
AUII172I 1120
AUII173E 1121
AUII174E 1121
AUII175I 1121
AUII176E 1121
AUII177E 1121
AUII178E 1122
Error messages and codes: AUIJxxxx 1122
AUIJ005W 1124
AUIJ006E 1124
AUIJ007E 1124
AUIJ008I 1124
AUIJ009E 1124
AUIJ010I 1125
AUIJ011I 1125
AUIJ012I 1125
AUIJ013E 1126
AUIJ014E 1126
AUIJ015E 1126
AUIJ016E 1126
AUIJ017I 1126
AUIJ018W 1127
AUIJ019E 1127
AUIJ020I 1127
AUIJ021W 1127
AUIJ022W 1127
AUIJ023E 1128
AUIJ024W 1128
AUIJ042W 1128
AUIJ044W 1128
AUIJ055I 1129
AUIJ056I 1129
AUIJ057W 1129
AUIJ058W 1129
AUIJ201E 1129
AUIJ202E 1130
AUIJ203E 1130
AUIJ250I 1131
AUIJ251E 1131
AUIJ252W 1131
AUIJ255I 1131
AUIJ256I 1132
AUIJ257I 1132
AUIJ258I 1132
AUIJ259I 1132
AUIJ303W 1132
AUIJ304A 1133
AUIJ304E 1133
AUIJ307A 1133
AUIJ307E 1133
AUIJ330E 1134
AUIJ331E 1134
AUIJ332E 1134
AUIJ333E 1134
AUIJ335W 1135
AUIJ400E 1135
AUIJ401E 1135
AUIJ402E 1135
AUIJ403E 1135
AUIJ404E 1136
AUIJ406W 1136
AUIJ407I 1136
AUIJ408E 1136
AUIJ500I 1137
AUIJ501I 1137
AUIJ504I 1137
AUIJ521W 1137
AUIJ510I 1138
AUIJ511E 1138
AUIJ512E 1138
AUIJ513E 1138
AUIJ522E 1138
AUIJ609I 1139
AUIJ800E 1139
AUIJ860E 1139
AUIJ999E 1139
Error messages and codes: AUILxxxx 1140
AUIL002I 1140
AUIL003E 1140
AUIL600I 1140
AUIL601I 1140
AUIL602I 1141
AUIL603I 1141
AUIL605I 1141
AUIL606W 1141
AUIL607W 1142
AUIL701I 1142
Error messages and codes: AUIPxxxx 1142
AUIP001E 1143
AUIP002E 1143
AUIP003E 1143
AUIP004E 1143
AUIP005E 1143
AUIP006S 1143
AUIP007E 1144
AUIP008E 1144
AUIP009E 1144
AUIP010E 1144
AUIP011E 1144
AUIP012E 1145
AUIP013E 1145
AUIP014E 1145
AUIP015E 1145
AUIP016E 1145
Error messages and codes: AUIRxxxx 1145
AUIR002E 1146
AUIR004E 1146
AUIR006E 1146
AUIR007W 1146
AUIR008W 1146
Error messages and codes: AUITxxxx 1146
AUIT001E 1147
AUIT006S 1147
AUIT008E 1147
AUIT010E 1148
AUIT012I 1148
AUIT013I 1148
AUIT014I 1148
AUIT015I 1148
AUIT017I 1148
AUIT019I 1149
AUIT020I 1149
AUIT023I 1149
AUIT025I 1149
AUIT028E 1149
AUIT031I 1149
AUIT032I 1150
AUIT033I 1150
AUIT034S 1150
AUIT044E 1150
AUIT047E 1150
AUIT048I 1150
AUIT049I 1151
Error messages and codes: AUIUxxxx 1151
AUIUR002I 1151
AUIUR003I 1151
Error messages and codes: AUIXxxxx 1151
AUIX013E 1154
AUIX014E 1154
AUIX015E 1154
AUIX016E 1154
AUIX017E 1154
AUIX018E 1155
AUIX019E 1155
AUIX020E 1155
AUIX021E 1155
AUIX022E 1155
AUIX023E 1155
AUIX024E 1156
AUIX025E 1156
AUIX026E 1156
AUIX027S 1156
AUIX028E 1156
AUIX034S 1156
AUIX035E 1157
AUIX036E 1157
AUIX037E 1157
AUIX038E 1157
AUIX039E 1157
AUIX040E 1157
AUIX041E 1158
AUIX042E 1158
AUIX043E 1158
AUIX044E 1158
AUIX045E 1158
AUIX046E 1158
AUIX047E 1159
AUIX048E 1159
AUIX049E 1159
AUIX050E 1159
AUIX051E 1159
AUIX052E 1159
AUIX053E 1160
AUIX054E 1160
AUIX055E 1160
AUIX056E 1160
AUIX057E 1160
AUIX058E 1160
AUIX059E 1161
AUIX060E 1161
AUIX061S 1161
AUIX062E 1161
AUIX063E 1161
AUIX064E 1162
AUIX066E 1162
AUIX067E 1162
AUIX068E 1162
AUIX074E 1162
AUIX076E 1162
AUIX085E 1163
AUIX086E 1163
AUIX087E 1163
AUIX088E 1163
AUIX093S 1163
AUIX094S 1163
AUIX095S 1164
AUIX096S 1164
AUIX097S 1164
AUIX098E 1164
AUIX101E 1164
AUIX104E 1164
AUIX109E 1165
AUIX110I 1165
AUIX114E 1165
AUIX115E 1165
AUIX116I 1165
AUIX122I 1166
AUIX123W 1166
AUIX124S 1166
AUIX126E 1166
AUIX127S 1166
AUIX142E 1166
AUIX143E 1167
AUIX149E 1167
AUIX150E 1167
AUIX151E 1167
AUIX152E 1167
AUIX153E 1167
AUIX154E 1168
AUIX155E 1168
AUIX156E 1168
AUIX160E 1168
AUIX183E 1168
Error messages and codes: AUIYxxxx 1168
AUIY001E 1169
AUIY002E 1169
AUIY003E 1169
AUIY004E 1169
AUIY005E 1169
AUIY006E 1170
AUIY007I 1170
AUIY008I 1170
AUIY009E 1170
Error messages and codes: AUIZxxxx 1170
AUIZ002E 1172
AUIZ003W 1172
AUIZ004S 1172
AUIZ005S 1172
AUIZ007S 1173
AUIZ008W 1173
AUIZ009S 1173
AUIZ010W 1173
AUIZ011W 1173
AUIZ012I 1174
AUIZ013E 1174
AUIZ014W 1174
AUIZ020W 1174
AUIZ021E 1174
AUIZ022E 1174
AUIZ023E 1175
AUIZ024E 1175
AUIZ025E 1175
AUIZ026E 1175
AUIZ027W 1175
AUIZ028E 1175
AUIZ029E 1176
AUIZ030E 1176
AUIZ031E 1176
AUIZ032E 1176
AUIZ033E 1176
AUIZ034E 1177
AUIZ035E 1177
AUIZ036E 1177
AUIZ037I 1177
AUIZ038I 1177
AUIZ039I 1177
AUIZ040I 1178
AUIZ041E 1178
AUIZ041W 1178
AUIZ042W 1178
AUIZ043E 1178
AUIZ044S 1178
AUIZ045E 1179
AUIZ046E 1179
AUIZ047E 1179
AUIZ048E 1179
AUIZ049E 1179
AUIZ050E 1180
AUIZ051E 1180
AUIZ052E 1180
AUIZ053E 1180
AUIZ054E 1180
AUIZ055E 1180
AUIZ056E 1181
AUIZ057E 1181
AUIZ058I 1181
AUIZ059E 1181
AUIZ060E 1181
AUIZ061I 1182
AUIZ062I 1182
AUIZ063E 1182
AUIZ064E 1182
AUIZ065W 1183
AUIZ066E 1183
AUIZ067W 1183
IBM Security Guardium S-TAP for Data Sets on z/OS 1183
IBM Security Guardium S-TAP for Data Sets on z/OS overview 1184
What's new in IBM Guardium S-TAP for Data Sets V10.1.3? 1184
IBM Guardium S-TAP for Data Sets components 1184
Installation requirements for IBM Guardium S-TAP for Data Sets V10.1.3 1185
Software prerequisites 1185
User ID authority requirements 1185
Configuring the IBM Guardium S-TAP for Data Sets agent 1185
Security 1186
APF authorizing the load library 1186
Authorizing the z/OS agent started task for the control data set 1186
Defining an OMVS segment 1187
Planning your configuration 1187
Job cards for the sample JCL in the sample library 1187
Allocating auxiliary storage 1187
Configuring the SMFPRMxx PARMLIB member 1187
IAM and ACF2 collection considerations 1188
Enabling Innovations Data Processing IAM reporting 1188
Enabling Computer Associates International ACF2 reporting 1188
Creating the control data set 1188
Specifying subsystem options 1189
Configuring the started task JCL 1192
CICS Transaction Server support 1192
Configuring CICS Transaction Server support 1193
Using CICS system initialization parameters 1194
Configuring CICS signon reporting 1194
Starting the product 1195
Starting and stopping the agent started task 1195
Verifying the installation 1195
IBM Guardium S-TAP for Data Sets administration 1196
Communicating with the Guardium system 1197
Streaming audit data to multiple systems 1197
Communicating with the IBM Guardium S-TAP for Data Sets started task 1197
IBM Guardium S-TAP for Data Sets started task commands 1197
Data collection 1198
Record level and SMF data set monitoring options 1200
Policy pushdown 1202
Data set collection filtering parameters 1202
CICS collection filtering parameters 1207
Simulation mode 1209
VSAM and non-VSAM data set types and events 1209
SMF record types 1210
Time-to-reporting considerations 1211
Troubleshooting 1211
Messages and codes 1212
Error message code descriptions 1212
AUV1001I 1217
AUV1002E 1217
AUV1003E 1217
AUV1004E 1217
AUV1005E 1218
AUV1006E 1218
AUV1007E 1218
AUV1008I 1218
AUV1009E 1218
AUV1012E 1218
AUV1013I 1219
AUV1014E 1219
AUV1015E 1219
AUV1016E 1219
AUV1017I 1219
AUV1018E 1219
AUV1019I 1220
AUV1020E 1220
AUV1021E 1220
AUV1022E 1220
AUV1023E 1220
AUV1024I 1220
AUV1025E 1220
AUV1026I 1221
AUV1027E 1221
AUV1028I 1221
AUV1029E 1221
AUV1030I 1221
AUV1031E 1221
AUV1032I 1222
AUV1033E 1222
AUV1034E 1222
AUV1035E 1222
AUV1036E 1222
AUV1038E 1222
AUV1040E 1223
AUV1041I 1223
AUV1042E 1223
AUV1043E 1223
AUV1044E 1223
AUV1046E 1223
AUV1047E 1224
AUV1048I 1224
AUV1049E 1224
AUV1050E 1224
AUV1052E 1224
AUV1054E 1225
AUV1055E 1225
AUV1056I 1225
AUV1058E 1225
AUV1058I 1225
AUV1059E 1225
AUV1060I 1226
AUV1061E 1226
AUV1062I 1226
AUV1063E 1226
AUV1064W 1226
AUV1065E 1226
AUV1066E 1227
AUV1067E 1227
AUV1068E 1227
AUV1069E 1227
AUV1070I 1227
AUV1073W 1227
AUV1074E 1228
AUV1077I 1228
AUV1080E 1228
AUV1081E 1228
AUV1082W 1228
AUV1100E 1229
AUV1101E 1229
AUV1102E 1229
AUV1103E 1229
AUV1105E 1229
AUV1105I 1229
AUV1106I 1230
AUV1107I 1230
AUV1111E 1230
AUV1112E 1230
AUV1113E 1230
AUV1115E 1230
AUV1116E 1231
AUV1117E 1231
AUV1122E 1231
AUV1123E 1231
AUV1123W 1231
AUV1124E 1231
AUV1125E 1232
AUV1126E 1232
AUV1127I 1232
AUV1128E 1232
AUV1129I 1232
AUV1130I 1232
AUV1131I 1233
AUV1132I 1233
AUV1136I 1233
AUV1137I 1233
AUV1138E 1233
AUV1140I 1233
AUV1141I 1234
AUV1142I 1234
AUV1143I 1234
AUV1144I 1234
AUV1145I 1234
AUV1146E 1234
AUV1147I 1235
AUV1149I 1235
AUV1150I 1235
AUV1151E 1235
AUV1152I 1235
AUV1153I 1235
AUV1154E 1236
AUV1155E 1236
AUV1156E 1236
AUV1157E 1236
AUV1158E 1236
AUV1175I 1236
AUV1176E 1237
AUV1176I 1237
AUV1177I 1237
AUV1179E 1237
AUV1184E 1237
AUV1185E 1237
AUV1191E 1238
AUV1192I 1238
AUV1193I 1238
AUV1195E 1238
AUV1196E 1238
AUV1200E 1238
AUV1202E 1239
AUV1203E 1239
AUV1204E 1239
AUV1213E 1239
AUV1214E 1239
AUV1215E 1239
AUV1400I 1240
AUV1401I 1240
AUV1402I 1240
AUV1405I 1240
AUV1406W 1240
AUV1408W 1241
AUV1410I 1241
AUV1411E 1241
AUV1412I 1241
AUV1413E 1241
AUV1414I 1241
AUV1415E 1242
AUV1416I 1242
AUV1417E 1242
AUV1418I 1242
AUV1419E 1242
AUV1420I 1242
AUV1421E 1243
AUV1422I 1243
AUV1423E 1243
AUV1424I 1243
AUV1425E 1243
AUV1438I 1244
AUV1439I 1244
AUV1450W 1244
AUV1747E 1244
AUV1748W 1244
AUV2000E 1245
AUV2030E 1245
AUV2040E 1245
AUV2041E 1245
AUV2042E 1245
AUV2097I 1245
AUV2098I 1246
AUV2104E 1246
AUV2170I 1246
AUV2171I 1246
AUV2172E 1246
AUV2173E 1247
AUV2174E 1247
AUV2175E 1247
AUV2176E 1247
AUV2177E 1247
AUV2178I 1248
AUV2179E 1248
AUV2180W 1248
AUV2181I 1248
AUV2182I 1248
AUV2183W 1248
AUV2184W 1249
AUV2185I 1249
AUV2186E 1249
AUV2900E 1249
AUV2901E 1249
AUV2902E 1249
AUV2903E 1250
AUV3000E 1250
AUV3001E 1250
AUV3003E 1250
AUV3004I 1250
AUV3005E 1250
AUV3006E 1251
AUV3008E 1251
AUV3009I 1251
AUV3010W 1251
IBM Security Guardium V10.1
Welcome to the IBM Security Guardium documentation, where you can find information about how to install, maintain, and use IBM Guardium.
Getting started
Product overview
Product legal notices
What's new
Release notes
Installing
Upgrading
Common tasks
Discovering sensitive data

Monitoring deployment health
Monitoring S-TAP status
Distributing configuration profiles
Managing roles and permissions
Troubleshooting and support
Guardium support home

Guardium support resources
Guardium support videos
IBM developerWorks Answers for Guardium
More information
IBM Security Learning Academy

IBM data security and protection
IBM developerWorks Guardium community
Guardium tech talk videos
Â© Copyright IBM Corporation 2002, 2017
Product overview
Product and release information for GuardiumÂ® Solutions.
IBM Guardium
IBM Guardium prevents leaks from databases, data warehouses and Big Data environments such as Hadoop, ensures the integrity of information and automates
compliance controls across heterogeneous environments.
What's new in this release
New features, functions, and enhancements.
Release Notes
Learn about the latest features and enhancements, system requirements, and upgrade, installation, and support information.
IBM Guardium
IBM Guardium prevents leaks from databases, data warehouses and Big Data environments such as Hadoop, ensures the integrity of information and automates
compliance controls across heterogeneous environments.
It protects structured and unstructured data in databases, big data environments and file systems against threats and ensures compliance.
It provides a scalable platform that enables continuous monitoring of structured and unstructured data traffic as well as enforcement of policies for sensitive data access
enterprise-wide.
A secure, centralized audit repository combined with an integrated workflow automation platform streamlines compliance validation activities across a wide variety of
mandates.
It leverages integration with IT management and other security management solutions to provide comprehensive data protection across the enterprise.
They are intended to enable continuous monitoring of heterogeneous database and document-sharing infrastructures, as well as enforcement of your policies for sensitive
data access across the enterprise, utilizing a scalable platform. A centralized audit repository designed to maximize security, combined with an integrated compliance
workflow automation application, enables the products to streamline compliance validation activities across a wide variety of mandates.
IBM Security Guardium is designed to help safeguard critical data. Guardium is a comprehensive data protection platform that enables security teams to automatically
analyze what is happening in sensitive-data environments (databases, data warehouses, big data platforms, cloud environments, files systems, and so on) to help
minimize risk, protect sensitive data from internal and external threats, and seamlessly adapt to IT changes that may impact data security. Guardium helps ensure the
integrity of information in data centers and automate compliance controls.
The IBM Security Guardium solution is offered in two versions:
IBM Security Guardium Database Activity Monitoring (DAM)
IBM Security Guardium File Activity Monitoring (FAM) - Use Guardium file activity monitoring to extend monitoring capabilities to file servers.
IBM Security Guardium V10.1 1

The IBM Guardium products provide a simple, robust solution for preventing data leaks from databases and files, helping to ensure the integrity of information in the data
center and automating compliance controls.
Guardium products can help you:
Automatically locate databases and discover and classify sensitive information within them;
Automatically assess database vulnerabilities and configuration flaws;
Ensure that configurations are locked down after recommended changes are implemented;
Enable high visibility at a granular level into database transactions that involve sensitive data;
Track activities of end users who access data indirectly through enterprise applications;
Monitor and enforce a wide range of policies, including sensitive data access, database change control, and privileged user actions;
Create a single, secure centralized audit repository for large numbers of heterogeneous systems and databases; and
Automate the entire compliance auditing process, including creating and distributing reports as well as capturing comments and signatures.
The Guardium solution is designed for ease of use and scalability. It can be configured for a single database or thousands of heterogeneous databases located across the
enterprise.
This solution is available as preconfigured appliances shipped by IBMÂ® or as software appliances installed on your platform. Optional features can easily be added to
your system after installation.
These are the key functional areas of Guardium's database security solution:
Vulnerability assessment. This includes not just discovering known vulnerabilities in database products, but also providing complete visibility into complex
database infrastructures, detecting misconfigurations, and assessing and mitigating these risks.
Data discovery and classification. Although classification alone does not provide any protection, it serves as a crucial first step toward defining proper security
policies for different data depending on its criticality and compliance requirements.
Data protection. Guardium addresses data encryption at rest and in transit, static and dynamic data masking, and other technologies for protecting data integrity
and confidentiality.
Monitoring and analytics. This includes monitoring of database performance characteristics and complete visibility in all access and administrative actions for each
instance. On top of that, advanced real-time analytics, anomaly detection and security information and event management (SIEM) integration can be provided.
Threat prevention. This refers to methods of protection from cyberattacks such as distributed denial-of-service (DDoS) or SQL injection, mitigation of unpatched
vulnerabilities and other database-specific security measures.
Access management. This goes beyond basic access controls to database instances. The rating process focused on more sophisticated, dynamic, policy-based
access management capable of identifying and removing excessive user privileges, managing shared and service accounts, and detecting and blocking suspicious
user activities.
Audit and compliance. This includes advanced auditing mechanisms beyond native capabilities, centralized auditing and reporting across multiple database
environments, enforcing separation of duties, and tools supporting forensic analysis and compliance audits.
Performance and scalability. Although not a security feature per se, it is a crucial requirement for all database security solutions to be able to withstand high loads,
minimize performance overhead and support deployments in high-availability configurations.
For more information on the Guardium family of products, visit https://www.ibm.com/security/data-security/guardium.
Parent topic: Product overview
What's new in this release

New features, functions, and enhancements.
IBM Security Guardium V10.1.4
Amazon Oracle v11 RDS DBaaS Monitoring with Cloud database service protection
Disable TLS1.0/1.1, Enable TLS1.2
VA Support Oracle 12.2
Enhance VA GUI to show short description
Update OpenSSL for Windows/UNIX S-TAP
Support for EMC ATMOS
GDPR accelerator for z/OS
Classifier enhancement
Simplified deployment of S-TAP via GIM
Enhance Enterprise Load Balancer to verify sniffer is up before allocating Managed Units
Allow multiple KTAP buffers with more than five collectors
Prioritize connection packets over regular packets
Quick Start compliance monitoring
Deploy monitoring agents - Quickly prepare for database monitoring by discovering and activating GIM clients, installing S-TAPs, creating inspection engines,
and mapping the S-TAPs to collectors.
2 IBM Security Guardium V10.1

Set up compliance monitoring - Help meet compliance standards by quickly installing policies, populating groups, and running reports for monitoring
database activity.
Cloudera Hadoop - Guardium was the first to provide Vulnerability Assessment in the NoSQL space with its support of MongoDB. Now Guardium is expanding into
the Hadoop/Big Data space with support for the Cloudera platform. Guardium Vulnerability Assessment helps organizations feel more confident in using Cloudera
by empowering them to assess and correct the system to align with security best practices. Combined with the Guardium Activity Monitor for real time audit,
compliance, and security analytics, Guardium can provide a holistic security solution for Cloudera and for most common databases and data warehouses in typical
enterprise environments.
Guardium S-TAP for z/OS - IBM Security Guardium, extends data security on mainframes with enhanced:
Data protection to block against unauthorized DB2 for z/OS user activities
Performance and optimization to reduce overhead
Auditing and filtering capabilities to further extend data protection and real-time analytics
Usability and supportability to help accelerate deployment and diagnostics
1. Outliers detection enhancements
An outlier is defined by behavior by a particular source (a database, a particular user on a database, a server, or an OS user) in a particular time period that is
outside of the â€œnormalâ€ timeframe or scope of the particular source's activity. Outliers detection extends traditional database monitoring with
increased intelligence that provides early detection of possible attacks during operation by analyzing changes in source behavior. This release introduces:
FAM support
Runs on an aggregator on data from several collectors
Outlier mining status page, providing the current status of the outlier mining process on all managed units, and drill-down into outlier processes that
did not complete successfully
Two tabs in the Results Table of the Investigation Dashboard: Summary tab has one row per source per hour in which an anomaly was found, with
anomaly score and reasons; Details tab has one row per outlier with the anomaly score, outlier reason(s) and details (source program, object, verb,
etc.)
2. Hadoop activity monitoring and Cloudera 5.7+ integration/ Ranger enhancements
This release expands Guardium support for monitoring Hadoop data with Cloudera integration using Cloudera Navigator and Hortonworks integration using
Apache Ranger. These integrations allow SSL encryption for clients that need to access Hadoop data and are supported by a new Hadoop Monitoring UI.
3. Classifier enhancements and new Cleversafe backup/archive option
Guardium now supports running multiple classifier processes concurrently. The ability to run more than one classifier process at a time allows more efficient
use of available system CPU resources.
By default, Guardium classification processes now exclude several system databases and schema used by database software providers. By excluding these
databases and tables, classification processes run more efficiently and may return fewer errors.
Cleversafe backup/archive supports the Amazon S3 interface using the same SDK. Guardium interface to Cleversafe is analogous to Amazon S3 (which is
also supported by Guardium). Guardium cloud support now includes Cleversafe, SoftLayer and Amazon S3.
4. Enterprise health views
The new Deployment Health Dashboard expands existing deployment health views by providing an at-a-glance summary of health issues from across an
entire Guardium deployment. The dashboard is especially useful for identifying patterns and trends in the health data before investigating individual systems
where problems are identified.
5. FAM enhancements -UID chaining and multi-action rule and outliers
UID chain for Windows FAM - Currently the Windows FAM agent returns the username for the process assigned to a file event. Now the Windows FAM agent
will change that single username into a chain of usernames that belong to the history of the process (UID chain). For instance is Process 1 (user janedoe)
spawns Process 2 (user johndoe), then for file events related to process #2, FAM will report the UID chain consisting of {janedoe, johndoe}.
Multi-Action Rule for FAM - Multi-action rules are comprised of multiple actions, each one is per a specified command category or a specified group. The
commands in a FAM context are: Read, Write, Delete, Execute and File Operation.
6. Entitlements optimization
Entitlement Optimization mediates between the role of the DBA in providing users the entitlements required to perform their jobs efficiently, and the role of
Security in keeping entitlements as accurate and as minimal as possible to prevent system vulnerabilities. Navigate to Entitlements optimization by Discover
> Database Entitlements > Entitlement Optimization
7. HP Vertica support
HP Vertica is a big data system that competes with Hadoop. HP-Vertica provides a standard Postgres SQL interface with its proprietary extensions.
HP Vertica is used for data warehouses to provide very fast query performance. HP Vertica is used for user interaction analysis, ad tracking, click stream
applications, threat assessment and financial forecasting.
8. UNIX S-TAP RPM changes
Installation to /opt/guardium (location cannot be changed).
RPM default configuration

ktap_installed=1
Flex loading can be used by exporting NI_ALLOW_MODULE_COMBOS="Y" prior to RPM installation
sqlguard_ip set to 127.0.0.1
tap_ip set to hostname
RPM logs saved to /opt/guardium/rpm_logs
Live update is supported.
KTAP request updates supported via existing processes (increments package version).
Shell and GIM installers will refuse to install if RPM installation is detected.
STAP will be running after installation, but needs to be configured.
New script, guard-config-update, provided to make post-installation configuration easier.
9. GDPR Accelerator
Data privacy and security are the most pressing concerns that any organization must face. Previously within the European Union each country required
different levels of compliance, the newly announced General Data Protection Regulation (GDPR) expands and standardizes data protection rules across the
whole European Union.
The Guardium GDPR accelerator provides predefined reports based on GDPR groups and policies. To begin working with the GDPR accelerator, assign the
GDPR role to a Guardium user, then navigate to Accelerators > GDPR with that user account.
10. Data in-sight
Data in-sight introduces a revolutionary paradigm that utilizes human visual capabilities to gain an overall view on data flow and to identify unexpected
behaviors. Guardium already provides robust machine learning and data-analysis features to assist audits and detect attacks, based on accumulated
experience and knowledge. Data in-sight adds the flexibility of human visual perception to spot associations and movements in the raw data, irrespective of
known attack types, that would otherwise be unnoticed.
For example, an object recognition project to identify potholes in city streets would not identify an elephant wandering the neighborhood. The human eye,
however, would spot it immediately. Similarly, when reviewing audited data in bar charts, users looks for known issue types, but can easily overlook new
(unknown) aberrations.
Data in-sight converts audited data to a 3-D chronological visualization of data sources and destinations, showing data transactions unfold exactly as they
occurred.
The visualization space contains two planes, each represents entities of the audit domain of a given type. Every entry in the audit data is represented as a
moving â€˜flash lineâ€™ from an object of the upper plane (one of client IP, OS user, DB user, source program) to an object of the lower plane (one of
database, object, server). The flash line between the source and the destination leaves a trail (a dotted line) indicating the presence of interaction between
the specific source and destination, which gradually fades into the background. The trails form an overview of the interaction between sources and
destinations in the selected time period. The sources are located near their destinations, and near other similar sources. The size of the destination entity is
proportional to the volume of transactions relative to the other destination entities. There are many ways of modifying the display including: color-code the
top entity (color changes as data source details change), filter from the data in-sight chart, and the investigation dashboard facets. You can also view data in-
sight with VR headsets.
To access data in-sight: in the Investigation Dashboard, click Add Chart > data in-sight chart.
IBM Security Guardium V10.1
Infrastructure and platform:
Platform hardening with enhanced security, globalization, and accessibility improvements
Support for a Guardium appliance running in Hyper-V environment. Hyper-V is a virtualization solution from Microsoft.
Improved supportability and management of the Guardium deployment:
Stability and reliability are enhanced for the S-TAP agents and the collection parsing.
Central Manager Health View provides a central dashboard to assess the status of the deployed Guardium components.
S-TAP Watchdog (guard_monitor) for UNIX/Linux and Windows is a process designed to monitor S-TAP performance and responsiveness. If S-TAP
CPU utilization exceeds the configured threshold, or if S-TAP does not respond to a console request, the following actions can be taken:
Automatically run guard_diag;
Automatically kill the S-TAP process;
Automatically core dump and kill the S-TAP process.
Enterprise readiness enhancements make Guardium components easier to deploy and use in large environments, including:
Updates to the automatic load balancing to improve granularity and rebalancing requests
Reporting progress alerts for long running jobs
Finer grain access to user interface (UI) console to help customers divide roles and access to Guardium
Template and profile configurations to ease deployment and control from the Central Manager
Selective aggregation to streamline the reporting on large environments

Support for 7-element tuple - A tuple group allows multiple attributes to be combined together to form a single composite group member. Example of
7-tuple group - Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name
Expanded data source coverage:
Improved failover, encryption, and reporting from the S-TAP agent on System i
Enhanced filtering, UID chaining, and usability for the S-TAP agents for z/OS data sources
Additional data security functions for more big data platforms: dynamic data masking for MongoDB, blocking for HortonWorks and integration with
Ranger security platform, and Cassandra Kerberos
Ranger integration - Ranger offers a centralized security framework to manage fine grained access control over Hadoop and related
components (Hive, HBase, HDFS, Yarn). Using Ranger administration console, users can easily manage policies around accessing a resource
(file, folder, database, table, column etc) for a particular set of users and/or groups, and enforce the policies within Hadoop. They also can
enable audit tracking and policy analytics for deeper control of the environment.
Support for the S-TAP agent RedHat 7.1 on Power 8 (big and little endian) architecture. Endianness refers to the order of the bytes, comprising a
digital word, in computer memory. Words may be represented in big-endian or little-endian format. Little-endian format stores the least significant
byte at the lower memory address with the most significant byte being stored at the highest memory address.
New support for DB2 Analytics Accelerator for z/OS
PostgreSQL 9.4 and SSL encryption support
For DB2 UDB and MS SQL, Guardium supports count_big(*).
Security integration that provides synergistic use cases for the challenging security problems across IT silos:
Insider Threat Protection. Leverage integration with IBM Security Privileged Identity Manager to uncover insider threats.
Threat Protection System. Work in conjunction with IBM Security QRadar and IBM Security XGS to detect threats before they reach the data source to
prevent data breaches or heighten monitoring alertness.
Technology preview for additional data access analytics tools:
Investigation Center provides a central place to run forensic tracking based on the audit records.
IBM Security Guardium Vulnerability Assessment V10.1
Updated security awareness with new common vulnerability event (CVE) and other vulnerability tests
Shared common framework for vulnerability assessment from the Application layer to the backend infrastructure, with an integration with IBM Security
AppScan
IBM Security Guardium for Files (FAM) V10.1
Scalability and performance improvements to help deploy in large organizations
File Activity Monitor discovery performance improvements
Support for FAM discovery on AIX 6.1 and Aix 7.1 (no classification). Support for shared drive discovery and classification on FAM crawler.
Release Notes
Learn about the latest features and enhancements, system requirements, and upgrade, installation, and support information.
Description of new features and enhancements

The latest version of Guardium contains many new features and enhancements to existing functionality. Review the following links for detailed release notes:
Guardium V10.1.4 release notes

Guardium V10.1 release notes
Announcement
See the IBM Guardium release announcement for the following information:
Detailed product description, including a description of new functionality
Product-positioning statement
Packaging and ordering information
International compatibility information
System requirements
For Guardium V10.1 system requirements and supported platforms information, see http://www-01.ibm.com/support/docview.wss?uid=swg27047801.
Upgrading Guardium

See Upgrading your Guardium system for information about upgrading to the latest version of Guardium.
Installing Guardium
See Installing your Guardium system for information about installing the latest version of Guardium.
Known issues
Known issues are documented and made available through the IBM Support website.
As problems are discovered and resolved, the IBM Support website is updated. Search the IBM Support website to quickly find workarounds or solutions to problems as
well as other documents such as downloads and detailed system requirements.
Support lifecycle
If you are using an older version of Guardium software, plan ahead to allow time for upgrades. You can find information about end-of-support dates for IBM products at
the IBM Software Support Lifecycle website.
Getting Started
Getting Started with the User Interface
Learn the basics of the Guardium user interface, including logging in for the first time, banner and navigation menus, and the user interface and data search.
Customizing the User Interface
Guardium supports customizing the navigation menu for specific users and roles.
Quick start for monitoring and compliance
Learn how to deploy monitoring agents to your database servers and configure database monitoring for compliance with security standards and regulations.
System View
The System View is the default initial view for many users. It enables you to see key elements of system status.
Data Activity Monitoring
Information about key security concepts used in Guardium data activity monitoring.
File Activity Monitoring
File Activity Monitoring discovers the sensitive data on your servers; classifies content using pre-defined or user defined definitions; configures rules and policies
about data access, and actions to be taken when rules are met.
Key Concepts and Tools
Information about key concepts pertaining to Guardium administration.
Related information:
Guardium overview, architecture, and user interface (video)
Getting Started with the User Interface

Learn the basics of the Guardium user interface, including logging in for the first time, banner and navigation menus, and the user interface and data search.
Navigation
When you first log in to the Guardium user interface, there are two main menus - the banner and the navigation menu.
You can expand and collapse the navigation menu by clicking the chevron icon , or you can hide the navigation menu completely by clicking the show / hide icon
The initial layout of your screen is determined by the license applied, the access allowed based on roles, the machine type and a visibility factor. Examples of roles are
user, admin, access manager, and CLI. Roles are assigned to users and applications to grant users specific access privileges.
Supported web browsers

Internet Explorer 9 (IE9) and above on Windows 7. Warnings when using IE9 - (1) sure your company website is not listed in the Compatibility View selection of Internet
Explorer; (2) When exporting files, the file download is blocked by the "Do not save encrypted pages to disk" IE9 option. Change the setting for this option and the
export/download works as expected.
Firefox ESR 24 and above
Chrome 28 and above
Minimum screen resolution - 1366 x 768
Banner Menu
The banner contains the following items:
Item Description
System time clock The universal time on your Guardium system.
To-Do List Contains the Audit Process To-Do List, which can be filtered by user, and the Processes With No Pending Results.

Help Open the product help by clicking Help > Guardium Help.
Get information about your Guardium system, such as the version number, by clicking Help > About Guardium.
For help content specific to a screen or feature you're working with, click the small help icon that is embedded in the screen's pane.
Note: Both help icons take you to the same Information Center, where you can search and access all help content.
User interface / data / Search for a part of the user interface, a piece of data, or a file.
file search
For example, if you want to find the Policy Builder, toggle the search to User Interface, and start typing policy builder. Click any of the
results to go to that part of the user interface.
Account type Indicates what type of account you have. Edit your account details, such as your password or name, customize UI layout, and sign out of
Guardium securely.
Machine type Indicates what type of machine you are on, such as stand-alone, managed unit, central manager, or aggregator.
The banner menu also contains important startup messages such as Low RAM memory, Quick Search memory and CPU 4-cores minimum requirement, Certificate
expiration, Central Management failure, SSLv3 enabled or disabled, and No License.
Note: Guardium recommends that SSLv3 be disabled. However, in dealing with older Guardium versions that do not have the latest release installed, if SSLv3 is disabled,
the Central Management functionality will be impaired between the Central Manager and the managed units.
Navigation Menu
Each icon in the navigation menu represents one phase of the Guardium security lifecycle, click any icon to expand it and see the components within the phase. The
lifecycle-centric navigation menu is one way to navigate the user interface and is consistent across roles. Menu items may be customized and may or may not appear
based on your role.Â
Phase Description
Setup Configure your network settings, check the status of your services, and setup datasource definitions, groups, aliases, and alerts.
Manage Manage your environment's overall health, S-TAPs, data, modules, maintenance, and reports.
Discover Automatically discover new databases that are introduced to your environment, and find and classify sensitive data.
Harden Assess your environment's current weaknesses with Vulnerability Assessment and monitor changes made to your environment with Configuration
Auditing System (CAS).
Investigate Monitor database activities and investigate suspicious activity in any part of your environment.
Protect Protect your environment with data security policies that block suspicious activity and prevent unauthorized access to data. For more information about
policies, see Policies.
Comply Reach compliance initiatives with audit processes and granular reporting.
Reports Create your own report or use one of many predefined reports to report on any part of your environment. For more information about reports, see
Reports.
My Create your own dashboards to easily review reports that are of primary interest to you. For more information about dashboards, see Creating
Dashboards dashboards.
Commonly Found Icons

Many of the finder and builder applications in Guardium share this set of icons.
Icon Description
New Create a new item, such as a group or datasource definition.
Modify Modify an item.
Note: When modifying items, the best practice is to clone the item, and then modify the clone.

Clone Clone an item to create a copy of the item.
Delete Delete an item.
Parent topic: Getting Started
Customizing the User Interface

Guardium supports customizing the navigation menu for specific users and roles.
The Customize Navigation Menu and Customize User/Role tools allow you to conveniently change the content and organization of the navigation menu. You can access
these tools in several locations:
All users can customize their own navigation menu by opening the User menu in the Guardium banner and selecting Customize.
Administrative users can customize the navigation menu for other users and roles by opening the User menu and selecting Customize User/Role or by navigating to
Setup > Tools and Views > Customize User/Role.
Users logged in as accessmgr can customize the navigation menu for other users and roles by navigating to Access > Access Management, selecting Role Browser,
and clicking the Customize Navigation Menu link.
The tool provides a consistent customization experience for all users.
The Navigation Menu list reflects the organization and contents of the Guardium navigation system. Select tools and reports from the Available Tools and Reports list and
use the icon to add items to the Navigation Menu list. Remove items from the Navigation Menu list by clicking the icon next to an item. Use drag and drop or the
icon controls to rearrange items within Navigation Menu list.
It is possible to define a new Guardium home page (that is, the first page seen after logging into the system) by selecting an item from the Navigation Menu list and clicking
the icon.
After clicking the OK button, the Guardium navigation menu is updated to reflect any changes you made in the Navigation Menu list.
The following limitations apply when using these tools:
You cannot delete the My Dashboards group, but you can delete individual dashboards within the group.
New groups that are empty will not be saved.
Empty groups shown in the Navigation Menu list will not appear in the Guardium navigation menu.

Quick start for monitoring and compliance

Learn how to deploy monitoring agents to your database servers and configure database monitoring for compliance with security standards and regulations.
About this task

Quick start for monitoring and compliance is comprised of the following two tools:
Deploy monitoring agents
Use the Deploy Monitoring Agents tool to automatically activate GIM clients, install S-TAPs, and begin monitoring database traffic.
The deploy monitoring agents tool simplifies the process of establishing a Guardium deployment. Building on existing Guardium installation manager (GIM)
infrastructure, the deploy monitoring agents tools helps you quickly find database servers, install monitoring agents (S-TAPs), and configure inspection engines for
your databases. In addition, the tool provides a centralized view for tracking and reviewing deployment status.
Compliance monitoring
After deploying monitoring agents (S-TAPs), use the Compliance Monitoring tool to establish monitoring for specific security standards and regulations.
Guardium provides several compliance monitoring templates--groups, security policies, and reports corresponding to specific standards and regulations--including
the following:
Basel Committee on Banking Supervision (BASEL II)

General Data Protection Regulation (GDPR)
General Data Protection Regulation for Db2 for z/OS (GDPR for Db2 for z/OS)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Security Standard (PCI)
Personally Identifiable Information (PII)
Sarbanes-Oxley Compliance (SOX)
These quick start compliance monitoring templates are especially useful for organizations that must comply with one of the associated standards or regulations in a
short period of time. After installing security policies, the compliance monitoring tool guides administrators or compliance officers through the initial setup and
population of groups with organization-specific information such as client IP addresses and specific privileged user IDs. In addition, the compliance monitoring tool
periodically checks your Guardium environment for new databases that can be monitored using the compliance monitoring templates.
Procedure

1. Review the following information to begin familiarizing yourself with the tools.
Quick start for deploying monitoring agents
Quick start for compliance monitoring
2. Deploy monitoring agents for your database servers.
a. Verify that you have met the prerequisites for using the deploy monitoring agents tool: Prerequisites for deploying monitoring agents.
b. Deploy monitoring agents to your database servers: Deploy monitoring agents.
3. Configure compliance monitoring for your database servers.
a. Verify that you have met the prerequisites for using the compliance monitoring tool: Prerequisites for compliance monitoring
b. Configure compliance monitoring: Set up compliance monitoring.
c. Populate groups to identify users and applications that are allowed to access your databases: Populate groups.
d. Provide credentials allowing Guardium to access your databases for the discovery and classification of sensitive data: Enable scanning for sensitive data
Results
After successfully deploying monitoring agents and configuring compliance monitoring for your database servers, Guardium begins monitoring your database traffic.
For more information about interpreting what you see on the compliance monitoring page, see Understanding the compliance monitoring views.
System View
The System View is the default initial view for many users. It enables you to see key elements of system status.
Three tabs under the System View display different types of status information:
The S-TAP Status Monitor displays summary data about S-TAPs that are deployed in your environment. Icons represent the high-level status, and you can drill down
to view information about inspection engines.
The Unit Utilization tab displays information about the usage of each Guardium system.
The System Monitor tab displays up-to-date details about incoming data, CPU usage, and other information.
Data Activity Monitoring

Information about key security concepts used in Guardium data activity monitoring.
Policies and Rules

A security policy contains an ordered set of rules to be applied to the observed traffic between database clients and servers. Each rule can apply to a request from a
client, or to a response from a server. Multiple policies can be defined and multiple policies can be installed on a Guardium system at the same time.
Workflows
Workflows consolidate several database activity monitoring tasks, including asset discovery, vulnerability assessment and hardening, database activity monitoring
and audit reporting, report distribution, sign-off by key stakeholders, and escalations.
Auditing
Guardium provides value change auditing features for tracking changes to values in database tables.
Classification
Guardium supports the discovery and classification of sensitive data to allow the creation and enforcement of effective access policies.
Policies and Rules

A security policy contains an ordered set of rules to be applied to the observed traffic between database clients and servers. Each rule can apply to a request from a client,
or to a response from a server. Multiple policies can be defined and multiple policies can be installed on a Guardium system at the same time.
Each rule in a policy defines a conditional action. The condition can be a simple test, for example a check for any access from a client IP address not found in an
Authorized Client IPs group, or the condition can be a complex test that evaluates multiple message and session attributes such as database user, source program,
command type, time of day, etc. Rules can also be sensitive to the number of times a condition is met within a specified timeframe.
The action triggered by the rule can be a notification action (e-mail to one or more recipients, for example), a blocking action (the client session might be disconnected), or
the event might simply be logged as a policy violation. Custom actions can be developed to perform any tasks necessary for conditions that may be unique to a given
environment or application.
Parent topic: Data Activity Monitoring
Workflows
Workflows consolidate several database activity monitoring tasks, including asset discovery, vulnerability assessment and hardening, database activity monitoring and
audit reporting, report distribution, sign-off by key stakeholders, and escalations.
Workflows are intended to transform database security management from a time-consuming manual activity performed periodically to a continuously automated process
that supports company privacy and governance requirements, such as PCI-DSS, SOX, Data Privacy and HIPAA. In addition, workflows support the exporting of audit
results to external repositories for additional forensic analysis via Syslog, CSV/CEF files, and external feeds.
For example, a compliance workflow automation process might address the following questions: what type of report, assessment, audit trail, or classification is needed,
who should receive this information and how sign-offs are handled, and what is the schedule for delivery?

Auditing
Guardium provides value change auditing features for tracking changes to values in database tables.
For each table in which changes are to be tracked, you can select which SQL value-change commands to monitor (insert, update, delete). Before and after values are
captured each time a value-change command is executed against a monitored table. This change activity is uploaded to Guardium on a scheduled basis, after which all of
Guardiumâ€˜s reporting and alerting functions can be used.
You can view value-change data from the default Values Changed report, or you can create custom reports using the Value Change Tracking domain.
Classification
Guardium supports the discovery and classification of sensitive data to allow the creation and enforcement of effective access policies.
A classification policy is a set of rules designed to discover and tag sensitive data elements. Actions can be defined for each rule in a classification policy, for example to
generate an email alert or to add a member to a Guardium group, and classification policies can be scheduled to run against specified datasources or as tasks in a
workflow.
Discovery and classification routines become important as the size of an organization grows and sensitive information like credit card numbers or personal financial data
become present in multiple locations, often without the knowledge of the current administrators responsible for that data. This frequently happens in the context of
mergers and acquisitions, or when legacy systems have outlasted their original owners. Guardium classification discovers and tags this sensitive data so appropriate
access policies can be applied.
File Activity Monitoring

File Activity Monitoring discovers the sensitive data on your servers; classifies content using pre-defined or user defined definitions; configures rules and policies about
data access, and actions to be taken when rules are met.
File activity monitoring consists of the following capabilities:
Discovery includes collecting metadata and entitlements for files and folders.
Classification uses decision plans to identify potentially sensitive data in the files, such as credit card information or personally identifiable information.
Monitoring and collection of audit information and policy rules, and real time alerts or blocking of suspicious users or connections.
File activity monitoring:
Meets regulatory compliance in a cost effective way

Automate and centralize controls, provide audit trail.
Achieve compliance with diverse regulations such as HIPAA, PCI DSS, various state-level and national privacy regulations.
Scales with growing data volumes and expanding enterprise requirements
Provides extensive heterogeneous support across all popular systems
Use case 1
Critical application files can be accessed, modified, or even destroyed through back-end access to the application or database server
Solution: File Activity Monitoring can discover and monitor your configuration files, log files, source code, and many other critical application files and alert or block
when unauthorized users or processes attempt access.
Use case 2
Need to protect files containing Personally Identifiable Information (PII) or proprietary information while not impacting day-to-day business.
Solution: File Activity Monitoring can discover and monitor access to your sensitive documents stored on many file systems. It will aggregate the data, give you a
view into the activity, alert you in case of suspicious access, and allow you to block access to select files and folders and from select users.
Use case 3
Need to block back-end access to documents managed by your application.
Solution: File Activity Monitoring can discover, monitor, and block back-end access to your documents, which are normally accessed through an application front-
end (for example, web portal).
Overview and concepts for file activity monitoring

Understand discovery, classification, monitoring, and blocking, as performed by file activity monitoring.
Prerequisites for file activity monitoring
High level workflow for file activity monitoring
Use this general workflow to plan and execute file activity monitoring.

File activity monitoring using Guardium (video)
Overview and concepts for file activity monitoring

Understand discovery, classification, monitoring, and blocking, as performed by file activity monitoring.
File activity monitoring for file servers consists of the following capabilities:

Discovery includes collecting metadata and entitlements for files and folders.
Classification uses decision plans to identify potentially sensitive data in the files, such as credit card information or personally identifiable information.
Monitoring and collection of audit information and policy rules, and real time alerts or blocking of suspicious users or connections.
Discovery and Classification
The basic discovery scan identifies the list of folders and files, their owner, access permissions, size, and the date and time of the last update. It also identifies user
permissions and group permissions. Discovery supports all file types. Classification is defined by decision plans. Each decision plan contains rules for recognizing a
certain type of data. (Decision plans for File Activity Monitoring are analogous to classification policies for Data Activity Monitoring.) Classification includes support many
types of files, including: Plain Text, HTML, Office, PDF. Default decision plans exist for HIPAA, PCI, SOX, and Source Code. You can change the classification entities from
the resulting reports/investigation dashboard, using the default decision plans. In addition, you can create new plans, or modify existing plans, using the Content Classifier
Workbench, a Windows application you upload to your collector appliance. See the requirements for IBM Content Classification Version 8.8, in this IBM Content
Classification technote. Plans are activated and configured through the Guardium Installation Manager (GIM).
Discovery and classification are handled by a discovery agent, called the file crawler. The file crawler sends the file metadata and data from its discovery and classification
processes to the Guardium system. The scan schedule is configurable. Subsequent (incremental) scans, after initial discovery and classification, identify incremental
changes of new and changed files only. Install and configure the file crawler with the Guardium Installation Manager (GIM) just as you would any other bundle.
Monitor, Audit, and Block
File activity monitoring is implemented by the S-TAP, running on the file server. (Activity monitoring does not require the FAM bundle used by discovery and classification).
For NFS volumes, it is important to have an S-TAP installed and configured on all machines that access those volumes. S-TAP manages ongoing monitoring, alerting, and
blocking of file access, according to the Guardium policy rules. The rules specify which file servers and files to monitor and what actions to take if policy rules are violated,
for example log the violation, alert, or block access. Monitored Operations are Read, Write, Execute, Delete, Change Owner, Permissions, Properties. Any activity that
matches the security policy rules criteria is sent to the Guardium collector where it is stored in the Guardium repository. (In database activity monitoring, the S-TAP sends
all data activity to Guardium, where it is monitored.) All events recorded in the Guardium repository are audited events.
Because the file monitoring rules are activated in the S-TAP, blocking occurs immediately. The data that is requested by the user is never read from disk; the S-TAP blocks
and prevents the operation. Access to files can also be blocked, even if the operating system permissions allow access.
Monitoring activities are presented in the predefined reports: Users privileges, File privileges, Count of activity per user, Count of activity per client, Files open to
â€œpublicâ€ , Dormant users, Dormant Files, etc., and the FAM â€“ Access report (log of all monitored activity), and in the Investigation Dashboard.
Important: Windows Administrator and Linux ROOT user activities are not monitored or blocked by File Activity Monitoring.
One S-TAP agent manages both file server and database activity monitoring. If you have licenses for both capabilities you can use the same S-TAP agent for both file and
database activity monitoring. Install and configure S-TAP with the Guardium Installation Manager (GIM) just as you would any other bundle.
Parent topic: File Activity Monitoring
Prerequisites for file activity monitoring

Install these components to run file activity monitoring:
GIM client on all file servers

S-TAP
License keys
bash shell must be installed prior to installing the FAM discovery agent
FAM discovery agent (also known as the FAM bundle or FAM agent, required for Discovery and Classification)
optional IBM Content Classification for non-default decision plans
File activity monitoring supports UID chain: The FAM agent changes a single user name into a chain of user names that belong to the history of the process (UID chain). For
instance if Process 1 (user janedoe) creates Process 2 (user johndoe), then for file events that are related to process #2, FAM reports the UID chain of {janedoe, johndoe}.
FAM supports the CIFS implementation of SMB V2.0 and later.
File activity monitoring does not support:
Network attached storage
File activity monitoring supports these servers:

Platform version FAM Monitoring FAM Discovery FAM Classification
aix-7.1-aix-powerpc yes yes no
aix-6.1-aix-powerpc. yes yes no

Platform version FAM Monitoring FAM Discovery FAM Classification
Red Hat 4 PowerPC yes no no
Red Hat 5 S390X yes no no
rhel-4-linux-i686 yes no no
rhel-4-linux-ia64 no no no
rhel-4-linux-x86_64 yes no no
rhel-5-linux-i686 yes yes yes
rhel-5-linux-ia64 no no no
rhel-5-linux-ppc64 yes no no
rhel-5-linux-x86_64 yes yes yes
rhel-6-linux-i686 yes yes yes
rhel-6-linux-ppc64 yes no no
rhel-6-linux-s390x yes no no
suse-10-linux-i686 yes yes yes
suse-10-linux-ppc64 yes no no
suse-10-linux-s390x. yes no no
suse-10-linux-x86_64 yes yes yes
suse-11-linux-i686 yes yes yes
suse-11-linux-s390x yes no no
suse-11-linux-x86_64 yes yes yes
suse-12-linux-x86_64 yes yes no
Ubuntu 10 x86/64 yes yes no
Ubuntu 12 x86/64 yes yes yes
Ubuntu 14 x86/64 yes yes no
Windows 2008 Server Yes Yes yes
Windows 2012 Server Yes Yes yes


Use this general workflow to plan and execute file activity monitoring.
1. Installing and activating FAM components on all file servers.

2. Configure File discovery and classification GIM parameters.
3. Optional Customizing FAM decision plans. You can use the default decision plans, or create your own using the IBM Content Classification.
4. Monitor and audit.
File activity can be included in reports, including the following predefined reports: File Activities, File Entitlement, Files Count of Activity Per Client, Files
Count of Activity Per Server, Files Count of Activity Per User, Files Privileges.
For ongoing investigation and analysis, use Investigation Dashboards, which include text search and outliers capability as well as enhanced visualizations.
See:
Investigation Dashboard for files
Interpreting file activity outliers
5. Protect: create and apply policies for ongoing monitoring and protection. See File Activity policies and rules.
UNIX: The debug level is configured by tap_debug_output_level. FAM errors and debug logs are named guard_stap.fam.txt. The default location in UNIX is \tmp,
and is configured by tap_log_dir
Windows: The FAM agent log file is called StapAT.ctl and resides in the C:\Program Files\IBM\Windows S-TAP\Logs folder.
Key Concepts and Tools

Information about key concepts pertaining to Guardium administration.
Queries and Reports

Guardium queries describe a set of information to be obtained from the collected data. Reports define how the data identified by a Guardium query is presented.
Access Control
Guardium provides access maps as a way to conveniently show data access between database clients and database servers.
User Roles
A role defines a group of Guardium users who share the same access privileges.

Groups
Guardium supports the grouping of elements to simplify creating and managing policies and to clarify the presentation of reports.
Data Archive and Purge
Data Archive backs up data that has been captured by a Guardium system. When configuring Data Archive, data purge criteria may also be specified.
Guardium Installation Manager
The Guardium Installation Manager (GIM) is used to install and maintain Guardium components on managed systems.
Queries and Reports

Guardium queries describe a set of information to be obtained from the collected data. Reports define how the data identified by a Guardium query is presented.
Guardium queries describe a set of information obtained from the collected data. Queries are comprised of three elements: entities, fields, and conditions. Entities define
the scope of a query, fields list the columns of data to be returned by the query, and conditions define tests to match against the data (greater than, less than, contains,
etc.)
A report defines how the data collected by a query is presented. The default report is a tabular report that reflects the structure of the query, with each attribute displayed
in a separate column. All runtime parameters and presentation components of a tabular report can be customized.
Parent topic: Key Concepts and Tools
Access Control
Guardium provides access maps as a way to conveniently show data access between database clients and database servers.
Data access by applications and tools can be categorized according to many dimensions, including what data is being accessed, how it is being accessed, or how many
SQL calls are being made. In an enterprise environment, it is very important to get a good handle on database access. This requirement can stem from the need to
understand and secure access to the database due to compliance initiatives and even due to the need to tune and optimize your database environment. Because there can
be many databases and a very large number of database clients in enterprise environments, getting a handle on the data access paths can be difficult.
The deployment health topology and table views show the data flow relationships between systems in your environment. These views make it easy to identify problematic
systems and investigate the underlying issues. Access the topology view by navigating to Manage > System View > Deployment Health Topology. Access the table view by
navigating to Manage > System View > Deployment Health Table.
User Roles
A role defines a group of Guardium users who share the same access privileges.
When a role is assigned to an application or the definition of an item (a specific query, for example), only those Guardium users who are also assigned that role can access
that component. If no security roles are assigned to a component (a report, for example), only the user who defined that component and the admin user can access it.
At installation time, Guardium is configured with a default set of roles and a default set of user accounts. The Guardium access manager can create new roles and modifies
existing roles as needed.
Groups
Guardium supports the grouping of elements to simplify creating and managing policies and to clarify the presentation of reports.
Grouping can simplify the process of creating policy and query definitions. It is often useful to group elements of the same type, and grouping can make the presentation
of information on reports more straightforward. Groups are used by all subsystems, and all users share a single set of groups.
For an example of grouping, assume that your company has 25 separate data objects containing sensitive employee information, and you need to report on all access to
these items. You could formulate a very long query testing for each of the 25 items. Alternatively, you could define a single group called sensitive employee info containing
those 25 objects. That way, in queries or policy rule definitions, you only need to test if an object is a member of that group.
An additional benefit of groups is that they can ease maintenance requirements when the group's composition changes. To continue the example, if your company decides
that two more objects need to be added to the sensitive employee info group, you only need to update the group definition and not all of the queries, reports, and policies
that reference the group.
Data Archive and Purge

Data Archive backs up data that has been captured by a Guardium system. When configuring Data Archive, data purge criteria may also be specified.
There are two archive operations: Data Archive and Results Archive. The path to these archive operations is Manage > Data Management > Data Archive or Results Archive
(Audit).
Data Archive
With Data Archive, data is typically archived at the end of the day on which it is captured, which ensures that in the event of a catastrophe, only the data of that day
is lost. The purging of data depends on the application and depends on business and auditing requirements, but in most cases data can be kept on the machines for
more than six months.
Results Archive

Results Archive backs up audit task results (e.g. reports, assessment tests, entity audit trail, privacy sets, and classification processes) as well as the view and sign-
off trails and the accommodated comments from workflow processes. Results sets are purged from the system according to the workflow process definition.
In an aggregation environment, data can be archived from the collector, from the aggregator, or from both locations. Most commonly, the data is archived only once, and
the location from where it is archived varies depending on the customer's requirements.

The Guardium Installation Manager (GIM) is used to install and maintain Guardium components on managed systems.
The GIM component includes a GIM server, which is installed as part of the Guardium system, and a GIM client, which must be installed on servers that host databases
and file servers you want to monitor. After installing the GIM client, it works with the GIM server to perform the following tasks:
Check for updates to installed software

Transfer and install new software
Uninstall software
Update software parameters
If your environment includes a Guardium system configured as a Central Manager, you must decide which Guardium systems you want to use as GIM servers. You can
either manage all of your GIM clients from a single Guardium system, such as the central manager, or you can manage them in groups from the different Guardium
systems. If you manage all of your GIM clients from a single Guardium system, then you can view the status of all the GIM clients and perform related tasks from a single
interface. If you choose to manage your GIM clients in groups from separate Guardium systems, then you can use each system to work with the GIM clients that it
manages, but no overall or environment-wide view is available.
Discover
Discovery refers to processes of locating and identifying objects in your environment that must be tracked for security and compliance purposes.
Discovery is the process of finding important objects such as privileged users, sensitive data, and datasources. Classification is the process of appropriately identifying
what is discovered for security and compliance purposes. These processes of discovery and classification are important in large organizations where mergers, acquisitions,
and legacy systems introduce new objects to your environment in unstructured or unpredictable ways. GuardiumGuardiumÂ® helps you incorporate these objects into
your environment so you can enforce effective security policies and ensure compliance.
A common scenario involves the discovery of sensitive data. Sensitive data refers to regulated information like credit card numbers, personal financial data, social security
numbers, and other information that requires special handling. Guardium supports two different approaches for discovering sensitive data: by using the Discover Sensitive
Data workflow builder, or by using the Policy Builder with other Guardium tools. The Discover Sensitive Data workflow builder is intended as an all-inclusive tool for
establishing discovery and classification processes for sensitive data. Use it to specify rules for discovery, define actions to take on discovered data, specify which data
sources to scan, distribute reports, and run the workflow on an automated schedule. For more advanced users, the Policy Builder supports more granular discovery and
classification rules that can be easily incorporated into existing processes and Guardium applications.
Datasources
Datasources store information about your database or repository such as the type of database, the location of the repository, or credentials that might be
associated with it. You must define a datasource in order to use it with Guardium applications.
Cloud database service protection
Cloud database protection provides classification, vulnerability assessment, and object auditing on cloud databases.
Database Auto-discovery
The Auto-Discovery application scans and probes your servers for open ports to prevent unknown or unwanted connections to your network. You can run auto-
discovery processes on demand, or schedule the processes on a periodic basis.
Classification
Classification policies and processes define how Guardium discovers and treats sensitive data such as credit card numbers, social security numbers, and personal
financial data.
Discover Sensitive Data
Create an end-to-end scenario for discovering and classifying sensitive data.
Regular Expressions
Regular expressions can be used to search traffic for complex patterns in the data.
Discover and classify sensitive data in file servers
File activity monitoring ensures integrity and protection of sensitive data on UNIX and Windows file servers.
Entitlement Optimization
Entitlement Optimization mediates between the role of the DBA in providing users the entitlements that are required to perform their jobs efficiently, and the role of
Security in keeping entitlements as accurate and as minimal as possible to prevent system vulnerabilities.
Datasources
Datasources store information about your database or repository such as the type of database, the location of the repository, or credentials that might be associated with
it. You must define a datasource in order to use it with GuardiumÂ® applications.
Creating a datasource definition

Use the Datasource Builder to create datasource definitions for use with Guardium applications.
Working with existing datasources
After you create a datasource definition, you can clone the datasource, modify the datasource, or delete the datasource.
Reporting on datasources
Guardium provides reports on the datasources that are in your environment and any changes made to them.
Defining a datasource using a service name
You can define a datasource that enables your users to connect to an Oracle database using the service name by using a custom URL.
Managing KDC definitions
If your datasource requires authentication using Kerberos, you can specify the information needed for Guardium to obtain a Kerberos ticket before making the

connection.
Parent topic: Discover

Use the Datasource Builder to create datasource definitions for use with Guardium applications.
About this task

You can create a datasource definition through two general processes. First, you can add a datasource definition from the Datasource Builder and then specify the
application for which you want to use the datasource. Second, you can go into the application you want to use, and create a datasource within the application. The
navigation for adding a datasource definition within a specific application varies depending on the application you choose or the type of database selected. For example, if
you want to create an audit database, navigate to Harden > Configuration Change Control (CAS Application) > Value Change Audit Database Creation and click Add
Datasource.
Procedure
1. Open the Datasource Builder by navigating to Setup > Datasource Definitions.
2. Click to open the Create datasource dialog. Use the Create datasource dialog to provide information about the datasource to be stored for future use.
Depending on the application and database type that you select, and the type of datasource you use, the dialog varies slightly.
3. Select an Application Type.
4. Enter a unique Name for the datasource.
5. From the Database Type menu, select the database or type of file. For some applications, the datasource must be a database, and cannot be a text file. Depending
on the type of database you select, some fields on the panel are disabled, or the labels change. For example, Assign Credentials can be either optional or
mandatory. When mandatory, it is disabled and the user name and password fields are mandatory. When optional, user name and password are disabled until you
select Assign Credentials.
6. Select Share Datasource to share the datasource definition across all applications. If you do not share the datasource, the definition you create can be used only
with the application you chose.
7. Optionally, configure additional credentials.
Use SSL: select to use SSL. Then optionally select import server SSL certificate, and click add certificate to select the certificate
Use LDAP: Select to use LDAP. Then click Assign credentials, and enter the user name and password
Use Kerberos: Select to use a predefined Kerberos configuration. Select a Kerberos configuration, and enter the Realm and KDC. The datasource compares
this with its own KDC and Realm to make sure they match.
8. Select Save Password to save and encrypt your authentication credentials on the Guardium appliance. Save password is required if you are defining a datasource
with an application that runs as a scheduled task (as opposed to on demand). When save password is selected, login name and password are required.
9. Enter your credentials for Login Name and Password.
10. For the Host Name/IP field, enter the host name or IP address for the datasource.
11. Use the table to complete Port based on your datasource type.
Datasource type and port number table
Database type Port number
Aster Data 2046
DB2 50000
For DB2 UDB, Guardium supports count_big(*). On very large tables, a standard count(*) could fail
DB2 for i 446
DB2 for z/OS 446
GreenplumDB 5432
Hadoop 21000-21050
Informix 1526

MS SQL Server (Dynamic ports) and MS SQL Server Port number grayed out - Use of this datasource allows a client without a defined port value or where the
(DataDirect - Dynamic ports) dynamic function is enabled from the MS SQL Server database server to connect dynamically to a MS SQL
server database. To define dynamic port, go onto the DB serve for MS SQL Server and define 0 for Dynamic
port type and remove TCP/IP which by default is port 1433. Setting Dynamic port value to 0 and restarting
the services will set a dynamic IP.
For MS SQL, Guardium supports count_big(*). On very large tables, a standard count(*) could fail
DataDirect driver for MS SQL Server
Previously the jTDS driver had to be downloaded in order to support Windows authentication using
NTLM and NTLMv.
Now the Guardium DataDirect driver will permit this.
Parameters
If the Guardium user wants to use Windows authentication, then add this parameter to the
Connection Property:
domain=domain_name;AuthenticationMethod=ntlmjava
If using NTLMv2 for Windows authentication, then add this parameter to the Connection Property:
domain=domain_name;AuthenticationMethod=ntlm2java
AuthenticationMethod
Purpose
Determines which authentication method the driver uses when establishing a connection. If the
specified authentication method is not supported by the database server, the connection fails and
the driver throws an exception.
Valid Values
auto | kerberos | ntlm | ntlmjava | ntlm2java | userIdPassword
Notes
If you specify AuthenticationMethod=ntlmjava when the LMCompatabilityLevel has been restricted

to NTLMv2, an error will be returned. When the LMCompatabilityLevel has been restricted to
NTLMv2, AuthenticationMethod must be set to ntlm2java.
If you specify AuthenticationMethod=ntlmjava or AuthenticationMethod=ntlm2java, you must

specify the name of the domain server that administers the database. You can specify the domain
server using the Domain property. If the Domain property is not specified, the driver tries to
determine the domain server from the User property. If the driver cannot determine the domain
server name, it throws an exception.
The User property provides the user ID. The Password property provides the password.
The values type4, type2, and none are deprecated, but are recognized for backward compatibility.
Use the kerberos, ntlm, and userIdPassword value, respectively, instead.
If the Guardium user is using non-standard database Unicode such as Azeri_Cyrillic_100_CI_AS or

Chinese_Hong_Kong_Stroke_90_CI_AS, then add this parameter to the connection property:
CodePageOverride=UTF-8
If using SSL (Force encryption=Yes) , then add:
encryptionMethod=SSL;validateServerCertificate=false
MS SQL Server (DataDirect) 1433
MongoDB 27017
MySQL 3306
Netezza 5480
Oracle (DataDirect) 1521
PostgreSQL 5432
SAP HANA 39015
Sybase 4100
Sybase IQ 2638
Teradata 1025
Text 0
Text:HTTP 8000

Text:FTP 21
Text:SAMBA 445
Text:HTTPS 8443
N_A 0
MS SQL Server (open source) (use Harden > 1433

Vulnerability Assessment > Customer Uploads to
upload these JDBC drivers, see Subscribed Groups
Upload)
Oracle (open source) (use Harden > Vulnerability 1521

Assessment > Customer Uploads to upload these
JDBC drivers, see Subscribed Groups Upload)
HIVE, HiveServer2 10000
HADOOP, Hive CLI deprecated 9083
HIVE, for Impala from Hue 21050
HADOOP, Impala shell 21000
HUE, Oracle Hue backend 1521
HUE, MySQL Hue backend 3306
HUE, PostgreSQL Hue backend 5432
WEBHDFS 50070
Note: When attempting to connect using an SSL datasource for the first time, you may encounter this error when testing the connection:
error
Connection unsuccessful
Could not connect to: 'jdbc:db2://su11u1x64t-va:55000/VA_DB' for user: '(DELETE ME) db2 10.1 SSL_DB2(Security Assessment)'.
DataSourceConnectException: Could not connect to: 'DB2 (DELETE ME) db2 10.1 SSL 9.70.146.39:55000' for user: 'db2inst1'.
Exception: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.15.134] A communication
error occurred during operations on the connection's underlying socket, socket input stream,
This is caused because the GUI does not have the correct keystore file for the certificate loaded into memory. To correct this, restart the GUI and this error should
go away and the connection should be successful.
12. Depending on the datasource type, the dialog varies slightly for the fields after port.
If DB2, enter the database name.
If DB2 iSeries or Oracle, enter the service name.
If Informix, enter the Informix server name.
For a non-text Database Type, in the Database box, enter the database name (Informix, Sybase, MS SQL Server, PostgreSQL, or Teradata only). If it is blank
for Sybase or MS SQL Server, the default is master. For Sybase database, the Database text box should contain either the database name or default to master
if it is blank (This works for Entitlement Reports and Classifier. For VA, use the database instance name.)
For DB2, DB2 iSeries, or Oracle enter a valid schema name in the Schema box to use.
For a text file Database Type, in the File Name box, enter the file name.
13. Use the Connection Property box only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with this datasource.
The required format is property=value, where each property and value pair is separated from the next by a semicolon.
For a Sybase database with a default character set of Roman8, enter the following property: charSet=utf8.
For an Oracle Encrypted Connection you need to define a Connection Property as:
oracle.net.encryption_client=REQUIRED;oracle.net.encryption_types_client=RC4_40 (Replacing with an encryption algorithm required by the monitored
instance, regardless of its type).
NOTE that 3DES168 encryption is problematic. A datasource defined to use 3DES168 encryption will incorrectly throw an ORA-17401 protocol error or ORA-
17002 checksum error when it encounters any SQL error. Thereafter, the connection simply won't work until it is closed and reopened.
For a DB2 Encrypted Connection you need to define a Connection Property as: securityMechanism=13
For a DB2 iSeries Connection, define a Connection Property as: property1=com.ibm.as400.access.AS400JDBCDriver;translate binary=true
For DB2 z/OS datasource, add a Connection Property to improve database performance: resultSetHoldability=2
In Oracle, sys is an Oracle default user, is owner of the database instance, and has super user privileges, much like root on Unix. SYSDBA is a role and has
administrative privileges that are required to perform many high-level administrative operations such as starting and stopping the database as well as
performing such operations as backup and recovery. This role (SYSDBA) can also be granted to other users. The phrase sys as SYSDBA refers to the
connection method required to connect as the sys user.
For monitor values for Oracle 10 (sys as SYSDBA) (this is for the Oracle open source driver), enter the following: internal_logon=sysdba
For DataDirect (Oracle driver), enter the following: SysLoginRole=sysdba
In addition, if using CRYPTO_CHECKSUM_TYPES in your sqlnet.ora, use the following examples:
oracle.net.encryption_client=aes256;oracle.net.crypto_checksum_types_client=SHA1
oracle.net.encryption_client=rc4_256;oracle.net.crypto_checksum_types_client=MD5
oracle.net.encryption_client=aes256;oracle.net.crypto_checksum_types_client=MD5
oracle.net.encryption_client=rc4_256;oracle.net.crypto_checksum_types_client=SHA1
Example: Use authentication to Oracle LDAP which is known as OID. Values needed are: the LDAP server host or IP, the LDAP server port, the Oracle instance
name and the realm. The custom URL must be properly entered:
jdbc:guardium:oracle:@ldap://wi3ku2x32t4:389/on0maver;cn=OracleContext;dc=vguardium;dc=com
14. If needed, enter a Custom URL connection string to the datasource. When the Custom URL field is blank, the connection is made using the properties entered in the
other datasource definition fields (for example, host, port, instance, etc.).
Important:
When specifying a Custom URL field with the Oracle Open Source format, specify jdbc:guardium:oracle://;SID=<SID>.
When creating a datasource for an Oracle database with Oracle Advanced Security enabled, specify EncryptionLevel=required in the Custom URL field
of the datasource definition.
15. Click Show Advanced Options to display the Roles and CAS options.

16. Optionally click Roles to assign roles for the datasource. Adding a role to a Datasource will allow users to view Datasource configuration. Only owners and
administrators are allowed to modify and delete Datasource.
Because vendors offer flexibility during installation, users should be asked to help in determining the two fields required on the datasource definition.
CAS needs two pieces of information: a database instance account to run some of the database tools on Unix, and the name of the database instance directory in
order to find the files it is to monitor. Generally, if the Database Instance Account and Directory are not correctly entered in the Datasource Definition, you will see
No CAS data available messages for tests where CAS could not find data.
a. Enter a Database Instance Account (software owner) and a Database Instance Directory (directory where database software was installed) that will be used
by CAS.
These are suggestions for how to find the needed information to fill in the CAS information for datasources. This information may vary from one installation to
another. One of the ways used on Unix is to list the /etc/passwd file for specific database installations that can be used to identify the database instance
account and instance directory. Sometimes during the installation an environment variable is defined in the database instance account identifying the
instance directory, such as ORACLE_HOME. In this case, enter $ORACLE_HOME in the database instance directory field of the datasource definition form and
the variable will be expanded to find the correct directory name on the database server.
Note: To search multiple directories, you can define multiple file paths for Database Instance Directory. Refer to the MongoDB row for an example.
Table 1. Database Instances
Database
Type Database Instance Account Database Instance Directory/ Additional Hints
DB2 Often db2inst1 Home directory of db2inst1 or C:\Program Files\IBM\SQLLIB on Windows Â
The program db2cmd.exe must be on the system path, or in the bin subdirectory of the
Database Instance Directory.
Informix Often informix Something like /opt/IBM/informix on Unix, or C:\Program Files\IBM\Informix. An

environment variable INFORMIXDIR may be defined. Â
The program <servicename>.cmd must be on the system path where <servicename> is

the value entered in the Informix Server of the Datasource Definition.
MongoDB Often mongodb or mongos With MongoDB, you must specify multiple paths for the database instance directory.
Indicate a separate path by using a pipe "|" with spaces.
For example, /var/lib/mongo | MongoBinary=/usr/bin | dbpath=/var/lib/mongo |

logpath=/var/log/mongodb | keytab=/home/keytab | dbdumppath=/opt/backup |
sslpath=/etc/ssl | keyfile=/home/mongod/mongo_server.keyfile.
The /var/lib/mongo path is required, as it is the home path for the mongo user.
MongoBinary=/usr/bin is the path to the mongo binary. You must specify the variable
(which is case sensitive) and then equal the path.
dbpath=/var/lib/mongo is the path to the data files. In this case, it happens to be the
same as the MongoDB home directory.
logpath=/var/log/mongodb is the path to the MongoDB log.
keytab=/home/keytab is the directory to the MongoDB keytab file.
dbdumppath=/opt/backup is the directory to the MongoDB backup dump.
sslpath=/etc/ssl is the path to MongoDB SSL files.
keyfile=/home/mongod/mongo_server.keyfile points to the MongoDB keyfile.
You do not need to define all the listed paths. Whichever paths are not defined will not
be analyzed.
Oracle Often oracle, or version specific For example, /home/oracle9 on Unix, or C:\oracle\product\10.2.0\db_1 on Windows.
such as oracle9 or oracle10 An environment variable ORACLE_HOME may be defined. Â
On Windows, environment variables PERL5LIB and ORACLE_HOME must be defined,

and the program opatch.bat must be on the system path.

Database
Type Database Instance Account Database Instance Directory/ Additional Hints
SQL Server Not needed unless Windows There are two scenarios when populating Database instance Directory for CAS usage in
Authentication is being used. In SQL Server.
that case, it must be in the form
acceptable to Windows If the datasource is being used for Vulnerability Assessment Tests, then this column
Authentication, needs to be populate with the DATABASE INSTANCE HOME DIRECTORY. Â
DOMAIN/Username.
Examples
MSSQL2008
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL
MSSQL2014, default instance.
C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL
MSSQL2016, Name instance.
C:\Program Files\Microsoft SQL Server\MSSQL13.SQL2016\MSSQL
If the datasource is being used for NON Vulnerability Assessment Tests, but for CAS
monitoring files or registry. Â
Then this column will be the Microsoft SQL Server directory with Program Files
Examples C:\Program Files (x86)\Microsoft SQL Server
or
C:\Program Files\Microsoft SQL Server
Note: You must have two datasources if you want to do Vulnerability Assessment Tests
and CAS file monitoring
Sybase Often "sybase" For Unix /home/sybase, or C:\sybase for Windows. An environment variable SYBASE
may be defined.
MySQL Â An environment variable MYSQL_HOME may be defined.
Note: A MySQL datasource with a Unicode database name is not supported. The
datasource name in MYSQL must be ASCII.
Teradata Â Not needed. The installations all look the same.
Netezza Â Not needed. The installation is in the same location on all machines.
PostgreSQL Â This is the most flexible of the installations. The user is required to define two
environment variables on the Postgres database server: PostgreSQL_BIN should be the
location of the binaries for the installation, and PostgreSQL_DATA the location of the
data. Â
Note: If an environment variable is to be used within the Database Instance Directory field, that environment variable must be defined on the database
server.
b. Select a Severity Classification (or impact level) for the datasource. Severity classification can be used to sort, filter, or focus datasources while you are
viewing reports and results.
c. Click Save to save the datasource definition (you cannot add roles or comments until the definition has been saved).
d. Optionally click Add Comments to add comments to the definition.
e. Optionally click Test Connection to test connectivity of the defined datasource.
f. Click Close when you are finished with the definition.
Parent topic: Datasources
Working with existing datasources

After you create a datasource definition, you can clone the datasource, modify the datasource, or delete the datasource.
Procedure
Open the Datasource Builder by navigating to Setup > Datasource Definitions.
The Application Selection menu lists all applications with which you can use a datasource definition. Choose the application for which the datasource you want to
modify was created, and click Next, bringing you to the Datasource Finder.
Cloning a datasource
Procedure
Select the datasource that you want to clone from the Datasource Finder, and click Clone.
The information that you entered when the datasource definition was created appears in the Datasource Definition dialog, with "copy Of" appearing before the
original name of the datasource. Change whatever fields you like.
Click Apply to save the cloned datasource.

Modifying a datasource
Procedure
Select the datasource that you want to modify from the Datasource Finder, and click Modify.
The information that you entered when the datasource definition was created appears in the Datasource Definition dialog. Change whatever fields you like.
Click Apply to save the changes that you made to the datasource.
Removing a datasource
Procedure
Select the datasource that you want to modify from the Datasource Finder, and click Delete.
Reporting on datasources
GuardiumÂ® provides reports on the datasources that are in your environment and any changes made to them.
Procedure
Open the Datasources report by navigating to Reports > Report Configuration Tools > Datasources. The table that appears lists all datasources, and the information
that is stored in each datasource definition.
Right-click any cell in the table and you are given two options: Datasource Version History, and Invoke.
Click Datasource Version History to view changes made to the datasource definition.
Click Invoke to select and run one of the available APIs for the datasource.
Note: You can customize the run time and presentation parameters of the Datasources report by clicking the pencil icon.

Related concepts:
GuardAPI Datasource Functions
Defining a datasource using a service name

You can define a datasource that enables your users to connect to an Oracle database using the service name by using a custom URL.
About this task

You must enter the hostname, port, and service name as well as the custom URL.
Procedure
1. Determine the oracle service name. You can use commands like these:
SQL> set line size 5000;

SQL> select host_name, instance_name from v$instance;
SQL> select name from v$database;
SQL> show parameter service
Use the name that appears in the VALUE column.

2. Load the appropriate Oracle JDBC thin driver to the Guardium system.
a. Find and download the driver for your Oracle database here: http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html
b. Open the Customer Uploads window by navigating to Harden > Vulnerability Assessment > Customer Uploads.
c. Locate the section titled Upload Oracle JDBC driver. Click Browse and browse to the location to which you downloaded the file. Click Use open-source driver
for all.
d. Restart the Guardium user interface after the upload is complete.
3. Define the datasource for this database.
a. Open the Datasource Builder by navigating to Setup > Datasource Definitions.
b. The Application Selection menu lists all applications with which you can use a datasource definition. Choose the application for which the datasource you
want to modify was created, and click Next, bringing you to the Datasource Finder.
c. Enter the service name in the Service Name field. In the custom URL field, enter jdbc:oracle:thin@//hostname:port/svcname where hostname and
port are the standard values for the database and svcname is the service name, the same value that you entered into the Service Name field
Managing KDC definitions

If your datasource requires authentication using Kerberos, you can specify the information needed for Guardium to obtain a Kerberos ticket before making the connection.
About this task

From Guardium V. 10.1.3 you can assign a KDC to a specific datasource or managed unit group, to provide Guardium authentication for Mongo and Hive databases. The
appliance gets a ticket via the JDBC connection, so the users do not need to get tickets themselves. Note that this is independent from what the appliance itself is set up
to use.
You can define up to 5 Kerberos Key Distribution Centers (KDC) on a Central Manager, and one on a standalone Guardium. To add a Key Distribution Center to Guardium
you specify:
realm: domain name in uppercase letters

KDC: hostname of the Kerberos server

encryption type for Kerberos tickets
des-cbc-md5
des-cbc-crc
rc4-hmac
des3-cbc-sha1
aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
The default is aes256-cts-hmac-sha1-96, which is the most secure encryption type.
Procedure
1. Click Setup > Tools and Views > Kerberos configuration
2. Click to create a new configuration.

3. Specify Name, KDC, and Realm.
4. Specify Encryption Type. The default is aes256-cts-hmac-sha1-96.
5. Click Save.
What to do next
After you have created a Kerberos KDC, you can select it when configuring your datasource setup.
Cloud database service protection

Cloud database protection provides classification, vulnerability assessment, and object auditing on cloud databases.
Once you set up the Guardium connection with the cloud, you can:
Discover database instances, and catalog them in Guardium.

Assign cataloged datasources to a Classification process or create a new process: Classification runs on the cloud databases and identifies objects according to the
defined rules
Assign cataloged datasources to a Vulnerability Assessment process or create a new process (requires a valid VA license): VA runs on the cloud databases and uses
the data in Guardium reports.
Enable DB auditing: Oracle Standard Auditing data is pulled from the cloud for Guardium reports, depending on installed policies. (See Oracle definitions in:
https://docs.oracle.com/cd/B28359_01/server.111/b28337/tdpsg_auditing.htm#TDPSG50051)
Enable object auditing (Oracle's audit trail). Review the Classification results and select objects for object auditing. (DB auditing must be enabled.) Object auditing
tracks all activities performed on the objects. Guardium uses this data for reports, investigation dashboard, etc. You can configure Guardium to add objects
automatically, per datasource. You can also set a default per account, inherited by all of its datasources. This is especially useful for databases whose objects need
auditing without any further evaluation. You would set a high but reasonable limit of what you expect the classification process to find. You also want to prevent an
overflow of objects if there is a mistake in your classification, so don't set it too high. (An overflow could affect the database performance.)
AWS permissions are required to perform Guardium functions on the cloud DB. See AWS IAM definition.
In on-premises databases, the S-TAP installed in the database sends all database traffic to the Guardium system. In the cloud environment, Guardium pulls log files from
the cloud DB, and processes the data similar to S-TAP data. The difference is that the S-TAP records all database activity, whereas in the cloud environment, only the
tables that you select are audited. Another difference is that there can be a slight delay in data retrieval from the cloud.
Activity on audited databases and objects is written to the database logs. The volume of log activity increases with the number of monitored items. High volume log
activity can impact the database performance. You need to ensure that you are capturing all relevant data, while not overloading the system.
You can run cloud database service protection in a CM environment and on a standalone Guardium collector.
In the context of cloud DB service protection, database refers to the database on the cloud, and datasource refers to the Guardium cataloged database.
Only one Guardium system can own the DB audit and object audit of any one DB. Other Guardium systems can access the same cloud account and see the DB details, but
cannot disable the DB audit or access the object audit data. You can move ownership from one Guardium system to another, for example if one goes down without
expectation of recovery.
Discovery, Classification, and VA are supported for all AWS RDS database engines.
Limitations on Database Audit
You must keep the RDS definition up to date, for example, DB instance deletions, or changes in credentials.
Guardium v10.1.4 supports only Oracle V.11 databases on an AWS cloud.
Extrusion rules are not supported, including redaction and testing for patterns in the returned data.
Return data is not supported, including records affected and logging of bind variable values.
Rule actions that interact with S-TAP are not supported; for example, S-GATE Terminate, Ignore, and query rewrite.
Failed logins are not captured by the Oracle audit, and therefore are not forwarded to Guardium.
Statements not captured by the Oracle audit, for example Statements with syntax errors, cannot be monitored.
Audit data has bind variable values but not type, for example, 123, so when it is replaced in SQL, surrounding quotes always added.
When variable values contain ASCII control character, for example, '\001' or multiple byte characters, the audit file is not downloadable.
Blob bind variable values are not supported.
Cloud database service protection workflow

AWS IAM definition
Define your IAM policy for your AWS account, depending on the required permissions.
Create, modify, delete cloud accounts
Create a cloud database service account with your DB credentials, modify, or delete the cloud account.
Discover cloud databases
Discover databases in the cloud account by selecting the regions you want to search.

Catalog and manage databases
Catalog databases to create the datasources in Guardium, modify users and passwords, and update the database configuration.
Manage Classification and Vulnerability Assessment
Assign datasources to an existing classification or vulnerability assessment process, or create new processes.
Configure database auditing
Enable auditing on the database so that object auditing data can get pulled by Guardium. Modify the limit of objects added automatically to classification, and
modify the collector.
Manage object auditing
View the potentially sensitive objects identified by the classification processes in the databases that you manage, and enable object auditing on selected objects to
monitor all activities performed on these objects.
Cloud database service protection workflow

About this task
This is a general workflow. Your specific workflow depends on what you want to achieve with the cloud database audit.
Procedure
1. Create a cloud account.
2. Discover its database instances.
3. Catalog the databases you want to work with. Cataloging creates a datasource within Guardium, so that you can manage the cloud database Guardium functions on
the specific database.
4. Optionally add the datasource to a new or existing VA process (requires Vulnerability Assessment license).
5. Optionally add the datasource to a new or existing Classification process.
6. Optionally enable DB Audit on relevant databases and restart the databases either now from the Guardium UI, or later from the DB console. Once DB auditing is
enabled, it performs standard Oracle auditing. When you enable DB Auditing, your Guardium system becomes the unique owner of the DB Audit on this DB. No
other Guardium system can modify the DB Audit or the object audit. To see Classification results, run Classification once (Run once now) after you enable the DB
Audit, or wait for the next scheduled run. (The datasource must be assigned to a Classification process.)
7. Review the Classification results of your datasources (requires a classification process and DB Audit):
View the objects, grouped either by the object or the classification process that identified the objects, using filters to further refine the results
enable or disable object audit: individually, by table
Drill down from the objects grouping to open a list of all databases that contain the selected object in their classification results. In this view you can also
enable and disable object auditing.
8. Periodically repeat steps 2 through 7.
9. Review the datasources periodically, checking for New objects, and optionally adding or removing objects from the object audit. For example, you might remove
objects if the automatically added objects include objects you have decided do not need auditing, or if a database is having performance issues. Or you could
identify a suspicious object that is not audited, and add it to the object audit.
Parent topic: Cloud database service protection
AWS IAM definition

Define your IAM policy for your AWS account, depending on the required permissions.
The minimum IAM permissions include viewing configuration and changing tags. They do not include enabling the DB audit, or restarting a DB. This JSON defines the
minimum permissions, without which you cannot run cloud database service protection.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:DescribeDBParameters",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DownloadDBLogFilePortion",
"rds:DescribeDBLogFiles",
"rds:ListTagsForResource",
"rds:RemoveTagsFromResource",
"rds:AddTagsToResource",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Full permission is enabled with these parameters.
Enable, disable DB audit on instance

When not configured, the Enable DB Auditing and Disable DB Auditing buttons are grayed out, and you need to request the DBA to enable or disable the DB instance
on the AWS console.
"rds:CopyDBParameterGroup",
"rds:CreateDBParameterGroup",
"rds:ModifyDBInstance",
"rds:ModifyDBParameterGroup",
Restart DB instance

When not configured, the Restart buttons is grayed out, and you need to request the DBA to restart the DB instance on the AWS console.
"rds:RebootDBInstance",
Handle security group when the supported platform is EC2

When not configured, the DBA needs to add the Guardium IP to the security group. When configured, Guardium adds its IP to the security group of the DB instance.
If the Guardium system cannot identify its own IP due to the network configuration, then the DBA needs to add the IP on the AWS console.
"rds:ModifyDBInstance"
"rds:AuthorizeDBSecurityGroupIngress",
"rds:CreateDBSecurityGroup",
Handle security group when the supported platform is VPC

When not configured, the DBA needs to add the Guardium IP to the security group. When configured, Guardium adds its IP to the security group of the DB instance.
If the Guardium system cannot identify its own IP due to the network configuration, then the DBA needs to add the IP on the AWS console.
"rds:ModifyDBInstance"
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
When configuring these parameters, Guardium creates an inbound rule in the RDS instance security group, with collector public IP CIDR mask = 24.
Create, modify, delete cloud accounts

Create a cloud database service account with your DB credentials, modify, or delete the cloud account.
Create cloud account
About this task
Prerequisite: Define the AWS IAM policy, see AWS IAM definition.
Tip: If you are managing a large number of databases in this account, consider defining a default classification process. This saves you defining the properties for each
discovered database.
Procedure
1. Navigate to Discover > Database Discovery > Cloud DB Service Protection.
2. Click to open the Create Cloud DB Service Account Definition pane.

3. Define the account.
Unique account name
Provider
Unique access key ID and the secret access key ID as supplied by your cloud services provider. The account secret key functions as a password. Both the
access key and title should be unique so that you can't have multiple account names with the same access_id.
Limit objects added automatically (optional): This is the maximum number of objects found by classification that can be automatically enabled for object
auditing, when the DB Auditing is enabled. You can modify this, per database, after they are discovered. Objects that are enabled automatically appear as
Enabled in the managed objects window. If you want Guardium to add objects automatically, set a high but reasonable limit of what you expect the
classification process to find. You also want to prevent an overflow of objects if there is a mistake in your classification, so don't set it too high. (An overflow
could affect the database performance.) Zero (0) means no objects are automatically enabled for object auditing. If the number of audited objects plus the
number of newly classified objects exceeds this limit, then no new objects are enabled for object auditing. For example, if set to 15, and Classification
identifies 5 objects the first time it is run, then the 5 objects are assigned audit trail. If set to 15, and there are 5 objects already enabled for object auditing,
and the next run of Classification identifies 16 objects, then no new objects are enabled for object auditing. If set to 15, and there are 5 objects already
enabled for object auditing, and the next run of Classification identifies 5 objects, then the 5 new objects are enabled for object auditing.
4. Optionally define the default classification. All cataloged databases in this account are assigned to this classification process. You can modify the classification
process, per database, after they are cataloged.
5. Test access to the cloud.
a. Click Test Access. Guardium attempts to access the cloud.
b. If Guardium fails to access the cloud: check that your Guardium system has access to Amazon; check the keys you supplied.
6. Click Create.
The account is created and the Cloud DB Service Accounts list updates with the new Cloud account, with its account details in the right pane.
What to do next
Discover databases and catalog them, set up classification and vulnerability assessment, and object auditing.
Modify a cloud account

All parameters except the provider can be modified.
Procedure
1. Select the cloud account under Cloud DB Service Accounts, and click in the right pane.
2. Modify the configuration.
3. If any credentials were modified, test access to the cloud by clicking Test Access.
4. Click Save.
Delete a cloud account

Deleting an account disables the object audit and the DB audit on all the databases owned by the current environment.
Procedure
1. Select the account in the Cloud DB Service Accounts pane, click , and confirm.
2. Restart the DB from the DB console. If you do not have Amazon access to the DB, ask your DBA to disable DB auditing and to restart the DB. It's important to stop
auditing and restart the DB so that the DB stops writing to the log files used by Guardium.
Discover cloud databases

Discover databases in the cloud account by selecting the regions you want to search.
About this task

The databases table is populated and updated when you run Discover. Once a database has been discovered, it stays in the table, regardless of whether the database is
still in the cloud..
Every time you navigate to Discovery > Database Discovery > Cloud DB Service Protection, Guardium informs you if the DB auditing status in the cloud is different from the
status reported in the UI, with a message above the Database table: DB auditing status has changed for some databases. Click Refresh to update
the table. When you see this message, click Refresh to refresh the display.
You can also perform this check on demand by clicking Retrieve status. The retrieve can take a few minutes. When it's complete, a message appears only if any of the DB
audit statuses have changed. If there are changes, click Refresh
You can also upload cloud database definitions by CSV file. The required parameters are listed in GuardAPI Cloud Datasource Functions; the API parameter cloudTitle
must be replaced with the parameter environmentTitle (they have the same function, but different names). See the upload procedure in Create Datasource for CSV
uploaded via the Upload CSV menu in Customer Uploads, using the path Harden > Vulnerability Assessment > Customer Uploads to upload your file.
Procedure
1. Navigate to Discovery > Database Discovery > Cloud DB Service Protection, and click the service account name. When you create a cloud account, the Discover
Databases table is open, showing a list of all of the regions, with their RDS endpoints.
2. When you access this page subsequently, the table is closed. Click Discover Databases. The table opens showing the regions.
3. Select the row of each region whose databases you want to discover. Use the filter if relevant.
4. Click Discover. Guardium searches the regions, and adds any databases that were not previously discovered to the databases table.
Catalog and manage databases

Catalog databases to create the datasources in Guardium, modify users and passwords, and update the database configuration.
About this task

Cataloging creates the datasources within Guardium that are used for classification, vulnerability assessment, auditing, and reports. Databases that are not cataloged
have a red icon in the GuardiumDatasource column of the DB table.
Procedure
1. Catalog the databases you want to audit.
a. In the Databases table, select one or more databases.
b. Click Datasource > Catalog Datasource.
c. Enter the case-sensitive DB user and password that you received from your DBA. If you selected more than one database, be sure you want them to use the
same user and password pair.
d. Optionally select, modify or clear the default Classification process.
e. Click Catalog.
The Guardium datasource name appears in the Databases table.
2. Update the user or password:
a. In the Databases table, select one or more datasources.
b. Click Datasource > Update User and Password and modify the details. Both fields must be specified.
c. Click Catalog.
3. Modify one datasource definition.
a. Select the datasource and click Datasource > Open Datasource Definition
b. Modify as relevant. See parameter details in Creating a datasource definition.
c. Optionally test connectivity to the database by clicking Test Connection.
d. Click Save.
Manage Classification and Vulnerability Assessment

Assign datasources to an existing classification or vulnerability assessment process, or create new processes.
About this task

The Vulnerability Assessment menu is available only if you have a valid VA license.

Once you assign a classification process to a datasource, classification data is collected and handled the same as an on-premises database. You can assign classification
when you are not the owner, but you must take ownership in order to enable object audit and view the results.
A green icon indicates the process is running. A yellow icon means there is no schedule defined for the process. A red icon in the Classification Process or VA column
indicates no classification or VA assigned, or an error. View VA errors in Harden > Vulnerability Assessment > Assessment Builder > View Results. View classification errors
in Discover > End-to-End Scenarios > Discover Sensitive Data > Review Report ribbon > Process Log.
If you get a classification error file bdump-file-listing in BDUMP not found Unable to retrieve results for: 'RDSADMIN.TRACEFILE_ add
RDSADMIN to the pre-defined schema group Excluded Classification schemas - Oracle in the Group Builder.
Procedure
1. Assign one or more datasources to an existing Classification process.
a. Select one or more datasources.
b. Click Classification > Add to Classification.
c. Select the Classification Process and click Save.
d. Optionally click Edit/View to modify or run the classification process.
e. If you want to enable object auditing automatically for the objects found by classification process, click Edit/View to open the classification process; in the
Where to search ribbon, select the checkbox Enable object auditing for Cloud DBs.
f. Alternatively, run the classification: click Run Now in the Run Discovery ribbon in the Discover > End-to-End Scenarios > Discover Sensitive Data.
2. Create a new Classification process, and assign one or more datasources to it.
b. Click Classification > Create Classification.
c. Follow procedure in Discover Sensitive Data. Enable object auditing for Cloud DBs is selected by default. Leave it selected.
d. Run the classification: after you define Where to Search, click Run Now, or after you save the process click Run Now in the Run Discovery ribbon.
3. Assign one or more datasources to an existing Vulnerability Assessment.
b. Click Vulnerability Assessment > Add to Vulnerability Assessment.
c. Select the Vulnerability Assessment process and click Save.
d. Run the process: navigate to Harden > Vulnerability Assessment > Assessment Builder, select the process and click Run once now.
4. Create a new Vulnerability Assessment, and assign one or more datasources to it.
b. Click Vulnerability Assessment > Create Vulnerability Assessment.
c. Enter a description of the vulnerability assessment; enter one or more email addresses, separated by commas, to receive the results as part of an audit
process that you define.
d. Click Save.
The VA process is created with all tests, the selected datasources, and the receivers you defined.
e. Run the process: navigate to Harden > Vulnerability Assessment > Assessment Builder, select the process and click Run once now.
Configure database auditing

Enable auditing on the database so that object auditing data can get pulled by Guardium. Modify the limit of objects added automatically to classification, and modify the
collector.
About this task

The databases table presents various details of the discovered databases. You can use the colored indicators in the table to see the status of any datasource at a quick
glance. Red indicates no configuration, for example the database is not cataloged, or the datasource was not assigned to a classification or VA process. There are hover
tips on the color-coded status indicators to give you more information when the color is red or yellow. Use the predefined filter list to filter any of the columns that have
the color-coded status indicators, or the free text filter for other values.
If there is a collector defined for the datasource, it appears in the Active Collector column if you are the owner. Otherwise the column is blank.
The DB Audit Owner is the CM host name in a CM environment. In a standalone system the value is the collector's host name.
The DB Auditing column has one of the following values.
Enabled. When followed by pending restart, indicates that the status will take effect upon instance restart.
Disabled. When followed by pending restart, indicates that the status will take effect upon instance restart.
configuration does not match requirement. (The AWS parameter audit trail is not configured according to Guardium's requirement XML, EXTENDED. Ask your DBA
to modify this value.) When followed by pending restart, indicates that the status will take effect upon instance restart.
Not supported for this db engine. Activity monitoring is not currently supported by Guardium.
If you own the instance, a classification process is assigned, and DB audit is enabled, you should see results in the Objects column. The total is the number of objects
identified by the classification processes assigned to this instance; Audited is the number of those objects that are enabled for Object Audit; New is the number of objects
that have been found by a classification process but have not been enabled automatically. These objects require review. See Manage object auditing.
You should see results in the Objects column if the datasource is assigned to a classification process, the process has run since enabling the DB audit, and you are the
owner. If you don't see objects, verify the classification process and run it again.
Modify limit of objects added automatically and collector

You can modify the limit of objects added automatically and the collector on one or more databases simultaneously. Fields that are left blank are not modified.
Procedure
1. Select one or more databases.

2. Click DB Auditing > DB Auditing Configuration .
3. Modify the number of Limit objects added automatically. This is the maximum number of objects found by classification that can be automatically enabled for
object auditing, when the DB Auditing is enabled. You can modify this, per database, after they are discovered. Objects that are enabled automatically appear as
Enabled in the managed objects window. If you want Guardium to add objects automatically, set a high but reasonable limit of what you expect the classification
process to find. You also want to prevent an overflow of objects if there is a mistake in your classification, so don't set it too high. (An overflow could affect the
database performance.) Zero (0) means no objects are automatically enabled for object auditing. If the number of audited objects plus the number of newly
classified objects exceeds this limit, then no new objects are enabled for object auditing. For example, if set to 15, and Classification identifies 5 objects the first
time it is run, then the 5 objects are assigned audit trail. If set to 15, and there are 5 objects already enabled for object auditing, and the next run of Classification
identifies 16 objects, then no new objects are enabled for object auditing. If set to 15, and there are 5 objects already enabled for object auditing, and the next run
of Classification identifies 5 objects, then the 5 new objects are enabled for object auditing.
4. Collector appears in, and is mandatory for, a Central Manager environment. Select a collector from the drop-down list of all collectors in the CM environment. This is
the collector that pulls the audit data (activities) from the DB.
5. Click Apply.
Enable auditing on one database

You can enable DB auditing on one database at a time.
About this task
You can configure the parameter Limit objects added automatically or the collector with any permission level. Other changes require DB permissions. Your access keys
may or may not include these permissions. The instructions below cover all levels of permission.
When you enable DB Auditing, your Guardium system becomes the unique owner of the DB Audit on this DB. No other Guardium system modify the DB Audit or the object
audit. Another system can forcefully take ownership by clicking Start owning DB Audit.
Run classification at least once after enabling DB audit to see and manage objects for auditing. If no objects are found, check your policies.
CAUTION:
When you start managing the database, the Amazon RDS tag IBM Guardium IP is created with the value of your Guardium hostname. This tag should not be modified or
removed.
Procedure
1. Select the row of the database.

2. Click DB Auditing > DB Auditing Configuration.
3. Optionally modify the value of objects added automatically to the Object Audit.
4. In CM environment, if there is no collector defined, select one from the drop-down list and click Apply. The dialog refreshes, and the buttons are enabled.
5. If Enable DB Auditing is enabled, click it. The dialog and the table refreshes showing You are now owner of the DB audit. The dialog box refreshes. Either click
Restart to restart the database now (a confirmation message appears), or click Wait for next manual restart for example, to wait for a maintenance window. If you
choose Wait for next manual restart, you need to access the cloud console directly at a later time. If you click Restart and you do not have sufficient access rights,
an error appears. Request your DBA to configure audit trail as XML, EXTENDED and restart the instance.
6. If Enable DB Auditing is not enabled, click Own DB Audit. The dialog box refreshes. Click Wait for next manual restart and request your DBA to configure audit trail
as XML, EXTENDED and restart the instance.
7. If you made changes to the DB audit status, click Retrieve Status and wait for the message saying the status has changed, then click Refresh. The DB Audit Owner
column shows the host name of the CM or the collector's hostname in a standalone Guardium, and the icon in the DB Auditing turns green.
Disable auditing on one database

You can disable DB auditing on one database at a time. When you disable the DB audit, you also relinquish ownership of the DB auditing.
About this task
When you stop owning or disable the DB Audit, the entire object audit is disabled as well and the list of objects that can be audited (the come from the classification
results) are deleted.
Procedure
1. Select the row of the database.

2. Click DB Auditing > DB Auditing Configuration.
3. Click Disable DB Auditing, then click Wait for next manual restart, for example to wait for a maintenance window, or click Restart to restart the database now. If you
choose Wait for next manual restart, you need to access the cloud console directly at a later time. If don't have permission to change the configuration, click Stop
Owning DB Audit and request your DBA to disable the DB audit on this instance.
4. Click Retrieve Status to refresh the display with the latest status from the cloud.
Results
If there were changes, a message appears: DB auditing status has changed for some databases. Click Refresh to update the table. Click Refresh.
The status changes to disabled or disabled pending restart, the icon in the DB Auditing turns red, and the DB Audit Owner column is blank.
Starting and stopping DB audit ownership
About this task
You can modify the DB ownership status of one database at a time.
Owning the DB Audit gives you exclusive rights to the DB Audit and Object Audit definitions, and access to the object audit data (see Manage object auditing). Other
Guardium systems can access the same cloud account but can only see the DB details.
With full access rights, when you enable the DB audit, you also take ownership of the DB. If your access keys do not provide full access rights, then you take ownership
without enabling the DB audit. When DB audit is enabled (by the DBA) you will have access to the audit data. Conversely, when you disable the DB Audit, you relinquish

ownership. If your access keys do not provide full rights, you would stop owning DB audit, and request the DBA to disable the DB audit.
You can move ownership from one Guardium system to another.
If you are transferring ownership between two live systems, first stop owning the DB Audit on the current owner, then take ownership on the second Guardium system. All
auditing is stopped when one Guardium system relinquishes ownership. You'll need to define the auditing process on the new Guardium system: assign the DB to a
classification, run the process, and add objects to the Object Audit.
CAUTION:
Stop owning the DB Audit on one before starting to own it on the second. Otherwise the data will go to the previous collector, as well as the new collector. Two collectors
with different policies (different CMs) receiving the same activities, produce different, or incomplete, results on each collector.
If you are transferring ownership from a Guardium system that has gone down without expectation of recovery, you can start owning the DBA Audit from another
Guardium system, while maintaining the audit definitions, only the ownership changes. In this scenario, stop the original Guardium from owning the DB Audit in the DB
console.
Procedure
1. In the databases table, select the row of the database.

2. To stop owning DB audit: Click DB Auditing > DB Auditing Configuration > Stop owning DB audit.
3. To start owning DB audit: Click DB Auditing > DB Auditing Configuration > Start owning DB audit.
Manage object auditing

View the potentially sensitive objects identified by the classification processes in the databases that you manage, and enable object auditing on selected objects to
monitor all activities performed on these objects.
About this task

Prerequisite: DB auditing must be enabled and owned by you, and classification must run at least once on this the datasource.
New objects are objects that have been found by classification processes that have not been enabled for auditing. You can filter for all new objects, and then either enable
them for object auditing, or clear the New flag. When there are no New objects, then you are up to date with evaluating the new objects. Remember, Guardium could
receive new data every time the classification process runs. When new objects are found that were not added automatically to the object audit, there is a notice New
objects were found.
The Found by Classification column lists all the classification processes that identified this object.
The status Mixed in the Object Audit Status column means the object audit is enabled in some datasources and disabled in other datasources.
Enabling and disabling object auditing is a heavy process, and can take a few minutes. There is a waiting icon while the cloud processes the auditing changes.
You can review objects found in one datasource or multiple datasources by selecting the rows of the datasources you want to review from the Databases table. The object
audit windows shows all objects found by all classification processes on the selected database or databases.
Managing object audit in one database

Managing object audit in multiple databases
Managing object audit in one database

About this task
The Objects in Datasource <name> window lists all objects found by the classification processes run on this datasource. Objects can be found by more than one
classification process.
When objects have been identified by the classification process but were not enabled automatically for object audit, New objects found appears above the objects
table. Click New Only to filter for all new found objects that require handling. New objects could be found every time the classification runs. When there are no New
objects, you are up to date with the new objects evaluation.
Review the datasources periodically, checking for New objects, and optionally adding or removing objects from the object audit. For example, you might remove objects if
the automatically added objects include objects you have decided do not need auditing, or if a database is having performance issues. Or you could identify a suspicious
object that is not audited, and add it to the object audit.
Use the classification filter for objects that you know must be audited. Select all objects in the filtered view, and enable object auditing.
Procedure
1. If you assigned the Classification process before you enabled DB Audit, run the Classification once now and wait a few minutes (or wait for the next scheduled run)
for Guardium to identify objects.
2. Select one datasource. Consider using the filter New objects found to identify datasources with new objects.
3. Select DB Auditing > Manage Object Auditing. The Manage Object Auditing window opens listing all objects found by the classification processes to which this
datasource is assigned.
4. Consider using the filter New only to identify all objects classified as New.
5. Select one or more objects (rows) in the table.
6. To enable audit trail, select Actions > Enable Audit. The system responds with the success or failure of the operation.
7. To clear the New flag, click Actions > Clear New flag.
8. To disable audit trail, select Actions > Disable audit. The system responds with the success or failure of the operation.
Parent topic: Manage object auditing

Managing object audit in multiple databases
About this task
This view lists all objects found by the classification processes run on the selected datasources. Objects can be found by more than one classification process. View the
objects grouped by object (default), or classification. The Found by Classification column lists all the classification processes that identified the object.
When objects are identified by the classification process but were not enabled automatically for object audit, New objects found appears above the objects table. Click
New Only to filter for all new found objects that require handling. Review the New objects and either enable object auditing, or clear the New flag.
New objects could be found every time the classification runs. When there are no New objects, you are up to date with the new objects evaluation.
Review the datasources periodically, checking for New objects, and optionally adding or removing objects from the object audit. For example, you might remove objects if
the automatically added objects include objects you have decided do not need auditing, or if a database is having performance issues. Or you could identify a suspicious
object that is not audited, and add it to the object audit.
Group by Object: To view all new found objects, type New in the text filter.
To enable or disable the object audit on one object in all the selected datasources, select the row(s) and click Action > Enable / Disable
To take action per datasource, click Present in # datasources to view all datasources whose classification processes have identified the selected object
Group by Classification is especially useful when you have almost identical datasources, or classification policies, whose objects need auditing without any further
evaluation, for example GDPR.
Procedure
1. If you assigned the Classification process before you enabled DB Audit, run the Classification once now (or wait for next scheduled run) and wait a few minutes for
Guardium to identify objects.
2. When grouped by object:
a. Select multiple datasources that have New objects in the Objects column of the Databases Table. Use the filter New objects found to identify these
datasources.
b. Click DB Auditing > Manage Object Auditing. The Manage Object Auditing window opens.
c. If the object must always be audited in all the datasources, select the row(s) and click Actions > Enable Audit. The system responds with the success or
failure of the operation.
d. If you want to enable the object audit on individual databases, click the number in the Present in # Datasources column, in the row of the object to open the
Datasources containing <object> window. This window shows all datasources whose classification processes have identified the selected object. Select one
or more datasource rows and click Actions > Enable Audit.
3. For a classification process whose identified objects always need auditing without further evaluation: Click the Classification radio button (above the table); select
one or more rows of classification processes, and click Actions > Enable Audit.
Parent topic: Manage object auditing
Database Auto-discovery
The Auto-Discovery application scans and probes your servers for open ports to prevent unknown or unwanted connections to your network. You can run auto-discovery
processes on demand, or schedule the processes on a periodic basis.
Database Auto-discovery Overview

There are many scenarios where databases can exist undetected on your network and expose your network to potential risk. Old databases might be forgotten and
unmonitored, or a new database might be added as part of an application package. A rogue DBA might also create a new instance of a database to conduct malicious
activity outside of the monitored databases.
Auto-discovery uses scan and probe jobs to ensure that no database goes undetected in your environment.
A scan job scans each specified host (or hosts in a specified subnet), and compiles a list of open ports that are specified for that host.
A probe job uses the results of the scan to determine whether there are database services that are running on the open ports. A probe job cannot be completed
without first running a scan. View the results of this job in the Databases Discovered predefined report.
Before you begin, you must download and install the patch for the Auto-discovery application. The patch is available at IBM Fix Central.
Follow these steps to use the Auto-discovery application:
1. Create an Auto-discovery process to search specific IP addresses or subnets for open ports.
2. Run the Auto-discovery process on demand or on a scheduled basis.
3. View the results of the process with Auto-discovery reports, or create custom reports.
Auto discovery has its own processes that are independent of audit processes, but they work exactly the same way as audit processes.
You can only enter IPs when doing a scan, not host names, but Guardium does detect host names as part of the report. Guardium does not truncate host names in the
Guardium product. However, it may be necessary to configure the report to have wider columns.
Guardium auto-discovery does not guess on what database appears during a probe. If Guardium auto-discovery says it has found a database, then it is 100% certain what
the database is.
Note: Discovery only finds running databases. Databases will need to be started if discovery is to be used during the installation. Due to how the AIX KTAP interception
works, the databases need to be restarted after the first time S-TAP runs. If the databases are not restarted, some interception will not work.
Create an Auto-discovery Process

Specify which host and ports the Auto-discovery process scans.

1. Configure Auto-discovery by clicking Discover > Database Discovery > Auto-discovery Configuration.
2. Click New to create a new process and open the Auto-discovery Process Builder.
3. Enter a Process name that is unique on your GuardiumÂ® system.
4. To run a probe job immediately after the scan job completes, check the Run probe after scan check box.
5. For each host or subnet to be scanned, enter the host and port, and click Add scan. Each time that you add a scan, it is added to the task list.
Note:
Wildcard characters are enabled. For example: to select all addresses beginning with 192.168.2, use 192.168.2.*.
Specify a range of ports by putting a dash between the first and last port numbers in the range. For example: 4100-4102.
After you add a scan, modify the host or port by typing over it. Click Apply to save the modification.
If you have a dual stack configuration, you will need to set up a scan for both the IPV4 and the IPV6 addresses.
To remove a scan, click the Delete this task icon for the scan. If a task has scan results dependent upon it, the scan cannot be deleted.
6. When finished adding scans, click Apply, and run the job or schedule the job in the future.
See Scheduling if you need help defining a schedule.
Run or Schedule an Auto-discovery Process

Run or schedule scan and probe jobs as part of the Auto-discovery process.
1. Click Discover > Database Discovery > Auto-discovery Configuration.

2. Select the process to-be run from the Auto-discover Process Selector list and do one of the following:
3.
To run a job immediately, click Run Once Now.
To schedule a job in the future, click Modify Schedule (see Scheduling if you need help defining a schedule).
Note: A probe job cannot run without the results of the scan job. You can schedule the two jobs to run individually, or you configure the probe job to run after
the scan job by modifying a process, and checking the Run probe after scan check box.
4. After you start or schedule a job, you can click Progress Summary to display the status of this process.
Auto-discovery Reports
Open the Auto-discovery reports by clicking Discover > Reports and selecting from the available reports.
You can create custom reports with the Auto-discovery Query Builder. Open the Auto-discovery Query Builder by clicking Discover > Database Discovery > Auto-discovery
Query Builder.
Databases Discovered Report

Open the Databases Discovered report by clicking Discover > Reports > Databases Discovered.
The main entity for this report is the Discovered Port. Each individual port that is discovered has its own row in the report. The columns that are listed are: Time Probed,
Server IP address, Server Host Name, DB Type, Port, Port Type (usually TCP), and a count of occurrences.
There are no special runtime parameters for this report, but it excludes any discovered ports with a database type of Unknown.
When an auto-discovery process definition changes, the statistics for that process are reset.
Auto-discovery Tracking Domain

The Auto-discovery Tracking domain contains all of the data reported by Auto-discovery processes. Click any entity name to display its attributes.
Auto-discovery Tracking Domain Entities
Auto-discovery Scan provides a time stamp for each scan operation.

Discovered Host provides the IP address and host name for each discovered host.
Discovered Port provides a time stamp, identifies the port, and provides the database type for each port discovered open.
Classification
Classification policies and processes define how GuardiumÂ® discovers and treats sensitive data such as credit card numbers, social security numbers, and personal
financial data.
Discovery and classification processes become important as the size of an organization grows and sensitive information like credit card numbers and personal financial
data become present in multiple locations, often without the knowledge of the current administrators responsible for that data. This frequently happens in the context of
mergers and acquisitions, or when legacy systems have outlasted their original owners. Creating workflows for discovering sensitive data allows you to identify sensitive
data in your environment and take appropriate actions, such as applying access policies.
Classification processes consist of classification policies that have been associated with one or more datasources. Classification processes can be submitted to be run
once or, if login credentials have been stored for all the datasources used in the process, scheduled to run on a periodic basis in a compliance workflow automation
process.
Classification policies consist of classification rules and classification rule actions designed to find and tag sensitive data in specified datasources.
Classification rules use regular expressions, Luhn algorithms, and other criteria to define rules for matching content when applying a classification policy.
Classification rule actions specify a set of actions to be taken for each rule in a classification policy. For example, an action might generate an email alert or add an object
to a Guardium group. Each time a rule is satisfied, that event is logged, and thus can be reported upon (unless ignore is specified as the action to be taken, in which case
there is no logging for that rule).
Classification Process Performance

Classification processes are handled with sampling routines and timeout parameters that ensure minimal performance impact on database servers.

Classification Rule Handling
Classification rules are handled according to flexible matching and grouping criteria.
Working with Classification Processes
Create, run, and view classification processes using the Classification Process Builder.
Working with Classification Policies
Working with Classification Rules
Working with Classification Rule Actions
Classification Process Performance

Classification processes are handled with sampling routines and timeout parameters that ensure minimal performance impact on database servers.
When the classifier runs, you have the option of specifying how it samples records. The default behavior takes a random sampling of rows using an appropriate statement
for the database platform in question. For example, the classifier samples using a rand() statement for SQL databases. The alternative behavior is sequential sampling,
which reads rows, in order, up to the specified sample size. Random sampling is the default behavior and is generally recommended because it provides more
representative results. However, random sampling may run incur a slight performance penalty when compared to sequential sampling.
For both random and sequential sampling, the default sample size is 2000 rows or the total number of available rows, whichever is fewer. Larger or smaller sample sizes
may be specified. If you check the random sampling box, it selects 2000 rows randomly from that table/view and then scans. If the table contains less than 2000 rows, it
will scan all the rows. If you uncheck the random sampling box, it selects the first 2000 rows from that table/view and then scans. The default query time-out value is 3
minutes (180 seconds). If the process is running but stuck for 30 minutes, the entire process will be halted.
To further minimize the impact of classification processes on the database server, long running queries will be cancelled, logged, and the remainder of the table skipped.
Any rows acquired up to that point will be used while evaluating rules for the table. Similarly, if a classification process runs for an extensive period of time without
completing, the entire process is halted, logged with the process statistics, and the next classification process is started. This is an uncommon occurrence and usually only
happens on servers that are already experiencing performance problems.
The classifier periodically throttles itself to idle so it does not overwhelm the database server with requests. If many classification rules are sampling data, the load on the
database server should remain constant but the process may take additional time to run.
The classifier handles false positives by using excluded groups for schema, table and table columns. Previously, it could be a complex process to set up Guardium to
ignore false positive results for future classification scans. Now, when you review classifier results, you can easily add false positive results to an exclusion group, and add
that group to the classification policy to ensure those results are ignored in future scans.
Multi-thread classifier
Guardium can run more that one classifier process on a server based on the number of cores a server is setup/defined with. Basically, you can run multiple classifier
processes (almost at the same time - starting time is still the same every 10 seconds or so to start).
Run these commands to find out the number of cores on your server. For example:
Test using command "nproc" or "lscpu" to see number of allowed concurrent process * 2 AND/OR grep -c processor /proc/cpuinfo AND/OR grep "cpu cores"
/proc/cpuinfo |sort -u |cut -d":" -f2
Multiply the number of cores by 2 and that gives you the number of concurrent classifier processes you could define and run at the same time.
Use these CLI commands to set and to get the set value for setting concurrency levels:
grdapi set_classification_concurrency_limit limit=4 (setting up to 4 classifier processes to run at the same time)
grdapi get_classficiation_concurrency_limit (show/display the current concurrency limit, the default of any server is set to 1)
Parent topic: Classification
Classification Rule Handling

Classification rules are handled according to flexible matching and grouping criteria.
Fire only with Marker

The Fire only with Marker allows for the grouping of Classifier rule types by the same exact name. Additionally, all returned rules using a marker must return data based on
the same table name. If two, or more, rules are defined with the same marker then those rules will fire together and together such that if both rules fire on the same table
then they both will be logged and their actions invoked. If on the other hand only one of them fires on a table then neither of the rules will be logged or have their actions
invoked. Being able to have multiple rules fire together becomes important when you care about sensitive data appearing together within the same table. For example,
you may want to know when a table has both a social security number and a Massachusetts drivers license.
The Fire only with Marker is a constant value, can be named any value, and must have the exact same value across rules you want to group. This means that if one rule has
a marker of ABC then the other rule that you want to group it with must also have a marker named ABC. Any other marker value and the rules are no longer grouped.
You must use at least two rules of any values based on looking for data within the same table name.
Continue on Match
The Fire only with Marker is also based on the Continue on Match. As an example, if the following rules were defined such that Rule 3 does not match the Continue on
Match then no results will be returned regardless if all three marker rules were positive. This is because you didn't get to run Rule 4 and the grouping will not fire because
all Fire only with Markers must execute and with positive results.
Rule 1. Firemarker rule ABC (continue on match)

Rule 3. non-firemarker rule type (continue on match)
Unmatched Columns Only

Use this option for reducing the granularity of data results. Some organizations may want to do a survey of their data to discover which tables and columns have sensitive
data without necessarily needing to find every type of sensitive data in that column. A new option for Continue on match, With Unmatched Columns only, means that as
soon as the classifier finds a match for that column, it will ignore that column as it continues its processing.
Table 1. Summary of available classifier processing options

Continue on match With Unmatched Columns only Granularity of Result
No N/A Table. Classifier will stop processing rules after the first hit in the table.
Yes Yes Table and column. Classifier will record the first hit for any given column and ignore it thereafter for
subsequent rules.
Yes No Detailed. Classifier will record hits for all columns for all rules.
Classification with Luhn algorithm

When a rule name begins with guardium://CREDIT_CARD, and there is a valid credit card number pattern in the Search Expression box, the classification policy will use the
Luhn algorithm (a widely-used algorithm for validating identification numbers such as credit card numbers), in addition to standard pattern matching. The Luhn algorithm
is an additional check and does not replace the pattern check. A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by a
blank. There is a requirement to have both the guardium://CREDIT_CARD rule name and a valid [0-9]{16} number in the Search Expression box in order to have the Luhn
algorithm involved in this pattern matching.
Working with Classification Processes

Create, run, and view classification processes using the Classification Process Builder.
Procedure
Open the Classification Process Builder by navigating to Discover > Classifications > Classification Process Builder.
Create a Classification Process
Procedure
1. From the Classification Process Builder, click the icon to open the Define Classification Process panel.
2. Enter a name for the process in the Process Description field.
3. Select a classification policy from the list. You can click Modify to view and edit the policy if needed.
4. Optionally clear the Random sampling check box. This feature applies only when the number of records in a table exceeds the sample size. Random sampling will
randomly search a number of records in the table up to the defined sample size. This is a high quality search because the results are more representative of the
data. Clearing the Random sampling check box changes the behavior to sequentially search records in the table up to the defined sample size. A sequential search
may be faster than a random sampling, but the results may not be as representative of all the available data.
5. Enter a Sample size when searching for data (see Define Classification Policy Rules / Define a Search for Data Rule), if the number of records in a table is <= to
"Sample size", then all those records are searched for a match. When the number of records in a table exceeds "Sample size", then random sampling may be used.
6. Click the Add Datasource button to add one or more datasources.
7. Click Save. This completes the definition of the classification process.
8. Optionally add comments to the definition. See Comments in the Common Tools help book.
9. Optionally add security roles. See Security Roles in the Access Management help book.
10. Optionally submit the classification process for execution. See Run a Classification Process.
11. Click Done when you are finished.
Run a Classification Process
About this task
There are three ways to run classification processes:
On demand from the Classification Process Builder, which is described in this task.
As a task within a Compliance Workflow Automation Process, described elsewhere.
As part of a Discover Sensitive Data Workflow, described elsewhere.
Procedure
1. From the Classification Process Builder, select the process to run, and click Modify to open the Classification Process Builder.
2. Click the Run Once Now button to submit the job. This places the process on the Guardium Job Queue, from which the Guardium system runs a single job at a time.
You can view the job status using the Guardium Job Queue.
3. Click the Done button when you are finished.
View Classification Results
Procedure

1. From the Classification Process Builder, click the View Results button. The results will open in a separate window.
2. On any row of the Process Run Log, click (details) to display more information.
3. Optionally, if Data User Security is enabled, through the Global Profile, check boxes will be displayed that allow users to control / toggle rows in the result set in
accordance to the Filtering defined.
4. Click Close this window when you are done viewing the results. In addition, there is a Classifier Process Log report to display the status of the classification process.
View the Job Queue
Before you begin
The Guardium Job Queue is available from the administrator portal only.
Procedure
To view the report, open the Guardium Job Queue by navigating to Discover > Classifications > Guardium Job Queue.
Working with Classification Policies

Procedure
Open the Classification Policy Builder by navigating to Discover > Classifications > Classification Policy Builder.
Create a Classification Policy
Procedure
1. Click New to open the Classification Policy Definition panel.

2. Enter a unique name in the Name field.
3. Enter a category in the Category field, and a classification in the Classification field. Both are required. Both are used to group and organize data on reports.
4. Optionally enter a Description.
5. Optionally enter comments. These can be entered at any time after the policy has been saved. See Comments.
6. Click Edit Rules to define rules and their associated actions. See Define Classification Policy Rules for detailed instructions. It is recommended to use the Discover
Sensitive Data scenario (Discover > End-to-End Scenario > Discover Sensitive Data) for modifying existing classification policies. Use the same Discover Sensitive
Data scenario to create classification policy groups. Also, if groups have been created, they have to be explicitly selected.
Modify a Classification Policy
Procedure
1. Select the classification policy to be modified, and do one of the following:

To modify policy rules, click Edit Rules and see Define Classification Policy Rules.
To modify any other element of the definition, click the Modify button.
2. Type over any of the items as appropriate.
3. Click Save to save any changes, and click Done when you are finished.
Clone a Classification Policy
Procedure
1. Select the classification policy to be cloned, and click the Clone button.
2. Type over any of the items as appropriate for the cloned policy. We recommend that you replace the default name for the clone, which is the name of the selected
policy prefixed with Copy of.
3. Click the Save Clone button to save the new classification policy. The policy will be re-displayed in the Classification Policy Definition panel.
4. See Modify a Classification Policy for instructions on how to change components of the new classification policy definition.
Working with Classification Rules

Procedure
1. Open the Classification Policy Rules panel from the Classification Policy Finder by navigating to Discover > Classifications > Classification Policy Builder.
2. It is recommended to use the Discover Sensitive Data scenario (Discover > End-to-End Scenario > Discover Sensitive Data) for modifying existing classification
policies. Use the same Discover Sensitive Data scenario to create classification policy groups. Also, if groups have been created, they have to be explicitly selected.
Add a New Classification Policy Rule
Procedure
1. Click the Add Rule button to open the Classification Rule definition panel.
2. Enter a Rule Name.
3. Optionally enter a new Category and/or Classification for the rule. The defaults are taken from the Classification Policy Definition for the policy.
4. If the next rule in the classification policy should be evaluated after this rule is matched, mark the Continue on Match checkbox. The default is to stop evaluating
rules when a rule is matched.
5. Select a Rule Type. For a new rule, no Rule Type is selected. Once a Rule Type is selected, the panel expands to include the fields needed to define that type of rule.
For the specifics of how to define each type of rule, see one of the following sections:

Define a Catalog Search Rule - Search the database catalog for table or column name
Define a Search for Data Rule - Match specific values or patterns in the data
Note: The database authentication (user/password) defined within the datasource definition being used should have adequate levels of permission for the
rule/search being defined. For example, in Oracle, a user with an appropriate role (such as SYSTEM or DBA) can properly search an access right within the
database catalog. This note applies to the System Table choice when using Search for Data Rule Type. Do not check System Table if user does not have the
SYSTEM role.
Define a Search for Unstructured Data Rule - Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
6. Click the New Action button to add an action to be taken when this rule is matched. See Add a Classification Rule Action.
7. Click Accept to add the rule to the policy.
Define a Catalog Search Rule
About this task
A catalog search rule searches the database catalog for table and/or column names matching specified patterns. Wildcards are allowed: % for zero to any number of
characters, or _ (underscore) for a single character.
Procedure
1. In the Table Type row, mark at least one type of table to be searched: Synonym, Table, or View. (Table is selected by default.)
2. Optionally enter a specific name or a wildcard based pattern in the Table Name Like box. If omitted, all table names will be selected.
3. Optionally enter a specific name or a wildcard based pattern in the Column Name Like box. If omitted, all column names will be selected.
4. Click the Accept button when you are done.
Define a Search for Data Rule
About this task
A search for data rule searches one or more columns for specific data values. Wildcards are allowed: % for zero to any number of characters, or _ (underscore) for a single
character. For example, the Rule Type is Search for Data, the Table Type is Table, and the Table Name Like is CREDIT%.
Procedure
1. In the Table Type row, mark at least one type of table to be searched: Synonym, Table, or View. (Table is selected by default.)
2. In the Table Name Like row, optionally enter a specific name or a wildcard based pattern. If omitted, all table names will be selected.
3. In the Data Type row, select one or more data types to search.
4. In the Column Name Like row, optionally enter a specific name or wildcard pattern. If omitted, all column names will be selected.
5. Optionally enter a Minimum Length. If omitted, no limit.
6. Optionally enter a Maximum Length. If omitted, no limit.
7. In the Search Like field, optionally enter a specific value or a wildcard based pattern. If omitted, all values will be selected.
8. In the Search Expression field, optionally enter a regular expression to define a pattern to be matched. To test a regular expression, click the (Regex) button to open
the Build Regular Expression panel in a separate window. For detailed information about how to use regular expressions, see Regular Expressions.
9. In the Evaluation Name, optionally enter a fully qualified Javaâ„¢ class name that has been created and uploaded. The Java class will then be used to fire and
evaluate the string. There is no validation that the class name entered was loaded and conforms to the interface. See Custom Evaluation and Manage Custom
Classes for more information on creation and uploading of Java class files.
10. Optionally enter a Fire only with Marker name. See Fire only with Marker.
11. In the Hit Percentage field, optionally enter a percentage of matching data that should be achieved for this rule to fire. Data is returned if the percentage of
matching data examined is greater than or equal (>=) then the percentage value entered, noting that an empty entry means it is not a condition and will not affect
whether the rule fires or not and return data to the view screen, a 0 percentage will cause the rule to fire for this condition and return data to the view screen, and a
percentage of 100 requires that all must match.
12. In the Compare to Values in SQL field, optionally enter a SQL statement. The SQL entered, which must be based on returning information from one and only one
column, will then be used as a group of values to search against the tables and/or columns selected. If used, the Compare to Values in SQL should follow the
following rules:
The SQL statement MUST begin with SELECT
The SQL statement SHOULD NOT utilize the ';' semi-colon
The SQL entered MUST specify a schema value name in order to be accurate in returning results.
Good examples include:
SELECT ename FROM scott.emp

select EMPNUMBER from SYSTEM.EMP where EMPNUMBER in(5555,4444)
select DNAME from SCOTT.DEPT where DNAME like 'A%G'
SELECT ZIP from SCOTT.FOO where ZIP in (SELECT ZIP FROM SCOTT.FOO)
13. In the Compare to Values in Group field, optionally select a group. The group selected will then be used as a group of values to search against the tables and/or
columns selected. As long as one of the values within a group, that is either a public or a classifier group, matches, then the value rule will return data.
14. Mark the Show Unique Values checkbox to add, to the Comments, details on what values matched the classification policy rules and fired. Use regular expressions
in the Unique Values Mask field to redact the unique values. For example, mark the Unique Values checkbox and use ([0-9]{2]-[0-9]{3})-[0-9]{4} in the Unique
Values Mask field to log the last four digits and redact the prefix digits.
Define a Search for Unstructured Data Rule
About this task
A Search for Unstructured Data rule examines a non-database file.
Procedure
1. In the Search Like box, optionally enter a specific value or a wildcard based pattern. If omitted, all values will be selected.
2. In the Search Expression box, optionally enter a regular expression to define a pattern to be matched. To test a regular expression, click the icon to open the
Build Regular Expression panel in a separate window. For detailed information about how to use regular expressions, see Regular Expressions.

3. Optionally enter a marker name.

Procedure
1. After a rule has been saved, click the (Customize) button for that rule to return to the rule definition panel, from which you can add one or more rule actions.
2. Click the New Action button to open the Action panel.
3. Enter an Action Name.
4. Optionally enter a Description.
5. Select an Action Type from the list. Depending on the action selected, a different set of fields will appear on the panel.
For the Ignore and Log Result actions, no additional information is needed.
Ignore - Do not log the match, and take no additional actions.
Log Result - Log the match, and take no additional actions.
For all other actions, additional fields will appear on the panel, and you will have to enter additional information.
Add To Group Of Object-Fields Action
Add To Group Of Objects Action
Create Access Rule Action
Create Privacy Set Action
Log Policy Violation Action
Send Alert Action
6. After actions have been added to the Classification Rule panel, the controls in the table can be used to modify the actions defined.
7. Click Accept when you are done working with the rule definition.
Add to Group of Object Fields Action
About this task
Each time the classification rule is matched, a member will be added to the selected Object-Field group on the Guardium system. You have the option of replacing all
members, or adding new members.
For a database file, the object component of the member will be the database table name, and the field component will be the column name.
For an unstructured data file, the object component of the member will be the file name (in quotes), and the field component will be the column name, but if column
names cannot be determined, the columns will be named column1, column2, etc.
Procedure
1. Do one of the following:

Select an Object-Field Group from the list, or
Click the Groups button, define a new group using the Group Builder, and then select that group from the list.
2. Optionally mark the Replace Group Content box to completely replace the membership of the selected group with members returned by this rule. By default, this
box is not marked, which means that new members will be added to the group, but no members will be deleted. For a job that is run on demand, this box is ignored,
and you are given the opportunity to add or replace members on the view results panel.
3. Click the Save button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Add to Group of Objects Action
About this task
Each time the classification rule is matched, a member will be added to the selected Object group on the Guardium system.
For a database file type, the member will be the database table name. For an unstructured file type, the member name will be the file name.
You have the option of replacing all entries, or only adding new entries.
Procedure

Select an Object Group from the list, or
Click the Groups button, define a new group using the Group Builder, and then select that group from the list.
Note: To use aliases with groups generated from Classifier - Open the Group Builder, select the Object group generated by Classifier and then click Modify.
Click on the Aliases button in Group button to change the name of the Object Group.
2. Optionally mark the Replace Group Content box to completely replace the membership of the selected group with members returned by this rule. By default, this
box is not marked, which means that new members will be added to the group, but no members will be deleted. For a job that is run on demand, this box is ignored,
and you are given the opportunity to add or replace members on the view results panel.
3. From the Actual Member Content, select the naming convention that will be used when adding the member to the group where 'Full' is the schema.tablename and
'Name' is the tablename.
4. Click Save to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Create Access Rule Action
About this task
Each time the classification rule is matched, an access rule will be inserted into an existing security policy definition. The updated security policy will not be installed (that
task is performed separately, usually by a Guardium administrator).
Procedure

1. Select an Access Policy from the list. You must be authorized to access that policy.
2. Enter a rule name in the Rule Description box.
3. Select an action from the Access Rule Action list.
4. Optionally select a Commands Group, or click the Groups button, define a new Commands group using the Group Builder, and then select that Commands group
from the list.
5. To log field values separately, mark the Include Field checkbox. Otherwise, only the table will be recorded (the default).
6. To include the server IP address, check the Include Server IP checkbox.
7. If you have selected an alerting action, a Receiver row appears on the panel, and you must add at least one receiver for the alert. Click Modify Receivers to add one
or more receivers.
8. Click Accept to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Create Privacy Set Action
About this task
Each time the classification rule is matched, the selected privacy set's object-field list will be replaced.
For a database file, the object component of the privacy set will be the database table name, and the field component will be the column name.
For an unstructured data file, the object component of the privacy set will be the file name (in quotes), and the field component will be the column name, but if column
names cannot be determined, the columns will be named column1, column2, etc.
Procedure
1. Select the previously defined Privacy Set whose contents you want to replace.
2. Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Log Policy Violation Action
About this task
Each time the classification rule is matched, a policy violation will be logged. This means that classification policy violations will be logged (and can be reported) together
with access policy violations (and optionally correlation alerts) that may have been produced.
Procedure
1. Select a Severity code from the list.

Send Alert Action
About this task
Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Procedure
1. Select a Notification Type code from the list.

2. Click the Modify Receivers button to add one or more receivers. The specified receiver will be get one mail per datasource per rule per action. So, if a datasource
has three rules and each rule has two actions (that have at least one match), then the user will get 2 * 3 = 6 mails.

Create an end-to-end scenario for discovering and classifying sensitive data.
About this task

Discovery and classification processes become important as the size of an organization grows and sensitive information like credit card numbers and personal financial
data propagate to multiple locations. This often happens in the context of mergers and acquisitions or when legacy systems have outlasted their original owners. As a
result, sensitive data may exist beyond the knowledge of the person who currently owns that data. This is a common yet extremely vulnerable scenario, since you cannot
protect sensitive data unless you know it exists.
Sensitive data discovery scenarios span three critical aspects of enterprise security:
Discovery: locating the sensitive data that exists anywhere in your environment
Protection: monitoring and alerting when sensitive data is accessed
Compliance: creating audit trails for reviewing the results of sensitive data discovery processes
The Discover Sensitive Data end-to-end scenario builder streamlines the processes of discovery, protection, and compliance by integrating several Guardium tools into a
single user-friendly interface.
Table 1. Discover sensitive data tools map

Value Scenario Task Description Result
Name and Description Provide a name and description for the scenario and its Creates a classification process and classification
Discover related processes and policies. policy.
What to discover Create rules and rule actions for discovering and Optionally creates new datasource definitions.
classifying data.

Value Scenario Task Description Result
Where to search Identify datasources to scan.
Run discovery Run the scenario, review the results, and define ad hoc
grouping and alerting actions.
Review report Creates an access policy.
Protect
Audit Define recipients, a distribution sequence, and review Creates an audit process.
Comply options.
Schedule Create a schedule to run at defined intervals.
This sequence of tasks guides you through the processes of creating a new discovery scenario. This includes creating classification policies consisting of rules and rule
actions for discovering sensitive data, creating classification processes by identifying datasources to scan for sensitive data, defining ad hoc policies (for grouping and
alerting, for example), and creating audit processes that distribute results to different stakeholders at scheduled intervals.
While a discover sensitive data scenario creates underlying policies and processes that can be accessed using other Guardium tools (for example the Classification Policy
Builder or through GuardAPI commands), there are no GuardAPI commands for creating or modifying a discovery scenario.
1. Discovery scenarios
Create a new discovery scenario or select an existing discovery scenario to copy or edit.
2. Name and description
Provide a name and description for your discovery scenario.
3. What to discover
Create policies consisting of rules and rule actions for discovering and classifying sensitive data.
4. Where to search
Identify datasources to scan for sensitive data.
5. Run discovery and review report
Optionally run your discovery scenario and review the results.
6. Audit
Optionally create an audit process by defining receivers, a distribution sequence, and review options for the discovery and classification report.
7. Scheduling
Optionally activate the audit process by scheduling it to run at defined intervals.
What to do next
Continue to the next section and provide a Name and description for your discovery and classification scenario.
Discovery scenarios
Create a new discovery scenario or select an existing discovery scenario to copy or edit.
Procedure
1. Navigate to Discover > End-to-End Scenarios > Discover Sensitive Data.
2. Create, copy, or edit a discovery scenario.
Click the icon to create a new scenario.
Click the icon to copy an existing scenario or template.

Click an existing scenario name from the Discovery Scenarios list to begin editing that scenario.
Some discovery scenarios or templates are provided by default, including the following:
GDPR [template]
The GDPR [template] scenario provides the latest set of discovery rules and language support for your GDPR compliance strategy. Templates can be copied
or edited and saved under a different name, and the GDPR [template] will always receive the latest GDPR discovery rules and language support.
GDPR
The GDPR scenario provides a basic set of discovery rules that can be used as part of a GDPR compliance strategy. You can edit and save changes to the
GDPR scenario, but the scenario will not receive updated rules or language support over time.
Attention: If the GDPR [template] is available, using the older GDPR scenario is not recommended because the GDPR scenario does not receive updates.
Parent topic: Discover Sensitive Data

Next topic: Name and description
Name and description

Provide a name and description for your discovery scenario.
About this task

The name provided for the discovery scenario will also be used to name underlying policies and processes.
During this step, you may also specify security roles that can access the discovery scenario.
Procedure
1. Open the Name and Description section and provide or edit the name and optional description of the scenario. The name you provide here will also be used to name
underlying classification processes and policies created by the discovery scenario.

Example: A discovery scenario named "Find PCI" will create a classification process named "Find PCI" and a classification policy named "Find PCI Classification
Policy" (followed by a date and time stamp).
2. Provide category and the classification labels for tagging violations. "Sensitive" is the default value for category and classification labels.
3. Optionally, click the Roles button to specify security roles that can access the discovery scenario.
What to do next
Continue to the next section of the discovery scenario, What to discover.
Previous topic: Discovery scenarios
Next topic: What to discover
What to discover
Create policies consisting of rules and rule actions for discovering and classifying sensitive data.
About this task

Classification policies contain ordered sets of rules and rule actions that identify and take actions on sensitive data. Each rule in a policy defines a conditional action that is
taken when the rule matches. The conditional test can be simple, for example a wildcard string found anywhere in a table, or a complex test that considers multiple
conditions. For discover sensitive data scenarios, the action triggered by a rule can be a grouping action that adds the object to a specified group or an alerting action that
triggers a notification when rules are matched. Multiple grouping and alerting actions can be combined and ordered to create sophisticated responses to matched rules.
This task guides you through the processes of creating and editing classification rules and rule actions for use in your discovery scenario.
Procedure
1. Open the What to discover section to define rules for discovering data.
2. Use the Language menu to filter rule templates by the selected language and countries where the selected language is a national language. Templates for universal
patterns like credit card numbers and email addresses are displayed for all Languge menu selections.
3. Add rules to your discovery scenario by doing one of the following:
Click the icon to create a new rule.
Select rules from the Classification Rule Templates table and click the icon to add predefined rules.
4. Define a new rule, or edit a rule template by selecting the template and clicking the icon.
a. Select a Rule type based on the type of search being performed.
Search for data matches specific patterns or values in the data
Catalog search matches table or column names in the database catalog
Search for unstructured data matches specific values or patterns in an unstructured data file, for example CSV, TXT, or CEF files
b. Provide a name and description while optionally specifying a special pattern test at the beginning of the Name field. The rule name will also be used to name
the rule associated with the classification policy in the Classification Policy Builder. If you require a special pattern test, it is recommended that you work
with its corresponding template (for example, use Bank Card - Credit Card Number for credit card numbers).
c. Open the Rule Criteria section to define a regular expression and other search criteria for the rule. If you are working with a rule template, an appropriate
regular expression is provided by default.
Attention: For rules created in the discover sensitive data scenario, the default Data type includes both Number and Text.
d. Open the Actions section and define any rule actions that should be taken when rule criteria match.
e. When defining multiple rule actions, you can optionally click the icon and use the and icons to change the order in which the actions are
executed.
f. Click Save when you are finished adding or editing rule definitions to return to the What to discover section of the discovery scenario.
5. Optionally click the icon and use the and icons to change the order in which rules are applied. Rule order is important as the default behavior stops
rule execution after the first match unless Continue on match is selected under Rule criteria.
6. When you are finished working with rules, click Next to begin working on the next section of the discovery scenario.
What to do next
Continue to the next section of the discovery scenario, Where to search.
Previous topic: Name and description
Next topic: Where to search
Related concepts:
Regular Expressions
Related tasks:
Related reference:
Actual Member Content
Rule Criteria
Special pattern tests
Rule Criteria
Table 1.
Attribute Description
Table type Select one or more table types to search: Synonym, Table, or View. Table is selected by default.
Data type Select one or more data types to search: Number, Text, or Date. Number and Text are selected by default.

Search expression Optionally enter a regular expression to define a search pattern to match. To test a regular expression, click the RE button to open the regular
expression editor.
Table name like Optionally enter a specific name or wildcard pattern. If omitted, all table names are selected.
Column name like Optionally enter a specific name or wildcard pattern. If omitted, all column names are selected.
Continue on match If the next rule in the classification policy should be evaluated after this rule is matched, mark the Continue on Match checkbox. The default is
to stop evaluating rules once a rule is matched.
Search wildcard Optionally enter a specific value or a wildcard pattern. If omitted, all values are selected.
Minimum length Optionally enter a minimum length. If omitted, there is no limit.
Maximum length Optionally enter a maximum length. If omitted, there is no limit.
Evaluation name Optionally enter a fully qualified Javaâ„¢ class name that has been created and uploaded. The Java class will then be used to fire and evaluate
the string.
Note: There is no validation that the class name entered was loaded and conforms to the interface.
Fire only with marker The Fire only with marker allows for the grouping of classifier rules: rules with the same marker fire at the same time. Additionally, all returned
rules using a marker must return data based on the same table name. If two or more rules are defined with the same marker, those rules will
fire together such that if both rules fire on the same table they will both be logged and their actions invoked. On the other hand, if only one rule
fires on a table then neither of the rules will be logged or have their actions invoked. Being able to have multiple rules fire together becomes
important when you care about sensitive data appearing together within the same table. For example, you may want to know when a table has
both a social security number and a Massachusetts drivers license.
The fire only withMarker is a constant value, can be named to any value, and must have the exact same value across the rules you want
grouped. This means that if one rule has a marker of ABC then the other rule that you want to group it with must also have a marker named
ABC.
The Fire only with Marker also interacts with the Continue on Match flag. For example, if the following rules were defined such that Rule 3 does
not match the Continue on match then no results will be returned regardless if all three marker rules were positive. This is because you didn't
get to run Rule 4 and the grouping will not fire because all Fire only with markers must execute with positive results.
Rule 1. Firemarker rule "ABC" (continue on match)
Rule 3. non-firemarker rule type (continue on match)
Hit percentage Optionally enter a percentage of matching data that should be achieved for this rule to fire. Data is returned if the percentage of matching data
examined is greater than or equal (>=) then the percentage value entered, noting that an empty entry means it is not a condition and will not
affect whether the rule fires or not and return data to the view screen. A 0 percentage will cause the rule to fire for this condition and return
data to the view screen, and a percentage of 100 requires that all must match.
Compare to values in Optionally enter a SQL statement. The SQL entered, which must be based on returning information from one and only one column, will then be
SQL used as a group of values to search against the tables and columns selected.
Note: If used, the Compare to values in SQL should observe the following rules:
The SQL statement MUST begin with SELECT.

The SQL statement SHOULD NOT utilize the ; (semi-colon).
The SQL entered MUST specify a schema value name in order to be accurate in returning results.
Good examples:
SELECT ename FROM scott.emp

select EMPNUMBER from SYSTEM.EMP where EMPNUMBER in(5555,4444)
select DNAME from SCOTT.DEPT where DNAME like 'A%G'
SELECT ZIP from SCOTT.FOO where ZIP in (SELECT ZIP FROM SCOTT.FOO)
Compare to values in Optionally select a group. The group selected will then be used as a group of values to search against the tables and columns selected. As long
group as one of the values within a group, that is either a public or a classifier group, matches, then the value rule will return data.
Show unique values Mark the Show Unique Values checkbox to add details on what values matched the classification policy rules to the comments field of the
resulting report.
Unique values mask Use regular expressions in the Unique values mask field to redact the unique values. For example, mark the Show unique values checkbox and
use ([0-9]{2]-[0-9]{3})-[0-9]{4} in the Unique values mask field to log the last four digits and redact the prefix digits.
Parent topic: What to discover
Actual Member Content

Use the Actual Member Content field to define how objects are labeled by the Add to Group of Objects rule action.
Table 1.
Actual Member Content Selection Value in Group
Object Name Only tableName
Like Name% tableName%
Like %Name %tableName
Like %Name% %tableName%

Actual Member Content Selection Value in Group
%/%.Name %%.tableName
Fully Qualified Name schemaName.tableName
Like Full% schemaName.tableName%
Like %Full %schemaName.tableName
Like %Full% %schemaName.tableName%
%/Full %%.schemaName.tableName
Read/%.Name Read/%.tableName
Change/%.Name Change/%.tableName
Read/Full Read/schemaName.tableName
Change/Full Change/schemaName.tableName
If your rules return the table name JJ_CREDIT_CARD from the schema DB2INST1, and you have specified an Add to Group of Objects action, the Actual Member Content
selections behaves as follows:
Selecting Fully Qualified Name adds DB2INST1.JJ_CREDIT_CARD to the selected group.

Selecting Object Name Only adds JJ_CREDIT_CARD to the selected group.
Selecting Change/Full adds Change/DB2INST1.JJ_CREDIT_CARD to the selected group.
Parent topic: What to discover
Where to search
Identify datasources to scan for sensitive data.
About this task

Datasources store information about your database or repository such as the type of database, the location of the repository, or authentication credentials that may be
associated with it. Adding datasources to a discovery scenario creates a classification process where classification policies are applied to the selected datasources.
In this task, identify the datasources you would like to search for sensitive data.
Procedure
1. Open the Where to search section to identify the datasources you would like to search for sensitive data.
2. Add datasources to your discovery scenario by doing one of the following:
Click the icon to open the Create Datasource dialog and add a new datasource definition.
Select datasources from the Available Datasources table and click the icon to add existing datasources.
3. Define a new datasource, or edit an existing datasource by selecting the datasource and clicking the icon. New datasources defined through the discovery
scenario can also be viewed or edited through the Datasource Definitions tool.
a. Provide or edit the name of the datasource.
b. Select the appropriate database type from the Database type menu and provide the requested information to complete the datasource definition. The
available fields differ depending on the selected database type.
c. When you are finished editing the datasource definition, click Save to save your work and optionally click Test Connection to verify the datasource
connection.
d. When you are finished working with the datasource definition, click Close to close the dialog.
4. If you are using this classification process for cloud databases also, select Enable object auditing for Cloud DBs.
5. When you are finished adding datasources, click Next to begin working on the next section of the discovery workflow.
Results
A classification process is created after adding datasources to your discovery scenario and saving the scenario. To view or edit this process directly, use the Classification
Process Builder.
What to do next
Continue to the next section of the discovery workflow, Run discovery.
Previous topic: What to discover
Next topic: Run discovery and review report
Related concepts:
Datasources
Related tasks:
Run discovery and review report

Optionally run your discovery scenario and review the results.
About this task

After defining policies for discovering sensitive data and identifying datasources to search, you can run the classification process and review the results. Running the
process and reviewing the results allows you to refine your policies, for example specifying additional search criteria if you find the results too broad. It may be necessary
to go through several iterations of refining policies, running the process, and assessing the results before achieving the desired results.
Procedure
1. Open the Run discovery section to test your discovery scenario.
2. Click Run Now to begin.
Attention:
Depending on the policies you have specified and the number of datasources you have selected to search, it may take several minutes or more to complete
the process of identifying sensitive data. The process status is indicated next to the Run Now button, or you can monitor the process using the Guardium Job
Queue.
You can also run the classification process by visiting the Classification Process Builder, selecting your classification process, and clicking Run Once Now.
3. When the discovery scenario has finished running, open the Review report section to see the results.
4. While reviewing the results, you can define additional rules and actions based on the results. Use the Filter to refine results (filtering is not supported with more
than 10,000 results).
a. Select the row(s) containing data you want to define actions against.
b. Click Add to Group to define a grouping action, or click Advanced Actions to define other actions such as alerting, logging, or ignoring.
c. After completing the dialog to define an action, click OK to return to the results report.
Attention:
Actions added from the results table are considered ad hoc actions that run only as invoked from the results table. These actions will not appear in the
What to discover > Edit rule > Actions section of your discovery scenario, and they will not run automatically as part of the discovery scenario or
related classification processes.
Use the Policy Builder to review, edit, and install alerting actions and access rules.
Use the Group Builder to review and edit grouping actions.
Use the Privacy Set Builder for to review privacy set actions.
Use the Incident Management tool to review policy logging actions.
5. When you are finished reviewing the results report, click Next to begin working on the next section of the discovery scenario.
Results
After running the search for sensitive data, monitor its status next to the Run Now button or using the Guardium Job Queue. You can use the Group Builder to review any
grouping actions or the Policy Builder to review and install any alerting actions that were added from the results table.
What to do next
Optionally, continue to the next section of the discovery scenario, Audit.
Previous topic: Where to search
Next topic: Audit
Audit
Optionally create an audit process by defining receivers, a distribution sequence, and review options for the discovery and classification report.
About this task

You can define any number of receivers for the results of a discovery workflow, and you can control the order in which they receive results. In addition, you can specify
process control options, such as whether a receiver needs to sign off on the results before they are sent to the next receiver.
The audit process created by adding receivers to a discovery scenario inherits the name of the scenario. For example, adding receivers to a discovery scenario named "Find
PCI" creates an audit process named "Find PCI Audit process" followed by a date and time stamp.
Procedure
1. Open the Audit section to define receivers for discovery reports.
2. Add receivers to your discovery scenario by clicking the icon and defining options for how the reports are delivered.
If sending the report to Guardium users, roles, or groups, you will need to define process control options.
If sending the report to email recipients, provide their email address and filter the report by a Guardium username that is appropriate for the email recipient.
3. Click OK to add the receiver to the discovery workflow. Continue adding additional receivers to the scenario if needed.
4. Optionally click the icon and use the and icons to change the order in which reports are distributed to recipients. This is important when using
sequential distribution as it determines which receivers must review or sign the report before it is sent to subsequent receivers.
5. When you are finished adding, editing, and ordering receivers, click Next to begin working on the next section of the discovery workflow.
Results
An audit process is created after defining receivers and saving the discovery scenario. To view, edit, or run this process directly, use the Audit Process Builder.
The audit process remains inactive until it is scheduled using the Schedule section of the discovery scenario or using the Audit Process Builder. You can also run the audit
process by visiting the Audit Process Builder, selecting the audit process, and clicking Run Once Now.
What to do next
Optionally, continue to the next section of the discovery workflow, Schedule.
Previous topic: Run discovery and review report
Next topic: Scheduling

Related concepts:
Building audit processes
Scheduling
Optionally activate the audit process by scheduling it to run at defined intervals.
About this task

A schedule becomes part of an audit process along with any receivers specified in the Audit section of the discovery scenario. Defining a schedule runs the audit process at
specified intervals and ensures that results from the associated classification process are regularly distributed and reviewed.
Procedure
1. Open the Schedule section to define a schedule for discovering data.
2. Use the Schedule by menu to set daily or monthly intervals for the audit process.
3. Use the Start schedule every and Repeat every check boxes to define how many times per day and how many times within each hour to run the audit process.
4. Use the Start date and time controls to define an explicit date and time for the schedule to begin.
5. Clear the Activate schedule check box to deactivate the audit process while retaining scheduling information for later use. The Activate schedule box is checked by
default, meaning that the audit process becomes active after saving the schedule.
6. When you have defined a schedule, click Save to finish editing and close the workflow editor.
Results
An audit process is created after defining a schedule and saving the discovery scenario. To view or edit this audit process directly, use the Audit Process Builder. Review
the Scheduled Jobs report to see the status, start time, and next fire time for scheduled audit tasks.
Previous topic: Audit
Related concepts:
Regular Expressions
Regular expressions can be used to search traffic for complex patterns in the data.
The IBM Guardium implementation of regular expressions conforms with POSIX 1003.2. For more detailed information, see the Open Group web site:
www.opengroup.org. Regular expressions can be used to search traffic for complex patterns in the data. See Policies for examples.
This help topic provides instructions for using the Build Regular Expression Tool, and several tables of commonly used special characters and constructs. It does not
provide a comprehensive description of how regular expressions are constructed or used. See the Open Group web site for more detailed information.
The important point to keep in mind about pattern matching or XML matching using regular expressions, is that the search for a match starts at the beginning of a string
and stops when the first sequence matching the expression is found. Different or the same regular expressions can be used for pattern matching and XML matching at the
same time.
Note: IBM Guardium does not support regular expressions for non-English languages.
Using the Build Regular Expression Tool

When an input field requires a regular expression, you can use the Build Regular Expression tool to code and test a regular expression. The Build Regular Expression icon is
located in Policy Builder under Add Rule.
To open the Build Regular Expression tool, click the icon next to the field that will contain the regular expression. If you have already entered anything in the field, it will
be copied to the Regular Expression box in the Build Regular Expression panel.
1. Select a category of regular expressions from the drop-down list.

2. Select a pattern from the drop-down list.
3. Enter or modify the expression in the Regular Expression box.
4. To test the expression, enter text in the Text To Match Against box, and then click the Test button:
If the expression contains an error (a missing closing brace, for example), you will be informed with a Syntax Error message.
The Match Found message indicates that your regular expression has found a match in the text that you have entered.
If no match is found, the No Match Found message is displayed.
5. We suggest that you repeat the step a number of times to verify that your regular expression both matches and does not match, as expected for your purpose.
6. To enter a special character at the end of your expression, you can select it from the Select element list. To enter a special character anywhere else, you must type
it or copy it there.
7. When you are done making changes and testing, click Accept to close the Build Regular Expression panel and copy the regular expression to the definition panel.
Special Characters and Constructs

The following table provides a summary of the more commonly used special characters and constructs.
Table 1. Special Characters and Constructs

Character How do I do ... Example Matches No Match
literal Match an exact sequence of characters (case sensitive), can can Can cab caN
except for the special characters described below
. (dot) Match any character including carriage return or newline ca. can cab c cb
(\n) characters

Character How do I do ... Example Matches No Match
* Match zero or more instances of preceding character(s) Ca*n Cn Can Caan Cb Cabn
^ Match string beginning with following character(s) ^C. Ca ca a
$ Match string ending with preceding character(s) C.n$ Can Cn Cab
+ Match one or more instances of preceding character(s) ^Ca+n Can Caan Cn
? Match either zero or one instance of preceding Ca?n Cn Can Caan

character(s)
| Match either the preceding or following pattern Can|cab Can cab Cab
(x ...) Match the sequence enclosed in parentheses (Ca)*n Can XaCan Cn CCnn
{n} Match exactly n instances of the preceding character(s) Ca{3}n Caaan Caan Caaaan
{n,} Match n or more instances of the preceding character(s) Ca{2,}n Caan Caaaan Can Cn
{n,m} Match from n to m instances of the preceding character(s) Ca{2,3}n Caan Caaan Can Caaaan
[a-ce] Match a single character in the set, where the dash [C-FL]an Can Dan Lan Ban
indicates a contiguous sequence; for example, [0-9]
matches any digit
[â-ce] Match any character that is NOT in the specified set [^C-FL]an aan Ban Can Dan
[[.char.]] Match the enclosed character or the named character [[.~.]]an or [[.tilde.]]an ~an @an
from the Named Characters Table
[[:class:]] Match any character in the specified character class, from [[:alpha:]]+ abc ab3
the Character Classes Table
Named Characters Table (English)

The following table describes the standard character names that can be used within regular expression bracket pairs ([[.char]]). Character names are location specific, so
non-English versions of GuardiumÂ® may use a different set of character names.
NUL \0
SOH \001
STX \002
ETX \003
EOT \004
ENQ \005
ACK \006
BEL \007
alert \007
BS \010
backspace \b
HT \011
tab \t
LF \012
newline \n
VT \013
vertical-tab \v
FF \014
form-feed \f
CR \015
carriage-return \r
SO \016
SI \017
DLE \020
DC1 \021
DC2 \022
DC3 \023
DC4 \024
NAK \025
SYN \026
ETB \027
CAN \030
EM \031
SUB \032
ESC \033
IS4 \034
FS \034
IS3 \035
GS \035
IS2 \036
RS \036
IS1 \037
US \037
space ' '
exclamation-mark !
quotation-mark "

number-sign #
dollar-sign $
percent-sign %
ampersand &
apostrophe \'
left-parenthesis (
right-parenthesis )
asterisk *
plus-sign +
comma ,
hyphen -
period .
full-stop .
slash /
solidus /
zero 0
one 1
two 2
three 3
four 4
five 5
six 6
seven 7
eight 8
nine 9
colon :
semicolon ;
less-than-sign <
equals-sign =
greater-than-sign >
question-mark ?
commercial-at @
left-square-bracket [
right-square-bracket ]
backslash \
reverse-solidus \\
circumflex ^
circumflex-accent ^
underscore _
low-line _
grave-accent `
left-brace {
left-curly-bracket {
right-brace }
right-curly-bracket
vertical-line |
tilde ~
DEL 177
NULL 0
Named Character Class Table (English)

The following table describes the standard character classes that you can reference within regular expression bracket pairs ([[:class:]]). Note that character classes are
location specific, so non-English versions of Guardium may use a different set of character names.
alnum - Alphanumeric (a-z, A-Z, 0-9)

alpha - Alphabetic (a-z, A-Z)
blank - Whitespace (blank, line feed, carriage return)
cntrl - Control
digit - 0-9
graph - Graphics
lower - Lowercase alphabetic (a-z)
print - Printable characters
punct - Punctuation characters
space - Space, tab, newline, and carriage return
upper - Uppercase alphabetic
xdigit - Hexadecimal digit (0-9, a-f)
Regular Expression Examples

You can copy and paste any of the expressions into a field requiring a regular expression. When using any of these examples, we strongly suggest that you experiment by
using it in the Build Regular Expression tool, entering a variety of matching and non-matching values, so that you understand exactly what is being matched by the
expression.
Regular Expression Examples
Social Security Number (must have hyphens) [0-9]{3}-[0-9]{2}-[0-9]{4}
Phone Number (North America - Matches 3334445555, 333.444.5555, 333-444-5555, 333 444 5555, (333) 444 5555, and all combinations thereof) $?[0-9]{3}$?[-. ]?
[0-9]{3}[-. ]?[0-9]{4}

Postal Code - (Canada) [ABCEGHJKLMNPRSTVXY][0-9][A-Z] [0-9][A-Z][0-9]
Postal Code - (UK) [A-Z]{1,2}[0-9][A-Z0-9]? [0-9][ABD-HJLNP-UW-Z]{2}
Zip Code (US) (5 digits required, hyphen followed by four digits optional) [0-9]{5}(?:-[0-9]{4})?
Credit Card Numbers [0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}
Discover and classify sensitive data in file servers

Installing and activating FAM components

Install the GIM client on the file server, then use it to install the file activity monitoring discovery agent.
File discovery and classification GIM parameters
Use these GIM parameters to configure file discovery and classification, for each collector.
Customizing FAM decision plans
Decision plans are used to identify sensitive content in files. The Guardium FAM discovery agent provides default decision plans for HIPAA, PCI, SOX, and Source
Code. You can change the classification entities from the resulting reports/investigation dashboard, using the default decision plans. You can also create new plans,
or modify existing plans using the IBM Content Classifier Workbench.

Installing and activating FAM components

Install the GIM client on the file server, then use it to install the file activity monitoring discovery agent.
Before you begin

License keys must be installed. See Install license keys.
S-TAP for FAM must be installed. Required for file monitoring and policy enforcement. This can be installed together with the FAM discovery agent using GIM, if it's
not already installed.
bash shell must be installed before starting this procedure
FAM discovery agent (also known as the FAM bundle or FAM agent) must be accessible. Required for file discovery and classification. Download from Fix Central or
obtain from your Guardium representative.
Tip: To install the FAM discovery agent successfully on AIX, it is recommended to set the process data size to unlimited by modifying the following lines in the
/etc/security/limits file: default: data = -1
Procedure
1. Install the GIM client on the file server. See Guardium installation manager.
2. Download the FAM bundle and save in an accessible drive. Choose the correct module for your file server OS. The UNIX bundle has a name like: guard-bundle-
FAM_r*****_trunk_*****.gim. The Windows bundle looks like: guard-FAM-guardium_r*****Windows-Server-x86_x64_ia64.gim.
3. If you are also installing the S-TAP, install it before installing the FAM bundle. Download the S-TAP from Fix Central and follow the instructions in the next step. S-
TAP must be installed before the FAM bundle is installed.
4. On the Central Manager if there is one, otherwise on an appliance, upload and import the FAM bundle:
a. Navigate to Manage > Module Installation > Upload Modules.
b. Under Upload Module, click Browse and navigate to the FAM bundle. Click Upload.
c. Under Import uploaded modules, select the FAM bundle and click Install/Update.
5. Install and configure the FAM bundle:
a. Navigate to Manage > Module Installation > Set up by Client (Legacy). To see all registered clients, click Search.
b. Select your file server and then click Next.
c. Choose the FAM module you uploaded. (For Windows, you may need to uncheck the Display Only Bundles checkbox.)
d. Configure parameters for the FAM discovery agent. Configure SOURCE_DIRECTORIES for the directories you want to scan. By default, the agent will only do
basic scanning for entitlement information. To enable scanning based on decision plans, such as for SOX or HIPAA, you need to set FAM_IS DEEP_ANALYSIS
to true. By default, it uses all of the default decision plans. You can specify which decision plans you want it to use. The default schedule for the scanning is
every 12 hours, and starts immediately upon configuration. You can change these using GIM parameters FAM_SCHEDULER_HOUR_TIME_INTERVAL,
FAM_SCHEDULER_START, and FAM_SCHEDULER_REPEAT. See full parameter list in File discovery and classification GIM parameters.
Note: You can also configure GIM parameters using the grdapi command: gim_update_client_params.
e. Click Apply to Selected then click Install/Update, where you can install immediately or schedule a later time.
6. For v10.4 S-TAP installed by GIM, enable FAM monitoring on the S-TAP by changing the parameter fam_enable to 1 (enabled). See Windows: Editing the S-TAP
configuration or Linux/UNIX: Editing the S-TAP configuration. This is required even if you are only using the FAM discovery agent.
7. Verify that the FAM discovery agent installed successfully by viewing the Guardium report, S-TAP Status Monitor (add the report from My Dashboards). Look for the
FAM_Agent suffix in the IP address of the S-TAP host.
8. To trigger file rediscovery later without uninstalling and reinstalling the FAM bundle:
a. Remove the files under the work directory. If Guardium is installed in the default directory, the files to be removed are in this directory on the file server:
/usr/local/IBM/modules/FAM/current/files/work
b. Change any FAM parameter in GIM, for example, changing the time interval from 5 to 10 minutes
c. Click Apply to Selected then click Install/Update.
Results
Discovery and Classification results: when the installation of the FAM discovery agent (file crawler) is complete, a basic run of the file crawler begins, using the initial path
that you specified during the installation. Each time the crawler completes its run, it sends a status message that is included in the Files Crawler Configuration report. This

process gathers the list of folders and files, their owner, access permissions, size, and the date and time of the last update.
Parent topic: Discover and classify sensitive data in file servers
GuardAPI File Activity Monitor Functions
File discovery and classification GIM parameters

Use these GIM parameters to configure file discovery and classification, for each collector.
Configure file discovery and classification per collector. These parameters can be configured during installation, or at a later time using GIM (Manage > Module Installation
> Set up by Client) or using the GuardAPI command gim_update_client_params. You can only update one collector at a time when using the GuardAPI.
D
e
f
a
u G
l U
GIM Parameter t Description I
FAM_CLASSIFICATION_LANGUAGES E Set to GenericLanguage for automatic language detection. X

n
g For Linux, ensure that your Linux server has the required language support installed. For example, to
li support Chinese document classification, Chinese support should be installed on Linux.
s For more information about supported languages for IBM Content Classification, see http://www-
h 01.ibm.com/support/knowledgecenter/SSBRAM_8.8.0/com.ibm.classify.workbench.doc/c_WBG_available_
languages.htm%23wp9000332?lang=en
FAM_DEBUG 0 Logs on the file server are collected and sent to the Guardium appliance. X
0=OFF
1= ON
FAM_ENABLED 1 Enables FAM discovery. X
0 = FAM Discovery agent is disabled.

1 = FAM Discovery agent is enabled. This is the default.
2 = Restart FAM Discovery agent.
To restart FAM: Change the FAM_ENABLED parameter in the GIM GUI to 2 and apply to clients by clicking
Install/Update.
The FAM service in the file server should change PID showing it has restarted (ps -ef | grep fam), and there
is a new entry in the pre-defined GUI report "Files Crawler Configuration". The config reverts to 1 in the GIM
GUI allowing you to restart again by repeating the process.
The S-TAP parameter fam_enable must be enabled for the discovery agent to function.
Windows:The FAM service restarts, as shown in the Event viewer (Windows logs > System The IBM
Guardium FAM service entered the stopped state and The IBM Guardium FAM service
entered the running state). There is no new entry in the pre-defined GUI report "Files Crawler
Configuration" and the configuration stays at 2 in the GIM GUI. For next restart, change the parameter to 1.
FAM_ICM_CLASS_DECISION_PLANS Â Enable the decision plans by including their Plan names and their classification entities. X

DecisionPlanName1{Entity1.1,Entity1.2,..}:DecisionPlanName2{Entity2.1,Entity2.2,..}
Set semicolon delimited list of Decision Plans list of entities for each Decision Plan.
Format: Entities listed in curly braces and colon delimited.
When curly braces are empty or missing for some Decision Plans, all classification entities are presented in
the classification results in FAM report /Investigation Dashboard.
Examples for empty/missing curly braces : DecisionPlanName1{}:DecisionPlanName2{}
DecisionPlanName1:DecisionPlanName2"~
FAM_ICM_CLASS_THREAD_COUNT 5 Number of threads for the classifier to use. The default is 5 and is the recommended value. X

D
e
f
a
u G
l U
FAM_ICM_URL h The URL of the IBM Content Classification Server. X

t
t
p
:/
/
l
o
c
a
l
h
o
s
t
:
1
8
0
8
7
FAM_INSTALLER Â The path to the installer package. Windows only. Â

FAM_INSTALL_DIR Â The location in which the File Activity Monitoring software is installed. Windows only. Â

FAM_IS_DEEP_ANALYSIS Â Controls classification X

False=classification is disabled. Basic scan of metadata and access permission only.
True=classification is enabled, based on file content.
If no decision plans are enabled (FAM_ICM_CLASS_DECISION_PLANS is undefined), only a basic scan is
performed.
FAM_SCAN_EXCLUDE_DIRECTORIES N Directories to exclude from discovery and classification. X

U
L Format: full path to directory
L Wildcards are not supported.
FAM_SCAN_EXCLUDE_REMOTE_DIRECTORIES t Remote directories to exclude from discovery and classification. X

r
u true: do not scan remote directories.
e false: scan remote directories.
Wildcards are not supported.
On Windows, set to something like: \\\\RemoteMachine\sharefolder\directory
FAM_SCAN_EXCLUDE_EXTENSIONS N Excludes the specified file extension(s) or documents without extensions from the FAM scan. Relevant for X
U both Windows and Linux.
L
L Format: semicolon delimited list
The setting is case sensitive. Examples of excluded extensions: pdf;txt;doc. To exclude documents without
extension, set to "NO_EXTENSION".
FAM_SCAN_EXCLUDE_FILES N Files to exclude from discovery and classification. X

U
L Format: valid filename.
L Wildcards are not supported.
FAM_SCAN_MAX_DEPTH Â Limit the depth for the scan relative to the specified starting directories (FAM_SOURCE_DIRECTORIES). X

FAM_SCHEDULER_HOUR_TIME_INTERVAL 1 Frequency, in hours, at which the discovery and classification scan is run. X
2
Format: integer
The default is 12 hours.
FAM_SCHEDULER_MINUTE_TIME_INTERVAL Â Along with the hour interval, this is the time interval between scans. For example, if you want scans to occur X
12 hours and 30 minutes apart, specify 12 for the hour and 30 here for the minute.
Format: integer
FAM_SCHEDULER_REPEAT Â True = Repeat the discovery process at the specified time interval. X
False = Do not repeat scan.
FAM_SCHEDULER_START_TIME N Time of initial activation of the discovery and classification processes. X

U
L Format: MM-DD-YYYY HH:mm
L For example, if you enter 01-02-2016 18:00, the scan will start at 6 PM on January 2nd 2016. If the time
interval is 12 hours, the process will run every day at 6 PM and 6 AM.

D
e
f
a
u G
l U
FAM_SERVER_PORT 1 The Guardium collector port, 16022. X

6
0
2
2
FAM_SOURCE_DIRECTORIES N The directory or directories to start scanning from. X

U
L Wild cards are not supported. Example: /home/test.
L Format: Set list of semicolon delimited FAM source directories.
Example: %IBM_FAM_HOME%/test/dir1;%IBM_FAM_HOME%/test/dir2 ~
Use FILE_SYSTEM_ROOTS to scan all files in the server. Not recommended especially if the server has lots
of files.
GIM - GUI
GIM - CLI
Customizing FAM decision plans

Decision plans are used to identify sensitive content in files. The Guardium FAM discovery agent provides default decision plans for HIPAA, PCI, SOX, and Source Code.
You can change the classification entities from the resulting reports/investigation dashboard, using the default decision plans. You can also create new plans, or modify
existing plans using the IBM Content Classifier Workbench.
Before you begin

Install IBM Content Classification 8.8 on a Windows workstation that can be connected to your Guardium environment.
During File Activity Monitoring, the GIM installation user must configure ICM Decision Plan setting on the File Activity Monitoring GIM configuration page.
User must configure the list of Decision Plans (categories) with entities (NVP fields) for each Decision Plan delimited by colons.
This configuration is used by File Activity Monitoring for content classification.
The customer should be able to configure all possible entities for each Decision Plans templates, available during the File Activity Monitoring installation.
Decision plan classification will appear only when file is sensitive and classification is not empty.
After File Activity Monitoring installation, there are four Decision Plan templates available:
HIPAA, PCI, SOX, Source
HIPAA Decision Plan used for finding medical information
PCI for finding Credit Card Numbers
SOX for financial documents
The "Source" decision plan refers to two knowledge bases (CodeKB and DocumentTypeKB) which are loaded by default once the Source decision plan is configured.
Here the list of possible entities for each Decision Plan supplied out of the box with File Activity Monitoring and can be configured via GIM.
HIPAA
SSN, Name, License, GovermentID, PassportContext, BankAccount, Address, IPAddress, EmailAddress, URL, Phone, CreditCard, possibleHealthPlan, Confidential_match,
HIPAA_match
PCI
SSN, Name, License, GovermentID, PassportContext, BankAccount, Address, IPAddress, EmailAddress, URL, Phone, BankAccountContext, CreditCard, CreditContext,
containCardIssuer, PCI_match, Confidential
SOX
SSN, Name, License, GovermentID, PassportContext, BankAccount, Address, IPAddress, EmailAddress, URL, Phone, BankAccountContext, CreditCard, CreditContext,
containCardIssuer, piiMatch, Confidential, SOXContext, SOX_match
Source
containDate,hasSSN, hasBirthDate, containCardIssuer, hasCreditCard, PCIViolation, HIPAA_Match, ConfidentialMatch, Source_match
A decision plan is a collection of rules that you configure to determine how IBM Classification Module classifies content items. Rules consist of triggers and actions. A
trigger determines the conditions that must be met to initiate an action. An action determines how the document is to be classified. A decision plan can also refer to one or
more knowledge bases to combine rule, keyword-based classification with statistical, text-based classification.
A Knowledge base is a set of collected data that is used to analyze and categorize content items. The knowledge base reflects the kinds of data that the system is
expected to handle. Before the knowledge base can analyze text, it must be trained with a sufficient number of sample content items that are properly classified into

categories. A trained knowledge base can compute a numerical measure of an item's relevancy to each category.
Note: ICM is not able to work with Decision Plans with Chinese names. Content documents in Chinese and Decision Plan rules in Chinese is supported, but not Decision
Plan names in Chinese.
Note: Distribution of decision plans from the Central Manager to managed units is unsupported.
Note: The classification results for each decision plan should be specified by properly configured and recognized entities. Classification will appear only when the file is
sensitive and classification is not empty. In debug level, there is documentation regarding ICM errors and decision plan failures.
About this task

For the purpose of this description, assume that your company has a confidential project named "ProjectA." You want to identify and monitor all files that contain this
string.
Procedure
1. Use the Windows Start menu to open the IBM Content Classification 8.8 Classification Workbench.
2. In the Open Project dialog, click New....
3. In the New Project dialog, choose Decision Plan for the project type. Enter a name for this decision plan, such as ProjectA_DP. Enter a description if you want one.
4. In the New Project Options dialog, select Create an empty project.
5. In Project Explorer click Word and string list files. In the Word and string list files dialog, click New... to create a new file. In the New File dialog, choose Word list for
the file type and choose a name for the file. In this example we call the file Names. Wordlist_Names.txt appears in the list of files.
6. Double-click the file name to edit the file. Insert a single line with the string ~ProjectA~ and save the file.
7. In Project Explorer click DecisionPlan > New Group > New Rule. Change the name of the rule to ProjectA.
8. In the New Rule dialog, open the Trigger tab. Click condition.
9. Choose Trigger when fields contains specific words or phrases. Choose Word list file. Click OK.
10. Open the Action tab. Click Add new rule.
11. Select Advanced Actions from the Action Type list. Choose the Set content field action. This content field is created when the specified trigger fires. The content
field can be viewed in FAM reports.
12. In the Add action dialog, enter ProjectA_match as the content field name and enter found in the Value field.
13. Import the content set into the decision plan project.
a. Create a text document that contains the string "ProjectA."
b. In the Project Explorer, expand the ProjectA_DP project. Right-click Content Set and choose Import Content Set.
c. Click Files from a file system folder. Browse to the file that you created in step a. Click Next, then Next, then Next, then Finish.
14. Verify that your definition is successful.
a. In the Project Explorer, open the Content Set tab. Right-click your file and choose Run Item through Decision Plan.
b. In the Analyzed item dialog, expand Decision Plan and the group. Verify that Rule:ProjectA is marked [Triggered].
c. Click Content Fields.... In the Select Content Fields dialog, verify that "ProjectA_match" is displayed in the Changed fields box, and "found" is displayed in the
content box.
15. In the Project Explorer, click Project > Save to save the ProjectA_DP project.
16. In the Project Explorer, click Project > Export to export the ProjectA_DP project to a dpn file.
17. Use GIM to push the dpn file to the file servers where you want to use the decision plan.
Entitlement Optimization mediates between the role of the DBA in providing users the entitlements that are required to perform their jobs efficiently, and the role of
Security in keeping entitlements as accurate and as minimal as possible to prevent system vulnerabilities.
Entitlement optimization was introduced in Guardium V10.1.2.
Situations naturally arise during day to day management of the system that result in vulnerabilities, for example:
Over-generalized access
A privilege that was given to a user needed for one-time use but not removed afterward
Changes over time of users and tables, resulting in dormant users and tables
Privileges that are passed from one user to another
Entitlements require constant ongoing vigilance. For example, advanced persistent threats (APT) usually originate with one of these back door entries into the system.
Entitlement optimization constantly analyzes usersâ€™ privileges and actions, and produces recommendations that pinpoint specific actions that aim to minimize user
access to only that which is required. The analysis is entirely performed by the system. The admin reviews the results, examines each case, and takes the appropriate
actions, for example, removing privileges from a DB user, or deleting dormant roles.
You can also investigate entitlement changes over the past week, a complete list of users and roles, data source privileges alongside their actual usage, and a simulated
justification of a specific user-role combination. These views provide information relevant to the recommendations, and are also starting points for other investigations.
The advantages of entitlement optimization over Guardium reports is that it consolidates information for all database types (that appears in multiple Guardium reports),
and it adds new analyses into its own comprehensive and consolidated reports, simplifying entitlement management, and thereby increasing system security.
Entitlement optimization supports database types: Microsoft SQL Server, Oracle. It does not support SQL Contained Databases. (Guardium reports are per database type.)
Entitlement optimization activity monitoring is limited to the data currently monitored by Guardium. The accuracy of the Recommendations, Entitlement browse and What
if analyses depend on the relevance of the monitored data. To fully maximize the potential of this tool, configure the userScope and objectScope parameters, and consider
modifying the security policy.
Users that are dormant from the time you start monitoring with Entitlement optimization are not included in the entitlement optimization reports. To watch a specific user
that is monitored but doesn't have any recommendations, manually check the activity of the user either through entitlement browse or any of the other Guardium activity
monitoring tools. The tools have the full information if the policy is correctly defined.
Entitlements analysis is per Collector, and operates only on the data sources that you configure by grdapi.

The must gather feature supports entitlement optimization. See Basic information for IBM Support.
Access entitlement optimization from Discover > Database Entitlements > Entitlement Optimization
Enable and configure entitlement optimization

Use these grdapi commands to enable and configure entitlement optimization.
Entitlement Optimization What's New
The What's New tab summarizes the additions and changes that are made to the system over the calendar week, from Sunday to Sunday.
Entitlement Optimization Users and Roles
The Users and Roles tab lists all users and their roles for all data sources that are enabled for Entitlement Optimization on this collector.
Entitlement Optimization Recommendations
Recommendations pinpoint specific actions that aim to minimize user access to only that which is required.
Entitlement Optimization Browse entitlements
Use the views and filters in this window to see the activity level of entitlements, and the lineage of the entitlements.
Entitlement Optimization What If
What If shows the probable justification for entitlement of a specific user with one or more specific verbs on a specific object (regardless of whether or not the
entitlement exists).
Enable and configure entitlement optimization

Use these grdapi commands to enable and configure entitlement optimization.
All commands are run on the Collector, and use the already defined Guardium data sources. First you enable the feature on the Collector, then specify the data sources
and enable the specific features.
The most accurate results are obtained by fine-tuning the data that is included in the entitlement optimization.
Users and Roles, and Browse entitlements, are enabled by default, however you must set extractActivity and extractEntitlement to true to extract the relevant data. The
other three features (What's New, Recommendations, What If) are enabled individually. For example, you can enable Recommendations while leaving What If disabled.
Entitlement recommendations uses a subset of data, filtered by the userScope and objectScope parameters. Browse Entitlements uses the userScope parameter to filter
data. Both parameters specify one or more Guardium groups. Most likely, you will create specific groups to use for this purpose. Define the groups to extract only the data
you want, to minimize storage and processing. The groups should have Full Audit, so that all data is analyzed and the results are conclusive. When you use groups with Full
audit, the Browse Entitlements shows all rights of all users, regardless of their activity. A user that is outside of the userScope definition appears in the window, but its
activity count is "unknown."
The best practice is to carefully evaluate and design your data collection scheme such that you only rarely change it. This is for two reasons: every time you change the
configuration, it takes a week to generate data for reports; the data is compared to data of the previous 3 weeks, and when you change the data definition the comparison
is less meaningful for the first 3 weeks.
Data is present in each tab from the first Sunday after you enable the individual feature.
See full command details in GuardAPI Entitlement Optimization Functions.
Prerequisites
Quick Search is enabled. (Required for What-if, Recommendations, and updating activity in Entitlement Browse.)
The user that configures the entitlement optimization must have permission to all the meta data and schema tables that are in the configured datasources.
Enable entitlement_optimization on the Collector

Enables entitlement optimization on the Collector.
Syntax:
grdapi enable_entitlement_optimization
Disable entitlement_optimization on the Collector

Disables entitlement optimization on the Collector.
Syntax:
grdapi disble_entitlement_optimization
Add data source to entitlement optimization

Add one or more data sources to entitlement optimization and enables individual analyses.
Syntax:
grdapi add_datasource_to_entitlement_optimization datasourceName=[datasource] isEnabled=[true/false] userScope=[USER SCOPE] objectScope=[OBJECT SCOPE]

extractActivity=[true/false] extractEntitlement=[true/false] generateRoleClusters=[true/false] generateNews=[true/false] generateRecommendations=[true/false]
Use this table to determine which extractions you require, per feature:
Table 1. enable_entitlement_optimization parameters required per analysis type

Â Whatâ€™s New Users and Roles Recommendations Browse Entitlements What If
(generateNews) (generateRecommendati (generateRoleClusters)
ons)
extractActivity Â Â Â X X

Â Whatâ€™s New Users and Roles Recommendations Browse Entitlements What If
(generateNews) (generateRecommendati (generateRoleClusters)
ons)
extractEntitlement X X X X Â
Remove data source from entitlement optimization

Removes one or more data sources from entitlement optimization such that no data is collected.
remove_datasource_from_entitlement_optimization datasourceName=[datasource name]
Modify entitlement data source parameters

Modifies the parameters for a data source that is already enabled for entitlement optimization.
Syntax:
grgapi set_entitlement_datasource_parameter datasourceName=[datasource name] parameterName=[value] parameterName=[value]
where parameterName is one of:
isEnabled
userScope
objectScope
extractActivity
extractEntitlement
generateRoleClusters
generateNews
generateRecommendations
filterTempObjects
filterIgnoreVerbs
View optimization information

Syntax:
grdapi get_entitlement_optimization_info
Typical output:
Entitlement Optimization is enabled

===================================
Datasource: SCALE-DB16
===================================
isEnabled: true
userScope:
objectScope:
extractActivity: true
extractEntitlement: true
generateRoleClusters: true
generateNews: true
generateRecommendations: true
filterTempObjects: true
filterIgnoreVerbs: true
Parent topic: Entitlement Optimization
Entitlement Optimization What's New

The What's New tab summarizes the additions and changes that are made to the system over the calendar week, from Sunday to Sunday.
Data is presented in the tab from the first Sunday after you enabled the feature.
The What's New tab presents:
The number of new Users, Roles, Objects, and the number of databases associated with these additions
The number of new Grantees and Grantors and the number of grants
What to look for
Look for current trends, for example, by drilling-down to find:
Unusual type or quantity of changes in the entitlements

Most active grantors / grantees
Click Details in any topic to open a detailed table of the additions. For example, the details on new users are the server and service name.

Entitlement Optimization Users and Roles

The Users and Roles tab lists all users and their roles for all data sources that are enabled for Entitlement Optimization on this collector.
This tab is based on the standard Guardium user and roles report that presents data on only one database type. It presents:
Host
Service Name
DB type
Grantee
Grantee type
Role
You can use the standard Report Builder functions, which are accessed by the icons above the table.
Entitlement Optimization Recommendations

Recommendations pinpoint specific actions that aim to minimize user access to only that which is required.
The system is continuously evaluating users and privileges. The weekly Entitlement recommendations report is based on the last 3 weeks of data (by default), such that
each new report overlaps with data of the previous report. The Recommendations tab is equivalent to the Recommendations report in â€œReportsâ€ , which can be
enabled as a distributed report.
If you customized the userScope parameter, the recommendations only include users from the specified user groups. The userScope and objectScope parameters are
used in order to explicitly define the scope of recommendations. In order to maximize the accuracy of recommendations regarding users and objects, the users and
objects in the specified groups should have Full Audit.
All recommendations must be thoroughly investigated by the admin, by drilling-down for specific server, database, object, and recommendation type, before
implementation.
The top of the tab contains a pie graph that shows the recommendations by type. The table at the bottom of the window lists the recommendations. You can modify the
recommendations report using the standard reports icons, export the report by clicking Export, and map to API by clicking Actions.
The recommendations types are:
Table 1. Recommendation Types

Type String Details
ANOMAL USER User {object} has anomal activity within role {source} User activity count within a specific role is anomalous.
This means the user is either much more active or
much less active than other users.
ALERT ACTIVITY (Ad-hoc user) User {source} used the privilege {verb}-{object} but no A typical ad hoc user gives itself permission, performs
entitlement was found an action, and then removes the permission. Users can
be erroneously identified as ad hoc due to the time
differences between the entitlement changes and their
activities. Use the Guardium Activity Monitoring Tools
to determine whether or not the privilege is justified.
DORMANT_USER Remove inactive or empty user{object} User has no assigned privilege or had no activity within
the given interval.
DORMANT_ROLE Remove inactive or empty role{role} No users, no activity by any users, or empty privileges
REVOKE_FROM_USER Revoke{verb}-{object} from user {source} User did not performed any activity on the relevant
object, verb.
REVOKE _FROM_ROLE Revoke{verb}-{object} from role {source} ALL the users within the specific role didn't perform
any activity on object, verb.
REMOVE_FROM_ROLE Remove user{object} from role{source} User didn't use any of the privileges granted to him by
the role.
INACTIVE DATABASE Database has no activity If the unused database cannot be justified, remove it.
Entitlement Optimization Browse entitlements

Use the views and filters in this window to see the activity level of entitlements, and the lineage of the entitlements.
Data is presented in the tab from the first Sunday after you enabled the feature. After the first Sunday, the activities are updated daily.
This information is useful for general entitlement investigation, and to further evaluate recommendations in the Recommendations report. The default view in this window
is a bar chart of the datasources with the highest rates of unused privileges.
Entitlement browse shows all the entitlements of the data sources defined in the grdAPI that have extractEntitlement available. This is true if the activity collection is off,
and if the user scope and object scopes are defined. You can always search and see the permissions of all the users.

The activity count field results are affected by the userScope parameter, as follows:
Users that are included in the userScope:
Active users appear green and have numerical results in the activity count column
Non-active users appear red and the activity count is "Not active"
Users that are not included in the userScope:
Active users appear green and have numerical results in the activity count
Non-active users appear gray and the activity count is "unknown"
Typical investigations are:
Determine which objects a user has permissions for and whether he uses them
Determine whether a user utilized his permission on an object at the specific time it was permitted
Are there permissions that are used more than expected?
Are there permissions that are used only once?
What is the lineage of the permissions that have been unusually utilized: explicit, or implicit, inherited from a parent role, or role hierarchy?
To get more details on how a specific privilege is used, with full SQL, you can search for Data Activity (Investigate > Search for Data Activity), right-click the DB User or
Source program in the Results Table, and select Full SQL by DB User.
Unused entitlements are typically one of:
Action rarely performed, but a valid entitlement, for example generating a quarterly report
Unused and therefore not justified (point of vulnerability)
To view entitlement usage on a specific service on a specific server:
1. On the left side, select a server IP and service.

2. Filter by one or more of: Name, Object Name.
3. Optionally enter a Verb or date range.
Figure 1. Selecting entitlement criteria
The table presents the Grantee type, Grantee, Verb, Name, Activity count, and Lineage. A user can have multiple privilege lineages: explicit, or implicit, inherited from a
parent role, or role hierarchy.
Entitlement Optimization What If

What If shows the probable justification for entitlement of a specific user with one or more specific verbs on a specific object (regardless of whether or not the entitlement
exists).
Data is available in this tab from the first Sunday after you enabled the feature.
Guardium analyzes the behavior of similar users to produce the probable justification, which is some cases provides highly relevant information. The analysis can be useful
when you examine unused entitlements, and the REVOKE_FROM_USER recommendation. It is a general indication, and should be used together with other entitlement
optimization functions.
Enter these details and click OK to generate the probability:
User name
Object name
Verb (one or more)
Server IP
Service name
Possible responses are:
The probability that this DB user will use this privilege is n%. Probability of 100% indicates that the user used the activity at least once.

Failed to find data source on server.
Object and DB user are not in scope.
No sufficient evidence found for DB user and privilege: either the User / Object / Verb does not exist in the selected database, or no activity is found for the user, or
no activity has been found for the object, verb tuple. Possible fixes: wait for activity collection to run; make sure the input is entered correctly.
Protect
After you identify databases and file systems that contain sensitive data, you can take several steps to protect that data. Protection options include masking data, alerting
personnel based on data access, and establishing policies that enforce access restrictions.
Baselines
A baseline is a profile of access commands executed in the past, helping to identify normal activity and anomalous behavior (inconsistent with or deviating from
behavior that is usual, normal, or expected).
Policies
A security policy contains an ordered set of rules to be applied to the observed traffic between database clients and servers. Each rule can apply to a request from a
client, or to a response from a server. Multiple policies can be defined and multiple policies can be installed on a GuardiumÂ® appliance at the same time.
Correlation Alerts
An alert is a message indicating that an exception or policy rule violation was detected.
How to signify events through Correlation Alerts
Trigger a correlation alert if there are more than fifteen SQL Errors in the last three hours from any individual user of the application.
Incident Management
The Integrated Incident Management (IIM) application provides a business-user interface with workflow automation for tracking and resolving database security
incidents.
How to manage the review of multiple database security incidents
Incident management - track and resolve database security incidents.
Query rewrite
Query rewrite functionality provides fine-grained access control for databases by intercepting database queries and rewriting them based on criteria defined in
security policies.
File Activity policies and rules
Baselines
A baseline is a profile of access commands executed in the past, helping to identify normal activity and anomalous behavior (inconsistent with or deviating from behavior
that is usual, normal, or expected).
The Baseline Builder generates a baseline by examining activity previously logged and currently available, on the Guardium system.
When included in a security policy, the baseline becomes a baseline rule, which allows all database access that has been included in the baseline. Â
A baseline rule in a policy has the following characteristics:
There can be only one baseline rule.

The baseline rule action is always Allow, which means accept the command and do not continue to the next rule in the policy.
When the baseline rule is added to the policy, it is positioned first in the list of rules. It can be moved anywhere in the set of rules (which are evaluated in sequence),
as appropriate for the policy.
Once a baseline rule has been included in a policy, it cannot be removed.
Attention: The Baseline Builder and related functionality is deprecated starting with Guardium V10.1.4.
The Policy Builder can generate suggested policy rules from the baseline. The suggested rules can be edited and included in the policy ahead of the baseline rule, so that
alternative actions (alerts, for example) can be taken for some commands that were seen in the baseline period. In addition, an examination of the suggested rules
provides valuable insight into the actual traffic patterns observed (types of commands and frequency).
The Baseline Builder provides the ability to control what gets included in the baseline, in several ways:
By specifying a threshold to control how many occurrences of a command must be seen before the command will be included in the rule. A threshold of one
includes every command observed, while a threshold of 1,000 includes only those commands occurring 1,000 times or more.
By controlling sensitivity to one or more attributes. For example, if the baseline is sensitive to the database user, it will include commands for specific users only.
Users who did not execute the command during the baseline period would not be allowed by the baseline rule.
By limiting the connections included to subsets of server and client IP addresses. The baseline always specifies a single client network mask and a single server
network mask. Each mask can be as inclusive or as exclusive as required.
By merging data from different time periods. There may be traffic that occurs during non-contiguous time periods that should be included in the baseline. You can
merge the data from any number of time periods into a single baseline. In addition, the data can be filtered for specific client and server addresses.
About Baseline Sensitivity

Baseline sensitivity can be based on any combination of the following (each will be described in more detail, later):
Database User
Database Protocol
Database Protocol Version
Time Period
Source Program
Sequence
Baseline sensitivity depends on a specified threshold, which defines the minimum number of times a command must be observed during the baseline period in order to
include that command in the baseline.

With no sensitivity selected, each command that exceeds the threshold will be included in the baseline.
If a single type of sensitivity is selected, a separate count of each command will be maintained for each value of the sensitivity type (database user, for example).
If multiple types of sensitivity are selected, separate counts of each command are maintained for each combination of values for each selected type (for each combination
of database user and source program, for example). Thus for each type of sensitivity included, the number of combinations can increase dramatically.
About Sequence Sensitivity

If the baseline is sensitive to command sequence, then when included in a policy the baseline rule will allow only the sequences of commands observed during the
baseline period. To illustrate with a very simple example: if the only two sequences of commands observed in the baseline period are A-B and B-C, the following table
illustrates which sequences of commands would be allowed by that baseline rule.
Table 1. About Sequence Sensitivity

Command Sequence Allowed
A-B Y
A - everything else N
B-C Y
B - anything else N
Anything but A N
About Time Period Sensitivity

When the baseline is sensitive to the time period, separate counts are maintained for each time period defined. If overlapping time periods are defined (which is a normal
situation), a command will be counted only once, in the most restrictive time period during which it occurs. If the time-period is non-contiguous â€“ for example, from
00:00 to 08:00 each day of the week â€“ only one contiguous segment of the time period is considered (eight hours in the example).
To illustrate how the Baseline Builder assigns requests to time periods, assume that Saturday is included in three time periods:
24x7 (24 hours, 7 days a week)

Saturday (24 hours only)
Week End (48 hours - Saturday + Sunday)
Since the time period named Saturday is the most restrictive (24 hours only), all requests time-stamped on Saturday will be counted in that time period, and not in the
more inclusive Week End or 7x24 time periods.
About Baselines in Aggregation and Central Manager Environments

If there are multiple GuardiumÂ® appliances in an Aggregation and/or Central Manager environment, there is a single important point to keep in mind when generating and
using baselines:
Baselines are generated using only the data currently available on the appliance that is generating the baseline.
This means that:
A baseline generated on a collector will be built using the traffic available on that unit only.
A baseline built on an aggregator will be built from the data currently available on the aggregator, which typically will have been sent from multiple collectors over a
period of time.
A baseline generated on a Central Manager that is not also an aggregator will be empty, since a Central Manager does not collect data (unless it is also an
aggregator).
In a Central Management environment, a baseline generated on a managed unit will be built using data from that unit only, but the baseline will be stored on the
Central Manager, and it will be available for use on any other unit.
In a Central Management environment, to generate a single baseline from multiple managed units, the baseline can be built with data from the first managed
appliance, and then merged using data from the other appliances, one at a time.
About Suggested Rules

When a baseline is included in a policy, the Policy Builder can generate suggested rules from the baseline. It will generate the minimum number of rules necessary to
represent everything that is included in the baseline. You can then accept any or all of the suggested rules, and modify the accepted ones as necessary. In addition to
being a convenient way to generate an explicit policy (rather than an implicit policy based on a baseline only), this is an important step in validating that a baseline does
not include malicious or erroneous activity that may have occurred during the baseline period.
You may want to modify the suggested rules if you discover an activity that occurred during the baseline period that you would like to monitor or alert upon in the future.
You simply tailor the appropriate rule suggested from the baseline, and assign the desired action. By default, the suggested rules will be positioned before the baseline
rule, so that the action specified will be taken before the baseline rule executes to allow that command with no further testing of rules.
Note: The Policy Builder can also generate rules from the database ACL. See Policies for more information.
About Suggested Object Groups

When generating suggested rules from either the baseline or the database ACL (access control), the Policy Builder minimizes the number of suggested rules by creating
suggested object groups. For example, assume the baseline includes a particular command that references only three objects: AAA, BBB, and CCC, and that there is not
already an object group defined consisting of only those three objects. The Policy Builder will create a suggested object group for those objects, and will generate a single
rule for the command, which references the suggested object group.
You can display the membership of a suggested object group, and you have the option of accepting or rejecting each group. In the example just given, if you reject the
suggested object group, the single rule that references it will be replaced by three suggested rules (one each for AAA, BBB, and CCC).
Creating a Baseline

1. Click Protect > Security Policies > Baseline Builder to open the Baseline Finder.
2. Click New to open the Baseline Builder.
3. Enter a unique baseline name in the Baseline Description box. Do not include apostrophe characters in the baseline description.
4. In the Baseline Sensitivity pane, mark each element to which the baseline will be sensitive. The more sensitive the baseline, the more complex the testing that will
be done both when creating the baseline and more importantly, when inspecting traffic. See the Overview, for more information about baseline sensitivity.
5. In the Baseline Threshold pane, enter the minimum number of occurrences for a command during the baseline period for that command to be included in the
baseline. If one or more sensitivity boxes have been marked, this count applies to the combination of sensitive values.
If the approach you are taking in building your security policy is to always allow the most commonly issued commands from the past, then set this number upwards
to the appropriate level. If, on the other hand, you want to ensure that the baseline is comprehensive, then leave this value set to 1. In either case, you can have the
Policy Builder suggest rules from the baseline. The suggested rules are sorted in descending order by frequency in the baseline period, so you can decide at that
time whether to include or modify rules for each unique command issued.
6. Use the Baseline Network Information pane to identify the servers and clients to be included in the baseline. The method used to select which IP addresses to use
to construct the baseline is the same for servers and clients.
For each address encountered in the baseline data, membership in an optional tagged group is considered first. A tagged group is a specific list of IP addresses for
which baseline constructs will be generated. If a tagged group is selected, and if an IP address encountered in the baseline data is included in the corresponding
tagged group, that element will be included in the baseline for that specific IP address. For example, assume that the Tagged Client IP Group named ZoneAGroup
has been selected, and that group includes a client address of 192.162.14.33. If the baseline generator encounters the command SELECT abc FROM xyz from that
IP address, that command will be counted for that specific address.
In contrast, if no tagged group is selected, or if an IP address is encountered in the baseline data that is not a member of the selected tagged group, that command
may be counted with identical commands from other IP addresses as directed by the corresponding network mask.
The network mask is required to group both client and server IP addresses. Choices include all the different variations of subnet masks between 255.255.255.255
(all four octets must match) and 0.0.0.0 (all octets can be anything).
You must always:
Enter a subnet mask in the Server Network Mask box.

Enter a subnet mask in the Client Network Mask box.
To illustrate how the baseline builder uses network masks to group addresses, assume that:
The Client Network Mask is 255.255.0.0, meaning that the first two octets must match, but the second two octets can be anything.
In the baseline data, a request with the client IP address 192.168.3.211 is encountered.
That client IP address is not in the selected Tagged Client IP Group (or there is no Tagged Client IP Group selected).
The command is SELECT abc FROM xyz.
When generating the baseline, this command will be included in the count of all SELECT abc FROM xyz commands for all client IP addresses from the 192.168.0.0
subnet.
7. Click Save to validity-check and save the baseline definition. If you have omitted required fields or entered invalid values, the definition will not be saved and you
must resolve any problems before attempting to save again.
8. Optionally click Roles to assign roles for the policy.
9. Optionally click Comments to add comments to the definition.
10. After a baseline has been saved successfully, the Baseline Generation and Baseline Log panes appear on the panel.
11. Click anywhere on the Baseline Generation pane title to expand the pane.
12. Supply both From and To dates to define the time period from which the baseline is to be generated. There are a number of ways to enter dates; for more
information see Dates_and timestamps. Regardless of how you enter dates, any minutes or seconds specified will be ignored.
13. Click the Generate button to generate the baseline. If you have modified the baseline definition, you will be prompted to save the definition before generating the
baseline.
Note: After you successfully generate the baseline for the first time, additional fields are displayed in the Baseline Generation panel. These fields allow you to merge data
from additional time periods into the baseline, and to restrict the client and server IP addresses used during each additional time period.
Merge Baseline Information

To merge baseline information (to include information from additional time periods and/or from different groups of clients and servers, for example):
2. From the Baseline Definition list, select the baseline into which additional baseline information is to be merged.
3. Click Modify to open the Edit Baseline panel.
4. Do not modify the Baseline Sensitivity selections. If you modify the baseline sensitivity, you are prompted to generate a completely new baseline to replace the
existing one.
5. Optional. Set the Minimum number of occurrences for addition to Baseline value in the Baseline Threshold pane. The value entered here has no impact on
information previously included in the baseline. Once something is added to the baseline, it is not removed during a merge operation.
6. Optional. Enter alternative network information in the Baseline Network Information pane. The displayed values are from the last generate or merge operation. If
the merged information comes from the same set of servers and/or clients, leave these fields unchanged. Otherwise, make the appropriate changes in this pane to
select the traffic to be included in the baseline.
7. Click anywhere on the Baseline Generation pane title to expand the pane.
8. Supply both From and To dates to define the time period from which the baseline is to be generated. There are a number of ways to enter dates; for more
information see Dates_and timestamps. Regardless of how you enter dates, any minutes or seconds specified will be ignored.
9. Select the Merge radio button.
10. Optional. In the Filter Selection pane, limit the baseline generation to specific client and/or server IP addresses by entering an IP address followed by a network
mask. For example, to select all client IP addresses from the 192.168.9.x subnet, enter 192.168.9.1 in the first Client IP box, and 255.255.255.0 in the second box.
To include additional addresses, click the Add button, then enter the additional address information
11. Click Generate to generate the baseline. If you have modified the baseline definition, you will be prompted to save the definition before generating the baseline.
Modify a Baseline
Caution: Before modifying a baseline definition, be sure that you understand the implications of modifying it, particularly if the baseline whose definition you want to
modify and re-generate is used in an installed policy. If you modify and re-generate a baseline contained in an installed policy, when you re-install that policy it will use the

new baseline. To provide a fall-back option for baselines used by installed policies, consider instead cloning these baselines and policies, and modifying and generating
the cloned definitions. See Clone a Baseline for more information.
2. From the Baseline Definition list, select the baseline to be modified. Click the Modify button to open the Edit Baseline panel. Apart from the panel title, this panel is
identical to the Add Baseline panel. See Create a Baseline for instructions on using this panel.
Clone a Baseline
There are a number of situations where you may want to define a new baseline based on an existing one, without modifying the original definition. See the caution.
2. From the Baseline Definition list, select the baseline to be cloned.
3. Click Clone to open the Clone Baseline panel.
4. Enter a unique name for the new baseline in the New Baseline Description box. Do not include apostrophe characters in the new baseline description.
5. To clone the baseline constructs (the commands, basically) that have been generated for the baseline being cloned, mark the Clone Constructs checkbox.
6. Click Accept to save the new baseline. You can then open and edit the new baseline by using the Baseline Finder.
Remove a Baseline
2. From the Baseline Definition list, select the baseline to be removed.
3. Click Delete. You are prompted to confirm the action.
Parent topic: Protect
Policies
A security policy contains an ordered set of rules to be applied to the observed traffic between database clients and servers. Each rule can apply to a request from a client,
or to a response from a server. Multiple policies can be defined and multiple policies can be installed on a GuardiumÂ® appliance at the same time.
Each rule in a policy defines a conditional action. The condition tested can be a simple test - for example it might check for any access from a client IP address that does
not belong to an Authorized Client IPs group. Or the condition tested can be a complex test that considers multiple message and session attributes (database user, source
program, command type, time of day, etc.), and it can be sensitive to the number of times the condition is met within a specified timeframe.
The action triggered by the rule can be a notification action (e-mail to one or more recipients, for example), a blocking action (the client session might be disconnected), or
the event might simply be logged as a policy violation. Custom actions can be developed to perform any tasks necessary for conditions that may be unique to a given
environment or application. For a complete list of actions, see Rule Actions Overview.
A policy violation is logged each time that an alert or log-only action is triggered. Optionally, the SQL that triggered the rule (including data values) can be recorded with
the policy violation. Policy violations can be assigned to incidents, either automatically by a process, or manually by authorized users (see the Incident Management tab in
the Guardium GUI. For further information, see Incident Management.
Note: Correlation alerts can also be written to the policy violations domain (see Correlation Alerts).
In addition to logging violations, policy rules can affect the logging of client traffic, which is logged as constructs and construct instances.
Constructs are basically prototypes of requests that Guardium detects in the traffic. The combinations of commands, objects and fields included in a construct can
be very complex, but each construct basically represents a very specific type of access request. The detection and logging of new constructs begins when the
inspection engine starts, and by default continues (except as described) regardless of any security policy rules.
Each instance of a construct detected in the traffic is also logged, and each instance is related to a specific client-server session. No SQL is stored for a construct
instance, except when a policy rule requests the logging of SQL for that instance, or for a particular client/server session of instances (with or without values).
In addition to controlling the inclusion of SQL in client construct instances, a security policy rule can disable the logging of constructs and instances for the remainder of a
session. Â
In heavy volume situations, the parsing and aggregating of information into constructs and instances can be deferred by using the Log Flat (Flat Log) option. When used,
the production of alerts and reports will be delayed until the logged information has been aggregated. See Log Flat discussed later in this topic.
To completely control the client traffic that is logged, a policy can be defined as a selective audit trail policy. In that type of policy, audit-only rules and an optional pattern
identify all of the client traffic to be logged. See Use Selective Audit Trail discussed later in this topic.
In addition to installing new policies from Policy Installer screen of Administration Console/Policy Installation:
A new policy can be installed from Policy Finder screen.

From the Policy Definition screen, an installed policy can be reinstalled, without reinstalling other installed policies.
From Policy Rules screen, an installed policy rule can be reinstalled, without reinstalling the entire policy.
On a new installation only (not on upgrades), a default policy exists. It has no rules, but Selective Audit is checked (this means that the Guardium system will not collect
any traffic per the default policy). The default policy on 64-bit Guardium (new installation) is Default - Ignore Data Activity for Unknown Connections.
Policy Rule Basics

Within a policy, rules are evaluated in the order in which they appear, as each element of traffic is analyzed.
There are three types of rules:
An access rule applies to client requests - for example, it might test for UPDATE commands issued from a specific group of IP addresses.
An exception rule evaluates exceptions returned by the server (responses) - for example, it might test for five login failures within one minute.
An extrusion rule evaluates data returned by the server (in response to requests) - for example, it might test the returned data for numeric patterns that could be
social security or credit card numbers.
Category, Classification, and Severity

For each rule, an optional Category and/or Classification can be assigned. These are used to group policy violations for both reporting and incident management.
Minimum Counts and Reset Intervals

Some activities are normal and acceptable when they occur less than a certain rate. But those same activities may require attention when the rate exceeds a tolerable
threshold. For example, if interactive database access is allowed, a consistent but relatively low rate of login failures might be expected, whereas a sharply higher rate
might indicate an attack is in progress.
To deal with thresholds, a minimum count and a reset interval can be specified for each policy rule. This can be used, for example, to trigger the rule action after the count
of login failures exceeds 100 (the minimum count) within one minute (the reset interval). If omitted, the default is to execute the rule action each time the rule is satisfied.
Continue to Next Rule

By default, the evaluation of access and exception rules for a unit of traffic ends when a rule is triggered, providing that there is not multiple actions in one rule. In cases
where it is necessary to take multiple actions for the same or similar conditions, mark the Continue to Next Rule box for that rule.
Note: Continue to Next Rule applies to access rules following access rules and to exception rules following exception rules, but not to an exception rule following an
access rule or an access rule following an exception rule.
Extrusion rules will be processed regardless of the end of an access or exception rule preceding the extrusion rule. See extrusion rules revoke in the Rule Definitions
Reference table at the end of this topic for information on excluding logging a response that has already been selected for logging by a previous rule in the policy.
Record Values with Policy Violation

When marked, the actual construct causing the rule to be satisfied will be logged in the SQL String attribute and is available in reports. If not marked, no SQL statement
will be logged. To include the full values in the policy violation, mark the Rec. Vals box for that rule.
Note: The full SQL with values will be available only in the policy violation record, within the policy violations reporting domain. It will not be available in the client traffic
log, or on reports from the data access domain. To include full SQL (with or without data values) in the client traffic log, use the Log Full SQL rule actions.
For more information about working with rules, see the following topics:
View the Policy Rules for the Installed Policy

Specify Values and/or Groups of Values in Rules
Filter Rules to Display only a Subset
Copy Rules
Using Rules Suggested from the Database ACL.
Add or Edit Rules
Using the Policy Simulator
Specify Values and/or Groups of Values in Rules

For many rule attributes, you can specify a single value and/or a group value, using controls like those illustrated for the App User.
Be aware that a group member may contain wildcard (%) characters, so each member of a group may match multiple actual values.
When a Group is selected, be aware that the group may contain wildcards.
Negative Rule: Mark the Not box to create a negative rule; for example, not the specified App User, or not any member of the selected group, or neither the
specified App User nor any member of the selected group.
Empty Value: Enter the special value guardium://empty to test for an empty value in the traffic. This is allowed only in the following fields: DB Name, DB User, App
User, OS User, Src App, Event Type, Event User Name, and App Event Text.
To define a new group to be tested: Click the Groups button to define a new group, and then select that group from the Group list.
To match any value: Leave the value box blank, and select nothing from the Group list (be sure that the line of dashes is selected, as in the example). Â
To match a specific value only: Enter that value in the value box, and select nothing from the Group list.
To match any member of a group: Leave the value box blank, and select the group from the list. If the minimum count is greater than 1, there will be a single
counter, and it will be incremented each time any member of the group is matched.
To match an individual value or any member of a group: Enter a specific value in the value box, and select a group from the list. If the minimum count is greater than
1, there will be a single counter, and it will be incremented each time the individual value or any member of the group is matched.
If the minimum count is greater than 1, count each individual value separately: Enter a dot (.) in the value box, and select nothing from the group list. Note that the
dot option cannot be used for the Service Name or Net Protocol boxes. If the minimum count is greater than 1, count each member of a group separately: Enter a
dot (.) in the value box, and select a group from the list. Note that the dot option cannot be used for the Service Name or Net Protocol boxes.
Pattern matching using Regular Expressions

In addition to special pattern tests, regular expressions can be used to search traffic for complex patterns in the data. The Guardium implementation of regular
expressions conforms with POSIX 1003.2, which differs from the UNIX implementation of regular expressions. Regular expressions are allowed in any field that is
followed by the Build Regular Expression button.
Note: You can also use regular expressions in the following fields (DB user, App User, SRC App, Field name, Object, App Event Values Text) by typing the special value
guardium://regexp/(regular expression) in the text box that corresponds to the field.
Note: IBM Security Guardium does not support regular expressions for non-English languages.
For detailed information about how to use regular expressions, see Regular Expressions.

You can use these special pattern tests to identify sensitive data that is contained in the traffic that flows between the database server and the client.
Rule actions
There are a number of factors to consider when selecting the action to be taken when a rule is satisfied.
Creating policies
In addition to creating policies, you can modify, clone, or remove a policy.
Installing Policies
Use this topic to install the policy on the Guardium collector and modify the schedule.

Rule definition fields
You can use these fields when you define policy rules.
How to integrate custom rules with Guardium policy
Show how to automatically modify/derive Guardium policy from a custom entitlement system.
How to use the appropriate Ignore Action
Detail how the data is handled when using Ignore actions in Policy Rules.
Character sets
You can use character set codes in extrusion rules.

You can use these special pattern tests to identify sensitive data that is contained in the traffic that flows between the database server and the client.
Each policy rule can include a single special pattern test. To use one of these tests, begin the rule name with one of the special pattern test names, followed by a space
and one or more additional characters to make the rule name unique For example, if you are searching for Social Security numbers of your employees, you could name the
rule guardium://SSEC_NUMBER employee. You can still specify all other components of the rule, such as specific client and server IP addresses.
These tests match a character pattern, and that match does not guarantee that the suspected item, such as a Social Security number, has been encountered. There can be
false positives under a variety of circumstances, especially if longer sequences of numeric values are concatenated in the data.
guardium://CREDIT_CARD
Detects credit card number patterns. It tests for a string of 16 digits or for four sets of four digits, with each set separated by a blank. This special pattern test also
works with American Express 15-digit credit card number patterns (first digit 3 and second digit either 4 or 7). For example: 1111222233334444 or 1111 2222
3333 4444
When a rule name begins with "guardium://CREDIT_CARD", and there is a valid credit card number pattern in the Data pattern field, the policy uses the Luhn
algorithm, a widely-used algorithm for validating identification numbers such as credit card numbers, in addition to standard pattern matching. The Luhn algorithm
is an additional check and does not replace the pattern check. A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by
a blank. There is a requirement to have both the guardium://CREDIT_CARD rule name and a valid [0-9]{16} number in the Search Expression box in order to have the
Luhn algorithm involved in this pattern matching.
guardium://PCI_TRACK_DATA
Detects two patterns of magnetic stripe data. The first pattern consists of a semi-colon (;), 16 digits, an equal sign (=), 20 digits, and a question mark (?), such as:
;1111222233334444=11112222333344445555?
The second pattern consists of a percent sign (%), the character B, 16 digits, a carat (^), a variable-length character string terminated by a forward slash (/), a
second variable-length character string terminated by a carat (^), 31 digits, and a question mark (?), such as:
%B1111222233334444^xxx/xxxx x^1111222233334444555566667777888?
guardium://SSEC_NUMBER
Detects numbers in Social Security number format: three digits, dash (-), two digits, dash (-), four digits, such as 123-45-6789. The dashes are required.
guardium://CPF
The Cadastro de Pessoas FÃsicas (CPF), a Brazilian personal identifier. It contains 11 digits of the format nnn.nnn.nnn-nn, where the last two digits are check
digits. Check digits are computed from the original nine digits to provide verification that the number is valid. The formatting characters within the expression are
optional. If there is a match on the expression, the check digits are validated.
guardium://CNPJ
Cadastro Nacional de Pessoas JurÃdicas (CNPJ), an identification number used for Brazilian companies. It contains 14 digits of the format 00.000.000/0001-00
where:
The first eight numbers show the registration.

The next four numbers identify the entity branch. 0001 is the default value for head quarters.
The last 2 numbers are the check digits.
The formatting characters within the expression are optional. If there is a match on the expression, the check digits are validated.
Parent topic: Policies
Rule actions
There are a number of factors to consider when selecting the action to be taken when a rule is satisfied.
Blocking Actions (S-TAP/S-GATE)

This section describes S-TAPÂ® Terminate and S-GATE actions.
S-TAP Terminate Action

The S-TAP TERMINATE action will terminate a database connection (a session) and prevent additional requests on that session. This action is available in S-TAP,
regardless of whether S-GATE is used or not.
Note: With S-TAP TERMINATE, the triggering request usually will not be blocked, but additional requests from that session will be blocked (on high rate, sometimes more
than one request may go through before the session is terminated).
S-GATE Actions
S-GATE provides database protection via S-TAP for both network and local connections.

When S-GATE is available, all database connections (sessions) are evaluated and tagged to be monitored in one of the following S-GATE modes:
Attached (S-GATE is "on") â€“ S-TAP is in firewalling mode for that session, it holds the database requests and waits for a verdict on each request before releasing
its responses. In this mode, latency is expected. However, it assures that rogue requests will be blocked.
Detached (S-GATE is "off") - S-TAP is in normal monitoring mode for that session, it passes requests to the database server without any delay. In this mode latency
is not expected.
S-GATE configuration in the S-TAP defines the default S-GATE mode for all sessions, as well as other defaults related to S-GATE verdicts when the collector is not
responding. (See Linux and UNIX systems S-TAP firewall parameters and Windows S-TAP firewall parameters.) Other than the default S-GATE configuration, S-GATE is
controlled through the real-time policy mechanism using the following S-GATE Policy Rule Actions:
S-GATE ATTACH: sets S-GATE mode to "Attached" for a specific session.
Intended for use when a certain criteria is met that raises the need to closely watch (and if needed block) the traffic on that session.
S-GATE DETACH: sets S-GATE mode to "Detached" for a specific session.
Intended for use on sessions that are considered as "safe" or sessions that cannot tolerate any latency.
S-GATE TERMINATE: Has effect only when the session is attached. It drops the reply of the firewalled request, which will terminate the session on some databases.
The S-GATE TERMINATE policy rule will cause a previously watched session to terminate.
Note:
S-GATE/ S-TAP termination does not work on a client IP group whose members have wild-card characters. S-GATE/S-TAP termination only works with a single IP
address. Wild-card should be handled by groups if the customer wants to use multiple IP entries. Customer can create groups of trusted or untrusted users/clients
to handle their business needs in the policies.
For ATAP and S-GATE, there are limitations for lower Linux kernels. Basically, for S-TAP 10.1.2 and higher, S-GATE is supported everywhere except Linux with ATAP
and kernels less than 2.6.36.
For MySQL databases, It should be noted that MySQL's default command line connection is 'mysql -u<user> -p<pass> <dbname>â€™
In this mode, MySQL will first map all the objects and fields in this database to support auto completion (with TAB).Â When a terminate rule on any object or field
that is involved in this mapping, it will immediately disable the connection session. To avoid this, connect to MySQL with the "-A" flag, which will disable the"'auto-
complete" feature, and will not trigger the "terminate" rule. Another option is to fine tune the rule and not terminate on ANY access to these objects/field and
instead find a criteria that is more narrow and will not trigger the rule on the login sequence.
Alerting Actions
Alert actions send notifications to one or more recipients.
For each alert action, multiple notifications can be sent, and the notifications can be a combination of one or more of the following notification types:
Email messages, which must be addressed to GuardiumÂ® users, and will be sent via the SMTP server configured for Guardium. Additional receivers for real-time
email notification are Invoker (the user that initiated the actual SQL command that caused the trigger of the policy) and Owner (the owner/s of the database). The
Invoker and Owner are identified by retrieving user IDs (IP-based) configured via Guardium APIs. The choice Data Security User - Database Associations (available
from accessmgr) displays the mapping (this is similar to what is displayed if running the Guardium API command "list_db_user_mapping").
SNMP traps, which will be sent to the trap community configured for the Guardium appliance.
Syslog messages, which will be written to syslog.
Custom notifications, which are user-written notification handlers, implemented as Javaâ„¢ classes.
Note: Alerts definition and notification are not subject to Data Level Security. Reasons for this include alerts are not evaluated in the context of user, the alert may be
related to databases associated to multiple users and to avoid situations where no one gets the alert notification.
Message templates are used to generate alerts. Multiple Named Message Templates are created and modified from Global Profile. There are several types of alert actions,
each of which may be appropriate for a different type of situation.
Alert Daily sends notifications only the first time the rule is matched each day.
Alert Once Per Session sends notifications only once for each session in which the rule is matched. This action might be appropriate in situations where you want to
know that a certain event has occurred, but not for every instance of that event during a single session. For example, you may want a notification sent when a
certain sensitive object is updated, but if a program updates thousands of instances of that object in a single session, you almost certainly would not want
thousands of notifications sent to the receivers of the alert.
Alert Only - For Alert Only, with type syslog, the message goes directly to /var/log/messages. For other types of Alert Only, the message will get sent to MESSAGE
table. Alert Only does not notify of policy violations.
Alert Per Match sends notifications each time the rule is satisfied. This would be appropriate for a condition requiring attention each and every time it occurs.
Alert Per Time Granularity sends notifications once per logging granularity period. For example, if the logging granularity is set to one hour, notifications will be sent
for only the first match for the rule during each hour. (The Guardium administrator sets the logging granularity on the Inspection Engine Configuration panel.)
Log or Ignore Actions

These actions control the level of logging, based on the observed traffic.
The Log and Ignore commands are generally always available, but the Audit Only action is only available for a Selective Audit Trail policy. Access rules, exception rules and
extrusion rules differ in what actions are permitted. Click on the Add Action button for offerings.
Audit Only: Available for a Selective Audit Trail policy only. Log the construct that triggered the rule. For a Selective Audit Trail policy, no constructs are logged by
default, so use this selection to indicate what does get logged. When using the Application Events API, you must use this action to force the logging of database
user names, if you want that information available for reporting (otherwise, in this case, the user name will be blank).
Allow: When matched, do not log a policy violation. If "Allow" action is selected, no other actions can be added to the rule. Constructs are logged.
FAM Alert and Audit - two rule actions - Alert, on a matching event, trigger an alert (using receiver and template) and Audit, log the construct that triggered the rule.
FAM Audit only - log the construct that triggered the rule.
FAM Ignore - Do not log this event.
FAM Log Only Access Violations - log FAM access violations.
Log only: Log the policy violation only. We refer to the fact that the rule was triggered as a policy violation. Except for the Allow action, a policy violation is logged
each time a rule is triggered (unless that action suppresses logging).

Log masked details: Log the full SQL for this request, replacing values with question marks (???). This action is available for access rules and extrusion rules.
Log full details: Log the full SQL string and exact timestamp for this request. See notes in Further Discussion and Examples.
Log full details with values: Like Log full details, but in addition, each value is stored as a separate element (parse and log the values into a separate table in the
database). This log action uses more system resources as it logs the specific values of the relevant commands. Use this log action only when you need to generate
reports with specific conditions on these values. Activation of this log action choice is not available without consulting Technical Services (admin
user/Tools/Support Maintenance).
Log full details per session: Log the full SQL string and exact timestamp for this request and for the remainder of the session.
Log full details with values per session: Â See the descriptions of Log full details with values and Log full details per session. Activation of this log action choice is
not available without consulting Technical Services (admin user/Tools/Support Maintenance).
Skip Logging: Â When matched, do not log a policy violation, and stop logging constructs. This is similar to the Allow action, but it additionally stops the logging of
constructs. This action is used to eliminate the logging of constructs for requests that are known to be of no interest. GDM_CONSTRUCT will be logged in some
cases, because parse/log of construct occurs before the rule is applied. However, the construct will not be included in the session. This feature also applies for
exception rules concerning database error code only, allowing users to not log errors when an application generates large amounts of errors and there is nothing
that the user can do to stop the application errors. Â
Ignore responses per session: Responses for the remainder of the session will be ignored. This action does not log a policy violation, but it stops analyzing
responses for the remainder of the session. This action is useful in cases where you know the database response will be of no interest. This action works when
sniffing data from an S-TAP. This action does not work when sniffing data from a SPAN port.
Note: For ignore responses per session, since the sniffer does not receive any response for the query or it is ignored, then the values for COUNT_FAILED and
SUCCESS are whatever the default for the table says they are, in this case COUNT_FAILED=0 and SUCCESS=1.
Ignore session: The current request and the remainder of the session will be ignored. This action does not log a policy violation, but it stops the logging of
constructs and will not test for policy violations of any type for the remainder of the session. This action might be useful if, for example, the database includes a test
region, and there is no need to apply policy rules against that region of the database. Ignore Session rules provide the most effective method of filtering traffic. An
ignore session rule will cause activity from individual sessions to be dropped by the S-TAP or completely ignored by the sniffer. Â Note: connection (login/logout)
information is always logged, even if the session is ignored.
Ignore S-TAP session: The current request and the remainder of the S-TAP session will be ignored. This action is done in combination with specifying in the policy
builder menu screen of certain systems, users or applications that are producing a high volume of network traffic. This action is useful in cases where you know the
database response from the S-TAP session will be of no interest. Two options for Ignore S-TAP session: IGNORE_ENTIRE_STAP_SESSION - This is a "hard" ignore
and can not be revoked, and IGNORE_STAP_SESSION (REVOCABLE) - This is a "soft" ignore, and this rule action can enable the session traffic to be sent again
without requiring a new connection to the database. Note for ignore_stap_session (revocable) - Revoke STAP Ignore command is persistent for the S-TAP host in
one sniffer process. New sessions opened after the S-TAP is in the revoked ignore state will NOT be ignored (even if the rule IGNORE STAP SESSION (REVOCABLE)
is triggered. REVOKE Ignore - Sessions that were ignored by the action "IGNORE S-TAP SESSION (REVOCABLE)" will be resumed, meaning the traffic will be sent to
Guardium system after "REVOKE Ignore" command received by the S-TAP. (This command can be sent from S-TAP control-->send command).
Ignore SQL per session: No SQL will be logged for the remainder of the session. Exceptions will continue to be logged, but the system may not capture the SQL
strings that correspond to the exceptions.
Log Extrusion Counter: Available only for extrusion rules, this action updates the counter, but does not log any of the returned data. This action saves disk space
when the counter value is most important and returned values are the least important.
Log Masked Extrusion Counter: Available only for extrusion rules, this action updates the counter; logs the SQL request, replacing values with question marks; does
not log the returned data (response).
Quarantine: Available for access, exception and extrusion rules, the purpose of this action is to prevent the same user from logging into the same server for a certain
period of time. There is one validation item: you cannot have a rule with a QUARANTINE action without having filled in a value for amount of time that the user is
quarantined. See Quarantine for (minutes) to set this quarantine time. If the session is watched (S-GATE scenario), send a drop verdict. If the session is not
watched (S-TAP TERMINATE scenario), have the S-TAP stop the session. Take the current time and add to that the number of minutes from the reset interval field.
You get a new timestamp. In a new structure you keep a sorted list (sorted by this timestamp). Each element has in addition to the timestamp, a server IP, server
type, a DB user name, a service name and a flag saying whether this was a watched session or not.
No Parse - Do not parse the SQL statement.
Quick Parse No Fields - Do not parse fields in the SQL statement. All quick parse rules are only applied if SQL string is greater than 100 characters.
Quick Parse Native - This is used only for Guardium S-TAP for DB2 on z/OS. Use this rule action in an environment where heavy traffic is overloading the Sniffer. Use
of this rule action should improve performance in the S-TAP for DB2 on z/OS.
Quick Parse: For access rules only, for the remainder of the session, Do not parse the SQL statement. This reduces parsing time. In this mode all objects accessed
can be determined (since objects appear before the WHERE clause), but the exact object instances affected will be unknown, since that is determined by the
WHERE clause.
Redact: For extrusion rules only, this feature allows a customer to mask portions of database query output (for example, credit card numbers) in reports for certain
users. The selection Replacement Character in the Data Pattern section of the extrusion rule menu choices defines the masking character. Should the output
produced by the extrusion rule match the regular expression of the Data Pattern, the portions that match sub-expressions between parenthesis "(" and ")" will be
replaced by the masking character. Predefined regular expressions (fast regexp) can also be used. See Data Pattern in Rule definition fields for more information.
Restriction:
Redaction does not work on open sessions after an S-TAP live upgrade.
Redaction does not work on tables created with field and number type.
SQL Pattern is not supported for redaction rules.
Record Values Separately/ Do Not Record Values Separately: This action is a session-based access rule. Used in Replay function to distinguish between
transactions.
Mark as Auto-Commit ON/ Mark as Auto-Commit OFF: This action is a session-based access rule. Used in Replay function due to various auto-commit models for
different databases.
z/OS Audit: Used specifically for z/OS Collection Profile policy rules (IMS, Data Sets, and DB2), which are used to specify which traffic to collect on the z/OS server.
This action specifies that traffic that meets the filtering criteria is sent to the collector, and it is the only action that can be specified on a Collection Profile rule.
Note:
Redaction (Scrub) on supported as of version 9.1. For Windows and UNIX/Linux platforms, Scrub is supported only with ANSI character sets.
Redaction (Scrub) rules should be set on the session level (meaning, trigger rules on session attributes like IPs, Users, etc), not on the SQL level / attributes (like -
OBJECT_NAME or VERB), because if you set the scrub rule on the SQL that needs to be scrubbed it probably will take a few miliseconds for the scrub instructions to make
it to the S-TAP where some results may go though unmasked.
To guarantee all SQL is scrubbed, set the S-TAP (S-GATE) default mode to "attach" for all sessions (in guard_tap.ini). This will guarantee that no command goes through
without being inspected by the rules engine and holding each request and waiting for the policy's verdict on the request. Â This deployment will introduce some latency
but this is the way to ensure 100% scrubbed data.
For the Informix database, when char is used as data type, there will be no null terminated at the end of each column. Thus all four columns are captured in sendmsg
system call as one piece. KTAP will always try to redact whatever data it captures. This is a limitation when using redaction and the Informix database.

Note:
For HTTP support, there are Policy action limitations. The following policy actions are not supported for HTTP: S-TAP terminate and Skip logging.
For other actions, the following are not supported by HTTP:
Ignore Responses Per Session: because HTTP does not support exception and extrusion.
Ignore SQL Per Session: because HTTP does not contain SQLs.
Quarantine: This action is used to quarantine user, but HTTP does not support DBUser and OSUser.
Quick Parse: This action is for log SQL.
SGate Terminate: This action is not supported for Hadoop - all the terminate actions do not work for HTTP.
For policy conditions - these conditions are not supported for HTTP:
Client MAC; DB Name; DB User; App User; OS User; Src App; Masking Pattern; Replacement Character; Quarantine for minutes; Records Affected Threshold; XML Pattern;
Event Type; Event User Name; App Event Values Text; App Event Values Text Group; App Evert Values Text and Group; Numeric; Date.
Further discussion and examples

Log Full Details
By default the Guardium collector masks all values when logging an SQL string. For example
insert into tableA (name,ssn,ccn) values ('Bob Jones', '429-29-2921','29249449494949494')
is logged as insert into tableA (name,ssn,ccn) values (?, ?,?). This is the default behavior for two reasons:
1. Values should not be logged by default because they may contain sensitive information.
2. Logging without values can provide for increased system performance and longer data retention within the appliance. Very often, database traffic consists of
many SQL requests, identical in everything except for their values, repeated hundreds, thousands, or even millions of times per hour. By masking the values,
Guardium is able to aggregate these repeated SQL requests into a single request, called a "construct". When constructs are logged, instead of each individual
SQL request/construct being logged separately, it is only logged once per hour (per session) with a counter of how many times the construct was executed.
This can save a tremendous amount of disk space because, instead of creating a hundreds (or millions) of lines in the database, only one new line is added.
With Log Full Details, Guardium logs the data with the values unmasked and each separate request. Log Full Details also provides the exact timestamp whereas
logging without details provides the most recent timestamp of a construct within the logging granularity time period (usually 1-hour).
Ignore S-TAP Session - Ignore S-TAP Session causes the collector to send a signal to the S-TAP instructing it to stop sending all traffic, except for the logout
notification, for specific sessions. For example, if you have a rule that says where DBUserName?=scott, Ignore S-TAP Session:
When Scott logs into the database server, S-TAP sends the connection information to the collector.
The collector logs the connection. Session information (log in/log outs) are always logged.
The collector sends a signal to S-TAP to stop sending any more traffic from this specific session. This means that any commands run by Scott against the
database server and any responses (result sets, SQL errors, etc.) sent by the Database server to Scott will be discarded by S-TAP and will never reach the
collector.
When Scott logs out of the database server, S-TAP will send this information to the collector (log in/log out information is always tracked even if the session is
ignored).
When Scott logs in again, these steps are repeated. The logic on which sessions should be ignored is maintained by the collector, not the S-TAP.
It is important to note that Ignore Session rules are still very important to include in the policy even if using a Selective Audit Trail. Ignore Session rules decrease
the load on a collector considerably because by filtering the information at the S-TAP level, the collector never receives it and does not have to consume resources
analyzing traffic that will not ultimately be logged. A Selective Audit Trail policy with no Ignore Session rules would mean that all traffic would be sent from the
database server to the collector, causing the collector to analyze every command and result set generated by the database server.
Using MS-SQL or Sybase batch statements in Guardium application
Limitation
The success or failure of SQL commands in MS-SQL or Sybase batch statements may not show correctly.
MS-SQL or Sybase SQL batch statements are primarily used when creating complex procedures.
When executing SQL statements separately, the status of each statement is tracked separately and will have the correct success or failure value.
When a batch of SQL statements (used in MS-SQL or Sybase) are executed together, the status returned is the single status of the last transaction in the batch.
Guardium example
[Start of SQL batch]
SQL 1 statement - failed
SQL 2 statement - failed
SQL 3 statement - success
[End of SQL batch]
In the Guardium application, only the success or failure of the last SQL statement is reported in a MS-SQL or Sybase batch statement. In this case, success is
reported for the MS-SQL or Sybase batch statement, even though SQL 1 and SQL 2 failed.
Set character set

You can use an action under a policy extrusion rule in order to attach alternative character sets to the session.
Special Pattern Rules with character sets

Example of extrusion rule (with hint):
Character set EUC-JP (code 274).
Extrusion rule pattern: guardium://char_set?hint=274
As a result an extrusion rule is attached to the session and Analyzer will use EUC-JP in the session, if there is no other character set.
Example of extrusion rule (with force) :
Extrusion rule pattern: guardium://char_set?force=274
As a result an extrusion rule us attached to the session and Analyzer will use EUC-JP character set in the session in any case. Character set used before will be substituted
by EUC-JP.
Keep in mind that extrusion rules usually attach to the session with some delay. Therefore short sessions or the beginning of the session are not immediately changed by a
character set change. The schema works for: Oracle, Sybase, MY SQL, and MS SQL.
Analyzer rules
Certain rules can be applied at the analyzer level. Examples of analyzer rules are: user-defined character sets, source program changes, and issuing watch verdicts for
firewall mode. In previous releases, policies and rules were applied at the end of request processing on the logging state. In some cases, this meant a delay in decisions
based on these rules. Rules applied at the analyzer level means decisions can be made at an earlier stage.
Log Flat
The Log Flat option listed in Policy Definition of Policy Builder allows the Guardium appliance to log information without immediately parsing it.
This saves processing resources, so that a heavier traffic volume can be handled. The parsing and merging of that data to Guardium's internal database can be done later,
either on a collector or an aggregator unit.
There are two Guardium features involving the Flat Log Process - Flat Log by policy definition and Flat Log by throttling mechanism.
Flat Log by throttling mechanism - This is the feature implemented by running the CLI command, store alp_throttle 1. The same policy that is applicable to real-time S-TAP
traffic is used to process traffic that was logged into the GDM_FLAT_LOG table.
For Flat Log by throttling mechanism, the Flat Log checkbox should NOT be checked in Policy Builder.
Flat Log by policy definition - Selection of this feature involves the Policy Builder menu in Setup >Tools and Views and Flat Log Process menu in Manage > Activity
Monitoring.
Note: Rules on flat does not work with policy rules involving a field, an object, SQL verb (command), Object/Command Group, and Object/Field Group. In the Flat Log
process, "flat" means that a syntax tree is not built. If there is no syntax tree, then the fields, objects and SQL verbs cannot be determined.
The following actions do not work with rules on flat policies: LOG FULL DETAILS; LOG FULL DETAILS PER SESSION; LOG FULL DETAILS VALUES; LOG FULL DETAILS
VALUES PER SESSION; LOG MASKED DETAILS.
When the Log Flat (Flat Log) checkbox option listed in the Policy Definition screen of the Policy Builder is checked,
Data will not be parsed in real time .

The flat logs can be seen on a designated Flat Log List report.
Rules on Flat
This section describes the differences on uses of Rules on Flat.
When Rules on flat is checked:
Session-Level rules will be examined in real-time.

No rules will be evaluated when the offline processing does takes place.
When Rules on flat is NOT checked:
Policy rules will fire at processing time using the current installed policy.
The following actions do not work with rules on flat policies: LOG_FULL_DETAILS; LOG_FULL_DETAILS_PER_SESSION; LOG_FULL_DETAILS_VALUES;
LOG_FULL_DETAILS_VALUES_PER_SESSION; LOG_MASKED_DETAILS.
Using Selective Audit Trail

Use the Selective Audit Trail option, in the Policy Definition section of Policy Builder, to limit the amount of logging on the Guardium appliance.
This is appropriate when the traffic of interest is a relatively small percentage of the traffic being accepted by the inspection engines, or when all of the traffic you might
ever want to report upon can be completely identified.
Without a selective audit trail policy, the Guardium appliance logs all traffic that is accepted by the inspection engines. Each inspection engine on the appliance or on an S-
TAP is configured to monitor a specific database protocol (Oracle, for example) on one or more ports. In addition, the inspection engine can be configured to accept traffic
from subsets of client/server connections. This tends to capture more information than a selective audit trail policy, but it may cause the Guardium appliance to process
and store much more information than is needed to satisfy your security and regulatory requirements.
When a selective audit trail policy is installed, only the traffic requested by the policy will be logged, and there are two ways to identify that traffic:

By specifying a string that can be used to identify the traffic of interest, in the Audit Pattern box of the Policy Definition panel. This might identify a database or a
group of database tables, for example. Note that an audit pattern is a pattern that is applied (via regular expression matching) to EACH SQL that the logger
processes to see if it matches. This pattern match is strictly a string match. It does NOT match against the session variables (DB name, etc) the way the policy rules
do.
Or by specifying Audit Only or any of the Log actions (Log Only, Log Full Details, etc.) for one or more policy rules in a Rule Definition panel. With policy rules you can
be extremely precise, specifying exact values, groups or patterns to match for every conceivable type of attribute (DB Type, DB Name, User Name, etc.).
If the Guardium security policy has Selective Audit Trail enabled, and a rule has been created on a group of objects, the string on each element in the group is checked. If
there is a match, a decision is made to log the information and continue. If the Guardium security policy has Selective Audit Trail enabled, and a rule has been created on a
group of objects using a NOT designation on the object group, there is still a need to check the string on each element in the group, and decide to log and continue only if
none of the elements match. NOT designated rules behave the same as normal rules when used with Selective Audit Trail.
This includes:
OR situations such as rules based on multiple objects or commands;

Situations with two NOT conditions (for example, NOT part of a group of objects and NOT part of a group of commands); and,
Situations with one NOT condition and one YES condition (for example, a NOT part of a group of objects and a YES part of a group of commands).
Note: Any select statements with query hints, such as SELECT /*+ ORDERED USE_MERGE(m) */ SELECT /*+ ORDERED */ SELECT /*+ all_rows */ etc. are allowed to pass
through the parser and logged regardless of the rule definition to skip them (at least with selective audit mode). This is because a selective audit policy should not prevent
logging of certain SQLs that may be needed for other functions, like application user translation.
Selective Audit Trail and Application Events API

When a selective audit trail policy is used, and application users or events are being set via the Application Events API, the policy must include an Audit Only rule that fires
whenever a set/clear application event, or set/clear application user command is encountered. See Identify Users via API for information about setting the application
user via the Application Events API.
Selective Audit Trail and Application User Translation

When a selective audit trail policy is used, an Application User Translation is also being used:
The policy will ignore all of the traffic that does not fit the application user translation rule (for example, not from the application server).
Only the SQL that matches the pattern for that policy will be available for the special application user translation reports.
Selective Audit Trail and specifying an empty group

An empty tuple group attached to a rule will NOT cause a rule action to match.
Creating policies
In addition to creating policies, you can modify, clone, or remove a policy.
Create a policy
Use this section to create a policy. The steps follow the menu fields on the Policy Builder screen.
Follow these steps:
1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
2. A series of predefined policies (available for policy cloning) with access, exception and extrusion rules have been created for database events that demonstrate
attempts to defeat the protect mechanisms. Such events that will generate log actions or alerts are: failed logins and SQL errors from certain groups or servers,
access of certain database objects by certain users or groups, attempts to change SQL GRANT commands, and more. These predefined policies facilitate quicker
creation of policies for compliance. For exmaple, GDPR, Basel II, and PCI.
Attention: If a [template] version of a predefined policy is available, using the older version (not marked as a [template]) is not recommended because it will not
receive updates. Instead, clone the [template] version and customize it as needed.
3. Clone a predefined policy or click New to open the Policy Definition panel.
4. Enter a unique name for the policy in the Policy Description box. Do not include apostrophe characters in the description.
5. Optional. Enter a category in the Category box. A category is an arbitrary label that can be used to group policy violations for reporting purposes. The category
specified here will be used as the default category for each rule (and it can be overridden in the rule definition).
6. Optional. Select a baseline to use from the Policy Baseline list. Be sure that the baseline selected has been generated. If it has not been generated, the Policy
Builder will not be able to suggest rules from that baseline. If the baseline you want to use does not display in the list, your Guardium user ID has not been assigned
a security role authorized to use that baseline. Contact your GuardiumÂ® Administrator for further information.
If the policy includes a baseline, the policy definition will initially contain only the baseline, and the action for a baseline is always allow without continuing to the
next rule.
When adding a baseline to an existing policy, it will be added as the first rule. You can move the baseline rule to any location in the policy. (Be aware if moving the
baseline as the last rule, it will have no effect.)
7. Optionally mark Log Flat to indicate that Guardium is to log data, but not analyze and aggregate the data to the internal database.
8. If Log Flat is selected, optionally mark Rules on Flat to apply the policy rules to the flat log data (as opposed to the aggregated data).
9. Optionally mark Selective Audit Trail to restrict what will be logged when this policy is installed:
When marked, only traffic requested by this policy will be logged. This is appropriate when the traffic of interest is a relatively small percentage of the traffic
being seen by the inspection engines. When marked, there are two ways to signal what traffic to log: by specifying a string that can be used to identify the
traffic of interest, in the Audit Pattern box; or by specifying Audit Only or any of the Log actions for one or more policy rules (rule actions are described later).
When not marked (the default situation), the Guardium appliance logs all traffic that is seen by the inspection engines. This provides comprehensive audit
trail capabilities, but may result in capturing and analyzing much more information than is needed.

For more information, see Using Selective Audit Trail.
10. Click Save to save the policy definition.
11. Optionally click Roles to assign roles for the policy.
Where to go from here

After creating a new policy definition, use the Policy Finder panel to access that definition. Complete the policy definition by performing one or more of the following tasks:
Create policy rules manually. See Add or Edit Rules.

If the policy includes a baseline, have the Policy Builder suggest rules from the baseline. You can optionally accept or tailor the generated rules as necessary. See
Using Rules Suggested from the Baseline.
Have the Policy Builder suggest rules from the database access control (ACL) defined for that database. You can reject, or accept and optionally tailor each rule as
necessary. See Using Rules Suggested from the Database ACL.
Modify/Clone/Remove a Policy
Use this section for the steps on how to modify, clone or remove a policy.
Modify a policy
Use caution before modifying a policy definition: be sure that you understand the implications of modifying a policy that is in use. If the existing policy has to be re-
installed before all revisions have been completed, the policy may not install, or it may not produce the desired results when installed. For this reason, it is preferable to
clone the policy, so that the original is always available to reinstall.
2. From the Policy Description list, select the policy to be modified.
To edit overall policy settings (Category, Log Flat option, etc.) click Modify. To change any of these settings, see Create a Policy.
To edit the rules only, click Edit Rules. To modify any components of the rule definitions, see Add or Edit Rules.
Clone a policy
There are a number of situations where you may want to define a new policy based on an existing one, without modifying the original definition.
2. From the Policy Description list, select the policy to be cloned.
3. Click Clone to open the Clone Policy panel.
4. Enter a unique name for the new policy in the New Name box. Do not include apostrophe characters in the name.
5. To clone the baseline constructs (the commands, basically) that have been generated for the baseline being cloned, mark the Clone Constructs checkbox.
6. Click Save to save the new policy. You can then open and edit the new policy via the Policy Finder. See Modify a Policy.
Remove a policy
2. From the Policy Description list, select the policy to be cloned.
3. Click the Delete button. You will be prompted to confirm the action.
Add or Edit Rules

Use this section to add or edit rules within a policy.
2. From the Policy Description list, select the policy to be edited.
3. Click the Edit Rules button to open the Policy Rules panel.
To edit a rule, click the Edit this rule individually button.
To add a new rule, click one of the following buttons:
Add Access Rule
Add Exception Rule
Add Extrusion Rule (will only be available if the administrator user has set the Inspection Engine configuration to Inspect Returned Data)
Extrusion matches allow the user to define how many matched records will be grouped together when logged and reported on by Guardium. Extrusion rules
must have an action of LOG FULL DETAILS and a rule name that includes guardium://(some text)?split=(number) where (some text) is any text or one of the
predefined words such as CREDIT CARD and (number) is the number of returned data records per Guardium log record.
5. The attributes that can be tested for in each type of rule vary, but regardless of the rule type, each rule definition begins with the following four items:
Rule Description - Enter a short, descriptive name for the rule. To use a special pattern test, enter the special pattern test name followed by a space and one
or more additional characters to make the rule name unique, for example: guardium://SSEC_NUMBER employee.
Category - The category will be logged with violations, and is used for grouping and reporting purposes. If nothing is entered, the default for the policy is
used.
Classification - Optionally enter a classification in the Classification box. Like the category, these are logged with exceptions and can be used for grouping and
reporting purposes.
Severity - Select a severity code: Info, Low, Med, or High (the default is Info).
6. Use the remaining fields of the Rule Definition panel to specify how to match the rule. Many of the same fields are available for Access, Exception, and Extrusion
Rules; and some fields are available only after selecting various other options. For an alphabetical reference of all fields available in the rules definition panels, see
Rule Definition Reference. Also, for instructions on how to use combinations of groups and individual values, see Specify Values and/or Groups of Values in Rules.

7. For each type of rule, you can enter one or more regular expressions in a Pattern box, to match against strings in the traffic. Enter the expression manually, or click
the icon to open the Build Regular Expression tool, which allows you to enter and test regular expressions.
8. For exception rules only, select a single exception type to which the rule will be sensitive, from the Exception Type box. The rule count is incremented only when the
selected exception type is encountered.
9. When a rule action is selected, the following two fields are enabled:
Min. Ct. - Enter the minimum number of times the rule must be matched before the rule action is triggered. The count of times the rule has been met will be
reset each time the action is triggered or when the reset interval expires. The default of zero is identical to 1, meaning that every time the rule is matched the
action will be triggered.
Reset Interval (minutes) - Used only when the minimum count is greater than zero, and required in that case. Enter the number of minutes after which the
rule counter will be reset to zero. The counter is also reset to zero each time that the rule action is triggered.
10. Check the Continue to Next Rule box to indicate that when this rule is satisfied and its action is triggered, testing of the same request, exception, or results should
continue with the next rule. This means that multiple rules may be satisfied and multiple actions taken based on a single request or exception. If not marked (the
default), no additional rules will be tested when this rule is satisfied. If marked, rule testing will continue with the next rule, regardless of whether or not this rule is
satisfied.
11. When the Rec. Vals box is marked, the actual construct causing the rule to be satisfied will be logged in the SQL String attribute and is available in reports. If not
marked, no SQL statement will be logged.
12. Message templates are used to generate alerts. Multiple Named Message Templates are created and modified from Global Profile.
13. Select the action to take when the rule is satisfied.
14. If an alert action is specified, the Notification pane opens, and at least one notification type must be defined. For instructions on how to add notifications, see
Notifications.
15. Click Save to save the rule. This closes the Rule Definition panel and returns to the Policy Rules panel.
Filter Rules to Display Only a Subset

When a policy contains many rules, it can be useful to view a subset of the rules having common attributes.
The Filter box in the Rules Definition panel can be used for this purpose. The process of defining a filter is similar to the process of defining a rule.
2. From the Policy Description list, select the policy to be viewed or modified.
3. Click Edit Rules.
4. In the Filter boxd do one of the following:
Select a filter from the Filter list.
Click Edit to modify a filter definition.
Click New to define a new filter.
Once the filtered set of rules is displayed, you can perform any of the actions described in this section on the displayed rules.
Copy Rules
Use this procedure to copy selected rules from one policy to another, or to a different location in the same policy.
All of the rules copied will be copied to a single location - after rule 3, for example. To copy rules to different locations in the receiving policy, either perform multiple copy
operations, or copy all of the rules in one operation, and then edit the receiving policy to move the rules as necessary.
2. From the Policy Description list, select the policy from which you want to copy one or more rules.
4. Mark the checkbox for each rule to be copied.
5. Click Copy Rules.
6. From the Copy selected rules to policy list, select the policy to receive the copied rules.
7. From the Insert after rule list, select the rule after which the copied rules should be inserted, or select Top to insert the copied rules at the beginning of the list.
8. Click Copy. You will be informed of the success of the operation.
9. You should now edit the policy to which you copied the rules, to verify that you have copied the correct rules to the correct location.
Using Rules Suggested from the Baseline

Use Policy Builder to suggest rules from the baseline included in the policy.
2. From the Policy Description list, select the policy to work with. (It must include a baseline.)
3. Click the Edit Rules button.
4. Set the Rule minimum count value. This is the minimum number of like commands that the system should find in order to suggest a rule. The default is zero. The
smaller the number entered, the more suggested rules the system will generate. (Be aware that the Count that displays in the suggested rules panel does not
reflect this value.)
5. Set the Object Group minimum count value, to determine how many instances of an object group the system should find to generate a suggested object group. The
default is one. The smaller the number entered here, the greater the number of suggested object groups.
6. Click the Suggest Rules button. The suggested rules display in a separate window, in the Suggested Rules panel.
7. The suggested rules are sorted in descending order by the count of occurrences in the baseline period, which is listed for each suggested rule. If you select one or
more of the suggested rules and click Save, they are inserted in the same order, just before the BASELINE rule in the Policy Rules panel. You can then change the
order of the suggested rules or edit them as necessary, from the Policy Rules panel.
8. Expand the rules and check the membership of the suggested object groups. In the Object column of the Suggested Rules panel, if any suggested object groups
have been created, these begin with the name Suggested Object Group and are displayed as hypertext links. For information about how to view, accept, or reject
suggested object groups, see Using Suggested Object Groups.
9. Mark the Select box for each suggested rule to include in the policy.
10. Click Save to accept the selected rules.
11. You can now edit or modify the suggested rules as you would any rules that you added manually.
Using Suggested Object Groups

The Policy Builder can suggest rules from both the baseline included in the policy and the database security policy (internal to the DBMS) defined for a server.

In either case, it attempts to generate the minimal set of rules by grouping database objects (tables, procedures, or views) into suggested object groups. You can accept or
reject the suggested object groups.
Before accepting a suggested object group, you can edit the generated Group Description field (Suggested Object Group603-25 11:54, for example) to provide a more
meaningful name. After accepting a suggested object group, you can view its membership. You can reject the use of that group within any suggested rule, but you cannot
edit the membership of that group.
If you reject a suggested object group, the suggested rule for that group is replaced with a separate suggested rule for each member of the rejected group. You can accept
or reject each of those suggested rules separately. After accepting a suggested rule, you can edit that rule.
Viewing Suggested Object Groups
Suggested object groups display in the Object column of the Suggested Rules panel as hypertext links beginning with the words Suggested Object Group.
To view a suggested object group's membership, click the hypertext link for that group. If the group has not yet been accepted, the group membership displays in
the Edit Group panel. If the group has already been accepted, it displays in the View Group panel.
Accepting Suggested Object Groups

To accept a suggest object group:
1. Enter a meaningful name in the Group Description field in the Edit Group panel. (Not required, but strongly recommended). Do not include apostrophe
characters in the name. This is the only opportunity you have to name this group. Otherwise, the group gets a name beginning with Suggested Object Group
and followed by a number, as described previously.
2. Click Save to accept the edited group for the suggested rule, or click Save for All to accept the edited group for all suggested rules in which it appears. The
new object name will replace the old one in the rule.
Rejecting Suggested Object Groups

When you reject a suggested object group, the use of that group is replaced by one or more suggested rules. To reject a suggested object group, do one of the
following:
To reject the group for this suggested rule only: Click the Reject button.
To reject the group for all suggested rules: Click the Reject for All button.
Note: If you accept a suggested object group in one rule, open that same suggested object group again from another rule, and then click the Reject for All button, that
group will be retained in any rule where it was explicitly accepted, but rejected in the remaining rules in which it was used.
Using Rules Suggested from the Database ACL

For a specified database server, the Policy Builder can suggest access rules using the security policy defined internally by the DBMS.
The Policy Builder does this by examining the permissions granted to user groups and database objects (tables, procedures, and views) within the DBMS, then grouping
the database objects into suggested object groups so that the total number of suggested rules can be minimized. You can accept or reject any suggested object group (see
Using Suggested Object Groups). You can also accept or reject any suggested rule.
To have the Policy Builder suggest rules from the database ACL:
Note: When suggesting rules from the database ACL, the system does not use the Rule minimum count or the Object Group minimum count fields. Those fields are used
only when suggesting rules from the baseline.
1. Click Suggest from DB to open the Database Definition panel in a separate browser window.
2. Click Add Datasource to select the database from which you want to access the DB ACL.
Note: If adding an Oracle, DB2Â® or DB2 for z/OSÂ® datasource to access the DB ACL, the Query Parameters section, in the Database Definition pop-up window, will
be disabled.
3. Click Suggest Rules to generate the rules. The Suggested Rules panel opens in a separate window (as described previously, for the Rules Suggested from Baseline).
If you select one or more of the suggested rules and click Save, they will be inserted in the same order into the list of rules in the Policy Rules panel, just before the
BASELINE rule. If there is no BASELINE rule, they will be inserted at the beginning of the list. Once the suggested rules have been inserted into the Policy Rules
panel, you can change the order of the rules or edit them, as necessary.
4. Check the membership of the suggested object groups. In the Object column, any suggested object groups that have been created begin with the name Suggested
Object Group and display as hypertext links (in blue and underlined). For information about how to view, edit, accept, or reject suggested object groups, see Using
Suggested Object Groups).
5. Mark the Select box for each suggested rule you want included in the policy. Click Save to accept the selected rules.
Using the Policy Simulator

Use the Policy Simulator to test access rules without installing the policy.
It does not test exception rules or extrusion rules. The simulator replays logged network traffic and applies all access rules in the policy. It produces a special report in a
separate window, listing the SQL that triggered alert or log only actions. The report includes the following columns: Timestamp, Category Name, Access Rule Description,
Client IP, Server IP, DB User Name, Full SQL String, Severity Description, and Count of Policy Rule Violations. Use the CLI command, store allow_simulation, to make the
Policy Simulation button active in the GUI.
The Policy Simulator can be used to test only the following types of access rule actions:
Log Only
Any Alert action: Alert Daily, Alert Once Per Session, Alert Per Match, Alert Per Time Granularity
The Policy Simulator will not produce any results if the policy includes logging actions other than Log Only. To use the simulator for such a policy, temporarily change all
logging actions to Log Only.
To use the Policy Simulator:
2. From the Policy Description list, select the policy to work with.

4. Click the Policy Simulator button to open the Policy Simulator panel.
5. Supply both From and To dates to define the time period to use for the simulation.
Note: Historical data can be archived and purged from your Guardium appliance on a schedule defined by your Guardium administrator. Be sure that data from the
time period you specify is available (and has not been purged).
6. Click Test. When the test starts and while it is running, the message * is running is displayed in the Policy Simulator panel. When the test completes, a special report
opens in a separate window listing all rule matches that were logged. If no alert or log only rules were triggered, you will receive a No Drill Down Report
Available message. In the latter case, you may not have included enough data in the test period.

Creating and installing a policy (video)
Guardium groups and policies (video)
Installing Policies
Use this topic to install the policy on the Guardium collector and modify the schedule.
Multi-policy support
1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Installation to open the Policy Installer.
2. Select the policy to be installed from the Policy Description box.
Click Install to install the policy immediately.
If using the Policy Installer, you can click Modify Schedule to open the general-purpose scheduling utility, to schedule the policy installation.
View Policy rules for the Installed Policy

More than one installed policy is permitted at the same time. All installed policies are available for action. There are two limitations: policies defined as selective audit
policies can not be mixed with polices not defined as selective audit policies, and policies defined as flat log can not be mixed with policies not defined as flat log. If trying
to mix policies, an error message will result when installing these mixed policies.
The order of appearance can be controlled during the policy installation, such as first, last or somewhere in between. But the order of appearance can not be edited at a
later date.
On the Policy Installation page, click the icon to remove a previously-installed policy.
The first installed policy has a special meaning, as it sets the value of the global policy parameters. These parameters are: Global pattern; Is it a selective audit; Client and
Server net mask; Tagged Client and Server group ID.
This multi-policy support is available through the GUI (Setup > Tools and Views > Policy Installation) and through GuardAPI.
View Policy rules for the Installed Policy

From the Currently-Installed Policy panel, any user can view the rules of the installed policy, and in addition, authorized users can open the policy for editing.
1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Installation to open the Policy Installer.
2. Click the Installed Policy link to display the policy rules. Authorized users will have an additional button enabled: To open the policy for editing in the Policy Builder,
click the Edit installed policy button.
Job Dependency Scheduler

The Guardium collector has many tasks such as Policy Installation, Audit Processes, Group updates, etc. that are scheduled to run periodically. The Job dependencies
feature finds all jobs that have a direct relationship and impact on the success of the execution of the task you are trying to schedule. Unless you find the jobs that are
defined as prerequisites for the job you are trying to schedule, there is a chance the task will relay on inaccurate data , which might lead to false or inaccurate results.
Feature Highlights
User marks a scheduled job to find and run dependencies at run time.
When the scheduler runs the job, it automatically finds all the subordinate jobs and runs them in order.
There is a retry sequence in case of a failure.
Find dependencies
Identify scenarios that require dependencies.
Identify Runnable vs. Non-Runnable jobs.
Calculate pre-defined job dependencies.
Job Suggested Prerequisite Job Reason
Policy Groups that are defined in any of the (to be installed) policies and are either Policy rules that use groups must have up-to-date group data before
Installati scheduled or not scheduled to be populated by the Populate From Query being installed.
on mechanism.
Policy Audit processes that include a Classification audit task, where the classification Policy rules that use groups must have up-to-date group data before
Installati task has an action of Add To Group of Object, Add To Group of Object/Field, or Add they are installed.
on To Access Rule.
Audit Custom table upload jobs where the custom table name is referred to (in the "from" Custom tables data that are referred to by an audit task of type Report
Process clause) by an audit task of type Report. must be populated with up-to-date data before an audit process is

scheduled to run.
Audit Groups that are defined in a condition of an audit task of type Report are either Groups that are referred to by a query condition must be populated with
Process scheduled or not scheduled to be populated by the Populate From Query up-to-date data before an audit task of type Report is run.
mechanism.
Populate Custom upload tables that contain any of the entities of the query that is used to Â
From populate a group.
Query
Audit Import Relevant for an aggregator only. This prerequisite guarantees that
Process information is imported from all aggregated units before any audit
process can run.
Scheduler enhancements
Find job dependencies when a scheduled job is run.
Run job dependencies in order.
Runnable jobs can be scheduled; Non-Runnable jobs cannot.
A Group is a Non-Runnable job.
Populate From Query on a Group is Runnable.
Direct dependencies are objects that are tied together by definition, for example, Policy depends on Rule and Rule depends on Groups.
Indirect dependencies are objects that are logically tied, for example, run Audit processes before installing policies.
GUI support
1. Check box option, Auto run dependent jobs, after selecting Create Schedule from Policy Installation.
2. Click Save to schedule the process. This notifies the user of the dependencies status.
GuardAPI support
GuardAPI job dependency commands:
CLI> grdapi add_job_dependency
function parameters :
dependOnJobExecutedWithin - String
dependOnTrigger - String - required
intervalBetweenRetries - Integer
jobRetries - Integer
jobTrigger - String - required
runIfDependOnJobReturns - String
api_target_host - String
Use this GuardAPI command for auto-execution of dependencies:
> grdapi auto_execute_suggested_dependencies jobTrigger=<trigger name of the scheduled job>
CLI> grdapi auto_execute_suggested_dependencies
CLI> grdapi delete_job_dependencies
dependOnTrigger - String
CLI> grdapi disable_auto_execute_suggested_dependencies
CLI> grdapi list_job_dependencies_tree

To obtain a list of all the scheduled jobs/triggers, run the GuardAPI command:
> grdapi list_scheduler_jobs
CLI> grdapi list_suggested_job_dependencies
CLI> grdapi list_existing_job_dependencies
CLI> grdapi modify_job_dependency
dependOnJobExecutedWithin - String
intervalBetweenRetries - Integer
jobRetries - Integer
runIfDependOnJobReturns - String
CLI> grdapi show_job_dependency_execution_profile
Run Scheduler
Scheduler will check for job dependencies when it is time to run a job.
Dependencies are executed in reverse order.
Example: Given a dependency tree:
Policy Install
(Runnable)
Â Audit Process (Runnable/ Indirect Â Â Â Â Â

dependency)
Â Â Audit Â Â Â Â
Task
Â Â Â Classification Â Â Â
Process
Â Â Â Â Classification Â Â
Policy
Â Â Â Â Â Classification Policy Â
Action
Â Â Â Â Â Â Group (Runnable/direct - Populate

from Query)
Execution order will be : Populate from Query Group â†’ Audit Process â†’ Policy Install
Scheduler will run each one of the dependencies and wait for it to finish.
Running a full dependency tree might take a long time to complete, but it is guaranteed all dependencies are executed in the correct order.
Handle errors
If any of the dependencies fails to execute, the job currently executed by the scheduler is not going to run.

If a failure occurs, an error message is written to the Scheduled Jobs Exception report.
The number of retries that the job dependent on previous jobs can be set. The default is 3. A valid value is â‰¥ 0. The interval, in minutes, between retries can be
set. The default is 3. A valid value is â‰¥ 0.
Rule definition fields

You can use these fields when you define policy rules.
Table 1. Reference Table of Rule Definition Fields

Field Description
Action Indicates the action to be taken when the rule is true. For a comprehensive description of all rule actions, see Rule
Actions Overview.
App Event Exists Match for an application event only. See the App Event Note.
App Event Values Match the specified application event Text, Numeric, or Date values. Also allow a Group to be chosen for the event string
as an option. See the App Event Note.
(App) Event Type Match the specified application event. See the App Event Note.
(App) Event User Name Match the specified application event user name only. See the App Event Note.
App Event Note The App Event fields cannot be used when the Flat Log box is marked.
App. User Application User. See Specify Values and/or Groups of Values in Rules.
Category An arbitrary label that can be used to group policy violations for reporting purposes. A default category can be specified
in the policy definition, but the default can be overridden for each rule.
Classification An arbitrary label that can be used to group policy violations for reporting purposes. A default classification can be
specified in the policy definition, but the default can be overridden for each rule.
Client Info DB2Â® client info: For access rules only. For z/OSÂ® only, a CLIENT INFO field (and CLIENT_INFO_GROUP_ID) will be
visible if DB_TYPE is either DB2, Â DB2 COLLECTION Profile or VSAM COLLECTION Profile.
The type of information that can be placed in this field is USER=x; WKSTN=y; APPL=z.
Client IP Clear the Not box to include, or mark the Not box to exclude:
Any client: Leave all client fields blank. The count will be incremented every time any client satisfies the rule. (You
cannot leave all fields blank if the Not box is marked.)
All clients selected by an IP address and mask: Enter a client IP address in the first box and network mask in the
second box. The count will be incremented each time that any of the specified clients satisfies the rule. For
example, to select all clients in subnet 192.168.9.x, enter 192.168.9.1 in the first box and 255.255.255.0 in the
second box. For more information selecting IP addresses, see Selecting IP Addresses Using a Mask.
A group of clients: Select a group of client IP addresses from the Group drop-down list, or click the Groups button
to define a new group and then select that group. The count will be incremented each time that any member of
the selected group satisfies the rule.
All clients selected by an IP address and mask AND a group of clients: Use both the Client IP and Group fields.
The count will be incremented each time that any client specified using either method satisfies the rule.
Allow wildcard in IP address. Wildcard % is permitted in a policy for Client IP group.
Client IP/Source Program/DB User/ Server 7-tuple group - Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB
IP/Service Name
5-tuple group type available for access, exception and extrusion rules.
A tuple allows multiple attributes to be combined together to form a single group member.
Tuple supports the use of one slash and a wildcard character (%). It does not support the use of a double slash.
Wildcard % is permitted in a policy for Client IP/Source Program/DB User/ Server IP/Service Name group.
Client MAC To make the rule sensitive to a single client MAC address, enter the address in nn:nn:nn:nn:nn:nn format, where each n
is a hexadecimal digit (0-F) OR Enter a dot (.) in the Client MAC box to indicate that a separate count should be
maintained for each client MAC address OR Leave the Client MAC box empty to ignore client MAC addresses.
Command The command. See Specify Values and/or Groups of Values in Rules if a commands group cannot be edited, and the
and/or Group label changes to Collect Only, indicating that commands from only the selected group are to be selected.
If the Every box is checked, every field in the SQL statement must be a member of the group.
Continue to Next Rule If marked, rule testing will continue with the next rule, regardless of whether or not this rule is satisfied. This means that
multiple rules may be satisfied (and multiple actions taken) by a single SQL statement or exception. If not marked (the
default), no additional rules will be tested for the current transaction when this rule is satisfied.

Field Description
Data Pattern Every type of rule (Access, Exception, Extrusion) can have Data pattern, but it is required for Extrusion rules.
For use in defining Extrusion Rules - A regular expression to be matched, in the Data Pattern box. Click the Regex button
to open the Build Regular Expression tool, which allows you to enter and test regular expressions. This enables more
complex masking patterns. Put parentheses around the section that should be masked. Use this function to mask data
retrieved from the database.
For example,
Windows S-TAP: ([0-9][0-9][0-9][0-9[-, ]?[0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?)[0-9][0-9][0-9][0-9]
Unix S-TAP: ([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?)[0-9]{4}[ ]{0,20}
Additional regular expressions (Regex) for use only in Data Patterns with an action of Redact (Scrub):
For Windows S-TAP

Name: Pattern: Masked to:
SCRUB_SSN_ANSI AAA-AA-AAAA ***-***-AAAA
SCRUB_SSN_UNICODE UUU-UU-UUUU ***-***-UUUU
SCRUB_CC_SPACES_ANSI AAAA AAAA AAAA AAAA **** **** **** AAAA
SCRUB_CC_SPACES_UNICODE UUUU UUUU UUUU UUUU **** **** **** UUUU
SCRUB_CC_SOLID_ANSI AAAAAAAAAAAAAAAA ************AAAA
SCRUB_CC_SOLID_UNICODE UUUUUUUUUUUUUUUU ************UUUU
SCRUB_CC_AX_SOLID_ANSI AAAAAAAAAAAAAAA ***********AAAA
SCRUB_CC_AX_SOLID_UNICODE UUUUUUUUUUUUUUU ***********UUUU
UNIX S-TAP
Name: Pattern: Masked to:
SCRUB_SSN_ANSI AAA-AA-AAAA ***-***-AAAA
SCRUB_SSN_UNICODE UUU-UU-UUUU ***-***-UUUU
SCRUB_CC_SPACES_ANSI AAAA AAAA AAAA AAAA A*** **** **** 1234
SCRUB_CC_SPACES_UNICODE UUUU UUUU UUUU UUUU U*** **** **** ****
SCRUB_CC_SOLID_ANSI AAAAAAAAAAAAAAAA A***************
SCRUB_CC_SOLID_UNICODE UUUUUUUUUUUUUUUU U***************
SCRUB_AMEX_SOLID_ANSI AAAAAAAAAAAAAAAA A***************
SCRUB_AMEX_SOLID_UNICODE UUUUUUUUUUUUUUUU U***************
Regex with Redact - Use of Regular expressions (regex) in the IBM Security Guardium solution (including the masking in
the policy) are executed on the appliance, and allow advanced regexp capabilities.
However, the regex library for use with Redaction is executed in the kernel of the database server and is limited to most
basic regex. Only basic regex patterns can be used with Redaction.
For example, the regular expression nomenclature [0-9]* cannot be used to indicate any number of digits. It is
necessary to use basic regular expression nomenclature [0-9]-[0-9]-[0-9]... to specify a sequence of digits. Â
Note: S-TAPÂ® will only accept the predefined SCRUB pattern names; ignoring any other name.
Access rule, data pattern and replacement character - Using a data pattern, for example, [a-z,2]{3}([_][0-9]{1,2}) with a
replacement character of * will change the values between the parentheses in the data pattern to ***. Use this function
to mask values.
User Defined Character Sets
Available for Oracle, Sybase, MySQL, & MSSQL and for extrusion rules only, users may influence the character set
used by defining special extrusion rules. These character set policy rules are only used to set the character set a
user would like to convert traffic to, setting an action is irrelevant. In order to have an action for that traffic the
user needs to define additional rules after that character set rule. Two examples of setting a character set rule are
possible (hint or force) as defined in the following examples:
Example of extrusion rule (with hint)
Will convert the traffic by character set as defined in the extrusion rule of the installed policy ONLY if the regular
conversion failed.
Extrusion rule pattern: guardium://char_set?hint=274
Example of extrusion rule (with force)
Will convert the traffic by character set as defined in the extrusion rule of the installed policy for ALL data.
Extrusion rule pattern: guardium://char_set?force=274
See List of possible character set codes at end of this topic.
Note: Keep in mind that extrusion rules usually attached to the session with delay. Therefore short sessions or beginning
of a session may be not immediately affected by character set change.
DB Name The database name. See Specify Values and/or Groups of Values in Rules.

Field Description
DB Type Supported DB Types
For access rule: Cassandra, CIFS, CouchDB, DB2, DB2 COLLECTION PROFILE* (only for use with z/OS), FTP,
GreenPlumDB, Hadoop, HTTP, IBMÂ® INFORMIX (DRDA), IBM iSeries, IMSâ„¢, IMS COLLECTION PROFILE (only for uses
with z/OS, InformixÂ®, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, TERADATA, VSAM or
VSAM COLLECTION PROFILE* (only for use with z/OS).
For exception and extrusion rules: Cassandra, CIFS, CounchDB, DB2, FTP, GreenPlumDB, Hadoop, IBM INFORMIX
(DRDA), IBM iSeries, Informix, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, or
TERADATA. Note: Informix supports two protocols SQLEXEC (native Informix protocol) or DRDA (IBM protocol). These
protocols are automatically identified for Informix traffic with no additional settings. The Server Type attribute will show
INFORMIX (for SQLEXEC protocol) and IBM INFORMIX (DRDA) (for DRDA protocol).
Note: TERADATA has a silent login and allows clients to auto-reconnect. To block Teradata statements in a policy, use
the S-TAP firewall function with default state ON and un-watch safe users.
DB User The database user. See Specify Values and/or Groups of Values in Rules.
Error Code The error code (for an exception). See Specify Values and/or Groups of Values in Rules.
Exception Type The type of exception (selected from the list).
Note: A session closed by GUI timeout, in an Exception rule, will not produce a Session Error (Session_Error).
Field Name The field name. See Specify Values and/or Groups of Values in Rules.
Min. Ct. The minimum number of times the condition contained in the rule must be matched before the rule will be satisfied
(subject to the Reset interval).
Net. Protocol The network protocol. See Specify Values and/or Groups of Values in Rules.
Object The object name. See Specify Values and/or Groups of Values in Rules.
For Sybase and MS SQL Server, there are two groups, MASKED_SP_EXECUTIONS_SYBASE and
MASKED_SP_EXECUTIONS_MS_SQL_SERVER respectively that include names of stored procedures. If there is an
execution of an included procedure than everything will be masked.
Object/Command Group Match a member of the selected Object/Command group.
Object/Field Group Match a member of the selected Object/Field group.
OS User Operating system user. See Specify Values and/or Groups of Values in Rules.
Pattern A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click the (Regex)
button to open the Build Regular Expression tool, which allows you to enter and test regular expressions.
Time Period To make the rule sensitive to a single time period, select a pre-defined time period from the Period list or click the
(Period) button to define a new time period.
Rec. Vals. When marked, the actual construct causing the rule to be satisfied will be logged, and available in reports, in the SQL
String attribute. For a policy violation only, if not marked, no SQL statements will be logged.
Records Affected Threshold Access rule only. Set a threshold value for matched records. Example: Let 1000 instances take place before taking
action.
This field affects the output of the rule rather than the definition of the rule (example, what happens when it is triggered,
rather than when should it trigger).
Records affected threshold is based on rule and session. It is accumulated returned rows from all queries that meet the
rule condition. Once all accumulated records affected reach the threshold, the rule will trigger and the records affected
on the statement (if the action log full details) will be the accumulated value of the records affected.
Replacement Character Define a masking character.
Should the output produced by the extrusion rule match the regular expression, the portions that match sub-
expressions between parenthesis '(' and ')' will be replaced by the Masking character.
Reset Interval Used only if the Min. Ct. field is greater than zero. This value is the number of minutes after which the condition met
counter will be reset to zero.
Revoke This checkbox appears on extrusion rules only. It allows you to exclude from logging a response that has already been
selected for logging by a previous rule in the policy. In most cases you can accomplish the same result more simply by
defining a single rule with one or more NOT conditions to exclude the responses you do not want, while logging the
remaining ones that satisfy the rule. (The Revoke checkbox pre-dates NOT conditions, and is provided mainly for
backward compatibility to support existing policies.)

Field Description
Rule Description The name of the rule. To use a special pattern test in the rule, enter the special pattern test name followed by a space
and one or more additional characters to make the rule name unique, for example: guardium://SSEC_NUMBER
employee. (See Special Pattern Tests for more information.)
When displayed, the name will be prefaced with the rule number and the label Access Rule, Exception Rule, or Extrusion
Rule, to identify the rule type. If the rule was generated using the Suggest From DB function, the generated name is in
the format: Suggested Rule <n>_mm-dd hh:mm, consisting of the following components
n is sequence number for the generated rule
mm-dd is the month and day the rule was generated
hh:mm is the time the rule was generated
Server IP Clear the Not box to include, or mark the Not box to exclude:
Any server: Leave all server fields blank. The count will be incremented every time any server satisfies the rule.
(You cannot leave all fields blank if the Not box is marked.)
All servers selected by an IP address and mask: Enter a server IP address in the first box, and network mask in
the second box. The count will be incremented each time that any of the specified servers satisfies the rule. For
example, to select all servers in subnet 192.168.3.x, enter 192.168.3.1 in the first box, and 255.255.255.0 in the
second box.
A group of servers: Select a group of server IP addresses from the Group drop-down list or click the Groups
button to define a new group and then select that group. The count will be incremented each time that any
member of the specified group satisfies the rule.
All servers selected by an IP address and mask AND a group of servers: Use both the Server IP and Group fields.
The count will be incremented each time that any server specified using either method satisfies the rule.
Allow wildcard in IP address. Wildcard % is permitted in a policy for Server IP group.
Service Name The service name. See Specify Values and/or Groups of Values in Rules.
Severity Select a severity code from the list: INFO, LOW, NONE, MED or HIGH. If HIGH is selected and email alerts are sent by
this rule, the email will be flagged Urgent.
SQL Pattern A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to
open the Build Regular Expression tool, which allows you to enter and test regular expressions.
Restriction: SQL Pattern is not supported for redaction rules.
Src app Application source program. See Specify Values and/or Groups of Values in Rules.
Trigger Once Per Session Do not analyze session for same rule after first match. Especially effective for â€œSelective Auditâ€ policies.
XML Pattern A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to
open the Build Regular Expression tool, which allows you to enter and test regular expressions.
A regular expression to be matched can be used in this box. The regular expression must be entered manually.
Full_SQL return values using MSSQL In MSSQL, sp_cursoropen and sp_cursorfetch stored procedures are used for SELECT database queries.
Sp_cursoropen holds the original statement, while the FULL_SQL return value in an Extrusion rule will appear as
sp_cursorfetech instead of Select * from ___________.
How to integrate custom rules with Guardium policy

Show how to automatically modify/derive Guardium policy from a custom entitlement system.
This example will take a sample Oracle table (CUSTOM_ENTITLEMENT) as an example of a custom entitlement data, use an Oracle script to select data from this table,
and then generate a file with GuardAPI commands. The file will include commands for the creation of new or modification of existing policy rules, change of a policy rule
order, and policy reinstallation. Weâ€™ll then show you how to execute the generated script and then view the policy changes in the Guardium GUI.
Value-added: Guardium API provides access to Guardium functionality from the command line or script. This allows for the automation of repetitive tasks which is
especially valuable in larger implementations. Calling these GuardAPI functions enables a user to quickly perform operations such as maintenance of the Guardium policy.
Follow these steps.
1. Define a rule structure which logs full details for all database manipulation (DML) Commands. It will be used as a template for a creating new rules creation. The
rule will belong to the template policy.
2. Create the Oracle script that will generate a file with the following GuardAPI commands:
copy_rule - add new rules to the installed policies as a copy of rule template
update_rule - update the copied rules with the relevant data from CUSTOM_ENTITLEMENT Oracle table
update_rule - update the existing rule with the data from that table
change_rule_order - change rule position
policy_install, reinstall_policyâ€“ install /re-install policy
3. Run the generated script.

4. View installed policy changes.
Steps:

1. Define a rule template
As many actions are permitted for a given policy rule, it becomes very difficult to define the complex hierarchical structure that a rule has using the Guard API.
However, in most cases rules differ by the conditions and the action/receiver structures usually fall into a small set of different options. Therefore, the APIs are
based on cloning an existing rule which acts as a rule template â€“ this defines the actions/receiver structure and then conditions are changed using APIs.
Here we create a rule template (HowToTemplate), which includes rule action definition and will then be cloned and updated each time a new rule of that kind has to
be added to a policy.
Click Protect > Security Policies > Policy Builder to open the Policy Finder and create a template policy. S
Click New to create the template policy; entering a Policy description, checking the Selective audit trail check-box, and clicking the Save button.
Click Edit Rules button to add a template rule to this policy
Click on the Add Access Rule button to display the Access Rule Definition panel and add a rule.
To add the rule, enter DML Command - Log Full Details Templatein the Description box; choose (Public) DML Commandsfrom the Commands box; highlight LOG
FULL DETAILS WITH VALUESin the Action section; and then click the Save button.

2. Create the Oracle script that will generate a file with GuardAPI commands.
Key items to know before writing the script:
GuardAPI is a set of CLI commands, all of which begin with the keyword grdapi. To list all GuardAPI commands available, enter the command 'grdapi' with
no arguments. To display the parameters for a particular command, enter the command followed by '--help=yes'.
For example
CLI>grdapi copy_rule --help=yes
ID=0
fromPolicy - required
ruleDesc - required

toPolicy - required
ok
Both the keyword and value components of parameters are case sensitive.
If a parameter value contains one or more spaces, it must be enclosed in double quote characters. For example:
grdapi copy_rule ruleDesc="DMLCommand - Log Full Details Template" ...
There is no need to use all available parameters that a function supports. In addition to the required parameters, use the parameters that you want to
change.
Scripts, which invoke GuardAPI, may contain sensitive information, such as passwords for datasources. To ensure that sensitive information is kept
encrypted at all times, the grdapiÂ command supports passing of one encrypted parameter to an API Function. This encryption is done using the System's
Shared Secret which is set by the administrator and can be shared by many systems, and between all units of a central management and/or aggregation
cluster; allowing scripts with encrypted parameters to run on machines that have the same shared secret. For more details about this issue please see
Guardium Help.
If multiple policies are installed, then install policy command (policy_install) must include all installed policies descriptions delimited by pipe character. This
must be done even if only one policy has changes. The policy descriptions should be in the order you want the policies to be installed.
Example of the command for installation of policies HowTo 1 and HowTo 2:
grdapi policy_install policy="HowTo 1|HowTo 2"
Â
Logic behind writing of the script; changing the currently installed policy HowTo in the following way:
a. For each record in the CUSTOM_ENTITLEMENT table with IS_NEW_FLAG equals â€˜1â€™, a new access rule with description saved in RULE_DESC column
will be added to the â€œHowToâ€ policy. The rule logs full details for all DML Commands from OS user (OS_USER field value), client IP (CLIENT_IP), server
IP (SERVER_IP) with service name (SERVICE_NAME).
b. If IS_NEW_FLAG value is â€˜0â€™, the rule with description equals to the value of RULE_DESC column will be changed based on the relevant data from this
record of the table.
c. Rule3 will be set as the first rule â€“ to show how to use change_rule_order function.
d. In order to apply all of the changes, the policy will be reinstalled.
Data in custom_entitlement tableÂ
Table 1. Custom entitlement

os_user client_ip server_ip rule_desc service_name is_new_rule seq
User1 192.168.7.101 192.168.7.201 Rule1 PROD1 1 1
User2 192.168.7.102 192.168.7.202 Rule2 PROD2 1 2
User3 192.168.7.103 192.168.7.203 Rule3 PROD3 1 3
User4 192.168.7.104 192.168.7.204 Rule2 PROD4 0 4
Changes, based on logic and table data, can be described as:
a. Add a new access rule: Rule1. The rule logs full details for all DML Commands from user â€œuser1â€ , client IP â€œ192.168.7.101â€ to Oracle database
on â€œ192.168.7.201â€ server with service name â€œPROD1â€ .
b. Add a new access rule: Rule2. The rule logs full details for all DML Commands from user â€œuser2â€ , client IP â€œ192.168.7.102â€ to Oracle database
c. Add a new access rule: Rule3. The rule logs full details for all DML Commands from user â€œuser3â€ , client IP â€œ192.168.7.103â€ to Oracle database
d. Change Rule2 â€“ set OS user to â€œuser4â€ , client IP to â€œ192.168.7.104â€ , server IP to â€œ192.168.7.204â€ , service name to â€œPROD4â€ .
e. Set Rule3 to be the first rule in the policy.
f. In order to apply all of the changes, re-install the policy
Oracle script
SET LINESIZE 2000

SET TERMOUT OFF
SET FEEDBACK OFF
SET SERVEROUTPUT ON SIZE 1000000

spool update_policy.txt
declare cursor CUSTOM_TABLE is

select OS_USER,CLIENT_IP,SERVER_IP,SERVICE_NAME,RULE_DESC,IS_NEW_RULE
from CUSTOM_ENTITLEMENT order by SEQ;
S_RULE_DESC VARCHAR2(100);
BEGIN
FOR CUR_W IN CUSTOM_TABLE
LOOP
IF NVL(CUR_W.IS_NEW_RULE,'0') = '1' THEN
-- copy rule
DBMS_OUTPUT.PUT_LINE('grdapi copy_rule ruleDesc="DMLCommand - Log Full Details Template" fromPolicy=HowToTemplate
toPolicy=HowTo ');

S_RULE_DESC := 'DMLCommand - Log Full Details Template';
ELSE
S_RULE_DESC := CUR_W.RULE_DESC;
END IF;
-- update rule
DBMS_OUTPUT.PUT_LINE(
'grdapi update_rule ruleDesc="'||S_RULE_DESC||'"'||
' fromPolicy=HowTo newDesc="'|| CUR_W.RULE_DESC ||'" clientIP='||CUR_W.CLIENT_IP ||
' clientNetMask=255.255.255.0 serverIP='||CUR_W.SERVER_IP||' serverNetMask=255.255.255.0 '||
' serviceName='||CUR_W.SERVICE_NAME ||' osUser='||CUR_W.OS_USER||' dbType=ORACLE');
END LOOP;
-- set Rule3 to be the first one
DBMS_OUTPUT.PUT_LINE('grdapi change_rule_order ruleDesc=Rule3 fromPolicy=HowTo order=1');
-- reinstall policy
DBMS_OUTPUT.PUT_LINE('grdapi policy_install policy=HowTo');
END;
/
spool off
Generated script with GuardAPI commands
When the Oracle script is run within SQL*Plus, and spooled accordingly, will produce a file (update_policy.txt) that looks like:
grdapi copy_rule ruleDesc="DMLCommand - Log Full Details Template" fromPolicy=HowToTemplate toPolicy=HowTo

grdapi update_rule ruleDesc="DMLCommand - Log Full Details Template" fromPolicy=HowTo newDesc="Rule1" clientIP=192.168.7.101
clientNetMask=255.255.255.0 serverIP=192.168.7.201 serverNetMask=255.255.255.0 serviceName=PROD1 osUser=user1 dbType=ORACLE
grdapi update_rule ruleDesc="Rule2" fromPolicy=HowTo newDesc="Rule2" clientIP=192.168.7.104 clientNetMask=255.255.255.0
serverIP=192.168.7.204 serverNetMask=255.255.255.0 serviceName=PROD4 osUser=user4 dbType=ORACLE
grdapi change_rule_order ruleDesc=Rule3 fromPolicy=HowTo order=1
grdapi policy_install policy=HowTo
Note: The last grdapi command which re-installs the policy to apply the rules to the system
3. Run the generated script.
To run this script use the following command structure:
ssh cli@[Guardium appliance name] < [script name]
For example, to run update_policy.txt script on host 192.168.12.5 (password will be prompted for)
ssh cli@192.168.12.5 <update_policy.txt
Sample output:
192.168.12.5> ok
ID=20002
192.168.12.5> 192.168.12.5> ok
ID=20015
192.168.12.5> 192.168.12.5> ok
ID=20002
192.168.12.5> 192.168.12.5> ok
ID=20016
192.168.12.5> 192.168.12.5> ok
ID=20002
192.168.12.5> 192.168.12.5> ok
ID=20017
192.168.12.5> 192.168.12.5> ok
ID=20016
192.168.12.5> 192.168.12.5> ok
ID=20002
192.168.12.5> 192.168.12.5>
Â
4. View installed policy changes.
Before running the script, there were no rules defined in the HowTo policy as shown in this preview

After running the script:
As a result of the copy_rule, the HowTo policy now has three Access Rules.
As a result of the change_rule_order command, Rule3 is now first.
Â
Expanding any of the policy rules, Rule1 here, we can validate the various fields that have been altered with the update_rule commands.
Â
As a result of the update_rule command, Rule2 has been change.

Â
And as a result of the policy_install command, the currently installed policy is now the HowTo policy with three installed rules.
How to use the appropriate Ignore Action

Detail how the data is handled when using Ignore actions in Policy Rules.
Value-added: Make clearer what happens when certain choices are made in Policy Rules for log or ignore actions, which control the level of logging, based on observed
traffic.
For further information, see Policies.
Ignore session
The current request and the remainder of the session will be ignored. This action does not log a policy violation, but it stops the logging of constructs and will not test for
policy violations of any type for the remainder of the session. This action might be useful if, for example, the database includes a test region, and there is no need to apply
policy rules against that region of the database.
Table 1. Ignore session

Data logged or ignored between client and DB Data sent from DB Server/S-TAP to Collector Data from Span Port/ Network TAP to Collector
Server/S-TAP
Ignore - SQL commands, SQL errors, Result Sets Log in/ Log out Ignore â€“ SQL commands, SQL errors, Result Sets.
Sniffer to S-TAP - One signal to S-TAP to stop sending SQL commands and errors coming from a Span Port or
activity for this session. If additional activity is sent by Network TAP are filtered at the Sniffer.
S-TAP, it is ignored at the sniffer level only.
Ignore SQL commands
Ignore SQL errors
Ignore Result Sets
Ignore S-TAP session
The current request and the remainder of the S-TAP session will be ignored. This action is done in combination with specifying in the policy builder menu screen of certain
machines, users or applications that are producing a high volume of network traffic. This action is useful in cases where you know the database response from the S-TAP
session will be of no interest.
Table 2. Ignore S-TAP session

Server/S-TAP

Server/S-TAP
Ignore - SQL commands, SQL errors, Result Sets Log in/ Log out Â Sniffer to S-TAP - One signal to S-TAP Not Applicable
to stop sending activity for this session. Additional
signals to S-TAP to stop sending activity to this If there is a need to ignore traffic from a Span Port/
session. Network TAP, use Ignore session instead.
Â
Ignore responses per session
Responses for the remainder of the session will be ignored. This action logs a policy violation, but it stops analyzing responses for the remainder of the session. This action
is useful in cases where you know the database response will be of no interest.
Note: For ignore response per session, since the sniffer does not receive any response for the query or it is ignored, then the values for COUNT_FAILED and SUCCESS are
whatever the default for the table says they are, in this case COUNT_FAILED=0 and SUCCESS=1.
Table 3. Ignore responses per session
Server/S-TAP
Log â€“ SQL commands Â Ignore - SQL errors, Result Log in/ Log out Â SQL Commands Â Sniffer to S-TAP - Not applicable
Sets One signal to S-TAP to stop sending activity for this
session. Additional signals to S-TAP to stop sending This rule action is S-TAP-only implementations.
activity to this session.
Ignore SQL per session
No SQL will be logged for the remainder of the session. Exceptions will continue to be logged, but the system may not capture the SQL strings that correspond to the
exceptions.
Table 4. Ignore SQL per session

Server/S-TAP
Ignore - SQL commands Log in/ Log out Ignore â€“ SQL commands
Log - SQL errors, Result Sets Sniffer to S-TAP - One signal to S-TAP to stop sending Log - SQL errors, Result Sets
activity for this session. If additional activity is sent by
S-TAP, it is ignored at the sniffer level only. SQL commands are filtered at the Sniffer.
Log SQL commands
Log SQL errors
Log Result Sets, if using extrusion rules Â
Selective Audit Trail
Use a Selective Audit Trail policy to limit the amount of logging on the appliance. This is appropriate when the traffic of interest is a relatively small percentage of the traffic
being accepted by the inspection engines, or when all of the traffic you might ever want to report upon can be completely identified.
It is important to note that Ignore Session rules are still very important to include in the policy even if using a Selective Audit Trail. Ignore Session rules decrease the load
on a collector considerably because by filtering the information at the S-TAP level, the collector never receives it and does not have to consume resources analyzing traffic
that will not ultimately be logged. A Selective Audit Trail policy with no Ignore Session rules would mean that all traffic would be sent from the database server to the
collector, causing the collector to analyze every command and result set generated by the database server.
Table 5. Selective Audit Trail

Server/S-TAP
Ignore - SQL commands Log in/ Log out Ignore â€“ SQL commands
Log - SQL errors, Result Sets Ignore SQL commands, except for those defined by Log - SQL errors, Result Sets
Audit-Only or Log Full Details rules.
SQL commands are filtered at the Sniffer.
Log SQL errors
Log Result Sets, if using extrusion rules
Character sets
You can use character set codes in extrusion rules.
List of possible character set codes

ANSI_X3.4-1968 - 1
ANSI_X3.4-1986 - 2
ASCII - 3
CP367 - 4
IBM367 - 5

ISO-IR-6 - 6
ISO646-US - 7
ISO_646.IRV:1991 - 8
US - 9
US-ASCII - 10
CSASCII - 11
UTF-8 - 12
ISO-10646/UCS2 - 13
UCS-2 - 14
CSUNICODE - 15
UCS-2BE - 16
UNICODE - 17
UNICODEBIG - 18
TSCII - 19
UCS-2LE - 20
UNICODELITTLE - 21
ISO-10646/UCS4 - 22
UCS-4 - 23
CSUCS4 - 24
UCS-4BE - 25
UCS-4LE - 26
UTF-16 - 27
UTF-16BE - 28
UTF-16LE - 29
UTF-32 - 30
UTF-32BE - 31
UTF-32LE - 32
UTF7 - 33
UTF-7 - 34
UTF-8 - 35
UCS2 - 36
UCS2 - 37
UCS4 - 38
UCS4 - 39
UTF8 - 40
UTF8 - 41
CP819 - 42
IBM819 - 43
ISO-8859-1 - 44
ISO-IR-100 - 45
ISO8859-1 - 46
ISO_8859-1 - 47
ISO_8859-1:1987 - 48
L1 - 49
LATIN1 - 50
CSISOLATIN1 - 51
ISO-8859-2 - 52
ISO-IR-101 - 53
ISO8859-2 - 54
ISO_8859-2 - 55
ISO_8859-2:1987 - 56
L2 - 57
LATIN2 - 58
CSISOLATIN2 - 59
ISO-8859-3 - 60
ISO-IR-109 - 61
ISO8859-3 - 62
ISO_8859-3 - 63
ISO_8859-3:1988 - 64
L3 - 65
LATIN3 - 66
CSISOLATIN3 - 67
ISO-8859-4 - 68
ISO-IR-110 - 69
ISO8859-4 - 70
ISO_8859-4 - 71
ISO_8859-4:1988 - 72
L4 - 73
LATIN4 - 74
CSISOLATIN4 - 75
CYRILLIC - 76
ISO-8859-5 - 77
ISO-IR-144 - 78
ISO8859-5 - 79
ISO_8859-5 - 80
ISO_8859-5:1988 - 81
CSISOLATINCYRILLIC - 82
ARABIC - 83
ASMO-708 - 84
ECMA-114 - 85

ISO-8859-6 - 86
ISO-IR-127 - 87
ISO8859-6 - 88
ISO_8859-6 - 89
ISO_8859-6:1987 - 90
CSISOLATINARABIC - 91
ECMA-118 - 92
ELOT_928 - 93
GREEK - 94
GREEK8 - 95
ISO-8859-7 - 96
ISO-IR-126 - 97
ISO8859-7 - 98
ISO_8859-7 - 99
ISO_8859-7:1987 - 100
CSISOLATINGREEK - 101
HEBREW - 102
ISO-8859-8 - 103
ISO-IR-138 - 104
ISO8859-8 - 105
ISO_8859-8 - 106
ISO_8859-8:1988 - 107
CSISOLATINHEBREW - 108
ISO-8859-9 - 109
ISO-IR-148 - 110
ISO8859-9 - 111
ISO_8859-9 - 112
ISO_8859-9:1989 - 113
L5 - 114
LATIN5 - 115
CSISOLATIN5 - 116
ISO-8859-10 - 117
ISO-IR-157 - 118
ISO8859-10 - 119
ISO_8859-10 - 120
ISO_8859-10:1992 - 121
L6 - 122
LATIN6 - 123
CSISOLATIN6 - 124
ISO-8859-13 - 125
ISO-8859-13 - 126
ISO-8859-13 - 127
ISO-8859-13 - 128
L7 - 129
LATIN7 - 130
ISO-8859-14 - 131
ISO-CELTIC - 132
ISO-IR-199 - 133
ISO8859-14 - 134
ISO_8859-14 - 135
ISO_8859-14:1998 - 136
L8 - 137
LATIN8 - 138
ISO-8859-15 - 139
ISO-IR-203 - 140
ISO8859-15 - 141
ISO_8859-15 - 142
ISO_8859-15:1998 - 143
ISO-8859-16 - 144
ISO-IR-226 - 145
ISO8859-16 - 146
ISO_8859-16 - 147
ISO_8859-16:2000 - 148
KOI8-R - 149
CSKOI8R? - 150
KOI8U? - 151
KOI8R? - 152
CP1250 - 153
MS-EE - 154
WINDOWS-1250 - 155
CP1251 - 156
MS-CYRL - 157
WINDOWS-1251 - 158
CP1252 - 159
MS-ANSI - 160
WINDOWS-1252 - 161
CP1253 - 162
MS-GREEK - 163
WINDOWS-1253 - 164
CP1254 - 165

MS-TURK - 166
WINDOWS-1254 - 167
CP1255 - 168
MS-HEBR - 169
WINDOWS-1255 - 170
CP1256 - 171
MS-ARAB - 172
WINDOWS-1256 - 173
CP1257 - 174
WINBALTRIM - 175
WINDOWS-1257 - 176
CP1258 - 177
WINDOWS-1258 - 178
850 - 179
CP850 - 180
IBM850 - 181
CSPC850MULTILINGUAL? - 182
862 - 183
CP862 - 184
IBM862 - 185
CSPC862LATINHEBREW? - 186
866 - 187
CP866 - 188
IBM866 - 189
CSIBM866 - 190
MAC - 191
MACINTOSH - 192
MACUK - 193
CSMACINTOSH - 194
MACIS - 195
MAC - 196
MAC - 197
MAC - 198
MAC - 199
MACUKRAINIAN - 200
MAC - 201
MAC - 202
MAC - 203
MAC - 204
MAC - 205
HP-ROMAN8 - 206
R8 - 207
ROMAN8 - 208
HPROMAN8 - 209
ROMAN8 - 210
ARMSCII-8 - 211
GEORGIAN-ACADEMY - 212
GEORGIAN-PS - 213
KOI8-T - 214
KOI8-T - 215
CP1133 - 216
IBM-CP1133 - 217
ISO-IR-166 - 218
TIS-620 - 219
TIS620 - 220
TIS620-0 - 221
TIS620.2529-1 - 222
TIS620.2533-0 - 223
TIS620.2533-1 - 224
CP874 - 225
WINDOWS-874 - 226
VISCII - 227
VISCII - 228
VISCII - 229
TCVN - 230
TCVN-5712 - 231
TCVN5712-1 - 232
TCVN5712-1:1993 - 233
ISO-IR-14 - 234
ISO646-JP - 235
JIS_C6220-1969-RO - 236
JP - 237
CSISO14JISC6220RO? - 238
JISX0201-1976 - 239
JIS_X0201 - 240
X0201 - 241
CSHALFWIDTHKATAKANA - 242
ISO-IR-87 - 243
JIS0208 - 244
JIS_C6226-1983 - 245

JIS_X0208 - 246
JIS_X0208-1983 - 247
JIS_X0208-1990 - 248
X0208 - 249
CSISO87JISX0208? - 250
ISO-IR-159 - 251
JIS_X0212 - 252
JIS_X0212-1990 - 253
JIS_X0212.1990-0 - 254
X0212 - 255
CSISO159JISX02121990? - 256
CN - 257
GB_1988-80 - 258
ISO-IR-57 - 259
ISO646-CN - 260
CSISO57GB1988? - 261
CHINESE - 262
GB_2312-80 - 263
ISO-IR-58 - 264
CSISO58GB231280? - 265
CN-GB-ISOIR165 - 266
ISO-IR-165 - 267
ISO-IR-149 - 268
KOREAN - 269
KSC_5601 - 270
KS_C_5601-1987 - 271
KS_C_5601-1989 - 272
CSKSC56011987 - 273
EUC-JP - 274
EUCJP - 275
EXTENDED_UNIX_CODE_PACKED_FORMAT_FOR_JAPANESE - 276
CSEUCPKDFMTJAPANESE - 277
MS_KANJI - 278
SHIFT-JIS - 279
SHIFT_JIS - 280
SJIS - 281
CSSHIFTJIS - 282
CP932 - 283
ISO-2022-JP - 284
CSISO2022JP? - 285
ISO-2022-JP-1 - 286
ISO-2022-JP-2 - 287
CSISO2022JP2? - 288
CN-GB - 289
EUC-CN - 290
EUCCN - 291
GB2312 - 292
CSGB2312 - 293
CP936 - 294
GBK - 295
GB18030 - 296
ISO-2022-CN - 297
CSISO2022CN? - 298
ISO-2022-CN-EXT - 299
HZ - 300
HZ-GB-2312 - 301
EUC-TW - 302
EUCTW - 303
CSEUCTW - 304
BIG-5 - 305
BIG-FIVE - 306
BIG5 - 307
BIGFIVE - 308
CN-BIG5 - 309
CSBIG5 - 310
CP950 - 311
BIG5-HKSCS - 312
BIG5HKSCS? - 313
EUC-KR - 314
EUCKR - 315
CSEUCKR - 316
CP949 - 317
UHC - 318
CP1361 - 319
JOHAB - 320
ISO-2022-KR - 321
CSISO2022KR? - 322
IBM037 - 323
IBM038 - 324
IBM256 - 325

IBM273 - 326
IBM274 - 327
IBM275 - 328
IBM277 - 329
IBM278 - 330
IBM280 - 331
IBM281 - 332
IBM284 - 333
IBM285 - 334
IBM290 - 335
IBM297 - 336
IBM367 - 337
IBM420 - 338
IBM423 - 339
IBM424 - 340
IBM437 - 341
IBM500 - 342
IBM775 - 343
IBM813 - 344
IBM819 - 345
IBM848 - 346
IBM850 - 347
IBM851 - 348
IBM852 - 349
IBM855 - 350
IBM856 - 351
IBM857 - 352
IBM860 - 353
IBM861 - 354
IBM862 - 355
IBM863 - 356
IBM864 - 357
IBM865 - 358
IBM866 - 359
IBM866NAV? - 360
IBM868 - 361
IBM869 - 362
IBM870 - 363
IBM871 - 364
IBM874 - 365
IBM875 - 366
IBM880 - 367
IBM891 - 368
IBM903 - 369
IBM904 - 370
IBM905 - 371
IBM912 - 372
IBM915 - 373
IBM916 - 374
IBM918 - 375
IBM920 - 376
IBM922 - 377
IBM930 - 378
IBM932 - 379
IBM933 - 380
IBM935 - 381
IBM937 - 382
IBM939 - 383
IBM943 - 384
IBM1004 - 385
IBM1026 - 386
IBM1046 - 387
IBM1047 - 388
IBM1089 - 389
IBM1124 - 390
IBM1129 - 391
IBM1132 - 392
IBM1133 - 393
IBM1160 - 394
IBM1161 - 395
IBM1162 - 396
IBM1163 - 397
IBM1164 - 398
MSCP949 - 399
EUC-JISX0213 - 400
UJIS - 401
CP852 - 402
EUCJP-MS - 403
IBM902 - 404
IBM921 - 405

WINDOWS-31J - 406
IBM1025 - 407
IBM1140 - 408
IBM1137 - 409
IBM1122 - 410
IBM1141 - 411
IBM1142 - 412
IBM1143 - 413
IBM1144 - 414
IBM1145 - 415
IBM1146 - 416
IBM1147 - 417
IBM1148 - 418
IBM1149 - 419
IBM1153 - 420
IBM1155 - 421
IBM1157 - 422
EBCDICUS - 423
IBM1112 - 424
IBM1158 - 425
437 - 426
500g - 427
500V1g - 428
851g - 429
852g - 430
855g - 431
856g - 432
857g - 433
860g - 434
861g - 435
863g - 436
864g - 437
865g - 438
866NAVg - 439
869g - 440
874g - 441
904g - 442
1026g - 443
1046g - 444
1047g - 445
8859_1g - 446
8859_2g - 447
8859_3g - 448
8859_4g - 449
8859_5g - 450
8859_6g - 451
8859_7g - 452
8859_8g - 453
8859_9g - 454
10646-1:1993g - 455
10646-1:1993/UCS4/ - 456
ANSI_X3.4g - 457
ANSI_X3.110-1983g - 458
ANSI_X3.110g - 459
ARABIC7g - 460
ASMO_449g - 461
BALTICg - 462
BIG-5g - 463
BIG-FIVEg - 464
BIG5-HKSCSg - 465
BIG5g - 466
BIG5HKSCSg? - 467
BIGFIVEg - 468
BS_4730g - 469
CAg - 470
CN-BIG5g - 471
CN-GBg - 472
CNg - 473
CP-ARg - 474
CP-GRg - 475
CP-HUg - 476
CP037g - 477
CP038g - 478
CP273g - 479
CP274g - 480
CP275g - 481
CP278g - 482
CP280g - 483
CP281g - 484
CP282g - 485

CP284g - 486
CP285g - 487
CP290g - 488
CP297g - 489
CP420g - 490
CP423g - 491
CP424g - 492
CP437g - 493
CP500g - 494
CP737g - 495
CP775g - 496
CP803g - 497
CP813g - 498
CP851g - 499
CP852g - 500
CP855g - 501
CP856g - 502
CP857g - 503
CP860g - 504
CP861g - 505
CP863g - 506
CP864g - 507
CP865g - 508
CP866NAVg? - 509
CP868g - 510
CP869g - 511
CP870g - 512
CP871g - 513
CP875g - 514
CP880g - 515
CP891g - 516
CP901g - 517
CP902g - 518
CP903g - 519
CP904g - 520
CP905g - 521
CP912g - 522
CP915g - 523
CP916g - 524
CP918g - 525
CP920g - 526
CP921g - 527
CP922g - 528
CP930g - 529
CP932g - 530
CP933g - 531
CP935g - 532
CP936g - 533
CP937g - 534
CP939g - 535
CP949g - 536
CP950g - 537
CP1004g - 538
CP1008g - 539
CP1025g - 540
CP1026g - 541
CP1046g - 542
CP1047g - 543
CP1070g - 544
CP1079g - 545
CP1081g - 546
CP1084g - 547
CP1089g - 548
CP1097g - 549
CP1112g - 550
CP1122g - 551
CP1123g - 552
CP1124g - 553
CP1125g - 554
CP1129g - 555
CP1130g - 556
CP1132g - 557
CP1137g - 558
CP1140g - 559
CP1141g - 560
CP1142g - 561
CP1143g - 562
CP1144g - 563
CP1145g - 564
CP1146g - 565

CP1147g - 566
CP1148g - 567
CP1149g - 568
CP1153g - 569
CP1154g - 570
CP1155g - 571
CP1156g - 572
CP1157g - 573
CP1158g - 574
CP1160g - 575
CP1161g - 576
CP1162g - 577
CP1163g - 578
CP1164g - 579
CP1166g - 580
CP1167g - 581
CP1361g - 582
CP1364g - 583
CP1371g - 584
CP1388g - 585
CP1390g - 586
CP1399g - 587
CP4517g - 588
CP4899g - 589
CP4909g - 590
CP4971g - 591
CP5347g - 592
CP9030g - 593
CP9066g - 594
CP9448g - 595
CP10007g - 596
CP12712g - 597
CP16804g - 598
CPIBM861g - 599
CSA7-1g - 600
CSA7-2g - 601
CSA_T500-1983g - 602
CSA_T500g - 603
CSA_Z243.4-1985-1g - 604
CSA_Z243.4-1985-2g - 605
CSA_Z243.419851g - 606
CSA_Z243.419852g - 607
CSDECMCSg - 608
CSEBCDICATDEg - 609
CSEBCDICATDEAg - 610
CSEBCDICCAFRg - 611
CSEBCDICDKNOg - 612
CSEBCDICDKNOAg - 613
CSEBCDICESg - 614
CSEBCDICESAg - 615
CSEBCDICESSg - 616
CSEBCDICFISEg - 617
CSEBCDICFISEAg - 618
CSEBCDICFRg - 619
CSEBCDICITg - 620
CSEBCDICPTg - 621
CSEBCDICUKg - 622
CSEBCDICUSg - 623
CSEUCKRg - 624
CSEUCPKDFMTJAPANESEg - 625
CSGB2312g - 626
CSIBM037g - 627
CSIBM038g - 628
CSIBM273g - 629
CSIBM274g - 630
CSIBM275g - 631
CSIBM277g - 632
CSIBM278g - 633
CSIBM280g - 634
CSIBM281g - 635
CSIBM284g - 636
CSIBM285g - 637
CSIBM290g - 638
CSIBM297g - 639
CSIBM420g - 640
CSIBM423g - 641
CSIBM424g - 642
CSIBM500g - 643
CSIBM803g - 644
CSIBM851g - 645

CSIBM855g - 646
CSIBM856g - 647
CSIBM857g - 648
CSIBM860g - 649
CSIBM863g - 650
CSIBM864g - 651
CSIBM865g - 652
CSIBM868g - 653
CSIBM869g - 654
CSIBM870g - 655
CSIBM871g - 656
CSIBM880g - 657
CSIBM891g - 658
CSIBM901g - 659
CSIBM902g - 660
CSIBM903g - 661
CSIBM904g - 662
CSIBM905g - 663
CSIBM918g - 664
CSIBM921g - 665
CSIBM922g - 666
CSIBM930g - 667
CSIBM932g - 668
CSIBM933g - 669
CSIBM935g - 670
CSIBM937g - 671
CSIBM939g - 672
CSIBM943g - 673
CSIBM1008g - 674
CSIBM1025g - 675
CSIBM1026g - 676
CSIBM1097g - 677
CSIBM1112g - 678
CSIBM1122g - 679
CSIBM1123g - 680
CSIBM1124g - 681
CSIBM1129g - 682
CSIBM1130g - 683
CSIBM1132g - 684
CSIBM1133g - 685
CSIBM1137g - 686
CSIBM1140g - 687
CSIBM1141g - 688
CSIBM1142g - 689
CSIBM1143g - 690
CSIBM1144g - 691
CSIBM1145g - 692
CSIBM1146g - 693
CSIBM1147g - 694
CSIBM1148g - 695
CSIBM1149g - 696
CSIBM1153g - 697
CSIBM1154g - 698
CSIBM1155g - 699
CSIBM1156g - 700
CSIBM1157g - 701
CSIBM1158g - 702
CSIBM1160g - 703
CSIBM1161g - 704
CSIBM1163g - 705
CSIBM1164g - 706
CSIBM1166g - 707
CSIBM1167g - 708
CSIBM1364g - 709
CSIBM1371g - 710
CSIBM1388g - 711
CSIBM1390g - 712
CSIBM1399g - 713
CSIBM4517g - 714
CSIBM4899g - 715
CSIBM4909g - 716
CSIBM4971g - 717
CSIBM5347g - 718
CSIBM9030g - 719
CSIBM9066g - 720
CSIBM9448g - 721
CSIBM12712g - 722
CSIBM16804g - 723
CSIBM11621162g - 724
CSISO4UNITEDKINGDOMg? - 725

CSISO10SWEDISHg? - 726
CSISO11SWEDISHFORNAMESg? - 727
CSISO15ITALIANg? - 728
CSISO16PORTUGESEg? - 729
CSISO17SPANISHg? - 730
CSISO18GREEK7OLDg? - 731
CSISO19LATINGREEKg? - 732
CSISO21GERMANg? - 733
CSISO25FRENCHg? - 734
CSISO27LATINGREEK1g? - 735
CSISO49INISg? - 736
CSISO50INIS8g? - 737
CSISO51INISCYRILLICg? - 738
CSISO58GB1988g? - 739
CSISO60DANISHNORWEGIANg? - 740
CSISO60NORWEGIAN1g? - 741
CSISO61NORWEGIAN2g? - 742
CSISO69FRENCHg? - 743
CSISO84PORTUGUESE2g? - 744
CSISO85SPANISH2g? - 745
CSISO86HUNGARIANg? - 746
CSISO88GREEK7g? - 747
CSISO89ASMO449g? - 748
CSISO90g - 749
CSISO92JISC62991984Bg? - 750
CSISO99NAPLPSg? - 751
CSISO103T618BITg? - 752
CSISO111ECMACYRILLICg? - 753
CSISO121CANADIAN1g? - 754
CSISO122CANADIAN2g? - 755
CSISO139CSN369103g? - 756
CSISO141JUSIB1002g? - 757
CSISO143IECP271g? - 758
CSISO150g - 759
CSISO150GREEKCCITTg? - 760
CSISO151CUBAg? - 761
CSISO153GOST1976874g? - 762
CSISO646DANISHg? - 763
CSISO2022CNg? - 764
CSISO2022JPg? - 765
CSISO2022JP2g? - 766
CSISO2022KRg? - 767
CSISO2033g - 768
CSISO5427CYRILLICg? - 769
CSISO5427CYRILLIC1981g? - 770
CSISO5428GREEKg? - 771
CSISO10367BOXg? - 772
CSKSC5636g - 773
CSNATSDANOg - 774
CSNATSSEFIg - 775
CSN_369103g - 776
CSPC8CODEPAGE437g? - 777
CSPC775BALTICg? - 778
CSPCP852g - 779
CSSHIFTJISg - 780
CSUCS4g - 781
CSWINDOWS31Jg? - 782
CUBAg - 783
CWI-2g - 784
CWIg - 785
DEg - 786
DEC-MCSg - 787
DECg - 788
DECMCSg - 789
DIN_66003g - 790
DKg - 791
DS2089g - 792
DS_2089g - 793
E13Bg? - 794
EBCDIC-AT-DE-Ag - 795
EBCDIC-AT-DEg - 796
EBCDIC-BEg - 797
EBCDIC-BRg - 798
EBCDIC-CA-FRg - 799
EBCDIC-CP-AR1g - 800
EBCDIC-CP-AR2g - 801
EBCDIC-CP-BEg - 802
EBCDIC-CP-CAg - 803
EBCDIC-CP-CHg - 804
EBCDIC-CP-DKg - 805

EBCDIC-CP-ESg - 806
EBCDIC-CP-FIg - 807
EBCDIC-CP-FRg - 808
EBCDIC-CP-GBg - 809
EBCDIC-CP-GRg - 810
EBCDIC-CP-HEg - 811
EBCDIC-CP-ISg - 812
EBCDIC-CP-ITg - 813
EBCDIC-CP-NLg - 814
EBCDIC-CP-NOg - 815
EBCDIC-CP-ROECEg - 816
EBCDIC-CP-SEg - 817
EBCDIC-CP-TRg - 818
EBCDIC-CP-USg - 819
EBCDIC-CP-WTg - 820
EBCDIC-CP-YUg - 821
EBCDIC-CYRILLICg - 822
EBCDIC-DK-NO-Ag - 823
EBCDIC-DK-NOg - 824
EBCDIC-ES-Ag - 825
EBCDIC-ES-Sg - 826
EBCDIC-ESg - 827
EBCDIC-FI-SE-Ag - 828
EBCDIC-FI-SEg - 829
EBCDIC-FRg - 830
EBCDIC-GREEKg - 831
EBCDIC-INTg - 832
EBCDIC-INT1g - 833
EBCDIC-IS-FRISSg - 834
EBCDIC-ITg - 835
EBCDIC-JP-Eg - 836
EBCDIC-JP-KANAg - 837
EBCDIC-PTg - 838
EBCDIC-UKg - 839
EBCDIC-USg - 840
EBCDICATDEg - 841
EBCDICATDEAg - 842
EBCDICCAFRg - 843
EBCDICDKNOg - 844
EBCDICDKNOAg - 845
EBCDICESg - 846
EBCDICESAg - 847
EBCDICESSg - 848
EBCDICFISEg - 849
EBCDICFISEAg - 850
EBCDICFRg - 851
EBCDICISFRISSg - 852
EBCDICITg - 853
EBCDICPTg - 854
EBCDICUKg - 855
EBCDICUSg - 856
ECMA-128g - 857
ECMA-CYRILLICg - 858
ECMACYRILLICg - 859
ESg - 860
ES2g - 861
EUC-CNg - 862
EUC-JISX0213g - 863
EUC-JP-MSg - 864
EUC-JPg - 865
EUC-KRg - 866
EUC-TWg - 867
EUCCNg - 868
EUCJP-MSg - 869
EUCJP-OPENg - 870
EUCJP-WINg - 871
EUCJPg - 872
EUCKRg - 873
EUCTWg - 874
FIg - 875
FRg - 876
GBg - 877
GB2312g - 878
GB13000g - 879
GB18030g - 880
GBKg - 881
GB_1988-80g - 882
GB_198880g - 883
GOST_19768-74g - 884
GOST_19768g - 885

GOST_1976874g - 886
GREEK-CCITTg - 887
GREEK7-OLDg - 888
GREEK7g - 889
GREEK7OLDg? - 890
GREEKCCITTg - 891
HUg - 892
IBM-803g - 893
IBM-856g - 894
IBM-901g - 895
IBM-902g - 896
IBM-921g - 897
IBM-922g - 898
IBM-930g - 899
IBM-932g - 900
IBM-933g - 901
IBM-935g - 902
IBM-937g - 903
IBM-939g - 904
IBM-943g - 905
IBM-1008g - 906
IBM-1025g - 907
IBM-1046g - 908
IBM-1047g - 909
IBM-1097g - 910
IBM-1112g - 911
IBM-1122g - 912
IBM-1123g - 913
IBM-1124g - 914
IBM-1129g - 915
IBM-1130g - 916
IBM-1132g - 917
IBM-1133g - 918
IBM-1137g - 919
IBM-1140g - 920
IBM-1141g - 921
IBM-1142g - 922
IBM-1143g - 923
IBM-1144g - 924
IBM-1145g - 925
IBM-1146g - 926
IBM-1147g - 927
IBM-1148g - 928
IBM-1149g - 929
IBM-1153g - 930
IBM-1154g - 931
IBM-1155g - 932
IBM-1156g - 933
IBM-1157g - 934
IBM-1158g - 935
IBM-1160g - 936
IBM-1161g - 937
IBM-1162g - 938
IBM-1163g - 939
IBM-1164g - 940
IBM-1166g - 941
IBM-1167g - 942
IBM-1364g - 943
IBM-1371g - 944
IBM-1388g - 945
IBM-1390g - 946
IBM-1399g - 947
IBM-4517g - 948
IBM-4899g - 949
IBM-4909g - 950
IBM-4971g - 951
IBM-5347g - 952
IBM-9030g - 953
IBM-9066g - 954
IBM-9448g - 955
IBM-12712g - 956
IBM-16804g - 957
IBM037g - 958
IBM038g - 959
IBM256g - 960
IBM273g - 961
IBM274g - 962
IBM275g - 963
IBM277g - 964
IBM278g - 965

IBM280g - 966
IBM281g - 967
IBM284g - 968
IBM285g - 969
IBM290g - 970
IBM297g - 971
IBM420g - 972
IBM423g - 973
IBM424g - 974
IBM437g - 975
IBM500g - 976
IBM775g - 977
IBM803g - 978
IBM813g - 979
IBM848g - 980
IBM851g - 981
IBM852g - 982
IBM855g - 983
IBM856g - 984
IBM857g - 985
IBM860g - 986
IBM861g - 987
IBM863g - 988
IBM864g - 989
IBM865g - 990
IBM866NAVg? - 991
IBM868g - 992
IBM869g - 993
IBM870g - 994
IBM871g - 995
IBM874g - 996
IBM875g - 997
IBM880g - 998
IBM891g - 999
IBM901g - 1000
IBM902g - 1001
IBM903g - 1002
IBM904g - 1003
IBM905g - 1004
IBM912g - 1005
IBM915g - 1006
IBM916g - 1007
IBM918g - 1008
IBM920g - 1009
IBM921g - 1010
IBM922g - 1011
IBM930g - 1012
IBM932g - 1013
IBM933g - 1014
IBM935g - 1015
IBM937g - 1016
IBM939g - 1017
IBM943g - 1018
IBM1004g - 1019
IBM1008g - 1020
IBM1025g - 1021
IBM1026g - 1022
IBM1046g - 1023
IBM1047g - 1024
IBM1089g - 1025
IBM1097g - 1026
IBM1112g - 1027
IBM1122g - 1028
IBM1123g - 1029
IBM1124g - 1030
IBM1129g - 1031
IBM1130g - 1032
IBM1132g - 1033
IBM1133g - 1034
IBM1137g - 1035
IBM1140g - 1036
IBM1141g - 1037
IBM1142g - 1038
IBM1143g - 1039
IBM1144g - 1040
IBM1145g - 1041
IBM1146g - 1042
IBM1147g - 1043
IBM1148g - 1044
IBM1149g - 1045

IBM1153g - 1046
IBM1154g - 1047
IBM1155g - 1048
IBM1156g - 1049
IBM1157g - 1050
IBM1158g - 1051
IBM1160g - 1052
IBM1161g - 1053
IBM1162g - 1054
IBM1163g - 1055
IBM1164g - 1056
IBM1166g - 1057
IBM1167g - 1058
IBM1364g - 1059
IBM1371g - 1060
IBM1388g - 1061
IBM1390g - 1062
IBM1399g - 1063
IBM4517g - 1064
IBM4899g - 1065
IBM4909g - 1066
IBM4971g - 1067
IBM5347g - 1068
IBM9030g - 1069
IBM9066g - 1070
IBM9448g - 1071
IBM12712g - 1072
IBM16804g - 1073
IEC_P27-1g - 1074
IEC_P271g - 1075
INIS-8g - 1076
INIS-CYRILLICg - 1077
INISg - 1078
INIS8g - 1079
INISCYRILLICg - 1080
ISIRI-3342g - 1081
ISIRI3342g - 1082
ISO-2022-CN-EXTg - 1083
ISO-2022-CNg - 1084
ISO-2022-JP-2g - 1085
ISO-2022-JP-3g - 1086
ISO-2022-JPg - 1087
ISO-2022-KRg - 1088
ISO-8859-9g - 1089
ISO-8859-10g - 1090
ISO-8859-11g - 1091
ISO-8859-16g - 1092
ISO-10646g - 1093
ISO-10646/UTF-8/ - 1094
ISO-10646/UTF8/ - 1095
ISO-IR-4g - 1096
ISO-IR-8-1g - 1097
ISO-IR-9-1g - 1098
ISO-IR-10g - 1099
ISO-IR-11g - 1100
ISO-IR-15g - 1101
ISO-IR-16g - 1102
ISO-IR-17g - 1103
ISO-IR-18g - 1104
ISO-IR-19g - 1105
ISO-IR-21g - 1106
ISO-IR-25g - 1107
ISO-IR-27g - 1108
ISO-IR-37g - 1109
ISO-IR-49g - 1110
ISO-IR-50g - 1111
ISO-IR-51g - 1112
ISO-IR-54g - 1113
ISO-IR-55g - 1114
ISO-IR-57g - 1115
ISO-IR-60g - 1116
ISO-IR-61g - 1117
ISO-IR-69g - 1118
ISO-IR-84g - 1119
ISO-IR-85g - 1120
ISO-IR-86g - 1121
ISO-IR-88g - 1122
ISO-IR-89g - 1123
ISO-IR-90g - 1124
ISO-IR-92g - 1125

ISO-IR-98g - 1126
ISO-IR-99g - 1127
ISO-IR-103g - 1128
ISO-IR-111g - 1129
ISO-IR-121g - 1130
ISO-IR-122g - 1131
ISO-IR-127g - 1132
ISO-IR-139g - 1133
ISO-IR-141g - 1134
ISO-IR-143g - 1135
ISO-IR-150g - 1136
ISO-IR-151g - 1137
ISO-IR-153g - 1138
ISO-IR-155g - 1139
ISO-IR-156g - 1140
ISO-IR-166g - 1141
ISO-IR-193g - 1142
ISO-IR-197g - 1143
ISO-IR-209g - 1144
ISO/TR_11548-1/ - 1145
ISO646-CAg - 1146
ISO646-CA2g - 1147
ISO646-CNg - 1148
ISO646-CUg - 1149
ISO646-DEg - 1150
ISO646-DKg - 1151
ISO646-ESg - 1152
ISO646-ES2g - 1153
ISO646-FIg - 1154
ISO646-FRg - 1155
ISO646-FR1g - 1156
ISO646-GBg - 1157
ISO646-HUg - 1158
ISO646-ITg - 1159
ISO646-JP-OCR-Bg - 1160
ISO646-KRg - 1161
ISO646-NOg - 1162
ISO646-NO2g - 1163
ISO646-PTg - 1164
ISO646-PT2g - 1165
ISO646-SEg - 1166
ISO646-SE2g - 1167
ISO646-YUg - 1168
ISO2022CNg? - 1169
ISO2022CNEXTg? - 1170
ISO2022JPg? - 1171
ISO2022JP2g? - 1172
ISO2022KRg? - 1173
ISO6937g - 1174
ISO8859-11g - 1175
ISO11548-1g - 1176
ISO88591g - 1177
ISO88592g - 1178
ISO88593g - 1179
ISO88594g - 1180
ISO88595g - 1181
ISO88596g - 1182
ISO88597g - 1183
ISO88598g - 1184
ISO88599g - 1185
ISO885910g - 1186
ISO885911g - 1187
ISO885913g - 1188
ISO885914g - 1189
ISO885915g - 1190
ISO885916g - 1191
ISO_2033-1983g - 1192
ISO_2033g - 1193
ISO_5427-EXTg - 1194
ISO_5427g - 1195
ISO_5427:1981g - 1196
ISO_5427EXTg - 1197
ISO_5428g - 1198
ISO_5428:1980g - 1199
ISO_6937-2g - 1200
ISO_6937-2:1983g - 1201
ISO_6937g - 1202
ISO_6937:1992g - 1203
ISO_8859-7:2003g - 1204
ISO_8859-16:2001g - 1205

ISO_9036g - 1206
ISO_10367-BOXg - 1207
ISO_10367BOXg - 1208
ISO_11548-1g - 1209
ISO_69372g - 1210
ITg - 1211
JIS_C6229-1984-Bg - 1212
JIS_C62201969ROg - 1213
JIS_C62291984Bg - 1214
JOHABg - 1215
JP-OCR-Bg - 1216
JSg - 1217
JUS_I.B1.002g - 1218
KOI-7g - 1219
KOI-8g - 1220
KOI8g - 1221
KSC5636g - 1222
L10g - 1223
LATIN-9g - 1224
LATIN-GREEK-1g - 1225
LATIN-GREEKg - 1226
LATIN10g - 1227
LATINGREEKg - 1228
LATINGREEK1g - 1229
MAC-CYRILLICg - 1230
MAC-ISg - 1231
MAC-SAMIg - 1232
MAC-UKg - 1233
MACCYRILLICg - 1234
MIKg - 1235
MS-MAC-CYRILLICg - 1236
MS932g - 1237
MS936g - 1238
MSCP949g - 1239
MSCP1361g - 1240
MSMACCYRILLICg - 1241
MSZ_7795.3g - 1242
MS_KANJIg - 1243
NAPLPSg - 1244
NATS-DANOg - 1245
NATS-SEFIg - 1246
NATSDANOg - 1247
NATSSEFIg - 1248
NC_NC0010g - 1249
NC_NC00-10g - 1250
NC_NC00-10:81g - 1251
NF_Z_62-010g - 1252
NF_Z_62-010_(1973)g - 1253
NF_Z_62-010_1973g - 1254
NF_Z_62010g - 1255
NF_Z_62010_1973g - 1256
NOg - 1257
NO2g - 1258
NS_4551-1g - 1259
NS_4551-2g - 1260
NS_45511g - 1261
NS_45512g - 1262
OS2LATIN1g? - 1263
OSF00010001g - 1264
OSF00010002g - 1265
OSF00010003g - 1266
OSF00010004g - 1267
OSF00010005g - 1268
OSF00010006g - 1269
OSF00010007g - 1270
OSF00010008g - 1271
OSF00010009g - 1272
OSF0001000Ag? - 1273
OSF00010020g - 1274
OSF00010100g - 1275
OSF00010101g - 1276
OSF00010102g - 1277
OSF00010104g - 1278
OSF00010105g - 1279
OSF00010106g - 1280
OSF00030010g - 1281
OSF0004000Ag? - 1282
OSF0005000Ag? - 1283
OSF05010001g - 1284
OSF100201A4g? - 1285

OSF100201A8g? - 1286
OSF100201B5g? - 1287
OSF100201F4g? - 1288
OSF100203B5g? - 1289
OSF1002011Cg? - 1290
OSF1002011Dg? - 1291
OSF1002035Dg? - 1292
OSF1002035Eg? - 1293
OSF1002035Fg? - 1294
OSF1002036Bg? - 1295
OSF1002037Bg? - 1296
OSF10010001g - 1297
OSF10020025g - 1298
OSF10020111g - 1299
OSF10020115g - 1300
OSF10020116g - 1301
OSF10020118g - 1302
OSF10020122g - 1303
OSF10020129g - 1304
OSF10020352g - 1305
OSF10020354g - 1306
OSF10020357g - 1307
OSF10020359g - 1308
OSF10020360g - 1309
OSF10020364g - 1310
OSF10020365g - 1311
OSF10020366g - 1312
OSF10020367g - 1313
OSF10020370g - 1314
OSF10020387g - 1315
OSF10020388g - 1316
OSF10020396g - 1317
OSF10020402g - 1318
OSF10020417g - 1319
PTg - 1320
PT2g - 1321
PT154g - 1322
RK1048g - 1323
RUSCIIg - 1324
SEg - 1325
SE2g - 1326
SEN_850200_Bg - 1327
SEN_850200_Cg - 1328
SHIFT-JISg - 1329
SHIFT_JISg - 1330
SHIFT_JISX0213g - 1331
SJIS-OPENg - 1332
SJIS-WINg - 1333
SJISg - 1334
SS636127g - 1335
STRK1048-2002g - 1336
ST_SEV_358-88g - 1337
T.61-8BITg - 1338
T.61g - 1339
T.618BITg - 1340
TS-5881g - 1341
UHCg - 1342
UJISg - 1343
UKg - 1344
UTF8g - 1345
UTF16g - 1346
UTF16BEg? - 1347
UTF16LEg? - 1348
UTF32g - 1349
UTF32BEg? - 1350
UTF32LEg? - 1351
WCHAR_Tg - 1352
WIN-SAMI-2g - 1353
WINDOWS-31Jg - 1354
WINDOWS-936g - 1355
WINSAMI2g - 1356
WS2g - 1357
YUg - 1358
Correlation Alerts
An alert is a message indicating that an exception or policy rule violation was detected.

Alerts are triggered in two ways:
A correlation alert is triggered by a query that looks back over a specified time period to determine if alert threshold has been met. The GuardiumÂ® Anomaly
Detection Engine runs correlation queries on a scheduled basis. By default, correlation alerts do not log policy violations, but they can be configured to do that.
A real-time alert is triggered by a security policy rule. The Guardium Inspection Engine component runs the security policy as it collects and analyzes database
traffic in real time.
Regardless of how they are triggered, Guardium logs all alerts the same way: the alert information is logged in the Guardium internal database. The amount and type of
information logged depends on the specific alert type. The Guardium Alerter component, which also runs on a scheduled basis, processes each new alert, passing the
logged information for each alert to any combination of the following notification mechanisms:
SMTP â€“ The SMTP (outgoing e-mail) server. The Alerter passes standard email messages to the SMTP server for which it has been configured.
SNMP â€“ The SNMP (network information and control) server. When SNMP is selected for an alert notification, the Alerter passes all alert messages of that type to
the single trap community for which the Alerter has been configured.
Syslog â€“ The alert is written to syslog on the Guardium appliance (which may be configured by the Guardium Administrator to write syslog messages to a remote
system).
Note: For SNMP or SYSLOG, the maximum message length is 3000 characters. Any messages longer than that will be truncated.
Custom â€“ A user written Javaâ„¢ class to handle alerts. The Alerter passes an alert message and timestamp to the custom alerting class. There can be multiple
custom alerting classes, and one custom alerting class can be an extension of another custom alerting class.
Note: Alerts definition and notification are not subject to Data Level Security. Reasons for this include alerts are not evaluated in the context of user, the alert may be
related to databases associated to multiple users and to avoid situations where no one gets the alert notification.
Note: If there is an alert using a query that contains 30 fields or more (including counters) the anomaly detection will fail with an Array out of bound exception
error message Queries with 30 columns (or more) can not be used for alerts. Such queries do not appear in the list of available queries for threshold alerts.
Alerting Tasks for Administrators

Guardium administrators perform the following tasks:
Customize the Alert Message Template, using the Global Profile.

Configure and start the Alerter, which delivers messages to SMTP, SNMP, Syslog, or Custom alerting classes
Start and stop the Anomaly Detection Engine, which runs the correlation alerts according to the schedules defined.
Upload Custom Alerting Classes to the Guardium system.
Alerting Tasks for Users

Guardium users (and administrators) can perform these correlation alerting tasks:
Define queries that can be used for correlation alerts

Define correlation alerts
Write custom alerting classes
About Correlation Alert Queries

A correlation alert is based on a query in any of the reporting domains. That query must be defined before the alert can be defined. To be available for use by a correlation
alert, the query must contain at least one date field.
Create a Correlation Alert

1. Click Protect > Database Intrusion Detection > Alert Builder to open the Alert Finder.
2. Click New in the Alerts Finder panel to display the Add Alert panel.
3. Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.
4. Enter a short sentence that describes the alert in the Description box.
5. Enter an optional category in the Category box.
6. Enter an optional classification in the Classification box.
7. For Recommended Action, the user can add free text as the recommended action for the specific alert.
8. As in real-time alerts, the user can choose a template for the message that is sent in case the threshold alert fires. The template uses a predefined list of variables
that are replaced with the appropriate value for the specific alert. The list of variables and a default template are detailed in the Named Templates section of the
Global Profile help topic.
9. Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as HIGH.
10. Enter the number of minutes between runs of the query in the Run Frequency field.
11. Mark the Active box to activate the alert, or clear the box to save the alert definition without starting it running (it can be activated later). In a Central Manager
environment, the alert will be activated (or stopped) on all managed units when this box is marked (or cleared). To disable the alert on a specific appliance in a
Central Manager environment, use the Anomaly Detection panel of the Administrator Console.
12. Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By
marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
13. From the Query list in the Alert Definition panel, select the query to run for this alert. The list of queries displayed will include all queries defined that:
Contain at least one date field (timestamp) - a timestamp field is required
Contain a Count field - a count field is required
Can be accessed by your Guardium user account
Troubleshooting tips
If a custom query has been created in any Query Builder in Report Building, and it does not appear in the Query list, then make sure that the custom query
has a timestamp (date field).
After selecting a query from the Query list in the Alert Definition panel of the Add Alert screen, and there is need to edit the query (Edit icon), and the query
can not be edited, then go to Query Builder (Tools > Report Building) to edit the query.
14. If the selected query contains run-time parameters, a Query Parameters panel will appear in the Alert Definition pane. Supply parameter values as appropriate for
your application.
15. In the Accumulation Interval box, enter the length of the time interval (in minutes) that the query should examine in the audit repository, counting back from the
current time (for example, enter 10 to examine the last 10 minutes of data).
Note: Alerts that run on aggregators are based only on data with the defined merge period.
16. Check the Log Full Query Results box to have the full report logged with the alert.

17. If the selected query contains one or more columns of numeric data, select one of those columns to use for the test. The default, which will be the last item listed,
is the last column for the query, which is always the count of occurrences aggregated in that row.
18. In the Alert Threshold pane, define the threshold at which a correlation alert is to be generated, as follows:
In the Threshold field, enter a threshold number that will apply as described by the remaining fields in the panel.
From the Alert when value is list, select an operator indicating how the report value is to relate to the threshold to produce an alert (greater than, greater
than or equal to, less than, etc.).
Select per report if the threshold number applies to a report total, or select per line if the threshold applies to a single line of the report (the report being the
output of the selected query, run by looking back over the specified accumulation time).
If there is no data during the specified Accumulation Interval:
If the threshold is per report, the value for that interval is 0 (zero), and an alert will be generated if the threshold condition is met (for example, if the
condition specified is â€œAlert when value is Â < 1â€ ).
If the threshold is per line, no alert will be generated, regardless of the specified condition (this is because there are no lines of output).
Select As absolute limit to indicate that the threshold entered is an absolute number or select As a percentage change within period to indicate that the
threshold represents a percentage of change within the time period identified in the From and To fields.
If the As percentage change within period option is selected, use the date picker controls to select the From and To dates.
If the As percentage change for the same "Accumulation Period" on a relative time is selected , one relative date will be entered and the alert will execute the
query for the current period and for the relative period (using the same interval), and will check the values as a percentage of the base period value.
Note: If relative period is used, each time the alert is checked it will execute the query twice, once for the current period and once for the relative period. Â
19. Indicate in the Notification Frequency box how often (in minutes) the Alert Receivers should be notified when the alert condition has been satisfied.
20. Click Save to save the alert definition.
Note: You cannot assign receivers or roles, or enter comments until the definition has been saved.
21. In the Alert Receivers panel, optionally designate one or more persons or groups to be notified when this alert condition is satisfied. To add a receiver, click the Add
Receiver button to open the Add Receiver Selection panel.
Note: If the receiver of an alert is the admin user then admin needs to be assigned an email for the alert to fire.
Note: An additional receiver for threshold alerts is Owner (the owner/s of the database). If the query associated with the alert contains Server IP and Service name
and if the alert is evaluated Per Row, then the receiver can be Owner. The alert notification must have: Alert Notification Type: Mail, Alert User ID: 0, Alert
Destination: Owner. See Alerting Actions in Policiesfor additional receivers for real-time alerts.
22. Optionally click Roles to assign roles for the alert.
24. Click Apply and then Â Done when you have finished.
Modify a Correlation Alert

2. Select the correlation alert you want to modify, in the Alert Finder panel.
3. Click Modify to open the Modify Alert panel.
4. Referring to Create a Correlation Alert topic, make changes to the alert definition.
5. Click Save.
Remove a Correlation Alert

2. Select the correlation alert you want to remove, in the Alerts Finder panel.
3. Click the Delete button. You will be prompted to confirm the action.
How to signify events through Correlation Alerts

Trigger a correlation alert if there are more than fifteen SQL Errors in the last three hours from any individual user of the application.
About this task

Use correlation alerts to inform about events accumulated over time. Applications do not normally have SQL errors. An increase in SQL Errors in an application is a warning
sign that a possible SQL Injection is being attempted. See the online help topics, Correlation Alerts and Queries for further information.
Prerequisites
Configure email (SMTP) server (Setup > Tools and Views >Alerter)
After fully configuring the correlation alert, make sure it is active and running (Setup > Tools and Views> Anomaly Detection)
An alert is a message indicating that an exception (correlation alert) or policy rule violation (real-time alert) was detected.
A correlation alert is triggered by a query that looks back over a specified time period to determine if an alert threshold has been met.
Overview of correlation alert steps
1. Create a custom query from Exceptions Tracking with a field of SQL Errors (with a count) and a condition of application users. In order to use this custom query in
the Alert Builder, a date field (timestamp) is required.
3. Click on New. Complete the fields per the instructions after the Alert Builder menu screen.
4. Add Receiver.

Exceptions domain, SQL Errors query
Procedure
1. Exceptions Tracking - Open the Query Finder
Users: Select Tools > Report Building, and then select the Exceptions domain only.
2. Open the drop-down choices for Query. Select SQL Errors. This will open a configuration screen with SQL Errors at the main title.
3. Clone this selection, typing in a unique name in the text box for the query. Do not include apostrophe characters in the query name.
4. In your custom query, under Query fields, from Client/Server entity list, add a date field (timestamp) and change the database error text field to count field mode.
Under Query conditions, change the run time parameters of exception types to attribute and choose Exception.App. User Name.
5. Click Save. This custom query for SQL Errors from any application user is now available for use in the Alert Builder.

Alert Builder menu screen
6. Alert Builder - Create a Correlation Alert

8. Click the New button in the Alerts Finder panel to display the Add Alert panel.
9. Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.
10. Enter a short sentence that describes the alert in the Description box.
11. Enter an optional category in the Category box. In this instance, Self Monitoring was used.
12. Enter an optional classification in the Classification box.
13. Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as urgent.
14. Enter the number of minutes between runs of the query in the Run Frequency field.
15. Mark the Active box to activate the alert.
16. Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By
marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
17. From the Query list in the Alert Definition panel, select the query to run for this alert. The list of queries displayed will include all queries defined that:
Contain at least one date field (timestamp) - a timestamp field is required
Contain a Count field - a count field is required
Can be accessed by your GuardiumÂ® user account
Troubleshooting tip: If a custom query has been created in any Query Builder in Report Building, and it does not appear in the Query list, then make sure that the
custom query has a timestamp (date field).

Troubleshooting tip: After selecting a query from the Query list in the Alert Definition panel of the Add Alert screen, and there is need to edit the query (Edit icon),
and the query can not be edited, then go to Query Builder (Tools > Report Building) to edit the query.
18. If the selected query contains run-time parameters, a Query Parameters panel will appear in the Alert Definition pane. Supply parameter values as appropriate for
your application.
19. In the Accumulation Interval box, enter the length of the time interval (in minutes) that the query should examine in the audit repository, counting back from the
current time (for example, enter 10 to examine the last 10 minutes of data).
20. Mark the Log Full Query results box to have the full report logged with the alert.
21. If the selected query contains one or more columns of numeric data, select one of those columns to use for the test. The default, which will be the last item listed,
is the last column for the query, which is always the count of occurrences aggregated in that row.
22. In the Alert Threshold pane, define the threshold at which a correlation alert is to be generated, as follows:
In the Threshold field, enter a threshold number that will apply as described by the remaining fields in the panel.
From the Alert when value is list, select an operator indicating how the report value is to relate to the threshold to produce an alert (greater than, greater
than or equal to, less than, etc.).
Select per report if the threshold number applies to a report total.
If there is no data during the specified Accumulation Interval: If the threshold is per report, the value for that interval is 0 (zero), and an alert will be generated if the
threshold condition is met (for example, if the condition specified is â€œAlert when value is < 1â€ ).
23. Indicate in the Notification Frequency box how often (in minutes) the Alert Receivers should be notified when the alert condition has been satisfied.
24. Click the Apply button to save the alert definition.
Note: You cannot assign receivers or roles, or enter comments until the definition has been saved.
25. In the Alert Receivers panel, optionally designate one or more persons or groups to be notified when this alert condition is satisfied. To add a receiver, click the Add
Receiver button to open the Add Receiver Selection panel. For information about adding receivers, see notifications.
26. Optionally click the Roles button to assign roles for the alert. See Security Roles.
27. Optionally click the Comments button to add comments to the definition.
28. Click the Apply button and then the Done button when you have finished.
If there are more than fifteen SQL errors in the last three hours by any application user, then an alert will be sent to the designated receiver.
Incident Management
The Integrated Incident Management (IIM) application provides a business-user interface with workflow automation for tracking and resolving database security
incidents.
It simplifies incident management by allowing administrators to group a series of related policy violations into a single incident and assign them to specific individuals.
This reduces the number of separate policy violations that oversight teams need to review.
Incident generation processes can be defined and scheduled to read the policy violations log and generate new incidents. From an incident generation process, each
selected incident is:
Assigned a unique incident number

Assigned to a user
Assigned a severity code
Assigned to a category
In addition, policy violations can be assigned manually (by authorized users) to new incidents or existing incidents from the Policy Violations / Incident Management
report.
Once an incident has been generated, administrators and other users work with incidents from the Incident Management tab, which is included on both the admin and
user portals. From there, all other tasks can be performed (assign incidents, send notifications, assign status, and so forth).
The Incident Management functions can be accessed from the drill-down menus of the Incident Management reports. Each user may only have a subset of reports or
functions available, depending on the security roles assigned to the user account.
You can create your own copies of the Incident Management reports, but those copies will not have all of the capabilities available from the pre-configured reports on the
Incident Management tab. To assign incidents, severity codes, and so forth, use the reports on the Incident Management tab.
Define an Incident Generation Process

An incident generation process executes a query against the policy violations log, and generates incidents based on that query. By default, the definition and scheduling of
incident generation processes is restricted to users with the admin role.
1. Click Comply > Tools and Views > Incident Generation to open Incident Generation Processes.
2. Click Add Process to open the Edit Incident Generation Process panel.
3. Select a query from the Query list. There are several restrictions that apply to queries used in an incident generation process. We suggest that you open the query in
the Query Builder to verify that it satisfies the following criteria:
The query must be from the Policy Violations domain.
The query must have the Add Count check box checked. See Queries for more information.
The main entity for the query must be the Policy Rule Violation entity.
The query fields for the query must not include a SQL string (from either the SQL entity or the Full SQL String attribute of the Policy Rule Violation entity).
4. Select a Severity for the incident (defaults to Info).
5. Optionally enter a Category for the incident (defaults to none).
6. Optionally enter a Threshold for generating the incident. The default is one, meaning every row returned by the query will generate an incident.
7. From the Assign to User list, select the user to whom the incident will be assigned.
8. Enter the From and To Dates for the query. For a scheduled query, use relative dates (for example: now -1 day and now).
9. Click Save to save the process definition. You cannot run or schedule the process until it has been saved.
10. To run the query now, click Run Once Now.
11. To schedule the query, click Modify Schedule to open the general-purpose scheduling utility.

Assign/Reassign to Incident
1. Double-click the policy violation to be assigned or reassigned, in one of the Incident Management reports.
2. Select Assign/Reassign to incident from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of open incidents (for
example, Assign to Incident #123), and one additional option: Assign to a new incident.
3. Select an incident to assign this violation to, or select Assign to a new incident to assign this Policy Violation to the next incident number available (they are
numbered in sequence).
A message is displayed when the change has been completed, and the Incident Management panel will be refreshed. If a new incident has been created, it will be
listed first in the Open Incidents report.
Assign to User
1. Double-click the incident to be assigned to another user, in one of the Incident Management reports.
2. Select Assign to user from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users, and one additional option:
Unassign.
3. Select a user, or select Unassign to remove the current user assigned. When a user is assigned, the Status Description will be Assigned, and when unassigned the
Status Description will be Open.
A message is displayed when the change has been completed, and the Incident Management panel will be refreshed.
Change Severity
1. Double-click the incident on which the severity is to be changed, in one of the Incident Management reports.
2. Select Change Severity from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of severity codes: Info, Low, Med, and
High.
3. Select the new severity code.
Notify
1. Double-click the incident a user is to be notified about, in one of the Incident Management reports.
2. Select Notify from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users.
3. Select a user.
A message is displayed when the user has been a notification.
Change Status
1. Double-click the incident on which the status is to be changed, in one of the Incident Management reports.
2. Select Change Status from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of status codes:
ASSIGNED - Once an incident has this status, it cannot have additional policy violations added to it. To add policy violations, change the incident status back
to Open, add the violations, and then change the status back to Assigned.
CLOSED - Once an incident is marked Closed it cannot be modified, and is no longer listed.
OPEN - This is the initial status for a new incident.
3. Select the new status code.
Add Comments
1. Double-click the incident to which comments are to be added, in one of the Incident Management reports.
2. Select Comments from the drill-down menu, to open the User Comment window. For instructions on how to add comments, see Comments.
How to manage the review of multiple database security incidents

Incident management - track and resolve database security incidents.
About this task

Administrators can group a series of related policy violations into a single incident and assign to specific individuals. This reduces the number of separate policy violations
that oversight teams need to review.
Prerequisites
Create a Policy (See Policies).

Start inspection engines (See Inspection Engine Configuration).
A security policy contains an ordered set of rules to be applied to the observed traffic between database clients and servers.
A policy violation is logged each time that a rule is triggered. Policy violations can be assigned to incidents, either automatically by a process, or manually by authorized
users (see Incident Management).
Summary of Steps
2. Edit Incident Generation Process (Query, Severity, Threshold, Scheduling).
3. Go to Incident Management tab for reports.

Incident Management
The Incident Management application provides a business-user interface with workflow automation for tracking and resolving database security incidents.
Incident generation processes can be defined and scheduled to read the policy violations log and generate new incidents. From an incident generation process, each
selected incident is:
Assigned a unique incident number.

Assigned to a user.
Assigned a severity code.
Assigned to a category.
In addition, policy violations can be assigned manually (by authorized users) to new incidents or existing incidents from the Policy Violations / Incident Management
report.
Once an incident has been generated, administrators and other users work with incidents from the Incident Management tab, which is included on both the admin and
user portals. From there, all other tasks can be performed (assign incidents, send notifications, assign status, and so forth).
The Incident Management functions can be accessed from the drill-down menus of the Incident Management reports. Each user may only have a subset of reports or
functions available, depending on the security roles assigned to the user account.
Define an Incident Generation Process
An incident generation process executes a query against the policy violations log, and generates incidents based on that query. By default, the definition and scheduling of
incident generation processes is restricted to users with the admin role.
Procedure
2. Click the Add Process button to open the Edit Incident Generation Process panel.
3. Select a query from the Query list. There are several restrictions that apply to queries used in an incident generation process. Open the query in the Query Builder to
verify that it satisfies the following criteria:
The query must be from the Policy Violations domain.
The query must have the Add Count checkbox checked. See Query Builder Overview (Queries) for more information.
The main entity for the query must be the Policy Rule Violation entity.
The query fields for the query must not include a SQL string (from either the SQL entity or the Full SQL String attribute of the Policy Rule Violation entity).
4. Select a Severity for the incident (defaults to Info).
5. Optionally enter a Category for the incident (defaults to none).
6. Optionally enter a Threshold for generating the incident. The default is one, meaning every "row" returned by the query will generate an incident.
7. From the Assign to User list, select the user to whom the incident will be assigned.
8. Enter the From and To Dates for the query. For a scheduled query, use relative dates (for example: now -1 day and now).
9. Click Save to save the process definition. You cannot run or schedule the process until it has been saved.
10. To run the query now, click Run Once Now.
11. To schedule the query, click Modify Schedule to open the scheduling utility. For instructions on how to use the scheduler, see Scheduling.
12. Assign/Reassign to Incident - Double-click on the policy violation to be assigned or reassigned, in one of the Incident Management reports.
13. Select Assign/Reassign to Incident from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of open incidents (for
example, Assign to Incident #123), and one additional option: Assign to a new incident.
14. Select an incident to assign this violation to, or select Assign to a new incident to assign this Policy Violation to the next incident number available (they are
numbered in sequence).
A message displays when the change has been completed, and the Incident Management panel will be refreshed. If a new incident has been created, it will be
listed first on the Open Incidents report.
From the Incident Policy Violations / Incident Management report, users can:
Assign/Reassign to Incident (create an incident from this policy violation).

Change the severity of the incident.
Notify one or more users about the incident.
View reports of Client IP Activity, User Activity, or SQL from the incident.

15. Assign to User - Double-click on the incident to be assigned to another user, in one of the Incident Management reports.
16. Select Assign to user from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users, and one additional option:
Unassign.
17. Select a user, or select Unassign to remove the current user assigned. When a user is assigned, the Status Description will be Assigned, and when unassigned the
Status Description will be Open.
A message displays when the change has been completed, and the Incident Management panel will be refreshed.
18. Change Severity - Double-click on the incident on which the severity is to be changed, in one of the Incident Management reports.
19. Select Change Severity from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of severity codes: Info, Low, Med, and
High.
20. Select the desired severity code.
Once a policy violation has been assigned to an incident the incident displays in the Open Incidents report. From the Open Incidents report, users can perform the
actions shown:
21. Notify - Double-click on the incident a user is to be notified about, in one of the Incident Management reports.
22. Select Notify from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users.
23. Select a user.
When the user gets the notification, a message will be displayed.
24. Change Status - Double-click on the incident on which the status is to be changed, in one of the Incident Management reports.
25. Select Change Status from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of status codes:
ASSIGNED - Once an incident has this status, it cannot have additional policy violations added to it. To add policy violations, change the incident status back
to Open, add the violations, and then change the status back to Assigned.
CLOSED - Once an incident is marked Closed it cannot be modified, and is no longer listed.
OPEN - This is the initial status for a new incident.
26. Select the desired status code.
27. Add Comments - Double-click on the incident to which comments are to be added, in one of the Incident Management reports.
28. Select Comments from the drill-down menu, to open the User Comment window. For instructions on how to add comments, see Commenting.
Each user portal displays a My Open Incidents report for that user. From the My Open Incidents report, users can perform the actions shown:
Query rewrite

Query rewrite functionality provides fine-grained access control for databases by intercepting database queries and rewriting them based on criteria defined in security
policies.
The modification of queries happens transparently and on-the-fly, such that a user issuing queries seamlessly receives results based on rewritten SQL statements.
Query rewrite functionality is implemented through a combination of query rewrite definitions indicating how queries should be changed or augmented and a run-time
context indicating the specific circumstances where the query rewrite definitions should be applied.
Rewriting database queries on the fly allows administrators to implement several types of access control, as illustrated by the following examples.
Table 1. Examples of access control with query rewrite.

Access control Original SQL Rewritten SQL
Limiting access to rows by adding a WHERE clause SELECT C from T SELECT C from T WHERE [values]
Limiting access to columns by modifying the SELECT list SELECT C1 from T SELECT C2 from T
Â SELECT C1,C2 from T SELECT C2 from T
Restricting database activities by rewriting SQL statements to do nothing. SELECT EMAIL from T SELECT++ EMAIL from T
Restricting what users can do by modifying query verbs (SELECT, INSERT, UPDATE, etc.) DROP TABLE T UPDATE T SET [values]
Restricting what users can do by modifying query objects (TABLE, VIEW, COLUMN, etc.) SELECT C from T1 SELECT C from T2
The ability to seamlessly rewrite database queries provides an extremely powerful and flexible form of access control that allows organizations to quickly address a wide
range of security concerns. For example, query rewrite definitions can be developed to accomplish any of the following:
enforcing security in multi-tenancy scenarios where multiple users and applications share a single database, but where not all users and applications should have
access to all data
exposing a database to a production environment for testing purposes without exposing the entire database
rapidly correcting critical security vulnerabilities while permanent solutions are developed at the database or application level
Please review the following sections to learn more about how query rewrite works and how to configure it for use within your Guardium environment.
Note: If the S-TAP is set for firewall_default_state=1, the default state for Query Rewrite, qrw_default_state=1 cannot be set at the same time.
How query rewrite works

Learn how Guardium implements query rewrite functionality.
Using query rewrite
Learn how to enable and use query rewrite functionality.
How query rewrite works

Learn how Guardium implements query rewrite functionality.
Overview
Once query rewrite has been enabled on the S-TAP for supported database servers (see Enabling query rewrite), query rewrite functionality is implemented through three
policy rule actions:
QUERY REWRITE: ATTACH

QUERY REWRITE: APPLY DEFINITION
QUERY REWRITE: DETACH
These rule actions are installed as access policy rules. The access policy rules specify both query rewrite definitions that indicate how queries should be rewritten and a
run time context that indicates when those definitions should be applied.
Once query rewrite rules have been specified, sessions are handled as follows:
1. A SQL request triggers a QUERY REWRITE: ATTACH rule, and all subsequent activity in the session is watched by query rewrite.
2. While sessions are being watched by query rewrite, traffic is held at the S-TAP and the session information is checked against access policy rules.
3. If a query in the watched session matches a QUERY REWRITE: APPLY DEFINITION rule, the query is rewritten according to the definition and sent to the S-TAP.
4. The S-TAP releases the rewritten query to the database server.
5. When a QUERY REWRITE: DETACH rule is triggered, query rewrite stops watching activity for the remainder of the session or until another QUERY REWRITE:
ATTACH rule is triggered.
Requirements and limitations

Query rewrite is intended to work with the following database servers:
Oracle
DB2 (Linux and Unix only)
Microsoft SQL
For information about supported database servers and any associated restrictions, see Platforms supported for IBM Guardium 10.1. For detailed information about
database client support for query rewrite, contact IBM Guardium support.
Important: When query rewrite is watching a session, the sniffer is required to send engine verdicts to the S-TAP for each SQL request in the session. This process is
asynchronous and introduces latency between the sniffer and S-TAP. Create query rewrite rule conditions that avoid attaching to sessions for performance-sensitive or
trusted applications.
Parent topic: Query rewrite

Related tasks:
Enabling query rewrite
Using query rewrite

Learn how to enable and use query rewrite functionality.
About this task

Follow this task sequence to enable and begin using query rewrite functionality.
1. Enabling query rewrite

Learn how to configure an S-TAP for query rewrite functionality.
2. Creating query rewrite definitions
Learn how to create query rewrite definitions for data masking and access control scenarios.
3. Testing query rewrite definitions
Learn how to test query rewrite definitions against sample input and verify that the rewrite definitions behave as expected.
4. Defining a security policy to activate query rewrite
Learn how to create access policy rules using your query rewrite definitions with live queries.
5. Creating a custom report to validate query rewrite results
Learn how to create a query rewrite tracking report for auditing query rewrite activity.
Parent topic: Query rewrite
Enabling query rewrite

Learn how to configure an S-TAP for query rewrite functionality.
About this task

Query rewrite functionality is only enabled when both of the following conditions are met:
Query rewrite is enabled in the guard_tap.ini file

Query rewrite policy rules exist and are triggered by session traffic
This task guides you through the changes you need to make in your guard_tap.ini file.
Procedure
1. Open guard_tap.ini in a text editor.
2. Locate the parameter qrw_installed = 0 and change it to qrw_installed = 1. The parameter qrw_installed must be set to a value of 1 to enable query rewrite
functionality. Set qrw_installed = 0 to disable query rewrite functionality.
3. Save your changes to guard_tap.ini.
4. On the Guardium system, log in as the CLI user and restart the inspection engine using the restart_inspection_engines CLI command.
Results
Upon completion of this task, query rewrite functionality is enabled and will respond to policy rules that contain query rewrite actions.
Parent topic: Using query rewrite
Next topic: Creating query rewrite definitions
Creating query rewrite definitions

Learn how to create query rewrite definitions for data masking and access control scenarios.
Procedure
1. Open Protect > Security Policies > Query Rewrite Builder.
2. Provide a unique and meaningful name for the query rewrite definition in the Name field.
3. Create and parse a model query.
a. Provide a model query in the Enter a model query field.
For example, to create a rewrite definition preventing the use of SELECT * from statements, enter SELECT * from EMPLOYEE as a model.
b. Click the DB Type menu and select a SQL parser to use with the model query.
c. Click Parse to process the model query.
Your model query will be broken down into individual components with each actionable component highlighted with underlined text.
4. Define how to rewrite specific components of the model query.

a. Click on an underlined component of the parsed query that you would like to rewrite. A dialog will open to help create your query rewrite definition.
Options:
Select and modify an individual verb, field, or object from the parsed query
Add a component to the query (shown as gray underlined text next to the parsed query)
Rewrite the entire query by clicking the gray underlined [R] next to the parsed query
In the example SELECT * from EMPLOYEE where we want to prevent the use of SELECT * from statements, click the * to provide rewrite content.

a. The Change from field indicates what will be rewritten.
b. The To field defines the rewritten component.
For example, to prevent the use of SELECT * from statements, replace the * component with a list of specific objects: EMPNO, FIRSTNME, MIDINIT,
LASTNAME, WORKDEPT, PHONENO, HIREDATE, JOB, EDLEVEL, SEX.
Important:
Rewrite definitions are based on syntax, so any statement with the form SELECT * from [OBJECT] will match the example. For instance, both SELECT *
from DEPARTMENT and SELECT * from EMPLOYEE statements match our example.
Query rewrite definitions can be restricted to specific objects using access policy rules. See Defining a security policy to activate query rewrite for
instructions.
c. Click Save to save the rewrite definition, then click Back to close the dialog.
5. Review the output of the query rewrite definition using the Real time preview field and make any changes as needed.
Using our example, SELECT * from EMPLOYEE is rewritten as SELECT EMPNO, FIRSTNME, MIDINIT, LASTNAME, WORKDEPT, PHONENO, HIREDATE, JOB,
EDLEVEL, SEX from EMPLOYEE.
6. When you are satisfied with the results, click Save to save your query rewrite definition.
Your query rewrite definition is saved and displayed in the list of available query rewrite definitions in the Query Rewrite Builder.
What to do next
Continue working with query rewrite definitions:
Create additional definitions by clicking New and repeating the steps in this task.
Edit an existing query rewrite definition by double-clicking an item in the list of available query rewrite definitions.
Copy and edit an existing query rewrite definition by selecting the item in the list of available query rewrite definitions and clicking Clone.
Delete an existing query rewrite definition by selecting the item in the list of available query rewrite definitions and clicking Delete.
When you are finished working with query rewrite definitions, continue to the next step in this sequence to test and implement your definitions.
Previous topic: Enabling query rewrite
Next topic: Testing query rewrite definitions
Related tasks:
Defining a security policy to activate query rewrite
Testing query rewrite definitions

Learn how to test query rewrite definitions against sample input and verify that the rewrite definitions behave as expected.
Before you begin

To complete this task, you need to have created one or more query rewrite definitions.
Procedure
1. Open Protect > Security Policies > Query Rewrite Builder.
2. Click Set Up Test to open a dialog and select query rewrite definitions for testing.
a. Drag and drop items from the Available query rewrite definitions field to the Test query rewrite definitions field.
b. Drag and drop items with the Test query rewrite definitions field to order multiple definitions as you would within an access policy.
c. Click Save to close the dialog when you are finished.
3. Type or paste test queries into the test field.
For example, to test a rewrite definition preventing the use of SELECT * from statements (see Creating query rewrite definitions), enter sample queries such as:
SELECT * from DEPARTMENT

SELECT * from EMPLOYEE
SELECT FIRSTNME, case
when SALARY > 150000 then 'high'
when SALARY > 100000 then 'medium'
when SALARY > 80000 then 'fair'
else 'poor'
end from EMPLOYEE
DELETE from EMPLOYEE where EMPNO=100
INSERT into TEMP_EMP SELECT * from EMPLOYEE
4. Click Run Test to process the sample queries and review the results.
For example, the sample queries provided in the previous step return the following results:
Table 1. Query rewrite test results

Original SQL Rewritten SQL Ch
an
ge
d
SELECT * from DEPARTMENT SELECT EMPNO, FIRSTNME, MIDINIT, LASTNAME, WORKDEPT, YE
PHONENO, HIREDATE, JOB, EDLEVEL, SEX from DEPARTMENT S
SELECT * from EMPLOYEE SELECT EMPNO, FIRSTNME, MIDINIT, LASTNAME, WORKDEPT, YE
PHONENO, HIREDATE, JOB, EDLEVEL, SEX from EMPLOYEE S

Original SQL Rewritten SQL Ch
an
ge
d
SELECT FIRSTNME, case when SALARY > 150000 then 'high' when SELECT FIRSTNME, case when SALARY > 150000 then 'high' when NO
SALARY > 100000 then 'medium' when SALARY > 80000 then SALARY > 100000 then 'medium' when SALARY > 80000 then
'fair' else 'poor' end from EMPLOYEE 'fair' else 'poor' end from EMPLOYEE
DELETE from EMPLOYEE where EMPNO=100 DELETE from EMPLOYEE where EMPNO=100 NO
INSERT into TEMP_EMP SELECT * from EMPLOYEE INSERT into TEMP_EMP SELECT * from EMPLOYEE NO
Important:
Rewrite definitions are based on syntax, so any statement with the form SELECT * from [OBJECT] will match the example. For instance, both SELECT * from
DEPARTMENT and SELECT * from EMPLOYEE statements match our example.
Query rewrite definitions can be restricted to specific objects using access policy rules. See Defining a security policy to activate query rewrite for instructions.
5. Continue entering sample queries to test your rewrite definitions. Click Set Up Test to change or reorder the rewrite definitions used for the test.
What to do next
When you are satisfied with the test results, create a security policy to begin using your query rewrite definitions with live queries.
Previous topic: Creating query rewrite definitions
Next topic: Defining a security policy to activate query rewrite
Related tasks:
Creating query rewrite definitions

Learn how to create access policy rules using your query rewrite definitions with live queries.
Before you begin

To complete this task, you need to have created and tested one or more query rewrite definitions, and you need to be familiar with creating security policies.
Procedure
1. Open Protect > Security Policies > Policy Builder.
2. Create a new policy or modify an existing policy to use your query rewrite definitions.
Tip: Consider creating a new policy for testing query rewrite definitions. Add your rewrite rules to existing security policies once you are satisfied with the behavior
of the test policy.
3. Click Edit Rules to begin adding rewrite rules to the selected policy, then select Add Rules > Add Access Rule.
Note: Query rewrite rules are always classified as access rules.
4. Add a rule with a QUERY REWRITE: ATTACH rule action. Be sure to check the Continue to next rule checkbox. This rule identifies the specific session parameters
that must be matched in order to trigger a query rewrite session, for example a specific database user name or client IP address.
5. Add a rule with one or more QUERY REWRITE: APPLY DEFINITION rule actions and select the query rewrite definition(s) you would like to apply. This rule identifies
the specific objects or commands that must be matched in order to apply the rewrite definitions and modify the source query.
For example, you can limit the data that displays back to a user when a SELECT * from EMPLOYEE query is issued. To do so, set the Object field to EMPLOYEE and
create a query rewrite definition to replace the * with a list of defined columns for the data you want the user to have access to.
6. Add a rule with a QUERY REWRITE: DETACH rule action. This detaches the query rewrite session and prevents further monitoring of session traffic. The conditions
set for the detach rule should not be the same as the attach rule.
7. To install the new policy, return to the Policy Finder, select your security policy, and choose Select an installation action > Install and Override. Click OK when asked
to confirm installation of the policy.
8. Log in to your database server and run test queries to verify that your access policy rewrite rules are functioning as intended.
a. Log in to your database server.
b. Issue queries that should trigger (or should not trigger) the installed access policy rules and match the criteria of your query rewrite definitions.
For example, if you set the Object to EMPLOYEE and you issue SELECT * from EMPLOYEE, you should only see results for the columns you defined for * in
the query rewrite definition. In contrast, if you issue a SELECT * from DEPARTMENT, you should see all column data returned for the DEPARTMENT object.
c. Verify that the results reflect the rewritten SQL.

Previous topic: Testing query rewrite definitions
Next topic: Creating a custom report to validate query rewrite results
Related concepts:
Policies
Creating a custom report to validate query rewrite results

Learn how to create a query rewrite tracking report for auditing query rewrite activity.
Before you begin

To complete this task, you need to have created and installed access policy rules that apply query rewrite definitions, and you need to be familiar with creating reports.

About this task
A query rewrite tracking report helps validate query rewrite actions in both test and production environments.
Procedure
1. Open Reports > Report Configuration Tools > Query Builder
2. Select Query Rewrite from the Domain menu.
3. Click the icon to define a new query.

4. Provide a meaningful and unique name for the query in the Query Name field.
For example, My query rewrite report
5. Select one of the available options from the Main Entity menu.
The following options are available:
Query Rewrite Log

Client/Server
Session
Access Period
6. Click Next to open the report builder.
7. Expand sections within the Entity List and select items to build your report.
Click an item and select Add Field to add the item as a column in the report.
Click an item and select Add Condition to add a conditional filter to the report.
Alternatively, drag and drop items from the Entity List into the Query Fields and Query Conditions tables to apply them to your report.
Include the following items as a starting point for a query rewrite report:
Client/Server: Timestamp
Client/Server: DB User Name
Client/Server: Server Type
Query Rewrite Log: Applied QR Definition Names
Query Rewrite Log: Input SQL
Query Rewrite Log: Output SQL
8. Click Save when you are done building your report.
9. Click Create Report to create the report.
10. Click Add to My Custom Reports to add the report to your custom reports.
11. Open Reports > My Custom Reports and select the report you created to view a report of query rewrite actions.

Previous topic: Defining a security policy to activate query rewrite
File Activity policies and rules

File Activity Policies and rules functionality

A file activity monitoring policy specifies how Guardium handles different file activity events. Each policy consists of a set of ordered rules. Each rule in a policy
defines a conditional action that is taken when the rule matches. The conditional test can be simple, for example a user accesses a specific location, or a complex
test that considers multiple conditions. The action ranges from nothing to blocking the event. Multiple grouping and alerting actions can be combined and ordered
to create sophisticated responses to matched rules.
Create a FAM policy and its rules from scratch
Set up file activity monitoring by defining and managing policies and rules in the Policy Builder for Files window.
Creating a FAM policy rule from the Investigative Dashboard Entitlements tab
You can use the monitored data, such as datasource names, user names, actions, and file paths, in the Investigation Dashboard Results Table to create policy rules.

File Activity Policies and rules functionality

A file activity monitoring policy specifies how Guardium handles different file activity events. Each policy consists of a set of ordered rules. Each rule in a policy defines a
conditional action that is taken when the rule matches. The conditional test can be simple, for example a user accesses a specific location, or a complex test that
considers multiple conditions. The action ranges from nothing to blocking the event. Multiple grouping and alerting actions can be combined and ordered to create
sophisticated responses to matched rules.
For example, you can define policies for these cases:
Log a policy violation if John writes into the CONFIDENTIAL folder

Block a group of users from deleting the file SALARIES.XLS
Send an e-mail to Krishna if JENNY reads from any files that begin with the name sample*
Audit all accesses to any file that has been classified as containing sensitive data related to PCI
Groups: Guardium uses the concept of groups for policy and report creation.
Guardium groups are created and maintained on the Guardium collector or Central Manager. Do not confuse Guardium groups with file system groups.
It is recommended that you consider a naming strategy for your groups, including groups of data sources (file servers), groups of files (such as by sensitivity level or
combination of sensitivity level and application), groups of users (a list of all known users, â€œauthorizedâ€ users, users with special privileges).

Rule Guidelines
A overly broad rule (a rule that monitors too many files) can overload the system and increase processing and response time.
A FAM rule can have more than one pattern in it. To protect both a directory and its contents, define a rule with two patterns /FAMtest/* and /FAMtest.
A group comprised of file paths: each path must be unique irrespective of case. For example, these two paths can co-exist in a group: C:\ABC and C:\abcdef.
However, these two paths cannot co-exist in a group C:\ABC and C:\abc. The Group builder is not case sensitive. It is not required to input members with all upper
case characters or all lower case characters. However, in UNIX, which is case sensitive, the path /IBM/Guardium is different from the path /ibm/guardium. If the
user wants to monitor both of these paths, the current Group builder has a limitation and will not see them as two paths.
The ordering of rules in the security policy is very important. The rules are sent to the S-TAP as a set and are processed strictly in order. Any given user activity is
checked against each rule in the policy in order. The first rule that meets the criteria of this file access is applied and subsequent rules are ignored. In most cases,
put the most specific rule first and the most general rule last. For example, you have two rules:
Rule A: audit only all access to /data/*
Rule B: block, log violation and audit user 'joe' from accessing /data/salaries
If you put Rule A first, and Joe tries to read /data/salaries, there is no need to go to the next rule, and Joe will be audited. If you put Rule B first, Joe is blocked from
accessing /data/salaries and there is no need to go to the next rule.
Behavior of FAM when using a pre-10.1.2 S-TAP (no multi-action support) with a 10.1.2 or higher Sniffer (includes multi-action support)
If using a pre-10.1.2 S-TAP with a new 10.1.2 Sniffer/UI with multi-action rule, blocking is implemented correctly since this action is on the S-TAP side.
On the Sniffer side, the actions are accumulative of all actions specified.
For example, if you select Audit Only for READ command and Block, Log Violations and Audit for DELETE command, then the DELETE command is blocked, but not
the READ command. However, both the READ command and the DELETE command trigger audit, log violations and alerts even though the READ command was
Audit Only.
In the other instance where the user uses a 10.1.2 S-TAP and a pre-10.1.2 Sniffer/UI, that works fine since there is no way to define a multi-action rule ( thus no UI
or GuardAPI to support).
Rule attributes
Rule name
A unique name
Datasource
The datasource can be:
datasource selected from drop-down list

group selected from drop-down list
group created from selected groups in the Create New Rule window
manually entered path
Rule Action
The rule action is the action taken when the criteria are met. Actions are one of:
One action for any file access that matches the rule criteria
Multi-action rule comprised of multiple actions, each one is per a specified command category or a specified group. Note that Continue to next rule is not
supported when using Multi-action rules.
The rule actions are:
Alert and audit: Send an alert directly generated from the sniffer with specific behavior, and log the event.
Audit only: Log the event in GDM tables
Block, log violation, and audit: Block access to the object, log a policy violation, and log the event. A blocking action requires an alert configuration as well.
Ignore: No action taken.
Log as violation and audit: Log this as a policy violation and log the event.
Access commands: Because there are hundreds of file system commands, they are grouped into these categories:
Read
Write
Execute
Delete
File Operation, including any calls that affect file metadata such as change file ownership, change file permissions, and similar calls.
These categories are fixed in the system and cannot be changed. However, you can create a Guardium group that contains any combination of categories, and use
that group in the security policy. For example, you can create a Guardium group that contains Write and Execute as members.
If you leave the command unspecified, all file system commands are counted as a match. Some calls, such as get system time, do not affect files at all and are
ignored.
Rule criteria
For any given file access, rule criteria are used to evaluate whether a particular action should be taken. For any datasource or group of datasources (file servers), the
rule criteria that you can specify include:
User: The OS user who is accessing files. This can also be a group of users, as defined in a Guardium group. If this is left blank then the rule applies to all users
(except root).
File Path: This can be a Windows or UNIX file path, an individual file path, or a group of file paths, as defined in a Guardium group. This cannot be blank (except
when removable media is selected). You can also select to monitor the subdirectories in the file path.
Wild cards in the name specification:
The '*' character matches any number of any characters

The '?' character matches one single character

For UNIX, use back slash to escape * and ?
Tip: Wild cards take extra processing. Excessive use of wild cards impacts performance.
UNIX
Usage:
To match all files on disk, enter /*
To match /tmp/My*File.txt exactly , use /tmp/My\*File.txt
To match any file with a .txt extension in /tmp, use /tmp/*.txt
Example: The FAM rule pattern is: /FAM*
meaning
Directory: /
File name: FAM*
The rule in place has subdirectories selected: (Subdirs: Yes)
The file accessed is:
/guardium/modules/SUPERVISOR/10.0.0/FAM.output
This matches. The file name, FAM.output, matches the name, FAM, and is located in a subdirectory of the given directory '/'.
Windows: For Windows, you must specify the drive, such as C:\
Usage:
To monitor all files on the C drive, enter C:\ and mark the Monitor subdirectories checkbox.
To match any file with a .txt extension in C:\tmp, use C:\tmp\*.txt
GuardAPI examples: create policy with two rules
grdapi create_policy ruleSetDesc=policy1 isFam=true

grdapi create_fam_rule policyName=policy1 ruleName=rule1 serverHost="x.x.x.x" filePath="/famtest/*" command="DELETE"
actionName="Alert and Audit" notificationType="SYSLOG"
grdapi create_fam_rule policyName=policy1 ruleName=rule2 serverHost="x.x.x.x" filePath="/famtest/*" command="READ"
actionName="Alert and Audit" notificationType="MAIL"
policy1 -> rule1 -> "DELETE" -> "Alert and Audit" -> "SYSLOG"
policy1 -> rule2 -> "READ" -> "Alert and Audit" -> "MAIL"
GuardAPI examples: create policy with multi-Action Rule

Multi-Action Rule for FAM - Multi-action rules are comprised of multiple actions, each one is per a specified command category or a specified group. The commands
in a FAM context are: Read, Write, Delete, Execute and File Operation. If the system does not support Multi-Action Rules, it ignores the rule and continues to the
next rule.
grdapi create_policy ruleSetDesc=policy1 isFam=true

grdapi create_fam_rule policyName=policy1 ruleName=rule1 serverHost="x.x.x.x" filePath="/famtest/*"
add_action_to_fam_rule policyName=policy1 ruleName=rule1 command="DELETE, READ" actionName="Alert and Audit"
notificationType="SYSLOG"
add_action_to_fam_rule policyName=policy1 ruleName=rule1 command="WRITE" actionName="Alert and Audit" notificationType="MAIL"
policy1 -> rule1 -> "DELETE, READ" -> "Alert and Audit" -> "SYSLOG"
policy1 -> rule1 -> "WRITE" -> "Alert and Audit" -> "MAIL"
Adding another action using commandGroupId, assuming commandGroupId=20000 exists, and it has "DELETE, WRITE"
add_action_to_fam_rule policyName=policy1 ruleName=rule1 command="READ" commandGroupId=20000 actionName="Ignore"

notificationType=""
policy1 -> rule1 -> "READ, DELETE, WRITE" -> "Ignore"
FAM behavior with pre-V 10.1.2 S-TAP and V. 10.1.2 and higher Sniffer
Multi-action for FAM was introduced in V. 10.1.2. The pre-10.1.2 S-TAP does not support FAM multi-action, while V. 10.1.2 and higher Sniffer does support multi-
action. On the Sniffer side, the actions are accumulative of all actions specified.
For example, if the policy specifies Audit Only for READ command, and Block, Log Violations and Audit for DELETE command, then the DELETE command is blocked,
but not the READ command. However, both the READ command and the DELETE command will trigger audit, log violations and alerts even though the READ
command was Audit Only.
Parent topic: File Activity policies and rules
Create a FAM policy and its rules from scratch

Set up file activity monitoring by defining and managing policies and rules in the Policy Builder for Files window.
About this task

Once you open the Policy Builder for Files and additional views within the policy builder, you can toggle between the various views by clicking Policy Builder for Files, New
Policy and Create New Rule at the bottom of the page.
You can also create policies and rules using GuardAPI.
Procedure
1. On a standalone or MU, access the FAM policy builder, navigate to Protect > Security Policies > Policy Builder for Files.
2. Enter a name for the new policy. (You can save the policy once a rule is defined.)
3. To add existing rules to the policy.
a. Click Show Templates. The Rule Templates table opens.
b. Optionally filter the list with the filter function.
c. Select one or more rules and click the right arrow

4. To create a new rule.
a. Click to open the Create New Rule window.

b. Name the rule, define its attributes and click Save.
5. To modify an existing rule and add it to the policy.
a. Select the rule and click .
b. Click , change the name, modify the other attributes as relevant, and click Save.
6. Change the order of the rules using the
7. Delete a rule by selecting it and clicking delete rule.

8. Click Save to save the policy, or Save and Install to install the policy immediately. (See Installing Policies.

Creating a FAM policy rule from the Investigative Dashboard Entitlements tab
You can use the monitored data, such as datasource names, user names, actions, and file paths, in the Investigation Dashboard Results Table to create policy rules.
Before you begin

The FAM bundle must be installed and configured
Discovery and classification must be enabled
Investigation Dashboard must be enabled, see Enabling and disabling the Investigation Dashboard
About this task
Procedure
1. Choose File from the dropdown list in the product banner and click the search icon to open the Investigation Dashboard for file data.
2. Open the Results Table Entitlements tab. Click Details to see individual entries.
3. Choose one or more entries in the results that you want to use to populate a rule. You can use the Select all check box to include all the entries that are currently
displayed (not all the entries in the database).
4. Right-click and choose Add Policy Rule. The Build Rule dialog opens with values from the entries that you selected. If you selected multiple entries, a group is
created that contains the values from those entries. You can create a rule that is to be added to an existing policy, or create a new policy that includes your new rule.
Note: A overly broad rule (a rule that monitors too many files) will overload the system and increase processing and response time.
Note: A FAM rule can have more than one pattern in it. To protect both a directory and its contents, define a rule with two patterns /FAMtest/* and /FAMtest.
Note: When using FAM policy, setting a group to define monitored file paths requires either consideration of case sensitivity. Otherwise the group cannot be created
successfully. The workaround is to create two different FAM policy rules. Clarification - If strings defined as members of group are different without considering
case sensitive, the group can be created successfully. For example: 1. C:\ABC 2. C:\abcdef. If strings defined as members of group are same without considering
case sensitive, the group can NOT be created. For example: 1. C:\ABC 2. C:\abc So it is not required to input members with all upper case characters or all lower
case characters. Group builder is not case sensitive. However, in UNIX, which is case sensitive, the path /IBM/Guardium is different from the path /ibm/guardium. If
the user wants to monitor both of these paths, the current Group builder has a limitation and will not see it as the same path.
5. Choose datasources, actions, and criteria. Overwrite any values that you want to change. Click Edit to modify each field.
6. To create a new policy and install it, click Create and Install. To create the policy but not install it, click OK.
Monitor and Audit

After you identify your sensitive data and take steps to protect it, you must monitor activities that access this data. In many cases you can use the data that is generated
by monitoring to comply with audit requirements, either regulatory or internal.

Streamline the compliance workflow process by consolidating, in one spot, the following database activity monitoring tasks: asset discovery; vulnerability
assessment and hardening; database activity monitoring and audit reporting; report distribution; sign-off by key stakeholders; and, escalations.
Audit and Report
GuardiumÂ® organizes the data it collects into a set of domains. Each domain contains a different type of information relating to a specific area of concern: data
access, exceptions, policy violations, and so forth.
External Data Correlation
This topic describes the creation of custom tables for enterprise information that is needed in addition to existing Guardium internal data.
Privacy Sets
A privacy set is a collection of elements that can be used to do special monitoring.

Custom Alerting
Alert messages can be distributed via e-mail, SNMP, syslog, or user-written Javaâ„¢ classes. The last option is referred to as custom alerting.
Flat Log Process
The Flat Log option is a process to allow the Guardium appliance to log information without immediately parsing it in real time.
Build Expression on Query condition
Use the Add Expression icon, next to the Value, Parameter, Attribute selections, to enter Query Conditions including user-defined string and mathematical
expressions.
Database Entitlement Reports
Entitlement reviews are the process of validating and ensuring that users only have the privileges required to perform their duties.
User Identification
Guardium provides several methods to identify application users, when the actual database user is not apparent from the database traffic.
Value Change Auditing
The Value Change Auditing feature tracks changes to values in database tables.
Create an Audit Database
Create an audit database and perform value-change monitoring activities.
Monitored Table Access
This feature adds a â€œLast Assessedâ€ field to relevant tables, for interaction with Optimâ„¢ Designer data lifecycle products.
How to use PCI/DSS Accelerator to implement PCI compliance
Configure IBM Security Guardiumâ€™s PCI/DSS Accelerator and create a series of policies and reports, in order to meet PCI/DSS requirements.
Workflow Builder
The Workflow Builder is used to define customized workflows (steps, transitions and actions) to be used in the Audit Process.
Threat Detection Analytics
Guardium includes specialized threat detection analytics that scan and analyze audited data to detect symptoms that may indicate different types of database
attacks.
Investigation Dashboard
The Investigation Dashboard provides powerful tools for identifying and assessing problems that might exist in your Guardium environment. It uses either local or
system-wide unfiltered data, and provides numerous filter options to query data across an entire Guardium environment, potentially from any Guardium collector
within that environment.
Outliers Detection
Enable and start auditing outliers detection in two easy steps, letting Guardium do the work of identifying abnormal server and user behavior, and providing early
detection of possible attacks.
Data Protection Dashboard
The Guardium data protection dashboard provides a summary view of risk and compliance data intended for senior-level security officers.

Streamline the compliance workflow process by consolidating, in one spot, the following database activity monitoring tasks: asset discovery; vulnerability assessment and
hardening; database activity monitoring and audit reporting; report distribution; sign-off by key stakeholders; and, escalations.
Automate and integrate the following audit activities into a compliance workflow:
The ability to group multiple audit tasks (reports, vulnerability assessments, etc.) into one process.
Schedule these processes to run on a regular basis.
Run these tasks in the background.
Write the task results to a comma-separated value (CSV) file or ArcSight Common Event Format (CEF) file and/or forward the results to other systems using Syslog.
Add comments and notations.
Assign the process to its originator for viewing (he/she will get a new item in their To-Do list once the result is ready).
Assign the process for other users or to a group of users or a role.
Create the requirement that these assignees sign on the result.
Allow escalation of the result (assign to someone outside of the original audit trail).
Transform the management of database security from time-consuming manual activities performed periodically to a continuous, automated process that supports
company privacy and governance requirements, such as PCI-DSS, SOX, Data Privacy and HIPAA.
Export audit results to external repositories for additional forensic analysis â€“ Syslog, CSV/CEF files, external feed.
The Audit Process Log report, shows a detailed activity log for all tasks including start and end times. This report is available for admin users via the GuardiumÂ® Monitor
tab. Audit tasks show start and end times, however the start and end of Security Assessments and Classifications (which go to a queue) is the same.
The results of each workflow process, including the review, sign-off trails, and comments can be archived and later restored and reviewed through the Investigation
Center.
A compliance workflow automation process answers the following questions:
What type of report, assessment, audit trail, or classification is needed?

Who should receive this information and how are signoffs handled?
What is the schedule for delivery?
Further elements of the compliance workflow automation process include:
A process definition
A distribution plan, which:
Defines receivers, who can be individual users, user groups, or roles. (See Process Receivers.)
Defines the review/sign responsibility for each receiver.
Defines the distribution sequence by setting the Continuous flag.
A set of tasks (see Process Task Types)
A schedule - The audit process can be run immediately, or a schedule can be defined to run the process on a regular basis
Process Task Types

A workflow process may contain any number of audit tasks:
Reports, custom or pre-defined. Guardium provides hundreds of predefined reports, with more than 100 regulation-specific reports.
Security assessment report, The security database assessment scans the database infrastructure for vulnerabilities, and provides an evaluation of database and
data security health, with both real-time and historical measurements. It compares current environment against preconfigured vulnerability tests based on known
flaws and vulnerabilities, grouped using common database security best practices (like STIG and CIG1), as well as incorporating custom tests. The application
generates a Security Health Report Card, with weighted metrics (based on best practices) and recommends action plans to help strengthen database security.
An entity audit trail, A detailed report of activity relating to a specific entity is produced (for example, a client IP address or a group of addresses).
A privacy set, A report detailing access to a group of object-field pairs (a Social Security number and a date of birth, for example) is produced during a specified time
period.
A classification process, The existing database metadata and data is scanned, reporting on information that may be sensitive, such as Social Security numbers or
credit card numbers.
An external feed, Data can be exported to an external specialized application for further forensic analysis.
Note: The Optional External Data Feed is an optional component enabled by product key. If this feature has not been enabled, this choice will not appear in Audit
Task selection and the Feed Type list will be empty.
Workflow Processes, Central Management and Aggregation

On a Central Manager, reports can reference data from remote datasources (managed units). Audit processes that use these reports will be accessible from the Central
Manager only, and will not be visible from managed units.
Workflow Automation (audit processing) for the Aggregator server now includes the capability to create ad-hoc databases for each Aggregator task and specify only the
relevant days for that task.
Note: The ad-hoc databases for the Aggregation server may be kept in the system for up to 14 days (depending on the value of the CLI command, drop_ad_hoc_audit_db)
for post-run analysis by Guardium support services if required.
When defining reports in Audit Process, the number of days of the report (defined by the FROM-TO fields) should not exceed a certain threshold (one month by default). If
this threshold is exceeded, a run-time error will result when trying to run the audit task on the Aggregator.
It is permissible to create an audit task with a FROM-TO range that is wider than the max_audit_reporting value Â (set in CLI) because Audit processes defined on the
Aggregator may be run on managed collectors (when this aggregator is a manager). Audit tasks run on collector unit, do not have a max_audit_reporting limitation.
So, it is valid to save tasks beyond the allowed range, but you will get a Run Time Exception when the task is executed on the Aggregator.
The Audit Report threshold can be configured using the CLI command, show max_audit_reporting or store max_audit_reporting. There is no warning message when a
report is created with an invalid FROM-TO range. Instead a fixed message appears in the Task Parameters panel in the Audit Process setup menu screen (Tools/Audit
Process Builder. open up Audit Tasks to display Task Parameters). The fixed message is:
On aggregators, only reports not exceeding the allowed time range (CLI: max_audit_reporting) will be executed.
Note: When running a patch install, all audit processes are stopped.
Stop an audit process

Stopping an audit process can be performed only if the audit tasks have not been run or are running. Stopping an audit process will not execute any more tasks that have
not started. Stopping an audit process does not deliver partial results. The audit process stops and a stopped error message is the result. However, if tasks are complete,
stopping an audit process will not stop the sending of results.
Stop an audit process by using invoking GuardAPI (place the cursor on any line and double-click for a drill-down) from Comply > Tools and Views > Audit Process Log
report.
For any user, stopping an audit process, will display only the line belonging to that user (just the tasks, not all the details). An admin user can see all the details and can
stop anyone's audit processes. A user can only stop their own audit processes.
Note:
Queries using a remote source can not be stopped. Online reports using a remote source can not be stopped.
Stopping an audit processes does not apply to Privacy Sets Audit Tasks or External Feed Audit Tasks. If the Privacy Set or External Feed tasks have started, they will finish
even if the process is stopped.
Results Distribution
Audit process receivers will be notified via email and/or their To-Do list of pending audit process results. You can designate any receiver as a signer for a process, in which
case the results can optionally be held at that point on the distribution list, until that receiver electronically signs the results or releases them. Receivers can be individual
users, user groups, or roles.
Audit Process Summary

In the Audit Process Finder screen is the Audit Process Status Summary. This section contains information on scheduled audit processes, as well as results, receivers
outstanding and errors. This summary is a consolidation of data from multiple audit process reports.
There is also a button to delete any audit process results. See the Audit Process Finder screen. Look for the Results button, next to the Run Once Now button (choices of
View or Delete).
Delete audit process results, but track or log who deleted the report. The audit-delete role is used to track or log when an audit process result has been deleted. Users
with the audit-delete role can delete reports. Admin users can also delete reports. Tracking is done through the User Activity Audit Trail report.
Note: Audit process results from remote sources is limited to 100,000 results. To go beyond that limit, use the CLI command, store save_result_fetch_size (show
save_result_fetch_size).
Process Receivers

You can define any number of receivers for a workflow automation process, and you control the order in which they receive results. In addition, receivers can notify
additional receivers, using the Escalate function. It is also possible to run an audit process with no defined receivers. For example, an audit process with no receivers that
writes to syslog and has no need to review (or sign) the results.
Who can be a receiver?

On the Process Definition panel, the drop-down list of receivers includes all Guardium users, user groups, and roles (groups and roles are labeled as such). When a group
or role is selected, all users belonging to the group or having that role will receive the results.
If a group receiver is selected, and any workflow automation task uses the special run-time parameter ./LoggedUser in a query condition, the query will be executed
separately for each user in the group, and each user will receive only their results.
For example, assume that your company has three DBAs, and each DBA is in charge of a different set of servers. Using the Custom Data Upload facility, upload the areas of
responsibilities of each DBA (with server IPs) to the Guardium system, and correlate that to the database activity domain, and then use a report in this custom domain as
an audit task. If a user group that contains the three DBAs is designated as the receiver, each DBA will receive the report relevant for his or her collection of servers only.
If a group receiver is selected, and sign-off is required, each group member must sign the results separately (as explained earlier, each member of the group may be
looking at a different set of results).
A receiver can be solely an email address and results will be sent to that email address. When entering an email address, the user will be required to enter a user that will
be used to filter the data. The user must be the same user that is logged in or a user under the user that is logged in the data hierarchy.
If a role receiver is selected, only one user with that role will need to sign the results, and other users with that role will be notified when the results have been signed.
Note:
When a workflow event is created, every status used by that event can be assigned a role (meaning that events can only be seen by this role when in this status). Â When
an event is assigned to an audit process, it is important that every role that is assigned to a status of this event have a receiver on this audit process. Â Otherwise, it is
possible that an audit result row can be put into a status where none of its receivers are able to see this row or change its status.
If this is to occur, the admin user (who is able to see all events, regardless of their roles) would be able to see the row and change its status. Â However, if data level
security is on, the admin user may not be able to see this row. Â The admin user would need to either turn data level security off (from Global Profile) or have the
dataset_exempt role. It is important to configure the audit process so that all roles who must act on an event associated with this audit process are receivers of this audit
process.
email Notification
Optionally, receivers can be notified of new process results via email, and there are two options for distributing results via email:
Link Only Â - The email notification will contain a hypertext link to the results stored on the Guardium system. For the link to work, you must access your mail from a
system that has access to the Guardium system. See the following section for more information about email links.
Full Results - A PDF file or generated CSV file containing the results will be attached to the email, except for an Escalation that specifies a receiver not included in
the original distribution list, in which case no PDF or CSV file will be attached. When the Full Results option is selected, care must be taken, since sensitive and
private data may be included in the PDF or CSV file. When running an audit process, if there is a receiver with Full Results with CSV checked, it does not generate
CSV files for tasks of type Assessment, Classifier or External Feed. These task types also can not generate CSV/CEF/PDF files for export. Only for tasks of type
Report, Privacy Set or Entity Audit Trails, and if there is a receiver with Full Results via CSV checked, will CSV files be generated.
Note: When viewing audit results, if a generated PDF already exists, a Recreate PDF button will appear for the user to recreate and download the regenerated PDF.
Hypertext Links to Process Results

In email messages, there are conditions where links to process results on the Guardium system will not work. For example:
If you are accessing email from a location where you cannot normally access the Guardium system, the links will not work. For example, when out of the office, you
may have access to your email over the Internet, but not to your company's private network or LAN, where the system is installed.
If you have not accessed your email for a longer period of time than the report results are kept, those results will not be available when you click the link. For
example, if the results are kept for seven days but you have been on vacation for two weeks, your email may contain links to results older than seven days, and
those links will not work.
About Frozen Receivers Links

Once a process has been run, the existing receiver list is frozen, which means:
You cannot delete receivers from the list.

You cannot move existing receivers up or down in the list.
You can add receivers to end of the list at any time, and reposition the new receivers at that time.
If the Guardium user account for a receiver on the list is deleted, the admin user account (which is never deleted) is substituted for that receiver. Thus the admin
user receives any email notifications that would have been sent to a deleted receiver, and the admin user must act upon any results released to that receiver.
If you need to create a totally different set of receivers for an existing process, deactivate the original process, make a clone of it, and then make the modifications
to the receivers list in the cloned version before saving it.
How Results are Released to Receivers

Results are released to the Guardium users listed on the receivers list, subject to the Continuous check box, as follows:
If the Continuous check box is marked, distribution continues to the next receiver on the list without interruption.
If the Continuous check box is cleared, distribution to the next receiver is held until the current receiver performs the required action (review or sign).
For example, assume you want to define a workflow process as follows:
DBAs - All DBAs should receive their results at the same time, with each DBA receiving a different result set based on the server IPs associated with him/her
Only when ALL DBAs have signed, the DBA Manager should see the results
Only when DBA Manager releases the report, the Auditors should see the results

All Auditors should receive the reports at the same time, but only one of them (any of them) needs to sign each result. Â The others will be updated when a result
was signed.
An auditor can escalate a result to the Audit Manager.
To define this flow:
The DBAs group would be named as the first receiver

The DBA Manager would be next on the list.
The Auditors role (not group) would be next on the list. Any Auditor could sign and others will be notified. Also, any auditor can escalate a results set to the Audit
Manager.
Note: The results will only distribute to the next receiver when the current receiver has marked the Continuous button. This is completely separate from the
review/sign functionality and does not depend on the review/sign functionality all.
Note: Process results that are exported to CSV or CEF files are sent to another network location by the Guardium archiving and exporting mechanism. These results
are not subject to the receivers list or to any signing actions. They are subject to the Guardium CSV/CEF export schedule (if any is defined), and they are subject to
the access permissions that have been granted for the directory in which they are ultimately stored.
Exporting Audit Task Output to CSV, CEF or PDF Files

Reports containing information that can be used by other applications, or reports containing large amounts of data, can be exported to other file formats. Report, Entity
Audit Trail, and Privacy Set task output can be exported to CSV (Comma Separated Value) files, and output for database activity reports can be exported to an ArcSight
Common Event Format (CEF) file.
In addition, CEF and CSV file output can be written to syslog. If the remote syslog capability is used, this will result in the immediate forwarding of the output CEF/CSV file
to the remote syslog locations. The remote syslog function provides the ability to direct messages from each facility and severity combination to a specific remote system.
See the remotelog (syslog) CLI command description for more information.
Each record in the CSV or CEF file represents a row on the report.
The exported file is created in addition to the standard task output, it does not replace it. These files are useful when you need to:
Integrate with an existing SIEM (Security Incident and Event Manager) in your infrastructure (Qradar, ArcSight, Network Intelligence, LogLogic, TSIEM, etc.).
Review and analyze very large compliance task results sets. (Task results sets that are intended for Web presentation are limited to 5,000 rows of output, whereas
there is no limit to the number of rows that will be written to an exported CSV or CEF file.)
Exported CSV and CEF files are stored on the Guardium system, and are named in the format:
process_task_YYYY_MMM_DD-HHMMSS.<csv | cef>
Where process is a label you define on the audit process definition, task is a second-level label that you can define for each task within the process, and YYYY_MMM_DD-
HHMMSS is a date-time stamp created when the task runs.
You cannot access the exported CSV or CEF files directly on the Guardium system. Your Guardium administrator must use the CSV/CEF Export function to move these files
from the Guardium system to another location on the network. To access those files, check with your Guardium administrator to determine the location to which they have
been copied.
The fact that exported files are sent outside of the Guardium system has two important implications:
The release of these files is not connected to the results distribution plan defined for the audit process. These files are exported on a schedule defined by the
Guardium administrator.
Once the CSV/CEF Export function runs, all exported files will be available to anybody (Guardium user or not) who can access the destination directory defined for
the CSV/CEF Export operation. For this reason, your Guardium administrator may want to schedule additional jobs (outside of the Guardium system) to copy sets of
exported files from the Guardium CSV/CEF Export destination directory, to directories with appropriate access permissions.
CSV/CEF Export activity is available in the Aggregation/Archive Activity report.
Note: If observed data level security has been enabled, then audit process output (including files) will be filtered so users will see only the information of their assigned
databases. Files sent to an email receiver as an attachment will be filtered. However, files downloaded locally on the machine and then moved elsewhere using the Results
Export function are not subject to data level security filtering. See CSV/CEF Export later in this topic for further information on CSV/CEF Export.
The following table summarizes what happens when exporting an Audit Process file to CSV/CEF/PDF.
Table 1. Exporting Audit Task Output to CSV, CEF or PDF Files

Function Level CSV CEF PDF
Attach to email Receiver Full Details radio --> PDF check box N/A Full Details radio --> PDF check box
The radio buttons are only for receiver

PDF
Export file Task Export CSV file check box Export CSV file check box Export CSV file check box
Report empty and Approve if Receiver Export not affected (empty files will be Export not affected (empty files will be Export not affected (empty files will be
Empty = yes exported) exported) exported)
Attachment, no email attachment Attachment, no email attachment Attachment, no email attachment

Zip attachment Audit If no file generated, nothing to zip N/A If no file generated, nothing to zip
Process
Merge all CSVs into one ZIP file PDF is not zipped
Compress (export) Task Compressed, separate file for each Compressed, separate file for each PDF is not compressed
CSV file CSV file
How Zip for Email and Compress work for Audit Task Output
Zip for Email is the highest level of control for Audit Task Export. Zip for email produces a set of CSV or CEF files. PDF is not ever zipped and is not ever compressed.

Compress works on individual files.
Note: For CSV attachments, when Zip for Email is cleared, Compress can still be applied. And Compress can be per task. Thus one Audit Task may send a .csv file while
another may send a .csv.gz file, in the same email.
The interaction of Zip for Email and Compress is as follows:
With Zip for email checked (regardless of whether Compress is also checked), the attachment is one zip file of CSV files.
With Zip for email not checked, and Compress checked, the attachment is a set of csv.gz files.
With Zip for email not checked, and Compress not checked, the attachment is a set of csv files.
With Compress checked, Download All will be csv.gz.
With Compress cleared, Download All will be csv.
With Compress checked or cleared, Download displayed will still be csv.
With Compress checked, export of CSV/CEF files will be gzipped.
With Compress cleared, export of CSV/CEF files will not be gzipped.
Export to SCAP or AXIS

In the Audit Process Definition, in the section on Add New Task, when choosing a Task Type of Security Assessment, a number of choices will appear: Export AXIS xml and
Export SCAP xml. Choose one of these selections in order to save the Audit Process results and to transfer the XML file to the destination set up for Results Export
(Manage > Data Management > Results Export (Files)). Further choices are for configuring the PDF format: Report, Difference, Report and Difference.
SCAP is Security Content Automation Protocol. AXIS is Apache EXtensible Interaction System and is used by QRadar.
Creating or Changing Reports

Use the Report Builder to create or customize reports, including customization such as applying highlight colors to rows. To open the Report Builder, navigate to Reports >
Report Configuration Tools > Report Builder.
Create an Audit Workflow Process

1. Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder.
2. Click the New button to open the Audit Process Definition panel The Audit Process Definition panel is divided into three sections: General, Receivers and Tasks.
3. Go to the Tasks section first. You must define at least one audit task before you can save the process. Work your way through each task in setting choices. Perform
the appropriate procedure for each audit task you want to include in the audit process. The task choices detailed in this section are:
Define a Report Task
Define a Security Assessment Task
Define an Entity Audit Trail Task
Define a Privacy Set Task
Define a Classification Process Task
Define an External Feed Task
4. Go to the Receivers section. Open the drop-down box and add the receivers for the process. See Add Receivers. Checkoffs are needed to determine action required,
additions to To-do list, notification via email notifications and continuous distribution. Again see Add Receivers for complete information in setting these choices.
5. Go to the General section. Enter a name in the Description box. Do not include apostrophe characters.
6. Check the Active box to associate a schedule with this process.
7. Mark the Archive Results box if you want to store the results offline after the retention period has expired. When results have been archived, you can restore them
to the system for viewing again, later.
8. Use the Archive Result purge before Reviewed box to delete the results of an ad-hoc process without holding until all reviewers had reviewed, all sign-offs have
taken place, all workflow activities have been met. This feature gives the user an option of deleting results in a specified period of time (such as 1-day) whether the
results have been reviewed or not.
9. In the Keep for a minimum of (n) days or (n) runs boxes, specify how long to keep the results, as either a number of days (0 by default) or a number of runs (5 by
default). After that, the results will be archived (if the Keep for a minimum box is marked) and purged from the system.
Note: Results will only be shown if there are receivers for the results. Add receivers, re-run the results and the run will now show up in the dropdown list.
10. If one or more tasks create CSV or CEF files, you can optionally enter a label to be included in all file names, in the CSV/CEF File Label box. These files can also be
compressed, or Zipped, by clicking on the Zip for mail box to add a checkmark.
Note: There is a limit on export of CSV/CEF file sizes greater than 10240 MB (10.240 GB). It is a recommended best practice to check the box Zip for mail.
11. The Email Subject field in the Audit Process definition is used in the emails for all receivers for that audit process. The subject may contain one (or more) of the
following variables that will be replaced at run time for the subject:
%%ProcessName will be replaced with the audit process description
%%ExecutionStart will be replaced with the start date and time of the first task.
%%ExecutionEnd will be replaced with the end date and time of the last task.
Upon entering a subject, it will check whether any variable (starting with %% is present) and will ensure all are valid variables.
12. Optionally assign security roles.

13. Optionally add comments.
14. Click the appropriate buttons to Schedule or Run an Audit Workflow Process.
15. Click Save. Do not leave this menu screen to perform another configuration before saving your work. Work-in-progress is not saved and not held in half-created
suspension if you leave this section to go create something else needed for the audit task.
For example, to define an assessment task in Audit Process Builder, it is first necessary to go to Security Assessment Builder to create assessment tests and then to
Datasource Definitions to identify the database(s) to be assessed. Save your work when creating Audit Workflow and then go to other tasks or perform those other
tasks first and then create the Audit Workflow Process.
Add Receivers
1. In the Receiver column, select a receiver from the drop-down list of Guardium individual users, groups, or roles. If you select a group or a role, all members of the
group or users with that role will receive the results; and if signing is required, only one member or user will need to sign the results.
2. In the Action Required column, select one option:
Review (the default) - Indicates that this receiver does not need to sign the results.
Review and Sign - Indicates that this receiver must sign the results (electronically, by clicking the Sign Results button when viewing the results online).

3. In the To-Do List column, either mark or clear the Add check box to indicate whether this receiver should be notified of pending results in their Audit Process To-Do
List.
Note: To send files on an external server without sending email and without adding results to the to-do list, define an audit process without receivers. Also clear the
to-do list check box in the Add Receiver section and remove/ do not add any receiver in the receiver section in order not to add results to To-do list.
4. In the Email Notification column, select one option:
No - email will not be sent to the receiver.
Link Only - email will contain a hypertext link to the results (on the Guardium system).
Results - email will contain a copy of the results in PDF or CSV format. Be aware that the results from Classification or Assessment tasks may return sensitive
information.
5. The check box in the Continuous column controls whether or not distribution of results continues to the next receiver (the default), or stops until this receiver has
taken the appropriate action. If the Continuous box is cleared, and this receiver is a group or a role, when any user who is a member or that group or role performs
the selected action, the results will be released to the next receiver on the list.
Note: The results will only distribute to the next receiver when the current receiver has marked the Continuous button. This is completely separate from the
review/sign functionality and does not depend on the review/sign functionality all.
6. Click Add to add the receiver to the end of the list, and repeat these steps for each receiver. One receiver is required.
7. Receivers who are not users are permitted. Choose: Email and then enter an email address, and the results will be sent to that email address. When entering a non-
user email address, there is a requirement that a user name that will be used to filter the data. The user must be the same user that is logged in or a user under the
user that is logged in the hierarchy. This user will be saved in a new column in the Receivers section of the screen.
8. Approve if Empty - When this check box is checked, if all the reports of the task are empty, it will do the following: automatically sign the result (and/or mark it as
viewed); automatically click Continue (if relevant); will NOT send the notification email; will NOT add the task to the To-Do list of that user; Â will NOT generate any
PDF/CSV/CEF files. With this check box, empty audit results will be signed automatically and the results will still look like any other complete (viewed/signed) audit
results when looking at the audit result logs. This action will apply to empty reports and the empty security assessment results. See table summarizing what
happens when Approve If Empty = YES in the section Exporting Audit Task Output to CSV, CEF or PDF Files.
Export a CSV or CEF File

Report, Entity Audit Trail, and Privacy Set audit task output can be exported to CSV files, and Report audit task output can be exported to a CEF file. From the Report, Entity
Audit Trail or Privacy Set section under Audit Tasks, work through the following:
1. Select title.
2. Enter an optional label for the file in the CSV/CEF File Label box. The default is from the Description for the task. This label will be one component of the generated
file name (another will be the label defined for the workflow automation process).
3. Mark either Export CSV file or Export CEF file.
Note: CEF file output is appropriate for data access domain reports only (Access, Exceptions, or Policy Violations, for example). Other domains like the Guardium
self-monitoring domains (Aggregation/Archive, Audit Process, Guardium Logins, etc.) do not map to CEF extensions.
4. If Export CEF file was selected, optionally mark the Write CEF to Syslog box to write the CEF records to syslog. If the remote syslog facility is enabled, the CEF file
records will thus be written to the remote syslog.
5. If the Compress box is checked, then the CSV/CEF files to be exported will be compressed.
6. If the Export PDF file box is checked, then a PDF file (with similar name as CSV Export file) for this Audit Task is created and exported together with the CSV/CEF
files.
Note: The Export PDF file will not be compressed, even if the Compress box in the previous step is checked.
Define a Report Task

If you have not yet started to define compliance workflow automation process, create a workflow process before performing this procedure. If the report to be used has
not yet been defined, do that first.
1. If the Add New Task pane is not open, click Add Audit Task.
2. Click the Report radio button.
3. There a number of choices for CSV/CEF File Label, Export CSV/CEF, Export PDF, Write to Syslog, and Compress. See Export a CSV or CEF File.
4. The selection of PDF Options are: Report (the current results), Diff (difference between one earlier report and a new report) and Reports and Diff (both).
Note: The selection of PDF Options applies to both PDF attachments and PDF export files. The Diff result only applies only AFTER the first time this task is run.
Â There is no Diff with a previous result if there is no previous result. The maximum number of rows that can be compared at one time is 5000. If the number of
result rows exceeds the maximum, the message
(compare first 5000 rows only)
will show up in the diff result.

5. Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
6. Click Apply.
API for automatic execution

By default, the Guardium application comes with setup data that links many of the API functions to reports, providing users, through the GUI, with prepared calls to APIs
from reporting data. Use API Assignment in Reports to link additional API functions to predefined Guardium reports or custom reports. The menu choice API for automatic
execution will appear in the Add Audit Task: Report when selecting an appropriate predefined Guardium report or custom report that have fields in the report that are
linked to API parameters. Examples of predefined reports where the API for automatic execution menu choice will appear are Access Policy Violations, Databases
Discovered, and Guardium Group Details.
Workflow Builder
The formal sequence of event types created in Workflow Builder is managed by clicking on the Event and Additional Column button in the Audit Tasks window. This button
will appear after an audit task has been created and saved. This additional button will not appear until the audit task is saved. Configure these workflow activities when
Adding An Audit Task:
1. Create and save an Audit Task. After saving, an additional button will appear, Events and Additional Columns.
2. Click this additional button.
3. At the next screen, place a checkmark in the box for Event & Sign-off. The workflow created in Workflow Builder will appear as a choice in Event & Sign-off.
4. Highlight this choice. Apply (save) your selection.
5. If additional information (such as company codes, business unit labels, etc.) is needed as part of the workflow report, add this information in the Additional Column
section of the screen and then click Apply (save). In order to select the predefined or created groups column, change the Type column to Group. When done, close

this window.
6. Apply (save) your Audit Task. Apply (save) the entire Audit Process Definition.
This Event and Additional Column button appears in all audit tasks. By placing the cursor over this button, an information balloon will appear telling the user if the audit
task has an Event or a Sign-off column linked to the specific audit task.
Note:
If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.
Under the Report choices within Add an Audit Task are two procedural reports, Outstanding Events and Event Status Transition. Add these two reports to two new audit
tasks to show details of all workflow events and transitions Â These two reports will not be filtered (observed data level security filtering will not be applied). These two
reports are available by default in the list of reports only to admin user and users with the admin role.
The Additional Columns button is disabled for Classification tasks.
Clone an Audit Task - If you are cloning a process, and you made changes to a cloned task before the cloned process is saved, the workflow associated with the original
task will not be cloned.
Deletion of a event status is permitted only if the status is not in the first status of any events, and if it not used by any action. The validation will provide a list of
events/actions that prevent the status from being deleted.
The owner/creator of a workflow event can always see all statuses of this event, regardless of what roles have been assigned to these statuses. Â
Define a Security Assessment Task

f you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure. If the assessment to be used
has not yet been defined, do that first.
2. Click the Security Assessment button.
3. Select a security assessment from the Security Assessment list.
4. The selection of PDF Content are Report (the current results), Diff (difference between one earlier report and a new report) and Reports and Diff (both).
5. Click Apply.
Note:
If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.
If a security assessment task Â is empty (for example, a security assessment with a set of no roles), this empty security assessment will not show up in the drop-down list
in Audit Builder.
Define an Entity Audit Trail Task

If you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure.
2. Click the Entity Audit Trail button.
3. Select the type of entity to be audited. Depending on the type selected, you will be required to supply the following information:
Object: Enter an object name.
Object Group: Select an object group from the list.
Client IP: Enter a client IP address.
Client Group IP: Select a client IP group.
Server IP: Enter a server IP address.
Application User Name: Enter an application user name.
4. There a number of choices for CSV/CEF File Labels, Write CEF to Syslog, Compress and Export PDF. See Export a CSV or CEF File.
5. In the Task Parameters pane, supply run-time parameter values (only the From and To periods are required).
6. Click Apply.
Note: If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.
Define a Privacy Set Task

f you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure. If the privacy set to be used
has not yet been defined, do that first.
2. Click the Privacy Set button.
3. Select a privacy set from the Privacy Set list.
4. Select either Report by Access Details or Report by Application User to indicate how you want the results sorted and displayed.
5. There a number of choices for CSV/CEF File Labels, Write CEF to Syslog, Compress and Export PDF. See Export a CSV or CEF File.
6. Enter starting and ending dates for the report in the Period Start and Period End boxes.
7. Click Apply.
Define a Classification Process Task

If you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure. If the classification process
to be used has not yet been defined, do that first.
2. Click the Classification Process button.

Note: You will be alerted that classification processes may return sensitive data, and those results will be appended to PDF or CSV files.
3. Select a classification process from the Classification Process list. Click Apply.
Define an External Feed Task

This type of workflow automation task feeds data collected by Guardium to an external application, mapping the data to a format recognized by that application. This task
type is an extra-cost feature, enabled by a patch.
Note: If this feature is used in a Central Manager environment, the External Feed Patch must be installed on the Central Manager, and on all managed units on which the
task will run.
For more information about how the data is mapped from Guardium to the external application, refer to the documentation for the option that was purchased.
If you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure.
2. Click External Feed.
3. Select a feed type from the Feed Type list.
4. The controls that appear next depend on the feed type selected. See Optional External Feed for additional information on specific External Feed Types.
5. Select an event type from the Event Type list.
6. Select a report from the Report list. Depending on the report selected, a variable number of parameters will appear in the Task Parameters pane.
7. In the Extract Lag box, enter the number of hours by which the feed is to lag, or mark the Continuous box to include data up to the time that the audit task runs.
8. In the Datasources pane, identify one or more datasources for the external feed.
9. Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
10. Click Apply.
View or Sign Results

1. Open the Compliance Workflow Automation results.
2. If signing is required, click the Sign Results button.
3. Optional. To forward these results to another user, click Escalate, and see Forward Results to Additional Receivers (in Escalation section).
4. Click Close this window link.
Note: If there are outstanding events, then the results can not be signed either from the audit viewer or from the To-do list. If there are outstanding events and an attempt
is made to sign the results, the following message appears:
Audit process cannot be signed - has pending events.
Please update all outstanding events prior to signing this result.
Note: When viewing audit process results, if a result has events associated with it, the Sign Results button is not available on this result until all events are in a Final state
or cannot be seen by this user (due to data-level security).
Note: This report also contains a date or Last Action Time, located in a column between Receiver and Status. This report shows that the result was signed by user AAA, but
also when this user AAA signed this result.
Release Results without Signing or Viewing

1. Open your To-Do List panel.
2. Click the Continue button for the results you want to release to the next receiver on the distribution list.
View Results Distribution

1. Open the compliance workflow automation results.
2. Expand the Distribution Status panel by clicking the (Show Details) button.
View Receiver Comments Added to Results

1. Open the compliance workflow automation results.
2. Expand the Comments panel by clicking the Show Details button.
Note: These are the comments that were attached to the results when the report page was retrieved from the Guardium system. If you add comments of your own,
or if other receivers are adding comments simultaneously, you will not see those comments until you refresh your page (using your browser Refresh function).
Escalate Process Results

A receiver of process results can forward the results notification for review and/or sign-off to additional receivers. If you escalate the results to a receiver outside of the
original audit and sign-off trail, and the results include a CSV file, that file will not be included with the notification.
Regardless of who is a receiver of an audit result, an escalation can involve any user on the system, provided the Escalate result to all users box is checked in the Setup >
Tools and Views > Global Profile menu. A check mark in this box escalates audit process results to all users, even if data level security at the observed data level is
enabled. The default setting is enable. If the check box is disabled (no check mark in the check box), then audit process escalation will only be allowed to users at a higher
level in the user hierarchy. If the check box is disabled, and there is no user hierarchy, then no escalation is permitted.
Also, depending on event permissions, if for example, the infosec user can only see events in status1 and dba user can only see events in status2, the dba user will receive
a different result than the result the infosec user saw when the infosec user clicked Escalate. Â It is possible that infosec will escalate to dba, and dba will receive an audit
result with 0 rows in it.
1. If the compliance workflow automation results you want to forward are not open, open them now.

2. Click Escalate.
3. Select the receiver from the Receiver list.
4. In the Action Required column, select Review (the default) or Review and Sign.
5. Click the Escalation button to complete the operation.
Note:
Audit process results cannot be escalated to a group of users, only to users or roles.
When escalating to an user who already has the result in the user's to-do list, a popup message will appear, asking if an additional email should be sent. If yes, an
additional email will be sent to the user, but the to-do list will not be incremented.
Schedule or Run a Compliance Workflow Automation Process

2. Select the process from the Process Selection List.
3. Click Modify to open the Audit Process Definition panel.
4. To run the process once, click Run Once Now, or to define a schedule for the process, click Modify Schedule.
Note: After a schedule has been defined for a process, the process runs according to that schedule only when it is marked active. To activate or deactivate an audit
process, see the next section.
Activate or Deactivate a Compliance Workflow Automation Process

After a schedule has been defined for an audit process, it runs according to that schedule, only when it is marked active.
To activate or deactivate an audit process:
2. Select the audit process from the Process Selection List.
3. Click Modify.
4. In the Audit Process Definition panel, mark the Active box to start running the process according to the schedule; or clear the Active box to stop running the process
(ignoring any schedule defined).
Note: If you are activating the process but there is no schedule, click Modify Schedule to define a schedule for running the process.
5. Click Save.
How to create an Audit Workflow

Create an audit process workflow that generates a pre-defined report on a pre-set schedule, assigns the report to the database administrator for review and sign-
off, and facilitates the reviewed report being sent to a supervisor for an additional review and signoff.
Open Workflow Process Results
Use View to see the Workflow Process Results
How to distribute workflow through Guardium groups
Using the receiver group option, define a single Compliance Workflow audit process that will send different results to different Guardium users based on a pre-
defined, custom mapping.
Audit Process To-Do List
This topic describes the Audit Process To-Do List and the steps required to open and use it.
Parent topic: Monitor and Audit
How to create an Audit Workflow

Create an audit process workflow that generates a pre-defined report on a pre-set schedule, assigns the report to the database administrator for review and sign-off, and
facilitates the reviewed report being sent to a supervisor for an additional review and signoff.
About this task

Automate the workflow steps of the audit process of the customer.
See the Compliance Workflow Automation topic for additional information on this subject.
Procedure
1. Open the Audit Process Finder by navigating to Comply > Tools and Views > Audit Process Builder.
2. Click the New button to open the Audit Process Definition panel.
The Audit Process Definition panel is divided into three sections: General, Receiver Table, and Audit Tasks.

Audit Process Builder menu screen
3. Go to the General section. Enter a name in the Description box. Do not include apostrophe characters.
4. Check the Active box to associate a schedule with the process. At least one audit task must be defined before you can save the process.
5. Mark the Archive Results box if you want to store the results offline after the retention period has expired. When results have been archived, you can restore them
to the appliance for viewing again, later.
6. In the Keep for a minimum of (n) days or (n) runs boxes, specify how long to keep the results, as either a number of days (0 by default) or a number of runs (5 by
default). After that, the results will be archived (if the archive box is marked) and purged from the appliance.
7. If one or more tasks create CSV or CEF files, you can optionally enter a label to be included in all file names, in the CSV/CEF File Label box. These files can also be
compressed, or Zipped, by clicking on the Zip CSV for mail box to add a checkmark.
8. The Email Subject field in the Audit Process definition is used in the emails for all receivers for that audit process. The subject may contain one (or more) of the
following variables that will be replaced at run time for the subject:
%%ProcessName will be replaced with the audit process description
%%ExecutionStart will be replaced with the start date and time of the first task.
%%ExecutionEnd will be replaced with the end date and time of the last task.
Upon entering a subject, it will check whether any variable (starting with %% is present) and will ensure all are valid variables.
9. Go to the Receivers section. Open the drop-down box and add the receivers for the process. See Add Receivers in the Compliance Workflow Automation topic for
further information. Checkoffs are needed to determine action required, additions to To-do list, notification via email notifications and continuous distribution.
Again, see Add Receivers for complete information in setting these choices. In this example, do not check the continuous boxes for the receivers. If the Continuous
checkbox is marked, distribution continues to the next receiver on the list without interruption. If the Continuous checkbox is cleared, distribution to the next

receiver is held until the current receiver performs the required action (review or sign). In this example, the DBA needs to view and sign the report before it goes to
the Supervisor.
10. Go to the Tasks section. You must define at least one audit task before you can save the process.
11. Define a Report Task.
a. If the Add New Task pane is not open, click Add Audit Task (see illustration).
b. Click the Report button.
c. Optionally create CSV or CEF file output and write to Syslog.
d. Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
e. Click Apply.
Audit Task â€“ Report
12. Optionally assign security roles.

a. Open or select the item to which you want to assign one or more security roles (a report definition, for example).
b. Click the Roles button.
c. In the Assign Security Roles panel, mark all of the roles you want to assign (you will only see the roles that have been assigned to your account).
d. Click Apply.
13. Optionally add comments
14. Click the appropriate buttons to Schedule or Run an Audit Workflow Process (see link)
15. Click Apply.
16. Schedule or Run a Compliance Workflow Automation Process
Open the Audit Process Finder by navigating to Comply > Tools and Views > Audit Process Builder.
a. Select the process from the Process Selection List.
b. Click Modify to open the Audit Process Definition panel.
c. To run the process once, click Run Once Now, or to define a schedule for the process, click Modify Schedule.
Note: After a schedule has been defined for a process, the process runs according to that schedule only when it is marked active.

17. Sign-off and Review of Report
After the report has run, distribution status can be observed from the report. In the example, the DBA has viewed and signed the report and the supervisor has not.
Distribution Status
The Audit Process Log report shows a detailed activity log for all tasks including start and end times. This report is available by navigating to Reports > Guardium
Operational Reports > Audit Process Log. Audit tasks show start and end times.
Example of Audit Process Log
Parent topic: Building audit processes
Open Workflow Process Results

Use View to see the Workflow Process Results
Do one of the following:
Open your Workflow Automation To-do List (see Audit Process To-Do List) and click View for the results set you want to view or sign.
If you have received an e-mail notification containing hypertext links to your To-Do List or the results, click one of those links to open your To-Do List or the results
directly from the e-mail. You must have access to the Guardium system at the location from which you are accessing your e-mail (or these links will not work). If you
are not logged in, you will be prompted to log in to the Guardium system.
Note: When you register a new managed unit to a central manager, you might be unable to view audit results. The application does not show results that have a timestamp
before the managed unit was registered to the central manager. The timestamp of the registration uses the central manager time, and the timestamp of the audit result
uses the managed node time. So, if the central manager time is ahead of the managed unit time, results generated on the managed unit are not visible until the managed
unit time passes the time of registration. This should happen in no more than 24 hours, possibly less depending on the locations of the two machines. You should be able
to view the results of audit processes on the managed unit within 24 hours of registration.
How to distribute workflow through Guardium groups

Using the receiver group option, define a single Compliance Workflow audit process that will send different results to different Guardium users based on a pre-defined,
custom mapping.
Value-added: Setup a single audit process and distribute the appropriate results to the appropriate manager. This saves having to create separate audit processes for
separate receivers.

IBM Security Guardiumâ€™s Compliance Workflow Automation automatically delivers reports, classification results, and security assessment results to Guardium users
on a scheduled basis. Result receivers can be defined as Guardium users, Guardium roles or user groups.
For example, consider a large organization that has fifteen DBA managers that need to review the activities for the DBAs they manage without viewing the activities of the
other managerâ€™s DBAs. One solution would be to setup fifteen separate audit processes; one for each manager. This would take a lot of time to configure and it is
difficult to manage: Each audit process needs to be scheduled separately and any global change would need to be made individually for all fifteen audit processes.
The user group distribution method, on the other hand, permits the setup of a single audit process and distributes the appropriate results to each manager based on a
manager/DBA mapping. This process requires more upfront configuration but reduces to maintenance time. Only one audit process needs to be scheduled and changes
only need to be applied in one location.
User mapping
The first step in the process is to map the users to the data elements within Guardium that will be the basis for report distribution. The example that will be used in this
document will be based on objects, but you can apply these concepts with any data element within Guardium.
Example: Three users have responsibility over three different sets of tables, based on audit requirements (PCI, HIPPA, and CCI) within a database server, as follows:
Table 1. User with Table/Object

User Table/Object
User01 db2inst1.cc_numbers
User01 db2inst1.ccn
User02 db2inst1.ADDRESSES
User02 db2inst1.SSN_NUMBERS
User02 db2inst1.G_CUSTOMERS
User02 db2inst1.G_EMPLOYEES
User02 db2inst1.G_FUNDS
User03 db2inst1.doctor
User03 db2inst1.medicare
User03 db2inst1.med_history
This table must be added as a custom table within Guardium, either manually or through a data upload. The following steps demonstrate how to create a custom table
manually. The screenshots are from the â€œadminâ€ user interface, but they can also be accessed from within the â€œuserâ€ user interface.
1. Navigate to Reports > Report Configuration Tools > Custom Table Builder and press the Manually Define button.
2. At the Custom Table Builder screen, define the table layout. Make sure that Group Type matches the correct data element in Guardium. Press Apply and Back
when complete.
3. Press Edit Data to manually add the records. Note, if you have a large amount of data, choose Upload Data to import from an external data source.

4. Press Insert.
5. Enter each combination of values and press Insert until you have added all of the required records.
6. When complete, press the Query button to review the data.
7. Press return when complete.

Custom Domains
Next, join this custom table to the Guardium table structure using Custom Domains.
1. Navigate to Reports > Report Configuration Tools > Custom Domain Builder. Highlight [Custom] Accessand press Clone.
2. In the Custom Domain Builder:
a. Highlight the new table created under Available entities.
b. Highlight the table under Domain entities to which you would like to join the custom table.
c. Under Join condition choose the fields on each table on which to create the join and press Add Pair.

3. Press the arrows (>>) button to move the custom table from Available entities to Domain entities.
4. Press the Detail button to review the joins.
5. Confirm that the joins are correct and press Close.

6. Press Apply to save the new custom domain.
Custom Report
Next, create a report to distribute to the users.
1. Navigate to Reports > Report Configuration Tools > Report Builder and select the new domain from the Domain drop-down menu.
2. Press New.
3. Enter a Query Name and Main Entity and press Next.

4. Create a new report with a run-time parameter for the user field created in the custom table.
User Group
Create a new group of â€œGuardium Usersâ€ based on the custom table.
1. Navigate to Setup > Tools and Views > Group Builder and create a new group with Guardium Users as the Group Type.
2. Add all of the users from the custom table.

Audit Process
1. Create a new Audit Process.
2. Choose the group created in User Group as the Receiver
3. Choose the custom report created in step 4 as the task.
4. In the run-time parameter, enter the special tag â€œ./LoggedUserâ€ . This will cause the results to be distributed based on the custom mapping.
5. Press Run Once Now to run the Audit Process
When the audit process completes, each receiver should a different result set based the mapping:

Users
User01
User02
User03

Audit Process To-Do List

This topic describes the Audit Process To-Do List and the steps required to open and use it.
There are several ways to open the Audit Process To-Do List, including:
Click the icon in the page banner.

Navigate to Comply > Tools and Views > Audit Process To-Do List.
If you received an email notification, click the To-Do List link to open your To-Do List. Alternatively, click the report link to open the results. In either case, you must
be accessing your email from a location where the GuardiumÂ® system can be accessed.
The following steps describe how to use the Audit Process To-Do List:
1. Select the user whose To-Do list you want to open, either by opening up the drop-down menu or clicking Search Users. You will be informed if the list is empty.
2. As an administrator, you can perform any actions on any to-do list entry. Any actions you perform are logged, indicating that the action was performed on behalf of
the user by the administrator.
3. The choices available per to-do list entry are View, Download as PDF and Sign viewed results.
The selection of PDF Content are: Report (the current results), Diff (difference between one earlier report and a new report) and Reports and Diff (both).
Note: The selection of PDF Content applies to both PDF attachments and PDF export files. The Diff result only applies only AFTER the first time this task is run.
Â There is no Diff with a previous result if there is no previous result. The maximum number of rows that can be compared at one time is 5000. If the number of
result rows exceeds the maximum, the message compare first 5000 rows only will show up in the diff result.
4. Click on the icon of arrows circling to Refresh the set.
Note: To send files on an external server without sending email and without adding results to the to-do list, define an audit process without receivers. Also clear the to-do
list checkbox in the Add Receiver section and remove/ do not add any receiver in the receiver section in order not to add results to To-do list.
To-Do Lists and Data Level Security

The To-Do list has a pull-down menu to see the to-do lists of other users. Unlike the pull-down menu of users with role admin, the pull-down menu for the rest of the users
will include ONLY users under the current user in the Data Level Security (DLS) hierarchy. If the user has the exempt role, then all the users are shown in the pull-down
menu. Users with role admin can see all users in the pull-down menu.
When a user accesses another user's results, the data presented in the report is filtered according to the Data Level Security and the role of the user selected (for example,
in the case of a custom workflow, the data is filtered according to the role of the user selected and the status defined for that role).
If a user with role admin accesses a result of a user that is UNDER in the hierarchy, then it behaves as explained in the previous paragraph. If administrator accesses a
result of a user which is NOT under in the hierarchy, then it will show the result using the Data Level Security of the administrator and will show for all roles.
When a result is added to a user's to-do list because a change in a status of an event, if the result was not in the to-do list previously, then an email is sent to the user. The
email will not contain a PDF, just a notification and link.
If a user goes to some other user's to-do list, a message will indicate which user is determining the DLS filtering.
Audit and Report

GuardiumÂ® organizes the data it collects into a set of domains. Each domain contains a different type of information relating to a specific area of concern: data access,
exceptions, policy violations, and so forth.
All domains and their contents are described in the Domains, Entities, and Attributes appendix.
There is a separate query builder for each domain, and access to each query builder is controlled by security roles. Regardless of the domain, the same general-purpose
query-builder tool is used to create all queries. For detailed instructions on how to build queries, see Queries. Â Â
In addition to the standard set of domains, users can define custom domains to contain information that can be uploaded to the Guardium appliance. For example, your
company might have a table relating generic database user names (hr23455 or qa4872, for example) to real persons (Paula Smith, John Doe). Once that table has been

uploaded, the real names can be displayed on Guardium reports, from the custom domain. For more detailed information on how to define and use custom domains, see
External Data Correlation.
External Data Correlation

This topic describes the creation of custom tables for enterprise information that is needed in addition to existing GuardiumÂ® internal data.
Many customers have valuable information in many different databases in their environment. Â It is extremely useful for an audit report, to correlate relevant information
need to make these reports easy and useful to understand. Â The External Data Correlation allows you to create custom tables on the Guardium appliance for enterprise
information that is needed in addition to the existing Guardium internal data. You can do this either manually within the GUI or based on an existing table on a database
server. Queries and reports can then be created for this information just as if it were predefined data.
There is a distinction between a custom table, a custom domain, and a custom query.
For example, perhaps a table exists on a database servers containing all employees, their database usernames, and the department to which they belong (for example,
Development, Financial, Marketing, HR, etc.). Â If you upload this table and all its data, you could cross-reference this table with Guardium's internal tables to see, for
example, which employees from Marketing are accessing the financial database (which may constitute a suspicious activity).
To access Data Mart help, Click Data Mart.
Custom Tables
A custom table contains one or more attributes that you want to have available on the Guardium appliance. For example, you may have an existing database table relating
encoded user names to real names. In the network traffic, only the encoded names will be seen. By defining a custom table on the Guardium appliance, and uploading
data for that table from the existing table, you will be able to relate the encoded and real names.
Before defining a custom table, first verify that the data you need from the existing database is a supported data type. A data type is supported if it is taken as one of the
following SQL type by the underlying JDBC driver: INTEGER, BIGINT, SMALLINT, TINYINT, BIT, BOOLEAN, DECIMAL, DOUBLE, FLOAT, NUMERIC, REAL, CHAR, VARCHAR,
DATE, TIME, TIMESTAMP. The following table summarizes some of the supported and unsupported data types for uploading to a custom table.
Supported and Unsupported Data Types for Custom Tables

Use this table to see what supported and unsupported data types exist for certain databases.
Table 1. Supported and Unsupported Data Types for Custom Tables

Databases Supported Data Types Unsupported Data Types
Oracle float number char varchar2 date nchar nvarchar2 long clob raw nclob longraw bfile rowid urowid blob
DB2Â® char varchar bigint integer smallint real double decimal date time blob clob longvarchar datalink
timestamp
Sybase char nchar varchar nvarchar int smallint tinyint datetime smalldatetime text binary varbinary image timestamp
MS SQL bigint bit char datetime decimal float int money nchar numeric nvarchar text
real smalldatetime smallint tinyint smallmoney varchar unique identifier
InformixÂ® char nchar integer smallint decimal smallfloat float serial date money text
varchar nvarchar datetime
MY SQL bigint decimal int mediumint smallint tinyint double float date datetime longtext tinyblob tinytext blob text mediumblob mediumtext longblob
timestamp time year char binary enum set longtext
Note: Blob value (even a value of 1K) in dynamic SQL can be captured, but same size blob value in static SQL cannot be captured.
Custom Table Archive and Restore
The Custom Table Builder screen has a button called Purge/Archive.
The Custom Table Data Purge screen has a checkbox for Archive. Checking this box results in the data of the custom table being included in the normal data archive.
This custom table data is archived according to the date in SQLGUARD_TIMESTAMP column of the custom table.
The data of the custom table can be archived from a collector or an aggregator.
The data of the custom table archived from a collector can be restored to any collector or aggregator managed by the same Central Manager as the source collector (the
metadata must be present).
The data of the custom table archived from an aggregator can be restored to any aggregator managed by the same Central Manager as the source aggragator.
If the archive file to be restored to a Guardium system does not have the metadata, then the data of the custom table is not restored.
If the structure of the custom table has changed between the time of archive and the time of restore in a way that results in an SQL error (for example, columns removed
or type changed), then a warning message appears on the aggregation/archive activity report and the data is not restored.
If a custom table is set to be purged by the default purge, then the restored data will be kept for the number of days specified on the restore screen.
If the custom table is set to overwrite data when it uploads, then restored data will be deleted at the time an upload is performed.
Custom Domains
A custom domain contains one or more custom tables. If it contains multiple tables, you define the relationships between tables when defining the custom domain.
Custom Queries

A custom query accesses data from a custom domain. You use the Custom Query Builder to create queries against custom domains. Custom queries can then be used like
any other query to generate reports or audit tasks, populate groups, or to define aliases.

DB Entitlement Reports use the Custom Domain feature to create links between the external data on the selected database with the internal data of the predefined
entitlement reports. See topic, Link External Data to Internal Data, on this subject. See Database Entitlement Reports for further information on how to use predefined
database entitlement reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
Create a Custom Table

Open the Custom Table Builder by navigating to either of the following:
Comply > Custom Reporting > Custom Table Builder

Reports > Report Configuration Tools > Custom Table Builder
Upload a Table Definition

Creating a custom table can be accomplished by the uploading of a table definition by accessing its metadata from the database server on which the metadata is defined.
Note: Custom Tables uploaded to Guardium are optional components enabled by product key. If these components have not been enabled, the Custom Tables choices
listed will not appear in the Custom Table Builder selection.
1. Open the Custom Table Builder.

2. Click Upload Definition to open the Import Table Structure panel. It is not necessary to select an item
3. Enter a description for the table in the Entity Desc field. This is the name you will use to reference the table when creating a custom query.
4. Enter the database table name for the table in the Table Name field. This is the name you will use to create the table in the local database.
5. Enter a valid SQL statement for the table in the SQL Statement field. The result set returned by the SQL statement must have the same structure as the custom
table defined. For example, if the custom table contains all columns from the table named my_table, enter Â select * from my_table.
Note:
Do not include any newline characters in the SQL statement. All columns must be explicitly named; making use of a column alias if necessary.
6. Click Add Datasource to open the Datasource Finder in a separate window. This will allow us to define where the external database is located, and the credentials
needed to retrieve the table definition and content later in the process.
7. Use the Datasource Finder to identity the database from which the table definition will be uploaded.
8. Click Retrieve to upload the table definition. This will execute the SQL Statement and retrieve the table structure. The SQL request is sent to the external database
from the Guardium system. Remember that only the definition is being uploaded and you can upload data later.
Manually Define a Table Definition

2. Click Manually Define to open the Define Entity panel.
3. Enter a description for the table in the Entity Desc field. This is the name you will use to reference the table when creating a custom query. Â Use of the special
characters \$|&;'`" are not allowed in the entity description.
4. Enter the database table name for the table in the Table Name field. This is the name you will use to create the table in the local database.
5. For each column in the table to be defined:
Enter a name in the Column Name box. This will be the name of the column in the database table.
Enter a name in the Display Name box. This is the name you will use to reference the attribute in the Custom Domain Builder and the Custom Query Builder.
Select a data type (Text, Date, Integer, Float, or TimeStamp).
For a Text attribute, enter the maximum number of characters in the Size box. (The Size box is not available for other data types.)
If uniqueness is to be enforced on the column, check the Unique box.
If the attribute being defined corresponds to a group type, select that group type from the Group Type list.
Click Add to add the column.
6. Use the Entity Key drop-down list to identify which column will be used as the entity key. The Entity Key is used in the query builder when selecting count.
7. If additional changes are made after the Add button, such as deletion of a column, or changing an attribute, Click Apply to save any changes.
8. Click Done when you have added all columns for the table.
Modify a Table Definition

If you modify the definition of a custom table, you may invalidate existing reports based on queries using that table. For example, an existing query might reference an
attribute that has been deleted, or whose data type has been changed. When applying changes to a custom table, if any queries have been built using attributes from that
table, the Queries are displayed in the Query List panel. Note: You can also use the Modify to view and validate the table structures that were imported.

2. Choose a custom table by clicking on the entity label and highlighting it.
3. Click Modify to open the Modify Entity panel.
4. See Defining a Table Manually for assistance.
5. When applying changes to a custom table, if any queries could be invalided due to modification to attribute from that table, the queries are displayed in the Query
List panel. Use the Query List panel to choose and change queries. You do not have to make all changes immediately as you can always come back and use the
Check for Invalid Queries option.
Invalid Queries
If you modify the definition of a custom table, you may invalidate existing reports based on queries using that table. For example, an existing query might reference an
attribute that has been deleted, or whose data type has been changed. It is a good idea to check for invalid queries after the table modification process.

2. Click Invalid Queries.
3. The queries are displayed in the Query List panel. Use the Query List panel to choose and change queries.

Purge Data from Custom Table
Data can be purged from custom tables on the Guardium server on demand, or on a scheduled basis.

2. Choose a custom table by clicking on the table name and highlighting it
3. Click Purge to open the Custom Table Data Purge panel.
4. Click Purge All to purge now.
Note: Run once now purge will look at the RESTORED_DATA table for retention. Purge ALL will purge all records deleted without checking the retention.
5. In the Configuration panel, enter the age of the data to be purged, as a number of days, weeks or months prior to the purge operation date.
6. Click Run Once Now to run a schedule purge operation once.
7. Click Modify Schedule to open the standard Schedule Definition panel and schedule a purge operation.
8. Click Done to close the panel.
Upload Data to a Custom Table

2. Choose a custom table by clicking on the name of the table and highlighting it
3. Click Upload Data to open the Import Data panel.
4. In the SQL Statement box, enter a valid SQL statement for the table. The result set returned by the SQL statement must have the same structure as the custom
table defined. For example, if the custom table contains all columns from the table named my_table, enter Â select * from my_table. The following fields,
which are internal to Guardium, are available for use within SQL statements:
^FromDate?^ and ^ToDate?^ where the value is equal to the previous upload date and the current upload date respectively.
^fromID^ and ^toID^ where, when used with Id Column Name consist of the maximum value of the Id Column from the previous upload and the maximum
value of the current upload respectively.
Note: Do not include any newline characters in the SQL statement.
5. Specify, if needed, a column name in the Id Column Name (from the table defined within the datasource) will be used and allow for tracking by ID and be used in
conjunction with the internal Guardium fields ^fromID^ and ^toID^.
6. In the DML command after upload box, enter a DML command (an update or delete SQL statement) with no semicolon, to be executed after uploading the data.
Note: Do not include any newline characters in the SQL statement.
7. Check the Overwrite per upload box if you wish to have data purged in the custom table before the upload. Check the Overwrite per datasource if you wish to have
data for that datasource purged before the upload from it
8. Check the default purge button (in the Upload Custom Data screen) to be part of the Default Custom Table Purge Job purge object which has an initial default age of
60 days. To add a purge schedule for this table, go to initial Custom Table Builder page, select a Custom Table and click Purge to open a Custom Table Data Purge
configuration screen.
9. Check the Use default schedule box only if uploading tables from previous versions of Guardium. This check box only appears in a Central Manager view and only for
predefined custom tables CM Buffer Usage Monitor, Enterprise No Traffic, S-TAPÂ® Changes and S-TAP Info.
10. Click Add Datasource to open the Datasource Finder in a separate window. Use this window to identify one or more databases from which the table data will be
uploaded. You may add multiple datasources to upload from multiple sources. Note: For a Central Manager, in the Import Data page there is a read only check box
called Include default source. If this check box is checked, upload data will iterate through all online registered managed units. Note: When adding a datasource,
the application can not be scheduled to run without specifying the user name and password of the selected datasource.
11. You can click Check/Repair to compare the schema of the custom table to the schema of the meta-data. For central management environments: In a central
management environment, the custom table definition resides on the central manager, and the custom table may not exist on the local (managed unit) database.
Click the Check/Repair button to check if the custom table exists locally, and create one if it does not.
12. Click Verify Datasources to test the external database connection. An acknowledgement screen will appear.
13. Click Apply.
14. To upload data to this custom table, do one of the following:
Click Run Once Now to upload data manually.
Check Modify schedule to configure the schedule.
Maintain Custom Table

When following the procedure for creating a Custom Table (detailed previously) and selecting a predefined custom table, click Maintenance to manage the table engine
type and table index. The table engine types for custom tables/entitlements (InnoDB and MyISAM) will appear for all predefined custom databases as the data stored on
the Guardium internal database is MYSQL-based. The two major types of table storage engines for MySQL databases are InnoDB and MyISAM. Major differences between
these MYSQL table engine types:
InnoDB is more complex while MyISAM is simpler.

InnoDB is more strict in data integrity while MyISAM is looser.
InnoDB implements row-level lock for inserting and updating while MyISAM implements table-level lock.
InnoDB has transactions while MyISAM does not.
InnoDB has foreign keys and relationship constraints while MyISAM does not.
Note: Changing the engine type is disallowed (and the selection greyed out) if the row number in the table is greater than 1M.
The other selection in the Maintain Custom Table menu is Manage Table Index. Click Insert to open Table Index Definition. The pop-up screen suggests columns in the
table to add to indexes based on columns used on custom domains as Join conditions. Select the columns and save. Indexes will be created (or re-created).
Schedule Custom Data Uploads

Once a custom table definition is in place, data can be uploaded to custom tables on the Guardium appliance on a scheduled basis.
Note: New installations do not automatically start Enterprise reports. There is one upload schedule for each custom table. The total amount of disk space reserved on the
Guardium appliance for custom tables is 4GB.

2. Choose a custom table by clicking on the entity label and highlighting it.
3. Click Upload Data to open the Import Data panel.
4. Mark the Use Default Schedule check box to upload this table using the default schedule. Otherwise, this custom table uses its own upload data schedule.
5. Click Modify Schedule to open the standard Schedule Definition panel and modify the schedule.

The Enterprise reports custom upload are like other jobs. There are two ways to enable them:
In the Custom Table Upload GUI. (requires license for custom upload)
Use GuardAPI from the CLI:
grdapi add_schedule jobName=CustomTablePurgeJob_CM_SNIFFER_BUFFER_USAGE obGroup=customTableJobGroup Enterprise S-TAPs

Changed: grdapi add_schedule jobName=customTableDataUpload_106 jobGroup=customTableJobGroup CM Buffer Usage Monitor: grdapi
add_schedule jobName=customTableDataUpload_104 jobGroup=customTableJobGroup S-TAP Info: grdapi add_schedule
jobName=customTableDataUpload_80 jobGroup=customTableJobGroup
Create a Custom Domain

After defining one or more custom tables, define a custom domain so that you can perform query and reporting tasks using the custom data. The information collected is
organized into domains, each of which contains a different type of information relating to a specific area of concern: data access, exceptions, policy violations, etc. There is
a separate query builder tool for each domain. Custom domains allow for user defined domains and can define any tables of data uploaded to the Guardium appliance. See
Custom Domains. The usage for these custom entitlement (privileges) domains are for entitlement reports which are found if logged in as a user. To see these reports, go
to the user tab, DB Entitlements.
Note: DB Entitlements Domains are optional components enabled by product key. If these components have not been enabled, the choices listed in the Custom Domains
help topic will not appear in the Custom Domain Builder selection.
1. Open the Custom Domain Builder by navigating to one of the following:

Comply > Custom Reporting > Custom Domain Builder
Reports > Report Configuration Tools > Custom Domain Builder
Setup > Tools and Views > Custom Domain Builder
2. Click Domains to open the Domain Finder panel.
3. Click New to open the Custom Tables Domain panel.
4. Enter a Domain Name. Typically, you will be including a single custom table in the domain, so you may want to use the same name for the domain.
5. The Available Entities box lists all custom tables that have been defined (and to which you have access). Select an entity. Optionally, click the (Filter) tool to open
the Entity Filter and enter a Like value to select only the entities you want listed, and click Accept. This closes the filter window and returns you to the Custom
Tables Domain panel, with only those entities matching the Like value listed in the Available Entities box. Select the entity you want to include.
6. Click the >> arrow button to move the entity selected in the Available Entities list to the Domain Entities list.
7. To add an entity to a domain that already has one or more tables, follow the procedure outlined. You will need to use the Join Condition to define the relationship
between the entities.
For each additional entity:
From the Domain Entities box, select an entity. All of the attributes of that entity will become available in the field drop-down list of the Domain Entities box.
Select the attribute from that list that will be used in the join operation.
From the Available Entities list, select the entity you want to add. All of the attributes of that entity will become available in the field dropdown list of the
Available Entities box. Select the attribute from that list that will be used in the join operation.
Select = (the equality operator) if you want the join condition to be equal (e.g., domainA.attributeB = domainC.attributeD). Select outer join if you want the
join condition to be an outer join using the selected attributes.
Click Add Field Pair. Add Field Pair can be used to add more attributes pairs of these two entities to the join condition.
Repeat the steps for any additional join operations.
Note: When data level security is on, internal entities added to the custom domain cannot belong to different domains with filtering policies.
8. Select the Timestamp attribute for the custom domain entity.
Note: At least one entity with a timestamp must be used, since a timestamp is required to save a custom domain.
9. Click Apply.
Modify a Custom Domain

The goal is to create a linkage between external data and the internal data. Â
1. Open the Custom Domain Builder.

2. Choose the Custom Domain that you wish to clone
3. Click Modify to open the Custom Tables Domain panel.
4. See Open Custom Domain Builder and Linking External Data to Internal Data for assistance.
5. Click Apply to save the changes.
Remove a Custom Domain

2. Choose the Custom Domain that you wish to clone.
4. Click Delete to remove the custom domain.
Clone a Custom Domain

2. Choose the Custom Table that is in the domain you wish to clone.
4. Click Clone to open the Custom Tables Domain panel.
5. Change the Domain Name to reflect the new domain.
6. See Open Custom Domain Builder and Linking External Data to Internal Data for assistance.
Link External Data to Internal Data

The goal is to create a linkage between external data and the internal data. Â

2. Choose the Custom Table that has your external data.
4. Click Modify to open the Custom Tables Domain panel.
5. Click the Filter icon next to the Available Entities.
6. Un-check the Custom box for the filter and optionally fill in a Like condition to filter entity names and click Accept.
7. Select an entity from the Available Entities that you would like to link with your external data.
8. Select the field that will be used to join data with your external data.
9. Highlight the table from the Domain Entities that contains your external data
10. Select the field that will be used to join data with the internal data.
11. Click the Add Field Pair to add the relationship.
12. Click the double arrow >> to add the internal table to the Domain Entities list.
Working with Custom Queries

This section describes how to open the Custom Query Builder. See Building Queries and Building Reports for assistance in defining a query and building a report. Use the
Custom Query Builder to build queries against data from custom domains, which contain one or more custom tables.
1. Open the Custom Query Builder by navigating to Comply > Custom Reporting > Custom Query Builder.
2. Select a custom domain from the list.
3. Click Search to open the Query Finder
4. To view, modify or clone an existing query, select it from the Query Name list, or select a report using that query from the Report Title list.
5. To view all of the queries defined for a specific custom table, select that custom table from the Main Entity list and click the Search button (only the custom tables
included in the selected custom domain will be listed).
Bidirectional Interface to and from InfoSphere Discovery

Both IBM Guardium and InfoSphereÂ® Discovery have the capability to identify and classify sensitive data, such as Social Security Numbers or credit card numbers.
A customer of the IBM Guardium product can use a bidirectional interface to transfer identified sensitive data information from one product to another. Those customers
who have already invested the time in one InfoSphere product can transfer the information to the other InfoSphere product.
Note: In IBM Guardium , the Classification process is an ongoing process that runs periodically. In InfoSphere Discovery, Classification is part of the Discovery process that
usually runs once.
The data will be transferred via CSV files.
The summary of Export/Import procedures is as follows:
Export from Guardium - Run the predefined report (Export Sensitive Data to Discovery) and export as CSV file.
Import to Guardium - Load to a custom table against CSV datasource; define default report against this datasource.
Follow these steps:
Export from Guardium

Export Classification Data from IBM Guardium to InfoSphere Discovery
1. As an admin user in the Guardium application, go to Tools > Report Building >Classifier Results Tracking > Select a Report > Export Sensitive Data to Discovery.
Note: Add this report to the UI pane (it is not by default).
2. Click the Customize icon on the Report Result screen and specify the search criteria to filter the classification results data to transfer to Discovery.
3. Run the report and click Download All Records.
4. Save as CSV and import this file to Discovery according to the InfoSphere Discovery instructions.
Import to Guardium
Import Classification Data from InfoSphere Discovery to IBM Guardium
1. Export the classification data as CSV from InfoSphere Discovery based on InfoSphere Discovery instructions.
2. Open the Custom Table Builder by navigating to either of the following:
Comply > Custom Reporting > Custom Table Builder
Reports > Report Configuration Tools > Custom Table Builder
Select ClassificationDataImport and click Upload Data.
3. In Upload Data screen, click Add Datasource, click New, define the CSV file imported from Discovery as new datasource (Database Type = Text). Â
Note: Alternatively you can load the data directly from Discovery database if you know how to access the Discovery database and Classification results data.
4. After defining the CSV as Datasource, click Add in Datasource list screen.
5. In Upload data screen click Verify Datasource and then Apply.
6. Click Run Once Now to load the data from the CSV.
7. Go to Report Builder, select the Classification Data Import report, Click Add to Pane to add it to your Portal and then navigate to the report.
8. Access the Report, click Customize to set the From/To dates and execute the report.
The report result has the classification data imported from InfoSphere Discovery. Double click to invoke APIs assigned to this report. The data imported from Discovery
can be used for the following:
Add new Datasource based on the result set.

Add/Update Sensitive Data Group.
Add policy rules based on datasource and sensitive data details.
Add Privacy Set.
CSV Interface signature

Use the table for examples of CSV interface signatures used in the bidirectional transfer between IBM Guardium and InfoSphere Discovery.
Table 2. CSV Interface signature

Interface signature Example
Type DB2
Host 9.148.99.99
Port 50001
dbName (Schema name for DB2 or Oracle, db name for cis_schema

others)
Datasource URL Â
TableName MK_SCHED
ColumnName ID_PIN
ClassificationName SSN
RuleDescription Out-of-box algorithm of InfoSphere Discovery
HitRate 70% - not available for export in Guardium Vers. 8.2
ThresholdUsed 60% - not available for export in Guardium Vers. 8.2

Privacy Sets
A privacy set is a collection of elements that can be used to do special monitoring.
It consists of one or more object-field pairs - for example, the salary field of the employee table, or all fields of the salary history table. All access to these elements within
a given timeframe can be reported.
Select any of the topics to work with privacy sets.
Open the Privacy Set Builder

To access a privacy set definition, your GuardiumÂ® user account must be assigned a security role that is also assigned to that privacy set definition. Privacy sets that you
cannot access will not display in a list of privacy sets.
1. Open the Identify Privacy Set panel by navigating to one of the following:
Comply > Tools and Views > Privacy Set Builder
Discover > Database Discovery > Privacy Set Builder
Click the New button to define a new privacy set (see Create a Privacy Set).
Select a privacy set from the list, and click one of the following buttons:
Clone - See Clone a Privacy Set.
Modify - Use this button to modify the definition or to run a report based on that definition. See Modify a Privacy Set, or Run a Privacy Set Report.
Remove - See Remove a Privacy Set.
Create a Privacy Set

1. Open the Identify Privacy Set panel by navigating to one of the following:
Comply > Tools and Views > Privacy Set Builder
Discover > Database Discovery > Privacy Set Builder
2. Click New to open the Privacy Set Definition panel.
3. In the Privacy Set Description box, enter a unique name for the privacy set. Do not include apostrophe characters in the name. This is the name that will display in
the Identify Privacy Set panel.
4. From the Security Classification drop-down list, optionally select a security classification for this privacy set.
5. In the Elements in this Privacy Set pane, for each element pair to include:
Enter an object name in the Object box.
Enter a field name in the Field box, or mark the Any Field in this Object box to include all fields contained in the specified object.
Click Add this new Object â€“ Field Pair.
6. When all elements have been added, click Save.
7. Optionally, click the Roles button to add Roles.
8. Optionally, click the Comments button to add comments.
Modify a Privacy Set

1. Open the privacy set to be modified, in the Privacy Set Builder. See Open the Privacy Set Builder.
2. Make any changes to the privacy set definition, as necessary. For a description of all fields, see Create a Privacy Set.
3. Click Save.
Clone a Privacy Set

1. Open the privacy set to be cloned, in the Privacy Set Builder. See Open the Privacy Set Builder.
2. The cloned privacy set will be named COPY OF selected privacy set. Â We suggest that you change this to something more meaningful. Do not include apostrophe
characters in the name.
3. Make any additional changes to the privacy set definition, as necessary. For a description of all fields, see Create a Privacy Set.
4. Click Save.
Remove a Privacy Set

If a auditing process is running, you cannot remove a privacy set. Stop the auditing process, then follow the steps to remove the privacy set.
1. Select the privacy set to be removed, in the Identify Privacy Set panel. See Open the Privacy Set Builder.
2. Click Delete and confirm the action.
3. Click Done.
Run a Privacy Set

This procedure describes how to run a privacy set report on demand. To schedule a privacy set report, include it in a compliance workflow (see Compliance Workflow
Automation).
1. Open the privacy set for the report, in the Privacy Set Builder. See Open the Privacy Set Builder.
2. Click Run.
3. In the Task Parameters, enter the starting and ending times for the task.
4. Select Report by Access Details, or Report by Application User, to specify how the results should be displayed. The first option is the default, in which case a count
of accesses is shown for each combination of client IP, server IP, server (name), server type, database protocol, source program name, and database user name. If
Application User is selected, the report will contain a separate column with that name (following DB User Name) and the output will be additionally qualified by the
application user.
5. Click Run Once Now. After the report has been executed, it will be displayed in a separate window.
6. Click Done.
Custom Alerting
Alert messages can be distributed via e-mail, SNMP, syslog, or user-written Javaâ„¢ classes. The last option is referred to as custom alerting.
When an alert is triggered, a custom alerting class can take any action appropriate for the situation; for example, it might update a Web page or send a text message to a
telephone number.
To create a custom alerting class, first contact Technical Support to obtain the necessary interface file. The following topic describes how to implement the interface. See
Use the Custom Alerting Interface, and also the following topic which contains an example: Sample Custom Alerting Class.
Once the class has been compiled, it must be uploaded to the GuardiumÂ® appliance. See Manage Custom Classes.
For guidelines on testing a custom alerting class, see the Test a Custom Alerting Class section later in this topic.
Note: Do not take or run custom code from untrusted data sources to order to reduce the risk of security vulnerabilities.
Note: Do not take or run custom code from untrusted sources.
Note: Do not write a custom class that gets data from an untrusted source.
Use the Custom Alerting Interface

The custom alerting class must be in the com.guardium.custom package and must implement the com.guardium.custom.alerts.CustomerDefinedAlertingIfc interface:
package com.guardium.custom
public class YourClassNameHere implements CustomerDefinedAlertingIfc {
Â Â Â Â Â Â Â }
The interface contains the five methods described.
Table 1. processAlert Method

Method 1 Â
Description Process a single alert message.
Syntax public void processAlert (String message, Date timeStamp)
Parameters A String containing the message generated by the alert.
A java.util.Date for the time the alert message was

created.
Table 2. getMessage Method
Method 2 Â
Description Return the alert message
Syntax public String getMessage ()
Parameters A String containing the alert message.

Table 3. getTimeStamp Method
Method 3 Â
Description Return the timestamp associated with the alert message.
Syntax public Date getTimeStamp ()
Parameters A java.util.Date for the time the alert message was

created.
Table 4. setMessage Method
Method 4 Â
Description Set the alert message.
Syntax public void setMessage (String inMessage)

Method 4 Â
Parameters A String containing the alert message.

Table 5. setTimeStamp Method
Method 5 Â
Description Set the timestamp associated with the alert message.
Syntax public void setTimeStamp (Date inDate)
Parameters A java.util.Date for the time the alert message was

created.
Sample Custom Alerting Class

The following sample program implements the five methods described in the previous section. For the processAlert method, this program simply writes the alert message
and timestamp to the system console.
/*
Â * Sample Custom Alerting Class
Â *
Â */
package com.guardium.custom;
import java.text.DateFormat;
import java.util.Date;
public class HandleAlerts implements CustomerDefinedAlertingIfc {
private String message = "";
private Date timeStamp = null;
public void processAlert(String message, Date timeStamp){
setMessage(message);
setTimeStamp(timeStamp);
System.out.println(getMessage() + " on " +
Â Â DateFormat.getDateInstance(). format(getTimeStamp()));
}
Â Â Â Â public void setMessage(String inMessage){
Â Â Â Â Â Â Â Â message = inMessage;
Â Â Â Â }
Â Â Â Â public String getMessage(){
Â Â Â Â Â Â Â Â return message;
Â Â Â Â }
Â Â Â Â public void setTimeStamp(Date inDate){
Â Â Â Â Â Â Â Â timeStamp = inDate;
Â Â Â Â }
Â Â Â Â public Date getTimeStamp(){
Â Â Â Â Â Â Â Â return timeStamp;
Â Â Â Â }
}
Test a Custom Alerting Class

After compiling a custom alerting class, follow the procedure to test it.
1. Upload the custom class to the appliance. This is an administration function that is performed from the Administrator Console. See Manage Custom Classes.
2. Define a correlation or real-time alert to use the custom alerting class. Regardless of which alert type generates the alert, testing is easier if you assign a second
notification type (email, for example) against which you can compare the custom alerting results.
3. Check the environment by doing one of the following:
For a correlation alert:
Check that the Anomaly Detection polling interval is suitable for testing purposes and that Anomaly Detection has been started. If the polling interval
is too long (it may be 30 minutes or more), you may have a long wait before the query runs.
Check that the Alerter polling interval is suitable for testing purposes and that the Alerter has been started.
Check that the alert to be tested has been marked Active.
For a real-time alert:
Check that policy containing the rule with the custom alert action is the installed policy.
Verify that the inspection engine was restarted after the updated policy was installed.
Check that the Alerter polling interval is suitable for testing purposes and that it has been started.
4. Take whatever action is necessary to trigger the alert (generate a number of login failures, for example).
Flat Log Process

The Flat Log option is a process to allow the GuardiumÂ® appliance to log information without immediately parsing it in real time.
This saves processing resources, so that a heavier traffic volume can be handled. The parsing and amalgamation of that data to Guardium's internal database can be done
later, either on a collector or an aggregator unit.
There are two Guardium features involving the Flat Log Process - Flat Log by policy definition and Flat Log by throttling mechanism.
Flat Log by throttling mechanism - This is the feature implemented by running the CLI command, store alp_throttle 1. The same policy that is applicable to real-time S-TAP
traffic is used to process traffic that was logged into the GDM_FLAT_LOG table.
For Flat Log by throttling mechanism, the Flat Log checkbox should NOT be checked in Policy Builder.
Flat Log by policy definition - Selection of this feature involves the Policy Builder menu in Setup >Tools and Views and Flat Log Process menu in Manage > Activity
Monitoring.

The following actions do not work with rules on flat policies: LOG FULL DETAILS; LOG FULL DETAILS PER SESSION; LOG FULL DETAILS VALUES; LOG FULL DETAILS
VALUES PER SESSION; LOG MASKED DETAILS.
When the Log Flat (Flat Log) checkbox option listed in the Policy Definition screen of the Policy Builder is checked,
Data will not be parsed in real time .

The flat logs can be seen on a designated Flat Log List report.
1. Navigate to Manage > Activity Monitoring > Flat Log Process.

2. Select the activity to perform:
Process - Merge the flat log information to the internal database.
Archive/Aggregation/Purge - Archive or aggregate, and optionally purge, the flat log.
Purge Only - Purge the flat log data.
3. Click Apply to save the configuration.
4. For a Process activity, optionally do one of the following:
Click Run Once Now to merge the flat log information to the internal database immediately.
Click Modify Schedule to define a schedule for this activity. You can select the start time, restart frequency, and repeat frequency. For the Schedule by.. field,
you must select either Day/Week or Month. See Scheduling for more information about scheduling.

Use the Add Expression icon, next to the Value, Parameter, Attribute selections, to enter Query Conditions including user-defined string and mathematical expressions.
Use this feature when you need to add a condition that is based not on the entire content of the attribute as is, but on part of the attribute, a function of the attribute, or a
function that combines more than one attribute.
An example is: INSTR(:attribute, '150.1') = 5, which will return all instances of Client IP matching the five characters listed. Type the character 5 in the entry box
next to the Add Expression icon. Type the INSTR(:attribute, '150.1') expression in the separate Build Expression window. Test the validity of the expression in the
Build Expression window. Another example is: LENGTH(:attribute) >= 40, which will return the length of any SQL statement greater than 40 characters. The
expression may (or may not) contain references to the actual attribute and can also contain references to other attributes.

Entitlement reviews are the process of validating and ensuring that users only have the privileges required to perform their duties.
Along with authenticating users and restricting role-based access privileges to data, even for the most privileged database users, there is a need to periodically perform
entitlement reviews, the process of validating and ensuring that users only have the privileges required to perform their duties. This is also known as database user rights
attestation reporting.
Use Guardiumâ€™s predefined database entitlement (privilege) reports (for example) to see who has system privileges and who has granted these privileges to other
users and roles. Database entitlement reports are important for auditors tracking changes to database access and to ensure that security holes do not exist from lingering
accounts or ill-granted privileges.
Custom database entitlement reports have been created to save configuration time and facilitate the uploading and reporting of data from the following databases: Oracle;
MYSQL; DB2Â®; SYBASE; SYBASE IQ; InformixÂ®; MS SQL 2000/2005/2008; NetezzaÂ®; Teradata; and, PostgreSQL; DB2 on z/OS.
For Microsoft SQL Server and Oracle databases you can also use Entitlement Optimization to access this information.
Follow these steps to use Guardiumâ€™s predefined database entitlement (privilege) reports with up-to-date snapshots of database users and access privileges:
1. Add datasources/databases to the appliance (navigate to Comply > Custom Reporting > Custom Domain Builder.
2. Assign datasources to entitlements (navigate to Comply > Custom Reporting > Custom Table Builder. Select the custom table listing of your entitlement. Click
Upload Data. Assign datasources to the entitlement report at the Import Data menu screen. When done, click Run Once Now.
3. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
DB Entitlement Reports use the Custom Domain feature of GuardiumÂ® to create links between the external data on the selected database with the internal data of the
predefined entitlement reports. See External Data Correlation for further information on Custom Domain Builder/Custom Query Builder/Custom Table Builder.
The predefined entitlement reports are listed in Database Entitlement Reports.
User Identification
GuardiumÂ® provides several methods to identify application users, when the actual database user is not apparent from the database traffic.
Some database applications are designed to use or share a small number of database user accounts. These applications manage their users independently of the
database management system, which means that when observing database traffic from outside of the application, it can be difficult to determine the application user who
is controlling a database connection at any given point in time. However, when questionable database activities occur, you need to relate specific actions to specific
individuals, rather than to an account shared by groups of individuals. In other words, you must know the application user, not just the database user.
Guardium provides several methods to identify application users, when the actual database user is not apparent from the database traffic:
Identify Users via Application User Translation - For some of the most popular commercial applications (Oracle EBS, PeopleSoft, SAP, etc.), Guardium can identify
users automatically.

Identify Users via API - The Application Events API allows you to signal Guardium when an application user takes or relinquishes control of a connection, or when
any other event of interest occurs. (This can be used for more than just identifying users.)
Identify Users via Stored Procedures - Many applications use database stored procedures to identify the application user. In these cases, user information can
usually be extracted from the stored procedure parameters.
Within the enterprise, it may be necessary to employ several methods to identify users, depending on the applications used.
Identify Users via Application User Translation

Some applications manage a pool of database connections. In such three-tier architectures the pooled connections all log into a database using a single functional
ID, and then manage all application users internally. When a user session needs access to the database ,it acquires a connection from the pool, uses it and then
releases it back to the pool. When this happens, Guardium can see how the application interacts with the database, but it cannot attribute specific database actions
to specific application users.
Identify Users via API
For some applications that manage users internally, the application user cannot be identified from the traffic. When this happens, you can use the Guardium
Application Events API.
Identify Users via Stored Procedures
In many existing applications, all of the information needed to identify an application user can be obtained from existing database traffic, from stored procedure
calls. Once Guardium knows what calls to watch for, and which parameters contain the user name or other information of interest, users can be identified
automatically.
Identify Users via Application User Translation

Some applications manage a pool of database connections. In such three-tier architectures the pooled connections all log into a database using a single functional ID, and
then manage all application users internally. When a user session needs access to the database ,it acquires a connection from the pool, uses it and then releases it back to
the pool. When this happens, GuardiumÂ® can see how the application interacts with the database, but it cannot attribute specific database actions to specific application
users.
For some widely used applications, Guardium has built-in support for identifying the end-user information from the application, and thus can relate database activity to
the application end-users.
To use this facility, follow these procedures:
1. Define an Application User Translation configuration for the application. See Configure Application User Detection.
2. Populate any pre-defined groups required for that application. See Populate Pre-Defined Application Groups.
3. Regenerate any portlets for special reports for that application, and place the portlets on a page. See Regenerate Special Application Report Portlets.
Selective Audit Trail and Application User Translation

If the installed data access policy uses the selective audit trail feature to limit the amount of data logged, there are two important considerations that apply to application
user translation:
The policy will ignore all of the traffic that does not fit the application user translation rule (for example, not from the application server).
Only the SQL that matches the pattern for that security policy will be available for the special application user translation reports.
Configure Application User Detection

1. Navigate to Protect > Database Intrusion Detection > Application User Translation. Details for existing application user translation configurations are displayed at
the top of the page.
2. Begin creating a new application user translation configuration by entering a unique code in the Application Code box.
Note: Under Central Management, you must use different application codes on different managed machines. This prevents aliases generated for the users from
conflicting with each other. (Under Central Management, there is one set of aliases that is shared by all managed units.)
3. From the Application Type list, select the application type:
BO-WI - Business Objects / Web Intelligence
EBS - Oracle E-Business Suite
PeopleSoft
SAP Observed
SAP DB
SIEBEL Observed
SIEBEL DB
4. In the Application Version box, enter the application version number (11, for example).
5. From the Database Type list, select the database type. Only the types that are available for the selected Application Type and Version will be displayed.
Note: When the Application Type is set to EBS, SIEBEL DB, or SAP DB, you have the option of selecting from preexisting datasources by clicking the Add Datasource
button. The datasource must match one of the supported database types for the application type being configured.
6. In the Server IP box, enter the IP address the application uses to connect to the database.
7. In the Port box, enter the port number the application uses to connect to the database.
8. In the Instance Name box, enter the instance name the application uses to connect to the database.
9. In the DB Name box, enter the database name for the application. (Required for some applications, not used for others.)
10. Mark the Active box to enable user translation. Nothing is translated until after the first import of user definitions.
11. Enter a User Name for Guardium to use when accessing the database. Enter a password for Guardium to use when accessing the database.
12. Mark the Responsibility box if you want to associate responsibilities (Administration, for example) with user names. Or clear the Responsibility box to just record
user names. When the box is cleared, all activities performed by a user will be grouped together, regardless of the responsibility at the time the activity occurred.
Note: If the Application Type is EBS (Database Type is Oracle), two additional choices appear: Connect to Server IP and Connect to User Name. Â If populated, the
system will connect using that IP and username in order to retrieve the Responsibility and User Names.
13. Click the Add button to save the Application User Translation definition.
14. Continue to the procedures: Populate Pre-defined Application Groups and Regenerate Special Application Report Portlets.
15. After the previous step is done, navigate to Manage > Activity Monitoring > Inspection Engines and click Restart Inspection Engines in the Inspection Engine
Configuration panel.

16. After performing the tasks specified in the two procedures in step 16, return to Application User Translation and click Run Once Now to import the user definitions
for this application (and any others defined).
17. Later, after verifying that the data import operation worked successfully (see step 20), return to this panel and click the Modify Schedule button to define an import
operation to run on a regular basis. You should schedule the importing of user definition data at whatever interval is suitable for your environment. The maximum
time that a new application user name will not be available is the time between executions of the import operation. For instructions on how to use the scheduler,
see Scheduling
18. The data import of Application User Translation can be confirmed by looking at predefined reports, e.g.,SAP Application Access. Navigate to Reports > Report
Configuration Tools > Report Builder and choose the report SAP Application Access. Regenerate this report and add to a pane, then set the date range to rather
large (for example, go back a year for data).
Note: The first time Run Once Now is clicked after installing the Application User Translation setting(s), Â it retrieves the last update-date for the tables it looks at. Â After
that, it imports only new data. Otherwise, we could find ourselves needlessly importing decades worth of data and filling many tables/databases.
Populate Pre-defined Application Groups

When Application User Translation has been configured, you must populate at least two pre-defined groups with information that will be specific to your environment. This
table identifies the groups that must be populated for each application type. For instructions on how to populate a group, see Groups overview.
Application Pre-Defined Group Group Type
EBS EBS App Servers Client IP
EBS DB Servers Server IP
PeopleSoft PSFT App Servers Client IP
PSFT DB Servers Server IP
PeopleSoft Objects Objects
Siebel SIEBEL App Servers Client IP
SIEBEL DB Servers Server IP
SAP SAP App Servers Client IP
SAP DB Servers Server IP
SAP - PCI Objects
Regenerate Special Application Report Portlets

For some application types, one or more special report portlets must be regenerated. For example, there are two pre-defined EBS reports, and two pre-defined PeopleSoft
reports. These reports cannot be modified. After populating the pre-defined application groups, follow the procedure to regenerate the predefined application portlets and
place them on a page.
The examples in this section are for the EBS portlets, but the procedure is identical for other application types.
1. Do one of the following to open the Report Finder: Users with the admin role: Select Tools - Report Building - Report Builder. All Others: Select Monitor/Audit - Build
Reports - Report builder.
2. Click Search to open the Report Search Results panel.
3. Select a report portlet for the application type (EBS Application Access, for example, and click Regenerate Portlet. You will be informed that the portlet has been
regenerated
4. Repeat the previous step for each application report (EBS Processes Database Access, or the PSFT Processes Database Access report, for example). Now add a tab
to your layout, and include the two regenerated portlets on that tab.
5. Click Customize to open the Customize pane.
6. Click Add Pane to define a new tab.
7. Enter a name for the tab - EBS Reports, for example - and click Apply. The new tab appears as the last tab in the list.
8. Click on the new tab name to edit that pane.
9. Click Add Portlet, and click Next until you locate the reports you want (the EBS reports, for example), and mark the checkbox next to each desired report.
10. Click Apply, and then click Save and Apply and then click Save to save the new pane layout. The new tab will appear at the end of the first row of tabs.
11. Click on the new tab name to open the tab.
12. Click Customize to set the runtime parameters (date range and Show Aliases, for example).
Unwilling to give DB_USER PASSWORD for EBS application

In some cases customers do not want to use the Oracle EBS DB_USER for translating EBS traffic. Under this scenario, when setting up Oracle EBS and wanting to translate
traffic with Application User Translation, there are two choices to make it work: Â
Supply the username and password that EBS uses to talk to Oracle (often APPS/$passwd).
If the customer does not want to supply/enter the password for the DB_USER EBS uses to access Oracle, it is still possible to get Application User Translation,
however the process is more complicated. Â
1. Make/choose a login for Oracle that will permit access to the database for gathering aliases/users/responsibilities. Â That user needs access to the table
[APPLSYS.]FND_USER and the view FND_RESPONSIBILITY_VL which combines two tables: APPLSYS.FND_RESPONSIBILITY and
APPLSYS.FND_RESPONSIBILITY_TL.
( CREATE VIEW FND_RESPONSIBILITY_VL AS SELECT /* $HEADER$ */ B.ROWID ROW_ID , B.WEB_HOST_NAME , Â Â Â Â

B.WEB_AGENT_NAME , B.APPLICATION_ID , B.RESPONSIBILITY_ID , Â Â Â Â
B.RESPONSIBILITY_KEY , B.LAST_UPDATE_DATE , B.LAST_UPDATED_BY ,
B.CREATION_DATE , B.CREATED_BY , B.LAST_UPDATE_LOGIN , Â Â Â Â
B.DATA_GROUP_APPLICATION_ID , B.DATA_GROUP_ID , B.MENU_ID , Â Â Â Â
B.START_DATE , B.END_DATE , B.GROUP_APPLICATION_ID , Â Â Â Â
B.REQUEST_GROUP_ID , B.VERSION , T.RESPONSIBILITY_NAME , Â Â Â Â
T.DESCRIPTION FROM FND_RESPONSIBILITY_TL T, FND_RESPONSIBILITY B

WHERE B.RESPONSIBILITY_ID = T.RESPONSIBILITY_ID Â Â Â Â
AND B.APPLICATION_ID = T.APPLICATION_ID Â Â Â Â
AND T.LANGUAGE = USERENV('LANG') )
2. Run the following SQL statements directly from the Guardium system: select RESPONSIBILITY_ID, RESPONSIBILITY_NAME from FND_RESPONSIBILITY_VL order
by RESPONSIBILITY_ID; Â Â and Â Â SELECT USER_ID, USER_NAME from FND_USER ORDER BY USER_ID;
Once the user is set up so that those two statements successfully run, two different Application User Translation entries are needed. Â Both need to have the same
server IP, port, and instance name, (and of course EBS and Oracle chosen for APP type and APP server type).
It does not matter if the Application Code is identical or not. One entry needs the username that EBS uses to connect to the database (usually APPS), but you can
put in an incorrect (dummy) password. The second entry needs the username and password that has been created to access those tables. Â
3. Once both are entered with Active and Responsibility selected, click Run Once Now, and start or restart EBS (assuming there is an Inspection Engine (S-TAPÂ® or
net) looking at the traffic). The collection of data and the assignment of APPS user names to that data for the EBS traffic will now take place. Â Â
Oracle priviliges needed for the Oracle EBS App User

Translation:
1. Grant select on the following tables to Custom DB User:
APPLSYS.FND_USER
APPLSYS.FND_RESPONSIBILITY
APPLSYS.FND_RESPONSIBILITY_TL
2. Create a private synonym FND_USER on APPLSYS.FND_USER for Custom DB User.

3. Create a view called FND_RESPONSIBILITY_VL for Custom DB User. Â You can find this view under the APPS user to use as your template.
How to Validate SAP Stack for Application User Translation

When supporting IBM Guardium SAP Application User Translation, there is a difference between the ABAP Stack and Javaâ„¢ Stack.
Note:
ABAP Stack and Java Stack have different kernel specifications.
ABAP Stack and Java Stack systems will have different tables.
ABAP Stack
Traditional ECC (Enterprise Core Components) SAP systems are written in ABAP code and are predominantly accessed via the SAP GUI, although web access is possible.
SAP ABAP systems have direct (read/write/update) access to traditional SAP databases. The databases are very large and contain all the sensitive data. This is where IBM
Guardium will be best utilized.
The following screen will appear when you enter the SAP GUI (ABAP Stack):
1-SAP GUI (ABAP Stack)
To validate the ABAP Stack SAP Kernel module for Application User Translation, follow these steps:
1. Log in to SAP.
2. Go to System > Status

2-System Status (ABAP Stack)
3. Click Other Kernel Info on the System Status screen.
3-System Kernel Information (ABAP Stack)
In this example, the kernel is 700.
SAP with a DB2Â® backend is also available for SAP kernel 640, but the user needs to set DB6_DBSL_ACCOUNTING=1 (in kernel 700 and up, this
DB6_DBSL_ACCOUNTING value is 1 by default). SAP for Oracle backend requires a kernel of 710 or higher.
Data gets put into the app user field and the app event string.
Java Stack
SAP Portal systems are written in Java code and are the front end web applications utilizing pre-canned queries to display SAP related web pages.
Portal systems can only be accessed via a web browser. Portal system databases are much smaller with only a few tablespaces.
The following screen will appear when you enter SAP Portal System (Java Stack).

4-SAP Portal System (Java Stack)
To validate the Java Stack SAP Kernel module for Application User Translation, follow these steps: 1. Click on System Information.
5-System TCJ (Java Stack)
In this example, the SAP Kernel version is 7.00.
SAP for either DB2 or Oracle requires a kernel of 7.02 or higher.
SAP sets similar client properties in the Java stack as it did for ABAP Stack.
Parent topic: User Identification
Identify Users via API

For some applications that manage users internally, the application user cannot be identified from the traffic. When this happens, you can use the GuardiumÂ® Application
Events API.
The Application Events API provides simple calls that can be issued from within the application to signal Guardium when a user acquires or releases a connection, or when
any other event of interest occurs.
Note: If your Guardium security policy has Selective Audit Trail enabled, the Application Events API commands that are used to set and clear the application user and/or
application events will be ignored by default, and the application user names and/or application events will not be logged. To log these items so that they will be available
for reports or exceptions, include a policy rule to identify the appropriate commands, specifying the Audit Only rule action.
GuardAppUser - Identify Users by API

Use two pre-defined triggers to set GDM_CONSTRUCT_INSTANCE.APP_USER_NAME and GDM_APP_EVENT.* for both Application User names and Application Event data.
These predefined triggers are:
GuardAppEvent
GuardAppUser
These each have start and stop triggers, and the Event has sub-triggers to set Type, Username, StrValue, NumValue, and Date.
The Guardium system is able to read special Select statements for the AppUserName and the AppEvent details.
The form is:
Select "action" [additional parameters] FROM [location].
Table 1. Action options

Syntax Action
GuardAppUser:<username> Set GDM_CONSTRUCT_INSTANCE.APP_USER_NAME to <username>

Syntax Action
GuardAppUserReleased Clear APP_USER_NAME for subsequent queries
GuardAppEvent:Start Start a GuardAppEvent (and it looks for additional parameters)
GuardAppEvent:Released End a GuardAppEvent (clears info for subsequent queries)

Table 2. Additional parameters (which set the values in GDM_APP_EVENT)
Parameters Syntax
GuardAppEventType: <event type string> Set APP_EVENT_TYPE to <event type string>
GuardAppEventUserName:<evntursname> Set GDM_APP_EVENT.APP_USER_NAME to <evntursname>
GuardAppEventStrValue:<strvalue> Set EVENT_VALUE_STR to <strvalue>
GuardAppEventNumValue:<num> Set EVENT_VALUE_NUM to <num>
GuardAppEventDateValue:<date> Set EVENT_DATE to <date>
Â Â
Some examples of select statements follow:
Select guardappuser:tiberius from dual
Select guardappuserreleased from dual
Select GuardAppEvent:Start, GuardAppEventType:Event1, GuardAppEventUserName:Tiberius, GuardAppEventStrValue:abc, GuardAppEventNumValue:123,

GuardAppEventDateValue:2016-01-26 15:55:28 from dual
Select GuardAppEvent:Released from dual
The FROM portion of the statement varies by database type.
Oracle: from DUAL
DB2 from SYSIBM.SYSDUMMY1
Informix from SYSTABLES
MS-SQL <blank>
Sybase <blank>
MySQL either <blank> or from DUAL
Guardium Identify App User name and Named Templates

There are several way to capture App User Name through Guardium. Guardium has two Turbine tables where APP_USER_NAME field values are stored, based on the way
the data was received:
GDM_CONSTRUCT_INSTANCE
GDM_APP_EVENT
The Named template %%AppUserName parameter in Guardium (see Global Profile menu) is mapped to the Turbine table, GDM_CONSTRUCT_INSTANCE. In order to use it
in the Named Template, Guardium needs the APP_USER_NAME in the GDM_CONSTRUCT_INSTANCE table to be populated with the App User value.
Change the syntax of SQL command in the application to the following:
SELECT 'GuardAppUser:<value>'
This will put the values into the right table and this will replace the %%AppUserName parameter in the Named template with the right value.
Example
........
select 'GuardAppUser:Db2_User' FROM SYSIBM.SYSDUMMY1 ;
select * from AppUser_DB2;
select 'GuardAppUserReleased' FROM SYSIBM.SYSDUMMY1 ;
select * from NoMoreUser_DB2;
........
Look for the results in /var/log/messages file:
Jan 24 12:49:41 vx64 guard_sender[28274]: LEEF:1.0|IBM|Guardium|10.0|Alert per match|ruleID=20003|ruleDesc=Alert per match|severity=INFO|devTime=2016-01-

24
11:50:39|serverType=DB2|classification=|category=|dbProtocolVersion=3.0|usrName=Db2_User|sourceProgram=DB2JCC_APPLICATION|start=1448383760000|dbUse
r=DB2INST1|dst=9.70.144.126|dstPort=50000|src=9.70.144.126|srcPort=58781|protocol=TCP|type=SQL_LANG|violationID=20|sql=select * from AppUser_DB2 FOR
READ ONLY|error=
Set the Application User via GuardAppUser

Use this call to indicate that a new application user has taken control of the connection. The supplied application user name will be available in the Application User
attribute of the Access Period entity. For this session, from this point on, Guardium will attribute all activity on the connection to this application user, until Guardium
receives either another GuardAppUser call or a GuardAppUserReleased call, which clears the application user name.
To signal when other events occur (you can define event types as needed), use the GuardAppEvent call, described in the following section.
Syntax: SELECT â€˜GuardAppUser:user_nameâ€™ FROM location
user_name is a string containing the application user name. This string will be available as the Application User attribute value in the Access Period entity.
FROM location is used only for Oracle, DB2Â®, or InformixÂ®. (Omit for other database types.) It must be entered exactly as follows:
Oracle: FROM DUAL

DB2: FROM SYSIBM.SYSDUMMY1
Informix: FROM SYSTABLES
Clear the Application User via GuardAppUserReleased

Use the GuardAppUserReleased call to signal that the current user has relinquished control of the connection. Guardium will clear the application user name, which will
remain empty for the connection until it receives another GuardAppUser call.
Syntax: SELECT â€˜GuardAppUserReleasedâ€™ FROM location
FROM location is used only for Oracle, DB2, or Informix. (Omit for other database types.) It must be entered exactly as follows:
Oracle: FROM DUAL

Set an Application Event via GuardAppEvent

This call provides a more generic method of signaling the occurrence of application events. You can define your own event types and provide text, numeric, or date values
to be stored with the event, both when the event starts and when it ends. You can use this call together with the GuardAppUser call. Guardium will attribute all activity on
the connection to this application event, until it receives either another GuardAppEvent:Start command or a GuardAppEvent:Released command.
Syntax:
SELECT â€˜GuardAppEvent:Start|Releasedâ€™, Â Â Â Â Â Â Â
â€˜GuardAppEventType:typeâ€™, Â Â Â Â Â Â Â
â€˜GuardAppEventUserName:nameâ€™, Â Â Â Â Â Â Â
â€˜GuardAppEventStrValue:stringâ€™, Â Â Â Â Â Â Â
â€˜GuardAppEventNumValue:numberâ€™, Â Â Â Â Â Â Â
â€˜GuardAppEventDateValue:dateâ€™ FROM location
Start | Released - Use the keyword Start to indicate that the event is taking control of the connection or Released to indicate that the event has relinquished control of the
connection.
type identifies the event type. It can be any string value, for example: Login, Logout, Credit, Debit, etc. In the Application Events entity, this value is stored in the Event
Type attribute for a Start call, or the Event Release Type attribute for a Released call.
name is a user name value to be set for this event. In the Application Events entity, this value is stored in the Event User Name attribute for a Start call, or the Event
Release User Name attribute for a Released call.
string is any string value to be set for this event. For example, for a Login event you might provide an account name. In the Application Events entity, this value is stored in
the Event Value Str attribute for a Start call, or the Event Release Value Str attribute for a Released call.
number is any numeric value to be set for this event. For example, for a Credit event you might supply the transaction amount. In the Application Events entity, this value is
stored in the Event Value Num attribute for a Start call, or the Event Release Value Num attribute for a Released call.
date is a user-supplied date and optional time for this event. It must be in the format: yyyy-mm-dd hh:mm:ss, where the time portion (hh:mm:ss) is optional. It may be the
current date and time or it may be taken from a transaction being tracked. In the Application Events entity, this value is stored in the Event Date attribute for a Start call, or
the Event Release Date attribute for a Released call.
FROM location is used only for Oracle, DB2, or Informix. (Omit for other database types.) See the following example. However, any dummy table name is acceptable for the
dummy SQL.
Oracle: FROM DUAL

The GuardAppEvent call populates an Application Events entity (see Application Events Entity in the Entities and Attributes section of the Appendices). When creating
Guardium queries and reports, you can access the Application Events entity from either the Access Tracking domain or the Policy Violations domain.
If any Application Events entity attributes have not been set using the GuardAppEvent call, those values will be empty.
Regarding the two date attributes:
Event Date is set using the GuardAppEvent call, or from a custom identification procedure as described in the following section.
Timestamp is the time that Guardium stores the instance of the Application Event entity.

Identify Users via Stored Procedures
In many existing applications, all of the information needed to identify an application user can be obtained from existing database traffic, from stored procedure calls.
Once GuardiumÂ® knows what calls to watch for, and which parameters contain the user name or other information of interest, users can be identified automatically.
In the simplest case, an application might have a single stored procedure that sets a number of property values, one of which is the user name. A call to set the user name
might look like this:
set_application_property('user_name', 'JohnDoe');
In a custom procedure mapping (described later), you can tell Guardium to:
Watch for a stored procedure named set_application_property, with a first parameter value of user_name.
Set the application user to the value of the second parameter in the call (JohnDoe, in the example).
There may be multiple stored procedures for an application: one to start an application user session, one to end a session, and others to signal key events particular to
that application. Guardiumâ€™s custom identification procedure mechanism can be used to track any application events you want to monitor.
Since each of your applications may have a different way of identifying users, you may have to define separate custom identification procedure mappings for each
application. To do that, follow the procedure outlined.
Define a Custom Identification Procedure Mapping

1. Navigate to Protect > Database Intrusion Detection > Custom ID Procedures.
2. To view an existing mapping, hold the mouse pointer over the More Info column icon for the row containing the map you want to view.
3. To add a mapping, click Add.
4. In the Custom Map Name box, enter the name to be used for this mapping.
5. In the Procedure Name box, enter the name of the database procedure that will supply information.
6. Select Set or Clear from the Action list to indicate whether the procedure call will set or clear application values. The Event Type Position field has a special use
when the Clear action is selected.
7. If application information can be obtained from an existing stored procedure call, but only under one or two conditions:
Use a Condition Location box to specify which stored procedure call parameter is to be tested
Use the corresponding Condition Value box to specify the value that must be matched to set application information from one or more of the other
parameters.
For example, assume that a stored procedure named set_context is used by an application to set a number of values, one of which is the user name. The
procedure is passed three parameters: an application name, a property name, and a value. Three typical calls are illustrated:
set_context('publishing_application', 'role_name', 'manager');
set_context('publishing_application', 'user_name', 'jsmith');
set_context('publishing_application', 'company', 'guardium');
In the examples, the second statement illustrates the format of the call we are interested in. The second parameter (the property name) is the parameter
that needs to be tested, so 2 would be entered in the Condition1 Location box, and user_name in the Condition1 Value box.
If a second format of the call also sets the user name, then the Condition2 Location and Value boxes can be used. For example, assume that the following
format of the procedure call is sometimes used to set a user name:
set_context('admin_application', 'admin_name', 'wjones');
To use this procedure, to set the application user name, enter 2 in the Condition2 Location box, and admin_name in the Condition2 Value box.
Note: If two conditions are used, the user name or any other information being extracted must be in the same parameter position for both types of calls.
8. For a Clear action:
Use only the Event Type Position and Application Username Position fields.
To clear the application event: set the Event Type Position to 1, and set the Application Username Position to 0.
To clear the application user: set the Event Type Position to 0, and set the Application Username Position to 1.
9. For a Set action, use the Parameter Position pane to indicate which stored procedure parameters map to which Guardium application event attributes. The first
procedure parameter is numbered 1. Use 0 (zero â€“ the default) for all attributes that are not set by the call. Application Username Position â€“ Enter the
parameter position of the application user name you want associated with database activity from this point forward (until reset, as described previously). Event
String Value Position â€“ Enter the parameter position of a string value for the event (for a login, this might be a user or account name). Event Number Value
Position â€“ Enter the parameter position of a numeric value for the event (for a transaction, this might be a dollar amount). Event Type Position â€“ Enter the
parameter position of a name for the event type (Login, Logout, Credit Request, etc.). Event Date Position â€“ Enter the parameter position of a date/time value for
the event. The format must be yyyy-mm-dd hh:mm:ss. The time portion (hh:mm:ss) is optional, and if omitted will be set to 00:00:00.
10. In the Server Information pane: Select the database server type from the Server Type list. Enter the database user name in the DB Username box. Optional: Enter a
database name in the Database Name box. If omitted, all databases will be monitored. Optional: Identify one or more servers. If no server is specified, all servers
will be monitored. To select a specific server only, enter the server IP address and network mask in the Server IP and Server Net Mask boxes; or, to select a group of
servers, select a server group from the Server IP Group list or click the Groups button to define a new group of servers.
11. When you are done, click the Add button to add the mapping to the list.
Value Change Auditing

The Value Change Auditing feature tracks changes to values in database tables.
The Value Change Auditing feature tracks changes to values in database tables. For each table in which changes are to be tracked, you select which SQL value-change
commands to monitor (insert, update, delete). Each time a value-change command is run against a monitored table, before and after values are captured. On a scheduled
basis, the change activity is uploaded to a GuardiumÂ® system, where all the reporting and alerting functions can be used. The basic steps to perform to use the Value
Change Auditing feature are:
1. Create an audit database on the database server. This database is where value-change data is stored until it is uploaded to the Guardium system. See Create an
Audit Database.
2. Identify the tables to be monitored, and for each table select the value-change commands (insert, delete, update) for which changes will be recorded. To record the
changes, a trigger is created for each table to be monitored, and that trigger writes the value-change data to the audit database. To allow updates to the audit
database (by the trigger), all users with update privileges for the monitored table are given appropriate privileges for the audit database. This has implications for

users who are given update privileges for that table later (see step 4). For detailed instructions on how to define the monitoring activities, see Define Monitoring
Activities.
3. Schedule uploads to transfer value-change data from the database server to the Guardium system. See Schedule Value-Change Uploads.
4. Maintain audit database access privileges. After a trigger has been created, a new user may be given access to the table on which the trigger is based. If that user
issues a monitored value-change command, it will fail because that user will not have appropriate privileges to update the audit database. See Maintain Privileged
Users Lists.
5. Monitor change activity from the administrator console, or use the Value Change Tracking query domain to create custom reports on the Guardium appliance. See
Value-Change Reporting.
Define Monitoring Activities

After you define an audit database, use the Value Change Auditing Builder to identify the tables to be monitored, and to select the types of changes (inserts, updates,
deletes) to be recorded.
1. Open the Value Change Auditing Builder by navigating to Harden > Configure Change Control (CAS Application) > Value Change Auditing Builder.
2. Click Add Datasource to open the Datasource Finder panel.
3. Select a datasource on which an audit database is defined. If an audit database is not yet defined, see Create an Audit Database.
4. Click Add to close the Finder and add the selected datasource to the Value Change Audit panel.
5. Optionally enter a Schema Owner and/or Object Name to limit the number of tables that are displayed when choosing the tables to be monitored. You can use the
% (percent) wildcard character. For example, to limit the display to all tables that begin with the letter a, enter a% in the Object Name box.
6. Click Choose Tables To Monitor to open the Define Data Audit panel.
7. Mark the Select box for each table to be monitored.
Note: You cannot define a trigger for a table that contains one or more user-defined data types.
The Trigger Defined column indicates if a trigger is already defined for the table. The Audit Insert, Audit Delete, and Audit Update check boxes indicate if the trigger
will record changes for that command.
If the Trigger Defined column is not marked, marking the Select checkbox for a table automatically marks all three the Audit checkboxes (Audit Insert, Audit Delete,
and Audit Update). If you do not want to monitor one or two of those commands, clear the appropriate checkbox.
8. Click Add Selections to define triggers for the selected tables. You will be informed of the action taken.
9. Click OK to close the message box and re-display the Define Data Audit panel. The selected tables remain selected, and the Trigger Defined column is now marked
for those tables. Note: The instant a trigger is defined for a table, it is active and recording changes for the selected commands in the audit database. The
configuration of triggers is done entirely on the database server, which is unlike most other Guardium configurations, which are defined on the Guardium database,
and then activated or deactivated as a separate task.
10. To define additional actions, repeat these steps, or remove triggers by marking the appropriate Select check boxes and clicking Remove Selections.
11. Click Done after you complete all changes.
Note: The Cancel button does not back out any changes that you have made to triggers using the Add or Remove Selections buttons.
After Defining Monitoring Activities

If you have added value-change monitoring activities to a datasource for the first time, you should schedule uploads for this datasource, because the audit database will
be emptied only after the data recorded there has been uploaded to the Guardium system. See the next section.
Schedule Value-Change Uploads

2. Select the audit datasource for which you want to schedule uploads, and click Schedule Upload to open the general-purpose task scheduler. If you need help
defining a schedule, see Scheduling in the Common Tools book.
Maintain Privileged Users Lists

When the value-change feature adds a trigger for a database table, all current users with permission to update that table are granted permission to update the audit
database table. This is required because the trigger updates the audit database with new and/or old values. If a new user is granted update permission for a monitored
table, when that user attempts an update, the update is not allowed because that user does not also have permission to update the audit database. When this happens,
you must update the audit database privileged users list by using the Value Change Auditing Builder.
To update the audit database privileged users list, the database user ID that is used to log in to the monitored database must be the creator of any role to which new users
have been added. Otherwise, the members of that role will not be available.
2. Click Add Datasource to open the Datasource Finder panel, select the appropriate Datasource from the list, and click Add.
3. Click Update Audit Tables Privileged Users. The permissions for all users who can run triggers to update the audit database tables are updated, and you are
informed when the operation completes.
4. Click OK to close the message box.
Value-Change Reporting
You can view value-change data from the default Values Changed report, or you can create custom reports using the Value Change Tracking domain. By default, the Value
Change Tracking domain is restricted to users having the admin role.
Values Changed Default Report

There is one default values-changed report available by navigating to Reports > Real-Time Guardium Operational Reports > Values Changed.
The main entity for the Values Changed report is the Changed Columns entity. In most cases, there is a separate row of the report for every column change that is detected
for every audit action (Insert, Update, Delete). However, for MS SQL Server and Sybase, if the monitored table does not have a primary key, there are two rows per change,
with the old and new values displayed on separate rows.

Create an Audit Database
Create an audit database and perform value-change monitoring activities.
To create an audit database and perform value-change monitoring activities, you must have a user account with appropriate permissions to:
Create a database on the server

Create a database user account on the server
Log in to each database to be monitored Create tables and triggers on each database to be monitored
Before Defining an Audit Database under Informix or Sybase

For InformixÂ® and Sybase (except for Sybase IQ, which does not support triggers) and depending on the operating system for the database server, you must perform one
of the following procedures before defining the audit database.
Informix Setup - Locate or Create a New Database Space

This topic applies for Informix (9.4 or later). Under Informix, we strongly recommend that you avoid using the default root database space, root_dbs. You cannot drop this
space or reduce its size.
You should use any other database space that has been defined, or to create a new database space, perform one of the following procedures (depending on the operating
system).
Informix - Create an Informix Database Space on a Windows Server

This procedure is performed outside of the GuardiumÂ® GUI, and applies for Informix version 9.4 or later.
1. Verify that the database server is online and listening.

2. Create a zero-byte file named guardium_dbs_dat.000 in the C:\IFMXDATA\server-name directory (sever-name is the name of the Informix server or the service
name). You can do this by saving an empty text file, and then renaming the file, replacing the txt suffix with 000.
3. Make the following directory the working directory:
C:\Program Files\Informix\bin
4. Execute following command:
C:\Program Files\Informix\bin>onspaces -c -d guardium_dbs -p C:\IFMXDATA\server-name\guardium_dbs_dat.000 -o 0 -s 150000
If the file is created successfully, you see the following messages:
Verifying physical disk space, please wait ...

Space successfully added.
** WARNING ** Â A level 0 archive of Root DBSpace will need to be done.
5. Restart the Informix server, and use a suitable tool (Aqua Data Studio remote client, for example) to connect and verify that the space named guardium_dbs has
been created. Your first connection attempt may fail with a message about the server running in Quiescent Mode. Â If this happens, attempt to re-connect at least
two more times, and it should work.
6. To verify that the guardium_dbs database space has been created, use Aqua Data Studio, and look under Storage.
Informix - Create an Informix Database Space on a Unix Server

This procedure is performed outside of the Guardium GUI, and applies for Informix version 9.4 or later.
1. From a command-line window, enter the following commands:
su - informix
cd demo/server
vi guardium_dbs
2. Without adding any text, save the empty guardium_dbs file.

3. Enter the following commands:
chmod 660 guardium_dbs

cd ../../bin
onspaces -c -d guardium_dbs -p /home/informix10/demo/server/guardium_dbs -o 0 -s 100000
Sybase Setup - Initialize Disks

This topic applies for Sybase servers only (except for Sybase IQ, which does not support triggers). Depending on the operating system of the database server, perform one
of the following procedures to initialize disks.
Sybase - Initialize Disks on a Windows Sybase Server

1. Connect to the server on which you want to create the Guardium audit database: guardium_audit.
2. Create a folder named guardium_audit, under the c: drive.
3. Connect to the database.
4. Execute the following commands:
use master
go
disk init name="guardium_auditdev", size=8192
go
disk init name="guardium_auditlog",

physname="c:/guardium_audit/guardium_auditlog", size=8192
go
Sybase - Initialize Disks on a Unix Sybase Server

1. Connect to the database.
2. Execute the following statements:
use master
go
disk init name = 'guardium_auditdev', physname
Â ='/home/sybase/data/guardium_auditdev' , size = 8192
go
disk init name = 'guardium_auditlog', physname
Â ='/home/sybase/data/guardium_auditlog' , size = 8192
go
Create the Database

For an Informix or Sybase database, be sure to perform the preliminary tasks before performing this procedure.
1. Open the Value Change Database Builder by navigating to Harden > Configuration Change Control (CAS Application) > Value Change Audit Database Creation.
2. Click Add Datasource to open the Datasource Finder panel. Datasources that have been defined from the Value Change Auditing application are labeled Monitor
Values. Datasources that have been defined for other applications will have different labels (Listener, or DBanalyzer, for example), and those datasources may not
have the appropriate set of database access permissions for Value Change Auditing application, which requires a user account having database administrator
authority. If a suitable datasource is not available, click the New button to define a new one for the database to be monitored (see Datasources in the Common
Tools book for detailed information on defining datasources).
Note: If a GUARDIUM_AUDIT database is already created on this dbserver, another one cannot be created. The GUARDIUM_AUDIT database/user must be dropped
before a new one can be created.
3. Select a datasource that uses an administrator account, and click Add, to add it to the Datasources pane on the Create Value Change Audit Database panel.
4. Enter an Audit Datasource Name. This is the name that will be used to identify the datasource later, to define monitoring tasks and to upload data. Do not confuse
this name with the name of the Datasource from the Datasources panel.
5. Optionally mark the Share Datasource box to share this datasource with other applications (Classification, for example). The default is not to share the datasource.
This type of datasource requires administrator privileges, so you may not want to share this datasource with other applications.
Note: To share a datasource with other users, assign security roles to that datasource.
6. For any database type other than DB2Â®, there will be additional fields in the Audit Configuration pane. All fields are required. Referring to the following table, enter
the appropriate values.
Table 1. Additional Audit Configuration Fields Table
Database Type Field: Description
Informix Database Space: Enter the name of an existing database space to use, or enter the name of the database space you created for
the audit database (guardium_dbs in the example shown previously). If you leave this blank, the default root_dbs space will be
used, which we do not recommend.
MS SQL Server Audit User Name: Enter a new database user name to use when accessing the audit database. This user will be given the
sysadmin role.
Audit Password: Enter a password.
An additional choice appears in Value change Audit Database Creation menu screen when then the datasource is MSSQL server.
This additional choice appears only when the datasource is MSSQL Server.
Compatibility Mode: Choices are Default or MSSQL 2000. The processor is told what compatibility mode to use when monitoring
a table.
Use the GuardAPI command, grdapi list_compatibility_modes to show the compatability modes for MS SQL Server.
Oracle Audit Password: Enter the password for the system user, which will be the database account used to access the audit database.
Default Tablespace: Enter a name for the default tablespace.
Temp Tablespace: Enter a name for the temporary tablespace.
Sybase Audit User Name: Enter a new database user name to use when accessing the audit database. This user will be granted the
sa_role.
Audit Password: Enter a password.
Data Device Name: Enter the same data device name used when initializing the disk for the audit database (guardium_auditdev
in the disk initialization procedure described earlier).
Log Device Name: Enter the same log device name used when initializing the disk for the audit database (guardium_auditlog in
the disk initialization procedure described earlier).
7. Click Create Audit Database to create the audit database.
8. Use the selection Value Change Audit Database Update and Upload on the Config and Control tab to select the actions in this table.
Action Description
Delete Click to remove the datasource from the Datasources pane.
Â Modify Click to edit this datasource definition in the Datasource Definition

panel.
Schedule Upload Click to schedule the upload of this audit datasource.
After Defining the Audit Database

After an audit database has been created on a database server, it will be available for use by the Value Change Auditing Builder, which is the tool that is used to build
triggers. See Value Change Auditing.
Monitored Table Access

This feature adds a â€œLast Assessedâ€ field to relevant tables, for interaction with Optimâ„¢ Designer data lifecycle products.
This feature is also called â€œTable Last Referencedâ€ .
This feature uses Guardiumâ€™s External Feed that is preconfigured with the data (a predefined External Feed map), and an audit process to run it.
Follow these Steps

1. Create the target (Optim) tables on any InformixÂ® database. Use the script.
2. Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder, then edit the process named Table Last Referenced. Add a
datasource to the External Feed task (the Informix datasource that contains the tables) and setup the run-time parameter for servers group. All the rest is
predefined and there is no need to change it.
3. Run (or schedule to run periodically) the audit process.
Note: The resulting table will show only the last run. The receiver count is the count of the receivers, and not the count of run results since the last run only.
IBM Guardium can detect external references to database objects, specifically tables. This capability, in conjunction with Optim Designer, can be used to manage the
retirement of inactive tables or archiving with certain retention policies.
GuardiumÂ® collects and maintains a list of tables with the date of last reference. The list is built using policies in Guardium that dictate the interval of last reference and
the frequency to be used for updating the list content. The information captured by Guardium is referred to as the â€œlast referenceâ€ list and supplies the following
information: What tables are no longer referenced? What table access trends exist for retirement candidates?
Having the ability to accurately plan for the retirement of applications will help to:
Plan for hardware retirement or redeployment

Reduce cost of ownership by moving or retiring those resources supporting the applications (for example, hardware, DBA(s), Application owners, IT operations such
as backups).
Know what tables are rarely or never accessed
This functionality of IBM Guardium has been added directly to the Optim Designer user interface.
The information supplied by Guardium to Optim consists of the following attributes per table entry:
Table 1. Monitored Table Access List Entry

List Entry Description
Field Comment
DataSourceDesc Description
Server IP Â
Host Name Â
DB Vendor for example, Oracle, DB2Â®
User Name for example, for Oracle it mostly defines the schema
Database Name Â
Schema Â
Table Â
Date Date of last access
Script to create Informix tables in the Optim product

Last_referenced_datasource
create table last_referenced_datasource (
Â Â Â Â id Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â serial(1) not null,
Â Â Â Â datasource_desc Â Â Â Â varchar(100),
Â Â Â Â server_ip Â Â Â Â Â Â Â Â Â Â char(39),
Â Â Â Â host_name Â Â Â Â Â Â Â Â Â Â varchar(200),
Â Â Â Â db_vendor Â Â Â Â Â Â Â Â Â Â char(40),
Â Â Â Â primary key (id) constraint last_referenced_datasource_pk
);
Last_referenced_table
create table last_referenced_table (
Â Â Â Â id Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â serial(1) not null,

Â Â Â Â datasource_id Â Â Â Â Â Â int not null,
Â Â Â Â user_name Â Â Â Â Â Â Â Â Â Â char(32),
Â Â Â Â db_name Â Â Â Â Â Â Â Â Â Â Â Â char(128) not null,
Â Â Â Â schema_name Â Â Â Â Â Â Â Â char(128) not null,
Â Â Â Â table_name Â Â Â Â Â Â Â Â Â char(128) not null,
Â Â Â Â last_reference Â Â Â Â Â datetime year to second not null,
Â Â Â Â primary key (id) constraint last_referenced_table_pk,
Â Â Â Â foreign key (datasource_id) references last_referenced_datasource(id) constraint last_referenced_table_fk
);

Guardium provides several compliance monitoring templates--groups, security policies, and reports corresponding to specific standards and regulations--including the
following:
Basel Committee on Banking Supervision (BASEL II)

General Data Protection Regulation (GDPR)
General Data Protection Regulation for Db2 for z/OS (GDPR for Db2 for z/OS)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Security Standard (PCI)
Personally Identifiable Information (PII)
Sarbanes-Oxley Compliance (SOX)
These quick start compliance monitoring templates are especially useful for organizations that must comply with one of the associated standards or regulations in a short
period of time. After installing security policies, the compliance monitoring tool guides administrators or compliance officers through the initial setup and population of
groups with organization-specific information such as client IP addresses and specific privileged user IDs. In addition, the compliance monitoring tool periodically checks
your Guardium environment for new databases that can be monitored using the compliance monitoring templates.
After choosing a compliance monitoring template and indicating databases where that compliance type should be applied, the compliance monitoring tool takes the
following actions:
A security policy is created and installed for the selected compliance type. In a centrally-managed environment, the policy is installed on the collectors.
A policy installation schedule is defined for 10:30 AM daily. In a centrally-managed environment, the policy installation schedule runs on the collectors.
A server IP group is populated with the server IP addresses of the selected databases.
The current user is assigned to the selected compliance-type role. This role enables access to related reports and accelerators from the main Guardium navigation.
When supported, a discover sensitive data scenario is created.
If a discover sensitive data scenario is created and at least one of the selected databases has a datasource defined, the scenario is scheduled to run once per week
on Sundays at 10:30 AM. In a centrally-managed environment, the schedule runs on the central manager.
The following table summarizes the features supported for each of the available compliance types:
Table 1. Summary of features supported by the Compliance Monitoring tool per
compliance type.
Â Basel II GDPR HIPAA PCI PII SOX
Security policy
Reports Â
Discover sensitive data scenario Â Â Â
Prerequisites for compliance monitoring

Review prerequisites and restrictions before configuring compliance monitoring.
Set up compliance monitoring
Learn how to complete the initial compliance monitoring configuration.
Populate groups
Learn how to populate groups for compliance monitoring.
Enable scanning for sensitive data
Learn how to store database credentials and allow the discovery and classification of sensitive data.
Understanding the compliance monitoring views
Learn how to interpret and respond to the compliance monitoring views.

Related concepts:
Policies
Datasources
Related tasks:
Groups
Guardium GDPR accelerator (video)

Review prerequisites and restrictions before configuring compliance monitoring.
The quick start for compliance monitoring tool uses templates to quickly establish compliance monitoring on new database servers in your environment. These templates
are optimized for use with new or expanding Guardium deployments. Ensure the easiest configuration and most complete functionality by verifying the following
prerequisites before you begin:
You are a Guardium user with administrative privileges running Guardium V10.1.3 or newer configured as a central manager or standalone system.
S-TAPs are installed and operational on the new database servers.
The database servers are supported by the compliance monitoring templates.
There are no policies installed other than the Default - Ignore Data Activity for Unknown Connections policy.
Warning:
You can install quick start compliance monitoring security policies alongside your preexisting policies only if the preexisting policies have the following Policy
Definition settings:
Log flat: disabled

Rules on flat: disabled
Selective audit trail: enabled
Installation of quick start security policies will fail if any preexisting policies have conflicting settings. When working with an existing deployment, considering
uninstalling your existing policies before working with the quick start policies. This restriction should not impact new Guardium deployments.
The following sections describe the quick start compliance monitoring prerequisites in detail.

Before you begin configuring compliance monitoring, the Guardium monitoring agent (S-TAP) must be installed on database servers and configured to communicate with
the Guardium system. See Deploy monitoring agents for information about quickly installing and configuring Guardium monitoring agents.
For more detailed information about S-TAPs, including other installation methods, see S-TAP administration guide.
Supported databases
The compliance monitoring tool detects databases in your Guardium environment based on the following criteria:
Active traffic on a Guardium system.

The discovered instances report (Discover > Reports > Discovered Instances).
The detection method varies by supported database type, as summarized in the following table.
Table 1. Summary of supported database types and detection methods.
Database Active traffic Discovered instances
Db2 for Linux, UNIX, and Windows Â
Db2 for z/OS Â

Important: The Default - Ignore Data
Activity for Unknown Connections policy
does not capture traffic for Db2 for z/OS
databases. Before using the compliance
monitoring tool with Db2 for z/OS
databases, you must first install a policy
that meets the policy definition and
active traffic criteria described in this
topic.
Informix
Microsoft SQL Server
MySQL
Netezza Â
Oracle
PostgreSQL Â
Sybase
Teradata
Active traffic meets the following criteria:
Traffic uses one of the following protocols:

Db2 for z/OS databases: BATCH, CALL, CICS, CTL, DRDA, PRIV, RRSAF, TRAN, TSO, or UTIL.
All other databases: TCP.
Traffic is not local (server IP does not equal client IP).
Unsuccessful logins are ignored.
Traffic is not encrypted.

Active traffic is checked for new databases every hour at 17 minutes after the hour. For example, active traffic from a database established at 13:00 will be detected at
13:17.
Discovered instances meet the following criteria:
Databases do not specify a port range.

Databases do not require a database name for datasource creation.
Extrusion rules and Inspect return data

Several quick start compliance monitoring policies use extrusion rules. Extrusion rules evaluate data returned by the server in response to requests. For example, an
extrusion rule might check for numeric patterns associated with sensitive data like social security or credit card numbers.
Extrusion rules require that the Inspect returned data setting is enabled for all inspection engines using the policy. To use the extrusion rules included with the following
compliance templates, you must allow the inspection engines to inspect returned data:
GDPR
HIPAA
PCI
PII (data privacy)
Important: Enabling Inspect returned data increases network traffic with the returned results set.
Enable Inspect return data from Manage > Activity Monitoring > Inspection Engines. For more information about the Inspect return data setting, see Creating policies and
Inspection engine configuration.
Policy definition settings

All compliance monitoring security policies use the following policy definition settings:
Log flat: disabled

Rules on flat: disabled
Selective audit trail: enabled
Policies with conflicting Log flat, Rules on flat, or Selective audit trail settings cannot be installed in the same Guardium environment. As a result, you cannot use the quick
start compliance monitoring templates if you have installed any policies that use different settings.
For new Guardium deployments or deployments without user-defined policies, you are unlikely to encounter any conflicts with these policy settings. For existing Guardium
deployments, if you receive a conflicting policies message while using the Set up compliance monitoring tool, review your policy definition settings.
For more information about selective audit trails, see Rule actions.
Exception: If it is the only installed policy, the Default - Ignore Data Activity of Unknown Connections policy is overridden by the installation of compliance monitoring
policies.
Parent topic: Quick start for compliance monitoring

Learn how to complete the initial compliance monitoring configuration.
Before you begin

For more information about prerequisites and restrictions, see Prerequisites for compliance monitoring.
About this task

Use the set up compliance monitoring tool to associate databases with one or more compliance templates. This procedure quickly installs a security policy, groups,
reports, and a discover sensitive data scenario when supported.
Procedure
1. Open the compliance monitoring page by navigating to Setup > Quick Start > Compliance Monitoring.
2. Open the compliance monitoring set-up tool by clicking the icon in the Set up compliance monitoring tile.
3. From the Compliance type section, use the Select the compliance type you want to enable menu to select the type of database monitoring you want to configure.
For example, to enable GDPR monitoring, select General Data Protection Regulation (GDPR). Click Next to continue.
4. From the Databases section, select databases from the Available databases table and click the icon to add them to the Selected databases table.
Tips:
Use the Exclude monitored databases check box to hide databases where compliance monitoring is already configured.
When using the General Data Protection Regulation for Db2 for z/OS (GDPR for Db2 for z/OS) compliance type, the list of available databases is filtered to
include only Db2 for z/OS databases. Similarly, Db2 for z/OS databases are not displayed when working with non-z/OS compliance types.
Select databases from the Selected databases table and click Provide credentials to store database credentials. Storing credentials enables the discovery
and classification of sensitive data for some compliance types. If automated configuration is not supported, the datasources created when you store
credentials can be used in your own discover sensitive data scenarios.
To disassociate databases from a compliance type, edit the configuration and remove databases from the Selected databases table or navigate from the
compliance type tile to View details > Databases and click the icon next to a database.
5. When you are finished identifying databases to monitor, click Run setup to install the policy, populate the server IP group, and run compliance monitoring reports.
6. From the Refresh the page to show new content? dialog, click Yes to refresh the page and complete the set up.

Results
After setting up compliance monitoring, you will see a tile on the compliance monitoring dashboard corresponding to the compliance template you configured.
What to do next
After configuring compliance monitoring, you may notice several icons on the compliance monitoring tiles. These icons indicate that additional configuration is
required. Use the Populate group links to populate additional groups or the Datasource credentials link to provide database credentials for a discover sensitive data
scenario.
Important: A default server IP group is automatically created and populated when monitoring is configured using the compliance monitoring set-up tool. However, it is
important to define the users and applications that are allowed to access your databases by populating several additional groups. For information about populating groups
from the compliance monitoring page, see Populate groups.
Related concepts:
Populate groups
Learn how to populate groups for compliance monitoring.
Before you begin

Install a compliance monitoring template by following the procedure described in Set up compliance monitoring.
About this task

A default server IP group is automatically created and populated when monitoring is configured using the compliance monitoring set-up tool. However, it is important to
define the users and applications that are allowed to access your databases by populating several additional groups. The following procedure describes how to quickly
populate groups.
Important:
Empty groups are not treated as wild cards and will not capture any traffic.
Hierarchical or nested groups are not supported.
Procedure
1. Use one of the following methods to identify unpopulated groups and open the Edit group dialog to begin.
In the Monitoring enabled section of a compliance monitoring tile, look for icons and click the associated Populate group link.
Click the View details link on a compliance monitoring tile to open the details panel, select the Summary tab, and click the icon next to a group.
Tip: In the details panel, unpopulated groups are highlighted with a small icon.
At this point, the details view and Edit group dialog will open on top of the compliance monitoring dashboard.
2. From the Edit group dialog, optionally provide a Category and Classification for the group. The Application type, Group type, and Description (used as the Group
name) fields are populated based on the group selected in the previous step and are not editable.
3. From the Edit group dialog, use one of the following methods to begin populating the selected group.
Click the icon to add an item to the Member table and manually specify a group member.
Click Import > From CSV to import group members from a CSV file.
Click Import > From group to import group members from another Guardium group of the same group type. For example, you can populate an authorized
users group from another group containing a list of users but not from a group containing a list of IP addresses.
Click Import > From external datasource to import group members from an external datasource. The Datasource menu will include all datasources marked
shared or of type custom domain. For more information, see Importing from external datasources.
4. When you are finished adding members to the group, click OK to return to the compliance monitoring dashboard.
Enable scanning for sensitive data

Learn how to store database credentials and allow the discovery and classification of sensitive data.
Before you begin

Install a compliance monitoring template by following the procedure described in Set up compliance monitoring.
About this task

The following procedure describes how to create datasources by storing database credentials using the compliance monitoring tool. Storing credentials and creating
datasources allows Guardium to access your databases for the discovery and classification of sensitive data.
Procedure
1. Use one of the following methods to identify where database credentials are required.
In the Scanning for sensitive data section of a compliance monitoring tile, look for a icon and click the associated Datasource credentials link. The
compliance monitoring databases view will open to a filtered list of databases that require credentials.

Click the View databases link to open the compliance monitoring databases view and look for databases that do not have a icon in the Datasource
column.
2. From the compliance monitoring databases view, select databases that require credentials and click Datasource actions > Provide credentials.
Tips:
If you select multiple databases and click Datasource actions > Provide credentials, the provided credentials are saved for all selected databases. When
providing credentials for multiple databases, make sure that the selected databases all use the same credentials. Otherwise, databases that use different
credentials will fail the connection test.
Storing credentials enables the discovery and classification of sensitive data for some compliance types. If automated configuration is not supported, the
datasources created when you store credentials can be used in your own discover sensitive data scenarios.
3. From the Provide credentials dialog, use the User name and Password fields to provide credentials for the selected databases. Click OK to return to the compliance
monitoring database view.
4. From the compliance monitoring database view, select databases that have stored credentials and click Datasource actions > Test connection. Use Test connection
to validate that the stored credentials allow access to the database. If the connection test fails, the discovery and classification of sensitive data will not work.
Important:
Testing connections can be time-intensive. It is not recommended to test a large number of connections at once.
If a connection test fails, navigate to Setup > Tools and Views > Datasource Definitions, select the datasource, and validate the datasource definition. For
example, you may need to specify the correct port for Db2 for z/OS databases, correct mixed-case PostgreSQL database names, or set other connection
properties required for your environment.
If a Microsoft SQL Server connection test fails, verify that the SQL Server Browser Windows service is started.
Results
After enabling scanning for sensitive data, scan results and any changes made to the policy (including changes to groups and group membership) become available after
the policy is installed according to the policy installation schedule. By default, the quick start compliance monitoring tool defines a policy installation schedule that runs
daily at 10:30 AM.
Understanding the compliance monitoring views

Learn how to interpret and respond to the compliance monitoring views.
User interface
The Compliance Monitoring tool consists of the following views:
Dashboard view
This is the default view and provides an overview of the current status of compliance deployment, organized by compliance type. Individual tiles reflect the current
configuration status of several compliance monitoring components, making it easy to quickly identify which compliance types require additional configuration.
Database view
The database view provides a table indicating which databases are configured with any of the supported compliance monitoring templates.

The Set up compliance monitoring tool provides a guided interface for quickly associating databases with compliance templates and running the initial setup.
Access the tool by clicking the icon on the Set up compliance monitoring tile of the dashboard view or by selecting databases and clicking the Set up
compliance monitoring button on the database view.
The compliance monitoring views provide several interrelated ways to complete the configuration tasks associated with establishing compliance monitoring. The following
table summarizes the tasks supported by the different views.
Table 1. Summary of tasks supported by compliance monitoring views.
Task Set up compliance monitoring Dashboard view Database view
Associate compliance type with databases From the Databases section, select Â Â
databases from the Available
databases table and click the

icon to move them to the Selected
databases table.
Populate groups Â From a compliance type tile, click Â

the Populate group link or navigate
to View details > Summary and click
the icon next to a group.
Define datasources for discovering sensitive data From the Databases section, select From a compliance type tile, click Select databases and click
databases from the Selected the Datasource credentials link, Datasource actions > Provide
databases table and click the select databases, and click credentials.
Provide credentials button. Datasource actions > Provide
credentials.
Important: Once configured with a compliance monitoring template, databases that have been taken offline will continue to appear in the compliance monitoring tool.
Policies
The quick start compliance monitoring templates provide security policies that are designed to work effectively and without any modification. Use these policies to quickly
get up and running with compliance monitoring. From the compliance monitoring dashboard view, click View details > Policies to see the policies associated with a specific

compliance type.
When compliance monitoring is configured from a central manager, quick start security polices are automatically pushed-down to all collectors. If policies other than the
default quick start security policies are installed, the quick start policies are installed last.
If you want to review the compliance monitoring policies in detail, they are available through the Policy Finder. Quick start compliance monitoring policies are identified
with the following naming convention: Quick Start compliance type. For example, the default GDPR policy is named Quick Start GDPR. It is also possible to edit the
compliance monitoring security policies using the Policy Builder for Data.
Restriction: Prior to Guardium V10.1.4, modifying the rules and groups used with quick start security policies may result in inaccurate configuration status in the
Compliance Monitoring tool.
If you have modified the compliance monitoring policies, revert to the default settings from the Compliance Monitoring dashboard view by clicking View details in the
desired compliance type tile, selecting the Policies tab, and clicking Reset to default. Before restoring the default settings, any customized settings are retained in a policy
with the following naming convention: Quick Start compliance type timestamp (where timestamp indicates the date and time default settings were restored). For example,
Quick Start GDPR 2017-05-01 19:17:59.
Important: Prior to Guardium V10.1.4, it may be necessary to reinstall the quick start security policy after using Reset to default. For more information, see Installing
security policies.
Policy installation schedule

By default, the quick start compliance monitoring tool defines a policy installation schedule that runs daily at 10:30 AM.
When compliance monitoring is configured from a standalone machine, a policy installation schedule is defined if there are no pre-existing policy installation schedules
(regardless of whether the schedules are active or paused). When compliance monitoring is configured from a central manager, the policy installation schedule is
configured for all collectors (regardless of whether existing policy installation schedules exist).
Groups
The compliance monitoring tool relies on several groups associated with each compliance type. These groups should be populated to establish effective compliance
monitoring. From the compliance monitoring dashboard view, click View details > Summary to see the groups associated with a specific compliance type.
Restriction:
Hierarchical or nested groups are not supported.

Empty groups are not treated as wild cards and will not capture any traffic.
Prior to Guardium V10.1.4, modifying the rules and groups used with quick start security policies may result in inaccurate configuration status in the Compliance
Monitoring tool.
You may notice a discrepancy between the number of databases and the members of the Server IP group shown on the View details > Summary tab for a compliance type.
This discrepancy reflects multiple databases running on a single database server or a Server IP group that has been updated outside of the compliance monitoring tool.
Reports
The quick start compliance monitoring templates provide several predefined reports for each compliance type. From the compliance monitoring dashboard view, click
View details > Reports to see the reports associated with a specific compliance type. These reports are also available under the Accelerators section of the main Guardium
navigation. This list of reports is predefined for each compliance type and does not reflect any custom reports you may have defined.
Restriction: The HIPAA compliance monitoring template does not provide any predefined reports.
Users and roles

The current user is assigned to the selected compliance-type role. This role enables access to related reports and accelerators from the main Guardium navigation. If
different Guardium users configure different compliance types, the individual users will only have access to the reports and accelerators associated with the compliance
types they configured.
For example, if user1 configures GDPR and user2 configures PCI, user1 will not have access to the PCI reports and accelerators because the PCI role has not been
assigned to user1. For information about manually assigning specific roles to users, see Access management overview.
Sensitive data
You may notice a discrepancy between the Matches found value on a compliance type tile and the associated objects groups on the View details > Summary tab. Matches
found indicates the number of unique table and column name pairs that matched criteria from the sensitive data discovery scenario. The number of members in the
OBJECTS group is the number of unique table names and is a cumulative value from all scans.
Important: In the Scanning for sensitive data section of a tile, icons indicate that one or more datasource has been configured for the discover sensitive data scenario.
Click View databases to investigate which databases have datasources defined for discovering sensitive data.
How to use PCI/DSS Accelerator to implement PCI compliance

Configure IBM Security Guardiumâ€™s PCI/DSS Accelerator and create a series of policies and reports, in order to meet PCI/DSS requirements.
PCI/DSS (Payment Card Industry/ Data Security Standard) is a set of technical and operational requirements designed to protect cardholder data.
Value-added: Give customers a whole view of PCI/DSS and provide predefined policies and reports to save configuration time.
Follow these steps:
1. Configure PCI role.
2. Configure reports and policies that follow the requirements.

Configure PCI role
1. Login via the Guardium GUI page using the â€œaccessmgrâ€ user account. Select a user (in this case, user1), and click on Roles.
2. In the user role form, check PCI, and then save the assignment.
Implement PCI accelerator

Log on using â€œuser1â€ and click Accelerators.
Overview
1. Click PCI Accelerator for Compliance.
2. Click PCI Data Security Standard.

Plan and Organize
Plan and Organize
Click the Overview for an introduction of how the predefined reports follow the compliance.
1. Cardholder Server IPs List: Cardholder information database server list. According to the company's actual situation, set the PCI Authorized Server IPs group
information, which specifies the database server that stores cardholder information.
2. Cardholders Databases: Cardholder information database. Set the PCI Cardholder DB: designated group information, which is stored in the database's
cardholder information.
3. Cardholder Objects: Cardholder information object. This needs to set the PCI Cardholder Sensitive objects.
4. DB Clients to Servers Map: Client/server mapping and PCI Authorized Server IPs set group information, which specifies the database servers storing
cardholder information. Query can be used to find client access to the cardholder database.
5. Active DB Users: Administrator in addition to categories of users, which visited the cardholder database. Set the â€œPCI Authorized Server IPsâ€ and
â€œPCI Admin Usersâ€ .
6. Cardholder DB Administration: Cardholder database management operations. Set the PCI Authorized Server IPs and Admin Users.
7. Authorized Source Programs: Credit program access. Set the PCI Authorized Server IPs, PCI Authorized Source Programs. Procedure for recording Credit
Cardholder database access.
8. Unauthorized Application Access: Non-credit program access. Set the PCI Authorized Server IPs, PCI Authorized Source Programs. Records of credit
program for the cardholder database access.
9. 8.5.8 Shared Accounts: PCI eighth requirements to have each person having computer access to be assigned a unique ID. Set PCI Authorized Server IPs to
count the number of times the same database username is trying to access from the cardholder database IP.
In the statements, click to view a report form, and then determine what specific group content needs to be filled in.
Here is the actual name of the group:
Navigate to Setup > Tools and Views > Group Builder, and in the Modify Existing Groups selection, select the group name.

Click Modify (the pencil icon) and go to Manage Members for Selected Group page. Add new members.
The group can also be filled through a customized query.
PCI Req. 10 Track & Monitor
Click the Overview for an introduction of how the Guardium monitor and predefined reports follow the compliance.
1. 10.2 and 10.3 Automation - Use the online help Protect help book and Comply Help book to automate this section.
2. 10.2.1 Data Access - PCI Access to cardholder data, Set the PCI Authorized Server IPs and PCI Admin Users.
3. 10.2.2 Admin Activity - PCI Activity by Admin. user. Set the PCI Authorized Server IPs and PCI Admin Users.
4. 10.2.3 Audit Trail Access - To follow this section completely, at least four kinds of reports must be defined: Logins to SQLGuard; User activity audit trails on
Guardium server; Scheduled job exceptions; and, User to-to lists. Navigate to Setup > Reports > Report Builder to create reports as you need.
5. 10.2.4 Invalid Access - PCI - Invalid Login Access Attempts: record the login failed try in the database. PCI - Unauthorized Application access: record the
database access not defined in PCI Authorized Source Programs.
6. These three sections can also use the Monitor and Audit Help Book in the embedded online help - 10.2.6 Initialization Log, 10.5 Secure audit trails, and 10.6
Access Auditing.
PCI Req. 11 Ongoing Validation
Click Overview for a discussion on the importance of vulnerabilities assessment. Click Harden > Assessment Builder to build an assessment process.
PCI Policy Monitoring
Click Overview to introduce the Policy.

1. To show your current policy installations, navigate to Setup > Tools and Views > Policy Installation and choose a suitable policy for installation.
2. Policy Violations - Records of violation operations.
Workflow Builder
The Workflow Builder is used to define customized workflows (steps, transitions and actions) to be used in the Audit Process.
For additional information, see Building audit processes. Follow these steps to:
Define the workflow steps (Event Status),

Define the flow of transit from one step to another (Actions)
Define which actions require sign-off
Assign roles to each status, to define the users permitted to view each status
Relevant Terms for this feature
Event Type - Custom workflow
Event Status - State/status of the workflow.
Event Action - Action/Transition
Note: Workflow Builder is an optional component enabled by product key.
Create a Workflow Process

1. With an Admin account, open the Workflow Builder by navigating to Comply > Tools and Views > Workflow Builder. With a User account that has DataPrivacy
privileges, open the Workflow Builder by navigating to Accelerators > Data Privacy > Track & Monitor > Audit Trail and Workflow Automation.
2. At the first screen (Event Type), click Event Status to go to the Event Status configuration.
3. Click Add Event Status to define a new Event Status. A multiple of Event Status are expected. Fill in the status description and place a check mark in the Is Final
check box if the task is a final task in the workflow.
4. Click Event Type and then click Add on Add Event Type Definition to define a new Event Type.
5. Fill in the description and designate the first task in the workflow.
6. Then choose all the Allowed Status for the workflow from the Available Status list, by highlighting the Status item and clicking on the > button between the
Available Status List and Allowed Status List.
7. When done, click the Save button. Note: the Save button (or Cancel button) only apply to changes made to name, default event or available events. Â
8. Go to the Defined Event Actions section of the Event Type menu screen. Defined Event Actions involves designating the separate Event Actions of the workflow.
9. Click the New button.
10. Fill in the Event Action Description and designate Prior status, Next status and if Sign-off of this event action is required. Click the Apply button.
11. Repeat Steps 9 and 10 until all event actions are described and designated.
12. Go to the Roles section of the Event Type menu screen. Roles involve defining who can see the event when it is in a particular Event Action. For example, who can
see events that are "Under Review" and who can see events that are "Approved".
13. Select the Event Type Status and click the Roles button.
14. In the Assign Security Roles panel, mark all of the roles you want to assign (you will only see the roles that have been assigned to your account). Click Apply to save
security role choices. Click the Back button.
15. Repeat steps 13 through 14 until all event type status have had roles defined.
16. The configuration effort from Workflow Builder is done.
17. Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder to schedule the workflow and build and show workflow reports.
See the Audit Process Builder steps under Define a Report Task.
There is a usage scenario, Workflow Builder Workflow Example in the Appendices.
Note: If the task type in Audit Process Builder is Classification Process, then Workflow Builder can not create customized workflows.
Warning Note: When a workflow event is created, every status used by that event can be assigned a role (meaning that events can only be seen by this role when in this
status). Â When an event is assigned to an audit process, it is important that every role that is assigned to a status of this event have a receiver on this audit process.
Â Otherwise, it is possible that an audit result row can be put into a status where none of its receivers are able to see this row or change its status.
If an audit row becomes inaccessible, the admin user (who is able to see all events, regardless of their roles) would be able to see the row and change its status. However,
if data level security is on, the admin user may not be able to see this row. The admin user would need to either turn data level security off (from Global Profile) or have the
dataset_exempt role. It is important to configure the audit process so that all roles who must act on an event associated with this audit process are receivers of this audit
process.
Note: Deletion of a event status is permitted only if the status is not in the first or final status of any events, and if it not used by any action. The validation will provide a list
of events/actions that prevent the status from being deleted.
Add Default Events only to limited number of records

When running an Audit Process report task, the results of this process task are saved in the table, REPORT_RESULT_DATA_ROW. This table will have a row for every row of
the report. If this report task also has a default event assigned to it, a row is added to the table, TASK_RESULT_ADDITIONAL_INFO, for every row of the report. This may
lead to a disk space issue only if default events are used for large results. Create events only on task results with a limited number of records, otherwise users will never
be able to manage the large number of records. If default events are used in the intended limited manner, there will not be any disk space issues nor any usability issues,
since it is not easy to close thousands of events.
How to create Customized Workflows

Define customized workflows made up of specific customer steps, transitions and actions to be further used in an audit process.
How to use Customized Workflows
Define an audit process that follows the customer's customized workflow practices. Bring the customer's specific auditing processes and practices into the
GuardiumÂ® solution.
How to create Customized Workflows

Define customized workflows made up of specific customer steps, transitions and actions to be further used in an audit process.
About this task

Define and manage workflow based on customer's specific practices.
See Workflow Builder for an overview of this component.
Prerequisites
See How to create an Audit Workflow. For additional information, see Compliance Workflow Automation.
After creating this customized workflow, See How to combine Customized Workflow with Audit Workflow.
Procedure
1. Open the Workflow Builder by navigating to Comply > Tools and Views > Workflow Builder.
2. At the first screen (Event Type), click the Event Status button to go to the Event Status configuration.
3. Click on Add Event Status to define a new Event Status. A multiple of Event Status are expected. Fill in the status description and place a check mark in the Is Final
check box if the task is a final task in the workflow. When done, go to the next step.
An example of a simple three-step workflow is: Open to Review state to Approve or Not Approved. Each step of the workflow is a separate Defined Task Event
Status.
The workflow tasks of the example are: Open, Review state, Approve after review, or Not approved. Also, if the task is the final task in a workflow, place a check
mark in the Is Final column. Examples of a final task in the example are Approved or Not Approved.

4. Click on the Event Type button and then click on the Add button of Add Event Type Definition to define a new Event Type.
5. Fill in the description and designate the first task in the workflow.
6. Then choose all the Allowed Status for the workflow from the Available Status list, by highlighting the Status item and clicking on the > button between the
Available Status List and Allowed Status List.
7. When done, click the Save button.
8. Go to the Defined Event Actions section of the Event Type menu screen. Defined Event Actions involves designating the separate Event Actions of the workflow.
9. Click the New button.
From the simple three-step workflow example, an Event Action of Under Review has a prior status of Open and a next Status of Review State. The Event Action of
Approved follows Under Review with a prior status of Review State and next status of Approve after review. Or the Event Action of Not approved has a prior status of
Review State and a next status of Not Approved. There is also a signoff capability for designated reviewers per Event Action (continuous or sequential). See the
previous screen shot.
10. Fill in the Event Action Description and designate Prior status, Next status and if Sign-off of this event action is required. Click the Apply button.
11. Repeat Steps 9 and 10 until all event actions are described and designated.
12. Go to the Roles section of the Event Type menu screen. Roles involve defining who can see the event when it is in a particular Event Action. For example, who can
see events that are "Under Review" and who can see events that are "Approved".
13. Select the Event Type Status and click the Roles button.
14. In the Assign Security Roles panel, mark all of the roles you want to assign (you will only see the roles that have been assigned to your account). Click Apply to save
security role choices. Click the Back button.
15. Repeat steps 13 through 14 until all event type status have had roles defined.
16. The configuration effort from Workflow Builder is done.
17. Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder to schedule the workflow and build and show workflow reports.
See the Audit Process Builder steps under Define a Report Task.
Parent topic: Workflow Builder
How to use Customized Workflows

Define an audit process that follows the customer's customized workflow practices. Bring the customer's specific auditing processes and practices into the GuardiumÂ®
solution.
About this task

Customized Workflows within the Guardium Audit Workflow process
The formal sequence of event types created in Workflow Builder is managed by clicking on the Event and Additional Column button in the Audit Tasks window. This button
will appear after an audit task has been created and saved. This additional button will not appear until the audit task is saved.
Prerequisites
See How to create Customized Workflows. For additional information, see Workflow Builder.
See How to create an Audit Workflow. For additional information, see Compliance Workflow Automation.
Define an audit process that follows the customer's customized workflow practices by following the additional steps.
Procedure
1. Configure these workflow activities when Adding An Audit Task.
2. Create and save an Audit Task. After saving, an additional button, Events and Additional Columns, will appear.
3. Click this additional button.
4. At the next screen, place a checkmark in the box for Event & Sign-off. The workflow created in Workflow Builder will appear as a choice in Event & Sign-off.
5. Highlight this choice. Save your selection.
6. If additional information (such as company codes, business unit labels, etc.) is needed as part of the workflow report, add this information in the Additional Column
section of the screen and then click Apply (save). When done, close this window.
7. Apply (save) your Audit Task. Apply (save) the entire Audit Process Definition. Click on the Run Once Now to create the report. Click on View to see the report.
8. Click on the Run Once Now to create the report. Click on View to see the report.
This Event and Additional Column button appears in all audit tasks.
Note:
If data level security at the observed data level has been enabled (see Global Profile settings), then audit process output will be filtered so users will see only the
information of their databases.
Under the Report choices within Add an Audit Task are two procedural reports, Outstanding Events and Event Status Transition. Add these two reports to two new
audit tasks to show details of all workflow events and transitions. These two reports will not be filtered (observed data level security filtering will not be applied).
These two reports are available by default in the list of reports only to admin user and users with the admin role.

Parent topic: Workflow Builder
Threat Detection Analytics

Guardium includes specialized threat detection analytics that scan and analyze audited data to detect symptoms that may indicate different types of database attacks.
Threat detection analytics scans and analyzes audited data to detect symptoms that may indicate SQL injection or Stored Procedure database attacks. Guardium does not
rely on a comparison against an ever-changing dictionary of attack signatures. Instead, Guardium analyzes audit data activity, exceptions, and outlier data (Outliers
Detection) over extended periods of time looking for patterns that indicate an attack. By tracking the suspicious events over time and correlating them, Guardium creates a
comprehensive picture of potential risks. This approach is more flexible and comprehensive, and does not require continual signature updates.
Threat detection analytics is supported on MySQL, Oracle, and DB2.
Characteristics of an SQL injection attack

Characteristics of a stored procedure attack
Enabling threat detection analytics
This topic describes the prerequisites and procedures for enabling threat detection analytics.
Working with case reports
This topic describes working with case reports.
Activating the audit process workflow for threat analytics
This procedures describes how to schedule and distribute the audit processes required for using Guardium threat diagnostic tools.
Working with threat diagnostic dashboards
A dashboard that is invoked from a specific threat case in either the Suspected malicious STP Cases or Suspicion SQL Injection Attacks report is called a threat
diagnostic dashboard.
Threat Detection Analytics Functions
Characteristics of an SQL injection attack

SQL injection attacks attempt to exploit web application vulnerabilities by concatenating user input with SQL queries. If successful, these attacks can execute malicious
SQL commands using the legitimate web application connection. SQL injection attacks can be difficult to identify because the individual steps of an attack, analyzed
independently of the other steps, might be considered legitimate. Using threat detection analytics, Guardium identifies potential SQL injection attacks by capturing the
individual steps and analyzing them as part of a single complex attack.
Typical symptoms of SQL injection attacks that Guardium identifies include:
An attacker trying to identify the structure of a dynamic SQL query, for example the number of columns queried
An unusually large quantity of new queries, specifically queries that are uniquely or unusually structured
Access to tables containing information about the database structure
Parent topic: Threat Detection Analytics
Characteristics of a stored procedure attack

A malicious stored procedure is a block of code designed to evade detection, and to perform complex attacks over a period of time. The exact attack can be repeated, or it
can change its characteristics over time. The stored procedure can be dormant for an extended period of time, making it harder to identify as suspicious. Even if unusual
activity was noticed in a previous audit, by the time the next audit occurs the previous activity has been forgotten. A malicious stored procedure can be used to disguise a
drop of an important table, or to extract the contents of a table.
Examples of suspicious activity are: the creation of a stored procedure with a DROP statement with sensitive objects; a DROP verb; SQL exceptions caused by missing
objects; a procedure that is modified after being dormant for an extended period of time.
Guardium tracks the activity around individual stored procedures, and together with Outlier mining data correlates the various symptoms and users. Guardium can detect
these typical symptoms of this malicious stored procedure use case (presented in the order they typically occur):
1. A database administrator creates a malicious Procedure A, which deletes data from the customer table
2. A month later the database administrator changes a commonly used Procedure B to call Procedure A
3. A different user calls the modified Procedure B, such that the customer table data is deleted by that innocent user
Enabling threat detection analytics

This topic describes the prerequisites and procedures for enabling threat detection analytics.
To enable threat detection analytics:
Ensure you meet the minimum required memory and storage requirements for search (4 CPU and 24 GB RAM).
Verify your system has logged application data. Specifically, SQLI requires application data because the injection initiates from the application. If the system
"trusts" the application and does not monitor it in Guardium, the injection cannot be identified.
Outlier detection is not required for SQL injection threat detection but it is required to fully support suspicious stored procedure detection. For more information,
see Enabling and disabling outliers detection locally on a Collector.
When upgrading to Guardium V10.1 through the upgrade patch process, you must enable threat detection scanning on each collector by using the following
Guardium API command: grdapi enable_advanced_threat_scanning. See GrdAPI Threat Detection Analytics Functions for more information about
parameters available for the enable_advanced_threat_scanning command.

Set up the audit process to send case reports to the relevant investigators. This is optional but recommended. See Activating the audit process workflow for threat
analytics for more information.
Important: Threat detection relies on analysis and correlation of logged data. Thus any rules that filter out traffic before logging are not considered for threat detection.
Examine your use of IGNORE S-TAP SESSION rules carefully to determine the risk of not logging these sessions versus optimizing the capacity of the collector.
Prerequisites for malicious stored procedures analytics

The analytics algorithm depends in part on sensitive objects groups. By default, the algorithm uses members in the system-defined sensitive objects group (group
ID 5). If you have already specified additional sensitive object groups for outlier detection, threat detection will use the same groups. Even if outlier detection is not
enabled, you can set your own sensitive object groups using the same GuardAPI command: set_outliers_detection_parameter
parameter_name="sensitiveObjectGroupIds" parameter_value=<group ID>,<group ID>,...
Policy rules must be installed to collect the necessary traffic for malicious stored procedure analysis.
Recommendation: Create the following rules in your policy in the suggested order. It is important to check the Continue to next rule checkbox for all these rules.
1. Access rule: Log Full Details where Command group filter is PROCEDURE DDL.
2. Access rule: Log Full Details where Command group filter is EXECUTE Commands. If your database is Oracle, include the command BEGIN in the rule.
3. Exception rule: Log Only where error type filter is SQL_ERROR.
Working with case reports

This topic describes working with case reports.
Guardium analyzes the symptoms over time, correlates them, and assigns a score per identified possible attack. If the score indicates a likely attack, the set of events
becomes a case whose id is unique per collector. Cases are externalized in case reports, one per each suspected attack. Access case reports by one of:
Set up an audit process to receive notifications in your To Do list on the Central Manager, and open the report directly on the relevant associated collector. Note that
the To Do list is updated once an hour.
Access Investigate > Exceptions.
The case reports window A report presents, by default, up to 3 incidents, one per line. Each case includes a risk score from 1 to 3, with 3 being the most severe. You can:
Hover on the case ID to view a summary of the attack (only stored procedure cases).
Hover on the case ID and click Link to Symptoms to access the detailed symptoms report.
Click the ID to open the case-specific threat diagnostic dashboard. See Working with threat diagnostic dashboards.
Restriction: Case reports have the following restrictions:
There is no Data Level Security.

These reports cannot be cloned.
You can create a distributed report for these case reports; however, from the Central Manager there are no direct links from the case report to the threat diagnostic
dashboard, and there is no additional hover help and link to symptoms.
Activating the audit process workflow for threat analytics

This procedures describes how to schedule and distribute the audit processes required for using Guardium threat diagnostic tools.
About this task

There are two preconfigured audit processes that control the distribution of threat analytics reports to the appropriate reviewers:
Suspected Malicious STP Cases
Suspected SQL Injection Cases
Each process pulls out the suspected cases on one attack type. You can customize these processes, or copy and create your own.
Procedure
1. Navigate to Comply > Tools and Views > Audit Process Builder. Optionally filter the available audit processes by clicking the Inactive only radio button or typing
Suspected in the Filter box.
The default task for this process is the corresponding report (Suspected Malicious STP Cases or Suspected SQL Injection Cases). Do not modify the runtime
parameters of these reports. However, you can add additional tasks to this same audit process. For example, you can add both the threat reports into a single audit
process.
If you are defining these audit processes from a central manager, define a task for each collector for which you want to see threat data and use the Remote Data
Source option.
2. Click Send results to define the audit process receivers who will receive reports on suspected malicious stored procedures.
3. Select the default receiver (user) and then click the icon to define the appropriate receiver or receivers for your organization. When you are finished, click OK.
4. Click Schedule audit process and review the schedule for the audit process.
The recommendation is to run the process every day, every hour starting at 12:30 AM (after both outliers and threat detection usually run). Note that the check box
Auto run dependent jobs has no effect for this task.

Important: Make sure the Activate schedule check box is checked.
5. Click Next and then click Save to finish working with the audit process.
Working with threat diagnostic dashboards

A dashboard that is invoked from a specific threat case in either the Suspected malicious STP Cases or Suspicion SQL Injection Attacks report is called a threat diagnostic
dashboard.
A threat diagnostic dashboard performs much like other investigation dashboards, except that the dashboard for that case is populated with the data from the suspicious
events (db user, server, objects, etc.) and uses different charts to provide different views of the event and surrounding events that may be helpful in investigating the
possible attack. The relevant search and outlier data is also available on the same dashboard page as the charts.
In many cases, you will not need to change any of the preexisting filters for the predefined threat diagnostic dashboards. However, if you want to do some of your own
comparative analysis, you can modify the preexisting filters.
See Investigation Dashboard for more information on working with dashboard and chart filters.
Tip: The threat diagnostic dashboard can only be opened by clicking on the case number in the relevant threat report. You cannot save changes to this dashboard or any
other predefined dashboard. If you make changes and want to keep the dashboard for further investigation, you must copy it and save it under a new name. You must also
save the filters by clicking the Filters menu and selecting Save.
Reference data is a set of predefined, chart-specific filters, for Threat Detection Analytics only, that show data similar to the case youâ€™re investigating but not included
in the general dashboard filter. Reference data cannot be changed by users. Hover over the filter icon in each chart to see the Reference Data.
In a typical suspected SQL injection attack scenario, the threat diagnostic dashboard is filtered for this attack and includes the following general dashboard filters:
Server: 8.34.223.145
DB user: USER1
Database: 8.4.134.213:31.5.12
DB type: MYSQL
Object: stp1_name
The chart for DB user can include reference data for similar DB users, such as USER2, USER3 and USER4. This enables you to compare the activities of the suspected user
with similar users, even though those additional users are not included on the general dashboard filters.
Not all fields include associated reference data. Any field for which there is no predefined reference filter is filtered as on the dashboard.
In some charts, filters can be inactivated so that you can compare data regardless of the filters chosen for the entire dashboard. This gives a wider picture of the activity.
Click the filter icon to open the Chart Filter Settings, and make modifications.
Investigating SQL injection threats

Investigating stored procedure threats
Investigating SQL injection threats

About this task
This procedure describes investigating a suspected SQL injection attack, using the threat diagnostic dashboard.
Procedure
1. From the To Do list, or from Investigate > Exceptions, open the Suspected SQL injection Cases dashboard. Each line is a case, with a Confidence (%) rating of
certainty of an attack, and a risk level of the attack.
2. Click View to evaluate for false positives. Hover over the selected case id and click Symptoms to open the SQL Injection Case Symptoms page. Every suspicious
action is described, and the SQL string displayed. You can see the exact modifications the user made to strings. By progressing from string to string, you can
observe how the attacker methodically gained more data using errors returned from previous queries.
3. Click the id number to open the default diagnostic dashboard for SQL injection attacks, which is filtered by the incident's date and suspected web-application
connection details. This helps narrow the investigation to database traffic that occurred during the attack. You can change or drop the filter to broaden the scope of
investigation. Use the bottom grid to get more detailed information on the chartâ€™s data. Note that if you move to a standard dashboard, all filters specific for the
suspected SQL injection attack are canceled.
4. Use these guidelines while investigating the charts:
Change the timescale to look for peaks at time of the attack
Look for violation of any security policy, and see if any violations correlate to other activity at the time of the attack
5. Drill-down by changing filters, timeframe, etc. to see if there are differences across the system.
6. Evaluate the charts in the dashboard:
Activities count per time and object

This chart contains the most used database objects in the time of the attack. By expanding the time frame of the dashboard you can compare the difference
in activity before and after the attack. Click a cell if you want to filter for a particular object. The color indicates different object names.
Error count per time and error
This chart indicates how many SQL errors were generated by the web application. A high rate of SQL errors can indicate that some sort of SQL injection attack
is taking place. The color indicates different error types.
Outlier count per time and outlier reason

An SQL injection attack involves a large number of new queries with a different structure than usual queries. Those queries generate outliers. Use this chart
to see the volume and score of outliers generated by the offended web application.
Violations count per time and violation
During an SQL Injection attack the attacker is likely to violate security policies that log access to unauthorized objects. Compare the volume and types of
violations to understand the risk of the attack.
Suspicious error types
Use this chart to explore specific SQL errors that are used in SQL injection attacks in order to exploit the vulnerability. Click a cell to filter the search and look
at the SQL statement that generated this error. You may notice an injected SQL code.
Suspicious object names
Use this chart to view the suspicious objects that are used during SQL injection attacks. Expand the time frame of the search to see if those objects were
used before the attack started. Compare the volume of the usage of those objects.
Parent topic: Working with threat diagnostic dashboards
Investigating stored procedure threats

About this task
This procedure describes investigating a suspected stored procedure attack, using the threat diagnostic dashboard.
Procedure
1. From the To Do list, or from Investigate > Exceptions, open the Suspected malicious STP Cases dashboard. Each line is a case, with a Confidence rating of certainty
of an attack, and a risk level of the attack.
2. Click View to evaluate for false positives.
3. Hover over the selected case id to view the case details.
4. Click symptoms to open the Malicious STP Case Symptoms page.
5. 5. Click the id number to open the default diagnostic dashboard for SQL injection attacks, which is filtered by the incident's date and suspected web-application
connection details. This helps narrow the investigation to database traffic that occurred during the attack. You can change or drop the filter to broaden the scope of
investigation. Use the bottom grid to get more detailed information on the chartâ€™s data.
6. Use these guidelines while investigating the charts:
Change the timescale to look for peaks at time of the attack
Look for violation of any security policy, and see if any violations correlate to other activity at the time of the attack
7. Drill-down by changing filters, time frame, etc. to see if there are differences across the system.
8. Evaluate the charts in the dashboard:
Compare errors on different servers

Use this chart to understand whether this server and DB user have exceptionally more errors than other servers and DB users.
Compare errors from different database users with similar behavior
Use this chart to compare the error types and their volume on this DB user compared to similar DB users. The similar DB users are all users that created
stored procedures.
Similar activities on stored procedures by this database user
Use this chart to see stored procedures the user has created/modified at the specific period. The chart is filtered by verb. Use this chart also to drill down and
see what the user did on the different stored procedures.
Compare violations from database users with similar behavior
Compare the volume and type of violation (policy) on DB users that create stored procedures.
Compare outliers from database users with similar behavior
Use this chart to compare the volume and type of outliers on this DB user with other DB users that create stored procedures.
Outliers by data on this database user
Use this chart to see the volume and score of outliers on the specific DB user.
Parent topic: Working with threat diagnostic dashboards
GuardAPI Threat Detection Analytics Functions

enable_advanced_threat_scanning
Enables the scanner processes to check for specific database attacks such as SQL injection and malicious stored procedures.
Parameter V Description
a
l
u
e
all Â Optional. In a central management configuration only, enables all threat detection scanners on all managed units. Allowable values:
true, false.
schedule_start Â Optional. Specifies the date and time to start running the processes. The accepted format is yyyy-mm-dd hh:mm:ss (24-hour clock).


a
l
u
e
api_target_host Â Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which command
is executed. Valid values:
all_managed: for all managed units

all: all managed units and CM
group:<group name>: where group name is a group of managed units
from CM only, the host name or IP of any managed unit, for example, api_target_host=10.0.1.123
from managed unit, the host name or IP of the CM
Guardium V10.1 and 10.1.2: In a central management configuration only, specifies a target host where the API will execute. On a
Central Manager (CM) the value is the host name or IP of any managed units. On a managed unit it is the host name or IP of the CM.
Example:
grdapi enable_advanced_threat_scanning all=true schedule_start="2016-03-24 12:00:05â€
You will see the following message if threat analytics is enabled when outlier detection is not:
Warning - Enabling advance threat scanning (AKA Eagle Eye) when Analytic anomaly detection is disabled.
Advance threat scanning (AKA Eagle Eye) enabled.
ok
disable_advanced_threat_scanning
Disables threat detection scanners on the collector.
a
l
u
e
all Â In a central management configuration only, disables all threat detection scanners on all managed units.


get_eagle_eye_info
Displays the current settings for threat detection parameters.
a
l
u
e

Â Â Â

Example:
grdapi get_eagle_eye_info
Eagle Eye Parameters Values:
EI_CASES_DISPLAY_LIMIT = 3
EI_CONFIDENCE_PCT_CHANGE_TO_REDISPLAY_CASE = 30
EI_EAGLE_EYE_ENABLED = 1
EI_PROCESSOR_TIMEOUT_SEC = 420

EI_SCANNER_PATCH_DEF = 10
EI_SCANNER_TIMEOUT_SEC = 300ok
set_eagle_eye_parameter
Use under the direction of IBM personnel. Changes configuration parameters for threat detection. These parameters must be set explicitly using parameter_name and
parameter_value as follows:
set_eagle_eye_scanner_parameter parameter_name=[parameter] parameter_value=[value]
a
l
u
e
EI_CASES_DISPLAY LIMIT Â The number of cases to be displayed in the to-do list report. Default is 3.

EI_CONFIDENCE_PCT_CHANG Â The percent of â€œconfidenceâ€ change that will cause this case to be redisplayed in the to-do list report, even if it has already
E_TO_REDISPLAY CASE appeared before. This can happen if Guardium detects another symptom or symptoms that raise the confidence by this percentage
value. Default is 30.
EI_PROCESSOR_TIMEOUT_SEC Â Processors that run longer time than this threshold are turned off. Default is 420 seconds.

EI_SCANNER_PATCH_DEF Â To avoid false positives as a result of patch installation, if in a single process run the number of stored procedures created exceeds
this parameter then the process assumes a patch is installed and it stops analyzing symptoms. Default is 10 stored procedure
creations detected in one run.
EI_SCANNER_TIMEOUT_SEC Â Scanners that run longer time than this threshold are turned off. Default is 300 seconds.


get_eagle_eye_scanners_info
Return scanner settings information.
a
l
u
e

Â Â Â

The data returned will contain the following information:
Field Description
ID The scanner ID.
Name The scanner name.
Status The status of the scanner from the last run:
I: in progress
D: done
K: killed
E: done with errors

Field Description
Enabled Indicates if the scanner is enabled.
True: enabled
False: disabled
Permanent disabled If the scanner was disabled 3 times in 24 hours, then it is permanently disabled.
True: disabled
False: enabled
Example:
grdapi get_eagle_eye_scanners_info
ID=0
ID:1, Name:SQLInjectionExceptionsScanner, Status:D, Enabled:true, Permanent disabled:false
ID:2, Name:NumNewConstructScanner, Status:D, Enabled:true, Permanent disabled:false
ID:3, Name:SQLInjectionSuspiciousObjectScanner, Status:D, Enabled:true, Permanent disabled:false
ID:4, Name:SqliQueryScanner, Status:Unknown, Enabled:false, Permanent disabled:true
ID:5, Name:EagleEyeSTPCreateProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:6, Name:EagleEyeSTPCallProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:7, Name:EagleEyeSTPExceptionProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:8, Name:EagleEyePreviousStpUsageProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:9, Name:EagleEyeSTPViolationProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:10, Name:EagleEyeSTPUserOutlierScanner, Status:D, Enabled:true, Permanent disabled:false
ok
set_eagle_eye_scanner_parameter
Use under the direction of IBM personnel. Activate or deactivate a scanner. These parameters must be set explicitly using parameter_name and parameter_value as
follows:
a
l
u
e
scanner_id Â Required. The unique ID of the scanner, which you can get from get_eagle_eye_scanners_info GuardAPI command.

is_active Â Defines if the scanner should run. Used to start a scanner that was stopped automatically because it timed out.

0 : the scanner is stopped
1: the scanner is activated
is_permanent_inactive Â If the scanner was permanently disabled after it was disabled 3 times in 24 hours then it can only be enabled again using this
GuardAPI.
1: the scanner is stopped permanently
0: the scanner is enabled

Example:
The following example reactivates a permanently deactivated scanner.
set_eagle_eye_scanner_parameter scanner_id=2 parameter_name=is_permanent_inactive parameter_value=0
get_eagle_eye_symptom_period_hours
Show the value of the symptom period parameter in hours. The symptom period determines how long back the process is looking and analyzing the collected symptoms
for one case.
a
l
u
e

a
l
u
e
case_name Â Required. The case type. The following values are allowed:

STP: malicious stored procedure case
SQL_INJECTION: SQL Injection case

Example:
grdapi get_eagle_eye_symptom_period_hours case_name=STP

The symptoms period for case type: STP is: 168 in hours
ok
set_eagle_eye_symptom_period_hours
Set a value for the symptom period parameter in hours. The symptom period determine how long back the process is looking and analyzing the collected symptoms for a
case.
a
l
u
e

symptom_period_hours Â Required. Integer. The number of hours in the past to analyze symptoms for a case.


Example:
grdapi set_eagle_eye_symptom_period_hours case_name=STP symptom_period_hours=170

The symptoms period for case type: STP was changed. The old value was: 168. The new value is: 170
ok
get_eagle_eye_debug_level
For use by IBM Service personnel. Displays current debug level:
1: on
0: off
a
l
u
e

a
l
u
e

Example:
grdapi get_eagle_eye_debug_level
ID=0
component=EAGLE_EYE level=1
ok
set_eagle_eye_debug_level
For use by IBM Service personnel. Displays current debug level.
a
l
u
e
level Â Integer. Required. Allowable values:

1: on
0: off

Example:
grdapi set_eagle_eye_debug_level level=0

ID=0
ok
Parent topic: GuardAPI Reference
The Investigation Dashboard provides powerful tools for identifying and assessing problems that might exist in your Guardium environment. It uses either local or system-
wide unfiltered data, and provides numerous filter options to query data across an entire Guardium environment, potentially from any Guardium collector within that
environment.
The Investigation Dashboard provides inter-related charts that help reveal patterns, anomalies, and relationships across your data. It does not require detailed knowledge
of topology, aggregation, or load balancing schemes. It contains the original quick search for enterprise functions, and other tools for visualizing and analyzing data.
Note: It is recommended to view the Investigation Dashboard in full screen mode.

Restriction: The Investigation Dashboard and the Data Level Security cannot be enabled concurrently.
Operating Modes
The Investigation Dashboard supports three operating modes:
Central Manager only
Queries are submitted on a Central Manager return enterprise-wide results from all Guardium collectors with search enabled. Queries that are submitted on
managed units return local results.
Central Manager only is the default operating mode.
All machines

Enterprise-wide search queries are submitted from any machine in the Guardium environment with search enabled. This mode can result in slower search results
and requires connectivity between all managed units in the environment.
Local only
This mode limits search queries to the local collector where the search is submitted: no data is retrieved from other collectors in the Guardium environment. On a
CM on local only mode, there is no data displayed.
See GuardAPI Quick Search for Enterprise Functions for information about setting the search mode.
Dashboard Components
A dashboard is a collection of one or more of the following items:
Three-axis data graphs, which are known as trimetric charts. These graphs can be displayed as a color map, bar graph, bubble graph, line graph, pie graph, step
graph, and area graph.
Animated bubble chart - an animated visualization of data changes over the last 48 hours.
Activity chart - a line chart that displays the volume of activity and outliers. It is located above the Results table.
Results table - provides the search results and investigation features of the original quick search. The Results Table is always at the bottom of the dashboard. It can
be added to any dashboard.
Facet list of one or more of Where, Who, What, Exception, and When. It appears on the left side of every dashboard and cannot be removed.
There are four default DAM views and two default FAM views, each with different charts and tables. Select the view from the dashboard menu . The default views
cannot be modified.
Enabling and disabling the Investigation Dashboard

This topic describes how to enable and disable the Investigation Dashboard.
Enabling File Activity in the investigation dashboard
Accessing the investigative dashboard
Investigation Dashboard for data
The investigation dashboard is a preset group of charts and a table that help you understand what is happening in your system at any given time, and upon which
you can build your own customized dashboards.
The investigation dashboard is a preset group of charts and a table that help you understand what is happening in your system at any given time, and upon which
you can build your own customized dashboards.
Filtering data and saving filters in the investigation dashboard
Filtering an individual chart
Creating, saving, and exporting investigation dashboards
Using the topology view
The topology view is visualization of the Guardium appliances in the search results.
Local and distributed search
Using Data In-Sight
The Data In-Sight visualization enables the user to profoundly examine a sequence of events that are captured by the Guardium system. It provides a
comprehensive picture of activity in a specific time window, and helps to detect unusual behaviors.

GuardAPI Investigation Dashboard Functions
Investigation Dashboard CLI Commands
Enabling and disabling the Investigation Dashboard

This topic describes how to enable and disable the Investigation Dashboard.
Before you begin

The Investigation Dashboard has following minimum hardware requirements:
64-bit architecture
24 GB RAM
4-core CPU
Restriction: The Investigation Dashboard and Data Level Security cannot be enabled concurrently.
Procedure
1. Log in to the machine as a user or administrator with the CLI role.
2. Use the following GuardAPI command to enable the Investigation Dashboard:
grdapi enable_quick_search schedule_interval=2 schedule_units=MINUTE
By default, violations are not included in search results. To include violations, set the includeViolations parameter to true:
grdapi enable_quick_search schedule_interval=2 schedule_units=MINUTE includeViolations=true
To enable outlier detection, see Outliers Detection.
Additional parameters may be specified, such as the search index update interval. For a complete list of parameters and descriptions, see the GuardAPI
Investigation Dashboard Functions reference information.

3. Use the following GuardAPI command to disable the Investigation Dashboard function at any time:
grdapi disable_quick_search
Results
Once enabled, see Accessing the investigative dashboard to learn more and begin using the investigation dashboard.
Attention:
Investigation Dashboard functionality opens ports 8983 and 9983 on both Central managers and collectors. The ports are opened when the Investigation
Dashboard is enabled and closed when it is disabled. To use the Investigation Dashboard, ensure that bidirectional communication between Central managers and
collectors on ports 8983 and 9983 is not blocked by any firewall.
Indexed search data is retained for 3 days. Use the purge object Guardium CLI command to change the retention period. For example, the following command
changes the retention period to 5 days: store purge object age 39 5. Note that 39 is the default object identification number associated with the search index. For
additional information, see Configuration and Control CLI Commands reference information.
Parent topic: Investigation Dashboard

Enabling File Activity in the investigation dashboard

Before you begin
The FAM bundle must be installed and configured. See File discovery and classification GIM parameters
The Investigation Dashboard must be enabled. See Enabling and disabling the Investigation Dashboard
Do not use V10.1 FAM crawler with V10.0 Guardium system. Do not use V10.0 FAM crawler with V10.1 Guardium system.
About this task

Note: The FAM queries the server for the server IP addresses and takes the first one it finds. There is no way to select "the appropriate" IP address from a host name when
the host has multiple IP addresses. Specify the IP address explicitly if you want to see that IP address in the reports.
Procedure
1. On the collector, at the CLI prompt, run the GuardAPI command:
grdapi enable_fam_crawler [extraction_start] [schedule_start] [activity_schedule_interval] [activity_schedule_units]
[entitlement_schedule_interval] [entitlement_schedule_units] Example: The following command sends updated discovery and classification results
to enterprise search for classification data every 2 minutes and for entitlement information every day.
grdapi enable_fam_crawler activity_schedule_interval=2 activity_schedule_units=MINUTE entitlement_schedule_interval=1
entitlement_schedule_units=DAY
By default, the extraction starts when you enter the command, extracting data from the moment (time) you entered the command.
2. Repeat on each collector.

Related concepts:
Accessing the investigative dashboard

Procedure
1. Click Investigate > Search for Data Activity or Investigate > Search for File Activity.
2. Alternatively, toggle the search to User Interface and search for investigation dashboard. Then, select either Search for Data Activity or Search for File Activity.
Results
The default investigation dashboard for data or files opens. By default, the only filter that is applied to the entire dashboard is to show the last hour of data.
Investigation Dashboard for data

The investigation dashboard is a preset group of charts and a table that help you understand what is happening in your system at any given time, and upon which you can
build your own customized dashboards.
There are four default views for data activity monitoring, each with different charts and tables. Select the view from the dashboard menu . The default views cannot be
modified.
The default dashboards contain data for the last hour presented in one or more of:
Trimetric charts (3â€“axis data graphs). The default view is a color map. Additional views are bar graph, bubble graph, line graph, pie graph, step graph, and area
graph.

Results table: provides the search results and investigation features of the original quick search. The Results Table is always at the bottom of the dashboard. It can
be added to any dashboard. Tabs are:
Activity: Summary and Details tabs. Each row in the Summary tab gives the number of instances of recorded activities per serverâ€“DB pair and the number
of DB types. The Detailed Summary adds the count of Source Programs, DB users, OS users, Client hostname, Client IP, and date. Each row in the Details tab
gives full details on one activity.
Outliers: see Interpreting data outliers in the investigation dashboard
Errors: Summary and Details tabs. Each row in the Summary tab gives the number of instances of reported errors per server and the number of DB types and
DB users. The Detailed Summary adds the number of Client IPS, error types and dates. Each row in the Details tab gives full details on one error.
Violations: Summary and Details tabs. Each row in the Summary tab gives the number of instances of recorded violations per serverâ€“DB pair and the
number of DB types. The Detailed Summary adds the count of Source Programs, DB users, OS users, Client hostname, Client IP, severity, violation, and date.
Each row in the Details tab gives full details on one violation.
Additional views that you can add or open are:
Topology view Search server status view: see Using the topology view
Animated bubble chart: an animated visualization of data changes over the last 48 hours. The chart depicts the behavior of objects over a period of 24 hours. Each
object is depicted as a circle, and its area and position (x and y axis) represent three user-selected variables. The animation represents the object's behavior over
the 24 hours. Access from the Add Chart drop-down.
Activity chart: a line chart that displays the volume of activity and outliers, located above the Results table. Access from the Add Chart drop-down.
Data in-sight: 3D visualization of data activity, see Using Data In-Sight. Access from the Add Chart drop-down.
Controls and options on this page:
A categorized facet list of Where, Who, What, Exception, and When, from the search results appears on the left side of every dashboard and cannot be removed.
Filter the entire dashboard by the specific facets by expanding the list and clicking individual facets.
The Active Filters row at the top of the window shows the current filters. Delete filters by clicking the .
Search field: free text search that filters the results in all fields simultaneously, irrespective of facet
Distributed search: see Local and distributed search
Time period for which data is presented: modify by clicking the drop-down in the upper right corner. Options are last 1 hour, last 3 hours, last 1 day, last 3 days, any
time period you specify. Default is one hour.
Filters drop-down: see Filtering data and saving filters in the investigation dashboard
add new dashboard save changes in dashboard save dashboard as: see Creating, saving, and exporting investigation dashboards

Related concepts:
Interpreting data outliers in the investigation dashboard
Related tasks:
Using Data In-Sight

The investigation dashboard is a preset group of charts and a table that help you understand what is happening in your system at any given time, and upon which you can
build your own customized dashboards.
There are two default FAM views, each with different charts and tables. Select the view from the dashboard menu . The default views cannot be modified.
Note: The Server IP and Client IP are always the same in the dashboard, except for the case of connecting through remote desktop on Windows. Client IP is only
supported when connecting through a remote desktop session.
Note: The FAM queries the server for the server IP addresses and takes the first one it finds. There is no way to select "the appropriate" IP address from a host name when
the host has multiple IP addresses. Specify the IP address explicitly you want to be guaranteed to see that IP address in the reports.
The default dashboards contain data for the last hour presented in one or more of:
Trimetric charts (3â€“axis data graphs). The default view is a color map. Additional views are bar graph, bubble graph, line graph, pie graph, step graph, and area
graph.
Results table: provides the search results and investigation features of the original quick search. The Results Table is always at the bottom of the dashboard. It can
be added to any dashboard. Tabs are:
Activity: Summary and Details tabs showing monitored data, based on the file server policy rules. Each row in the Summary tab gives the number of
instances of recorded access activities per server and OS user. The Details tab adds the Server Hostname, Server, Client Hostname, Client IP, OS user, File
Full Name, Command, Date and Time. Each row in the Details tab gives full details on one activity. Data in the Activity tab is consistent with the date and time
of the collector.
Outliers: see Interpreting file activity outliers
Errors: Summary and Details tabs. Each row in the Summary tab gives the number of instances of reported errors per server and client IP, and the date. The
Detailed Summary adds the error details, and the time. Each row in the Details tab gives full details on one error.
Violations: Summary and Details tabs. Each row in the Summary tab gives the number of instances of recorded violations per server, source program and OS
user combination. The Detailed Summary adds the Client IP, severity, violation and violation details, date, and time. Each row in the Details tab gives full
details on one violation. Data in the Violations tab is consistent with the data and time of the file server.
Entitlement: Summary and Details tabs. For file servers, this tab presents sensitive data based on the current FAM decision plans. Each row in the Summary
tab gives the number of instances of recorded access activities per server and owner. The Details tab adds the Server Hostname, full path, Type, , Size,
Classification Entities (the decision plan that caused this file to be identified as sensitive), Owner, Client Hostname, Client IP, OS user, File Full Name, users
and groups with write, read, execute, and delete permissions, last modification, Version (Sharepoint only), creation time, Date, and Time. Each row in the
Details tab gives full details on one activity. You can use the data in this table to create policy rules and groups for file servers, see Creating a FAM policy rule
from the Investigative Dashboard Entitlements tab.
Additional views that you can add or open are:
Topology view Search server status view: see Using the topology view

Animated bubble chart: an animated visualization of data changes over the last 48 hours. The chart depicts the behavior of objects over a period of 24 hours. Each
object is depicted as a circle, and its area and position (x and y axis) represent three user-selected variables. The animation represents the object's behavior over
the 24 hours. Access from the Add Chart drop-down.
Activity chart: a line chart that displays the volume of activity and outliers, located above the Results table. Access from the Add Chart drop-down.
Controls and options on this page:
A categorized facet list of Where, Who, What, Exception, and When, from the search results appears on the left side of every dashboard and cannot be removed.
Filter the entire dashboard by the specific facets, by expanding the list and clicking on individual facets.
The Active Filters row at the top of the window shows the current filters. Delete filters by clicking the .
Search field: free text search that filters the results in all fields simultaneously, irrespective of facet
Distributed search: see Local and distributed search
Time period for which data is presented: modify by clicking the drop-down in the upper right corner. Options are last 1 hour, last 3 hours, last 1 day, last 3 days, any
time period you specify. Default is one hour.
Filters drop-down: see Filtering data and saving filters in the investigation dashboard
add new dashboard save changes in dashboard save dashboard as: see Creating, saving, and exporting investigation dashboards

Related concepts:
Related tasks:
Filtering data and saving filters in the investigation dashboard

About this task
You can filter data in the entire investigation dashboard, and in an individual chart. You can drill down from the Results Table into related information.
You can save filters for your future use. When you save a filter set, you choose if you want to share it, and choose the roles that you share it with.
Procedure
1. Use the rules and syntax to filter data:
To match an exact phrase, use double quotation marks around the search terms. For example, â€œProfiling Alert Listâ€ returns entries for Connection
Profiling Alert List but not for Profiling List Alert.
To match all specified search terms, separate the terms with a space. For example, Hadoop getlisting returns any entries that contain both Hadoop and
getlisting in any location or sequence.
To match any specified search terms, separate the terms with OR or a vertical bar (|). For example, Hadoop OR getlisting returns any entries that contain
either Hadoop or getlisting in any location.
To exclude a specified search term, use NOT or a period (.). For example, NOT Hadoop does not return any entries that contain Hadoop in any location.
Wildcards are supported by using asterisks (*) at the beginning or ending of a string. For example, 10.10.70.* returns any entries with the string 10.10.70.
followed by any additional characters.
Search rules can be used in combination. For example, 2016â€“5-08 (19.*|20.*) returns results in the time range of May 8 between the hours of 19:00:00
â€“ 20:59:59.
Adding filters changes each view based on the RefFilter specified for the view. Current filters appear in the menu bar. Each one can be cleared by clicking its X.
2. Refine search results with any of the following methods:
Select specific filters based on the facets list:
Click the x or y-axis headers of a chart.

Click an individual search result in the Results Table:
Note: You can select one or more rows and right-click one of the server/DB user/Client IP cells to add the them to an existing group, or to create a new group.
3. Drill down by individual results by right-clicking on specific search results and exploring related outliers, errors, or violations, or viewing one of several available
drill-down reports.

4. To save a filter set, click Filters > Save. Provide a name for the filter and mark it as Private or click Share with to share the filter with specific roles. To save as your
default filter set (dashboard always opens with these filters), select Set as default filter. When you are finished, click OK to save the filter.
Filtering an individual chart

About this task
You can filter an individual chart. The icon becomes red when specific filters are set for a chart that are different than the general dashboard filters. Hover over the icon
to see which filters are used in that chart.
A chart can have filters set as inactive, which means the chart data is not filtered by that field. This enables Guardium to display other items, in addition to the ones related
to the case, that may be similar or in some way provide additional insight into the investigation.
Example: While investigating activity on a server, you want to compare one of the charts with data from other servers. This is possible by deactivating the Server filter for
just that one chart. To do this, you would click the icon and select the Inactive radio button for the Server row.
Procedure
1. Click the icon. The Chart Filter Settings opens.

2. Click or clear the radio buttons as relevant, and click Apply.
Creating, saving, and exporting investigation dashboards

About this task
There are many ways of filtering the data in the dashboard. Filter sets can be private or shared. For example, a person who is knowledgeable about the environment can
set up relevant filters. This person can create the filters for a specific investigator and then share the filter with that role. You cannot change and save the predefined
system dashboards under their original names.
Important: All investigation dashboards are public. When a dashboard is saved, all users who have access to dashboards also have access to the saved dashboard through
the dashboard menu. In addition, if you save a dashboard as the default dashboard, all users see that default.
You can use the same dashboards with different filter sets, depending on what data you want to see.
Example: Your dashboard includes an activity chart that shows the activities of database users with a breakdown by client IP. You want to view the same data filtered by
different databases, such as HR versus Financial. You might want to add different command types for each database as well.
Filter 1: by database HR, by verb SELECT
Filter 2: by database FINANCIAL, by verb UPDATE
You can open the same dashboard and toggle through the different filter sets associated with that chart by using the and icons above the Active filters list.
Any investigation dashboards, including threat diagnostics, can be encrypted and exported for sharing. Only the dashboard definitions are exported, not the filters.
If you have a dashboard that is configured with a good set of charts for investigating particular incident types, you can share this knowledge with other Guardium users
without including actual attack data or revealing the filters.
Procedure
1. To save the current display, click the icon.
2. To save a dashboard with a different name for modification and subsequent use, click the icon, and save it with a descriptive name and optionally a category.
You can also define a category when you save the dashboard. The name and category can include spaces. To retrieve the dashboard later, click the icon to open
the dashboard menu.
3. To export investigation dashboards, go to Manage > Data Management > Definitions Export. From the Type menu, select Investigation Dashboard and select the
dashboard definitions to export. Then, click Export.

The topology view is visualization of the Guardium appliances in the search results.
About this task

You can view details about each server, select filter criteria, narrow search results to specific segments of the overall Guardium environment. Solid circles represent
collectors and aggregators. Outlined circles represent Central Managers. The color of the circle indicates the status of the server. The outline color of the Central Manager
indicates its status. The size of the circle indicates the relative volume of the collected data.

The topology view is not supported on stand-alone machines.
Procedure
1. To open the topology view, click the Search server status view icon Search server status viewin the toolbar of the investigation dashboard.
2. Hover the mouse over an object to display detailed information about that object.
3. Select an object to narrow the search results to only that object and its children if any exist. Use Ctrl + click to select or deselect multiple objects in the topology
view.
4. Close the topology view by clicking the close icon or clicking outside the topology browser. The search results update automatically to reflect the available data
based on the scope selected in the topology view.
Local and distributed search

About this task
The Investigative Dashboards can run in either local or distributed modes. In local mode, searches are limited to the data available under the local machine (the machine
from which the search is run). For example, a local search that is run from an individual collector returns results from data sources under that collector but not from any
data sources under other collectors in the environment. In distributed mode, searches return data from across the entire Guardium environment and results are not
limited by the specific machine on which the search is run. A topology tool is provided to conveniently narrow search results to specific segments of the overall Guardium
environment.
Investigative Dashboards default to local search mode.
Procedure
1. To toggle between local or distributed search, click the Enable / Disable search all appliances icon in the search window toolbar. Search results automatically
update to reflect the available data based on the selection of local or distributed search.
2. See Using the topology view for information about filtering global search results by a specific segment of the Guardium environment.
Using Data In-Sight

The Data In-Sight visualization enables the user to profoundly examine a sequence of events that are captured by the Guardium system. It provides a comprehensive
picture of activity in a specific time window, and helps to detect unusual behaviors.
About this task

Data in-sight introduces a revolutionary paradigm that uses human visual capabilities to gain an overall view on data transactions and identify unexpected behaviors.
Guardium already provides robust machine learning and data-analysis features to assist audits and detect attacks. Algorithms, data analysis, and charts are designed

based on accumulated experience and knowledge. Data in-sight uses the flexibility of human vision perception to spot associations and movements in the raw data that
does not fit a pattern of known attacks that would otherwise be unnoticed. The tool presents various aspects of the data in a complex visual scenario, and provides the
observer with tools to directly explore large amounts of complex data.
Data in-sight converts audited data to a 3-D chronological visualization of data flow, from sources to destinations, showing data transactions unfold exactly as they
occurred.
The visualization space contains two planes, each represents entities of the audit domain of a specific type. Every entry in the audit data is represented as a moving
â€˜flash lineâ€™ from an object of the upper plane (for example, client IPs) to an object of the lower plane (for example, databases). The flash line between the source
and the destination leaves a trail (a dotted line) indicating the presence of interaction between the specific source and destination, which gradually fades into the
background. The trails form an overview of the interaction between sources and destinations in the selected time period. The size of each source and destination is
relative to their level of activity. The sources are located near their destinations, and near other similar sources. The display can be modified in various ways, giving
additional information or aspects on the data. You can view data in-sight with vr headsets.
Data in-sight is an answer to this constantly changing paradigm. It adds the flexibility of human visual perception to spot associations and movements in the raw data,
irrespective of known attack types, that would otherwise be unnoticed.
Data in-sight converts audited data to a 3-D chronological visualization of data sources and destinations, showing data transactions unfold exactly as they occurred. The
visualization space contains two planes, each represents entities of the audit domain of a one type. Each entry in the audit data is represented as a moving â€˜flash
lineâ€™ from an object of the upper plane (client IP, OS user, DB user, or source program) to an object of the lower plane (database, object, or server). The flash line
between the source and the destination leaves a trail (a dotted line) indicating the presence of interaction between the specific source and destination, which gradually
fades into the background. The flash line has the same color as the destination database. The trails form an overview of the interaction between sources and destinations
in the selected time period. The sources are located near their destinations, and near other similar sources. The size of the destination entity is proportional to the volume
of transactions relative to the other destination entities. There a many ways of modifying the display, including: color-code the top entity (color changes as data source
details change), filter from the data in-sight chart, and the investigation dashboard facets. You can also view data in-sight with vr headsets.
Procedure
1. In the Investigation Dashboard window, click Add Chart > Data in-Sight chart. The Chart Settings window opens.
2. In the Chart Settings pane, modify the object types that are represented in both planes, the type of data flow between them. You can optionally color-sort the
entities in the top plane by a secondary criteria, providing another level of analysis. For example, if the objects of the top plane represent client IPs and you select
color-sorting for source program, you can see the usage of different source programs by a specific IP client, and the usage of a common source program by different
client IPs. An object whose color changes repeatedly indicates a frequent change of source program usage in a single client IP. Click Apply.
Table 1. Data In-Sight Chart Settings
Field Description and Values
Data flow domain The type of data flow displayed. One of: Activities, Errors, Violations, Outliers.
Top plane entities The entity that is represented in the top plane. One of: Client IP, DB User, OS User, Source Program.
Bottom plane entities The entity that is represented in the bottom plane. One of: Database, Object, Server.
Color sort top entities by Extra (optional) color classification of top entities by: None, Client IP, DB User, OS User, Source Program.
Show top plane label yes, no
Show bottom plane label yes, no
Max. entities in top plane Maximum number of entities that are shown in the top plane.
Max. entities in bottom plane Maximum number of entities that are shown in the bottom plane.
Top entities color Opens color palette to select color for top plane entities. Disabled if top entities are color sorted.
Background color Opens a color palette to select color for background.
Planes color Opens a color palette to select color for planes (one color for both planes).
3. Modify the display by:
Click the magnifier icon to enter full screen mode for more details
Rotate the view by holding down the left mouse button and dragging
Pan by holding down the right mouse button and dragging
Zoom in and out with the mouse wheel
4. View entities by:
Hover over an entity to show its details in the legend
Click an entity to show only its data flows (other entities fade out). Click the background to exit.
Double-click an entity to use it as the active filter (over the entire dashboard)
5. The information pane, which is located in the upper right corner, shows the time stamp of the current displayed actions, the number of actions shown so far, and an
indication of the rate of events per second. You can modify the display by:
Pause/restart data flow
Restart data flow from beginning of time

period
Increase speed of data flow
Decrease speed of data flow
View from top (birdâ€™s eye)
View from side (default)
6. Use these buttons above the Control Panel as relevant:

Activates full-screen mode for the Data In-Sight
chart
Opens the Chart Settings

Closes the Data In-Sight chart
Opens a pop-up help
Outliers Detection
Enable and start auditing outliers detection in two easy steps, letting Guardium do the work of identifying abnormal server and user behavior, and providing early detection
of possible attacks.
An outlier is behavior by a particular source (in DAM either a database or a particular user on a database, and from Guardium V.10.1.2 in FAM either a server or an OS
user), in a particular time period or scope that is outside of the â€œnormalâ€ time frame or scope of the particular database or user's activity. Outliers can indicate a
security violation that is taking place, even if the activities themselves do not directly violate an existing security policy.
User activity that is identified as a suspected outlier includes:
User accessing a table for the first time

User selecting specific data in a table that he has never selected before
Exceptional volume of errors. For example, an application generates more SQL errors than it has in the past. This could indicate that there is a SQL injection attack
in progress.
Activity that itself is not unusual, but its volume is unusual
Activity that itself is not unusual, but the time of activity is unusual. For example, a DBA is accessing a particular table more frequently than in the past. This could
indicate that the DBA is slowly downloading small amounts of data over time.
Database activity that is identified as a suspected outlier includes:
Exceptional volume of errors

Activity that itself is not unusual, but its volume is unusual
Activity that itself is not unusual, but the time of activity is unusual
Outlier Mining findings are available from the Investigation Dashboard (Quick Search) and in Reports.
Outlier mining operates on data that is already audited by a security policy. Make sure that the data you want evaluated for outliers is already audited by a security Policy.
Outliers detection can run on:
An aggregator, with data from all its collectors (except a collector that is running outliers detection locally).
A collector, using data only its own data.
Quick start for outlier detection

Learn how to enable outliers, and start receiving alerts in a few simple steps.
Enabling and disabling outliers detection on an Aggregator
Enable, disable, and configure outliers detection on an Aggregator to configure outliers detection on of all the aggregator's collectors.
Enabling and disabling outliers detection locally on a Collector
Run outliers detection on a single collector to evaluate only that collector's data.
GuardiumÂ® provides a convenient graphical interface for identifying and responding to outliers detected by the algorithm.
View file activity monitoring outliers in the Investigation Dashboard Activity Chart and Results Table (investigation dashboard must be enabled), or review the
Analytic Outlier List report.
Monitor the outlier mining status
Use the outlier mining status page to monitor the outlier mining process on both a specific unit where the process runs and on a CM or aggregator.
Grouping users and objects for outlier detection
Find out how to add groups, for example user or object groups, to the default outlier detection algorithm.
Excluding events from outlier detection
It is possible to exclude events from outlier detection, for example, activity from test data.
Quick start for outlier detection

Learn how to enable outliers, and start receiving alerts in a few simple steps.
Before you begin

Anomaly Detection is enabled (Setup > Tools and Views > Anomaly Detection).
About this task

Outliers detection can run on any number of aggregators. However, it's recommended to start with one aggregator, refine the configuration, and then expand to additional
aggregators. Before you start, decide on the available resources to investigate outliers. Then limit the number of outliers reported daily to an amount you can investigate.
The guardium algorithm provides you with the mosts important events to investigate, not just the "top 10," for example.
Outlier detection is a separate process from security policy rules and enforcement, so you cannot set up real-time alerts on outliers. However, because outlier data is
included in reports, you can create a correlation alert. A correlation alert is triggered by a query that looks back over a specified time period to determine whether the alert
threshold has been met.
Procedure
1. Enable outliers, see Enabling and disabling outliers detection on an Aggregator or Enabling and disabling outliers detection locally on a Collector.

2.
3. Set the maximum number of outliers reported per day. See .
4. Optionally fine tune the outlier definition. See Grouping users and objects for outlier detection and Excluding events from outlier detection.
5. Create a query.
a. Navigate to Reports > Report Configuration Tools > Query Builder.
b. Set Domain=analytic, Query name=Analytic Outliers List or Analytic Outliers Summary by Date. All other settings can be left at their defaults.
c. Click Create Report.
6. Create an Audit process.
a. Navigate to Comply > Tools and Views > Audit Process Builder.
b. Name the process and add the task (the report you just created).
c. Define receivers. Decide what kind of notifications you want. You can set up alerts, add to the to-do list, and assign users to review and justify the findings.
d. Schedule the process as daily, and Save.
7. For easy viewing, add the outliers reports to My Dashboard.
Results
When the learning period is complete after one week, there should be data in the reports, and alerts are sent.
Parent topic: Outliers Detection
Enabling and disabling outliers detection on an Aggregator

Enable, disable, and configure outliers detection on an Aggregator to configure outliers detection on of all the aggregator's collectors.
Before you begin

It is strongly recommended that you enable outliers only on 64-bit aggregators with a minimum of 24 gigabytes of memory.
This feature is supported from Guardium V.10.1.2.
About this task

Restriction: Outliers detection and Data Level Security cannot be enabled concurrently.
When run on the aggregator, outliers detection data is extracted from the managed units and the learning and analysis phases happens on the aggregator.
Outliers detection is disabled by default. This procedure is run on a central manager, to enable or disable outliers detection on all collectors that send their data to the
specified aggregator, except a collector that is running outliers detection locally. (For more details on local collection, see Enabling and disabling outliers detection locally
on a Collector).
If a collector has moved from one aggregator to another, or if you want to enable outliers detection locally on a collector, disable the outliers detection on the aggregator,
enable outliers detection locally if relevant, and then enable outliers detection on the aggregator. Whenever you enable outliers detection on the aggregator, it refreshes
the list of the its collectors.
Procedure
1. Log in to the central manager as a user or administrator with the CLI role.
2. To enable the outliers detection function, enter:
grdapi enable_outliers_detection_agg schedule_interval=1 schedule_units=HOUR aggregator_host_name=<aggregator host name>

DAM_FAM=DAM
where:
aggregator_host_name parameter is the host name of the aggregator
FAM_DAM is an optional parameter specifying the type of outliers. The default is DAM.
3. To disable the outliers detection function, enter:
grdapi disable_outliers_detection_agg aggregator_host_name=<aggregator host name>
where:
aggregator_host_name parameter is the fully qualified domain name of the aggregator
Results
The system starts collecting outlier data. Once the learning has completed (14 days), outliers data is available in the Investigation Dashboard (Interpreting data outliers in
the investigation dashboard and Interpreting file activity outliers) and the Outlier Analytic List Report.

Related concepts:
GuardAPI Outliers Detection Functions
Enabling and disabling outliers detection locally on a Collector

Run outliers detection on a single collector to evaluate only that collector's data.
Before you begin

It is strongly recommended that you enable outliers only on 64-bit collectors with a minimum of 24 gigabytes of memory.
About this task

Restriction: Outliers detection and Data Level Security cannot be enabled concurrently.
Outliers detection is disabled by default. Follow the steps described below to enable or disable outliers detection locally on a collector. When outliers detection is enabled
locally on a collector, its data is not combined with the data on its aggregator.
To identify a collector that is running outliers mining locally, access the outlier mining status window, and look at the row of the individual collector (not under the
aggregator). The column Outlier Mining Enabled/Disabled shows green.
To change a outliers detection from local to the aggregator, disable outliers detection locally, disable outliers collection on the aggregator, and refresh the list of collectors
by re-enabling outliers detection on the aggregator.
Procedure
1. Log in to the collector as a user or administrator with the CLI role.
2. To enable the outliers detection function, enter:
grdapi enable_outliers_detection schedule_interval=1 schedule_units=HOUR DAM_FAM=DAM
where:
FAM_DAM is an optional parameter specifying the type of outliers. The default is DAM.
3. To disable the outliers detection function, enter:
grdapi disable_outliers_detection
Results
The system starts collecting outlier data. Once the learning has completed (7 days), outliers data is available in the Investigation Dashboard (see Interpreting data outliers
in the investigation dashboard and Interpreting file activity outliers), and the Outlier Analytic List Report.


GuardiumÂ® provides a convenient graphical interface for identifying and responding to outliers detected by the algorithm.
Quick Search must be enabled (grdapi enable_quick_search) to see outlier detection data in the investigation dashboard.
The Activity chart includes red (high) and yellow (medium) indicators that reflect the severity or total outliers score for the selected time interval. Red indicators reflect
highly anomalous events requiring immediate attention. Yellow indicators represent less extreme anomalies that warrant attention as part of other or related
investigations.
Hover over an outlier icon to view detailed information about outliers detected during that time period. To filter the Results Table to activities or outliers that occurred
during the same time period, click Show details.
From Guardium V.10.1.2 the Outliers tab in the Results Table has two views:
Summary has one row per source per hour in which an outlier was found, with an anomaly score and one or more reasons. Note that not every outlier presented in
the Summary Tab has further details in the Details tab.
Details is a sample of events that occurred, with one row per event with a reason (except diverse, see table) and other details (source program, object, verb, etc.).
For example, for high volume, the sampling presents the events with the highest score. You can configure the number of samples (rows) that appear in the Details
Tab, per each outlier in the Summary tab.

This table describes the columns in both the Summary and Details views:
Table 1. Columns in Outliers Tabs of the Results Table

Column name Description Further Action
Anomaly Score Summary Tab: A calculated aggregate value based on the volume Right-click the score to open a menu with additional actions you
of outliers, the severity of individual events, the predicted volume can perform. In the Details tab the score can be 0, indicating that
of outliers for a given time of day, and other factors. For example, the individual events are not suspicious on their own, but the
on a system that typically identifies 0 outliers at 1am and 5-10 accumulated events in that hour are suspicious.
outliers at 1pm during weekdays, the presence of two additional
outliers (of 2 outliers at 1am or of 12 outliers at 1pm) is more
significant, and weighted more heavily, than the hourly total itself.
Details Tab: The anomaly score is only relevant for a high volume
event.
High volume Outlier True or False. High volume of activities of some type, for example Â
on an object, of a DB user.
New Outlier True or False. High volume of activities on new objects, for Â
example an admin uncharacteristically creates a high number of
new tables.
Diverse Outlier Summary view only. True or False. High volume of different types See the Activity table for more details.
of activities, for example a DB user performs many more activities
than usual, or performs them at an unusual time. A sample of the
diverse events does appear in the Details tab, they can be
identified by the database user. Although Diverse is not a column
in the details tab, they may have other reasons assigned to them.
Otherwise they appear without a reason.
Error Outlier True or False. An unusually high incidence of error conditions. Â
Ongoing Outlier Summary view only. True or False. Event in the last few hours that There are no specific events to view. See the Activity table, filter
was not high enough to create an outlier, but does raise by the database in the facet list, and modify the time interval to
suspicions. the time of the suspicious behavior.
Number of Instances Details view only. Number of times this particular event has been Â
seen in the hour.
Records affected Number of records affected by the particular event. Appears as a Â

negative number if the event does not, by definition, have affected
records.
Server Server on which the event occurred Â
Database Database on which the event occurred Â
Source Program Details view only. Source Program in which the event occurred Â
DB User Details view only. DB User that executed the outlier event. Â
Object Object on which the user executed the event Â
Privileged User Summary view only. True or False. Whether the user is privileged Â
or not
Verb Details view only. Verb with which the user executed the event Â
Date Date on which the event occurred in the format yyyy-mm-dd Â
Time Time at which the event occurred in the format hh:mm:ss Â

Pre-Guardium V.10.1.2, there is one outlier reason column, with one or more of these values:
rare
a seldom seen condition
high volume
an unusually high incidence of a condition
new
a condition seen for the first time
error
an unusually high incidence of error conditions
Outlier reasons are assigned in combinations when needed. For example, an outlier may be flagged as both rare and high volume if a seldom-seen condition suddenly
occurs many times.
Note:
If a negative result ("-") appears in the Records affected result report, user should re-enable outliers to clear this negative result.

Anomaly Detection

View file activity monitoring outliers in the Investigation Dashboard Activity Chart and Results Table (investigation dashboard must be enabled), or review the Analytic
Outlier List report.
Outliers supports file activity monitoring from Guardium V.10.1.2
Quick Search must be enabled (grdapi enable_quick_search) to see outlier detection data in the investigation dashboard.
View outliers in the Investigation Dashboard Activity Chart and Results Table (investigation dashboard must be enabled), or review the Analytic Outlier List report.
Access the summary chart by selecting Data or from the User Interface drop-down, and clicking Enter; or by entering quick search in the search field and clicking Enter.
The Activity chart includes red (high) and yellow (medium) indicators that reflect the severity or total outliers score for the selected time interval. Red indicators reflect
highly anomalous events requiring immediate attention. Yellow indicators represent less extreme anomalies that warrant attention as part of other or related
investigations.
Hover over an outlier icon to view detailed information about outliers detected during that time period. To filter the Results Table to activities or outliers that occurred
during the same time period, click Show details.
The Outliers tab in the Results Table has two views:
Summary has one row per source per hour in which an outlier was found, with an anomaly score and one or more reasons. Note that not every outlier presented in
the Summary Tab has further details in the Details tab.
Details is a sample of events that occurred, with one row per event with a reason and other details. For example, for high volume, the sampling presents the events
with the highest score. You can configure the number of samples (rows) that appear in the Details Tab, per each outlier in the Summary tab.
This table describes the columns in both the Summary and Details views:
Table 1. Columns defined for both Summary and Details

Anomaly Score Summary Tab: A calculated aggregate value based on the volume Right-click the score to open a menu with additional actions you
of outliers, the severity of individual events, the predicted volume can perform. In the Details tab the score can be 0, indicating that
of outliers for a given time of day, and other factors. For example, the individual events are not suspicious on their own, but the
on a system that typically identifies 0 outliers at 1am and 5-10 accumulated events in that hour are suspicious.
outliers at 1pm during weekdays, the presence of two additional
outliers (of 2 outliers at 1am or of 12 outliers at 1pm) is more
significant, and weighted more heavily, than the hourly total itself.
Details Tab: The anomaly score is only relevant for a high volume
event.
High volume Outlier True or False. High volume of activities of some type, for example Â
on an object, of a DB user.
New Outlier True or False. High volume of activities on new objects, for Â
example an admin uncharacteristically creates a high number of
new tables.
Error Outlier True or False. High volume of errors Â
Ongoing Outlier Summary view only. True or False. Event in the last few hours that There are no specific events to view. See the Activity table, filter
was not high enough to create an outlier, but does raise by the database in the facet list, at the time of the suspicious
suspicions. behavior.
Number of Instances Details view only. Number of times this particular event has been Â
seen in the hour
Server Server on which the event occurred Â
OS user OS User that executed the event Â
Privileged User True or False. Whether the user is privileged or not Â
File Full Name Name of file on which the user executed the event Â

Command Command with which the user executed the event Â
Date Date on which the event occurred in the format yyyy-mm-dd Â
Time Time at which the event occurred in the format hh:mm:ss Â

Related concepts:
Anomaly Detection
Monitor the outlier mining status

Use the outlier mining status page to monitor the outlier mining process on both a specific unit where the process runs and on a CM or aggregator.
The outlier mining status page that is viewed in the CM presents details of all managed aggregators and their collectors. All collectors in the CM appear in individual rows
under their aggregators. When viewed in an aggregator this window presents details of the specific aggregatorâ€™s collectors. When viewed from a collector, only the one
collector is presented.
The page is located in the Guardium menu Manage > Maintenance > Outlier Mining Status
The following tables describe the page and the recommended user actions.
Table 1. Outliers Mining Status Page Columns

Column Description Actions
Unit Name of unit NA
Opens the list of units that send data to this aggregator Click to view the list of units
Unit on/off Indicates whether the unit is on or off. NA
Outlier Mining Enabled/Disabled Aggregator: Indicates whether outlier mining on the aggregator is enabled. If NA
disabled, then the rest of the row after this column is empty.
Individual row of one collector or standalone unit: Green indicates that outlier
mining is enabled locally.
Send data for outlier mining Collectors only. The collector sends outlier mining data to the aggregator. Data for outlier NA
mining is sent is sent from the collector to the aggregator if the aggregator is enabled for
outlier mining, and the collector is not running outliers mining locally.
Anomaly Last Found The local date and time on the CM of the last outlier mining run that found one or more NA
anomalies (outliers). Shows data only for units running version 10.1.2 and up.
Last Analysis The local date and time of the CM of the last outlier mining run (process end date/time). NA
Shows data only for units running version 10.1.2 and up.
Outlier Mining Status The status of the last outlier mining run. If an error/warning occurred
only once, let the process run
Green: the process ended successfully. again (next hour) and check the
result. If an error repeats,
Yellow: the process ended with warnings.
contact support.
Red: the process ended with errors.
Shows data only for units running version 10.1.2 and up.
Details The status can be red (error), yellow (warning), or green. For processes that ended with
warnings (yellow), click to open
a pop-up with the warning. For
processes that ended with
errors (red), click to open a pop-
up with the error.
Learning Since Date and time at which the outlier mining process was enabled. The process learns the NA
resource's behavior since this time.
Quick Search on/off Indicates whether Quick Search and Solr are enabled on the managed unit. When Quick See Enabling and disabling the
Search is disabled, this machine's data is not included in the Investigation Dashboard. Investigation Dashboard
Last Info. Update Last date and time the information in this row was updated. Data is usually updated in NA
intervals of about 5 minutes.
Table 2. Outliers Mining Status Page Buttons
Button Description Actions
Refreshes the display Click to refresh the display

Refresh
Plus Sign This button appears only when the unit detailed in the row is an aggregator. Click to open the list of units
that send data to this
aggregator.

Grouping users and objects for outlier detection
Find out how to add groups, for example user or object groups, to the default outlier detection algorithm.
About this task

By default, there are two groups of users and objects that are weighted or scored more heavily by GuardiumÂ® machine-learning algorithm: Admin Users and Sensitive
Objects. However, you may have already established additional groups that would also be useful for outlier detection. For example, you may have a group of Suspicious
Users or you may have several different groups of sensitive objects that are aligned with different applications.
Procedure
1. This task requires that you know the internal group ID to use with the grdapi command. To get the group ID, you can use the following command: grdapi
list_group_by_desc desc=[group name]. For example, if you have a group named BadGuys, you can enter the following command to get its internal group ID:
grdapi list_group_by_desc desc=â€ BadGuysâ€
2. Once you know the desired ID, add it as privileged user group for a boosted score as follows (note that you must also include the default group 1 if you want to
boost scores for that as well). To add a group with the ID 1234: grdapi set_outliers_detection_parameter parameter_name="privUsersGroupIds"
parameter_value=1,1234
3. To add sensitive objects with the IDs 333 and 156: set_outliers_detection_parameter parameter_name="sensitiveObjectGroupIds" parameter_value=5,333,156
Results
The specified groups or sensitive objects are added to the outlier detection and are given additional weight by the algorithm.
Excluding events from outlier detection

It is possible to exclude events from outlier detection, for example, activity from test data.
Exclude events that matching specific criteria, using Outlier Response

1. Right-click an outlier indicator and select Ignore to exclude outlier responses.
2. Enter specific values or use wildcard entries (with the * character) to define what you want to ignore.
3. Remove any unnecessary fields by clicking the appropriate icons.
4. Click OK to commit the changes.
5. To include previously ignored events, view the Analytic User Feedback report, double-click the previously-ignored event, and select Invoke >
delete_analytic_user_feedback.
For example, to ignore all activity from server 10.70.144.159, database ON1PARTR, and any database user beginning with GUARD, your dialog looks like:
Exclude events using Group Builder

If you have many items for exclusion, use the GuardiumÂ® Group Builder and populate any or all of the following groups as needed:
Analytic Exclude DB User
Analytic Exclude OS User
Analytic Exclude Server IP
Analytic Exclude Service Name
Analytic Exclude Source Program
The Group Builder has options for bulk uploading including the ability to populate from a query on a custom table.

Alternatively, use GuardAPI commands to populate the Analytic Exclude groups. For example, to add OMNISERVER to the Analytic Exclude Source Program group, use the
following command:
grdapi create create_member_to_group_by_desc desc=â€ Analytic Exclude Source Programâ€ member=â€ OMNISERVER%â€
Data Protection Dashboard

The Guardium data protection dashboard provides a summary view of risk and compliance data intended for senior-level security officers.
The data protection dashboard contains several charts and graphs in addition to compliance and risk statistics designed for continuous display on a large monitor. To open
the dashboard, navigate to Investigate > Guardium Data Protection Dashboard.
CAUTION:
The session will not expire and you will not be automatically logged out while viewing the data protection dashboard. Use care when leaving dashboard open for long
periods of time.
Information:
The dashboard automatically refreshes every 20 minutes.

The default search settings are for distributed search with data collected from the previous one day.
Charts and graphs

Several line charts allow you to quickly compare different types of data. For example, a chart can display the volume of activities, errors, and violations over time.
An Anomalous activities chart displays a summary of outliers in relation to overall activity. On this chart, an outliers summary dot represents an unexpected volume of
outliers.
Information: The y-axis of these charts is a log axis and may distort the chart proportions, and the values or counts are not logged.
Risk and compliance statistics

The Risk statistic shows the number of tests that failed with critical severity and the number of datasources where those failure occurred. Each datasource can have
multiple failed tests.
Monitored datasources shows the number of datasources for which the system is logging activities. This statistic is calculated by looking at the available access domain
data.
Compliance to-do list tasks shows the following summary of audit processes: the number of processes that were closed today, the number of processes that have been
open for less than three days, and the number of processes that have been open for more than three days.
Information:

Statistics are not affected by facet and text search filters, but statistics are affected by the search mode. To change the search mode, use the control to expand
the top pane, then click the icon to toggle between distributed and local search.
The statistics components are recalculated once every hour.
Reports
A report defines how the data collected by a query is presented.
The default report is a tabular report that reflects the structure of the query, with each attribute displayed in a separate column. All presentation components of a tabular
report (the column headings, for example) can be customized. All graphical reports are defined using the Report Builder. In addition to the start and from date (query to
and query from) parameters, values can now be displayed between the beginning of the page and start of the table in all reports.
Before using the Report Builder, create a query using the Query Builder. See Using the Query Builder.
The fastest way to create and view a report is by using the steps to Create a Report, then select the report from My Dashboard.
Move back and forth between menu screens using the Back and Next buttons. The back arrow in the web browser does not work for navigation between GuardiumÂ®
screens.
Icons used in Reports

Use icons to select functions within Report Builder.
Table 1. Report Icons

Graphical icons Function
Ad-hoc process for Run Once now
Refresh
Open or run in a new window
Add a report
Add to favorites
Modify or Edit the query for this report or Customize chart
Delete
Data Mart Builder
Clone
Configure runtime parameters
Configure report columns
<-- Customize report
-->
<--
Find a Report for Editing
To access a report definition, select the Reports lifecycle icon and then click Report builder.
Search for a report by choosing Domain, Query or Report title. The results display in the Report Search Results panel.
To locate a specific report, select that report from the Report Title list. The selected report displays immediately in the Report Search Results panel.
For the remaining types of search, click the Search button after making entries in one or more fields, or just click the Search button to list all reports available for
your Guardium account.
To list all reports that use a specific query, select that query from the Query list.
To list all reports for a specific chart type, select it from the Chart Type list.
To locate a specific report, select that report from the Report Title list. The selected report displays immediately in theReport Search Results panel.
If the search locates any reports, they display in the Report Search Results panel. Click any of the following buttons:

New - See Create a Report.
Clone - See Clone a Report.
Modify - See Modify a Report.
Roles - See Security Roles. Assign roles to reports in Report Builder. Assigning roles to reports while in Query Builder (Tracking) assign only the role to the Query,
not the report.
Delete- See Remove a Report.
Comment - See Comments.
API Assignment - See API Assignment
Drilldown Control - See Modify the Drill-Down Reports menu for a Report.
Create a Report
1. To access a report definition, select the Reports lifecycle icon and then click Report builder.
2. Click New to open the Create Report panel.
3. From the Query list, select a query value to be used by the report (for example, Guardium Logins)
4. Enter a unique name for the report in the Report Title field.
Customize the Report Presentation

Follow the step procedures to customize the report presentation.
1. In the Report Column Descriptions panel,

Optionally override the Report Title. The default is from the report definition. You can modify the title on most subsequent panels.
Optionally override any Column Description (the column headings).
2. Click Next to open the Report Attributes panel:
Mark the Tabular or Chart button.
Click Next to go to the Submit Report panel.
3. Click Save to submit the report for creation.
Create a Graphical Report

Follow the step procedures to create a graphical report.
1. Follow the previous steps in Customize the Report Presentation for Report Column Descriptions, Report Parameter Descriptions, and Report Attributes.
2. In the Report Chart Type panel, select the Chart type and click Next. The choices are Area, Bar, Bar Area, Bar Line, Column, Date Area, Date Column, Date Line,
Distributed Label Line, Individual Bar, Individual Column, Line, Pictogram, Pie, Polar, Speedo, and Stack Bar. Pie, Polar, Speedo, and Stack Bar are recommended.
Choose one and click Next.
3. If the Report Chart Type panel is not displayed, skip this step (all necessary data has been entered). Select the type of chart for the report from the Chart Type list.
4. Click Next to open the Report Presentation Parameters panel.
Review the parameters, which varies for each type of chart.
Optionally override any of the default settings for the chart type selected.
5. Click Next to continue to the Submit Report panel, and continue with the Submit Report Definition procedure.
6. To view your graphical report, go to My Dashboards, and add your graphical report.
Note:
A refresh icon appears in all graphical reports next to the help icon.
Submit Report Definition

1. Optionally add comments (see Comments).
2. Optionally assign roles (see Security Roles).
3. Click Save.
Modify a Report
1. Find the report to be modified. Go to the Report Builder finder menu.
2. Click Modify to open the Report Columns panel.
3. Continue with Customize the Report Presentation.
Clone a Report
1. Find the report to be cloned. Go to the Report Builder finder menu.
2. Click Clone to open the Report Columns panel.

3. Enter a new name for the cloned report, in the Report Title box. You can enter the new name on any of the subsequent screens - the only requirement is that the
new name must be entered before the cloned report can be saved.
4. Continue with Customize the Report Presentation.
Remove a Report
Be aware that you cannot remove predefined reports, and you cannot remove reports that are used in Audit Processes.
1. Find the report to be removed.
2. Click Delete to remove the report.
Report Size Limitation

Tabular reports are limited to 5,000 rows of output, but when included in a workflow process, any number of rows can be exported from the report task to a CSV or CEF
file. See Building audit processes.
Limits
The limit for the buttons when viewing a report (generate PDF, generate CSV, and printable) is 30,000 rows. This is non-customizable.
The limit for the Populate From Query in Group and Alias Builder when run via Run Once Now is 5,000 rows. This is non-customizable.
The limit for the Populate From Query in Group and Alias Builder when run via Scheduling is 20,000 rows. This limit is customizable, via the CLI command, show/store
populate_from_query_maxrecs.
Modify the Drill-Down Reports Menu for a Report

By default, the drill-down menu for a report includes all reports with run-time parameters that can be supplied by attributes from the report, which is given the usual
security role restrictions. To disable or enable any reports on the drill-down menu for a report:
1. Locate the report. Go to the Report Builder finder menu.

2. Click Drilldown Control to open the reportâ€™s Drilldown Control panel.
3. Mark the checkbox for any report to be disabled, or clear the checkbox for any report to be enabled.
4. Click Apply. The system displays a message saying your changes were applied successfully.
API Assignment
By default, the Guardium application comes with setup data that links many of the API functions to reports; providing users, through the GUI, with prepared calls to APIs
from reporting data. Use API Assignment to link additional API functions to predefined Guardium reports or custom reports.
For more information on using linked API functions, see the documentation on GuardAPI Input Generation.

2. Click API Assignment to open the API Assignment panel; showing the current API functions that are mapped to the selected report.
3. Click an API function to display a pop-up window of the current API to Report Parameter Mappings; showing the API parameters, if the API parameters are
required, any default values, and if any of the report fields are currently mapped to those parameters.
If there are no fields in the report that are linked to API parameters, it might be irrelevant to link an API function to a report. The mapping of API parameters to
report fields can be accomplished through both the GUI and the Guardium CLI. For additional information on mapping API parameters to report fields, see Mapping
GuardAPI Parameters to Domain Entities and Attributes in the GuardAPI Input Generation section.
4. Click the greater-than sign '>' to add the selected API function to the current list of functions that are assigned to this report.
Open Query for Editing from Report Portlet

1. Open a report portlet for any report that is based on the query to be edited.
2. Click Edit this Report's Query in the tool bar. You must be authorized to modify the query that the report is based on.
Report parameters
You can use parameters to control the contents and presentation of a report.
Creating dashboards
You can create one or more dashboards, add reports to them, and configure their appearance.
Viewing a report
There are several ways to view a report, including your dashboard and UI search.
Creating a report
If the predefined reports do not meet your needs, you can create your own.
Creating reports for z/OS
Learn how to create Guardium reports for z/OS data sources by customizing built-in reports and example queries.
Data Mart
A Data Mart is a subset of a Data Warehouse. A Data Warehouse aggregates and organizes the data in a generic fashion that can be used later for analysis and
reports. A Data Mart begins with user-defined data analysis and emphasizes meeting the specific demands of the user in terms of content, presentation, and ease-
of-use.
Audit and Report
Guardium organizes the data it collects into a set of domains. Each domain contains a different type of information relating to a specific area of concern: data
access, exceptions, policy violations, and so forth.
Queries
Use one of the many predefined queries that come with Guardium to get information about your data. Use the Query Builder to work with queries.
Domains, Entities, and Attributes
A domain provides a view of the data that Guardium stores.
How to take advantage of predefined reports
Instead of creating custom reports from scratch, take advantage of the predefined content in the Guardium application.
How to ask questions of the data
Use the Query Builder to define and modify questions about the collected data.
How to report on dormant tables and columns
Guardium offers functionality that can help data architects and DBAs discover which tables and which fields are not being used.
How to Generate API Call from Reports
Generate Guard API calls from a report either from a single row within a report or based on the whole report
How to use Constants within API Calls
Create a new entity attribute to be used during an API function call.
How to use API Calls from Custom Reports
Link API functions to reports and map report fields to the API functional parameters.

Optional External Feed
External feeds allow you to send Guardium report data directly to an external database.
Mapping an External Feed
Learn how to map an external feed to send Guardium report data directly to an external database.
Distributed Report Builder
This Central Manager feature provides a way to automatically gather data from all or a subset of the Guardium managed units that are associated with this
particular Central Manager. Distributed reports are designed to provide a high-level view, to correlate data from across data sources, and, to summarize views of the
data. You would continue to use aggregators for the row level data gathering across collectors.
How to create a Distributed Report
Guardium offers a function that provides a way to automatically gather data from all or a subset of the Guardium managed units that are associated with a particular
Guardium Central Manager.
Report parameters
You can use parameters to control the contents and presentation of a report.
There are two types of report parameters:
A runtime parameter provides a value to be used in a query condition. There is a default set of runtime parameters for all queries, and any number of runtime
parameters can be defined in the query that is used by the report.
A presentation parameter describes a physical characteristic of the report; for example, whether a graphical report includes a legend or labels, or what colors to use
for an element. All presentation parameters are provided with initial settings when you define a report.
To set report parameters:
1. Click Configure Report Parameters from the choices within the report. See the icon .
2. In the panel, enter runtime and presentation parameters in the boxes that are provided, as necessary for the task to be performed.
3. Click Save.
4. To view the report, go My Dashboards.
Standard Runtime Parameters

The following runtime parameters are present for all reports.
Runtime
Parameter Default and Description
Enter Period None for a new report, varies for default reports. The starting date for the report is always required.
From
Enter Period None for a new report, varies for default reports, though the default is almost always NOW. This date is the ending date for the report, and is always
to required.
Remote Data None. In a Central Manager environment, you can run a report on a managed unit by selecting that GuardiumÂ® system from the Remote Data Source list.
Source
Show None (meaning the system-wide default is used). Select the On to always display aliases, or Off to never display aliases. Select the default button to revert
Aliases to the system-wide default (controlled by the administrator) after either the On or Off button has been used.
Refresh Rate Rate at which report is refreshed.

(seconds)
Use this GuardAPI command, list_parameter_names_by_report_name. This function takes a report name as input parameter and returns a list of runtime parameter
names for that report.
Parent topic: Reports
Creating dashboards
You can create one or more dashboards, add reports to them, and configure their appearance.
Before you begin

Think about how you want to organize the reports that you view regularly. Do you want to view them in one dashboard, or in several dashboards?Â Do you want to group
and order them according to their purpose, how critical they are, or some other approach? You can always rearrange your dashboards or create new ones.
About this task
Procedure
1. Click My Dashboards > Create New Dashboard to open a new dashboard.
2. Enter a descriptive name in the Name field. This name is used in the list of dashboards in the menu.
3. Click Add Report to display a list of available reports. If you have designated certain reports as favorites, you can check the My Favorites box to see only a list of
those reports. If you want to see only graphical reports, check the Chart Only box.
4. The Add a Report dialog shows a list of all reports that meet your criteria. You can browse the list of reports, or type a string in the Filter field. The list of reports is
updated as you type.
5. Click the title of a report to add it to your dashboard. Continue adding as many reports as you want. When you are finished adding reports, click Close.
Results

You have a dashboard that gives you easy access to some selected reports.
What to do next
Review the appearance of your dashboard. Is it easy to use, and to find the information that you want? If not, you can configure it further.
Configuring your dashboard

You can configure several aspects of the appearance of your dashboard to make it as useful as possible.
About this task
Think about how you use your reports. What arrangement makes it easy to achieve your goals?Â Experiment with these changes.
Procedure
1. Rearrange the reports. To move a report, place your cursor on the reportâ€™s title bar, and drag it to a new location.
2. Choose a new number of columns by clicking 1, 2, or 3 in the Number of columns area. By default, your reports are shown in two columns. If you need more space
for each report, click 1 to see how your reports look when they are the full width of the dashboard. If you prefer to see more reports at one time, try three columns.
3. Resize your reports. Drag the resize icon to make a report longer or shorter, narrower or wider. If you adjust the width of a report, all the reports in that column use
the new width. If you change the number of columns, all columns return to their default widths.
Using your dashboard

Use the steps to add a report to dashboard and then to customize the appearance.
About this task
Dashboard replaces Add to Pane and Add to My Reports.
Procedure
1. Click on the Dashboard icon from the navigation.

2. Then click Create New Dashboard.
3. Click Add Report to select a report from all of the reports that you have access to, including any new reports that you created.
4. Leverage filtering to quickly find the report you are interested in.
5. Click the report name to add it to your dashboard. Add as many reports to your dashboard as you want, just by selecting each report.
6. Customize your dashboard by selecting a layout. The default is two columns. One column - the reports will assume the width of the dashboard. Two columns - the
reports will assume half of the width of the dashboard. Three columns - the reports will assume one third the width of the dashboard.
7. Customize your dashboard by moving the reports within the screen. Use the icon to customize the chart.
8. Designate specific reports as favorites by selecting the icon. When adding reports to a dashboard, filter based on favorites or filter based on charts.
9. Name your dashboard by clicking on the edit icon.
10. Delete a dashboard, by clicking on the delete icon .
Viewing a report
There are several ways to view a report, including your dashboard and UI search.
You can view a report in several ways:
If you have saved the report to a dashboard, open the dashboard to view the report.
You can add the report to a dashboard. Open the dashboard and click Add Report, then choose the report from the list.
Some reports are listed in categories in the Reports lifecycle.
Some reports are listed under the lifecycle to which they are most relevant.
You can use the user interface (UI) search function to find the report. On the banner, choose User Interface from the drop-down list next to the Search box. Enter
the name of the report into the Search box. Results begin to appear after you type a few characters. Choose the report from the list of results.
The following choices (with icons) permit editing and configuring of the report:
Edit the query for this report

Ad-hoc process for Run Once Now - Use this to invoke a call to GuardAPI commands.
Open in new window
Configure report columns

Configure runtime parameters - A run-time parameter provides a value to be used in a query condition. There is a default set of run-time parameters for all queries,
and any number of run-time parameters can be defined in the query that is used by the report.
Add to favorites
Refresh
You can hide columns from view. Click the columns icon and clear the check boxes for the columns that you want to hide.
You can sort report data by the contents of any column. Click the title of the column on which you want to sort. To reverse the order, click the title again. Sorting is always
performed on the actual data values, ignoring any aliases that are defined.

You can print a report while you are viewing it. Click Export > Full printable report to open a printable copy of the report in a new tab. Click the printer icon on the new tab
to print the report. You can also print a report by exporting it to a PDF file and printing the PDF file.
Note: For an instance where the PDF text is too small to read, the PDF report has a physical limit on how much it can expand horizontally given how wide the page is. Since
each line of the PDF report has to fit on one line, the typeface size changes to fit the data, and may force a very small typeface size in order to display all the data.
Graphical reports can be customized by clicking the Customize Chart icon. The choices include converting the data to a line chart, changing the X-axis and Y-axis
orientation, converting the report to a pie chart or a stacked column chart.
When viewing reports that display Oracle information, occasionally the ? question mark character is used to inform the viewer that the login information was not available.
Again when viewing reports that display Oracle information, the appearance of the number -1 signifies that an unknown number of records are affected. All Oracle
sessions are recorded, even with missed logins.
The OS user does not appear in reports if a Linux system or a Windows system using remote connections did not send the OS user with the login packet. For Linux local
connections, UID chain can be used to identify the user. See which systems support UID chains in Choosing your S-TAP setup.
Refreshing reports
Some reports are configured to refresh their data automatically. On other reports, you can refresh the data manually through the UI.
Exporting a report
You can export a report to a PDF file or a file of comma-separated values.
Viewing Drill-Down Reports
Many reports provide access to drill-down reports that provide more granular data.
Refreshing reports
Some reports are configured to refresh their data automatically. On other reports, you can refresh the data manually through the UI.
When you view a report that is configured to refresh automatically, the color of the Circular Arrows Refresh icon for this report is green, indicating that the report is
refreshing itself automatically.
At a certain point, the report stops refreshing if no further changes are made to the report and the color of the refresh icon turns from green to red. The point in time where
the color changes is equal to half of the GUI session timeout (which can be found by running the CLI command, show session timeout).
For example, if the session timeout is the default 900 seconds, the Circular Arrows Refresh icon on the Request Rate report is green for 450 seconds, then turns red.
There are several ways to refresh report data manually:
Click Refresh on the toolbar.

Use any toolbar button to print a report, download report data, or write the report to a PDF file. The report data is refreshed before performing any of these actions.
Set a time interval for periodic refreshing, by setting the refreshRate parameter value. To perform this task:
Click Customize on the report toolbar.

In the Configuration dialog, set the refreshRate parameter to the number of seconds after which the report data is to be updated. The default value of zero
indicates that the report data is not refreshed on a scheduled basis.
Click OK.
Customize Reports
When the user edits a report or makes a modification to the report through Report Customization, the user must manually click on Refresh. There is no automatic refresh.
UI Customization - In "New Life Cycle" dialog and "New Group" dialog, groups are limited to a maximum of 5 levels deep, so even with longer group names, all levels of
group names and node item text are visible on the navigation pane.
UI Customization - When user enters "<" or ">" in the textbox of "New Life Cycle" dialog or "New Group" dialog, a popup message is displayed to indicate that "The name
cannot contain < or > special characters", and the "OK" button becomes disabled.
UI Customization - In "New Life Cycle" dialog and "New Group" dialog, user can enter a maximum of 50 characters in the text box.
Parent topic: Viewing a report
Exporting a report
You can export a report to a PDF file or a file of comma-separated values.
You can export the contents of a report to a Portable Document Format (PDF) file, and save the file or view it. In the report toolbar, click Export > Download as PDF to
create a PDF copy. Follow the prompt to save or view the file.
When you generate a large PDF file, the process can cause the UI to time out. If you plan to generate large PDF files, consider doing so as part of an audit process, or
increasing the UI timeout value to avoid this problem.
You can also export the contents of a report to a comma-separated value (csv) file. You can export either all the records (the entire report) in the report, or only the display
records (the data currently displayed).
In the report toolbar, click Export > Download all records or Export > Download display records. You can save the results or select an application in which to view them.
Note: If editing a report and removing a column (for example, editing a report with seven columns and removing one column, leaving six columns), when the report is
exported as a PDF file, the report will show the original seven columns.

Viewing Drill-Down Reports
Many reports provide access to drill-down reports that provide more granular data.
If any drill down actions are available on a tabular report the user will know by right-clicking on a row of the grid and a context-menu will appear with any available drill-
down actions.
To be available as a drill-down report:
All of the runtime parameters for the drill-down report must be available from the report that is being viewed.
If security roles have been assigned, you must have access to the drill-down report.
Modify the Drill-Down Reports Menu for a Report

By default, the drill-down menu for a report includes all reports with run-time parameters that can be supplied by attributes from the report, which is given the usual
security role restrictions. To disable or enable any reports on the drill-down menu for a report:

2. Click Drilldown Control to open the reportâ€™s Drilldown Control panel.
3. Mark the checkbox for any report to be disabled, or clear the checkbox for any report to be enabled.
4. Click Apply. The system displays a message saying your changes were applied successfully.
Creating a report
If the predefined reports do not meet your needs, you can create your own.
Before you begin

You choose a query on which this report is based, and the domain of the query. If you must create a new query, do that before you create a report based on it. Remember
that there is distinction between queries and reports. A query describes a set of information to be obtained from the collected data. A report describes how the data
returned by the query is presented. Refer to Using the Query Builder for further information on creating a query. Refer to Domains, Entities, and Attributes for further
information on working with domains.
About this task

You might find it easier to clone a report and modify it than to create a report from scratch.
Procedure
1. Click Reports > Report Configuration Tools > Report Builder to open the Report Builder finder or filter menu. If you select Search at this point without choosing any
domain or query, a menu will appear with all queries listed. Select a query and use the icons (Add New Report , Modify , Clone , or Delete to work
with the queries.
2. From the Report Builder finder menu, click New .

3. The Create Report menu appears. Select a query and give the report a name. Then click Next.
4. The next screen returns the table columns of the query selected. Customize or use as is. Then click Next.
5. The Report Attributes menu appears. Chose a report type, either tabular or chart. Then click Next.
6. Then submit the report for creation by clicking Save. An acknowledgement screen will appear saying the data was successfully saved.
What to do next
If you want to include this report on a dashboard, open the dashboard, click Add Reports, and select this report from the list.
Creating reports for z/OS

Learn how to create Guardium reports for z/OS data sources by customizing built-in reports and example queries.
While the process of creating reports for z/OS data sources is the same as for other databases, there is not always a direct mapping between mainframe concepts and
Guardium's reporting entities and attributes. To ease communication between auditors and mainframe personnel, this section outlines the mapping of mainframe event
data to Guardium entities and attributes. There are some built-in reports that can be customized, and this information describes additional queries that are useful for
typical auditing scenarios.

Related concepts:
Using the Query Builder
Entities and Attributes
Data Mart
A Data Mart is a subset of a Data Warehouse. A Data Warehouse aggregates and organizes the data in a generic fashion that can be used later for analysis and reports. A
Data Mart begins with user-defined data analysis and emphasizes meeting the specific demands of the user in terms of content, presentation, and ease-of-use.
Use this feature to:

Define and generate a Data Mart.
Aggregate summarized and analyzed data from all units to enable high-level/ corporate view in a reasonable response time.
Improve performance of online reports on Guardium Aggregators.
Provide interactive analysis capabilities for finding patterns, trends, and outliers.
Enable collapsing and expanding levels of data
A Data Mart is practical and efficient for all the Guardium predefined-reports. It prepares the data in advance to avoid overload, full scans, and poor performance.
The Data Mart Configuration icon is available from any Predefined Report.
Highlights of benefits:
Provide Guardium Analytic capability that supports full lifecycle of data analysis.
The analytic process starts from the Query Builder and Pivot Table Builder where the users define their data analysis needs and then â€œSet As Data Martâ€ .
The Data Mart extraction program runs in a batch according to the specified schedule. It summarizes the data to hours, days, weeks, or months according to the
granularity requested and then it saves the results in a new table in Guardium Analytic database.
The data is then accessible to the users via the standard Reports and Audit Process utilities, likewise any other traditional Domain/ Entity. The Data Mart extraction
data is available under the DM domain and the Entity name is set according to the new table name specified for the data mart data. Using the standard Query
Builder and Report Builder, users can clone the default query and edit the Query and report, generate Portlet and add to a Pane.
The summarization of data shrinks the data volume significantly. It eliminates joins of many tables by storing the data analysis in un-normalized and pre-calculated
table.
The corporate view is supported by using the standard Aggregation utility for the new Guardium Analytic tables. If there is a huge amount of detailed row data at the
higher levels of the Aggregation Hierarchy, the Selective Aggregation feature, that enables aggregation of specific module(s), can be configured to aggregate
analytic data only.
The Data Mart builder is accessible via Query builder, Report Results, and Pivot-Table view.
Select the Set As Data Mart icon. The button is available only after Saving.
Access to the screen is enabled for users with Data Mart Building permission (User Role Permission). Display the Set As Data Mart new button only for users with the
appropriate permission.
Data Mart persistency - changes to the original Query, Report, or Pivot Table do not affect the Data Mart; A snapshot of the originated analysis definition is saved together
with the Data Mart upon creation.
If the Data Mart is based on Pivot Table, then the extraction process does not calculate the Total line (sum of columns) and Percent Of Column is not supported.
In addition to the Data Mart definition, the following are created by the Data Mart Definition process:
New Domain and Entity
Default Query
Default Report and portlet
New Data Mart table in the â€œDATAMARTâ€ new database to store the extracted data
Data Mart â€“ Query and Report Builder
The Data Mart definition process creates new Domain, Entity, default Query and Report. The default Query and Report is accessible via the Report Building menu.
Clicking Data Mart opens the Query Finder GUI; The Query, Report, and Entity fields filter only Data Mart domains (domain name starts with -
DatamartDefinition.DOMAIN_PREFIX).
Report Builder GUI: The default Data Marts' reports and all other reports that are related to Data Marts domains are available in the Report Builder GUI.
Follow these steps:
1. As an Admin user, select Data Mart icon .
2. Select New to create a new Data Mart or select from the list of previously created Data Marts.
3. Complete the fields asking for Data Mart name and Table name (Default is DM). Specify a time granularity and select an initial start time from the calendar
icon. Description is optional.
4. Use the Scheduler to schedule when to run this feature (Run Once Now).
5. Use the Roles section to restrict Data Mart only to users with the appropriate permission.
6. Save the configuration.
Note: Changes to the originated query/report do not affect the existing Data Mart.
Note: When a data mart extraction runs (Scheduled or Run once now) for the first time, it extracts data from Initial start date to the current time based on the
Time granularity. It saves the next period from in the DM_EXTRACTION_STATE table. On the next run, it extracts data starting from the next period from. If a
data mart extraction is sought earlier than next period from, then the data mart extraction will show as empty, because the extraction has already processed
that time period. In order to extract data earlier than next period from, restore the old data and then run data mart again.
Central Management and Data Mart

In a Central Management environment, the configuration is distributed automatically to the managed units.
The extraction schedule can be over-ridden on a Managed Unit.
In case of multiple Central Managers, the Data Mart definition can be cloned by using the Export/Import capability.
Add Data Mart Extraction schedule to the Central Manager Distribution screen.
Datamart extraction
Data extracted:
1. Export of: Exception Log - details the Exceptions / Errors captured by Guardium. The log will includes exception/error description, user name, source address, DB
protocol and more.
2. Export of: Session Log - Includes details about datasourcesâ€™ sessions (login to logout). The log includes session start and end timestamps, OS and DB user of the
session, source program and more.
3. Export of: Session Log Ended - Session may extend for long period. The extraction works hourly. This log sends the sessions that ended later than the hour started.
4. Export of: Access Log - Includes details of the connection information and the activity summary per hour. The log includes the OS and DB user, successful and failed
SQLs, client and server IP and more.
5. Export of: Full SQL - this log includes the executed SQL details. The log includes full SQL, records affected, session ID and more.
6. Export of: Outliers List - this log includes the outliers. The log includes server IP, DB user, Outlier type, DB and more.
7. Export of: Outliers Summary - this log includes an hour summary of outliers. The log includes server IP, DB user, DB and more.
8. Export of: Group Members - Includes a log of all groups members. The log includes Group type, Group description, Group member and Tuple Flag.
9. Export of: Export Extraction Log â€“ Includes log of data relevant to all export or copy files having a name starting with â€œExport:â€ .
10. Export of: Policy Violations â€“ A policy violation is logged each time that a policy rule is triggered. This log includes the details about the logged violations, such as
DB User, Source Program, Access Rule Description, Full SQL String and more.
11. Export of: Buff Usage Monitor - Provides an extensive set of sniffer buffer usage statistics
12. Export of: VA Results - Provides VA Results
13. Export of: Policy Violations - Detailed â€“ the same as Export Extraction Log, but has Object/Verb tuples. It is recommended that only one of them has to be used.
14. Export of: Access Log - Detailed â€“ the same as Access Log, but also has the following fields from Application Event entity: Event User Name, Event Type, Event
Value Str, Event Value Num, Event Date. It is recommended that Access Log or Access Log â€“ Detailed should be used and not the both of them.
15. Export of: Discovered Instances - Provides the result of S-TAP Discovery application, which discovers database instances
16. Export of: Databases Discovered â€“
17. Export of: Classifier Results
18. Export of: Datasources
19. Export of: S-TAP status
20. Export of: Installed Patches
21. Export of: System Info
22. Export of: User â€“ Role
23. Export:Classification Process Log
24. Export:Outliers List - enhanced
25. Export:Outliers Summary by hour - enhanced
Datamart Name Report Title Unit Type Datamart ID
Export:Access Log Export: Access Log Collector 22
Export:Session Log Export: Session Log Collector 23
Export:Session Log Ended Export: Session Log Collector 24
Export:Exception Log Export: Exception Log Any 25
Export:Full SQL Export: Full SQL Collector 26
Export:Outliers List Analytic Outliers List Any 27
Export:Outliers Summary by hour Analytic Outliers Summary
By Date Any 28
Export:Export Extraction Log User Defined Extraction Log Any 31
Export:Group Members Export:Group Members Any 29
Export:Policy Violations Export:Policy Violations Collector 32
Export:Buff Usage Monitor Buff Usage Monitor Any 33
Export:VA Results Security Assessment Export Any 34
Export:Policy Violations - Detailed Export:Policy Violations Collector 38
Export:Access Log - Detailed Export: Access Log Collector 39
Export:Discovered Instances Discovered Instances Any 40
Export:Databases Discovered Databases Discovered Any 41
Export:Classifier Results Classifier Results Any 42
Export:Datasources Data-Sources Central Manager,
Standalone 43
Export:STAP Status S-TAP Status Monitor Collector 44
Export:Installed Patches Installed Patches Any 45
Export:System Info Installed Patches Any 46
Export:User - Role User - Role Central Manager,

Datamart Name Report Title Unit Type Datamart ID
Standalone 47
Export:Classification Process Log Classification Process Log Any 48
Export:Outliers List - enhanced Analytic Outliers List - enhanced Any 49
Export:Outliers Summary by hour - enhanced Analytic Outliers Summary by Date - enhanced Any 50
Issue Summary
The DataMart mechanism exports Guardium sniff data periodically based on the Query defined.
Output files may be written into external machine on demand (configurable).
Extracted Files are compressed.
Extraction may be scheduled (default is hourly).
Extracted Files prefix is Global_ID and short host name of source Machine.
Extracted Files may include column headings (attributesâ€™ descriptions).
How to Use
All the examples shown below are for â€œExport:Exception Logâ€ DataMart, for other extraction, change to one of the following:
"Export:Access Log"
"Export:Session Log"
"Export:Session Log Ended"
"Export:Exception Log"
"Export:Full SQL"
"Export:Outliers List"
"Export:Outliers Summary by hour"
"Export:Group Members"
"Export:Export Extraction Log"
"Export:PolicyViolations"
"Export:Buff Usage Monitor"
"Export:VA Results"
"Export:Classifier Results"
"Export:Databases Discovered"
"Export:Access Log - Detailed"
"Export:Discovered Instances"
"Export:Datasources"
"Export:STAP Status"
"Export:Installed Patches"
"Export:System Info"
"Export:User â€“ Roleâ€
"Export:Classification Process Log"
"Export:Outliers List - enhanced"
"Export:Outliers Summary by hour - enhanced"
The export extractions are pre-defined in the system (via the Datamarts mechanism) and disabled by default. In order to enable the export extractions (all or specific) you
need to schedule the DataMarts via the grdapi as shown below. You can also use GUI for that.
Schedule Job for DataMart extraction:
grdapi schedule_job jobType=dataMartExtraction cronString=â€ 0 1 0/1 ? * 1,2,3,4,5,6,7â€ objectName=â€ Export:Exception Logâ€ startTime=â€ YYYY-MM-DD
HH:MM:SSâ€
Note that startTime is used to set future start if needed and can be removed if you want to start the DataMart immediately.
In order to delete specific export extractions you can run the following
Delete scheduled Job:
grdapi delete_schedule deleteJob="true" jobGroup="DataMartExtractionJobGroupâ€ obname="DataMartExtractionJob_25â€

jobname job description/ objectName
DataMartExtractionJob_22 Export:Access Log
DataMartExtractionJob_23 Export:Session Log
DataMartExtractionJob_24 Export:Session Log Ended
DataMartExtractionJob_25 Export:Exception Log
DataMartExtractionJob_26 Export:Full SQL
DataMartExtractionJob_27 Export:Outliers List
DataMartExtractionJob_28 Export:Outliers Summary by hour
DataMartExtractionJob_29 Export:Group Members
DataMartExtractionJob_31 Export:Export Extraction Log
DataMartExtractionJob_32 Export:Policy Violations
DataMartExtractionJob_33 Export:Buff Usage Monitor
DataMartExtractionJob_34 Export:VA Results
DataMartExtractionJob_38 Export:Policy Violations â€“ Detailed
DataMartExtractionJob_39 Export:Access Log â€“ Detailed
DataMartExtractionJob_40 Export:Discovered Instances
DataMartExtractionJob_41 Export:Databases Discovered
DataMartExtractionJob_42 Export:Classifier Results
DataMartExtractionJob_43 Export:Datasources
DataMartExtractionJob_44 Export:STAP Status
DataMartExtractionJob_45 Export:Installed Patches
DataMartExtractionJob_46 Export:System Info
DataMartExtractionJob_47 Export:User - Role
DataMartExtractionJob_48 Export:Classification Process Log
DataMartExtractionJob_49 Export:Outliers List - enhanced
DataMartExtractionJob_50 Export:Outliers Summary by hour - enhanced
You may enable or disable the extraction by using the following command:
Set DataMart active:
grdapi datamart_set_active Name=â€ Export:Exception Logâ€
Set DataMart inactive:
grdapi datamart_set_inactive Name=â€ Export:Exception Logâ€
Include header in DataMart extraction:
You can determine whether to include the header line (column names) in the output CSV file via the following grdapi:
grdapi datamart_include_file_header Name=â€ Export:Exception Logâ€ includeFileHeader=â€ Yesâ€
Set target host details:
In order to set target host for the export extraction you need to set the machine host, path and the credential via the following grdapi:
grdapi datamart_update_copy_file_info destinationHost=â€ Machine_Hostâ€ destinationPassword=â€ ********â€ destinationPath=â€ /where/to/store/â€

destinationUser=â€ userâ€ Name=â€ Export:Exception Logâ€ transferMethod=â€ SCPâ€ withCOMPLETEfile=false
withCOMPLETEfile parameter is optional. The default value is true. If set to true then COMPLETE file is sent after a data file is successfully transferred. See â€œCOMPLETE
fileâ€ section for details.
During the execution of this command, a dummy file is sent to a target machine to validate the connection details. You can also use datamart_validate_copy_file_info
grdapi for that.
Validate a connection to a target host:
In order to validate a connection to a target host please following grdapi:
grdapi datamart_validate_copy_file_info destinationHost=â€ Machine_Hostâ€ destinationPassword=â€ ********â€ destinationPath=â€ /where/to/store/â€

destinationUser=â€ userâ€ transferMethod=â€ SCPâ€
You can track the extraction log via the pre-defined â€œDatamart Extraction Logâ€ report. The report is available via the Report Builder screen; you can add it to a pane.
Enter the customize option in â€œDatamart Extraction Logâ€ report and Define the following:
Enter Value for Name LIKE : %

Enter Period From >= : YYYY-MM-DD HH:MM:SS (input a date in the past)
Enter Value for Status Like : %
Click update and DataMart Extraction Log report will be active â€“ shows you latest extractions.

Scheduler recommended start time
Outliers DataMarts should be scheduled around 10 minutes past an hour, because before that time data is not ready yet â€“ outliers processing starts on the top of an
hour.
It makes sense to schedule Access Log, Exception Log, Full Sql and Session Log/Ended with some time gaps. To get the consistent data by each run Session Log/ Ended
must be scheduled as the last ones.
Our recommendation
Job description Recommended cronString Every hour on:
Export:Access Log 0 40 0/1 ? * 1,2,3,4,5,6,7 00:40
Export:Session Log 0 45 0/1 ? * 1,2,3,4,5,6,7 00:45
Export:Session Log Ended 0 46 0/1 ? * 1,2,3,4,5,6,7 00:46
Export:Exception Log 0 25 0/1 ? * 1,2,3,4,5,6,7 00:25
Export:Full SQL 0 30 0/1 ? * 1,2,3,4,5,6,7 00:30
Export:Outliers List 0 10 0/1 ? * 1,2,3,4,5,6,7 00:10
Export:Outliers Summary by hour 0 10 0/1 ? * 1,2,3,4,5,6,7 00:10
Export:Export Extraction Log 0 50 0/1 ? * 1,2,3,4,5,6,7 00:50
Export:Group Members 0 15 0/1 ? * 1,2,3,4,5,6,7 00:15
Export:Policy Violations 0 5 0/1 ? * 1,2,3,4,5,6,7 00:05
Export:Buff Usage Monitor 0 12 0/1 ? * 1,2,3,4,5,6,7 00:12
Export:VA Results 0 0 2 ? * 1,2,3,4,5,6,7 Daily at 2 AM
Export:Policy Violations - Detailed 0 5 0/1 ? * 1,2,3,4,5,6,7 00:05
Export:Access Log - Detailed 0 40 0/1 ? * 1,2,3,4,5,6,7 00:40
Export:Discovered Instances 0 20 0/1? * 1,2,3,4,5,6,7 00:20
Export:Databases Discovered 0 20 0/1? * 1,2,3,4,5,6,7 00:20
Export:Classifier Results 0 20 0/1? * 1,2,3,4,5,6,7 00:20
Export:Datasources 0 0 7 ? * 1,2,3,4,5,6,7 Daily at 7 AM
Export:STAP Status 0 0/5 0/1 ? * 1,2,3,4,5,6,7 Every 5 minutes
Export:Installed Patches 0 0 5 ? * 1,2,3,4,5,6,7 Daily at 5 AM
Export:System Info 0 0 5 ? * 1,2,3,4,5,6,7 Daily at 5 AM
Export:User - Role 0 5 0/1 ? * 1,2,3,4,5,6,7 00:05
Export:Classification Process Log 0 25 0/1 ? * 1,2,3,4,5,6,7 00:25
Export:Outliers List - enhanced 0 10 0/1 ? * 1,2,3,4,5,6,7 00:10
Export:Outliers Summary by hour - enhanced 0 10 0/1 ? * 1,2,3,4,5,6,7 00:10
Purge /var/exportdir
If a file transfer is failed for any reason, for example, target machine is down, then it retries a transfer on the next run. The backlog is kept in /var/exportdir directory. Purge
Process cleans up the backlog older than 1 day.
COMPLETE file
The empty COMPLETE file is sent to notify an external system that a file is ready.
- For each file, in addition to the file a COMPLETE file is also sent. The COMPLETE file name is [file name]_COMPLETE.gz
1762144738_gibm32_EXP_SESSION_LOG_20151028230000_COMPLETE.gz
- The process is synchronous - for example, first, the file (the SESSION LOG file) is generated, then it is copied and only when it has finished copying then the COMPLETE
file is generated and copied.
- COMPLETE file is send even if there is no data to send.
Change datamart initial start:
In order to change datamart initial start time, please use update_datamart grdapi.
grdapi update_datamart Name="Export:Session Log" initial_start=[initial start value]
For example,
Set initial start to current time
grdapi update_datamart Name="Export:Session Log" initial_start=< >
Set initial start to Oct 1, 2016
grdapi update_datamart Name="Export:Session Log" initial_start="2016-10-01 00:00:00"
Copy file bundle

It is possible to bundle a number of CSV export datamarts together. The bundle has main datamart. Each datamart included in a bundle pull out data based on their own
scheduling. After the main datamart extracted data, it puts data files from all datamarts included in the bundle in the same tar file and sends it to a destination server. The
main datamart has to have the latest scheduling.
For example, the bundle included â€œExport:Full SQLâ€ , â€œExport:Exception Logâ€ , â€œExport:Session Logâ€ and â€œExport:Session Log Endedâ€ as main
datamart.
The recommended scheduling for this bundle:
Job description Recommended cronString Every hour on:
Export:Session Log 0 45 0/1 ? * 1,2,3,4,5,6,7 00:45
Export:Session Log Ended 0 46 0/1 ? * 1,2,3,4,5,6,7 00:46
Export:Exception Log 0 25 0/1 ? * 1,2,3,4,5,6,7 00:25
Export:Full SQL 0 30 0/1 ? * 1,2,3,4,5,6,7 00:30
Create a bundle:
grdapi datamart_copy_file_bundle action="create" bundle_name=[bundle name] main_datamart_name=[bundle main datamart name]
Include a datamart in a bundle:
grdapi datamart_copy_file_bundle action="include" bundle_name=[bundle name] datamart_name=[datamart name]
Exclude a datamart from a bundle:
grdapi datamart_copy_file_bundle action="exclude" bundle_name=[bundle name] datamart_name=[datamart name]
Delete a bundle:
grdapi datamart_copy_file_bundle action="delete" bundle_name=[bundle name]
Get a bundle information:
grdapi datamart_copy_file_bundle action="info" bundle_name=[bundle name]
Example:
grdapi datamart_copy_file_bundle action="create" bundle_name="SFE_BUNDLE" main_datamart_name="Export:Session Log Ended"
grdapi datamart_copy_file_bundle action="include" bundle_name="SFE_BUNDLE" datamart_name="Export:Exception Log"
grdapi datamart_copy_file_bundle action="include" bundle_name="SFE_BUNDLE" datamart_name="Export:Full SQL"
grdapi datamart_copy_file_bundle action="include" bundle_name="SFE_BUNDLE" datamart_name="Export:Session Log"
> grdapi datamart_copy_file_bundle action="info" bundle_name="SFE_BUNDLE" main_datamart_name="Export:Session Log" datamart_name=""
ID=0
=========================================
Bundle Name: SFE_BUNDLE
=========================================
Main Datamart: Export:Session Log Ended
Datamarts:
Export:Full SQL
Export:Exception Log
Export:Session Log
Get_Datamart Info grdapi
get_datamart_info grdapi gets detail datamart information.
get_datamart_info datamart_name=[Datamart Name]
Example,
grdapi get_datamart_info datamart_name="Export:Export Extraction Log"
=========================================
Data Mart Name: Export:Export Extraction Log
=========================================
Description:
Based on Report: User Defined Extraction Log
Based on Query: User Defined Extraction Log

Extract result to: File
Initial Start: 2016-04-18 09:00:00
Creation Date: 2016-12-28 18:01:24
Time Granularity: 1 HOUR
Active: true
---------------------
File Name: EXP_DM_EXTRACTION_LOG
Lines per File: 500000
File Header: "UTC Offset","Name","Period Start","Period End","Run Id","Start Time","End Time","Status","File Status","Records Extracted","Details","Timestamp"
Include File Header: true
-----------------------------------------
Copy File Info
-----------------------------------------
Host Name: host.com
User Name: admin
Directory: /local/incoming/
Transfer Method: SCP
Bundle Name:
Bundle Main Datamart: false
Send COMPLETE File: false
-----------------------------------------
Last Extraction Info
-----------------------------------------
State:1
---------------------
Timestamp: 2017-01-18 14:50:00
Next Period: 2017-01-18 14:00:00
Last Extracted ID: 0
---------------------
Extraction Log
---------------------
Timestamp: 2017-01-18 14:50:02
Extract Status: OK
Start Time: 2017-01-18 14:50:00
End Time: 2017-01-18 14:50:00
Period Start: 2017-01-18 13:00:00
Period End: 2017-01-18 14:00:00
Records Extracted: 26
Details: SCP to: host.com, User: admin, Path: /local/incoming/, File: DMv2_gibm32_EXP_DM_EXTRACTION_LOG_20170118180000.gz
Last for Period: true
File Name: /var/dump/DATAMART/EXP_DM_EXTRACTION_LOG_20170118180000.csv
Bundle Name:
File Transfer Status: Done
Comments
================
Full_SQL DataMart will work only if log full details or log masked details is defined and installed.

Outlier DataMarts will work only if outlier detection is enabled.
If DataMart/s scheduler had been stop for some time and you donâ€™t want the data to be extracted retroactively, then before you reschedule extractions to run again,
please set the correct â€œInitial Startâ€ in the Data Mart Configuration screen.
User Defined DataMarts
User Defined DataMart/s can also be used to transfer data to a destination host. DataMart has to be of type File, the Data Mart Name should starts with â€œExport:â€
and File Patch starts with â€œEXP_â€ .
Dependencies
================
How to apply Patch:
================
http://www-01.ibm.com/support/knowledgecenter/SSMPHH_8.2.0/com.ibm.guardium.using.doc/topics/how_to_install_patches.html?lang=en
GuardAPI commands for Data mart
grdapi datamart_copy_file_bundle
action - String - required - Constant values list
bundle_name - String - required
datamart_name - String
main_datamart_name - String
grdapi datamart_include_file_header
includeFileHeader - String - required - Constant values list
Name - String - required
grdapi datamart_set_active
grdapi datamart_set_inactive
grdapi datamart_update_copy_file_info
destinationHost - String
destinationPassword - String
destinationPath - String
destinationUser - String
transferMethod - String - Constant values list
withCOMPLETEfile - Boolean
grdapi datamart_validate_copy_file_info
destinationHost - String - required
destinationPassword - String - required
destinationPath - String - required
destinationUser - String - required
transferMethod - String - Constant values list
grdapi update_datamart
Comment - String

initial_start - Date
grdapi get_datamart_info
datamart_name - String - required
isExtended - Boolean
grdapi add_dm_to_profile
function parameters:
category - String
cron_string - String
datamart_name - String - required - Constant values list
profile_name - String - required - Constant values list
unit_type - String - Constant values list
grdapi remove_dm_from_profile
datamart_name - String - required
profile_name - String - required - Constant values list
Audit and Report

GuardiumÂ® organizes the data it collects into a set of domains. Each domain contains a different type of information relating to a specific area of concern: data access,
exceptions, policy violations, and so forth.
All domains and their contents are described in the Domains, Entities, and Attributes appendix.
There is a separate query builder for each domain, and access to each query builder is controlled by security roles. Regardless of the domain, the same general-purpose
query-builder tool is used to create all queries. For detailed instructions on how to build queries, see Queries. Â Â
In addition to the standard set of domains, users can define custom domains to contain information that can be uploaded to the Guardium appliance. For example, your
company might have a table relating generic database user names (hr23455 or qa4872, for example) to real persons (Paula Smith, John Doe). Once that table has been
uploaded, the real names can be displayed on Guardium reports, from the custom domain. For more detailed information on how to define and use custom domains, see
External Data Correlation.
Queries
Use one of the many predefined queries that come with Guardium to get information about your data. Use the Query Builder to work with queries.
Use queries to ask questions of your data such as, what are all the clients updating a specific database during weekend hours?
Queries are different from reports. A query describes a set of data, whereas a report describes how the data returned by a query is presented.
Once a query is completed, present the results of the query using reports. Reports usually are presented in tabular form, but you can customize the layout of a report as
you like.
To use queries, open the Query Builder by clicking Comply > Custom Reporting > Custom Query Builder. Choose a domain to query, select a main entity, and then use the
query as needed.
You cannot modify the predefined queries, but you can create a clone of a query and modify the clone.
The Main Entity

The main entity that you select for a query determines the following:
The level of detail for the report. There is one row of data for each occurrence of the main entity included in the report. The location of the main entity within the
hierarchy of entities is important in terms of what values can be displayed. The attributes for any entities under the main entity can be counted, but not displayed
(since there might be many occurrences for each row). To choose this level of detail, check the Sort by Count check box.
The total count is a count of instances of the main entity included on that row of the report, added as the last column of the report. To add or drop the count column
of the report, click the Add Count check box. This can result in the query/report performance boost in some cases.
To add or drop the ability to display one-row-per-value in the report, (which can result in the query/report performance boost in some cases), click the Add Distinct
check box. This selection yields condensed reports.

Partition optimization is enabled by default and improves query performance with partitioned database tables. On Guardium V10.1.2 and later, this feature can be
disabled by deselecting the Partition optimization check box. Partition optimization should not be disabled without the direction of IBM support.
The time fields against which the Period From and Period To runtime parameters are compared to select the rows of the report. The Query Builder uses the main
entity (among other parameters) to determine which time fields are used when defining the Period From and Period To values. This can be important for long-
running sessions, such as when pooled sessions are kept open by an application server. When applicable, the Period Start/Period End from the Access Period entity
is used, in other cases it will choose period values according to the main entity:
Session - the time stamp used is for the last update that is made to the session entity
Session Start - the starting time of the session entity is used
Session End - the ending time of the session entity is used
Full SQL - time stamp from Full SQL domain; query includes rows from the Full SQL domain even if not linked to values (for example - when Log Full Details is
set, there are no values)
Full SQL Values - time stamp from the Full SQL Â domain; query includes rows only if they have values from the Full SQL domain even if not linked to the Field
domain
Field SQL Values - time stamp from the Full SQL Â domain; query includes rows only if they have values from the Full SQL domain and they are linked to the
Field domain
In the Main Entity screen is the selection Run in Two Stages.
Use this selection for two-stage execution for Audit tasks of type report.
This applies to reports on queries on specific tables only. This two-stage mechanism applies to running queries as audit processes with columns and conditions
only on the following entities: Access (client/server), Session, Access Period, Construct (SQL), Object, and Sentence (Command).
This two-stage mechanism is not used if the query contains a condition with the Like Group operator or any alias-related operator (such as In Aliases Group)
or the condition uses Having.
In addition to using the query builder, each query can be set to run in two stages. By default queries run using the old method. In order for a query to run in two
stages, a flag must be set in the query builder. In addition, this method of running queries can be disabled (system-wide) to make all audit tasks use the old method
by creating the file: /var/log/guard/DontRunInTwoStages. Existence of this file indicates that the new two stages method should NOT be used.
Note: Fields containing tuples (combined fields) in the Two Stages execution is not supported in this release.
Note: Note: The Main Entity drop-down list includes only primary entities. However, access to secondary entities (for example Session Start and Session End) can be done
through its corresponding primary entity (for example, Session for Session Start and Session End).
Sorting
By default, query data is sorted in ascending order by attribute value, with the sort keys ordered as the attributes appear in the query. Aliases are ignored for sorting
purposes. The actual data values are always used for sorting. Attributes for which values are computed by the query (Count, Min, Max, or Avg) cannot be sorted.
To change the default sort order:
1. Check the Order-by check box.

2. Enter a number for Sort Rank (1 is the most major sort key).
3. Optionally, check the Descend check box to sort the values of that attribute in descending sequence.
The last column of a tabular report is a count of main entity occurrences. To sort on this count in descending sequence (in other words, listing the greatest number
occurrences first), mark the Sorted by occurrences check box.
Timestamps
A timestamp (lowercase t) is a data type containing a combined date-and-time value, which when printed displays in the format yyyy-mm-dd hh:mm:ss (for example,
2012-07-17 15:40:25). When creating or editing a query, most attributes with a timestamp data type display with a clock icon in the Entity List panel.
A Timestamp (uppercase T) is an attribute defined in many entity types, containing the time that the entity was last updated. For many timestamp attributes, you can print
the date, time, weekday or year components separately, by referencing additional Timestamp attributes (Date, Time Weekday, or Year).

Use the Query Builder to create or modify queries. Specify the domain you want to query, choose a main entity, then use the Query Builder to define or modify a
query.
Query Conditions
Use the AND, OR and HAVING operators with parentheses to create query conditions.

Use the Query Builder to create or modify queries. Specify the domain you want to query, choose a main entity, then use the Query Builder to define or modify a query.
1. Open the Query Builder by clicking Comply > Custom Reporting > Custom Query Builder.
2. Determine the domain you want to query. Select an item from the Domain Finder menu and click Search, or click New to create a custom domain.
3. Choose an existing query using the filter menus in the Query Finder, or click New to create a new query.
4. There are three main components to the Query Builder screen:
The Entity List pane identifies all entities and attributes contained in the domain. Entities are represented as folders, and attributes are the items within the
folders. Click on an entity folder to display its attributes, or click again to hide them. For a description of all entities and attributes, see Entities and Attributes
in the Domains, Entities, and Attributes information.
The Query Fields pane lists all fields to be accessed, what is to be displayed for that field (its value, a count, minimum, maximum, or average), and the sort
order. For more information about using this pane, see Query Fields Overview.
The Query Conditions pane specifies any conditions for selecting these fields (for example, where VERB = UPDATE). For more information about using this
pane, see Query Conditions Overview.
Creating a Query

1. Open the Query Builder for the appropriate domain.
2. Click New to open the New Query â€“ Overall Details panel.
3. Type a unique query name in the Query Name box. Do not include apostrophe characters in the query name.
4. Select the main entity for the query from the Main Entity list. Remember that the main entity controls the level of detail that is available for the query, and that it
cannot be changed. Basically, each row of data returned by the query will represent a unique instance of the main entity, and a count of occurrences for that
instance.
5. Click Next. The new query opens in the Query Builder panel. To complete the definition, see one of the following topics:
Query Builder Overview
Modify a Query
Modifying a Query
You cannot modify the Guardium predefined queries, but you can clone a query and modify the clone as needed.
1. Choose a domain and main entity to open the Query Builder for the query you want to modify.
2. Click Clone, enter a new name for the query (apostrophes are not allowed), and click Save.
3. Refer to the Query Builder Overview topic to modify any component of the query definition.
Removing a Query
You cannot remove a query that is being used by some other component. To delete such a query, you must first delete all components that use it (reports or correlation
alerts, for example). When attempting to delete a query, the reports and correlation alerts dependent on the query will be listed.
1. Choose a domain and query to open the Query Builder for the query you want to delete.
2. Click Delete.
Query Fields Overview

The Query Fields pane lists the columns of data to be returned by the query.
The Field Mode menus indicate what to print for the field: its Value, Count (number of distinct values), Min, Max, Average (AVG) or Sum for the row. The Value selection is
not available for attributes from entities greater than the main entity in the entity hierarchy for the domain.
There are two ways to add a field to the Query Fields pane:
Pop-Up Menu Method:

1. From the Entity List, click on the field to be added.
2. Select Add Field from the pop-up menu.
Drag-and-Drop Method:
1. From the Entity List, click on the icon of the field name (not on the field name itself), drag the icon to the Query Fields pane and release it.
When a field is added, it will be added to the end of the list.
To move a field up or down in the Query Fields pane, check the field's check box and click the Up or Down icons to move the field up or down one row.
A Caution about Full SQL Attributes in Queries

Beware of using the Full SQL attribute in a query. It may produce excessively large reports, because each distinct value of the attribute (the complete SQL query string in
this case) will be returned in a separate row.
On the other hand, the report may contain no information at all, or many blank columns where you are expecting Full SQL strings. Guardium captures Full SQL only when
directed to do so by policy rules - and the rules may not have been triggered during the reporting period.
Do not confuse the Full SQL attribute with the ability to drill down to the SQL for most queries in the Data Access domain having anything to do with SQL requests.
Groups of Types other than Types defined in Attribute

Validation on group type is often restrictive. See Groups Overview for examples of Group Types. Using Query Conditions, Query Builder, a group of types other than the
type defined for the attribute in the group condition is permitted. These additional choices are only for the operators IN GROUP and IN DYNAMIC GROUP. The selection of
types other than the type defined for the condition is performed in the Run-time parameter of the tabular report.
1. Create a group in the Group Builder by clicking Setup > Tools & Views > Group Builder. Specify a Group Name and choose OBJECTS for Group Type.
2. Create an Access report in the Report Builder by clicking Setup > Reports > Report Builder.
3. Specify a query name and click on the OBJECT folder from the Entity List in order to see more choices.
4. Highlight Object Name and click once in order to get the ADD CONDITION choice. Click Add Condition so that a line is added to the Query conditions section in the
main body of the menu screen. Â
5. Go to the drop-down selection next to the attribute Object name and choose, in the Operator column, IN GROUP or IN DYNAMIC GROUP. In the second drop-down
selection (Run-time Parameter column), choose the group that you created in step 1.
6. Save your work. Click Generate Tabular and then click Add to My New Reports.
7. Go to the My New Reports tab and highlight the report you created.
8. Click Customize next to the report name. This opens a tab called Customize Portlet (Run-time Parameters).
9. Open up the drop-down selection and the groups of the type corresponding to the entity being tested will appear at the beginning of the list, then a double dash
line, and then the rest of the groups. This is where different groups can be selected.
10. Save your work by clicking Update.
Table 1. Buttons
Buttons Steps
Delete 1. Select the query to be deleted.

2. Click Delete.

Buttons Steps
Clone 1. Select the query to be cloned.

2. Click the Clone.
3. Enter a new name for the cloned query.
Roles Assigning roles to reports while in the Query Builder only assigns the role to the Query, not the report. Assign roles to reports in Report Builder.
See Reports.
Save Click Save when you have finished all the tasks required on the menu screen.
Back Move back between menu screens of a multi-screen Guardium task or function using the Back button. The back arrow in the web browser does
not work for navigation between menu screens.
Set as Data Mart A Data Mart is a subset of a Data Warehouse. A Data Warehouse aggregates and organizes the data in a generic fashion that can be used later for
analysis and reports.
Parent topic: Queries
Related concepts:
Query Conditions
Use the AND, OR and HAVING operators with parentheses to create query conditions.
The AND, OR and HAVING operators are located in the Query Conditions title bar in the Query Builder.
Select from the Entity List and use the operators to build query conditions as part of your query.
Using AND and OR operators:
AND operators have precedence over OR operators.
Add an AND operator or an OR operator to the end or middle of the condition list using the add-condition menu or drag-drop the attribute's icon. Select and remove
conditions by clicking Delete. Save the query. If the generated SQL query is invalid, the query will not save, and an error message results.
Using parentheses:
All conditions are independent. Group conditions together by adding left and right parentheses around the conditions. Use brackets in complicated query
conditions.
When a condition is selected, pressing the left parenthesis button adds one left parenthesis condition before the first selected condition. Pressing the right
parenthesis button will add one right parenthesis condition after the first selected condition. If there is no condition that is selected, pressing the parentheses
buttons has no effect.
When creating a query condition that uses parentheses, the parentheses appear in the UI BEFORE the operator, but are applied AFTER the operator. For example, a
query condition is displayed as, this (AND that OR another). However, the actual logic is, this AND (that OR another).
Escaping backslash (\) characters: To correctly escape a backslash character for use in a query condition, use four backslash characters. For example, to specify
domain\user you would enter domain\\\\user.
There are two parts in the condition display panel: one starts with a WHERE condition and another one starts with a HAVING condition.
In the HAVING part, the aggregate field has options: Count, Min, Max, and AVG. The option SUM also applies to certain entities with ID in name (Session ID, Global ID, Full
SQL ID, Instance ID). IfÂ the HAVING button is not checked, the condition is inserted into the WHERE part with the aggregate field as empty string. If the HAVING button
is checked, the condition is inserted into the HAVING part and the aggregate field has options. After adding or removing a condition, the condition option will be updated.
Pressing SAVE generates a SQL. The SQL is validated before saving it. If validation failed (for example, syntax error), it generates an alert error message and puts a more
detailed error description in the log. If adding a condition at the wrong part, (for example, HAVING button is set, and the attribute icon is dropped on the WHERE part, or
vice versa) it generates a not-matched alert message. If the selected condition is in WHERE part, but the HAVING button is set, the adding condition fails because the
setting is not matched.
The attributes Total Access, Failed SQLs, and Successful SQLs can be added only under a HAVING clause (not the WHERE clause).
Allowed queries must have one time stamp column and either at least one column with Mode=Count OR the count flag set (or both). The query column to be evaluated by
the query must be one of the columns with Mode=Count OR the total access column (if the count flag is set).
Add or Remove a Query Condition

1. To remove a query condition, mark the check box in the row for that condition, and click the X button (Delete marked item) in the Query Conditions title bar.
2. To add a condition, create a row in the Query Conditions list for the appropriate field from the Entity List pane.
To add an AND condition, select the AND radio button in the Query Conditions title bar and do one of the following:
Select an entity from the Entity List pane and select Add Condition from the pop-up menu.
Drag the field icon from the Entity List pane, and drop it in the Query Conditions pane.
To add an OR condition, select the OR radio button in the Query Conditions title bar and do one of the following:
Drag the field icon from the Entity List pane, and release it to the start of the condition for which it is an OR condition.
Mark the check box for the condition to which you want to add the OR condition, click the field in the Entity List pane, and then select Add Condition from the
pop-up menu.
3. Optional: Use the Aggregate drop-down to select an aggregate of the attribute to be used for the query condition: Count, Min (minimum value), Max (maximum
value), or AVG (average value). Restrictions apply, as follows:

You cannot use an aggregate in an OR condition.
You cannot add an OR condition to one that contains an aggregate.
4. Select the operator for the new condition from the list. Not every attribute type has the same set of operators available. For example, attributes that cannot be
associated with groups will not have any of the group options (IN GROUP, LIKE GROUP). However, when adding tuples (multiple attributes that are combined
together to form a single group) as a condition of a query, all operators for new condition are available for selection.
Table 1. Operator for New Condition
Operator Description
< Less than
<= Less than or equal to
<> Not equal to
= Equal to
> Greater than
>= Greater than or equal to
CATEGORIZED AS Member of a group belonging to the category selected from the drop-down list, which appears when a group
operator is selected.
CLASSIFIED AS Member of a group belonging to the classification selected from the drop-down list, which appears when a
group operator is selected.
IN DYNAMIC GROUP Member of a group that is selected from the drop-down list in the runtime parameter column, which appears
when a group operator is selected.
IN GROUP Member of the group that is selected from the drop-down list in the runtime parameter column, which appears
when a group operator is selected. IN GROUP or IN ALIASES GROUP cannot both be used at the same time.
IN DYNAMIC ALIASES GROUP The operator works on a group of the same type as IN DYNAMIC GROUP, however assumes the members of
that group are aliases.
IN ALIASES GROUP The operator works on a group of the same type as IN GROUP, however assumes the members of that group
are aliases. Note that the IN GROUP/IN ALIASES GROUP operators expect the group to contain actual values or
aliases respectively. An alias provides a synonym that substitutes for a stored value of a specific attribute type.
It is commonly used to display a meaningful or user-friendly name for a data value. For example, Financial
Server might be defined as an alias for IP address 192.168.2.18.
IS NOT NULL Attribute value exists, but might be blank or unprintable
IS NULL Empty attribute
IN PERIOD For a time stamp only, is within the selected time period
LIKE Â
LIKE GROUP Matches a like value that is specified in the boxes. A like value uses the percent sign as a wildcard character,
and matches all or part of the value. Alphabetic characters are not case-sensitive. For example, %tea% would
match tea, TeA, tEam, steam. If no percent signs are included, the comparison operation is an equality
operation (=).
NOT IN DYNAMIC GROUP Not equal to any member of a group, which is selected from the drop-down list in the runtime parameter
column, which appears when a group operator is selected.
NOT IN DYNAMIC ALIASES The operator works on a group of the same type as NOT IN DYNAMIC GROUP, however assumes the members
GROUP of that group are aliases.
NOT IN GROUP Not equal to any member of the specified group, which is selected from the drop-down list in the runtime
parameter column, which appears when a group operator is selected.
NOT IN ALIASES GROUP The operator works on a group of the same type as NOT IN GROUP, however assumes the members of that
group are aliases.
NOT IN PERIOD For a time stamp only, not within the selected time period
NOT LIKE Not like the specified value (see the description of LIKE)
NOT LIKE GROUP Not like the value that is specified in LIKE GROUP
NOT REGEXP Not matched by the specified regular expression
REGEXP Matched by the specified regular expression For detailed information about how to use regular expressions, see
Regular Expressions.
Note: There are four special words that are not allowed as the name of a parameter: user; group; role; page.
An error results if an attempt is made to save a query with any of these words in the parameter. There are two types of conditions where this applies:
When creating a query condition with an operator such as =, <, LIKE, etc, and then selecting Parameter. This field does not allow the special words.
When creating a query condition with a DYNAMIC GROUP type operator (IN, NOT IN, IN ALIAS, etc), this field does not allow the special words.
5. For a group operator, select a group from the list.
For most other operators, you must supply a value for the condition, or indicate that a runtime parameter value (not containing exclamation points) is supplied later
(when the query is run). In these cases, a drop-down with three options appears. Do one of the following:
Select Value and enter an exact value in the box.

Select Parameter and enter a name for the runtime parameter (the name must not contain spaces).
Select Attribute and select another attribute to match the selected one (for example, this can be used to test for local traffic by matching the client and
server IP addresses).

There is an Add Expression icon next to the Value, Parameter, Attribute selections. Use this icon to enter query conditions, including user-defined string and
mathematical expressions.
Use this feature where the user needs to add a condition that is based not on the entire content of the attribute as is, but on part of the attribute, a function of the
attribute, or a function that combines more than one attribute.
An example is: INSTR(:attribute, '150.1') = 5, which returns all instances of Client IP matching the 5 characters listed. Type the character 5 in the entry
box next to the Add Expression icon. Type the INSTR(:attribute, '150.1') expression in the separate Build Expression window. Test the validity of the
expression in the Build Expression window. Another example is: LENGTH(:attribute) >= 40, which returns the length of any SQL statement greater than 40
characters. The expression might or might not contain references to the actual attribute and can also contain references to other attributes.
6. When you are done adding all conditions, remember to save the definition.

There is an Add Expression icon next to the Value, Parameter, Attribute selections. Use this icon to enter query conditions, including user-defined string and mathematical
expressions.
Use this feature where the user needs to add a condition that is based not on the entire content of the attribute as is, but on part of the attribute, a function of the
attribute, or a function that combines more than one attribute.
An example:
Return the location of the string 150.1, from the value 192.150.1.x., where the string 150.1 is at the fifth character of the value. The string 150.1 represents all instances
of Client IP matching the 5 characters listed.
When the function is run in the Expression field, it returns a value, and that value should be in the entry box.
Use the function, INSTR(:attribute, '150.1') with a "5" value in the entry box next to the Add Expression icon to return the records with 150.1 in the fifth location.
If the function is INSTR(:attribute, '150.1') = 5,Â then it becomes a Boolean phrase, and the only values in the entry box are 0 or 1.
Type the INSTR(:attribute, '150.1') expression in the separate Build Expression window.
Test the validity of the expression in the Build Expression window.
Another example: LENGTH(:attribute) >= 40, which returns the length of any SQL statement greater than 40 characters. The expression might or might not contain
references to the actual attribute and can also contain references to other attributes.
Parent topic: Queries

A domain provides a view of the data that GuardiumÂ® stores.
Each domain contains a set of data related to a specific purpose or function (data access, exceptions, policy violations, and so forth). For a description of all domains, see
Domains.
Each domain contains one or more entities. An entity is a set of related attributes, and an attribute is basically a field value. For a description of all entities and attributes,
see Entities and Attributes.
A Guardium query returns data from one domain only. When the query is defined, one entity within that domain is designated as the main entity of the query. Each row of
data returned by a query will contain a count of occurrences of the main entity matching the values returned for the selected attributes, for the requested time period. This
allows for the creation of two-dimensional reports from entities that do not have a one-to-one relationship.
There is a separate query builder for each domain, and access to each query builder is controlled by security roles. Thus each Guardium role typically has access to a
subset of domains, depending on the function of that role within the company. Guardium admin role users typically have access to all reporting domains.
Some domains are available only when optional components (CAS, or Classification, for example) are installed. Other domains report information pertaining to the
Guardium appliance (archiving activity, for example), and are available by default to Guardium admin role users only.
Some of the attributes described in this appendix are available to users with the admin role only. These are labeled: Reserved for admin role use only.
For users who do not have the admin role, these attributes will not be available from the query builder.
Similarly, not all attributes are available for all database protocols. When using a query builder, if you notice that an entity or attribute described in the documentation is
not listed in the Entities pane, that entity or attribute is not available for the selected database type.
See the following topics:
Domains
Building queries
Domains
The following table describes the query builders and associated domains that are provided with your Guardium system. Your company may have defined additional
custom domains.
Custom Domains
Custom domains allow for user defined domains and can define any tables of data uploaded to the appliance.
This topic contains a description of the attributes contained in each entity.
You can use database entitlement reports to verify that users have access only to the appropriate data. Your Guardium system includes predefined database
entitlement reports for several database types.

Domains
The following table describes the query builders and associated domains that are provided with your Guardium system. Your company may have defined additional
custom domains.
Each domain contains a set of data related to a specific purpose or function (data access, exceptions, policy violations, and so forth). For a description of all domains, see
Domains.
Each domain contains one or more entities. An entity is a set of related attributes, and an attribute is basically a field value. For a description of all entities and attributes,
see Entities and Attributes.
A GuardiumÂ® query returns data from one domain only. When the query is defined, one entity within that domain is designated as the main entity of the query. Each row
of data returned by a query will contain a count of occurrences of the main entity matching the values returned for the selected attributes, for the requested time period.
This allows for the creation of two-dimensional reports from entities that do not have a one-to-one relationship.
There is a separate query builder for each domain, and access to each query builder is controlled by security roles. Thus each Guardium role typically has access to a
subset of domains, depending on the function of that role within the company. Guardium admin role users typically have access to all reporting domains.
Some domains are available only when optional components (CAS, or Classification, for example) are installed. Other domains report information pertaining to the
Guardium appliance (archiving activity, for example), and are available by default to Guardium admin role users only.
Some of the attributes described in this section are available to users with the admin role only. These are labeled: Reserved for admin role use only.
For users who do not have the admin role, these attributes will not be available from the query builder.
Similarly, not all attributes are available for all database protocols. When using a query builder, if you notice that an entity or attribute described in the documentation is
not listed in the Entities pane, that entity or attribute is not available for the selected database type.
See the following topics:
Domains
Building queries
Access to the query builder for each domain is controlled by security roles, so each user role typically has access to a separate set of domains. Some domains are
available only when optional components are installed (CAS, for example).
On the default admin portal, all query builders can be opened from the menu of the Tools > Report Building tab. On the default user portal, many query builders can be
opened from the Custom Reporting application: Monitor/Audit > Build Reports.
Following a short description of the domain, the Description column lists the default security role assigned for each domain, and indicates how to access the domain from
the default user portal (if available).
Table 1. Domains
Query Builder (Domain) Description
Access Policy Use this domain to track for all available policies on system. Similar to Installed Policies domain used to track all installed
policies on system.
(Access Policy)
Roles: all. User portal: Not available
Access All of the client/server, session, SQL, and access periods related data. This is the data collected by the inspection engines
every time a request is sent to a server being monitored.
(LOGGER INFO)
Roles: all User portal: Monitor/Audit > Build Reports > Track data access
Aggregation/Archive Aggregation and archiving activity, including the date, time, and status of each operation (archive, send, purge, etc.).
(AGGREGATION/EXPORT/IMPORT) Roles: admin User portal: Not available
Alert All alerts generated and sent by Guardium.
(ALERT) Roles: all User portal: Monitor/Audit > Build Reports > Track sent alerts
Application Connection, session, and application data recorded for special non-Guardium application (Siebel and SAP, for example).
(Application Data) Roles: admin User portal: Not available
Audit Process The execution of audit processes and the distribution of results.
(AUDIT TRAIL) Roles: all User portal: Monitor/Audit > Build Reports > Audit Process builder
Auto-discovery Database auto-discovery activity, including all processes that have been run, and the hosts and ports discovered.
(AUTODETECT DB DISCOVERY) Roles: all User portal: Discover > DB Discovery > Auto-discovery Query Builder
CAS Changes All changes detected by CAS, including any changed data recorded.
(CAS Changes) Roles: cas User portal: Not available
CAS Config CAS instance configurations, describing the use of templates on specific hosts.
(CAS Config) Roles: cas User portal: Not available
CAS Host History History of CAS changes applied to CAS agent hosts.
(CAS Host History) Roles: cas User portal: Not available

CAS Templates Reports on the contents of CAS templates (which define the items to monitor).
(CAS Templates) Roles: cas User portal: Not available
Classifier Results Reports on classifier process runs and results.
(Classification Process) Roles: admin User portal: Not available
Comments User defined comments for various Guardium components.
(COMMENT ) Roles: all User portal: Monitor/Audit > Build Reports > Comment builder
Custom Domain Builder Custom domains have been defined for uploading commonly used tables and products. See Custom Table as a custom
domain contains one or more custom tables. If it contains multiple tables, you define the relationships between tables when
Â defining the custom domain.
Custom Query Builder User defined domains can define any tables of data uploaded to the Guardium appliance.
Roles: all User portal: Monitor/Audit > Build Reports > Custom query builder
Custom Table Builder A custom table contains one or more attributes that you want to have available on the Guardium appliance. For example, you
may have an existing database table relating encoded user names to real names. In the network traffic, only the encoded
names will be seen. By defining a custom table on the Guardium appliance, and uploading data for that table from the existing
table, you will be able to relate the encoded and real names.
DB Default Users Enabled Non-credential Scan - A process to scan a list of databases and check whether default users are enabled. The default users
as well as the list of servers to scan are provided as parameters to the API. A default group is provided for each database type
with the default users and passwords created by the database on every installation, customers can add/remove from that list.
The groups are of type DB User/DB Password and the names of the default groups are:
ORACLE Default Users; DB2Â® Default Users; SYBASE Default Users; MS SQL SERVER Default Users; INFORMIX Default
Users; Â MYSQL Default Users; TERADATA Default Users; IBMÂ® ISERIES Default Users; POSTGRESQL Default Users;
NETEZZA Default Users
Discovered Instance Instances that have been discovered by GIM
(Discovered Instances) Roles: all
User portal: Monitor/Audit > Build Reports > Discovered Instance
Enterprise Buffer Usage Shows the aggregate of Sniffer Buffer Usage from all managed units.
Â Roles: none User portal: Not available
Exceptions (see note at the end of the All of the exceptions and exception-related data. These are SQL exceptions sent from a database server and collected by
table) inspection engines, as well as exceptions generated by Guardium itself.
(LOGGER EXCEPTIONS) Roles: all User portal: Monitor/Audit > Build Reports > Track exceptions
Â
Flat Log Flat log processing activity.
(Flat Log) Roles: none User portal: Monitor/Audit > Build Reports > Flat Log builder
GIM Events Guardium Installation Manager
(GIM Events) Roles: all
User portal: Monitor/Audit > Build Reports > GIM Events
Group Membership in Guardium groups.
(Group ) Roles: all User portal: Monitor/Audit > Build Reports > Group builder
Guardium Activity All modifications performed by Guardium users to any Guardium entity, such as a report or query definition or modification.
(USER ACTIVITY AUDIT) Roles: admin User portal: Not available
Guardium Login All Guardium user login and logout information.
(USER LOGIN ) Roles: admin User portal: Not available
Installed Policy Provides description of policy parameters and rules for the installed policy. The Installed Policy domain supports multiple
policies and multiple actions per rule.
(Installed Policy)
Roles: all User portal: Not available
Policy Violations All policy violation data, for all violations of the policy detected by the Guardium inspection engines or STAPs.
(ACCESS RULES VIOLATIONS) Roles: all User portal: Monitor/Audit > Build Reports > Policy violations builder
Policy Violations Summary All policy violation data, for a summary of all violations of the policy detected by the Guardium inspection engines or STAPs.
(Access Rules Violations) Roles: all User portal: Monitor/Audit > Build Reports > Policy violations summary builder
Replay Results Replays the data stream from one datasource by another different datasource.
Roles: none
User portal: Not available

Rogue Connections Local database server processes that have circumvented S-TAPÂ® to connect to the database via shared memory, named
pipes, or other non-standard means. Applies to Unix S-TAP only, when the TEE monitoring method used.
Roles: all User portal: Monitor/Audit > Build Reports > Rogue connections builder
(HUNTER )
Security Assessment Result Records the results of vulnerability assessment processes.
(Assessment Test Result Monitor) Roles: none User portal: Not available
Sniffer Buffer Usage Inspection engine statistics.
(Sniffer Buffer Usage Monitor) Roles: none User portal: Not available
User/Role/Application Relates Guardium users, roles and applications (to report on who has access to which Guardium applications).
(Role User App) Roles: admin User portal: Not available
VA Tests Reports on tests that are available for security assessments.
(Assessment Tests) Roles: admin
User portal: Not available
Value Change All changes tracked by the trigger-based value change application.
(Value Change) Roles: admin User portal: Not available

Parent topic: Domains, Entities, and Attributes
Custom Domains
Custom domains allow for user defined domains and can define any tables of data uploaded to the appliance.
The usage for these custom entitlement (privileges) domains are for entitlement reports which are found if logged in as a user. To see these reports, go to the user tab DB
Entitlements.
A number of custom domains have been predefined.
[Custom] Access
This domain contains all of the same entities as the standard Data Access domain. It is provided as a custom domain to allow additional user-defined domains to be built
including information from this domain and any custom tables that have been uploaded by the user. [Custom]Access domain is meant to be cloned. This domain is
updated on each version therefore is not advisable to create reports on this domain. For a description of the entities included in the Access domain, see the Access
domain description in the Domains topic.
S-TAP Info (Central Manager)

Report: See S-TAPÂ® Reports. On a Central Manager, an additional report, S-TAP Info, is available. This report monitors S-TAPs of the entire environment. Upload this data
using the Custom Table Builder.
S-TAP info is a predefined custom domain which contains the S-TAP Info entity and is not modifiable.
When defining a custom query, go to upload page and click Check/Repair to create the custom table in CUSTOM database, otherwise save query will not validate it. This
table loads automatically from all remote sources. A user cannot select which remote sources are used - it pulls from all of them.
Based on this custom table and custom domain, there are two reports:
Enterprise S-TAP view shows, from the Central Manager, information on an active S-TAP on a collector and/or managed unit (If there are duplicates for the same S-TAP
engine, one being active and one being inactive, then the report will only use the active).
Detailed Enterprise S-TAP view shows, from the Central Manager, information on all active and passive S-TAPs on all collectors and/or managed units.
If the Enterprise S-TAP view and Detailed Enterprise S-TAP view look the same, it is because there only one S-TAP on one managed unit being displayed. The Detailed
Enterprise S-TAP view would look different if there is more S-TAPs and more managed units involved.
These two reports can be chosen from the TAP Monitor tab of a standalone system, but they will display no information.
DB Entitlement Domains
Along with authenticating users and restricting role-based access privileges to data, even for the most privileged database users, there is a need to periodically perform
entitlement reviews, the process of validating and ensuring that users only have the privileges required to perform their duties. This is also known as database user rights
attestation reporting.
Use Guardiumâ€™s predefined database entitlement (privilege) reports (for example) to see who has system privileges and who has granted these privileges to other
users and roles. Database entitlement reports are important for auditors tracking changes to database access and to ensure that security holes do not exist from lingering
accounts or ill-granted privileges.
DB Entitlement Reports use the Custom Domain feature to create links between the external data on the selected database with the internal data of the predefined
entitlement reports. See Database Entitlements Reports for further information on how to use predefined database entitlement reports. To see entitlement reports, log on
the user portal, and go to the DB Entitlements tab.
Note: DB Entitlements Reports are optional components enabled by product key. If these components have not been enabled, the choices will not appear in the Custom
Domain Builder/Custom Domain Query/Custom Table Builder selections.

The predefined entitlement reports are listed as follows. They appear as domain names in the Custom Domain Builder/Custom Domain Query/ Custom Table Builder
selections.
Oracle DB Entitlements
MYSQL DB Entitlements
DB2Â® DB Entitlements
SYBASE DB Entitlements
InformixÂ® DB Entitlements
Microsoft SQL Server DB Entitlements
NetezzaÂ® DB Entitlements
Teradata DB Entitlements
PostgreSQL DB Entitlements
The following domains are provided to facilitate uploading and reporting on Oracle DB Entitlements. Each of the following domains has a single entity (with the same
name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder/Custom Domain Query/ Custom Table Builder
selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or
reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
Oracle
ORA Accnts of ALTER SYSTEM - Accounts with ALTER SYSTEM and ALTER SESSION privileges
ORA Accnts with BECOME USER - Accounts with BECOME USER privileges
ORA All Sys Priv and admin opt - Report showing all system privilege and admin option for users and roles
ORA Obj And Columns Priv - Object and columns privileges granted Â (with or without grant option)
ORA Object Access By PUBLIC - Object access by PUBLIC
ORA Object privileges - Object privileges by database account not in the SYS and not a DBA role
ORA PUBLIC Exec Priv On SYS Proc - Execute privilege on SYS PL/SQL procedures assigned to PUBL
ORA Roles Granted - Roles granted to users and roles
ORA Sys Priv Granted - Hierarchical report showing system privilege granted to users including recursive definitions (i.e. privileges assigned to roles and then these
roles assigned to users
ORA SYSDBA and SYSOPER Accnts - Accounts with SYSDBA and SYSOPER privileges
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables
used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to
work.
/* Select privilege to these tables/views is required */
grant select on sys.dba_tab_privs to sqlguard;
grant select on sys.dba_roles to sqlguard;
grant select on sys.dba_users to sqlguard;
grant select on sys.dba_role_privs to sqlguard;
grant select on sys.dba_sys_privs to sqlguard;
grant select on sys.obj$ to sqlguard;
grant select on sys.user$ to sqlguard;
grant select on sys.objauth$ to sqlguard;
grant select on sys.table_privilege_map to sqlguard;
grant select on sys.dba_objects to sqlguard;
grant select on sys.v_$pwfile_users to sqlguard;
grant select on sys.dba_col_privs to sqlguard;
The following domains are provided to facilitate uploading and reporting on MYSQL DB Entitlements. Each of the following domains has a single entity (with the same
MYSQL: The queries ending in _40 use the most basic version of the mysql schema (for MySQL 4.0 and beyond). The information_schema has not changed since it was
introduced in MySQL 5.0, so there is a set of _50 queries, but no _51 queries. The _50 queries work for MySQL 5.0 and 5.1 and for 6.0 when it comes out, since the
information_schema is not expected to change in 6.0. The queries ending in _502 (MYSQL502) use the new information_schema, which contains much more information
and is much more like a true data dictionary.
MYSQL Database Privileges 40

MYSQL User Privileges 40
MYSQL Host Privileges 40
MYSQL Table Privileges 40

The following list details the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to work.
Note: In addition to the privileges required, the user should connect to the MYSQL database to upload the data.
The entitlement queries for all MySQL versions through MySQL 5.0.1 use this set of tables: mysql.db mysql.host mysql.tables_priv mysql.user
Beginning with MySQL 5.0.2, and for all later versions, the entitlement queries use this set of tables: information_schema.SCHEMA_PRIVILEGES mysql.host
information_schema.TABLE_PRIVILEGES information_schema.USER_PRIVILEGES
If a datasource has a MYSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading
data will loop through all MYSQL databases the user has access to.
DB2 DB Entitlements
The following domains are provided to facilitate uploading and reporting on DB2 DB Entitlements. Each of the following domains has a single entity (with the same name),
and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder/Custom Domain Query/ Custom Table Builder
DB2 Column-level Privileges (SELECT, UPDATE, ETC.)

DB2 Database -level Privileges (CONNECT, CREATE, ETC.)
DB2 Index-level Privilege (CONTROL)
DB2 Package-level Privileges (on code packages â€“ BIND, EXECUTE, ETC.)
DB2 Table-level Privileges (SELECT, UPDATE, ETC.) DB2 Privilege Summary
work.
GRANT SELECT ON SYSCAT.COLAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.DBAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.INDEXAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PACKAGEAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.TABAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.SCHEMAAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PASSTHRUAUTH TO SQLGUARD;
The following domains are provided to facilitate uploading and reporting on SYBASE DB Entitlements. Each of the following domains has a single entity (with the same
SYBASE System Privilege and Roles Granted to User including Grant option
SYBASE Role Granted to User and System Privileges Granted to user and role including Grant option
SYBASE Object Access by Public
SYBASE Execute Privilege on Procedure, function assigned To Public
SYBASE Accounts with System or Security Admin Roles
SYBASE Object and Columns Privilege Granted with Grant option
SYBASE Role Granted To User
work.
/* These are required on MASTER database */
grant select on master.dbo.sysloginroles to sqlguard

grant select on master.dbo.syslogins to sqlguard
grant select on master.dbo.syssrvroles to sqlguard
Â
/*These are required on every database, including MASTER */
grant select on sysprotects to sqlguard
grant select on sysusers to sqlguard
grant select on sysobjects to sqlguard
grant select on sysroles to sqlguard
If a datasource has a SYBASE database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading
data will loop through all SYBASE databases the user has access to.
Informix DB Entitlements
The following domains are provided to facilitate uploading and reporting on Informix DB Entitlements. Each of the following domains has a single entity (with the same
Informix Object Privileges by database account not including system account and roles
Informix database level privileges, roles and language granted to user including grant option
Informix database level privileges, roles and language granted to user and role including grant option
Informix Object Grant to Public
Informix Execute Privilege on Informix procedure and function granted to Public
Informix Account with DBA Privilege Informix Object and columns privileges granted with Grant option
Informix Role Granted To User and Role
used in the query (which is hidden for all entitlements). The following list (with comment line heading) details the minimal privileges required, in the database table (or
view of the database table), in order for the entitlement to work.
Since all users have sufficient privileges for system catalog SELECT privileges, there is no need to grant privilege to any user. Informix doesn't seem to like granting system
catalog to users. The grant would normally be used. Â But in this case they are not required.
grant select on systables to sqlguard;
grant select on systabauth to sqlguard;
grant select on sysusers to sqlguard;
grant select on sysroleauth to sqlguard;
grant select on syslangauth to sqlguard;
grant select on sysroutinelangs to sqlguard;
grant select on sysprocauth to sqlguard;
grant select on sysprocedures to sqlguard;
grant select on syscolauth to sqlguard;
If a datasource has a Informix database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading
data will loop through all Informix databases the user has access to.
Microsoft SQL Server 2000 DB Entitlements

The following domains are provided to facilitate uploading and reporting on MSSQL 2000 DB Entitlements. Each of the following domains has a single entity (with the
same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder/Custom Domain Query/ Custom Table
Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these
domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
MSSQL2000 Object Privilege By database account not including default system user
MSSQL2000 Role/System Privileges Granted to User including grant option
MSSQL2000 Role granted to user and role. System Privileges Granted to User and Role including grant option
MSSQL2000 Object Access by PUBLIC
MSSQL2000 Execute Privilege on System Procedures and functions to PUBLIC
MSSQL2000 Database accounts with db_owner and db_securityadmin role
MSSQL2000 Server account with sysadmin, serveradmin and security admin /* only run this entitlement against MASTER database */
MSSQL2000 Object and columns privileges granted with grant option
MSSQL2000 Role granted to user and role
work.

Â
grant select on dbo.syslogins to sqlguard
Â
/*These are required on every database including MASTER */
grant select on dbo.sysprotects to sqlguard
grant select on dbo.sysusers to sqlguard
grant select on dbo.sysobjects to sqlguard
grant select on dbo.sysmembers to sqlguard
If a datasource has a MSSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading
data will loop through all MSSQL databases the user has access to.
Microsoft SQL Server 2005 and later DB Entitlements

The following domains are provided to facilitate uploading and reporting on Microsoft SQL Server 2005 and later DB Entitlements. Each of the following domains has a
single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder/Custom Domain
Query/ Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions
of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
Note: Objects in Dynamic query Strings will NOT be shown in xxx_DEPENDENCIES. An object in an EXECUTE IMMEDIATE SQL string called by a stored program unit does
not show dependency. This query exclude schema owner defined in group ID 202 "Dependencies_exclude_schema-MSSQL". User has the ability to add or subtract
schema name from this group for the dependencies query.
MSSQL2005/8 Object privileges by database account not including default system user.
MSSQL2005/8 Role/System privileges granted To User
MSSQL2005/8 Role/System Privilege granted to user and role including grant option
MSSQL2005/8 Object access by PUBLIC
MSSQL2005/8 Execute Privilege on System Procedures and functions to PUBLIC
MSSQL2005/8 Database accounts of db_owner and db_securityadmin Role
MSSQL2005/8 Server account of sysadmin, serveradmin and security admin /* only run against MASTER database */
MSSQL2005/8 Object and columns privileges granted with grant option
MSSQL2005/8 Role granted to user and role.
work.
Â
/*These are required on MASTER database */
grant select on sys.server_principals to sqlguard
Â
/*These are required on every databases including MASTER */
grant select on sys.database_permissions to sqlguard
grant select on sys.database_principals to sqlguard
grant select on sys.all_objects to sqlguard
grant select on sys.database_role_members to sqlguard
grant select on sys.columns to sqlguard
Netezza DB Entitlements
The following domains are provided to facilitate uploading and reporting on Netezza DB Entitlements. Each of the following domains has a single entity (with the same
Note: There is no DB error text translation for Netezza. The error appears in the exception description. Users can clone/add a report with the exception description for
Netezza as needed.
Netezza Obj Privs by DB Username - Object privileges with or without grant option by database username excluding ADMIN account.

Netezza Admin Privs by DB Username - Admin privileges with or without grant option by database username excluding ADMIN account.
Netezza Group /Role Granted To User - Group (Role) granted to user
Netezza Obj Privs By Group - Object privileges with or without grant option by GROUP excluding PUBLIC.
Netezza Admin Privs By Group - Admin privileges with or without grant option by GROUP excluding PUBLIC.
Netezza Admin Privs By DB Username, Group - Admin privileges with or without grant option by database username, group excluding ADMIN account and PUBLIC
group.
Netezza Obj Privs Granted - Object privileges granted with or without grant option to PUBLIC.
Netezza Admin Privis Granted - Admin privileges granted with or without grant option to PUBLIC.
Netezza Global Admin Priv To Users and Groups - Global admin privilege granted to users and groups excluding ADMIN account.
Netezza Global Obj Priv To Users and Groups - Global object privilege granted to users and groups excluding ADMIN account.
work.
Â
/* This script must be run from the system database */
GRANT SELECT ON SYSTEM VIEW TO sqlguard;
GRANT LIST ON DATABASE TO sqlguard;
GRANT LIST ON USER TO sqlguard;
GRANT LIST ON GROUP TO sqlguard;
GRANT SELECT ON _V_CONNECTION TO sqlguard;
For Netezza entitlement queries, it is recommended to connect to SYSTEM database, especially when granting the privilege to the user who is going to run these reports.
The granting privilege MUST take place from SYSTEM database or else the granted privilege will only take place on one particular database. When the granted privilege
takes place from SYSTEM database, a special feature will allow the granted privilege to carry through to all the databases.
The following domains are provided to facilitate uploading and reporting on Teradata DB Entitlements. Each of the following domains has a single entity (with the same
Teradata Object privileges by database account not including default system users.
Teradata System privileges and roles granted to users including grant option.
Teradata Roles granted to users and roles including grant option.
Teradata Role granted to users and roles. Â System privileges granted to users and roles including grant option.
Teradata Objects and System privileges granted to public. Note role cannot be granted to public in Teradata.
Teradata Execute privileges on system database objects to public.
Teradata System admin, Security admin privileges granted to user and role.
Note: There are no such role as System or Security admin in Teradata. User must create their own roles. These are some important system privileges that would
normally not be granted to normal user: ABORT SESSION, CREATE DATABASE, CREATE PROFILE, CREATE ROLE,CREATE USER, DROP DATABASE, DROP PROFILE,
DROP ROLE, DROP USER, MONITOR RESOURCE, MONITOR SESSION, REPLICATION OVERRIDE, SET SESSION RATE, SET RESOURCE RATE.
Teradata Object privileges granted with granted option to users. Not including DBC and grantee = 'All'.
work.
Â
GRANT SELECT ON DBC.AllRights TO sqlguard;
GRANT SELECT ON DBC.Tables TO sqlguard;
GRANT SELECT ON DBC.AllRoleRights TO sqlguard;
GRANT SELECT ON DBC.RoleMembers TO sqlguard;

The following domains are provided to facilitate uploading and reporting on PostgreSQL DB Entitlements. Each of the following domains has a single entity (with the same
There are seven entitlement custom domains/queries/reports for PostgreSQL. They are as follows (each is listed with Report name, description, note):
Â
PostgreSQL Priv On. Databases Granted To Public User Role With Or Without Granted Option. Privilege on databases granted to public, user and role with or without
granted option. Run this on any database, ideally PostgreSQL.
PostgreSQL Priv On Language Granted To Public User Role With Or Without Granted Option. Privilege on Language granted to public, user and role with or without
granted option. Run this per database.
PostgreSQL Priv On Schema Granted To Public User Role With Or Without Granted Option. Privilege on Schema granted to public, user and role with or without
PostgreSQL Priv On Tablespace Granted To Public User Role With Or Without Granted Option. Privilege on Tablespace granted to public, user and role with or
without granted option. Run this on any database, ideally PostgreSQL.
PostgreSQL Role Or User Granted To User Or Role. Role or User granted to user or role including grant option. Run this once in any database. Ideally PostgreSQL.
Â Â Â Â
PostgreSQL Super User Granted To User Or Role. Super user granted to user or role. Run this once in any database. Ideally PostgreSQL. Â Â Â Â
PostgreSQL Sys Privs Granted To User And Role. System privileges granted to user and role. Run this once in any database. Ideally PostgreSQL. Â Â Â Â
PostgreSQL Table View Sequence and Function privs Granted To Public. Tables, Views, Sequence and Functions privileges granted to public. Run this per database.
Run this per database.
PostgreSQL Table View Sequence and Function Privs Granted With Grant Option. Tables, Views, Sequence and Functions privileges granted to user and role with
grant option only. Exclude PostgreSQL account.
PostgreSQL Table View Sequence Function Privs Granted To Roles. Tables, Views, Sequence and Functions privileges granted to roles. Â Not including public. Run
this per database.
PostgreSQL Table Views Sequence and Functions Privs Granted To Login. Tables, Views, Sequence and Functions privileges granted to logins. Not including postgres
system user. Run this per database.
Note: As of version 8.3.6, PostgreSQL does not support grant admin option to public. There is only function, no store procedure. There is no support for column grant, only
table grant. Public is a group, not user. Public does not show up in pg_roles. The only privileges need to run all these queries is: GRANT CONNECT ON DATABASE
PostgreSQL TO username;
Â
work.
Â
/*This is required on POSTGRES database*/
grant connect on database postgres to sqlguard;
Â
/*These are required on every database, including POSTGRES (By default these are already granted to PUBLIC) */
grant select on pg_class to sqlguard;
grant select on pg_namespace to sqlguard;
grant select on pg_roles to sqlguard;
grant select on pg_proc to sqlguard;
grant select on pg_auth_members to sqlguard;
grant select on pg_language to sqlguard;
grant select on pg_tablespace to sqlguard;
grant select on pg_database Â to sqlguard;
Â
If a datasource has a PostgreSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the
uploading data will loop through all PostgreSQL databases the user has access to.

This topic contains a description of the attributes contained in each entity.
For an overview of domains, entities, and attributes, see Domains, Entities, and Attributes. For a description of all domains, see Domains.
For z/OS data sources (Db2, Data Sets, and IMS), there are data-source-specific attributes and the meaning of existing attributes may differ than what is described here.
For more information on entities and attributes specific to z/OS data sources, see the following:
Report entities and attributes for Data Sets

Report entities and attributes for DB2 for z/OS
Report entities and attributes for IMS
Access Policy Entity

Describes all available policies on the system. Similar to Installed Policies entity used for all installed policies on system.
Entity List for Access Policy- Access Policy Entity; Rule Policy Entity; Rule Action Entity; and, Alert Notification. See Rule Entity for a list of attributes. See Rule Action Entity
for a list of attributes. See Alert Notification Entity for a list of attributes.
Table 1. Access Period Entity

Policy ID Uniquely identifies an access policy
Policy Description Describes the access policy
Selective Audit Trail Indicates if this is a selective audit trail policy (T/F).
Audit Pattern Test pattern used for a selective audit trail policy.
Timestamp Timestamp for the creation of the record.
Access Period Entity

Access Periods are related to Sessions. By default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine
Configuration (it corresponds to the Logging Granularity).
Timeout values depend on the number of the sessions opened by analyzer thread. For each analyzer thread there are following default values: If number of open sessions
>0 and < 250, then timeout is 60 minutes. If number of open sessions >=250 and < 500, then timeout is 30 minutes. If number of open sessions >= 500 and < 750, then
timeout is 15 minutes, If number of open sessions >= 750 and < 1200, then timeout is 5 minutes. If number of open sessions is >= 1200, then timeout is 2 minutes.
Table 2. Access Period Entity

Session ID Uniquely identifies a session.
Instance ID Uniquely identifies an instance of a construct.
Construct ID Uniquely identifies a command construct (for example, select a from b).
Total Access Total count of construct instances for this access period.
Period Start Date Date only from the period start attribute.
Period Start Weekday Weekday only from the period start attribute.
Period Start Time Time only from the period start attribute.
Timestamp Initially, the Timestamp value is set the first time that a request is observed on a client-server connection during an access period. By
default, an access period is one hour long, but this can be changed by the Guardium administrator in the Inspection Engine
Configuration - see the Guardium Administrator Guide. Thereafter, for each subsequent request, it is updated when the system updates
the average execution time and the command count for this period.
Period End Date and time for the end of the access period.
Period End Date Date only from the period end attribute.
Period End Weekday Weekday only from the period end attribute.
Period End Time Time only from the period end attribute.
Application User Application user name.
Average Execution Time The average command execution time during the period. This is for SQL statements only. It does not apply to FTP or Windows file share
traffic.
Failed Sqls (2) The number of failed SQL requests. See note at the end of the table.
Successful Sqls (2) The number of successful SQL requests. See note at the end of the table.
Application Event ID The application event ID if set from the API.
Total Records Affected (2) The total number of records affected. See note at the end of the table.
Avg Records Affected (2) The average number of records affected. See note at the end of the table.

Total Records Affected (Desc) If the Total Records Affected attribute is a character string instead of a number, that value appears here (for example, Large Results Set,
(2) or N/A.
Records affected - Result set of the number of records which are affected by each execution of SQL statements.
Note: The records affected option is a sniffer operation which requires sniffer to process additional response packets and postpone
logging of impacted data which increases the buffer size and might potentially have a adverse effect on overall sniffer performance.
Significant impact comes from really large responses. To prevent large amount of overhead associated with this operation, Guardium
uses a set of default thresholds that allows sniffer to decide to skip processing operation when exceeded.
You can use the store max_results_set_size, store max_result_set_packet_size, and store max_tds_response_packets CLI commands
to set levels of granularity.
Example of result set values:
Case 1, record affected value, positive number - this represents correct size of the result set.
Case 2, record affected value, -2 - This means number of records exceeded configurable limit (This could be tuned through CLI
interface).
Case 3, record affected value, -1 - This shows any unsupported cases of packets configurations by Guardium.
Case 4, record affected value, -2 - If the result set is sent by streaming mode.
Case 5, record affected value, -2 - Intermediate result during record count to update user about current value, ends up with
positive number of total records.
Show Seconds If a the number of accesses per second is being tracked, this contains counts for each second in the access period (usually one hour).
Avg Execution Ack Time Average Execution Acknowledged time in milliseconds
Original Timezone The UTC offset.
This is to point out that a UTC offset should be set so that the time from two different collectors that are in two different time zones
aggregate correctly. If the offset was not set then there would exist a condition where users would not really be able to determine or see
a true representation of when things happened in relation to time.
For instance, on an aggregator that aggregates data from different time zones, you can see session start of one record that is 21:00 with
original timezone UTC-02:00 and another record where session start is 21:00 with original timezone UTC-05:00, This means that these
events occurred 3 hours apart, but at the same respective local time (9 PM).
Session ID, Instance ID, Construct ID, and Total Access are only available to users with the admin role.
Failed Sqls, Successful Sqls, Application Event ID, Total Records Affected, Avg Records Affected, and Total Records Affected (Desc) are attributes that only appear when
the main entity for the query permits this level of detail. These are not available if either Client/Server or Session is the main entity.
Access Rule Entity

The name assigned to an access rule when it was defined. This is available for reporting only from the owning Policy Rule Violation entity (described later), when an access
rule violation is logged.
Table 3. Access Rule Entity

Access Rule Description Description from the access policy rule definition.
Activity Types Entity

Available only from the Aggregation/Archive domain, which by default is available to users assigned the admin role only. The Activity Types entity can be accessed only
from the owning Aggregation/Import/Export Log Entity. It identifies a type of action (Prepare for Aggregation, Encrypt, Send, etc.).
Table 4. Activity Types Entity

Activity Type Description of an aggregation/import/export activity.
Agg/Archive Log Entity

Available only from the Aggregation/Archive domain, which by default is available to users assigned the admin role only. One or more Aggregation/Import/Export Log
entities are created for each activity. For example, when an aggregator system imports data, you will typically see at least four activities:
Prepare for Aggregation
Check Duplicate Import (one per file exported to this aggregator)
Extract (one per file to be merged)
Merge (one per file merged)
Table 5. Agg/Archive Log Entity

Timestamp Updated at the start and end of the activity being logged (prepare for archiving, encrypt, send, etc.).
Status Status of the aggregation/import/export log activity.
User Name User name under which activity initiated.

Start Time Starting time of activity.
End Time Ending time of activity.
Period Start Starting time for the data being acted upon. Each archiving or aggregation activity operates on one full day of activity.
Period End Ending time for the activity being acted upon.
File Name Name of file used for the activity. Files created by the archive and export operations are named as follows:
<daysequence>-<scp_host>-w<run_datestamp>-d<data_date>.dbdump.enc
For example:
732423-g1.guardium.com-w20050425.040042-d2005-04-22.dbdump.enc
The date of the data contained on the file, in yyyy-mm-dd format is data_date, near the end of the file name (just before .dbdump.enc).
Take care that you do not confuse this date with the run date, which appears earlier in the file name, and is the date that the data was
archived or exported.
Comment Additional comment for the activity.
Guardium Host Name The name of the Guardium host.
Records Purged If the activity type is Purge, the number of records purged. Otherwise, N/A.
Original Timezone The UTC offset. This is done in particular for aggregators that have collectors in different time zones and so that activities that happened
hours apart do not seem as if they happened at the same time when imported to the aggregator.
Alert Notification Entity

Describes a policy alert notification.
Table 6. Alert Notification Entity

ALERT_NOTIFICATION_ID Identifies the alert notification.
ALERT_ID Identifies the alert definition.
Alert Notification Type Type of alert from the policy rule definition.
Alert User Receiver of the alert.
Alert Destination Type of alert (EMAIL, SNMP, SYSLOG, CUSTM).
Timestamp Timestamp alert record created.
ALERT_NOTIFICATION_ID and ALERT_ID are only available to users with the admin role.
Application Data Entity

Used for the SAP and Siebel reports.
Table 7. Application Data Entity

Application Data ID Unique identifier for this data.
Application Code The application type code.
Full SQL ID Identifies the full SQL data.
Application Type Application type.
User Application user name.
Operation Type The type of operation.
Change Date Date of the change.
Time Stamp Time stamp for this record.
Item Name Name of the item affected.
Transaction Code Transaction code.
System ID Unique identifier for the system.
Record Detail 1 Varies by item type.
VBKey The VBKey value.

Application Events Entity

This entity is created each time that the system observes an Application Events API call (which sets these attribute values) or a stored procedure call that has been
identified as a Custom Identification Procedure (which maps stored procedure parameters to these attributes).
Table 8. Application Events Entity

Application Event ID Unique identifier for this application events entity.
Event User Name User name, set by GuardAppEvent:Start.
Event Type Type of event, set by GuardAppEvent:Start.
Event Value Str String value, set by GuardAppEvent:Start.
Event Value Num Numeric value, set by GuardAppEvent:Start.
Event Date Datetime value, set by GuardAppEvent:Start. It displays in the format yyyy-mm-dd hh:mm:ss.
Note: If an attempt is made to set the event date using a format other than yyyy-mm-dd, it will contain all zeroes. The time portion
(hh:mm:ss) is optional, and if omitted will be 00:00:00.
Timestamp Created only once, when the event is logged. Do not confuse this attribute with the Event Date attribute, which can be set using an API
call or from a stored procedure parameter. (See the Guardium Administrator Guide for a description of the Application Events API and
Custom Identification Procedures.)
Event Release Type Type of event, set by GuardAppEvent: Released.
Event Release User Name User name, set by GuardAppEvent: Released.
Event Release Value Str String value, set by GuardAppEvent: Released.
Event Release Value Num Numeric value, set by GuardAppEvent: Released.
Event Release Date Datetime value, set by GuardAppEvent:Released. It displays in the format yyyy-mm-dd hh:mm:ss.
Application Event ID is only available to users with the admin role.
App User Name Entity

This entity will display the username from the App Event if the App Event exists. Otherwise, the user name will display from the Construct Instance.
Table 9. App User Name Entity

APP User Name Unique identifier for this App User Name entity.
Assessment Log Entity

This entity is created each time that an assessment is run.
Table 10. Assessment Log Entity

Assessment Log ID Uniquely identifies the assessment.
Timestamp Timestamp for the assessment.
Timestamp Date Date portion of timestamp.
Timestamp Time Time portion of the timestamp.
Assessment Log Type Predefined, query or custom test.
Assessment Log Severity The assessment test severity: Critical, Major, Minor, Cautionary, Informational. This is an ordered list of the level of severity
classifications. Assessment test severity: Critical, Major, Minor, Cautionary, Informational. The highest severity is the first classification
in this list. The lowest severity is the last classification in this list.
Assessment Result Id1 Identifies the assessment results set.
Message Message returned by the assessment.
Details Details for this assessment.

Assessment Log ID is only available to users with the admin role.
Assessment Result Datasource Entity

This entity is identifies a datasource accessed by the assessment test.
Table 11. Assessment Result Datasource Entity

Assessment Result data Identifies a results set for a datasource.

source ID
Assessment Result ID Identifies the result.
DB Type Database type: Oracle, MS-SQL, DB2Â®, Sybase, InformixÂ®, etc.
DB Name Database name.
Version Level Version level of the database.
Patch Level Patch level of the database.
Full Version Info Full version information for the datasource
Datasource name Name of the datasource.
Description Datasource description.
Host Host name for the datasource.
Port Port number on the host.
Service Name Service name for the datasource.
User Name User name used for datasource access.
Assessment Result data source ID and Assessment Result ID are only available to users with the admin role.
Assessment Result Header Entity

This entity is created for each task in the assessment results set.
Table 12. Assessment Result Header Entity

Assessment Result ID Identifies the assessment results set.
Assessment ID Identifies the assessment.
Task ID Identifies the task within the assessment.
Parameter Modified Flag Indicates if parameters modified since last run.
Execution Date Date that the assessment was run.
Received By All Indicates whether or not these results have been received by all receivers on the distribution list.
Overall Score Overall score for the assessment.
From Date From date for the assessment.
To Date To date for the assessment.
Assessment Description Assessment name from the definition.
Filter Client IP Clients selected: exact IP address, address with wildcards (*), or empty to select all.
Filter Server IP Servers selected: exact IP address, address with wildcards (*), or empty to select all.
Recommendation Recommendation returned for the task.
Assessment Result ID, Assessment ID, and Task ID are only available to users with the admin role.
Assessment Tests Entity

This entity contains entries for available tests.
Table 13. Assessment Tests Entity

Test Description Text description of the test
Test Type Type of assessment test (Observed, Predefined, Custom, Query based, CVE)
Datasource Type Type of Datasource (DB2, Informix, MYSQL, ORACLE, SYBASE, etc.)
Threshold User defined threshold, to override the value define upon the testâ€™s creation
Threshold Default Value Default threshold that defines the success/fail criteria
Severity Severity of the assessment (Critical, Major, Minor, Caution, Info)
Category Category of the assessment (Privilege, Authentication, Configuration, Version, Other)
Timestamp Timestamp test was created

Audit Process Entity
This entity contains basic definition parameters for an audit process.
Table 14. Audit Process Entity

Process Description Description from audit process definition.
Active Indicates if the process is active (able to be scheduled).
Keep Result Days The number of days the results will be kept by the system.
Keep Results Quantity The number of results sets that will be kept by the system.
Â Â
Audit Process Comments Entity

This entity has comments attached to an audit process definition. Comments attached to audit process results are contained the Audit Process Results Comments entity.
Table 15. Audit Process Comments Entity

Audit Process Comment The text of the comment.
Audit Process Comment The creator of the comment.

Creator
Audit Process Comment Timestamp for the comment.

Timestamp
Audit Task Entity

This entity describes a single audit task (within an audit process).
Table 16. Audit Task Entity

Task Type A numeric value indicates whether the task is a report, security assessment, entity audit trail, privacy set, or classification process.
Aliases are defined for these types, so reports with Aliases on will simplify reading of the report output.
Task Description Name of the task from the task definition.
Audit Process Result Entity

This entity contains the execution date for a set of audit process results.
Table 17. Audit Process Result Entity

Execution Date The date the audit process was executed.
Audit Process Results Comments Entity

This entity has comments attached to an audit process results. Comments attached to an audit process definition are contained the Audit Process Comments entity.
Table 18. Audit Process Results Comments Entity

Audit Process Comment The text of the comment.
Audit Process Comment The creator of the comment.

Creator
Audit Process Comment Timestamp for the comment

Timestamp
Auto-discovery Scan Entity

This entity identifies when a scan executed.
Table 19. Auto-discovery Scan Entity

Scan Timestamp The time the scan executed.

Changed Columns Entity
This entity describes a changed column.
Table 20. Changed Columns Entity

Changed Column Name Name of the changed column on the database.
Old Value Value before the change.
New Value Value after the change.
Changed Data Values Entity

This entity is used with the IBM InfoSphere Change Data Capture (InfoSphere CDC) replication solution that allows the replication to and from supported databases.
Maintenance of replicated databases can be used to reduce processing overheads and network traffic.
IBM Guardium Customers with Database Activities Monitoring will have access to InfoSphere CDC.
This Guardium feature uses Java CDC user exit to send value change information to the Guardium collector.
User exits for InfoSphere CDC lets the user define a set of actions the InfoSphere CDC can run before or after a database event occurs on a specified table.
Table 21. Changed Data Values Entity

Full SQL ID Unique identifier for the Full SQL.
Table Name Table Name from database
Column Name Column Name from database
Old Value Value before the change.
New Value Value after the change.
Timestamp Time the record was created.
Two files that need to be installed on the Database Server are for the Guardium agent that interfaces with IBM's InfoSphere Change Data Capture (InfoSphere CDC)
application. They are in the sources/apps/GuardCDC/lib/ directory of the build. These files are: protobuf-java-2.4.1.jar; and, GuardCdc.jar
Instructions for installation
Prerequisites - the InfoSphere Change Data Capture (InfoSphere CDC) application must already be installed on the DB Server.
Steps to install the Guardium agent on the Database server:
1. Copy these two files to the RepEngine/lib/ directory of the cdchome directory. An example of the full path would be /cdchome/cdc6.5.2/RepEngine/lib/
2. Unzip each file
3. Edit the guard_cdc_user_exit_config.mxl file to add the Guardium_Host name. An example of where this file would be located is
/cdchome/cdc6.5.2/RepEngine/lib/com/guardium/cdc/userexit/
4. Configure InfoSphere CDC to write to the GuardiumAgent. There are multiple steps to set up and configure the CDC application. These steps can be obtained
from the InfoSphere CDC development/support team at IBM.
Classification Process Results Entity

This entity is created for each classification process rule that is fired.
Table 22. Classification Process Results Entity

Catalog Catalog location for results set.
Schema Schema name if applicable.
Table Name Table name from the rule definition.
Column Name Column name from the rule definition.
Rule Description The classifier policy rule description.
Comments Any comments added to this rule definition.
Classification Name Classification for the rule.
Category Category for the rule.
Data Source Description Data source for the rule.
Classification Process Run Entity

This entity describes a classification process job execution.

Table 23. Classification Process Run Entity
Process Description From the process definition.
Status Job status.
Queue DateTime Timestamp when the job was submitted to the classifier/assessment queue.
Start DateTime Timestamp at start of job.
End DateTime Timestamp at end of job.
Data Sources Identifies the datasource list for the job.
Client/Server Entity
This entity describes a specific client-server connection. An instance is created each time a unique set of attributes (excluding the Timestamp) is detected.
Table 24. Client/Server Entity

Access ID A unique identifier for this client/server connection.
Timestamp Since all attributes in this entity contain static information, this timestamp is created only once, when Guardium observes a request on
the defined client-server connection for the first time.
Timestamp Date Date only from the timestamp.
Timestamp Time Time only from the timestamp.
Timestamp Weekday Weekday only from the timestamp.
Timestamp Year Year only from the timestamp.
Server Type DB2, Oracle, Sybase, etc.
Client IP Client IP address.
Server IP Server IP address.
Network Protocol Network protocol used (e.g., TCP, UDP, etc. Note that for K-TAP on Oracle, this may display as either IPC or BEQ)
DB Protocol Protocol specific to the database server.
DB Protocol Version Protocol version for the DB Protocol.
DB User Name Database user name. The DB user name is the person who connected to the database, either local or remote.
Source Program Source program for the interaction.
Client MAC Client hardware address.
Client Host Name Client host name.
Service Name Service name for the interaction. In some cases (AIXÂ® shared memory connections, for example), the service name is an alias that is
used until the actual service is connected. In those cases, once the actual service is connected, a new session is started - so what the
user experiences as a single session will be logged as two sessions.
For Teradata, Service name contains the session logical host id value.
Server OS Server operating system.
For Informix, the OS may appear as follows:
IEEEM indicating Unix or JDBCIEEEI indicating WindowsDEC indicating DEC Alpha
For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data
are stored during db session. This has a close relation to the platform being used and may appear as follows:
IBMÂ® MAINFRAME // IBM mainframe data format
HONEYWELL MAINFRAME // Honeywell mainframe data format
AT&T 3B2 // AT&T 3B2 data format.
INTEL 8086 // Intel 8086 data format (IBM PC or compatible)
VAX // VAX data format
AMDAHL // Amdahl data format

Client OS Client operating system.
For Teradata, as there is no direct information about client/server OS, instead, the data format type is used; indicating how integer data
are stored during db session. This has a close relation to the platform being used and may appear as follows:
IBM MAINFRAME // IBM mainframe data format
HONEYWELL MAINFRAME // Honeywell mainframe data format
AT&T 3B2 // AT&T 3B2 data format.
INTEL 8086 // Intel 8086 data format (IBM PC or compatible)
VAX // VAX data format
AMDAHL // Amdahl data format

OS User OS user account for the interaction.
Server Host Name Server host name.
Server Description Server description (if any).
ClientIP/DBUser Paired attribute value consisting of the client IP address and database user name.
Analyzed Client IP Applies only to encrypted traffic; when set, client IP is set to zeroes.
Analyzed Client IP has a map for CEF source. If the query used for the CEF does NOT contain the Client IP but contains the analyzed
client IP, the analyzed client IP will be used for the source. If both included in the query, then Client IP takes precedence.
Server IP/DB user Paired attribute value consisting of Server IP address and database user name.
Client/ Server by session Client/Server by session is also a Main Entity. Access this secondary entity by clicking on the Client/Server primary entity.
Access ID is only available to users with the admin role.
Note: For Access Tracking only, Client/Server Entity name will appear in the pulldown menu as two possible entities - Client/Server and Client/Server By Session.
Client/Server By Session will get count from Client/Server and date conditions from Session.
Client/Server will get count from Client/Server and date conditions also from Client/Server.
If the user chooses Client/Server, then the query will be populated with ATTRIBUTE_ID = 1. If the user chooses Client/Server By Session, then the query will be populated
with MAIN_ATTRIBUTE_ID = 0.
CM Buffer Usage Monitor Entity

Within Central Manager, shows the aggregate of all Sniffer Buffer Usage Entity that have been uploaded.
Table 25. CM Buffer Usage Monitor Entity

Sniffer Buffer Usage ID Â
Sniffer CPU PCT Percentage of CPU used by sniffer.
Sniffer Mem PCT Percentage of memory used by sniffer.
MySQL CPU PCT Percentage of CPU used by MySQL.
MySQL MEM PCT Percentage of memory used by MySQL.
PID Sniffer process identifier.
Memory Amount of memory used by sniffer.
Time Elapsed time used by sniffer.
Free Buffer Amount of free buffer space.
Analyzer Rate Rate at which messages being analyzed.
Analyzer Queue Size of the analyze queue.
Analyzer Total Total number of messages analyzed.
Logger Queue Size of logger queue.
Logger Total Total number of message logged.
Session Queue Size of session queue.
Session Total Total number of sessions.
Handler Data Internal sniffing engine data.
Extra STR Internal sniffing engine data.
Sniffer Connections Used Total number of connections currently being monitored since inspection engine was restarted.
Sniffer Packets Dropped Packets dropped by sniffer.
Sniffer Packets Ignored Packets ignored by sniffer.

Sniffer Packets Throttled Total number of connections that have been ignored due to throttling since inspection engine was restarted.
Sniffer Connections Ended Total number of connections that were monitored and have ended since inspection engine was restarted.
Logger Session Count Count of sessions logged.
Logger Packets Ignored by Packets ignored by policy rule action.

Rule
Analyzer Lost Packets Packets lost by analyzer.
Logger Dbs Monitored List of database types currently being monitored.
Mysql Is Up Boolean indicator for internal database restart (1=was restarted, 0=not restarted).
System Cpu Load System CPU utilization.
System Uptime Time since last start-up.
Mysql Disk Usage MySQL disk usage.
System Memory Usage System memory utilization.
System Var Disk Usage System var disk utilization.
System Root Disk Usage System Root disk utilization.
Eth0 Received Messages received on ETH 0.
Eth0 Sent Messages sent on ETH 0.
Promiscuous Received Rate of received packets through the sniffing network cards (non-interface ports).
Open FDs Open File Descriptors.
Open FDs MySQL Database open File Descriptors
Sessions normal Count of normal sessions.
Sessions not opened Count of sessions not opened by sniffer.
Sessions timeout Count of sessions timed-out.
Sessions ignored Count of sessions ignored by sniffer.
Session Direct closed Count of sessions directly closed .
Session guessed Count of sessions guessed.
SqlGuard Timestamp Is the time the record is inserted into the custom table
Datasource Name Is the name of the data source used to upload the record
Command Entity
For each command, an entity is created for each parent node and position in which the command appears in a command construct.
Table 26. Command Entity

Command Id Uniquely identifies the command.
Construct Id Uniquely identifies the construct (e.g., select a from b).
SQL Verb Main verb in SQL command (e.g., select, insert, delete, etc.).
Depth Depth of the command in the SQL parse tree.
Parent Identifier of parent node in the parse tree.
Command ID and Construct ID are only available to users with the admin role.
Comments Entity
This entity describes a user comment. It is available in the Comments domain only, which is restricted to admin users. This domain includes only sharable comments,
which are all comments except for those that run locally (see the Local Comments entity).
Table 27. Comments Entity

Comment Creator The Guardium user who created the comment.
Comment Reference Indicates the element to which the comment is attache - a query, audit process result, or another comment, for example.
Content of Comment The complete comment text.
Timestamp Date and time the comment was created.
Timestamp WeekDay Weekday only from the timestamp.

Object Description The name of the object from which the comment was defined. For example, a comment defined on a policy has an object description of
ACCESS_RULE_SET.
Record Associations A list of records that this comment is associated with.
Database Error Text Entity

The text of each common database error message is stored in a table in the Guardium internal database. It is available for reporting only from the owning Exception Entity
for each exception that is a database error. Some types of exceptions - S-TAPÂ® disconnects or reconnects, for example - will have no database error text.
Table 28. Database Error Text Entity

Database Error Text A database error code followed by a short text description of the error. The error code is taken from the Exception Description attribute
of the Exception entity. Using the error code as a key, the error text is obtained from an internal table on the Guardium appliance, which
contains the most common error messages (about 54,000 of them).
For example: ORA-00942: table or view does not exist

Error Code Displays the database error code.
Data Source Entity

This entity (under CAS Config Tracking/ Monitored Item Details Entity) identifies a data source.
Table 29. Data Source Entity

Data source ID Identifies a results set for a data source
Data source Type Data source type - Oracle, MS-SQL, DB2, Sybase, Informix, etc.
Data source Name Data source name
Data source Description Description of the data source
Host Host name for the data source
Port Port Number on host
Service Name Service name for the data source
User Name User name for datasource access
Database Name Database name
Last Comment Last comment
Shared Yes or No
Connection Properties The Connection Property box has information in it only if additional connection properties must be included on the JDBC URL to
establish a JDBC connection with this datasource.
Discovered Host Entity

This entity identifies a discovered host.
Table 30. Discovered Host Entity

Server IP IP address of the discovered host.
Server Host Name Host name of the discovered host.
Discovered Instances Entity

This entity identifies discovered instances.
Table 31. Discovered Instances Entity

Timestamp A timestamp value created when Guardium records this instance of the entity (every instance has a unique timestamp).
Host Host name for this instance
Protocol Protocol specific to this instance
Port Min Port range, minimum port number for inspection-engines
Port Max Port range, maximum port number for inspection-engines

Client IP IP address/mask of client
Exclude Client IP IP address/mask of clients to exclude
Proc Names Name of database executable
Named Pipe Pipe name used by database
KTAP DB Port Database port for KTAP
DB Install Dir Database Install Directory
Proc Name Process name
DB2 Shared Mem Adjustment Packet header size
DB2 Shared Mem Client Client I/O area offset

Position
DB2 Shared Mem Size DB2 shared memory segment size
Instance Name Name of the discovered instance
Informix Version Informix Version
Discovered Port Entity

This entity identifies a discovered port.
Table 32. Discovered Port Entity

Port Discovered port number.
Probe Attempted Indicates if a probe for a supported database service has been attempted on this port. T=yes, F=no.
Port Type Indicates the port type (usually TCP).
DB Type If a probe of the port has found a supported database type, indicates the type (DB2, Informix, MS SQL Server etc.)
Probe Timestamp The date and time that this specific port was probed.
Exception Entity
This entity is created for each exception encountered.
Table 33. Exception Entity

Exception ID Uniquely identifies the exception.
Exception Type ID Uniquely identifies the exception type.
Exception Timestamp Date and time created when this Exception entity was logged.
Exception Date Date only from the timestamp.
Exception Time Time only from the timestamp.
Exception Weekday Weekday only from the timestamp.
Exception Year Year only from the timestamp.
Source Address Source IP address of the exception.
Source Port Source port number.
Destination Address Destination IP address.
Destination Port Destination port number.
Database Protocol Database protocol for the exception.
New TTL value Reserved for admin role use only.
Exception Description Description of the exception.
For an S-TAP reconnect or timeout exception, this will contain the IP address or DNS name of the database server.
For a database exception, this is an error code from the database management system. For most common messages (about 54,000 of
them), a longer text description is available in the Database Error Text attribute. That text comes from the internal Guardium database
table of error messages, not from the exception itself.
SQL string that caused the The SQL string that caused the exception.
exception

User Name Database user name. On encrypted traffic, where correlation is required, this value may not be available, but it is always available from
the DB User Name attribute in the Client/Server entity.
App User Name Application user name.
Link to more information about Optional link that is sometimes available, depending on the exception source.
the exception1
Global ID1 Global identifier for the exception.
Exception ID and Exception Type ID are only available to users with the admin role.
Exception Type Entity

There is a fixed set of exception types, one of which will be associated with each exception logged. These are available for reporting only from the owning Exception Entity.
Table 34. Exception Type Entity


Exception Description A text description of the exception type, from the following list. Most of these should never be seen. See the notes in italic for the most
common exceptions and notes.
A new construct was used
Alert Process threw an exception
Custom Alerting Processing Exception
Database Server returned an error
For this message, a database error code will be stored in the Exception Description attribute of the Exception entity, and a text version of
the database error message will be available in the Database Error Text attribute of the Database Error Text entity.
DB Protocol Exception
Debug prints through the EXCEPTIONs mechanism
Dropped database requests
Session information was dropped due to excess traffic.
Error During Configuration Auditing System Process
Error During Classification Process
Invalid Query Invocation
Login Failed
Low-level DB protocol Exception
Scheduled job threw an exception
Security Assessment Exception
Security Exception
For this message, a custom class exception has been raised when breaching code execution is blocked; such as when users use the
Javaâ„¢ API to define their own alerts or assessments.
Session closed prematurely
SQL Parser Exception
S-TAP Connectivity reconnect
For this message, the IP address or DNS name of the database server will be available in the Exception Description attribute of the
Exception entity
S-TAP Connectivity timeout
For this message, the IP address or DNS name of the database server will be available in the Exception Description attribute of the
Exception entity
TCP ERROR
For this message, additional information about the error will be included in the Exception Description attribute of the Exception entity
Turbine class threw an exception
Unable to purge report
Field Entity
Each time Guardium encounters a new field, it creates a field entity.
Table 35. Field Entity

Field ID Uniquely identifies the field.
Construct ID Uniquely identifies the construct in which it was referenced.
Command ID Uniquely identifies the main command from the construct in which it was
referenced.
Object ID Uniquely identifies the object from the construct in which it was referenced.
Field Name Name of the field.

List Clause Use these attributes to order complex SQL queries.
Where Clause Example of SQL queries:
Order by Clause Order by
Having Clause SELECT * FROM dept_costs
Group By Clause WHERE dept_total >
On Clause (SELECT avg FROM avg_cost)
ORDER BY department
Having
SELECT column_name1, SUM(column_name2)
FROM table_name
GROUP BY column_name1
HAVING (numerical function condition)
Group By
SELECT column_name1, SUM(column_name2)
FROM table_name
GROUP BY column_name1
Where
SELECT FirstName, LastName, City
FROM Users
WHERE City = Los Angeles
Field ID, Construct ID, Command ID, and Object ID are only available to users with the admin role.
Field SQL Value Entity

These entities are created only by policy rule actions that log with values; for example: Log Full Details With Values, and Log Full Details Per Session With Values. The field
value logged may or may not be associated with a field name. For example, field names will be available (in the Field entity) if the following statement is logged:
insert into t1 (foo, bar) (10, 20)
But not available when the following statement is logged:
insert into t2 (10, 20)
Table 36. Field SQL Value Entity

Value A field value from the logged construct.
Flat Log Entity

This entity describes flat log processing activity.
Table 37. Flat Log Entity

Full SQL The full SQL logged.
Timestamp Date and time stamp when logged.
Timestamp Date Date portion of the timestamp.
Timestamp Time Time portion of the timestamp.
Response Time Response time for the request in milliseconds.
Records Affected The number of records affected by the request.
Succeeded Indicates if request was successful (True/False).

Statement Type The type of SQL statement
SQL: simple, direct SQL command, for example, typed directly into the CLI
RAW: PREPARE of a SQL statement for later execution, for example, conn.prepareStatement (select a from b where c=:value)
BIND: execution of a prepared statement including bound parameter values
Statement type is part of the FULL SQL entity and is audited only if you have configured Log Full Details for this statement within the
policy.
You can not filter out specific statement types in the policy, for example, audit-only SQL and BIND statements. You can, however, filter
these out in reports.
Returned Data Data returned (if any)
Bind Info Bind information for the request
Bind Variables Values For DB2/zOS, contains a list of comma separated bind variable
FULL SQL Entity

Full SQL entities are created only by the following policy rule actions: Log Full Details,Log Full Details With Values, Log Full Details Per Session, or Log Full Details Per
Session With Values.
Table 38. FULL SQL Entity

Full Sql Full SQL statement including values.
Timestamp The timestamp records the time when the SQL is executed in the database server.
Response Time The response time for the request in milliseconds. When requests are monitored in network traffic, the response times are an accurate
reflection of the time taken to respond to the request (Guardium timestamps both the client request and the server response).
Records Affected The number of records affected for each session. On reports using this attribute, we suggest that you turn on aliases to properly display
special cases such as Large Result Set or N/A.
Returned Data Data returned for this request (if any, and if available).
Full SQL ID Unique identifier for the Full SQL.
Instance ID Unique identifier for the Full SQL instance.
Succeeded Indicates if the call succeeded.
Records Affected (Desc) When the Records Affected is a string value instead of a number, that string is stored here. For example: Large Result Set or N/A.
Access Rule Description Description of the policy rule used
Returned Data Count Number of rows returned from the SQL statement used in the policy rule.
Auto-Commit Entries are automatically numbered.
Ack Response Time Acknowledged Response Time in milliseconds.
Ingress Kbyte count Records the number of bytes in requests.
Egress Kbyte count Records the number of bytes in responses.
Statement Type The type of SQL statement
SQL: simple, direct SQL command, for example, typed directly into the CLI
RAW: PREPARE of a SQL statement for later execution, for example, conn.prepareStatement (select a from b where c=:value)
BIND: execution of a prepared statement including bound parameter values
Statement type is part of the FULL SQL entity and is only audited if you have configured Log Full Details for this statement within the
policy.
You can not filter out specific statement types in the policy, for example, audit-only SQL and BIND statements. You can, however, filter
these out in reports.
Bind Variables Values For DB2/zOS, contains a list of comma separated bind variable
Full SQL ID, Instance ID, and Succeeded are only available to users with the admin role.

FULL SQL Values Entity
These entities are created only by the following policy rule actions: Log Full Details With Values, and Log Full Details Per Session With Values.
Table 39. FULL SQL Values Entity

Values One or more values from the logged construct.
Timestamp Date and Time Full SQL Values Entity was created.
GIM Events Entity

This entity describes events that have occurred while using the Guardium Installation Manager (GIM).
Table 40. GIM Events Entity

Event Generator IP address of the client (i.e. DB-Server) which generated the event.
Event Description Event Description.
Event Time The time when the event occurred.
Group Entity
This entity describes a group that has been defined to Guardium.
Table 41. Group Entity

Group Description The name of the group.
Group Subtype Subtype, if any, defined for the group.
Timestamp Date and time the group entity was created.
Group Member Entity

This entity describes a member of a group that has been defined to Guardium.
Table 42. Group Member Entity

Group Member The name of the group member.
Timestamp Date and time the group member was created or updated.
Group Type Entity

This entity describes a type of Guardium group (user, client IP address, command, etc.).
Table 43. Group Type Entity

Group Type Identifies the group type.
Timestamp Date and time the group type was created.
Guardium Activity Types

This entity describes the various user activities
Table 44. Guardium Activity Types

Activity Type Description Description of the activity
Activity Type ID Uniquely identifies the activity type.
Guardium Role Entity

This entity (under User Entity) identifies a Guardium role.
Table 45. Guardium Role Entity


Role Identifier ID of role identified.
Role Guardium role listed.
Guardium Applications Entity

This entity (under User Entity) identifies a Guardium application.
Table 46. Guardium Applications Entity

Application Identifier ID of application identified.
Application Guardium application listed (foe example, Query Builder, Policy Builder, etc.).
Guardium Activity Types Entity

An instance is defined in the internal Guardium database for each type of activity.
Table 47. Guardium Activity Types Entity

Activity Types Description Description of an activity.
Guardium User Activity Audit Entity

This entity is created for each Guardium user activity.
Table 48. Guardium User Activity Audit Entity

Login ID ID used for login.
User Name Guardium user name for the activity.
Timestamp Created when the activity was logged.
Modified Entity The Guardium entity modified (a group definition, for example).
Entity Key Used Key used to access the entity.
Key Value New value of the entity.
All Values All values altered.
Object Description The name of specific object altered.
Global ID A unique global ID for the session.
Host Name Host name of the user.
Guardium Users Login Entity

This entity is created each time a user logs in to the Guardium appliance.
Table 49. Guardium Users Login Entity

Login ID ID used for login.
User Name Created when the Guardium user logs in or out (there will be one entity per Guardium session).
Login Date And Time Date and time user logged in.
Logout Date And Time Date and time user logged out.
Login Succeeded Indicates if login was successful.
Global Id A unique global ID for the session.
Host Name Host name of the user.
Remote Address Remote address of the user.
Host Entity
A CAS Host entity is created the first time that CAS is seen on a database server host. It is updated each time that the online/offline status changes. The Host entity is also
available in the CAS Host History domain.
Table 50. Host Entity

Host Name Database server host name (may display as IP

address)
OS Type Operating system: UNIX or WIN

Is Online Online status (Yes/No) when record was written
Host Id Identifies the host record
Host Configuration Entity

A Host Configuration entity is created for each item in a CAS instance.
Table 51. Host Configuration Entity

Audit State Label Id Unique numeric identifier for the configuration item
Timestamp Timestamp for creation of the entity
Host Name Database server host name or IP address
OS Type Operating system: Unix or Windows.
DB Type Database type: Oracle, MS-SQL, DB2, Sybase, Informix, or N/A if the change is to an operating system instance
Instance Name Name of the template set instance
Type Type of monitored item that changed.
OS Script or SQL Script: A change triggered by the OS script contained in the monitored item template definition.
Environment Variable: An environment variable (Unix only)
Registry Variable: A registry variable (Windows only)
File: A specific file. There is no host configuration entity for a file pattern defined in the template set used by the instance. Instead, there
is a separate host configuration entity for each file that matches the pattern.
Monitored Item The name of the changed item, from the Description (if entered), otherwise a default name depending on the Type (a file name, for
example).
Â Â
Host Event Entity

A host event entity is created each time an event is detected or signaled (see the event types) by CAS.
Table 52. Host Event Entity

Audit Host Event Id Identifies the host event entity
Event Time Date and time that the event was recorded
Event Type Identifies the event being recorded:
Client Up - CAS started on database server host
Client Down - CAS stopped on database server host
Failover Off - A server is available (following a disruption), so CAS data is being written to the server
Failover On - The server is not available, so CAS data is being written to the failover file
Server Down - The database server stopped
Server Up - The database server started
Audit Host Id Identifies the host
Incident Entity
Incident entities are created by incident generation processes, or manually by assigning a policy violation to an incident.
Table 53. Incident Entity

Timestamp Time the incident was created.
Category Name Category assigned to the incident.
Incident Number Incident number (assigned sequentially).

Incident Severity Entity
The incident severity description for an incident.
Table 54. Incident Severity Entity

Incident Severity Description The severity code will be one of the following:
INFO, LOW, MED, HIGH
Incident Status Entity

Describes the status of an Incident entity.
Table 55. Incident Status Entity

Status Description Will be one of the following values:
OPEN - The incident has not yet been assigned to a user.
ASSIGNED - The incident has been assigned.
CLOSED - The incident is closed.
Installed Policy Entity

Describes the installed policy.
Table 56. Installed Policy Entity

ID Identifies the policy installation record.
Rule Set Id Identifies the set of rules.
Policy Description Description from the policy definition.
Selective Audit Trail Indicates if this is a selective audit trail policy (T/F).
Audit Pattern Test pattern used for a selective audit trail policy.
Timestamp Timestamp for the creation of the record.
Sequence Sets the order of sequence when there is multiple installed policies.
Instance Config Entity

An Instance Config entity is created each time that an instance configuration is defined. This entity defines how the CAS instance connects to the database (if necessary),
and identifies the template set used by the instance. It provides current status of the instance (in use, enabled, or disabled) and the date of the last revision.
Instance Config Entity Attributes
Table 57. Instance Config Entity

Config Id Identifies this configuration record.
Timestamp Timestamp record created.
DB Type Database type: Oracle, MS-SQL, DB2, Sybase, Informix; or N/A for an operating system instance
Instance The name of the instance
User The user name that CAS uses to log onto the database; or N/A for an operating system instance.
Port The port number CAS uses to connect to the database; or empty for an operating system
instance
DB Home Dir The home directory for the database; or empty for an operating system instance
Template Set Id Identifies the template set used by this instance
OS Type Operating system of the host: UNIX or Windows
Join Entity
A join table is a way of implementing many-to-many relationships. Use join entity to join tables in a SELECT SQL statement.
Table 58. Join Entity

Join ID Unique identifier
Construct ID Identifies the construct in which the join is referenced.
Join SQL Join tables

Where SQL Where clause (join conditions)
Timestamp Date and Time that the Join Entity was created.
Local Comments Entity

This entity describes a local comment. It is available in the Comments domain only, which is restricted to admin users. This entity includes only local comments, for
processes and results sets that run locally. Comments that are sharable are defined in the Comments entity.
Table 59. Local Comments Entity

Comment Creator The Guardium user who created the comment.
Comment Reference Indicates the element to which the comment is attached - a query, audit process result, or another comment, for example.
Content of Comment The complete comment text.
Timestamp Date and time the comment was created.
Timestamp WeekDay Weekday only from the timestamp.
Object Description The name of the object from which the comment was defined. For example, a comment defined on an incident has an object description
of INCIDENT.
Record Associations A list of records that this local comment is associated with.
Â Â
Location View
How to determine what days are not archived
Use a query (Tools tab > Report Building > Report Builder > query Location View) that can be modified to create a report showing the files that are archived. This report
lists all the files with archive dates. Dates not on this report indicate that those dates have not been archived. Run archive for the dates not on the list, if required.
Table 60. Location View Entity

From Date The start date
To Date The finish date
Aggregator The Guardium system where the file was generated on. However this can be a collector, not just a
Aggregator
Host Host name
User Name Name of user
Path Path name to files
System Type What protocol was used while archiving - if it was SCP or FTP or Centera or TSM
Count of Destinations Archive destinations
Login Correlation Entity

Obsolete beginning with version 4.0 of Guardium. This was the only entity of the Access Trace Tracking domain, which was obsolete beginning with version 4.0 of S-TAP. If
you have old queries or reports using that domain, they will not work in this release, and any database login information recorded in that domain would pre-date the
installation of version 4.0 of S-TAP.
Message Text Entity

For a threshold alert, the text of the message.
Table 61. Message Text Entity

Message Text ID Uniquely identifies the message text
Message Subject Message subject (for an email message, for example).
Message Text Message text.

Messages Sent Entity
For each threshold alert message sent, the message type, recipients, status, and date of that message.
Table 62. Messages Sent Entity

Message ID Uniquely identifies the message
Message Type Type of message.
Sent To One or more recipients of message.
Message Status Status of message:
FAIL The send operation failed.
WAIT The message has not yet been sent.
SENT The message was sent.
Message Date Date message sent.
Message Context Message type:
INFO Informational message.
WARNING Possible error condition.
ALERT Real time or threshold alert.
ERROR Software or hardware error condition.
DEBUG Debugging message.
Message Originator The module creating the message; for example monitor or GuardiumJetspeedUser.
Monitor Values Entity

A monitor values entity is created for each insert, update or delete recorded, contains the details of the change (table name, action, SQL text, etc.).
Table 63. Monitor Values Entity

Timestamp Date and time the change was recorded on the Guardium appliance. This timestamp is created during the data upload operation. It is
not the time that the change was recorded on the audit database. To obtain that time, use the Audit Timestamp entity.
Server IP IP address of the database server.
DB Type Database type.
Service Name Oracle only. Database service name.
Database Name DB2, Informix, Sybase, MS SQL Server only. Database name.
Audit PK For Sybase and MS SQL Server only. A primary key used to relate old and new values (which must be logged separately for these
database types).
Audit Login Name Database user name defined in the datasource.
Audit Table Name Name of the table that changed.
Audit Owner Owner of the changed table.
Audit Action Insert, Update or Delete.
Audit Old Value A comma-separated list of old values, in the format:column-name=column_value,
Audit New Value A comma-separated list of new values, in the format:column-name=column_value,
SQL Text Available only with Oracle 9. The complete SQL statement causing the value change.
Triggered ID Unique ID (on this audit database) generated for the change.
Audit Timestamp Date and time that the trigger was executed.
Audit Timestamp Date Date portion of Audit Timestamp.
Audit Timestamp Time Time portion of Audit Timestamp.
Audit Timestamp WeekDay Day of week of the Audit Timestamp.

Audit Timestamp Year Year of the Audit Timestamp.
Monitored Changes Entity

This entity is created each time a monitored item changes. It identifies the monitored item within the CAS instance, and points to the saved data for the change.
Table 64. Monitored Changes Entity

Change Identifier Unique identifier for the change
Sample Time Timestamp (date and time on host) that sample was taken
Audit Config Id Identifies the host configuration
Saved Data Id Identifies the Saved Data entity for this change
Audit State Label Id Identifies the Host Configuration entity for this change
Timestamp Date and time this change record was created on the server (Guardium appliance server clock)
MD5 Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the
value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater
than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not
MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values
saved the last time the item was checked.
Owner Unix only. If the item type is a file, the file owner
Permissions Unix only. If the item type is a file, the file permissions
Size File size, but there are special values as follows:
-1 = File exists, but has a zero bytes
0 (zero) = File does not exist, but this file name is being monitored (it never existed or may have been deleted)
Last Modified Timestamp for the last modification, taken from the file system at the sample time
Last Modified Date Date for the last modification
Last Modified Time Time for the last modification
Last Modified Weekday Day of week for the last modification
Last Modified Year Year for the last modification
Group Unix only. If the item type is a file, the group owner
Monitored Item Details Entity

A Monitored Item Details entity is created for each monitored item in a CAS instance.
Table 65. Monitored Item Details Entity

Audit Config Id Identifies the host configuration
Template ID Identifies the item template for this monitored item
Monitored Item Depending on the Audit Type, this is the OS or SQL script, environment, or registry variable, or file name. Regarding a file pattern defined
in an item template, there will be a separate monitored item detail entity for each file that matches the pattern, but there is no
monitored item details entity for the file pattern itself. If a file pattern is used, it is always available in the Template Content attribute.
Audit Config Set Id Identifies the template set in the host configuration
Audit Type Type of monitored item:
OS Script or SQL Script: The actual text or the path to an operating system or SQL script, whose output will be compared with the output
produced the next time it runs
Environment Variable or Registry Variable: An environment variable or a (Windows) registry variable
File: A specific file or a pattern to identify a set of files
Enabled Indicates whether or not the template is enabled
In Synch Indicates whether or not the template item definition on the server matches the template item definition on the CAS host
Audit Frequency The maximum interval at which the item is to be tested

Use MD5 Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the
Save Data When marked, previous version of the item can be compared with the current version
Description Optional description of the instance
Template Content The template entry that is the basis for this monitored item, set from the Template entity Access Name attribute when the instance was
created. Typically this will be the same as the monitored item, but in the case where a file pattern was used in the template, this will be
the file pattern
Object Entity
An instance of this entity is created for each object in a unique schema.
Table 66. Object Entity

Object Id Uniquely identifies the object.
Construct Id Uniquely identifies the construct in which the object is referenced.
Schema Database schema for the object.

Note: This attribute is deprecated since it is never populated
Object Name Name of the object.
App Object Module1 Uniquely identifies the application object module.
Object Id and Construct Id are available to users with the admin role only.
Object Command Entity

Describes an object-command entity.
Table 67. Object Command Entity

Object/Command An object value combined with a command value.
Object Field Entity

Describes an object-field entity. Note fields with no objects will not show up in reports that include the object.
Table 68. Object Field Entity

Object/Field An object value combined with a field value.
Policy Rule Violation Entity

This entity is created each time that a policy rule violation is logged. Not all policy rule violations are logged - see the description of the rule actions in Chapter 11: Building
Policies. The access rule causing the violation will be available in the dependent Access Rule Entity (described earlier).
Table 69. Policy Rule Violation Entity

Violation Log Id Uniquely identifies the violation entity.
Application User Name Name of the user creating the policy rule violation.
Full SQL String SQL string causing the policy rule violation.
Timestamp Created when the policy rule violation is logged. Not all policy rule violations are logged - see the description of the rule actions in
Chapter 11: Building Policies.
Message Sent The text of the policy rule violation message that was sent.
Total Occurrences Occurrence count that triggered the violation.
Application Event Id Application event ID (if any - these are set using the application events API)
Access Rule Description The description of the rule from its definition.
Category Name Category defined for the rule.
Severity Severity defined for the rule (the severity of an incident to which this is assigned may be different).

Incident Number If assigned to an incident, this is the incident number.
Classification Name Name of classification process.
Construct ID Uniquely identifies the construct in which it was referenced.
CLS Process Run ID Classification process job execution ID.
Violation Log Id are available to users with the admin role only.
Qualified Object Entity

A tuple allows multiple attributes to be combined together to form a single group member. In this case, the fields Server IP, Service name, DB name, DB user and Object
are combined together.
Table 70. Qualified Object Entity

Qualified Object Tuple - Server IP, Service name, DB name, DB user, Object
Rogue Connections Entity

An instance is created for each database connection seen by the S-TAP Hunter process, but not by S-TAP itself, indicating that the connection has bypassed the access
paths monitored by S-TAP.
Table 71. Rogue Connections Entity

Timestamp A timestamp value created when the Guardium appliance records the rogue connection reported by the Hunter.
Server Host Name Database server host name.
Source Program Source program name for the connection.
Source Port Source port for the connection.
Source PID Source process ID.
Target Program Target program name for the connection.
Target Port Target port for the connection.
Target PID Target process ID.
OS User Operating system user account name.
IPC Type Type of inter-process communications used for the connection, which may be from the following list:
SHM Shared memory
IPv4 Internet Protocol version 4
IPv5 Internet Protocol version 6
FIFO Named pipe
PIPE Simple pipe
INET Internet Protocol (HPUX)
DB Server Type Database server type: Oracle, DB2, Informix, or Sybase.
Rule Entity
Can be used for Installed policy rule entity or access policy rule entity. There is one for each rule of the installed policy/policies or access policy/policies. Apart from the ID
fields (which uniquely identify components on the internal database), all of these fields are described in the Policies help topic.
GDM_INSTALLED_POLICY_RULES_ID - Identifies an installed policy rule.

ACCESS_RULE_ID - Identifies an access rule.
Rule Description - From the policy definition.
Rule Position - Position within the policy.
Rule Type - Access, Exception, or Extrusion.
LAST_ACCESSED - Last

Client IP - From the rule definition.
Client Net Mask - From the rule definition.
Client IP Group - From the rule definition.
Server IP - From the rule definition.
Server IP Mask - From the rule definition.
Client MAC - From the rule definition.
Net Protocol - From the rule definition.
Net Protocol Group - From the rule definition.
Field - From the rule definition.
Field Group - From the rule definition.
Object - From the rule definition.
Object Group - From the rule definition.
Command - From the rule definition.
Command Group - From the rule definition.
Object-Field Group - From the rule definition.
DB Type - From the rule definition.
Service Name - From the rule definition.
Service Name Group - From the rule definition.
DB Name - From the rule definition.
DB Name Group - From the rule definition.
DB User - From the rule definition.
DB User Group - From the rule definition.
App. User - From the rule definition.
App User Group - From the rule definition.
OS User - From the rule definition.
OS User Group - From the rule definition.
Src App. - From the rule definition.
Source Program Group - From the rule definition.
Pattern/ XML Pattern - From the rule definition.
Period - From the rule definition.
Min. Ct. - From the rule definition.
Reset Interval - From the rule definition.
Continue to next Rule/ Revoke - From the rule definition.
Rec. Vals. - From the rule definition.
App Event Exists - From the rule definition.
Event Type - From the rule definition.
App Event Text Value - From the rule definition.
App Event Date Value - From the rule definition.
Event User Name - From the rule definition.
Error Code - From the rule definition.
Exception Type - From the rule definition.
Category Name- From the rule definition.
Classification Name - From the rule definition.
Severity - From the rule definition.
Data Pattern - From the rule definition.
SQL Pattern - From the rule definition.
Masking Pattern - From the rule definition.
Client IP/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Sever IP/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Net Protocol/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Field Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Object Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Command/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Service Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
DB Name/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
App. User/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
OS User/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Source Program/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
Error Code/ Group - Provides the ability to display a single attribute and its related (if any) in a single column of the report.
App. Event Text/ Numeric/ Date - The application events text, numeric, and date attributes.
Category/ Classification - The combined category and classification for the rule.
GDM_Installed_Policy_Header_ID - Identifies an installed policy header.
Note: GDM_INSTALLED_POLICY_RULES_ID and ACCESS_RULE_ID are available to users with the admin role only.
Rule Action Entity

Can be used Installed policy rule action entity or access policy rule action entity. There is one for each rule of the installed policy/policies or access policy/policies .
Sequence - Sequence of the action within the rule.

Action
Block the request - See Blocking Actions in Policies.
Log or ignore the violation or the traffik - See Log or Ignore Actions in Policies.
Alert - See Alerting Actions in Policies.
Saved Data Entity

A Saved Data entity is created each time a change is detected for an item being monitored, if the Keep data box is marked for that item in the item template definition.
Table 72. Saved Data Entity

Saved Data ID Uniquely identifies the saved data item
Saved Data The actual data saved
Timestamp Timestamp for when the saved data entity was recorded in the server database
Change Identifier Identifies the monitored changes entity for this saved data entity
Saved Data ID is only available to users with the admin role.
Server IP-Server Port Entity

Describes a server IP-server port entity.
Table 73. Server IP-Server Port Entity

Server IP/Server Port A server IP value combined with a server port value.
Session Entity
This entity is created for each Client/Server database session.
Table 74. Session Entity

Global ID Uniquely identifies the session - access.
Session ID Uniquely identifies the session.
Access ID Uniquely identifies the access period.
Timestamp Initially, a timestamp created for the first request on a client-server connection where there is not an active session in progress. Later, it
is updated when the session is closed, or when it is marked inactive following an extended period of time with no observed activity.
When tracking Session information, you will probably be more interested in the Session Start and Session End attributes than the
Timestamp attribute.
Session Start Date and time session started. Session Start is also a Main Entity. Access this secondary entity by clicking on the Session primary entity.
Session Start Date Date only from the Session Start.
Session Start Time Time only from the Session Start.
Session Start Weekday Weekday only from the Session Start.
Session Start Year Year only from the Session Start.
Client Port Client port number.
Server Port Server port number.
Inactive Flag Default 0 - Open for sessions generated by SQL package.
1 - Closed (disconnect/ logout received).
2 - Probably closed; unclosed with no packets for a long time.
3 - For sessions generated from non-SQL packets.
TTL Reserved for admin role use only.
Session End Date and time the session ended. Session End is also a Main Entity. Access this secondary entity by clicking on the Session primary
entity.
Session End Date Date only from the Session End.
Session End Time Time only from the Session End.
Session End Weekday Weekday only from the Session End.
Session End Year Year only from the Session End.
Database Name Name of database for the session (MSSQL or Sybase only).
Note: For Oracle, Database Name may contain additional and application specific information such as the currently executing module
for a session that has been set in the MODULE column of the V$SESSION view
Session Ignored Indicates whether or not some part of the session was ignored (beginning at some point in time).
Ignored Since Timestamp created when starting to ignore this session.
Uid Chain For a session reported by Unix S-TAP (K-Tap mode only), this shows the chain of OS users, when users su with a different user name.
The values that appear here vary by OS platform - for example, under AIX the string IBM IBM IBM may appear as a prefix.
Note: For Solaris Zones, user ids may be reported instead of user names in the Uid Chain.

Old Session ID Points to the session from which this session was created. Zero if this is the first session of the connection.
Terminal Id Terminal ID of the connection, used internally to resolve session information.
Process ID The process ID of the client that initiated the connection (not always available).
Uid Chain Compressed Values compressed. See Uid Chain.
Duration (secs) Indicates the length of time between the Session Start and the Session End (in seconds).
Global ID, Session ID, and Access ID are only available to users with the admin role.
Severity Entity
The incident severity for an incident or policy violation
Table 75. Severity Entity

Severity Description The severity code will be one of the following:
INFO, LOW, MED, HIGH
Sniffer Buffer Usage Entity

The system creates this entity at the interval set by the store system netfilter-buffer-size CLI command (every 60 seconds by default).
Table 76. Sniffer Buffer Usage Entity

% CPU Sniffer Percentage of CPU used by sniffer.
% Mem Sniffer Percentage of memory used by sniffer.
% CPU Mysql Percentage of CPU used by MySQL.
% Mem Mysql Percentage of memory used by MySQL.
Sniffer Process ID Sniffer process identifier.
Mem Sniffer Amount of memory used by sniffer.
Time Sniffer Elapsed time used by sniffer.
Free Buffer Space Amount of free buffer space.
Analyzer Rate Rate at which messages being analyzed.
Logger Rate Rate at which messages being logged.
Analyzer Queue Length Size of the analyze queue.
Analyzer Total Total number of messages analyzed.
Logger Queue Length Size of logger queue.
Logger Total Total number of message logged.
Session Queue Length Size of session queue.
Session Total Total number of sessions.
Handler Data Internal sniffing engine data.
Extra Info Internal sniffing engine data.
Analyzer Lost Packets Packets lost by analyzer.
Eth0 Received Messages received on ETH 0.
Eth0 Sent Messages sent on ETH 0.
Logger Dbs Monitored List of database types currently being monitored.
Logger Packets Ignored by Packets ignored by policy rule action.

Rule
Logger Session Count Count of sessions logged.
Mysql Disk Usage MySQL disk usage.
Mysql Is Up Boolean indicator for internal database restart (1=was restarted, 0=not restarted).
Promiscuous Received Rate of received packets through the sniffing network cards (non-interface ports).
Sniffer Connections Ended Total number of connections that were monitored and have ended since inspection engine was restarted.

Sniffer Connections Used Total number of connections currently being monitored since inspection engine was restarted.
Sniffer Packets Dropped Packets dropped by sniffer.
Sniffer Packets Ignored Packets ignored by sniffer.
Sniffer Packets Throttled Total number of connections that have been ignored due to throttling since inspection engine was restarted.
System Cpu Load System CPU utilization.
System Memory Usage System memory utilization.
System Root Disk Usage System Root disk utilization.
System Uptime Time since last start-up.
System Var Disk Usage System var disk utilization.
Sessions normal Count of normal sessions.
Sessions not opened Count of sessions not opened by sniffer.
Sessions timeout Count of sessions timed-out.
Sessions ignored Count of sessions ignored by sniffer.
Session Direct closed Count of sessions directly closed .
Session guessed Count of sessions guessed.
Open FDs Open File Descriptors.
DB Open FDs Database open File Descriptors
Di Rate Â
Di Queue Length Â
Di Total Â
Di Lost Packets Â
Flat Log Requests Flat log requests.
SQL Based Assessment Definition

This entity describes a SQL based assessment definition
Table 77. SQL Based Assessment Definition

Bind Out Var Optional. Determines if the entered text in SQL statement is a procedural block of code that will return a value that should be bound to
an internal Guardium variable that will be used in the comparison to the Compare to value.
Compare To Value Compare value that will be used to compare against the return value from the SQL statement using the compare operator.
External Reference Reference to the Center for Internet Security (CIS) or Common Vulnerabilities and Exposures (CVE).
Operator Operator that will be used for the condition.
Recommendation Text Fail The Recommended text for fail that will be displayed when the test fails.
Recommendation Text Pass The Recommended text for pass that will be displayed when the test passes.
Result Text Fail The Result text for fail that will be displayed when the test fails.
Result Text Pass The Result text for pass that will be displayed when the test passes.
Return Type The Return type that will be returned from the SQL statement.
Short Description The short description for the assessment test.
SQL For Details A SQL Statement for Detail, a SQL statement that retrieves a list of strings to generate a detail string of Detail prefix + list of strings.
SQL The SQL statement that will be executed for the test.
SQL Entity
SQL Entity
This entity is created for each unique string of SQL. Values are replaced by question marks - only the format of the string is stored.
Table 78. SQL Entity

Sql SQL string.
Construct ID Uniquely identifies the construct in which the SQL appeared
Bind Info Bind information for this SQL string.
Truncated SQL Indicates if the SQL has been truncated or not where:
0 - false/no, not truncated
1 - true/yes, truncated

Task Receiver Entity
Indicates the action required by the results receiver.
Table 79. Task Receiver Entity

Action Required Indicates if signing action is required.
Task Results To-Do List Entity

Indicates the current status of the results.
Table 80. Task Results To-Do List Entity

Status Indicates the current status of the results.
(Esca) Action Required Indicates if to-do list action is required.
Action Required Indicates if signing action is required.
Template Entity
A CAS template entity is created for each item template within a template set. An item is a specific file or file pattern, an environment or registry variable, the output of an
OS or SQL script, or the list of logged-in users.
Table 81. Template Entity

Template ID A unique identifier for the item template within the set of all item templates
Template Set ID Unique identifier for the template set
Access Name Depending on the Audit Type, this is the OS or SQL script, environment or registry value, or a file name or a file name pattern
Audit Type The type of monitored item
Audit Frequency (Min) The maximum interval (in minutes) between tests
Use MD5 Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the
Save Data Indicates if the Keep data checkbox has been marked. If so, previous versions of the item can be compared with the current version
Editable Indicates whether or not this template can be modified. The default Guardium templates cannot be modified. In addition once a
template set has been used in a CAS instance, it cannot be modified. In any case, a template set can always be cloned and the cloned
set can be modified
Description Optional description of the template
Timestamp Date and time this template was last updated
Template ID and Template Set ID are only available to users with the admin role.
Template Set Entity

A CAS Template Set entity is created for each template set, which is a set of template items for a particular operating system or database.
Table 82. Template Set Entity

Template Set Id A unique identifier for the template set, numbered sequentially
OS Type Operating system: Unix or Windows
DB Type Database Type: Oracle, MS-SQL, DB2, Sybase, Informix, or N/A for an operating system template
Template Set Name The template name
IsDefault Indicates whether or not this template is the default for the specified OS Type and DB Type combination
Editable Indicates whether or not this template can be modified. The default Guardium templates cannot be modified. In addition once a
template set has been used in a CAS instance, it cannot be modified. In any case, a template set can always be cloned and the cloned
set can be modified
Timestamp Date and time the template was last updated
Template Set ID is only available to users with the admin role.
Test Result Entity

This entity is created for each set of test results.
Table 83. Test Result Entity

Test Result Id Identifies the test result.
Assessment Result Id Identifies the assessment results set.
Test Id1 Identifies the test.
Assessment Test Id Identifies the assessment test (task).
Test Score Returned test score.
Report Result Id Identifies the report result.
Parameter Modified Flag Indicates if parameters were modified since the last test.
Result Text Text returned by the test.
Test Description Description from the test definition.
Recommendation Recommendation returned by the test.
Score Description Description of the score.
Threshold String The threshold prompt for the test (e.g. Maximum Number of Different IP's Allowed per user)
Severity Severity assigned for the test result.
Category Category for the test result.
Assessment Result data Identifies the test result data source.

source Id1
Result Details Details of the test.
Exceptions Group Desc Exceptions Group Description. Populated when test is executed.
Test Result ID, Assessment Result ID, and Assessment Test ID are only available to users with the admin role.
Threshold Alert Details Entity

This entity is created each time that a correlation alert is triggered.
Table 84. Threshold Alert Details Entity

Alert Log ID Uniquely identifies the alert details entity.
Query Value Value returned by query.
Base Value Value assigned for the statistical alert.
Checked From Date The starting date and time checked for by the alert condition.
Checked To Date The ending date and time checked for by the alert condition.
Alert Threshold Alert threshold defined for the alert.
Notification Sent Text of notification sent.
Timestamp Created only once, when the statistical alert is logged.
Alert Description The description contained in the alert definition.
Alert Log ID is only available to users with the admin role.
Unit Utilization Level

Several unit utilization reports are provided by default at Manage > Reports > Unit Utilization, including:
Unit Utilization: Displays the maximum unit utilization level for each unit in the given timeframe. There is a drill-down that displays details for a unit across all
periods within the timeframe of the report.
Unit Utilization Distribution: Per-unit, this report displays the percent of periods in the report timeframe with utilization levels of low, medium, and high.
Utilization Thresholds: This predefined report displays all low and high threshold values for all unit utilization parameters.
Unit Utilization Daily Summary - Provides a daily summary of unit utilization data.
In addition, Units Utilization Levels tracking enables users to create custom queries and reports.
Tip: Enable aliases for all custom and pre-defined reports using unit utilization data to ensure that unit utilization levels are displayed as meaningful strings instead of
numbers. For example, low, medium, and high instead of 1, 2, or 3.
The list of attributes includes:
Host name
Period start
Number of restarts
Number of restarts level
Sniffer memory
Sniffer memory Level
Percent MySQL memory
Percent MySQL memory level
Free buffer space
Free buffer space level
Analyzer queue

Analyzer queue level
Logger queue
Logger queue level
MySQL disk usage
MySQL disk usage level
System CPU load
System CPU load level
System var disk usage
System var disk usage level
Overall unit utilization level
Number of requests
Number of requests level
Number of full SQLs
Number of full SQLs level
Number of exceptions
Number of exceptions level
Number of policy violations
Number of policy violations level
Number of flat log requests
Number of flat log requests level
Note: Each parameter has a value and a level which is calculated based on the value and the thresholds.
User Entity
Identifies the Guardium user defined as an audit process results receiver.
Table 85. User Entity

Login Name Guardium user name.
First Name First name for the Guardium user.
Last Name Last name for the Guardium user.
EMAIL Address Email address defined for the Guardium user.
Last Active Timestamp for last activity for this user.

You can use database entitlement reports to verify that users have access only to the appropriate data. Your Guardium system includes predefined database entitlement
reports for several database types.
Note: DB Entitlements Reports are optional components enabled by product key. If these components have not been enabled, the choices listed below do not appear in
the Custom Domain Builder/Custom Domain Query/Custom Table Builder selections.
The predefined entitlement reports are listed as follows. They appear as domain names in the Custom Domain Builder/Custom Domain Query/ Custom Table Builder
selections:
Oracle DB Entitlements Domains

MYSQL DB Entitlements Domains
DB2Â® DB Entitlements Domains
DB2 for i 6.1 and 7.1 DB Entitlements Domains
SYBASE DB Entitlements Domains
InformixÂ® DB Entitlements Domains
Microsoft SQL Server Entitlements Domains
NetezzaÂ® DB Entitlements Domains
Teradata DB Entitlements Domains
PostgreSQL DB Entitlements Domains
See also Entitlement Optimization.
The following domains are provided to facilitate uploading and reporting on Oracle DB Entitlements. Each of the following domains has a single entity (with the same
Oracle
ORA Accnts of ALTER SYSTEM - Accounts with ALTER SYSTEM and ALTER SESSION privileges
ORA Accnts with BECOME USER - Accounts with BECOME USER privileges
ORA All Sys Priv and admin opt - Report showing all system privilege and admin option for users and roles
ORA Obj And Columns Priv - Object and columns privileges granted Â (with or without grant option)
ORA Object Access By PUBLIC - Object access by PUBLIC
ORA Object privileges - Object privileges by database account not in the SYS and not a DBA role
ORA PUBLIC Exec Priv On SYS Proc - Execute privilege on SYS PL/SQL procedures assigned to PUBL
ORA Roles Granted - Roles granted to users and roles

ORA Sys Priv Granted - Hierarchical report showing system privilege granted to users including recursive definitions (i.e. privileges assigned to roles and then these
roles assigned to users
ORA SYSDBA and SYSOPER Accnts - Accounts with SYSDBA and SYSOPER privileges
work.
grant select on sys.dba_tab_privs to sqlguard;
grant select on sys.dba_roles to sqlguard;
grant select on sys.dba_users to sqlguard;
grant select on sys.dba_role_privs to sqlguard;
grant select on sys.dba_sys_privs to sqlguard;
grant select on sys.obj$ to sqlguard;
grant select on sys.user$ to sqlguard;
grant select on sys.objauth$ to sqlguard;
grant select on sys.table_privilege_map to sqlguard;
grant select on sys.dba_objects to sqlguard;
grant select on sys.v_$pwfile_users to sqlguard;
grant select on sys.dba_col_privs to sqlguard;
The following domains are provided to facilitate uploading and reporting on MYSQL DB Entitlements. Each of the following domains has a single entity (with the same
MYSQL: The queries ending in "_40" use the most basic version of the mysql schema (for MySQL 4.0 and beyond). The information_schema has not changed since it was
introduced in MySQL 5.0, so there is a set of _50 queries, but no _51 queries. The _50 queries work for MySQL 5.0 and 5.1 and for 6.0 when it comes out, since the
information_schema is not expected to change in 6.0. The queries ending in "_502" (MYSQL502) use the new information_schema, which contains much more
information and is much more like a true data dictionary.

The following list details the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to work.
Note: In addition to the privileges required, the user should connect to the MYSQL database to upload the data.
The entitlement queries for all MySQL versions through MySQL 5.0.1 use this set of tables: mysql.db mysql.host mysql.tables_priv mysql.user
Beginning with MySQL 5.0.2, and for all later versions, the entitlement queries use this set of tables: information_schema.SCHEMA_PRIVILEGES mysql.host
information_schema.TABLE_PRIVILEGES information_schema.USER_PRIVILEGES
If a datasource has a MYSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading
data will loop through all MYSQL databases the user has access to.
DB2 DB Entitlements
The following domains are provided to facilitate uploading and reporting on DB2 DB Entitlements. Each of the following domains has a single entity (with the same name),
and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder/Custom Domain Query/ Custom Table Builder
DB2 Column-level Privileges (SELECT, UPDATE, ETC.)

DB2 Database -level Privileges (CONNECT, CREATE, ETC.)
DB2 Index-level Privilege (CONTROL)

DB2 Package-level Privileges (on code packages â€“ BIND, EXECUTE, ETC.)
DB2 Table-level Privileges (SELECT, UPDATE, ETC.) DB2 Privilege Summary
work.
GRANT SELECT ON SYSCAT.COLAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.INDEXAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PACKAGEAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.TABAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.SCHEMAAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PASSTHRUAUTH TO SQLGUARD;
DB2 z/OS entitlements

The following domains are provided to facilitate uploading and reporting on DB2 for z/OS DB Entitlements.
DB2 zOS Executable Object Privs Granted To PUBLIC
DB2 zOS Object Privs Granted To PUBLIC
DB2 zOS System Privs Granted To GRANTEE -V8
DB2 zOS System Privs Granted To GRANTEE -V9
DB2 zOS System Privs Granted To GRANTEE -V10 Up
DB2 zOS Database Privs Granted To GRANTEE
DB2 zOS Schema Privs Granted To GRANTEE -V9 Up
DB2 zOS Schema Privs Granted To GRANTEE -V8 Only
DB2 zOS Database Resource Granted To GRANTEE
DB2 zOS Object Privs Granted To GRANTEE
DB2 zOS System Privs Granted With GRANT -V8
DB2 zOS System Privs Granted With GRANT -V9
DB2 zOS System Privs Granted With GRANT -V10 Up
DB2 zOS Database Resource Granted To PUBLIC
DB2 zOS Schema Privs Granted To PUBLIC
DB2 zOS Database Privs Granted To PUBLIC
DB2 zOS System Privs Granted To PUBLIC -V10 Up
DB2 zOS System Privs Granted To PUBLIC -V9
DB2 zOS System Privs Granted To PUBLIC -V8
DB2 zOS Object Privs Granted With GRANT
DB2 zOS Database Resource Granted With GRANT
DB2 zOS Schema Privs Granted With GRANT-V8 Only
DB2 zOS Schema Privs Granted With GRANT-V9 Up
DB2 zOS Database Privs Granted With GRANT
DB2 for i 6.1 and 7.1 DB Entitlements

The following domains are provided to facilitate uploading and reporting on DB2 for i DB Entitlements. Each of the following domains has a single entity (with the same
Use the script, gdmmonitor-db2-IBMi.sql, to detail the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to
work.
Object privileges granted to grantee (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)

Object privileges granted to PUBLIC (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
Executable Objects privileges granted to PUBLIC (Object type: package and Routine)
Object privileges granted to grantee with GRANT OPTION (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
All of the object privileges exclude default system schemas from a predefined Guardium group called "DB2 for i exclude system schemas - entitlement report". Please add
to this group for schema that should be excluded.
The following domains are provided to facilitate uploading and reporting on SYBASE DB Entitlements. Each of the following domains has a single entity (with the same
SYBASE System Privilege and Roles Granted to User including Grant option
SYBASE Role Granted to User and System Privileges Granted to user and role including Grant option
SYBASE Object Access by Public
SYBASE Execute Privilege on Procedure, function assigned To Public
SYBASE Accounts with System or Security Admin Roles
SYBASE Object and Columns Privilege Granted with Grant option
SYBASE Role Granted To User
work.
grant select on master.dbo.sysloginroles to sqlguard
grant select on master.dbo.syslogins to sqlguard
grant select on master.dbo.syssrvroles to sqlguard
Â
/*These are required on every database, including MASTER */
grant select on sysprotects to sqlguard
grant select on sysusers to sqlguard
grant select on sysobjects to sqlguard
grant select on sysroles to sqlguard
If a datasource has a SYBASE database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading
data will loop through all SYBASE databases the user has access to.
SYBASE IQ Entitlements
Supported version: sybase IQ 15 and above.
The following custom table definition are created to upload data: (you can ignore the id.)
139 | SybaseIQ15 Object Privileges By DB User
140 | SybaseIQ15 Object Privileges By Group
141 | SybaseIQ15 System Authority And Group Granted To User
142 | SybaseIQ15 System Authority And Group Granted To User And Group
143 | SybaseIQ15 Object Access By Public
144 | SybaseIQ15 Exec priv on proc func to PUBLIC
145 | SybaseIQ15 User Group With DBA Perms Admin etc
146 | SybaseIQ15 Table View priv granted with grant
147 | SybaseIQ15 Group granted to user and group
148 | SybaseIQ15 Login policy for user group with login
Corresponding query/reports are as follows: (you can ignore the id.)
597 | SybaseIQ15 Object Privileges By DB User
598 | SybaseIQ15 Object Privileges By Group
599 | SybaseIQ15 System Authority And Group Granted To User

600 | SybaseIQ15 System Authority And Group Granted To Users And Groups Grantee
601 | SybaseIQ15 Object Access By Public
602 | SybaseIQ15 Execute Privilege On Procedure and Function To PUBLIC
603 | SybaseIQ15 User Group With DBA/Perms Admin/User Admin/Remote DBA database authority
604 | SybaseIQ15 Table View Priv Granted With Grant
605 | SybaseIQ15 Group Granted To User And Group
606 | SybaseIQ15 Login Policy For User And Group With Login Option Setting
They can be found under db entitlements with the others.
=========================================================================================
Description of each - some of them are self explained. some may need a few extra words:
1 /*
Object privileges by database user.
Object include: Table, views, procedure and functions.
These are privilege granted to users only, not including group or membership in group.
*/
2. /*
Object privileges by group.
Object inlcude: Table, views, procedure and functions.
These are privilege granted to group only.
*/
3 /* System Authority And Group Granted To Users.
*/
4 /* System Authority And Group Granted To Users And Groups Grantee.
*/
5 /* object access by public.
Including Tables, Views, Functions and Procedures
*/
6 /* Execute privilege on procedures and functions granted to PUBLIC:
*/
7 /* Users and groups with DBA, Perms Admin, User Admin or Remote DBA database authority.
*/
8 /* Tables and Views privileges granted with grant option to users and groups.
Note, this is the only grant option type allow in Sybase IQ. Routines cannot be grant with grant option.
*/
9 /* Group granted to users and group.
*/
10 /* Login policy assigned to user and group with login option setting */
How to use GuardAPI to add a datasource to Sybase IQ reports

How to use GuardAPI to add a datasource to each of the Sybase IQ reports and how to execute them.
See the examles below on how to add a datasource to each of the new reports and then execute each report.
Add a datasource for all Sybase IQ Entitlement Reports
grdapi create_datasource type="Sybase IQ" user=ent password=Guardium123 host=9.70.144.152 name="Sybase IQ entitlement6"

shared=true owner=admin application=CustomDomain port=2638 dbName=sn5qpuff
Add a datasource to all Sybase IQ Entitlement Reports
grdapi create_datasourceRef_by_name application=CustomTables objName="SybaseIQ15 Exec priv on proc func to

PUBLIC"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 Group granted to user and group"
datasourceName="Sybase IQ entitlement 6"

grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 Login policy for user group with
login"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 Object Access By Public" datasourceName="Sybase IQ
entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 Object Privileges By DB User"
datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 Object Privileges By Group" datasourceName="Sybase
IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 System Authority And Group Granted To
User"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 System Authority And Group Granted To User And
Group"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 Table View priv granted with
grant"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="SybaseIQ15 User Group With DBA Perms Admin
etc"datasourceName="Sybase IQ entitlement 6"
Execute ALL SybaseIQ Entitlement Reports
grdapi upload_custom_data tableName=SYBASEIQ15_EXEC_PRIV_ON_PROC_FUNC_TO_PUBLIC

grdapi upload_custom_data tableName=SYBASEIQ15_GROUP_GRANTED_TO_USER_AND_GROUP
grdapi upload_custom_data tableName=SYBASE_OBJ_COL_PRIVS_GRANTED_WITH_GRAN
grdapi upload_custom_data tableName=SYBASEIQ15_OBJECT_ACCESS_BY_PUBLIC
grdapi upload_custom_data tableName=SYBASEIQ15_OBJECT_PRIVS_BY_DB_USER
grdapi upload_custom_data tableName=SYBASEIQ15_OBJECT_PRIVILEGES_BY_GROUP
grdapi upload_custom_data tableName=SYBASEIQ15_SYSTEM_AUTHORITY_AND_GROUP_GRANTED_TO_USER grdapi upload_custom_data
tableName=SYBASEIQ15_SYSTEM_AUTHORITY_AND_GROUP_GRANTED_TO_USER_AND_GROUP grdapi upload_custom_data
tableName=SYBASEIQ15_TABLE_VIEWS_PRIV_GRANTED_WITH_GRANT grdapi upload_custom_data
tableName=SYBASEIQ15_USER_GROUP_WITH_DBA_PERMS_ADMIN_ETC
Informix DB Entitlements
The following domains are provided to facilitate uploading and reporting on Informix DB Entitlements. Each of the following domains has a single entity (with the same
Informix Object Privileges by database account not including system account and roles
Informix database level privileges, roles and language granted to user including grant option
Informix database level privileges, roles and language granted to user and role including grant option
Informix Object Grant to Public
Informix Execute Privilege on Informix procedure and function granted to Public
Informix Account with DBA Privilege Informix Object and columns privileges granted with Grant option
Informix Role Granted To User and Role
used in the query (which is hidden for all entitlements). The following list (with comment line heading) details the minimal privileges required, in the database table (or
view of the database table), in order for the entitlement to work.
Since all users have sufficient privileges for system catalog SELECT privileges, there is no need to grant privilege to any user. Informix doesn't seem to like granting system
catalog to users. The grant below would normally be used. Â But in this case they are not required.
grant select on systables to sqlguard;
grant select on systabauth to sqlguard;
grant select on sysusers to sqlguard;
grant select on sysroleauth to sqlguard;
grant select on syslangauth to sqlguard;
grant select on sysroutinelangs to sqlguard;
grant select on sysprocauth to sqlguard;
grant select on sysprocedures to sqlguard;
grant select on syscolauth to sqlguard;
If a datasource has a Informix database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading
data will loop through all Informix databases the user has access to.
Microsoft SQL Server 2000 DB Entitlements

The following domains are provided to facilitate uploading and reporting on MSSQL 2000 DB Entitlements. Each of the following domains has a single entity (with the
same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder/Custom Domain Query/ Custom Table
Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these
domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
MSSQL2000 Object Privilege By database account not including default system user
MSSQL2000 Role/System Privileges Granted to User including grant option
MSSQL2000 Role granted to user and role. System Privileges Granted to User and Role including grant option
MSSQL2000 Object Access by PUBLIC
MSSQL2000 Execute Privilege on System Procedures and functions to PUBLIC
MSSQL2000 Database accounts with db_owner and db_securityadmin role

MSSQL2000 Server account with sysadmin, serveradmin and security admin /* only run this entitlement against MASTER database */
MSSQL2000 Object and columns privileges granted with grant option
MSSQL2000 Role granted to user and role
work.
Â
grant select on dbo.syslogins to sqlguard
Â
/*These are required on every database including MASTER */
grant select on dbo.sysprotects to sqlguard
grant select on dbo.sysusers to sqlguard
grant select on dbo.sysobjects to sqlguard
grant select on dbo.sysmembers to sqlguard
Microsoft SQL Server 2005 and later DB Entitlements

The following domains are provided to facilitate uploading and reporting on Microsoft SQL Server 2005 and later DB Entitlements. Each of the following domains has a
single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder/Custom Domain
Query/ Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions
of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
Note: Objects in Dynamic query Strings will NOT be shown in xxx_DEPENDENCIES. An object in an EXECUTE IMMEDIATE SQL string called by a stored program unit does
not show dependency. This query exclude schema owner defined in group ID 202 "Dependencies_exclude_schema-MSSQL". User has the ability to add or subtract
schema name from this group for the dependencies query.
MSSQL2005/8 Object privileges by database account not including default system user.
MSSQL2005/8 Role/System privileges granted To User
MSSQL2005/8 Role/System Privilege granted to user and role including grant option
MSSQL2005/8 Object access by PUBLIC
MSSQL2005/8 Execute Privilege on System Procedures and functions to PUBLIC
MSSQL2005/8 Database accounts of db_owner and db_securityadmin Role
MSSQL2005/8 Server account of sysadmin, serveradmin and security admin /* only run against MASTER database */
MSSQL2005/8 Object and columns privileges granted with grant option
MSSQL2005/8 Role granted to user and role.
work.
Â
/*These are required on MASTER database */
grant select on sys.server_principals to sqlguard
Â
/*These are required on every databases including MASTER */
grant select on sys.database_permissions to sqlguard
grant select on sys.database_principals to sqlguard
grant select on sys.all_objects to sqlguard
grant select on sys.database_role_members to sqlguard
grant select on sys.columns to sqlguard
Netezza DB Entitlements

The following domains are provided to facilitate uploading and reporting on Netezza DB Entitlements. Each of the following domains has a single entity (with the same
Note: There is no DB error text translation for Netezza. The error appears in the exception description. Users can clone/add a report with the exception description for
Netezza as needed.
Netezza Obj Privs by DB Username - Object privileges with or without grant option by database username excluding ADMIN account.
Netezza Admin Privs by DB Username - Admin privileges with or without grant option by database username excluding ADMIN account.
Netezza Group /Role Granted To User - Group (Role) granted to user
Netezza Obj Privs By Group - Object privileges with or without grant option by GROUP excluding PUBLIC.
Netezza Admin Privs By Group - Admin privileges with or without grant option by GROUP excluding PUBLIC.
Netezza Admin Privs By DB Username, Group - Admin privileges with or without grant option by database username, group excluding ADMIN account and PUBLIC
group.
Netezza Obj Privs Granted - Object privileges granted with or without grant option to PUBLIC.
Netezza Admin Privis Granted - Admin privileges granted with or without grant option to PUBLIC.
Netezza Global Admin Priv To Users and Groups - Global admin privilege granted to users and groups excluding ADMIN account.
Netezza Global Obj Priv To Users and Groups - Global object privilege granted to users and groups excluding ADMIN account.
work.
Â
/* This script must be run from the system database */
GRANT SELECT ON SYSTEM VIEW TO sqlguard;
GRANT LIST ON DATABASE TO sqlguard;
GRANT LIST ON USER TO sqlguard;
GRANT LIST ON GROUP TO sqlguard;
GRANT SELECT ON _V_CONNECTION TO sqlguard;
For Netezza entitlement queries, it is recommended to connect to SYSTEM database, especially when granting the privilege to the user who is going to run these reports.
The granting privilege MUST take place from SYSTEM database or else the granted privilege will only take place on one particular database. When the granted privilege
takes place from SYSTEM database, a special feature will allow the granted privilege to carry through to all the databases.
The following domains are provided to facilitate uploading and reporting on Teradata DB Entitlements. Each of the following domains has a single entity (with the same
Teradata Object privileges by database account not including default system users.
Teradata System privileges and roles granted to users including grant option.
Teradata Roles granted to users and roles including grant option.
Teradata Role granted to users and roles. Â System privileges granted to users and roles including grant option.
Teradata Objects and System privileges granted to public. Note role cannot be granted to public in Teradata.
Teradata Execute privileges on system database objects to public.
Teradata System admin, Security admin privileges granted to user and role.
Note: There are no such role as System or Security admin in Teradata. User must create their own roles. These are some important system privileges that would
normally not be granted to normal user: ABORT SESSION, CREATE DATABASE, CREATE PROFILE, CREATE ROLE,CREATE USER, DROP DATABASE, DROP PROFILE,
DROP ROLE, DROP USER, MONITOR RESOURCE, MONITOR SESSION, REPLICATION OVERRIDE, SET SESSION RATE, SET RESOURCE RATE.
Teradata Object privileges granted with granted option to users. Not including DBC and grantee = 'All'.
work.
Â

GRANT SELECT ON DBC.AllRights TO sqlguard;
GRANT SELECT ON DBC.Tables TO sqlguard;
GRANT SELECT ON DBC.AllRoleRights TO sqlguard;
GRANT SELECT ON DBC.RoleMembers TO sqlguard;
The following domains are provided to facilitate uploading and reporting on PostgreSQL DB Entitlements. Each of the following domains has a single entity (with the same
There are seven entitlement custom domains/queries/reports for PostgreSQL. They are as follows (each is listed with Report name, description, note):
Â
PostgreSQL Priv On. Databases Granted To Public User Role With Or Without Granted Option. Privilege on databases granted to public, user and role with or without
granted option. Run this on any database, ideally PostgreSQL.
PostgreSQL Priv On Language Granted To Public User Role With Or Without Granted Option. Privilege on Language granted to public, user and role with or without
PostgreSQL Priv On Schema Granted To Public User Role With Or Without Granted Option. Privilege on Schema granted to public, user and role with or without
PostgreSQL Priv On Tablespace Granted To Public User Role With Or Without Granted Option. Privilege on Tablespace granted to public, user and role with or
without granted option. Run this on any database, ideally PostgreSQL.
PostgreSQL Role Or User Granted To User Or Role. Role or User granted to user or role including grant option. Run this once in any database. Ideally PostgreSQL.
Â Â Â Â
PostgreSQL Super User Granted To User Or Role. Super user granted to user or role. Run this once in any database. Ideally PostgreSQL. Â Â Â Â
PostgreSQL Sys Privs Granted To User And Role. System privileges granted to user and role. Run this once in any database. Ideally PostgreSQL. Â Â Â Â
PostgreSQL Table View Sequence and Function privs Granted To Public. Tables, Views, Sequence and Functions privileges granted to public. Run this per database.
Run this per database.
PostgreSQL Table View Sequence and Function Privs Granted With Grant Option. Tables, Views, Sequence and Functions privileges granted to user and role with
grant option only. Exclude PostgreSQL account.
PostgreSQL Table View Sequence Function Privs Granted To Roles. Tables, Views, Sequence and Functions privileges granted to roles. Â Not including public. Run
this per database.
PostgreSQL Table Views Sequence and Functions Privs Granted To Login. Tables, Views, Sequence and Functions privileges granted to logins. Not including postgres
system user. Run this per database.
Note: As of version 8.3.6, PostgreSQL does not support grant admin option to public. There is only function, no store procedure. There is no support for column grant, only
table grant. Public is a group, not user. Public does not show up in pg_roles. The only privileges need to run all these queries is: GRANT CONNECT ON DATABASE
PostgreSQL TO username;
Â
work.
Â
/*This is required on POSTGRES database*/
grant connect on database postgres to sqlguard;
Â
/*These are required on every database, including POSTGRES (By default these are already granted to PUBLIC) */
grant select on pg_class to sqlguard;
grant select on pg_namespace to sqlguard;
grant select on pg_roles to sqlguard;
grant select on pg_proc to sqlguard;
grant select on pg_auth_members to sqlguard;
grant select on pg_language to sqlguard;

grant select on pg_tablespace to sqlguard;
grant select on pg_database Â to sqlguard;
Â
If a datasource has a PostgreSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the
uploading data will loop through all PostgreSQL databases the user has access to.
How to take advantage of predefined reports

Instead of creating custom reports from scratch, take advantage of the predefined content in the Guardium application.
Get the information that you seek faster, by accessing predefined reports available from the Guardium application. These predefined reports can be cloned and
customized to the needs of the user.
Using the Guardium predefined reports is a best practice recommendation, enabling organizations to quickly and easily identify security risks, such as inappropriately
exposed objects, users with excessive rights, and unauthorized administrative actions. Examples of the many predefined reports include: accounts with system privileges;
all system and administrator privileges, which are shown by user and role; object privileges by user; and all objects with PUBLIC access.
All parameters and values are displayed on all reports. The parameters and values can be edited using Customize in any report screen.
Several example reports are described below.
Logins to Guardium
All values for this report are from the Guardium Logins entity. For the reporting period, each row of the report lists the User Name, Login Succeeded (1= Successful,
0=Failed, -1 =password expired, -2 = login from different IP), Login Date And Time, Logout Date And Time (which is blank if the user has not yet logged out), Host Name,
Remote Address (of the user), and count of logins for the row.
Report Location: Reports > Monitoring of Guardium System > Guardium Logins
Table 1. Logins to Guardium

Domain Based on Query Main Entity
Guardium Logins Guardium Logins Guardium Users Login
Run-Time Parameter Operator Default Value
Host Name LIKE %
Period From >= NOW -1 DAY
Period To <= NOW
Buffer Usage Monitor

Provides an extensive set of buffer usage statistics.
Report Location: Reports > Guardium Operational Reports > Enterprise Buffer Usage
Table 2. Buffer Usage Monitor

Buffer Usage Buff Usage Monitor Sniffer Buffer Usage Monitor

Period To <= NOW
Group Usage Report

This report displays the list of all defined groups and all the entities that rely on each group.
Note: There are 328 records available in this report.
Report Location: Reports > Monitoring of Guardium System > Groups Usage Report
Guardium Applications
For each Guardium application, each row lists a security role that is assigned, or the word all, indicating that all roles are assigned.
Report Location: Reports > Real-Time Guardium Operational Reports > All Guardium Applications - Role
Table 3. Guardium Applications

internal - not available All Guardium Applications not available
Period From >= NOW -100 Month DAY
Period To <= NOW
Guardium Roles
This menu pane displays two reports: All Roles - Application Access - and All Roles; User.
All Roles - Application Access For each role, this report lists the number of applications to which it is assigned.
To list the applications to which a role is assigned, click the role and drill down to the Record Details report.
Report Location: Reports > Monitoring of Guardium System > All Roles - Application Access

Table 4. All Roles - Application Access
internal - not available All Roles - Application Access not available
Period From >= NOW -100 MONTH
Period To <= NOW
All Roles - User
For each role, this report lists the number of users to which it is assigned. To list the users to which a role is assigned, click the role and drill down to the Record Details
report.
Table 5. All Roles - User

internal - not available Roles - User not available
Period To <= NOW
Guardium Users
Lists each user, date of last activity, and number of roles assigned. For each user, you can drill down to the Record Details report to see the roles that are assigned to that
user.
Table 6. Guardium Users

internal - not available User role not available
Period To <= NOW
Unit Utilization Levels

The following default reports provide unit utilization data:

Table 7. Unit Utilization Levels
Internal - not available Unit Utilization Distribution Unit Utilization Levels
Period From >= NOW -24 HOUR
Period To <= NOW
Predefined Reports
At installation time, the GuardiumÂ® appliance is configured with a number of predefined reports.
Predefined admin reports
This section provides a short description of all predefined reports on the default administrator layout.
Predefined user Reports
This section provides a short description of all predefined reports on the default user layout.
Predefined Reports Common
This section provides a short description of all predefined reports on both the default user and default administrator layouts.
Predefined Reports
At installation time, the GuardiumÂ® appliance is configured with a number of predefined reports.
All parameters and values are displayed on all reports. The parameters and values can be edited from the Customize button in any report screen.
Use the search function of help to go to the specific report directly. Use quotation marks around words or phrases to precisely define search terms.
Predefined reports are described on the following pages:
Predefined admin Reports Predefined admin reports These are the predefined reports available to the admin user.
Predefined Reports from Accessmgr (see Access Management overview topic): User and Role Reports; Allowed Datasources; Allowed Servers; Databases Not
Associated; Datasources Not Associated.
API to run an audit process from tabular and graphical reports

In the Guardium GUI, there is an icon (Ad-hoc process for run once now) to invoke a call to the GuardAPI, create_ad_hoc_audit_and_run_once.
This opens a window with the following fields:
Email Addresses - A comma separated list of email addresses.

Content type for email receiver: PDF/CSV (a radio button 0 - PDF / 1 -CSV)
Add user as Receiver (check box)
The behavior of this process is as follows:
1 - If new process, one or a number of email receivers can be created in the list (if any) with a content type as indicated in the emailContentType parameter. It will also
create a user receiver for the user logged in (invoking the API) if the includeUserReceiver parameter is true.
2 - If existing process, Â all email receivers will be removed and replaced with the emails from the new list (if any) with the content type as defined in the
emailContentType parameter. If the list is empty, it will remove all email address receivers. If there is already a receiver for the user it will NOT be removed even if the
includeUserreceiver is false, however if the parameter is true and there is no such receiver then it will be added.
Once the audit process is generated it will be automatically executed (similar to a Run Once Now) and users should expect an item on their to-do list for that audit process.
The GuardAPI that creates ad hoc audit process will keep results to 7 days (instead of 1 day). Results will be deleted after 7 days.
For further information on parameters, see the GuardAPI command, create_ad_hoc_audit_and_run_once, in the GuardAPI Input Generation help topic.
Use cases for predefined reports

Database administrator
SQL Errors - An increase in SQL errors may indicate a SQL injection attack.
DDL (verify schema changes) - This report displays the client IP from which the DDL was requested, the main SQL verb (a specific DDL command), and the
total objects accessed for that record.
Failed logins - This report indicates attempts to access the database with expired login credentials.
Information security officer
Failed logins - People with proper credentials trying to access the database.
Terminated users - Terminated users trying to access the database.
Policy violations - Users and issues that violate security policies.
Auditors
Compliance reports - PCI, SOX, Data Privacy

Compliance workflow - Shows evidence of signoffs and procedures.
Parent topic: How to take advantage of predefined reports
Predefined admin reports

This section provides a short description of all predefined reports on the default administrator layout.
The Report selection of the Guardium GUI has five sections:
Report Configuration Tools;

Guardium Operational Reports;
Real-time Guardium Operational Reports;
Guardium Configuration Items; and,
Monitoring of Guardium System.
Note: If data level security at the observed data level has been enabled (see Global Profile settings), then audit process output will be filtered so users will see only the
The predefined admin reports are listed in alphabetical order.
Active S-TAPs changed

This alert only runs on Central Manager systems. S-TAPÂ® Host, S-TAP version, S-TAP changed, timestamp and count are shown.
Table 1. Active S-TAPs changed

internal - not available Active S-TAPs changed not available
Period From none none
Admin User Logins

Summary of logins to the database using a database user name defined in the Admin Users group. The report displays the client IP address from which the user with
administrative privileges logged into the database, database user name, source program, session start date and time, and session total for that record.
Table 2. Admin User Logins

Access Admin Users Login Session
Period To <= NOW
Aggregation/Archive Log
This report lists GuardiumÂ® aggregation activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, Guardium
Host Name, Records Purged, Period Start, Period End, and count of log records for the row. You can limit the output by setting the Guardium Host Name run-time
parameter, which is set to % by default (to select all servers). The Records Purged column contains a count of records purged only when the activity type is Purge.
Table 3. Aggregation/Archive Log

Aggregation/Export/Import Aggregation/Archive Log Agg/Archive Log
Period From >= NOW -1 WEEK
Period To <= NOW
Guardium Host Name LIKE %
All Guardium Applications - Roles

This menu pane displays two reports: All Roles - Application Access - and All Roles; User.
All Roles - Application Access
For each role, this report lists the number of applications to which it is assigned. To list the applications to which a role is assigned, click on the role and drill down to the
Record Details report.
Table 4. All Roles - Application Access

internal - not available All Roles - Application Access not available
Period To <= NOW
All Roles - User
For each role, this report lists the number of users to which it is assigned. To list the users to which a role is assigned, click on the role and drill down to the Record Details
report.

Table 5. All Roles - User
internal - not available Role - User not available
Period To <= NOW
Appliance Settings
This report displays configuration settings from a Guardium system. Use the appliance settings report to quickly review and validate Guardium settings.
Table 6. Appliance settings

internal - not available Active S-TAPs changed not available
Show Aliases Radio buttons (On, Off, Default)
Remote Data Source Drop-down menu
Application Objects Summary

This report is a summary of every definition in the Guardium application. For instance, type Oracle in the ObjectNameLike space in the Run-Time Parameters page of
Application Objects and find all the Object Types and Object Descriptions where Oracle is used.
Note: This report presents metadata and as such is not filtered through the Data Level Security mechanism. This metadata could include database related information
such as Oracle SIDs.
Table 7. Application Objects Summary

Application Objects Application Objects Summary Application Objects
ObjectNameLike % %
ObjectTypeNameLike % %
Approved TAP clients

Only specific S-TAPs are permitted to connect to the Guardium application. This report shows which S-TAP is approved and the status of it.
Table 8. Approved TAP clients

internal - not available Approved TAP Clients not available
Period To <= NOW
Audit Process Log

Audit Process Log
This report shows a detailed activity log for all tasks including start and end times. This report is available for admin users via the Guardium Monitor tab. Audit tasks show
start and end times, however the start and end of Security Assessments and Classifications (which go to a queue) is the same.
The Audit Process has been expanded to the signoff of specific rows beyond a user signing off on the entire audit process. Displays a list of what has been signed off and
what is the status of specific rows.
Use this Audit Process Log to stop audit processes. Tasks can be stopped only if the tasks have not been run or are running. Any more tasks that have not started will not
execute. Partial results will not be delivered. If tasks are complete, stopping the audit process will not stop the sending of the results. Stopping the audit process is done
through a GrdAPI command, invoke api, from the Audit process Log report. For any user it only shows the line belonging to the user (but without all the details - just the
tasks). Admin users get to see all the details and can stop anyone's runs. Users can only stop their own runs.
Note:
Stopping the audit process will not cancel queries running using a remote source. Neither will such online reports using a remote source.
Not supported for Privacy sets and External Feed. This means that if the Privacy set task was started or the External Feed has started - it will finish even if the process is
stopped (as opposed to a query which will be killed).
Audit Process Log ID
Login Name
Run ID

Timestamp
Audit Process ID
Audit Process Description
Audit Task ID
Audit Task Description
Event Type
Detail
Count of Audit Process Log
Available Patches
Displays a list of available patches. There are no run-time parameters, and this reporting domain is system-only.
Buffer Usage Monitor

Provides an extensive set of buffer usage statistics. See the description of the Sniffer Buffer Usage entity for a description of the fields listed on this report.
Table 9. Buffer Usage Monitor

Buffer Usage Buff Usage Monitor Sniffer Buffer Usage Monitor
Period To <= NOW
CAS Deployment
This CAS reports details the Database type, OS name, Hostname and OS type.
Table 10. CAS Deployment

CAS CAS Deployment N/A
DB Type Like %
OS_Name Like %
Hostname Like %
OS_Type Like %
Changes (CAS)
CAS Change Details
For each monitored item, the changes are listed in order by owner.
Table 11. CAS Change Details

CAS Changes CAS Change Details Host Configuration
DB_Type Like %
Host_Name Like %
Instance_Name Like %
Monitored_Item Like %
OS_Type Like %
Type Like %
CAS Saved Data
This report lists the data saved for each change detected. This report is sorted by host name, and then by the most recent modification time.
Table 12. CAS Saved Data

CAS Changes CAS Saved Data Saved Data
Host_Name Like %

Monitored_Item Like %
Saved_Data_Id Like %
Configuration (CAS)
CAS Instances
This report lists CAS instance definitions (a CAS instance applies a template set to a specific CAS host). The default sort order for this report is non-standard. The sort keys
are, from major to minor: Host Name (ascending), Instance (ascending) and Last Status Change (descending).
Table 13. CAS Instances

CAS Config CAS Instances Monitored Item Details
Host_Name Like %
OS_Type Like %
DB_Type Like %
Instance Like %
CAS Instance Config
This report lists CAS instance configuration changes. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending),
Instance (ascending) and Last Status Change (descending). You can limit the output by using any of the following runtime parameters, which select all values by default.
Table 14. CAS Instance Config

CAS Config CAS Instance Config Monitored Item Details
Host_Name Like %
OS_Type Like %
Template_Id Like %
Connection Profiling List

Connection Profiling List is a group of all allowed connections (the Connection Profiling List show all connection details).
Table 15. Connection Profiling List

internal - not available Connection Profiling List Client Server
Run-time parameter Operator Default Value
Query From Date >= NOW -1 DAY
Query To Date <= NOW
Connections Quarantined
Guardium policies can be used to terminate or quarantine connections in real time. Use threshold alerts, based on queries. See Quarantine under the Policies topic for
configuration instructions.
Table 16. Connections Quarantined

Connection Quarantine Connections Quarantined Connection Quarantine
Server IP LIKE %
DB User LIKE %
Server Name LIKE %
Period To <= NOW
CPU Tracker
Lists the Software TAP Host and number of CPUs on machines running S-TAPs.
Table 17. CPU Tracker


internal - not available not available not available
none n/a n/a
CPU Usage
By default, displays the CPU usage for the last two hours. This graphical report is intended to display recent activity only. If you alter the From and To run-time parameters
to include a larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.
Table 18. CPU Usage

Sniffer Buffer CPU Usage Sniffer Buffer Usage Monitor
Period To <= NOW
Databases by Type/ Number of DB per type

Server type and client sources for each database type monitored.
Table 19. Databases by Type

Access Number of db per type Client/Server
Period To <= NOW
Databases Discovered
For the reporting period, for each Discovered Port entity where the DB Type attribute value is NOT LIKE Unknown, this report lists the Probe Timestamp, Server IP, Sever
Host Name, DB Type, Port, Port Type, and count of Discovered Ports for the row.
Table 20. Databases Discovered

Auto-discovery Databases Discovered Discovered Port
Period To <= NOW
PortNotLike NOT LIKE No default value.
DB Users Mapping List

The mapping between database users (Invokers of SQL that caused a violation) and email addresses for real time alerts.
Table 21. DB Users Mapping List

Auto-discovery DB Users Mapping List Guardium Users Login
Period To <= NOW
Default DB Users Enabled

This report details the default users found enabled after a database scan through the group of default users and list of servers supplied to the Non-credential Scan API.
When an enabled user is found within a database, that occurrence of database/user is reported only once. Subsequent scans will update the timestamp and database
version of the database. If a subsequent scan does not find a previously found user the timestamp remains unaffected so as to keep a history with the last time the user
was found enabled on a database. Scans are run under the Classifier Listener and submitted jobs (with the non_credential_scan API) may be tracked using the Guardium
Job Queue report.
Table 22. Default DB Users Enabled

Default DB Users Enabled Default DB Users Enabled Default DB Users Enabled

Period To <= NOW
Data Sources
Lists all datasources defined: Data -Source Type, Data-Source Name , Data-Source Description, Host, Port, Service Name, User Name, Database Name, Last Connect,
Shared, and Connection Properties..
You can restrict the output of this report using the Data Source Name run time parameter, which by default is set to â€œ%â€ to select all datasources.
Table 23. Data Sources

internal - not available Data-Sources not available
Data Source Name LIKE %
Period To <= NOW
Discovered Instances
This S-TAP report details the following information:
Timestamp, Host, Protocol, Port Min, Port Max, KTAP DB Port, Instance Name, Client, Exclude Client, Proc name, Named Pipe, DB Instance Dir, DB2Â® Shared Mem Adjust,
DB2 Shared Mem Client Position, DB2 Shared Mem Size.
Table 24. Discovered Instances

Exception Discovered Instances Exception
Period To <= NOW
Datamart Extraction Log

A Data Mart is a subset of a Data Warehouse. A Data Warehouse aggregates and organizes the data in a generic fashion that can be used later for analysis and reports. A
Data Mart begins with user-defined data analysis and emphasizes meeting the specific demands of the user in terms of content, presentation and ease-of-use.
The Data Mart extraction program runs in a batch according to the specified schedule. It summarizes the data to hours, days, weeks or months according to the granularity
requested and then it saves the results in a new table in Guardium Analytic database.
The data is then accessible to the users via the standard Reports and Audit Process utilities, likewise any other traditional Domain/ Entity. The Data Mart extraction data
are available under DM domain and the Entity name is set according to the new table name specified for the data mart data. Using the standard Query Builder and Report
Builder, users can clone the default query and edit the Query and report, generate Portlet and add to a Pane.
The extraction log consists of the following - Data Mart Name, Collector IP, Server IP, from-time, to-time, ID, run started, run ended, number of records, status, error code.
Definitions Export/Import Log

This report lists Guardium export/import activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, and count of
log records for the row.
Table 25. Definitions Export/Import Log

Aggregation/Archive Export-Import Definitions Log Agg/Archive Log
Period To <= NOW
Dropped Requests
Tracks requests dropped by an inspection engine (Exception Description = Dropped database request). Under extremely rare, high-volume situations some requests may
be lost. When this happens, the sessions from which the requests were lost are listed in the Dropped Requests report.
Table 26. Dropped Requests

Exceptions Dropped Requests Exception
Period To <= NOW

Exception Count
For the reporting period, the total number of exceptions logged.
Table 27. Exception Count

Exceptions Exception Count Exception
Period To <= NOW
Enterprise S-TAP (Detailed) View

See S-TAP Info (Central Manager) for information on this report.
Enterprise S-TAP Association History

Enterprise S-TAP Association History reports on how long the S-TAP reported to the specific Guardium system in the Load balancer environment.
Enterprise S-TAP View

See S-TAP Info (Central Manager) for information on this report.
Export Sensitive Data to Discovery

Guardium and InfoSphereÂ® Discovery have mechanisms for the Classification of Sensitive Data.
A bidirectional interface is provided to transfer the identified sensitive data from Guardium to InfoSphere Discovery and from InfoSphere Discovery to Guardium.
This data will be transferred via CSV files. See External Data Correlation (Bidirectional Interface) for further information.
Table 28. Export Sensitive Data to Discovery

Internal - not available Export Sensitive Data to Discovery Classification Process Results
Period From >= NOW -3 HOURS
Period To <= NOW
Rule Description LIKE Â
Schema LIKE Â
Enterprise Buffer Usage Monitor

This report shows the aggregate of sniffer buffer usage from all managed units. There is a need to set the schedule for the upload. See the description of the Sniffer Buffer
Usage entity for a description of the fields listed on this report.
Table 29. Enterprise Buffer Usage Monitor

Enterprise Buffer Usage Enterprise Buffer Usage Sniffer Buffer Usage
Period To <= NOW
Guardium Job Queue

Displays the Guardium Job Queue. Previously known as Classifier/Assessment Job Queue. For each job, it lists the Process Run ID, Process Type, Status, Guardium Job
Process Id, Report Result Id, Guardium Job Description, Audit Task Description, Queue Time, Start Time, End Time, and Data Sources.
Table 30. Guardium Job Queue

Internal - not available Guardium Job Queue not available
Job Description LIKE %
Period To <= NOW
The job queue
Assessments and Classifications run in their own separate process called the job queue. Jobs are queued and have their status maintained while a listener periodically
polls the queue looking for waiting jobs to run.

Stopping
Running jobs, when right-clicked for drill-down, there is an option to stop the running job and cancel it. The job can not be restarted at this point.
Halting
Running jobs are monitored to reduce the number of hung jobs that might cause the job queue to be come overloaded. If a job is inactive for 30 minutes, the listener is
terminated and restarted, effectively stopping the operation of a job. Before the listener is restarted, a process called the cleaner runs, the status is set from RUNNING to
HALTED, and then the listener is restarted. A status of HALTED means the job was not able to run to completion.
Resubmitting
Sometimes the listener gets restarted for reasons other than a job hanging, for example rebooting the machine. When the cleaner halts the running jobs, it will see if the
job has responded in the past 8 minutes. If it has, the job will be copied and that copy will be resubmitted onto the job queue. The original halted will still display on the
queue, and still have the results it was able to process available.
Monitoring
The mechanism by which jobs maintain their active status is by touching the timestamp on the job queue record. It is important to note that the job queue record is used
for the entire job. Each individual classifier rule or assessment test interacts with the timestamp for its parent process, and they do not have individual timestamps that
are monitored.
The classifier will update its timestamp before every rule is tested and after every SQL operation. For example, if the classifier is scanning the data in a database that
supports paging, it will touch the timestamp after each batch of data is brought back from the database. This is because, depending on the state of the target database,
the classifier has the potential to invoke some long-running queries that will be limited to 30 minutes of execution.
Assessments touch the timestamp after each test in the assessment is evaluated. Most assessment tests run in a few seconds or less.
Observed Tests
The exception to the relatively quick-running assessment tests is the category of observed assessment tests. These tests are based on queries and reports that use the
internal sniffing data on the Guardium appliance and can run for longer periods of time and are unable to update the timestamp while they are in process. Therefore,
observed assessment tests have their timestamps set two hours into the future when they are started, essentially giving them two hours and thirty minutes to run to
conclusion. This can be confusing when looking at the job queue and seeing the timestamp set to a time in the future. Just like any other assessment test, when the
observed test ends, the timestamp will be touched. If the next test is an observed test, the timestamp will once again be set two hours into the future. Otherwise, the
timestamp will be set to the current time.
GIM Clients Status

Displays a list of GIM clients.
Table 31. GIM Clients Status

GIM Clients Status GIM Clients Status GIM Clients
Client Name % N/A
Client OS % N/A
GIM Events List

Displays a list of GIM Events.
Table 32. GIM Events List

GIM Events GIM Events GIM Events
Period To <= NOW
GIM Installed Modules

Displays a list of installed GIM Modules.
Note: This report shows the modules that have been associated with the host. If a module has been assigned to a host, the assigned version will appear in this report,
even if the module has not yet been scheduled or installed. To check the currently installed module, review the GIM Client Status report.
Table 33. GIM Installed Modules

GIM Installed Base GIM Installed Base GIM Installed
none not applicable not applicable
Group Usage Report

Displays the list of all defined groups and all the entities that rely on each group.

Guardium API Exceptions
Displays a time stamp and description of all GuardAPI exceptions. These are jobs where the Exception Type ID is GUARD_API_EXCEPTION.
Table 34. Guardium API Exceptions

Exception Guardium API Exceptions Exception
Period To <= NOW
Guardium Applications
For each Guardium application, each row lists a security role assigned, or the word all, indicating that all roles are assigned.
Table 35. Guardium Applications

internal - not available All Guardium Applications not available
Period From >= NOW -100 Month DAY
Period To <= NOW
Guardium Group Details

For the reporting period, each row of the report lists a group member. The columns contain the following information: Group Description, Group Type, Group Subtype,
Timestamp (from the Group Member entity), Group Member, and count of Group Member entities for the row. The value of the timestamp is set to the current time
whenever the record is updated.
You can restrict the output of this report using the run-time parameters, both of which are used with the LIKE operator and a default value of %, which selects all values.
Table 36. Guardium Group Details

Group Guardium Group Details Group Member
Group Description LIKE %
Group Type LIKE %
Period To <= NOW
Guardium Users
Lists each user, date of last activity, and number of roles assigned. For each user, you can drill down to the Record Details report to see the roles assigned to that user.
Table 37. Guardium Users

internal - not available User Role not available
Period To <= NOW
Host History (CAS)

CAS Host History
This report lists CAS host events. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance and Event
Time (descending).
Table 38. CAS Host History

CAS Host History CAS Host History Host Event
Host_Name Like %
OS_Type Like %
Event_Type Like %
Inactive Inspection Engines

Lists all inactive inspection engines
Table 39. Inactive Inspection Engines

internal - not available Inactive Inspection Engines S-TAP Verification Header
Query from date >= NOW -3 HOUR
Query to date >= NOW
Inactive S-TAPs Since

Lists all inactive S-TAPs defined on the system. It has a single run-time parameter: Period From, which is set to now -1 hour by default. Use this parameter to control how
you want to define inactive. This report contains the same columns of data for the S-TAP Status report with the addition of a count for each row of the report.
Table 40. Inactive S-TAPs Since

internal - not available Inactive S-TAPs Since not available
Installed Patches
Displays a list of installed patches. There are no run-time parameters, and this reporting domain is system-only.
Table 41. Installed Patches

internal - not available Installed Patches not available
Logins to Guardium
All values for this report are from the Guardium Logins entity. For the reporting period, each row of the report lists the User Name, Login Succeeded (1= Successful,
0=Failed), Login Date And Time, Logout Date And Time (which will be blank if the user has not yet logged out), Host Name, Remote Address (of the user) and count of
logins for the row.
Table 42. Logins to Guardium

Guardium Logins Guardium Logins Guardium Users Login
Host Name LIKE %
Period To <= NOW
Logged R/T Alerts

For the reporting period, the total number of logged real time alerts, listed by rule description.
Table 43. Logged R/T Alerts

Policy Violations Logged R/T Alerts Policy Rule Violation
Period To <= NOW
Logged Threshold Alerts

For the reporting period, the total number of threshold alerts logged.
Table 44. Logged Threshold Alerts

Alert Logged Alerts Threshold Alert Details
Period To <= NOW

Logging Collectors (valid only from aggregation unit)
The Logging Collectors report appears under the Daily Monitor Tab and it is valid only on an aggregator unit. This report shows the number of sessions per Server IP, per
collector and per day. For example: on May 19, aggregator #1 collected 100 sessions for Server 192.168.x.x1, 50 sessions for Server 192.168.x.x2; aggregator #2
collected 30 sessions for Server 192.168.x.x3, 90 sessions for Server 192.168.x.x4; etc.
Table 45. Logging Collectors

Exceptions Logging Collectors Logging Collectors
Period To <= NOW
Managed Units (Central Manager)

Enterprise report on a Central Manager that shows which managed units are up. Use this report in a Statistical Alert to send an email to an ADMIN anytime a managed unit
is down.
Table 46. Managed Units (Central Manager)

internal - not available Managed Units Managed Units
Host Name LIKE %
Remote Data Source Â Drop-down menu
Show Aliases Â Radio buttons (On, Off, Default)
Number of Active Audit Processes

Number of active Guardium audit processes. When central management is used, this report contains data only on the Central Manager, and is empty on all managed units
(the standard message, No data found for requested query, displays). There are no run-time parameters for this report.
Table 47. Number of Active Audit Processes

Audit Process Number of Active Processes Audit Process
Outstanding Audit Process Reviews

Number of outstanding Guardium audit processes, listed by Guardium users.
Table 48. Outstanding Audit Process Reviews

Audit Process Outstanding Audit Process Task Results To-Do List

Reviews
Primary Guardium Host Change Log

Log of primary host changes for S-TAPs. The primary host is the Guardium unit to which the S-TAP sends data. Each line of the report lists the S-TAP Host, Guardium Host
Name, Period Start and Period End.
Table 49. Primary Guardium Host Change Log

internal - not available Primary SGuard host change log not available
Period To <= NOW
Query Entities and Attributes

This report lists all the entities and attributes in Guardium reports and was created to simplify the linkage between the Guardium attributes to the GuardAPI calls.
Use this report to also invoke Use this report to also invoke create_constant_attribute, create_api_parameter_mapping, delete_api_parameter_mapping, or
list_param_mapping_for_function.
Table 50. Query Entities and Attributes

Any of Guardium reporting domains Any of the entities for the reporting domain Any of the attributes within the entity
Report Name Like not applicable not applicable
if <> '%' it will show only the domain/entity and

attributes used by reports that match the new
parameter.
IF '%' then all domains, queries and attributes are

displayed (including those not used by any report).
Replay Statistics
This report shows Replay Statistics for Execution Start/End Date; Configuration Name; Schedule Setup Name; Job Status; Statistic Description; Session ID; Successful
Queries; Failed Queries; Total Queries; Type; Active/Waiting/Completed Tasks.
Table 51. Replay Statistics

Replay Results Tracking Replay Statistics Replay Result Statistics
Query from date >= NOW -1 DAY
Query to date <= NOW
Session >= N/A
Session <= N/A
Replay Summary
For the reporting period, a measure of what query failed or succeeded. Checkmark required in Replay Configuration for Query Failed or Query Succeeded.
Table 52. Replay Summary

Replay Results Replay Summary Replay Results
Query from date >= NOW -1 DAY
Query to date <= NOW
Results status % N/A
Schedule setup name % N/A
Restored Data
This report has two columns: RESTORED_DAY and EXPIRATION_DATE. When the user restores data from archive, this table is populated according to the data restored
and the duration specified for keeping this data. The purge process looks at this table to determine what data can be purged and cleans up records that expired.
RESTORED_DAY is the date of the data that was restored and is in the past. EXPIRATION_DATE is the date when this data will be purged and is a date in the
future.
Table 53. Restored Data

Restored Data Restored Data Restored Data
Period To <= NOW +10 DAY
Request Rate
By default, displays the request rate for the last two hours. This graphical report is intended to display recent activity only. If you alter the run-time parameters to include a
larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.
Table 54. Request Rate

Sniffer Buffer Request Rate Sniffer Buffer Usage Monitor
Period To <= NOW

Rogue Connections
This report is available only when the Hunter option is enabled on Unix servers. The Hunter option is only used when the Tee monitoring method is used. This report lists
all local processes that have circumvented S-TAP to connect to the database.
Table 55. Rogue Connections

Rogue Connections Rogue Connections Rogue Connections
Period To <= NOW
Scheduled Job Exceptions

Displays a timestamp and the description for each scheduled job exception (including assessment errors). . These are jobs where the Exception Type ID is one of the
following: SCHED_JOB_EXCEPTION, ASSESSMENT_EXCEPTION, or ASMT_ERROR.
Table 56. Scheduled Job Exceptions

Sniffer Buffer CPU Usage Sniffer Buffer Usage
Period To <= NOW
Scheduled Jobs
Displays the list of currently scheduled jobs.
Table 57. Scheduled Jobs

internal - not available Scheduled Jobs not available
Session Count
For the reporting period, the total number of different sessions open.
Table 58. Session Count

Access Session Count Session
Period To <= NOW
SQL Count
For the reporting period, the total number of different SQL commands issued.
Table 59. SQL Count

Access SQL Count SQL
Period To <= NOW
S-TAP Configuration Change History

This report is displayed only when an inspection engine is added or changed. Lists S-TAP configuration changes - each inspection engine change will be displayed on a
separate row. Each row lists the S-TAP Host, DB Server Type, DB Port From, DB Port To, DB Client IP, DB Client Mask, and Timestamp for the change.
Table 60. S-TAP Configuration Change History

internal - not available Configuration Change History not available

Period To <= NOW
S-TAP Status
Displays status information about each inspection engine defined on each S-TAP Host. This report has no From and To date parameters, since it is reporting current status.
Each row of the report lists the S-TAP Host, DB Server Type, Status, Last Response, Primary Host Name, Yes/No indicators for the following attributes: KTAP Installed, TEE
Installed, Shared Memory Driver Installed, DB2 Shared Memory Driver Installed, Named Pipes Driver Installed, and App Server Installed. In addition, it lists the Hunter
DBS.
Note: The DB2 shared memory driver has been superseded by the DB2 Tap feature.
Table 61. S-TAP Status

internal - not available S-TAP Status not available
none n/a n/a
S-TAP Verification
List all results of S-TAP verifications.
Table 62. S-TAP Verification

internal - not available S-TAP Verification S-TAP Verification Header
Query from date >= NOW -3 HOUR
Query to date >= NOW
S-TAP Events
Use this report for information on the S-TAP (from SOFTWARE_TAP_EVENT table in internal database).
Table 63. S-TAP Events

internal - not available S-TAP Events not available
event type LIKE %
host type LIKE %
Period To <= NOW
S-TAP Info (Central Manager)

Report: See S-TAP Reports. On a Central Manager, an additional report, S-TAP Info, is available. This report monitors S-TAPs of the entire environment. Upload this data
using the Custom Table Builder.
S-TAP info is a predefined custom domain which contains the S-TAP Info entity and is not modifiable like the entitlement domain.
When defining a custom query, go to upload page and click Check/Repair to create the custom table in CUSTOM database, otherwise save query will not validate it. This
table loads automatically from all remote sources. A user cannot select which remote sources are used - it pulls from all of them.
Based on this custom table and custom domain, there are two reports:
Enterprise S-TAP view shows, from the Central Manager, information on an active S-TAP on a collector and/or managed unit (If there are duplicates for the same S-TAP
engine, one being active and one being inactive, then the report will only use the active).
Detailed Enterprise S-TAP view shows, from the Central Manager, information on all active and inactive S-TAPs on all collectors and/or managed units.
If the Enterprise S-STAP view and Detailed Enterprise S-TAP view look the same, it is because there only one S-TAP on one managed unit being displayed. The Detailed
Enterprise S-TAP view would look different if there is more S-TAPs and more managed units involved.
These two reports can be chosen from the TAP Monitor tab of a standalone system, but they will display no information.
Alert: See Viewing an Audit Process Definition for alert: Inspection Engines and S-TAP - alert on any activity related to inspection engine and S-TAP configuration
S-TAP Last Response

Pre-defined query and report are available, but not added to any panels.
The query/report displays All S-TAP Hosts and the last response (heartbeat) sent by each host.

The purpose of this query is to be able to define an alert that will trigger when S-TAP on a host did not respond for a given period of time.
The input parameters are: Last response From, and, Last Response To.
For example, when executed with Last response From = NOW -5 DAYS and Last Response To = NOW - 3 HOURS, it will display the host name and the last response time
for those hosts that sent the last response in the last 5 days, but had no response in the last 3 hours.
S-TAP Status Monitor

For each S-TAP reporting to this Guardium appliance, this report identifies the S-TAP Host, S-TAP Version, DB Server Type, Status (active or inactive), Last Response
Received (date and time), Primary Host Name, and true/false indicators for: KTAP, TEE, MS SQL Server Shared Memory, DB2 Shared Memory, Local TCP monitoring, Named
Pipes Usage, and Encryption.
This report has no run-time parameters, and is based on a system-only query that cannot be modified.
STAP/Z Files
STAP/Z provides files with raw data collected from DB2 (on z/OSÂ®) containing DB2 events, SQL statements, etc. This report lists an Interface ID, UA file name (Un-
normalized Audit Event), UT file name (Un-normalized Audit Event text), UH file name (Un-normalized Audit Event host variables), File Status, Total Number of Events
Processed, Number of Events Failed, and Timestamp. The Run-time parameters are FileName Like % and FileStatus Like %.
This report has two run-time parameters, FileName Like % and FileStatus Like %. It is based on a system-only query that cannot be modified.
TCP Exceptions
For the reporting period, for each exception where the Exception Description of the Exception Type entity is TCP/IP Protocol Exception, a row of this report lists the
following attribute values from the Exception entity: Exception Timestamp, Exception Description, Source Address, Destination Address, Source Port, Destination Port, and
count of Exceptions for that row.
Table 64. TCP Exceptions

Exceptions TCP Exceptions Exception
Period To <= NOW
Templates (CAS)
CAS Templates
This report lists CAS templates. By default, all template items are listed.
Table 65. CAS Templates

CAS Templates CAS Templates Template
Access_Name Like %
Template_Set_Name Like %
Audit_Type Like %
Tests Exceptions
Indicate pairs of test/datasource that are exempted temporarily. See create_test_exception for more information on the use of Test Exceptions.
Table 66. Tests Exceptions

internal - not available Tests Exceptions not available
Period To <= NOW
Throughput
For each Access Period in the reporting period, each row lists the Period Start time, the count of Server IP addresses, and the total number of accesses (Access Period
entities).
You can restrict the output of this report using the Server IP run time parameter, which by default is set to % to select all IP addresses.
Table 67. Throughput

internal - not available DB Server Throughput not available

Period To <= NOW
Server IP LIKE %
Throughput (graphical)
This report is a Distributed Label Line chart version of the tabular Throughput report. It plots the total number of accesses over the reporting period, one data point per
Period Start time.
You can restrict the output of this report using the Server IP run time parameter, which by default is set to % to select all IP addresses.
Table 68. Throughput (graphical)

Access DB Server Throughput - Chart Access Period
Period To <= NOW
Server IP LIKE %
User Activity Audit Trail Reports

The User Activity Audit Trail menu selection displays two reports. In addition, from each of those reports, a third report can be produced. See:
User Activity Audit Trail

System/Security Activities
Detailed Guardium User Activity (Drill-Down)
User Activity Audit Trail
For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from
the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.
From any row of the this report, the Detailed Guardium User Activity report is available as a drill-down report.
Table 69. User Activity Audit Trail

Guardium Activity User Activity Audit Trail Guardium User Activity Audit
Host Name LIKE %
Period To <= NOW
System/Security Activities
For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from
the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.
From any row of the this report, the Detailed Guardium User Activity report is available as a drill-down report.
Table 70. System/Security Activities

Guardium Activity User Activity Audit Trail Guardium User Activity Audit
Host Name LIKE %
Period To <= NOW
Detailed Guardium User Activity (Drill-Down)
This report is not available from the menu, but can be opened for any row of the User Activity Audit Trail report, or the System/Security Activities report. For the selected
row of the report, based on the User Name and Activity Type Description, this report lists the following attribute values, all of which are from the Guardium User Activity
Audit entity, except for the Activity Type Description, which is from the Guardium Activity Types entity: User Name, Timestamp, Modified Entity, Object Description, All
Values, and a count of Guardium User Activity Audits entities for the row.
Table 71. Detailed Guardium User Activity (Drill-Down)

Guardium Activity Detailed Guardium User Activity Guardium User Activity Audit

Activity Type Description Â value from calling report
Period To <= NOW
User Name Â value from calling report
Warning: Users should be aware that activities of the root user, and other sensitive system accounts, are logged. Drilling down into the activity of these users may show
sensitive commands and passwords that have been entered on the command line. Therefore users, whenever possible, should not enter sensitive command line
information that they would not like to show on this drill-down report.
User To-Do Lists

Displays for each Guardium audit process: a description, login name, action required (review or approve), status, user who has signed or reviewed, and execution date of
the specified task.
Table 72. User To-Do Lists

internal - not available Users To-do List not available
Period To <= NOW
User Comments - Sharable

Sharable user comments are all comments except for inspection engine, installed policy, and audit process results comments. For each sharable user comment, this
report lists the date created, the type of item to which it applies (an alert, for example), the user who created the comment, and the contents of the comment.
Note: Comments defined for inspection engines, installed policies, or audit process results can be viewed from the individual definitions, but they cannot be displayed on a
report.
Table 73. User Comments - Sharable

Comments Comments Defined Comments
Period To <= NOW
Unit Utilization Levels

The following default reports provide unit utilization data:
Table 74. Unit Utilization Levels

Internal - not available Unit Utilization Distribution Unit Utilization Levels
Period To <= NOW
Values Changed
For the reporting period, this report provides detailed information about monitored value changes. All attribute values displayed are from the Monitor Values entity. The
query this report is based upon has a non-standard sorting sequence, as follows:
Server IP
DB Type
Audit Timestamp
Audit Table Name
Audit Owner
The query this report is based upon has a number of run-time parameters, all of which use the LIKE operator and default to the value %, meaning all values will be
selected.

For each monitored value selected, a row of the report lists the Timestamp, Server IP, DB Type, Service Name, Database Name, Audit Login Name, Audit Timestamp, Audit
Table Name, Audit Owner, Audit Action, Audit Old Value, Audit New Value, SQL Text, Triggered ID, and a count of Change Columns entities for that row.
Table 75. Values Changed

Value Changed Values Changed Changed Columns
Audit Action LIKE %
Audit Login Name LIKE %
Audit Owner LIKE %
Audit Table Name LIKE %
DB Type LIKE %
Period To <= NOW
Server IP LIKE %
Predefined user Reports

This section provides a short description of all predefined reports on the default user layout.
For a description of the reports on the default administrator layout, see Predefined admin reports.
Note: If data level security at the observed data level has been enabled (see Global Profile settings), then audit process output will be filtered so users will see only the
View Installed Policy

The Currently-Installed Policy report displays information about the installed policy. Click the installed policy link to display the policy rules in a separate window.
Number of db per type

Displays the number of servers and clients for each monitored database type (default time period is the current day).
Request Rate
By default, displays the request rate for the last two hours. This graphical report is intended to display recent activity only. If you alter the From and To run-time
parameters to include a larger timeframe, you may receive a message indicating that there is too much data. (Use a tabular report to display a larger time period.)
Sessions By Server Type

For each server type (DB2Â®, InformixÂ®, etc.), a row of this report displays the total number of sessions that were open during the reporting period (by default, the last
three hours).
DML Execution on Sensitive Objects

For each SQL Verb from the DML Commands group that references an Object Name in the Sensitive Objects group, this report displays a row for each Access Period, Client
IP, and Source Program, with a total count of objects referenced in that row. Although the report title contains the word Executions, there is no guarantee that all
commands reported were actually executed.
Sensitive Objects Usage

For each object in the Sensitive Objects group, displays a row for each Client IP and Source Program that referenced the object during the reporting period, and a count of
object references.
The Sensitive Objects group is empty at installation time. Someone at your company must populate the group with the appropriate set of members.
Activity By Client IP
For each Client IP address seen during the reporting period, a row counts the number of SQL Verbs, Object Names, and the total number of sessions.
Database Servers
For each Server IP address accessed during the reporting period, a row of the report displays the Server Type, Database Name, Service Name, a count of source programs
accessing that server, and the total number of sessions for that row.
IMS Access (z/OS)

Use this to report access to IMSâ„¢ (z/OSÂ®).
Table 1. IMS Access (z/OS)


Access IMS Access Client Server
Period To <= NOW
IMS Object (z/OS)

Use this to report object to IMS (z/OS).
Table 2. IMS Object (z/OS)

Access IMS Object Object
Period To <= NOW
IMS Event (z/OS)

Use this to report event to IMS (z/OS).
Table 3. IMS Event (z/OS)

Access IMS Event SQL
Period To <= NOW
IMS Data Access Details (z/OS)

Use this to report data access details to IMS (z/OS).
Table 4. IMS Data Access Details (z/OS)

Access IMS Data Access Details Full SQL
Period To <= NOW
Client IP LIKE Â
DBUserName LIKE Â
IMS Name LIKE Â
ServerIP LIKE Â
Policy Violations
For every policy rule violation logged during the reporting period, this report provides the Timestamp from the Policy Rule Violation entity, Access Rule Description, Client
IP, Server IP, DB User Name, Full SQL String from the Policy Rule Violation entity, Severity Description, and a count of violations for that row. You cannot access the query
that this report is based upon (Policy Violations List with Severity), but you can clone the report.
Exceptions Distribution
Each wedge of the pie chart represents the proportion of exceptions for each Exception Description attribute value (from the Exception Type entity) that was logged during
the reporting period.
As with any chart, you can drill down on the pie chart to display the tabular version of the query on which the chart is based. There are several exceptions reports that are
accessible from this tabular report (or drill-downs from it) that are available here, but are not included on any menu.
Exceptions Monitor
A count of exceptions logged during the reporting period. One datapoint is created each time that you refresh the report on your portal.
Failed User Login Attempts

For each failed login attempt during the reporting period, lists the User Name, Source Address, Destination Address, and Database Protocol Type for the server the user
was attempting to log into.
SQL Errors

For each SQL error during the reporting period, displays the Client IP address, Server IP address, Server Type, database user name, database error text, and error
occurrence total for that record.
Exception Count
The total number of exceptions (Exception entities) logged during the reporting period.
Terminated Users Logins

Lists all logins by database users who are members of the Terminated DB User group. Each row lists a DB User Name, Client IP, Server IP, Server Type, Source Program,
last login time (the maximum value of the Session Start attribute), and the count of sessions for the row.
The Terminated DB Users group is empty at installation time. It must be populated by someone at your location. The query that this report is based upon (Terminated
Users Logins) cannot be accessed from any query builder.
Active Users Last Login

Last login recorded during the reporting period for each member of the Active Users group. All members of the group will be listed, even if there were no logins during the
reporting period. This is unlike most other reports based on members of a group. In the â€œnormalâ€ case, if no activity is found for a member, that member is not
listed.
Each row lists a DB User Name, Client IP, Server IP, Server Type, Source Program, last login time (the maximum value of the Session Start attribute), and the count of
sessions for the row.
The Active Users group is empty at installation time. It must be populated by someone at your location. The query that this report is based upon (Active Users Last Logins)
cannot be accessed from any query builder.
Active Users with no Activity

Listing of members in the Active Users group who have had no activity during the reporting period. This report will be empty if all users have had activity during the
reporting period.
The Active Users group is pre-defined, but empty at installation time. It must be populated by someone at your location. The query that this report is based upon (Active
Users with no Activity) cannot be accessed from any query builder.
Terminated Users Failed Login Attempts

Lists failed login attempts by database users who are members of the Terminated DB User group. This report will be empty if there were no failed login attempts by
anyone in this group during the reporting period.
The Terminated DB Users group is pre-defined, but empty at installation time. It must be populated by someone at your location. The built-in query for this report cannot
be accessed. The query that this report is based upon (Terminated Users Failed Login Attempts) cannot be accessed from any query builder.
Excessive Errors per period

Display #Errors/Period; E.g., more than N errors in 60min for the same Client IP address, Server IP address, Server Type, database user name.
Users inactive since

Show User and Last Session Start for all users having Access records and having max Session Start time earlier than 90 days ago. (an inactive user is missed if they never
once logged in, or if all their old logins have been purged)
Admin Users Login

For each DB User Name included in the Admin Users group, who had one or more sessions during the reporting period, each row lists the Client IP, DB User Name, Source
Program, Session Start time, and Count of Sessions for that row.
DB Predefined Users Login

For each DB User Name included in the DB Predefined Users group, who had one or more sessions during the reporting period, each row lists the DB User Name, Client IP,
Server IP, Source Program, Database Name, Service Name, and Count of Sessions for that row.
Administrative Commands Usage

For each SQL Verb included in the Administrative Commands group that was seen during the reporting period, this report lists the SQL Verb, Depth, Object Name, and
Client IP, and a count of objects referenced.
Administrative Objects Usage

For each Object Name included in the Administration Objects group that was seen during the reporting period, each row lists the Object Name, Client IP, Server IP, Service
Name, Database Name, Source Program, DB User Name, and Count of Objects for that row.
DML Execution on Administrative Objects

For each SQL Verb from the DML Commands group that references an Object Name in the Administration Objects group, this report displays a row for the DB User Name,
Client IP, Server IP, Server Type, Service Name, Database Name, SQL Verb, Object Name, and Count of Objects referenced in the row.
BACKUP Commands Execution

For each SQL Verb from the BACKUP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.
RESTORE Commands Execution

For each SQL Verb from the BACKUP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
REVOKE Commands Execution

For each SQL Verb from the REVOKE Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
KILL Commands Execution

For each SQL Verb from the KILL Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
DBCC Commands Execution

For each SQL Verb from the DBCC Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
Program, Database Name, SQL statement, and Count of Objects referenced in the row.
GRANT Commands Execution

For each SQL Verb from the GRANT Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
Privileged Account Utilization

Show User, Verb, and the Count of Periods within which the Verb was performed by a User in the group Admin Users
Privileged User Access of Business Objects

Show User, Verb, Object where the User in Admin Users and the Verb was performed by the on an Object that is in a selected group of Business Objects
CREATE Commands Execution

For each SQL Verb from the CREATE Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
DDL Commands
All DDL commands sent to the database. The report displays the client IP from which the DDL was requested, the main SQL verb (a specific DDL command), and the total
objects accessed for that record.
For each SQL Verb from the DDL Commands group seen during the reporting period, this report displays the Client IP, Server IP, Server Type, SQL Verb, and Count of
Commands referenced in the row.
ALTER Commands Execution

All ALTER commands issued. The report displays the client IP from which the DDL was requested, server IP address, service name, database user name, source program,
database name, object name, and main SQL verb (a specific DDL command) for each combination of client IP/DDL command listed on that specific line.
For each SQL Verb from the ALTER Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
DDL Distribution
This bar graph displays the distribution of commands seen from the DDL Commands group during the reporting period. For each command seen, a single bar represents
the total number of objects affected.
DROP Commands Execution

For each SQL Verb from the DROP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source
One User One IP

For each DB User Name for which session data was collected during the reporting period, each line of this report displays the count of Client IP addresses from which the
user logged in, and a total number of sessions.
Client IP Activity Summary

This report displays reporting period activity from a single Client IP address, which is specified as a run time parameter. Each row of the report displays the Client IP,
Source Program, SQL Verb, Depth (of sentence within the SQL command), an Object Name, and a count of times that object was referenced for that row.
Sessions List

This report lists all database sessions for the reporting period. For each session, the report displays the session (entity) Timestamp, the Session Start (timestamp), Server
Type, Client IP, Server IP, Client Port, Server Port, Network Protocol, DB Protocol, DB Protocol Version, DB User Name username, Source Program, and Count of Sessions
for that row (which should always be 1).
As with most reports, drill-down reports are available. There are a number of session reports that are accessible from this report, but are not included on any menu. This
includes the following reports, with the run time parameters for those reports set by using values from the selected row of the report:
Table 5. Sessions List

Report Run-time Parameters
Sessions by Client IP Server IP, Server Type
Sessions by Server IP Server Type
Sessions by Source Program Server Type, Sever IP
Sessions by User Server Type, Server IP
Sessions Details by Server Server Type, Server IP
Commands List
This report lists all SQL Verbs seen during the reporting period. At the outermost level, commands are grouped by the Period Start time from the Access Period entity,
which is usually one hour, on the hour. Your GuardiumÂ® administrator can modify the access period length by changing the logging granularity, which is one hour by
default. For each Access Period in the reporting period, each row lists the access Period Start time, a SQL Verb, Depth of the verb in the SQL statement, Parent (a pointer to
the owning verb), and a count of occurrences for the row.
Objects List
This report lists all objects seen during the reporting period. At the outermost level, objects are grouped by the Period Start time from the Access Period entity, which is
usually one hour, on the hour. Your SQL Guard administrator can modify the access period length by changing the logging granularity, which is one hour by default. For
each Access Period in the reporting period, each row lists the access Period Start time, an Object Name, and the count of occurrences for that row.
Object Activity Summary

This report displays reporting period activity for a single Object Name, which is specified as a run time parameter. Each row of the report displays the Client IP, Source
Program, SQL Verb, Depth (of sentence within the SQL command), an Object Name, and a count of times that object was referenced for that row.
Archive Candidates
This report lists objects (database tables or stored procedures, for example) that have not been accessed for an extended period of time. You cannot access the query this
report is based upon.
Windows File Share Activity

This report lists all Windows File Share SQL activity seen during the reporting period. At the outermost level, the SQL commands are grouped by the Period Start time from
the Access Period entity, which is usually one hour, on the hour. Your Guardium administrator can modify the access period length by changing the logging granularity,
which is one hour by default. For each Access Period in the reporting period, each row lists the access Period Start time, the Service Name, Client IP, Server IP, Source
Program, SQL (from the SQL entity), and a count of occurrences for the row. You cannot access the query this report is based upon, but you can clone the report.
Hourly Access Details

This report produces a highly detailed listing for each DB User Name seen in the reporting period, which is one hour by default for this report. Each row of the report lists a
DB User Name, Client IP, Server IP, Period Start, Source Program, SQL (from the SQL entity), and a count of occurrences during the access period.
Full SQL By DB User Name

This report displays reporting period Full SQL attribute values that have been logged for a single DB User Name, which is specified as a run time parameter. Each row of the
report displays the Full SQL ID, Timestamp (of the Full SQL entity), Client IP, DB User Name, Session Start, Source Program, Full SQL, and a count of occurrences for the
row.
Full SQL By Client IP

This report displays reporting period Full SQL attribute values that have been logged for a single Client IP, which is specified as a run time parameter. Each row of the
report displays the Full SQL ID, Timestamp (of the Full SQL entity), Client IP, DB User Name, Session Start, Source Program, Full SQL, and a count of occurrences for the
row.
Flat LOG List

Lists flat log processing tasks.
Classification Process Results

Lists classification process tasks.
DW Dormant Objects
Shows all the members of one group that are not members in a second group, with a focus on dormant tables. For example, this report shows objects that are in the all
objects group, but have not been used in a Select.

DW Dormant Objects/Fields
Shows all the members of one group that are not members in a second group, with a focus on dormant tables and columns. In this instance, groups are a 2-tuple type
(members that are a composite of a pair of value attributes). For example, this report shows objects that are in the all objects and fields group, but have not been used in a
Select.
DW EXECUTE Object Access

Use this report to populate the group called DW EXECUTE Objects with a set of stored procedure names that being executed. Then use indirect mapping in Group
Builder/Auto Generate Calling Prox to generate all the objects being used within these procedures.
DW SELECT Object Access

This report shows all object names that have been accessed through a SELECT statement.
DW SELECT Object-Field Access

This report shows all object and field names that have been accessed through a SELECT statement.
Long Running Queries

For the reporting period, this report lists the longest running queries, with the longest average execution time first. For each query, lists the Client IP, Server IP, SQL, Period
Start (from the Access Period entity), Average Execution Time, and the count of occurrences for this row. You cannot access the query this report is based upon.
Throughput
This report produces a count of all Server IPs seen, and total accesses, during the reporting period. At the outermost level, accesses are grouped by the Period Start time
from the Access Period entity, which is usually one hour, on the hour. Your Guardium administrator can modify the access period length by changing the logging
granularity, which is one hour by default. Each row lists the Period Start time, the count of Server IPs seen, and a total count of accesses for the row.
You can restrict the output of this report using the Server IP run time parameter, which by default is set to â€œ%â€ to select all IP addresses.
Throughput (Graphical)
This report is a Distributed Label Line chart version of the tabular Throughput report, plotting the total number of accesses over the reporting period, one data point per
Period Start time.
You can restrict the output of this report using the Server IP run time parameter, which by default is set to â€œ%â€ to select all IP addresses.
Number of Active Privacy Set Tasks

Number of active Guardium audit processes that contain one or more privacy set tasks. When central management is used, this report contains data on the Central
Manager only, and is empty on all managed units (the standard message, No data found for requested query, displays). This report has non-standard run time parameters:
there are no from and to date parameters, so all audit processes containing one or more privacy set tasks will be reported. You can clone the query that this report is
based upon (Number of Active Privacy Set Processes), but you cannot clone or regenerate the default report. The cloned query will have all of the standard run-time
parameters (including the from and to dates).
Guardium Job Queue

Displays the Guardium Job Queue. For each job, lists the Process Run ID, Process Type, Status, Cls/Asmt Process Id, Report Result Id, Cls/Asmt Description, Audit Task
Description, Queue Time, Start Time, End Time, and Data Sources.
Table 6. Guardium Job Queue

internal - not available Guardium Job Queue not available
Job Description LIKE %
Period To <= NOW
Databases Discovered
For the reporting period, for each Discovered Port entity where the DB Type attribute value is NOT LIKE Unknown, this report lists the Probe Timestamp, Server IP, Sever
Host Name, DB Type, Port, Port Type, and count of Discovered Ports for the row.
Table 7. Databases Discovered

Auto-discovery Databases Discovered Discovered Port
Period To <= NOW
Data Sources

This report appears on the default layout for both administrators and users. See Data Sources on the Predefined Reports - Common page.
Data Source Version History

This report appears on the default layout for both administrators and users. See Data Source Version History on the Predefined Reports - Common page.
Guardium Job Queue

Displays the Guardium Job Queue. For each job, lists the Process Run ID, Process Type, Status, Cls/Asmt Process Id, Report Result Id, Cls/Asmt Description, Audit Task
Description, Queue Time, Start Time, End Time, and Data Sources.
Outstanding Audit Process Reviews

For each Guardium user Login Name, this report lists the number and type of outstanding Guardium audit processes. An outstanding audit process has a Status attribute
value (in the Task Results To-Do-List entity) other than Reviewed or Signed. This report has non-standard run time parameters: there are no from and to dates, which
means that all outstanding task results will be reported. You can clone the query that this report is based upon (it has the same name), but you cannot clone or regenerate
the default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).
Number of Active Audit Processes

The number of active Guardium audit processes. When central management is used, this report contains data on the Central Manager only, and is empty on all managed
units (the standard message, No data found for requested query, displays). This report has non-standard run time parameters: there are no from and to date parameters,
so all active audit processes will be reported. You can clone the query that this report is based upon (Number of Active Processes), but you cannot clone or regenerate the
default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).
View Installed Policy

In the Currently Installed Policy panel, this special report displays the information about the installed policy such as the policy name, the number of rules it contains, and
its policy definition settings. You cannot access the query this report is based upon.
Policy Violation Count

For the reporting period, this report displays the number of policy violations logged.
Logged Threshold Alerts

This report displays a bar representing the total number of alerts logged during the reporting period, for each type of threshold alert logged, based on the Alert Description
attribute of the Threshold Alert Details entity.
Logged R/T Alerts

This report displays a bar representing the total number of alerts logged during the reporting period, for each type of real-time alert logged, based on the Access Rule
Description attribute of the Policy Rule Violation entity.
Violations/Incidents
See the Incident Management topic.
Predefined Reports Common

This section provides a short description of all predefined reports on both the default user and default administrator layouts.
The common reports are:

Data Sources
Status Monitor
The Status Monitor graphical report displays the current state of the GuardiumÂ® appliance: how many packets per second and requests per second it is processing, how
much disk space and memory is being used, and so forth. Each field is described in the following table.
The box displays the output of the Linux VMSTAT command. If you are familiar with that command, these statistics should be familiar to you.
Table 1. Status Monitor

Field Description
procs The number of processes:
r: Waiting for run time.
b: In uninterruptable sleep (blocked, waiting for another event).

Field Description
memory Memory use (kB):
swpd: Amount of virtual memory used.
free: Amount of idle memory.
buff: Amount used as buffers.
cache: Amount reserved for cache.

swap Amount of memory (kB):
si: Swapped in from disk.
so: Swapped out to disk.
io Input/Output blocks (kB/s):
bi: Blocks received from a block device
bo: Blocks sent to a block device
system System:
in: Interrupts per second, including the clock
cs: Context switches per second
cpu Percentage of total CPU time used by:
us: Time spent running non-kernel code
sy: Time spent running kernel code
id: Idle time (not including waiting for IO)
wa: Time spent waiting for IO
st: Time stolen from a virtual machine
(n)pps / (m)rps In the arrow next to the Analysis Engine, two averages are calculated for the last five seconds: n is the average number of network
packets per second, and m is the average number of network database requests per second.
Analysis Engine For the Analysis Engine, the first line lists the total number of messages queued for processing (q), followed by the number of
messages dropped (d) because the buffer was in danger of becoming filled. The second line lists the total number of messages
(q-d) ------ (p) processed (p). The number processed will be reset to zero whenever the inspection engine is restarted.
Server Type For each server type, the number of messages awaiting processing (q) is listed and the number of messages processed (p) is listed.
(q) ---- (p)

Free Disk Space The number of bytes free.
DB n% Full The percentage of the database space allocation that is used.
Files/Other The Files/Other portion of Status Monitor represents the data accumulated in nondb-sql logger.
Nondb-sql logger logs close session events arriving to the Analyzer from â€œignoredâ€ sessions that have been internally closed
by the Analyzer (INACTIVE_FLAG=-1). The Analyzer has the ability to close connections by timeout (if session has been inactive for
a long time). If close session data arrives to the Analyzer from â€œignoredâ€ session that has been closed by timeout, it is
recorded in the nondb-sql-logger section.
Analyzer never records data directly to database. This section also represents number of DB requests (like inserts into
GDM_SECURE_PARAMS) sent by Analyzer to Logger, as well as other supported protocols such as FTP

Default Layout Location
admin: available as drill-down from the Data Sources report

user: Discover > DB Discovery
Data Sources
Lists all datasources defined: Data -Source Type, Data-Source Name , Data-Source Description, Host, Port, Service Name, User Name, Database Name, Last Connect,
Shared, and Connection Properties..
You can restrict the output of this report using the Data Source Name run time parameter, which by default is set to â€œ%â€ to select all datasources.
Table 2. Data Sources

internal - not available Data-Sources not available
Data Source Name LIKE %

Period To <= NOW
Predefined Audit Processes

There is one predefined audit process named Appliance Monitoring, which contains the proceeding reports listed. This audit process is inactive by default. The
administrator can activate and schedule it according to his or her needs.
Note: When scheduling this audit process, check that the FROM/TO dates for each report make sense for the process interval being defined (for example, it doesnâ€™t
make sense to have a reporting period of one day if the audit process runs only once a week - you will miss six days of activity).
The Appliance Monitoring audit process contains the following reports:
Failed Logins to Guardium

Active Guardium Users
Aggregation/Archive Errors
Policy Related Changes
Inspection Engines and S-TAPÂ® Changes
Data Source Changes
CAS Instance Configuration Changes
CAS Instances
CAS Templates
Scheduled Jobs Excep
How to ask questions of the data

Use the Query Builder to define and modify questions about the collected data.
There is a distinction between queries and reports:
A query describes a set of information to be obtained from the collected data; for example, find all clients updating a specific database during weekend hours or
what unauthorized users have attempted to access sensitive data (Social Security numbers or credit card number).
A report describes how the data returned by a query is presented.
There is a separate Query Builder for each domain, and it is opened from the Query Finder for that domain (see Open the Query Finder section). Click Reports > Report
Configuration Tools > Query Builder.
The query builder contains three panes:
The Entity List pane identifies all entities and attributes that are contained in the domain. Entities are represented as folders, and attributes are the items within.
Click an entity folder to display its attributes, or click again to hide them. For a description of all entities and attributes, see Entities and Attributes in the Domains,
Entities, and Attributes help topic.
The Query Field pane lists all fields to be accessed, what is to be displayed for that field (its value, a count, minimum, maximum, or average), and the sort order. For
more information about using this pane, see the Query Fields Overview.
The Query Conditions pane specifies any conditions for selecting the fields that are listed (for example, â€œwhere VERB = UPDATEâ€ ). For more information
about using this pane, see the Query Conditions Overview in the Queries help topic.
For complete information, see the Queries help topic.
Open the Query Finder

There is a separate Query Builder for each reporting domain, so it is important to open the correct Query Builder. Otherwise, the information you want will not be
displayed. All domains are described in the Domains topic of the Domains, Entities, and Attributes Appendix.

After determining which domain to use, Click Reports > Report Configuration Tools > Query Builder.
Search for a Query

To locate and view a query definition in the Query Builder, there are several options:
1. Use the Query Finder - see Use the Query Finder.
2. From a report that is based on the query, click Edit this Report's Query in the toolbar of the report.
Use the Query finder

1. Open the Query Finder for the appropriate domain (see Open the Query Finder).
2. Optional. If you know the Main Entity for the query, select it from the list.
3. Click Search.
If there is only one query that is defined for the selected Main Entity, that query opens immediately in the query definition panel.
If there are multiple queries that are defined for the selected Main Entity, or if no Main Entity was selected, a list of queries display in the Query List panel.
If a Main Entity was selected for which no queries have been defined, you will be informed.
To open the Query Builder panel for one of the listed queries, click on it. To define a new query, click New.
Create a Query
2. Click New to open the New Query â€“ Overall Details panel.
3. Type a unique query name in the Query Name box. Do not include apostrophe characters in the query name.
4. Select the main entity for the query from the Main Entity list. The main entity controls the level of detail that is available for the query, and that it cannot be changed.
Basically, each row of data that is returned by the query represents a unique instance of the main entity, and a count of occurrences for that instance.
5. Click Next. The new query opens in the Query Builder panel. To complete the definition, see next section on Query Fields.


The Query Fields pane basically lists the columns of data to be returned by the query.
There are two ways to add a field to the Query Fields pane:
Pop-Up Menu Method:
1. Click the field to be added.
2. Select Add Field from the pop-up menu.
Drag-and-Drop Method:
1. Click the icon of the field (not on the field name).
2. Drag the icon to the Query Fields list and release it.
Regardless of the method that is used, the field is added to the end of the list.
Move or Remove Fields in the Query Fields Pane
To move a field in the Query Fields pane:
1. Mark the checkbox for the field.
2. Use the following buttons to move the field to the desired location:
Click Up to move the field up one row.
Click Down to move the field down one row.
Modify a Query
2. Use the Query Finder to open the query to be modified.
3. Refer to the Query Builder Overview topic to modify any component of the query definition.
Create a Report
Once a query has been defined, there are several options for adding a tabular report that is based on that query to an existing menu layout, quickly. These options apply
only for tabular reports.
2. Use the Query Finder to open the query to use for the report.
To create a report, click Create a Report. To redo an existing tabular report, click Regenerate.
To add a tabular report to the My Custom Reports tab, click Add to My Custom Reports in the panel. (If no tabular report has been generated yet for the query, you
need to click the Create a Report first.)
In order to see meaningful data in the tabular report, click in order to access the run-time parameters (change the time from and now).
How to report on dormant tables and columns

GuardiumÂ® offers functionality that can help data architects and DBAs discover which tables and which fields are not being used.
About this task

The basic concept is the following. You want to know which tables are not being accessed. You upload all table names from your database or from your Configuration
Management Database (CMDB) using Guardium's custom domain and custom query functions. Then you use the report (from the custom query) to populate a group of
objects.
Next, you use a report that uses monitored data to show all object names that have participated in a SELECT statement. There are predefined reports for this in Guardium
8, all starting with the prefix DW (Data Warehouse). Then, use the output to populate one of the predefined groups.
Finally, use a predefined report that shows all members in the first group that are not members in the second group.
There are two sets of such reports and groups â€“ one which focuses on tables and one which focuses on tables and columns. The only difference is that in the later case
groups are of a 2-tuple type (members that are a composite of a pair of value attributes, referred to as tuple).

Let's look at an example from start to finish involving an Oracle database and the EMP user.
Follow these steps.
1. Upload all table names and/or all table/column combinations from the set of system catalog tables (definitions of the database objects).
2. Use monitored data to determine which tables and/or table/columns have been accessed over a period of time.
3. Create a report of all items of step 1 that are not in step 2.
The following Guardium functions are used for this task.
External Data Correlation for uploading table names and columns names
Populate groups from queries
Reporting
Procedure
1. Upload all the tables from the system catalog. Do this by creating a custom table.
Prerequisites
a. Define datasource/test database connection

b. Upload data (create custom table)
c. Create new domain (merge custom tables with existing reports)
See External Data Correlation for further information.
The following example is available from Comply > Custom Reporting > Custom Table Builder > Upload Definition > Import Table Structure.
When the configuration is complete, click the Retrieve button.
Configuration - Upload Definition, Import Table Structure
Upload the data so that it is in the Guardium system (as a custom table) and if desired, schedule this upload. This data will be used to determine the superset of all
tables defined in the system.
Mapping all the objects (and/or objects-fields) in the system
In this example, dormant data based on table names is used. But the analysis can include columns, provided the upload tasks are defined to bring back pairs of
<object,field> and use tuple groups to compare with an observed tuple of object+field.
For instances of Object-Field, replace the DW Dormant Objects report with the DW Dormant Objects-Fields report. For instances of Object-Field, replace the DW
Select Object Access report with the DW Object-Field Access report.
Once you complete the upload, define a custom domain based on this single custom table and define a report that retrieves the table names.
Next, populate the group DW All Objects group from this report and schedule this Import from Query action if desired. This creates a group that has all the tables as
defined by the system catalog.
Note: When populating the group DW All Objects group, it should include the information to click Run Once Now -> Select All -> Click on Import button. Do the
same for Group Name "DW SELECT Accessed Objects". It needs to import all scheduled definitions.

When done, click the Save button.
2. Mapping the object directly
Use monitored data to determine which tables and/or table/columns have been accessed over a period of time.
Look at some additional predefined reports. The DW SELECT Object Access report shows all object names that have been accessed through a SELECT statement.
Now, populate the group DW SELECT Accessed Objects group from the report, filling in the filtering attributes that you require.
Note: When populating the group DW All Objects group, it should include the information to click in 'Run Once Now' -> Select All -> Click on Import button. Do the
same for Group Name "DW SELECT Accessed Objects". It needs to import all scheduled definitions.
The following example is available from Setup > Tools and Views > Group Builder > Chose DW All Objects > Populate from Query > DW Select Object Access.
When done, click the Save button.
Configuration - Populate Group from Query, Object Name
3. Create a report of all items of step 1 that are not in step 2.
Use the DW Dormant Objects report to view objects that are in the all objects group, but have not been used in a Select.
Contrast this report with the earlier Report â€“ Table Names. Notice that EMP is not in this report because it was used in a SELECT statement.
Note: Because group members are centrally managed and synchronized between the Central Manager and managed units, the content of this report may be
delayed by up to 30-minutes. If you need access to the information that is most up-to-date, run this report on the Central Manager or ask your Guardium
administrator to synchronize the managed unit from the Central Manager.
Further ways to access tables
Mapping objects indirectly
In addition to direct SELECT access, tables may be accessed through stored procedures and functions. In this case, you will need to do a bit more mapping to allow
Guardium to calculate such SELECTs.
First, use the report DW EXECUTE Object Access to fill in the group called DW EXECUTE Objects with a set of stored procedure names that are being executed.
Then, use indirect mapping to generate all the objects being used from within these procedures.
Assume that you have a procedure defined:
create or replace procedure num_depts(deptnums out NUMBER) is

begin
select count(*) into deptnums from dept;
end;
In this case, every execution of num_depts also does a select on DEPT.

Use the â€œpopulate group from queryâ€ feature to use the Object Name column in the DW EXECUTE Object Access report to populate the â€œDW Execute
Objectsâ€ group. Then, use this group to populate the DW EXECUTE Accessed Objects group.
In the Group Builder select the DW EXECUTE Objects from the list and click on Auto Generate Calling Prox. Select either Using Reverse Dependencies, which is
supported only for Oracle in Guardium 8, or Generate Selected Objects.
If you choose to use dependencies then you will need to choose a database that has access to DBA_DEPENDENCIES and what type of dependencies to follow.
Choose to append members to the DW EXECUTE Accessed Objects group.
The following example is available from Setup > Tools and Views > Group Builder > Chose DW EXECUTE Accessed Objects > Auto Generated Calling Prox > Using
Reverse Dependences > Analyze Stored Procedures.
Configuration - Auto Generated Calling Prox, Using Reverse Dependencies
This will add the dependent objects to the group DW EXECUTE Accessed Objects.
How to Generate API Call from Reports

Generate Guard API calls from a report either from a single row within a report or based on the whole report
Value-added: Through a GUI, by using existing data on the system that is displayed in reports as parameters for API calls, quickly and easily generate and populate API
calls without having to perform system level commands or type lengthy API calls to quickly perform operations such as create datasources, define inspection engines,

maintain user hierarchies, or maintain the Guardium features such as S-TAP.
Single Row API call
For this scenario, we will generate API function calls to populate the Data Security User Hierarchy.
1. To begin, let's show the current Data Security User Hierarchy for the user scott
2. To invoke an API function we must find a report that currently has the desired API functions linked to it. Since creating a user hierarchy is related to users, selection
of a user report should yield good results. For this scenario we've selected the User - Role report.
3. Double-clicking on a row for drill-down will display an option to Invoke...
4. Click on the Invoke... option to display a list of API functions that are mapped to this report
5. Click on the API you'd like to invoke; bringing up the API Call Form for the Report and Invoked API Function
6. Fill in the Required Parameters and any non-Required Parameters for the selected API call. Many of the parameters are pre-filled from the report but may be
changed to build a unique API call. For specific help in filling out required or non-required parameters please see the individual API function calls within the
GuardAPI Reference guide.

7. Use the drop-down list to select the Log level, where Log level represents the following (0 - returns ID=identifier and ERR=error_code as defined in Return Codes, 1
- displays additional information to screen, 2 - puts information into the Guardium application debug logs, 3 - will do both)
8. Use the drop-down list to select a Parameter to encrypt.

Note: Parameter Encryption is enabled by setting the Shared Secret and is relevant only for invoking the API function through script generation.
9. Choose to Invoke Now or Generate Script.
a. If Invoke Now is selected the API call will run immediately and display an API Call Output screen showing the status of the API call.
b. If Generate Script is selected: Open the generated script with your favorite editor or optionally save to disk to edit and execute at a later time -- replacing
any of the empty parameter values (denoted by '< >') if contained within the script.
Note: Empty parameters may remain in the script as the API call will ignore them
Example Script
# A template script for invoking guardAPI function create_user_hierarchy :
# Usage: ssh cli@a1.corp.com<create_user_hierarchy_api_call.txt
# replace any < > with the required value
grdapi create_user_hierarchy userName=jkoopmann parentUserName=scott
c. Execute the CLI function call.
Example Call
$ ssh cli@a1.corp.com<create_user_hierarchy_api_call.txt
10. Validate. For this scenario it is a redisplay of the Data Security User Hierarchy.
Â Multi Row API call
This scenario uses a custom report with mapped parameters to report fields. Please see additional scenarios further in this section for additional information.
1. To begin, let's show the current Data Security User Hierarchy for the user scott
2. Click on the Invoke... icon to display a list of APIs that are mapped to this report

3. Click on the API you'd like to invoke; bringing up the API Call Form for the Report and Invoked API Function. Invoking an API call from a report for multiple rows will
produce an API Call Form that displays and enables the editing of all records displayed on the screen (dependent on the fetch size) to a maximum of 20 records.
4. Use the check boxes to select / de-select the rows that will be targeted for the API call.
5. Fill in the Required Parameters and any non-Required Parameters for the selected API call. Many of the parameters are pre-filled from the report but may be
changed to build a unique API call. For specific help in filling out required or non-required parameters please see the individual API function calls within the
GuardAPI Reference guide. Additionally, use the set of parameters for the API to enter a value for a parameter and upon clicking the down arrow button populate
that parameter for all records.
- displays additional information to screen, 2 - puts information into the Guardium application debug logs, 3 - will do both)

a. If Invoke Now is selected the API call will run immediately and display an API Call Output screen showing the status of the API call. In this scenario the last
two API calls will fail since we can not have a cyclical relationship in the hierarchy.
b. If Generate Script is selected: Open the generated script with your favorite editor or optionally save to disk to edit and execute at a later time -- replacing
any of the empty parameter values (denoted by '< >') if contained within the script. With this scenario, we could easily delete the last two lines of the script --
knowing they would create cyclical errors.
Note: Empty parameters may remain in the script as the API call will ignore them.
Example Script
# A template script for invoking guardAPI function create_user_hierarchy :
# Usage: ssh cli@a1.corp.com<create_user_hierarchy_api_call.txt
grdapi create_user_hierarchy userName=ADAMS parentUserName=SCOTT
grdapi create_user_hierarchy userName=JOHNY parentUserName=SCOTT
grdapi create_user_hierarchy userName=MARY Â parentUserName=SCOTT
grdapi create_user_hierarchy userName=SCOTT parentUserName=SCOTT
grdapi create_user_hierarchy userName=SCOTT parentUserName=SCOTT
c. Execute the CLI function call.
Example Call
$ ssh cli@a1.corp.com<create_user_hierarchy_api_call.txt

9. Validate. For this scenario it is a re-display of the Data Security User Hierarchy.
How to use Constants within API Calls

Create a new entity attribute to be used during an API function call.
Value-added: Through a GUI, create a user-defined constant that can be used for filling in a parameter in an API function call .
1. From our report, we can modify it to have a field that we could use for parameter mappings.
2. Go to the Query Entities & Attributes report for the Client/Server entity within the ACCESS RULES VIOLATIONS domain. Double-click on a row and select the
Invoke... option.

3. Invoke the API function create_constant_attribute.
4. Fill in the constant value to use ('SCOTT'), fill in the attributeLabel you like to name it ('OracleTopParent'), and then click on the Invoke now button to create the
constant.
5. Clicking on the Invoke now button will produce a API Call Output status showing the constant was created.
6. A re-display of the Query Entities & Attributes report will show the new attribute created.

7. The newly create constant can now be mapped for the report. Double-click on the new row and select the Invoke... option.
8. Select the create_api_parameter_mapping option. Â
9. Fill in the functionName and the parameterName and click on the Invoke now button.

10. The newly created attribute must be added to the report. Edit the query through Query Builder and add the field.
11. Now when the report is displayed the new attribute is displayed.
12. To validate the new constant's usage, double-click on a row and select the Invoke... option.

13. Select the API function
14. Now the parentUserName is populated from the newly added constant. Click the Invoke now button.
15. Validate the new Data Security User Hierarchy.
How to use API Calls from Custom Reports

Link API functions to reports and map report fields to the API functional parameters.
Value-added: Through a GUI, quickly and easily map API parameters to custom report fields to be used in API function calls.
1. By default, a newly created custom report will not have any API functions linked to it. This can be seen by the proceeding custom report where double-clicking on a
row will only produce a list of additional drill-down reports to run but lacks the Invoke option.

2. The linking of API functions to reports is done through Guardium's Report Builder. Open Report Builder, find your custom report, and then click on the API
Assignment button.
3. The API Assignment panel shows all the API functions assigned to the selected report. Notice for our scenario the report selected has no API functions assigned to
it.
4. To assign an API function to a report, find an API you'd like to link to the report, click the greater than arrow, and then click the apply button. For our scenario we
selected create_uer_hierarchy. When selected a pop-up window will appear that shows the report parameter mappings (which report fields will be used when
calling the API function). Notice there are no mapped report fields to parameter names.

5. At this point, none of the report fields are mapped to the API parameters. Users can go to the Query Entities & Attributes report to create these mappings,
otherwise when invoking the API call none of the parameters will have values. add the API parameter mappings. Open the Query Entities & Attributes report and
create the mappings. Since our report for this scenario uses the Client/Server entity within the ACCESS RULES VIOLATIONS domain, filter the report by using the
customize button; modifying the report to display only the Client/Server entity.
6. Double-click on the attribute you'd like to assign to a parameter name and click on the Invoke... option.
7. Select the create_api_parameter_mapping API function.

8. Fill in the functionName and parameterName in the API Call Form and click on the Invoke now button.
9. Now, when we go back to the Report Builder for our report and look at the API Assignment; clicking on the create_user_hierarchy API function displays the API -
Report Parameter Mapping with our mapping of userName to the Report field Client/Server.DB User Name.
10. Click on the greater-than arrow '>' and click the Apply button

11. Now when we invoke the create_user_hierarchy API function through our report the parameter userName will be populated from the report. To see this, go back to
the report and double-click on a row and then click on the Invoke... option.
12. Click on the API function (in our case create_user_hierarchy).
13. Notice that the userName is now populated from the report field.
14. Fill in the parentUserName and click the Invoke now button.
15. Verify that the new Data Security User Hierarchy has been added.


External feeds allow you to send Guardium report data directly to an external database.
Sending reporting data to an external database is useful in several scenarios, for example when combining or correlating Guardium data with non-Guardium data, when
using Guardium data with external reporting tools, or when machine-parsing records in especially large reports.
Before using external feeds, verify the following prerequisites:
Map a feed between Guardium and an external database. External feeds currently support relational databases and may not function with other database types.
Create a report defining the data to send via the external feed. Predefined reports will not work with external feeds. If you want to use a predefined reports, make a
copy with the report and use the copy for the external feed.
Define an audit process that will use the external feed.
The first time that an optional external feed task runs, the necessary internal representation of the audit sources will be created. One limitation Â is that data that is time-
stamped with a date earlier than the audit source creation date cannot be stored. This means that the first time the task runs, it will only export data for the current date.
On subsequent executions of the task following that date, any data from that date forward can be exported. (In other words, the next day, you will be able to export that
day's data plus the prior day's data.)
Create an Optional External Feed Task

If you have not yet started to define a compliance workflow automation process, see Create a Workflow Process before performing this procedure.
2. Click External Feed.
3. Select the feed type from the Feed Type list. (The controls that appear next depend on the feed type selected.) One predefined feed type is Object Last Referenced.
Note: You must map an external feed before attempting to use this feature.
4. Select an event type from the Event Type list.
5. Select a report from the Report list. Depending on the report selected, a variable number of parameters appear in the Task Parameters pane.
6. In the Extract Lag box, enter the number of hours by which the feed is to lag, and mark the Continuous box to include data up to the time that the audit task runs.
Extract Log only works when the Continuous box is marked.
7. In the Datasources pane, identify one or more datasources for the external feed. For instructions on how to define or select datasources, see Datasources.
8. Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected. Count column is not supported in External
Feed.
9. Click Apply.

Related concepts:
Related tasks:

Learn how to map an external feed to send Guardium report data directly to an external database.
Before you begin

Verify the following prerequisites before mapping an external feed:
Identify the external database that will receive data from the feed, and gather the connection information required for that database (ip address, port number,
username, password, etc.). External feeds currently support relational databases and may not function with other database types.
Identify the Guardium report that will provide data to the external feed.
About this task

External feeds allow you to send Guardium report information directly to an external database. Anything that can be defined in a report can be sent via an external feed.
These feeds depend on mapping DOMAIN_ID and ATTRIBUTE_ID from Guardium's reporting mechanism to table fields on the external database. Each mapping consists
of the records in four tables (EF_MAP_TYPE_HDR, EF_MAP_TABLE, EF_MAP_COLUMN, and EF_MAP_GDM_TYPE). Use the grdapi_create_ef_mapping function to help create
these tables and establish the mapping.
Procedure
1. Generate a report with the data you would like to transfer using an external feed. You can do this from a central manager, aggregator, or stand-alone Guardium
instance, provided that system can access the report data you require.
2. From the CLI, run grdapi create_ef_mapping reportName="My report". In addition to establishing the mapping, the grdapi_create_ef_mapping function
also generates a sample create table statement to be used in subsequent steps.

3. On the Guardium system where your report is defined, search /var/log/guard for a filename like ef_sample_[my_report].sql. This file contains the example create
table statements. You must modify the statements in this file to match the requirements of your external database. After modifying the file, run the statements
against your external database to create the target tables.
4. The external feed should now be available for use in workflow processes defined through the audit process builder. See the Optional External Feed documentation
for additional information.

Related concepts:
Distributed Report Builder

This Central Manager feature provides a way to automatically gather data from all or a subset of the Guardium managed units that are associated with this particular
Central Manager. Distributed reports are designed to provide a high-level view, to correlate data from across data sources, and, to summarize views of the data. You would
continue to use aggregators for the row level data gathering across collectors.
This capability alleviates an issue that can arise in complex enterprise environments when users do not always know the exact managed unit that has the data that is
required to for a particular report. This can happen because the link between Guardium collectors and databases can change over time that is based on configuration
options such as load balancing. This is further complicated by considerations such as the time period and data retention policy on the Aggregator and Collectors.
It is easy to create a Distributed Report. Simply define it via the Distributed Report screen, add to a Pane and it is ready for your use.
Furthermore, this feature optionally makes use of data marts on the Central Manager to enable scheduled collection of aggregated data over time. In essence, the
distributed report data is stored on the Central manager as a flat table, so no complex joins are required to create the report you want, which can significantly improve
response time for these enterprise reports.
Distributed report data can be gathered from Collectors, Aggregators, and even Central Managers. The default distributed versions of the reports includes the host name
of the unit responsible for that data.
The following are predefined distributed reports:
Enterprise S-TAP Verification
Failed User Login Attempts
Scheduled Jobs Exceptions
Running Distributed reports: Immediate or scheduled
When you define a distributed report, run it immediately or schedule it to run in the background and gather the results to the Central Manager:
Immediate: This mode gathers data on demand (upon execution via the GUI) and displays results while gathering the results from the relevant managed
units. The distributed report includes a status indicator that data is still in transit or that all data has been received from a particular managed unit. In this
mode, data is not saved on the Central Manager. As soon as the report is closed, the data is gone.
Scheduled: This mode gathers data in advance in order to enable instant response. On the time interval you specify in the scheduler, all relevant, aggregated
data from the specified managed units is sent to a designated data mart table on the Central Manager machine and creates a default report against this table.
This table also has its own domain and entity to enable creation of additional queries and reports using the query builder. Those reports can be added to an
audit process in order to run the process periodically and assign the results of the process to a Role, User and/or User Group for review or sign-off.
Planning considerations for distributed reports
In a mixed environment where the Central Manager is 32-bit and managed units are 64-bit, the Distributed Report will not show information from the 64-bit
systems. To see information in this situation, the Central Manager needs to be upgraded to 64-bit.
Because of the coordination of data to be sent to the Central Manager, it is critical that the clock time on all managed units is set to the real-time at the time
zone where the managed units are located. Even a difference of ten minutes between the Central Manager and the managed units impact the performance
and reliability of the distributed reports.
Scheduled Distributed report definitions can be exported and imported, however immediate Distributed Report definitions cannot be exported or imported.
The schedule itself is not included in the exported and imported definition. It is recommended that you keep a record of the definitions and scheduling if
needed to re-create on another system such as a backup or test Central Manager. System backup does include distributed report configurations.
If you specify that report data is collected from both aggregators and collectors, it is conceivable that the default distributed report includes duplicate data
(although the Guardium host name is different). In this case, it is best to specify only collectors or only aggregators for the distributed report configuration.
Distributed reports are based on existing non-distributed reports. When defining a distributed report in scheduled mode, if the original query includes run-
time parameters, then you will be asked to provide those values (or wildcards, %).
Plan for the fact that now you will have data residing on your Central Manager in a database that you did not before. So you will need to plan for operational
changes for purging, for upgrades, and for backup.
Creating a distributed report
Distributed report building is available only from an appliance that is configured as a Central Manager. To access the distributed report builder when logged in as an
administrator, go to Reports > Report Configuration Tools > Distributed Report Builder.
From the Distributed Report Builder, you can select from a list of existing reports to modify the configuration or add to a pane, or click New to create a new
distributed report. In general, any existing report on the Central Manager can be distributed immediately or run on a schedule (or both).
Creating a new distributed report
From the Report Builder, select New, which clears any existing data in the report builder, in the Based on Report pulldown, select one of the existing reports that are
available for distribution. Each report from the list can be distributed once as immediate and once as scheduled. Those that are defined to be distributed

immediately have the term (Immediate) appended to the distributed report name.
Select an existing report to create one distributed report.
In the Gather Data From section of the builder, choose All Managed Units (that the Central Manager is managing) or specify certain Groups and/or specific Managed
Units.
Note: You can define managed unit groups from the Central Manager. Examples of groups are: Group of collectors versus aggregators; groups that are based on
application, responsibility, or geography.
In the Operation Mode section of the builder, choose the report operation mode:
Immediate: Run the report when the user requests it. When you select this option there are no additional options to consider. You can click Apply to save the
changes and then optionally click Add to Pane to add the report to the GUI.
Schedule: Run in a batch that prepares and gathers the data in advance.
With the Scheduled Report option, you specify the following additional values:
Time Granularity: Specify the time period for which the Data Mart is captured. The Data Mart extract is done at the next Time Granularity interval boundary
and covers the time interval specified. The Data Mart extract for a DAYS Granularity starts at Midnight and runs every X days. The Data Mart extract for a
HOURS Granularity starts at the next hour boundary and runs every X hours. The Data Mart extract for a MINUTES Granularity starts at the next X minute
boundary and runs every X minutes. For example, if you specify a Time Granularity of 1-hour for the Count Of Failed Logins report, the count is based on an
hourly aggregation of failed logins.
Purge After: Specify how long to keep the report data in the data mart before it is automatically purged.
Runtime parameters: Depending on what report you are basing the distributed report on, you must specify the runtime parameters. To see valid values for
these fields, examine the query for the original report, or specify the wildcard, %.
Click Apply. When the system is done saving the distributed report configuration, Modify Schedule and Roles are activated.
To create the schedule, click Modify Schedule, which takes you into the general-purpose scheduler.
The schedule definition is pushed down to the managed units and tells each managed unit when and how often to send the aggregated data to the Central Manager.
To specify which roles can see this distributed report, click Roles.
Modifying an existing distributed report
For existing distributed reports, you can:
Change the configuration, including managed units, schedule details, or runtime parameters
Add a report to a dashboard
Delete a distributed report
Create a scheduled report that is based on an existing immediate report. This option replaces the immediate report. You cannot create an immediate report
from an existing scheduled report.
To select an existing report, use the text search box or scroll through the list of existing reports and select the one you want to modify.
Viewing distributed reports
The following additional columns are included in distributed reports:
Source: The Guardium system where the data was gathered from.
TZ: Time Zone - because the Guardium system might be located in a different time zone from the Central Manager.
Date: This column shows the Start Period time for scheduled reports and enable grouping results according to hour/day. For Immediate mode, this column
shows start time and will not be meaningful.
Note: Only a maximum of three date fields are permitted.
Edit and update
For distributed reports, edit and update the base report and update the distributed report based on the updated report structure.
If a user changes the columns in a base report, or adds or removes the where clause in the base report, and then saves and re-generates the report, then to update
the distributed report based on this updated report, the user only needs to click on "Save report changes" on the existing distributed report for changes to take
effect.
Should the user choose to update the existing report parameter, user should first click on "Apply report changes", then update the parameter value, then click on
"Save report changes" for the updates to take effect.
More about time
When running a report, the report customizer lets you specify an absolute time window for the query (from 3-31-2014 8:00am to 3-31-2014 11:00am) or a relative
time window (NOW -3 HOUR).
For absolute time, each Guardium system will run in its local time. For example, if a distributed report gathers data from Guardium systems in Eastern Standard
Time (EST) and Pacific Standard Time (PST), then each system will execute the query based on local time. In the example (useful for checking morning peak hours,
midnight or any specific absolute time), a system in New York will gather the results from 08:00 - 11:00 EST and a system in California will gather the results from
08:00 â€“ 11:00 PST.
For a relative time specification, each system will run NOW â€“N according to the current time on that system. This is important for real-time reports. Absolute Time
cannot be used for real-time or near real-time reports. Use the Immediate mode for real-time monitoring.

Viewing Distributed Report Status
Every distributed report is accompanied by a status report that show the user what machines succeed in bringing in the results and what did not. The link to access
the status report is highlighted when you navigate to the report in the GUI.
For scheduled reports, clicking on a line on the Status Report enables execution of API to rerun the report on the specific unit(s).
If the specific run for Distributed Report in Scheduled mode comes back with an error, you can rerun the report from the status report as follows:
1. Double click on one of the rows in the status report to bring up the Invoke menu. Click on Invoke.
2. Click the selection, rerun_distributed_report.
3. This will open up a pop-up screen that lets you choose the specific run to rerun. Any row of the report can be opened, but only rows with ERROR status can
be rerun.
GuardAPI for Rerun Distributed Report
The retry command described in the GUI, for invoking the status report, can also be accessed via GuardAPI command.
Syntax
grdapi rerun_distributed_report
This diagram illustrates the process to run an Immediate Distributed Report.

This diagram illustrates the process to schedule a Distributed Report.
Distributed Report enhancement - set Target system to any Guardium system
The Distributed Reports distributes the query request to the specified Guardium systems, it gathers the data into the Target system, consolidates the results and
provides views on the consolidated results. The results are available via the Query Builder for additional queries definition.
The Distributed Report feature can now set the Target system to any Guardium system. The previous version does not allow setting the Target system and it always
goes to the Central Manager (CM).
Requirement justification
In many cases the CM is overloaded (regardless of the Distributed Report) and the CM is sometime used as an Aggregator which adds load to the CM.
In those cases it will be much more efficient to enable the user to determine the target system.
Solution
A target System can be set for each Distributed Report. A CLI command is available to set the optional Target systems. The list set via the CLI is shown in the
Distributed Report builder GUI.
Important note: This change affects the Distributed Report Scheduled mode only. The Immediate mode is not included in this change! This means that the
ad-hoc distributed report result viewer is accessible via the CM only.
The Distributed Report definition is still editable via the CM only.
GUI Change
A new field "Send Data To" is added to the Distributed Report Builder screen to enable the user to set the target System(s) (either Collector(s) or
Aggregator(s)) for the Distributed Report.
This field is relevant only in case of Scheduled Mode (otherwise, it is disabled).
The default is set to the CM.
The list of available Target Systems is limited to the Systems that were set via the CLI (see CLI list below).
The Distributed Report definition is editable via the CM and View-Only via the target.
The "Add To Pane" of the report (adding the report viewer to the menu) is available from the definition screen on the Target System and CM.
This option is available on CM even if the CM is not the Target System for that report. It's done to give a possibility to view Distributed Report Status on CM
but no data will be displayed in the report itself.
The CLI commands (available via the CM only)
1. Set System as a Target System
grdapi set_distributed_report_target target_host_name=[unit host name]
2. Cancel System to be a Target system
grdapi cancel_distributed_report_target target_host_name=[unit host name]
If there are still distributed reports with this unit as target then returns error and the list of such reports
3. Get list of Target system
grdapi get_distributed_report_target_info

Additional CLI commands
For scheduled distribute reports, store or show the value of a maximum number of rows per unit.
show scheduled_distributed
store scheduled_distributed
The Store command has one parameter, maximum_rows_per_unit. If the value of that parameter is greater than 15,000 or equals 0 (no limit), the user will see a
warning message:
"Depending on number of collectors, setting maximum number of rows per unit to a high value might have negative impact on performance".
How to create a Distributed Report

Guardium offers a function that provides a way to automatically gather data from all or a subset of the Guardium managed units that are associated with a particular
Guardium Central Manager.
About this task - In this example, we see how to get a broader view and correlation insight for Exceptions (for example, SQL Errors) that are recorded on specific
collectors.
Summary of steps
Prerequisites â€“ create group of Managed Units via the Central Management screen.
1. Create Distributed Report.
2. Review the data gathered.
3. Create additional summary reports on the data gathered.
Procedure
1. Click Reports > Report Configuration Tools > Distributed Report Builder.
2. Click New.
3. Select Based on Report from the list (the list shows the User-Defined Reports). For this example, choose Exceptions Details.
4. Move down the screen to specify the Managed Units to be included in this distributed report. For this example, choose two groups from the Group list and in
addition a few managed units from the Managed units list. In this example, leave the â€˜Central Managerâ€™ unchecked (in the case the Central Manager is also an
Aggregator, it might need to be included).
5. The next screen capture shows the setting for the Operation Mode. The Immediate mode is mainly for online / real-time monitoring, such as, view the recent Failed
Login Attempts, view recent Excessive Exception, or view real-time alerts. The Scheduled mode is an ongoing data-gathering that runs periodically based on the
Schedule defined. This example summarizes the exceptions every hour. There is a requirement for filling in values for Exception Description and Destination
Address.

6. Click Apply to create the Distributed Report.
7. Once applied, the new Distributed Report is added and highlighted in the list box.
8. The next step is to schedule it by clicking Modify Schedule (this is mandatory to activate the process).

9. This report can be limited to specific roles by clicking Roles and selecting the relevant Roles.
10. In this specific example, the report is performed hourly - there is no need to wait at least an hour to get the initial results.
Note: The line saying â€˜Distributed Report status â€“ click here for detailsâ€™, shows the status of data gathering, if data is missing from managed units then the
line is colored in red; clicking the line navigates to details report of status per units per hour.
11. The data is gathered from all the specified Managed Units and stored in new designated entity (table). This entity is now available via the Query Builder and Report
Builder to create additional Queries and Reports against this new table. The option to build additional Queries and Report are available via the Distributed Report
result screen as well. Click Edit the query for this report.
This default Report cannot be changed, click Clone, name it, remove all attributes and leave the Date, User Name, Exception Type Description, and Sum Of Count Of
Exceptions.
The following screen capture shows an example of the Correlate Total Exceptions By User (Distributed). This view sum the total exceptions per user from all databases
that are associated to the Guardium Managed Units selected for this Distributed Report. Likewise, you can view the Total Failed Login Attempts system wide, or the Total
Exceptions per Source Programs.
Assess and harden

The GuardiumÂ® Vulnerability Assessment solution is the first step in the security and compliance lifecycle management for any IT environment. You can use a set of
predefined or custom assessments and process workflow audits to identify and address database vulnerabilities in an automated fashionâ€”proactively improving
configurations and hardening infrastructures.
Introducing Guardium Vulnerability Assessment

Guardium Vulnerability Assessment enables you to identify and correct security vulnerabilities in your database infrastructure.
Vulnerability Assessment tests
Guardium provides several types of tests to enable you to assess your vulnerability.
Assessments
Assessments are a group of tests that scan database infrastructures for vulnerabilities and provide an evaluation of database and data security health with real-
time and historical measurements.
Required schema change
The schema used by vulnerability assessment tests on IBM DB2 for z/OS changed in Guardium V9.1. If you upgrade from a release prior to 9.1, you must update
your database in order to continue using these tests.
Assessing RACF vulnerabilities
If you use IBM DB2 for z/OS, you can use vulnerability assessment tests to assess your RACF vulnerabilities. You must have at least version 9.1 of Guardium
installed to use RACF assessments.
Configuration Auditing System
The Configuration Auditing System (CAS) tracks and reports changes to the server environment; for example, modified configuration files, environment or registry
variables, or other database or operating system components, including executable files or scripts used by the database management system or the operating
system. The data is available on the Guardium system and can be used for reports and alerts.
Introducing Guardium Vulnerability Assessment

Guardium Vulnerability Assessment enables you to identify and correct security vulnerabilities in your database infrastructure.
Database Vulnerability Assessment is used to scan the database infrastructure for vulnerabilities and provide evaluation of database and data security health, with real
Vulnerability Assessment uses three types of artifacts:
Test
A test checks the database environment for vulnerabilities for a particular threat or area of concern.
Assessment
An assessment is a job that includes a set of tests that are run together.
Data source
The source of data itself, such as a database or XML file, and the connection information necessary for accessing the data.
The GuardiumÂ® Vulnerability Assessment application enables organizations to identify and address database vulnerabilities in a consistent and automated fashion.
Guardiumâ€™s assessment process evaluates the health of your database environment and recommends improvement by:
Assessing system configuration against best practices and finding vulnerabilities or potential threats to database resources, including configuration and behavioral
risks. For example, identifying all default accounts that havenâ€™t been disabled; checking public privileges and authentication methods chosen, etc.
Finding any inherent vulnerabilities present in the IT environment, like missing security patches,
Recommending and prioritizing an action plan based on discovered areas of most critical risks and vulnerabilities. The generation of reports and recommendations
provide guidelines on how to meet compliance changes and elevate security of the evaluated database environment
Guardiumâ€™s Database Vulnerability Assessment combines two essential testing methods to guarantee full depth and breadth of coverage. It leverages multiple sources
of information to compile a full picture of the security health of the database and data environment.
1. Agent-based-Using software installed on each endpoint (e.g. database server). They can determine aspects of the endpoint that cannot be determined remotely,
such as administratorâ€™s access to sensitive data directly from the database console.
2. Scanning-Interrogating an endpoint over the network through credentialed access.
Included in the Guardium Vulnerability and Threat Management solution are:
Database Auto-Discovery performs a network auto-discovery of the database environment and creates graphical representation of interactions among database
clients and servers.
Database Content Classifier automatically discovers and classifies sensitive data, such as 16-digit credit card numbers and 9-digit Social Security
numbersâ€”helping organizations quickly identify faulty business or IT processes that store confidential data.
Database Vulnerability Assessment scans the database infrastructure for vulnerabilities and provides evaluation of database and data security health, with real
CAS (Configuration Auditing System) tracks all changes to items such as database structures, security and access controls, critical data values, and database
configuration files.
Compliance Workflow Automation automates the entire compliance process through starting with assessment and hardening, activity monitoring to audit reporting,
report distribution, and sign-off by key stakeholders.
CAS (Configuration Auditing System) plays an important role in the identification of vulnerabilities and threats. Guardium pre-configured and user-defined CAS templates
can be used in the Assessment test and bring a holistic view of the customerâ€™s database environment; With CAS, Guardium can identify vulnerabilities to the database
in the OS level such as file permissions, ownership and environment variables. These tests can be seen through the CAS Template Set Definition panel and have the word
Assessment in their name.
Note: Vulnerability Assessment (VA) and Configuration Auditing System (CAS) are only supported in English.
Common Vulnerabilities and Exposures (CVEÂ®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVEâ€™s
common identifiers makes it easier to share data across separate network security databases and tools, and provide a baseline for evaluating coverage such that, if a
report incorporates CVE Identifiers, users may quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
Numerous organizations have made their information security products and services CVE compatible by incorporating CVE Identifiers. Guardium constantly monitors the
common vulnerabilities and exposures (CVE) from the MITRE Corporation and add these tests for the relevant database related vulnerabilities.

To aid in the finding of individual vulnerabilities while viewing the CVE names for specific databases, the user, when configuring tests through Security Assessment Builder,
can select the CVE radio button for the desired database and then select and add the appropriate CVE identifier. Additional information can always be found on the master
copy of the CVE list maintained by the MITRE Corporation.
To keep CVEs current within the Guardium solution, Guardium will download and use the most current CVE database to populate a database table with all current CVE
entries and candidates. Guardium the programmatically compares the downloaded CVE data with the CVE data already in the Guardium Vulnerability Assessment
repository; producing a list of new CVEs for review. Guardium Database Security Team then manually reviews these candidates for the Guardium Vulnerability
Knowledgebase, tests them and adds the relevant ones to the GA Guardium Vulnerability Assessment Knowledgebase. These tests are tagged with the appropriate CVE
number, and once in the GA repository, these tests can automatically run using the Guardium Vulnerability Assessment application.
Note:
For both Vulnerability Assessments and Entitlements Reporting, when looking for scripts to grant privileges for entitlement reporting, use scripts in the
gdmmonitor_scripts directory. Do not use the entitlement_monitor_role folder, which is no longer updated.
When using an expiring product license key, or license with a limited number of datasources, the following message may appear: Cannot add datasource. The
maximum number of datasources allowed by license has been reached. The License valid until date and Number of datasources can be seen on the
System Configuration panel of the Administrator Console. A Vulnerability or Classification process with N datasources are counted as N scans every time they run.
Guardium Vulnerability Assessments requires access to the databases it evaluates. To do this, Guardium provides a set of SQL scripts (one script for each database
type) that creates users and roles in the database to be used by Guardium.
The template scripts are available on the Guardium system once it is built and can be found and downloaded via fileserver at the following path: /log/debug-
logs/gdmmonitor_scripts/. More information is available in the README.txt file.
Guardium Vulnerability Assessment Test Exceptions

The Guardium vulnerability assessment test exception groups are pre-populated with the default members, schema, objects, or privileges created when a database is
installed. Use these groups to avoid false-positives when running vulnerability assessments. If an assessment fails, link the appropriate exception group to the test to
exclude the default members and run the test again: if the test now runs without violations, this indicates that the initial violations were due to the default members,
schema, objects, or privileges created when the database was installed.
Table 1. VA groups to test mapping

Group ID Group Name Test Name Test ID Database Type
82 Sybase Allowed Grants to Public No Non-Exempt Public Privileges 61 SYBASE ASE
83 MS-SQL Allowed Grants to Public No Non-Exempt Public Privileges 270 MSSQL
115 DB2 Allowed Grants to Public No Public Object Privileges 105 DB2 LUW
144 DB2 Allowed Grants to Public non- No Public Object Privileges 105 DB2 LUW
restrictive
116 Teradata Allowed Grants to Public Object privileges granted to public 2029 TERADATA
117 PostgreSQL Allowed Grants to Objects privileges granted to 315 POSTGRESQL

Public PUBLIC
118 Netezza Allowed Grants to Public Object privileges granted to public 2053 NETEZZA
(Netezza)
65 MS-SQL Database Administrators Only DBAs In Fixed Server Roles 159 MSSQL
165 Oracle Only DBA Access To Only DBA Access To SYS.USER$ 222 ORACLE
SYS.USER$
166 MS-SQL DDL granted to user DDL granted to user 321 MSSQL
167 MS-SQL Procedures granted to Procedures granted to users 322 MSSQL

users
168 MS-SQL No Individual User No Individual User Privileges 154 MSSQL

Privileges
170 Sybase IQ Procedures and Procedures and functions granted 2230 SYBASE IQ
functions granted to PUBLIC to PUBLIC.
171 Sybase IQ No individual procedures No individual procedures or 2227 SYBASE IQ

or functions privileges functions privileges.
172 MS-SQL No Access to Registry No Access to Registry Access 215 MSSQL

Access Extended procedures Extended procedures
173 MS-SQL Role granted to role Role granted to role 323 MSSQL
185 MS-SQL Access to server level Access to server level permissions 2289 MSSQL
permissions granted to non- granted to non-Database
Database Administrators Administrators
186 MS-SQL MSDB database Role MSDB database Role Members 2296 MSSQL
Members Privilege Privilege
48 DB2 Database Version+Patches Version: DB2 16 DB2 LUW
48 DB2 Database Version+Patches DB2 Patch Level 54 DB2 LUW
49 Informix Database Version+Patches Version: Informix 17 INFORMIX
49 Informix Database Version+Patches Informix Patch Level 55 INFORMIX

Group ID Group Name Test Name Test ID Database Type
50 MS Sql Server Database Version: Microsoft SQL Server 18 MSSQL

Version+Patches
50 MS Sql Server Database Microsoft SQL Server Patch Level 56 MSSQL

Version+Patches
51 MySql Database Version+Patches Version: MySql 19 MYSQL
51 MySql Database Version+Patches MySql Patch Level 57 MYSQL
52 Oracle Database Version+Patches Oracle Patch Level 58 ORACLE
52 Oracle Database Version+Patches Version: Oracle 20 ORACLE
53 Sybase Database Version+Patches Version: Sybase 21 SYBASE ASE
53 Sybase Database Version+Patches Sybase Patch Level 59 SYBASE ASE
109 Teradata PDE Version+Patches Version: Teradata PDE 284 TERADATA
109 Teradata PDE Version+Patches Teradata PDE Patch level 286 TERADATA
110 Teradata TDBMS Version+Patches Teradata TDBMS Patch level 287 TERADATA
110 Teradata TDBMS Version+Patches Version: Teradata TDBMS 285 TERADATA
111 Teradata TDGSS Version+Patches Version: Teradata TDGSS 290 TERADATA
111 Teradata TDGSS Version+Patches Teradata TDGSS Patch Level 288 TERADATA
112 Teradata TGTW Version+Patches Version: Teradata TGTW 291 TERADATA
112 Teradata TGTW Version+Patches Teradata TGTW Patch Level 289 TERADATA
113 Netezza Version+Patches Netezza version level 306 NETEZZA
113 Netezza Version+Patches Netezza patch level 307 NETEZZA
114 Postgress Version+Patches PostGreSQL version level 308 POSTGRESQL
114 Postgress Version+Patches PostGreSQL patch level 309 POSTGRESQL
169 SybaseIQ Database Version: Sybase IQ 377 SYBASE IQ

Version+Patches
169 SybaseIQ Database Sybase IQ Patch Level 378 SYBASE IQ

Version+Patches
MongoDB
Developed in 2007, MongoDB is a NoSQL, document-oriented database. MongoDB uses JSON documents with dynamic schemas (this format is called BSON). In
MongoDB, a collection is the equivalent of a RDBMS table while documents are equivalent to records in an RDBMS table.
MongoDB is the largest and fastest growing NoSQL database system. It tends to be used as an operational system and as a backend for web applications due to an ease of
programming for non-relationally formatted data like JSON documents which are often found in web applications.
First NoSQL database supported for Guardium Vulnerability Assessment (VA)
First non-JDBC database connection. Connection uses a Java driver.
MongoDB data sources support SSL server and client/server connections with SSL client certificates.
Guardium's VA solution for MongoDB Clusters can be run on mongos, a primary node and all secondary nodes for replica sets.
Entitlement reports and Query Based Builder are not supported for MongoDB.
MongoDB Datasource with SSL
You can import server cert which we do behind the scene for self signed. Customer can also import their certificate. Certificates also work on central manager and push
down to collectors.
CAS for MongoDB
The Mongo CAS Assessment template allows you to specify multiple paths in the datasource to scan various components of the file system.
Teradata Aster
Aster Data
Acquired by Teradata in 2011, typically used for data warehousing and analytic applications (OLAP). Aster Data created a framework called SQL-MapReduce that allows
the Structured Query Language (SQL) to be used with Map Reduce. Most often associated with clickstream kinds of applications.
A security assessment should be created to execute all tests on the queen node. All database connections for Aster Data goes through the queen node only.
Testing on worker and loader nodes are only required when performing CAS tests (File permission and File ownership).
Privilege tests loop through all the databases in a given Asterâ€™s instance.
SAP HANA

SAP HANA is an in-memory, column-oriented, relational database management system developed and marketed by SAP SE. HANA's architecture is designed to handle
both high transaction rates and complex query processing on the same platform.
Database privileges for vulnerability assessments and classification

Guardium provides a set of scripts to simplify the creation of groups or roles with minimum privileges required for running vulnerability assessments.
Deploying VA for DB2 for i
Enable a group of users to run vulnerability assessments, and configure and run the tests.
Using VA with Cloudera
Learn how to use Guardium vulnerability assessments with Cloudera distributions of Apache Hadoop.
Parent topic: Assess and harden
Database privileges for vulnerability assessments and classification

Guardium provides a set of scripts to simplify the creation of groups or roles with minimum privileges required for running vulnerability assessments.
Before you begin

This task requires downloading scripts from a Guardium system and running those scripts on a database server. You will need to identify the IP address of the machine
used to access the Guardium system. This could be the IP address of an individual workstation where you will download the scripts before transferring them to a database
server, or it could be the IP address of the database server itself.
About this task

Running Guardium vulnerability assessments and using the Guardium classifier requires access to the database and specific database privileges. Guardium provides a set
of scripts to simplify the creation of groups or roles with minimum privileges required for running vulnerability assessments. Once created, these groups or roles can be
assigned to any database user who needs to run an assessment. You will create a Guardium datasource with this user to perform the VA scan.
Scripts are provided to support most database types and are designed to be run in the database tool itself. Each script includes detailed instructions in the script header.
The privileges granted for each database type can be seen in the script looking at each grants.
Important: Before running any scripts, database administrators should read the instructions in the script headers and review the database actions that will be taken by the
script.
Procedure
1. On a Guardium system, enable the file server using the fileserver CLI command. For example, to enable the file server for one hour and download the scripts to a
system with IP address 10.0.0.1, use the following command:
fileserver 10.0.0.1 3600
When successfully initiated, the file server should display output similar to the following:
Starting the file server...

The file server is ready at https://guardium.host.com:8445
The timeout has been set to 3600 seconds and it may timeout during the uploading.
The upload will only be accessible from the IP you are logged in from: 10.0.0.1
Press ENTER to stop the file server.
2. On the machine where you will download the scripts, use a web browser to access the file server. For example, for a Guardium system running at
https://guardium.host.com:8445, access the scripts for vulnerability assessment and classification at the following URLs:
https://guardium.host.com:8445/log/debug-logs/gdmmonitor_scripts/
https://guardium.host.com:8445/log/debug-logs/classification_role/
Important: Discovery processes of the Guardium classifier require a higher level of database access than is required for vulnerability assessment tests. It is
recommended to use the scripts in gdmmonitor_scripts for vulnerability assessment and the scripts in classification_role for the classifier. Before running
any scripts, database administrators should read the instructions in the script headers and review the database actions that will be taken by the script. Before
running any scripts, database administrators should read the instructions in the script headers and review the database actions that will be taken by the script.
3. Download the required scripts using the web browser's Right-click > Save link as... action or a similar function. Review the README.txt files to identify the correct
scripts to use for specific database types.
Tip: The following scripts are for Microsoft SQL Server:
gdmmonitor-mss2000-only.sql is for Microsoft SQL Server 2000
gdmmonitor-mss.sql is for Microsoft SQL Server 2005 and newer
gdmmonitor-mss-SA.sql provides administrative privileges required for six of the Microsoft SQL Server vulnerability assessment tests. If you do not allow
these privileges, the tests will return errors indicating inadequate privileges. These six tests represent no more than 5% of the available tests.
What to do next
Once you have downloaded the scripts required for your database servers, closely review and follow the instructions in the script headers.
Parent topic: Introducing Guardium Vulnerability Assessment
Deploying VA for DB2 for i

Enable a group of users to run vulnerability assessments, and configure and run the tests.
About this task

Deployment Steps

1. Vulnerability Assessment is deployed from the Guardium system.
2. User runs a Guardium-supplied script against the target database to create a role with the appropriate privileges. User then creates a datasource connection to the
database.
3. Create a security assessment, then select your datasources and desired tests to execute.
4. Once the execution is done, a report is created, showing what tests have passed and/or failed along with detailed hardening recommendations.
IBM for i version support:
IBM for i 6.1, 7.1 and 7.2 partitions
VA test Coverage (115 tests in total):
Profiles with Special Authorities
Profiles with access to Database Function Usage
Password policies
Database Objects privilege granted to PUBLIC
Database Objects privilege granted to individual user
Database Objects privilege granted with grant option
Security APARs
Entitlement Reports:
Profiles with Special Authorities
Group granted to user
Database Objects privilege granted to PUBLIC
Database Executable Objects privileges granted to PUBLIC
Database Objects privilege granted to individual user
Database Objects privilege granted with grant option
Procedure
1. Use the Group Builder to create a group of users that you want to use VA. Open the Group Builder by clicking Setup > Tools and View > Group Builder. The next step
uses a script for a group named gdmmonitor.
2. Run the following script on your DB2 for i system to grant privileges needed for executing VA to the group. This is done outside the Guardium system using a
database native client.
grant select on SYSIBMADM.FUNCTION_INFO to gdmmonitor;

grant select on SYSIBMADM.FUNCTION_USAGE to gdmmonitor;
grant select on SYSIBMADM.GROUP_PROFILE_ENTRIES to gdmmonitor;
grant select on SYSIBMADM.SYSTEM_VALUE_INFO to gdmmonitor;
grant select on SYSIBMADM.USER_STORAGE to gdmmonitor;
grant select on Qsys2.Authorizations to gdmmonitor;
grant select on SYSIBMADM.USER_INFO to gdmmonitor;
grant select on QSYS2.SYSSCHEMAAUTH to gdmmonitor;
grant select on QSYS2.SYSTABAUTH to gdmmonitor;
grant select on QSYS2.SYSPACKAGEAUTH to gdmmonitor;
grant select on QSYS2.SYSROUTINEAUTH to gdmmonitor;
grant select on QSYS2.SYSSEQUENCEAUTH to gdmmonitor;
grant select on QSYS2.SYSCOLAUTH to gdmmonitor;
For IBM DB2 for i v7.1 and higher, also include the scripts:
grant select on QSYS2.SYSVARIABLEAUTH to gdmmonitor;

grant select on QSYS2.SYSXSROBJECTAUTH to gdmmonitor;
3. Create a JDBC connection to your DB2 for i system . Open Datasource Finder by clicking Setup > Tools and Views > Datasource Definitions, and then Security
Assessment from the Application Selection menu.
a. Click New and enter the appropriate information. For Connection Property, enter "property1=com.ibm.as400.access.AS400JDBCDriver;translate
binary=true".
4. Create an assessment using the Assessment Builder. Open the Assessment Builder by clicking Harden > Vulnerability Assessment > Assessment Builder.
a. Enter a description for the assessment.
b. Add the datasource created in the previous step by clicking Add Datasource, selecting the datasource from the Datasource Finder, and clicking Add.
Note: You must click Apply to save the assessment before you can configure tests.
5. Add tests to the assessment by clicking Configure Tests. Click the IBM for i tab, select the tests that you want to add, and click Add Selections.
6. Click Return to go back to the Security Assessment Finder. Run the test by clicking Run Once Now, or schedule the test using Audit Process Builder. Open the Audit
Process Builder by clicking, Discover > Classifications > Audit Process Builder.
7. Click View Results to view the details of all the executed tests, including recommendations for improving your score.
Results
What to do when a test fails?
You can patch your database if it is relating to patches.

You can re-configure database parameters to best practice recommendation

You can revoke objects or system privileges that are not required by your applications.
You can revoke objects granted directly to grantee and grant the object privileges to a role/group and assign the grantee to that role/group
You can change password policy setting or change users default password.
If your application required specific grant, you can create exception group and link that to your failed test and re-execute.
Using VA with Cloudera

Learn how to use Guardium vulnerability assessments with Cloudera distributions of Apache Hadoop.
Cloudera Manager
Datasource Setup
The Cloudera Manager datasource uses the Cloudera Manager Java API for a connection. It does not use JDBC.
The Cluster Name must be defined in the datasource GUI. The Cluster name is the Cluster display name in the Cloudera manager GUI on the left-hand side.
To execute Vulnerability Assessment tests for Cloudera Manager, you need to define a datasource user with the Read-Only role for most the Vulnerability
Assessment tests. Then, there are a small number of Vulnerability Assessment tests which require the datasource user have the Cluster Administrator role as the
minimum privilege to run the tests.
The following Vulnerability Assessment tests require the datasource user to have the Cluster Administrator role:
1. Authentication Backend Order
2. HTTP port for Admin Console
3. HTTPS port for Admin Console
4. Use TLS Authentication of Agents to server
5. Use TLS Encryption for Admin Console
6. Use TLS Encryption for Agents
This information is also available in the Cloudera Manager gdmmonitor script (/log/var-log-guard/gdmmonitor_scripts/gdmmonitor-Cloudera-Manager.sql).
If SSL is enabled, check â€œUse SSLâ€ and check Import â€œserver ssl certificateâ€
CAS Database Instance setting
The Account should be root.
The Directory will need to be defined as the Cloudera manager install path. For example: installpath=/opt/cloudera
Example of Cloudera Manager datasource settings.

Hive
Datasource Setup
Use the Apache Hive JDBC driver 1.1.1.
Kerberos - The User Name and Password must be a valid Kerberos User ID and Password. It is also used for CA. Test to make sure your Kerberos User ID and
Password can be used to login to the Hive beeline command line.
Make sure you have already created a Kerberos Configuration that defines your KDC and Realm for your appliance. On the Guardium GUI, go to Setup > Tools and
Views > Kerberos Configuration. If no Kerberos Configuration has been created, then click on + icon to create a new Kerberos Configuration.
After you have created a Kerberos Configuration, you can select it to configure your datasource setup.
If SSL is enabled, check â€œUse SSLâ€ box and check the â€œImport server ssl certificateâ€ box.

Note: Hive can only support either LDAP/SSL or Kerberos, not both.
CAS Database Instance setting
1. The Directory will need to be defined as the Cloudera manager install path. For example: installpath=/opt/cloudera
2. If HDFS is enabled for Kerberos, the Datasource User Name and Password must be a valid Kerberos User ID and Password. CAS scripts uses it for obtaining a
Kerberos ticket.
3. The Account must be root. For certain parameter tests that require CAS, it is important that the CAS user is root in order to access the real-time configuration
under the Cloudera agent process directory (/var/run/cloudera-scm-agent/process/).
Note: Guardium does not in any way modify or alter your configuration data.
For Hive
For the Privilege tests, the datasource account must be a member of the Sentry Admin group. See the Hive gdmmonitor script for steps to check the Sentry Admin
group.
When setting up Hive datasources, you can only perform a JDBC test connection when the datasource is pointing to your Hive server2. For all other Hive
datasources, you can clone this specific datasource using nodename where the Cloudera service is installed. Make sure the cloned datasource has a valid
Username and Password just like the Hive server2 datasource. For these datasources, you cannot perform a datasource test connection. However, Guardium relies
on the accuracy of the Username and Password from the datasource to perform a Kerberos connection using CAS when Kerberos enabled.
Vulnerability Assessment Tests
The Hive Privilege tests require Sentry Services to be installed and configured. Without Sentry, there is no security. Everyone can connect to Hive and access data.
The Vulnerability Assessment CAS test for HDFS parameters are from configuration files under the Cloudera agent process directory (/var/run/cloudera-scm-
agent/process/). The folder names inside these process directories change every time the Cloudera agent services is started.
Some of the HDFS parameter CAS tests require the datasource system to be a specific node configuration (for example, NameNode or DataNode). Some CAS tests
require Yarn, Mapreduce or Hive Server to be installed on the datasource system. Please select the tests carefully for your assessment based upon on your
datasource system configuration. If the requirements are not met for the test, then the test will error with the recommendation to execute these tests on the
correct Cloudera services. The requirements are also mentioned in the test description.

When creating a Hive datasource, it is recommended to have one datasource for each Cloudera service (NameNode, DataNode, HiveServer2, Hive metastore, Yarn
NodeManager and Yarn ResourceManager).
Regardless of the number of nodes in your cluster, if you have Guardium Hive datasource that cover all of these services, you then have properly setup your
environment to run Vulnerability Assessment.
For example
Vulnerability Assessment tests

Guardium provides several types of tests to enable you to assess your vulnerability.
Vulnerability Assessment Tests

GuardiumÂ® provides over two hundred predefined tests to check database configuration parameters, privileges, and other vulnerabilities. You can also define your own
tests.
A Vulnerability Assessment may contain one or more of the following types of tests.
Predefined Tests
Predefined tests are designed to illustrate common vulnerability issues that may be encountered in database environments. Because of the highly variable nature of
database applications and the differences in what is deemed acceptable in various companies or situations, some of these tests may be suitable for certain databases but
totally inappropriate for others (even within the same company). Most of the predefined tests are customizable to meet requirement of your organization. Additionally, to
keep your assessments current with industry best practices and protect against newly discovered vulnerabilities, Guardium distributes new assessment tests and updates
on a quarterly basis as part of its Database Protection Subscription Service. Please refer to Guardium Administration Guide for more details.
Predefined Tests include:
Behavioral Tests
Configuration Tests
Behavioral Tests
This set of tests assesses the security health of the database environment by observing database traffic in real-time and discovering vulnerabilities in the way information
is being access and manipulated.
As an example, some of the behavioral vulnerability tests included are:
Default users access

Access rule violations
Execution of Admin, DDL, and DBCC commands directly from the database clients
Excessive login failures
Excessive SQL errors
After hours logins
Excessive administrator logins
Checks for calls to extended stored procedures
Checks that user ids are not accessed from multiple IP addresses
Configuration Tests
This set of assessments checks security-related configuration settings of target databases, looking for common mistakes or flaws in configuration create vulnerabilities.
As an example, the current categories, with some high-level tests, for configuration vulnerabilities include:
Privilege
Object creation / usage rights
Privilege grants to DBA and individual users
System level rights
Authentication
User account usage
Remote login usage
Password regulations
Configuration
Database specific parameter settings
System level parameter settings
Version
Database versions
Database patch levels
Object
Installed sample databases

Recommended database layouts
Database ownership
Query-based Tests
A query based tests is either a pre-defined or user-defined test that can be quickly and easy created by defining or modifying a SQL query, which will be run against
database datasource and results compared to a predefined test value. See Define a Query-based Test for additional information on building a user defined query-based
test.
CAS-based Tests
A CAS-based test is either a pre-defined or user-defined test that is based on a CAS template item of type OS Script command and uses CAS collected data.
Users can specify which template item and test against the content of the CAS results. See Create a New Template Set Item for assistance on creating an OS Script type
CAS template.
Guardium also comes pre-configured with some CAS template items of type OS Script that can be used for creating a CAS-based test. These tests can be see through the
CAS Template Set Definition panel and have a name which contains the word Assessment. For instance, the Unix/Oracle set for assessments is named Guardium
Unix/Oracle Assessment. Additionally, any template that is added that involves file permissions will also be used for permission and ownership checking. See Modify a
Template Set Item for viewing these template sets and seeing those items with type OS Script.
Whether using a Guardium pre-configured or defining your own, once defined, these tests will appear for selection during the creation or modification of CAS-based tests.
See Define a CAS-based Test for additional information.
CVE Tests
Guardium constantly monitors the common vulnerabilities and exposures (CVE) from the MITRE Corporation and add these tests for the relevant database related
vulnerabilities.
Defining a query-based test

Create a test based on a query that runs an SQL statement.
Defining a CAS-based test
Vulnerability Assessments use the CAS mechanism to run-OS level tests on the database server, and identify vulnerabilities.
Defining a query-based test

Create a test based on a query that runs an SQL statement.
About this task

You can create a new query-based test by using any of these approaches:
New
Start from the beginning and define all the fields.
Clone
Clone an existing query-based test.
Modify
Modify an existing query-based test.
Procedure
1. Open the Assessment Builder by clicking Harden > Vulnerability Assessment > Assessment Builder.
2. From the User-defined tests, click Query-based Tests.
3. Click New, Clone or Modify to open the Query-based Test Builder.
4. Enter a unique Test Name.
5. Select a Database Type.
6. Select a Category.
7. Select a Severity.
8. Optional: Enter a Short Description for the test.
9. Optional: Enter an External Reference for the test.
10. Enter the Result text for pass that will be displayed when the test passes.
11. Enter the Result text for fail that will be displayed when the test fails.
12. Enter the SQL statement that will be run for the test.
Use the following convention to add and reference group members within a SQL statement:
For example:
To reference a group of users defined for the group MyUsersGroup and replace it with the actual members of the group use:
Select ... from DBA_GRANTS where ... AND USER in (~~G~MyUsersGroup~~) and ...
This will result in a SQL Statement such as the following where U1, U2, etc are the members of the MyUsersGroup group:
Select ... from DBA_GRANTS where ... AND USER in ('U1','U2','U3',...) and ...
If the group has no members, the database returns an error. In this case the reference is replaced with a single pair of quotation marks, like this:
Select ... from DBA_GRANTS where ... AND USER in ('') and ...
Use the following convention to replace a reference to a specific alias (of a specific group type) with the actual alias:

For example:
Select ... from USER_OBJECTS where ... AND OBJECT_TYPE = '~~A~GroupType~TYPE~~'
If there is an alias to TYPE of group type GrouptType it will replace the string and the resulting SQL will look like:
Select ... from USER_OBJECTS where ... AND OBJECT_TYPE = 'TYPE'
where TYPE is the actual ALIAS
13. Optional: Enter a SQL Statement for Detail, a SQL statement that retrieves a list of strings to generate a detail string of Detail prefix + list of strings. See the example
in Detail prefix.
Note: The detail generated is only displayed when the query-based test fails; allowing the user to enter a SQL statement that can retrieve the information that
caused the test to fail and help identify the cause of failure.
Note: Detail string can be seen within a Security Assessment Results by clicking on the Assessment Test Name and also queried through the Result Details attribute
of the Test Result Entity.
14. Optional: Enter a Pre-test check SQL statement. This statement is run before running the test. If the statement returns 0, the test is not run. If the test returns 1 or
an error, the test is run.
15. Optional: Enter a Pre-test fail message. This message is inserted into the assessment results if the test is not run due to the SQL statement returning 0.
16. Optional: In Loop databases, enter a list of databases through which the test should loop. The test returns the union or sum of the results returned from all the
specified databases. You can use this function only when the test returns an integer value, and only with these database types: Informix, SQL Server, Sybase SE,
PostgreSQL and MySQL. The looping is performed if the DB loop flag box is checked. One or more of the specified databases might be unavailable when the test is
run. In that case the test will either skip that database and continue, or stop and issue a failure message, depending on whether the Skip on error box is checked.
17. Optional: Enter a Detail prefix that will appear at the beginning of the detail string.
Example for SQL Statement for Detail & Detail prefix:

Test that checks for objects with certain grants.
Detail prefix: "Objects found with certain GRANT:"
SQL Statement for Detail: SELECT object FROM....--returning 4 records:
Obj1
Obj2
Obj3
Obj4
==> Details: Objects found with certain GRANT: Obj1, Obj2, Obj3, Obj4
18. Optional: Check the Bind output variable check box if the entered text in SQL statement is a procedural block of code that will return a value that should be bound
to an internal GuardiumÂ® variable that will be used in the comparison to the Compare to value.
Example (Oracle):
declare
retval integer := 0;
strval varchar2(255) := '';
nver number;
sver varchar2(255) := '';
begin
select VERSION
into sver
from V$INSTANCE;
nver := to_number(substr(sver,1,(instr(sver,'.',1,2) - 1)));
if nver >= 11.1 then
select VALUE
into strval
from V$PARAMETER
where NAME = 'sec_case_sensitive_logon';
end if;
if (nver < 11.1 or strval = 'TRUE') then
retval := 0;
else
retval := 1;
end if;
? := retval;
end;
19. Select the Return type that will be returned from the SQL statement.
20. Select the operator that will be used for the condition.
21. Enter in a Compare to value that will be used to compare against the return value from the SQL statement using the compare operator. It is this comparison that
determines whether this test have passed or failed. You may also click on the RE (regex) to define a regular expression for the compare value.
Click Back to cancel changes and return to the previous screen.
Click Apply to save the query-based test.
Results
You can add this newly created query-based test to an assessment.
What to do next
Parent topic: Vulnerability Assessment tests
Defining a CAS-based test

Vulnerability Assessments use the CAS mechanism to run-OS level tests on the database server, and identify vulnerabilities.
Before you begin
About this task

You can create a new CAS-based test by modifying an existing CAS-based test or by starting from the beginning and defining all the fields.
Procedure
1. Open the Assessment Builder by clicking Harden > Vunerability Assessment > Assessment Builder.
2. From the User-defined tests, click CAS-based Tests to open the CAS-based Test Finder panel.
3. Click New or Modify to create a new test.
4. Enter a unique Test name.
5. Select a database from the Database Type menu.
6. Select a category from the Category menu.
7. Select a category from the Severity menu.
8. Optional: Enter a Short Description for the test.
9. Optional: Enter an External reference for the test.
10. Enter a Result text for pass that will be displayed when the test passes.
11. Enter a Result text for fail that will be displayed when the test fails.
12. Enter a Recommendation text for pass that will be displayed when the test passes.
13. Enter a Recommendation text for fail that will be displayed when the test fails. Recommendation text for fail - To prevent cross site hacking, any name from this list,
used in the Recommendation text for fail text box, will be rewritten: expression; function; javascript; script; alert; eval; <img; ContentType
14. Select a template to use from the CAS Template menu.
15. Select an operator to use from the operator menu.
16. Enter a Search string that will be used with the operator to compare what is returned from the CAS template. This comparison that determines whether this test
passes or fails. You may also click on the RE icon to define a regular expression for the search string.
17. Optional: Check the Fail if match check box if the test should fail when a match is made with the search string.
18. Click Apply to save the CAS-based test.
Results
You can add this newly created CAS-based test to an assessment.
Parent topic: Vulnerability Assessment tests
Assessments
Assessments are a group of tests that scan database infrastructures for vulnerabilities and provide an evaluation of database and data security health with real-time and
historical measurements.
Creating an assessment
Create an assessment, or modify or clone an existing assessment.
How to create a security assessment
Run security assessments against selected datasources to proactively identify and address vulnerabilities, improve configurations, and harden infrastructures.
Running an assessment
To get the results of an assessment, it must be run once it is created.
Viewing assessment results
You can take various actions while you view the results of an assessment.
Creating a VA test exception
Use a test exception to exclude specific members of a group from a security assessment. Run the security assessment against the exception group to see if a
specific member of a group is affecting your assessment results. This is useful if you do not want to or are not authorized to change group settings.
VA summary
The following table list information per test and database key displayed in the VA summary table: test result by unique identifier; cumulative failed age; first failed
date/ last failed date; last passed date; and, last scanned date. This information is tracked and users can create a report on this information.
Creating an assessment
Create an assessment, or modify or clone an existing assessment.
Before you begin

Open the Assessment Builder by clicking Harden > Vulnerability Assessment > Assessment Builder.
About this task
Procedure
1. In the Security Assessment Finder panel, click New to create an entirely new assessment. Click Clone or Modify to work with an existing assessment. Clicking any of
these buttons opens the Security Assessment Builder panel. If you are creating an entirely new assessment, complete all of the following steps. If you are cloning
or modifying an existing assessment, enter a new Description and then modify only the fields that you want to change.
2. Enter a unique Description for the assessment
3. Add a datasource by clicking Add Datasource, entering the required information, and clicking Add.
4. Add tests to the assessment by clicking Configure Tests.
a. From the Tests available for addition pane, select the appropriate tab for the datasource you added previously.
b. Select the tests you want, and click Add Selections to add them to the assessment. Once added, your selections will appear in the Assessment Test
Selections pane.
c. Use the Assessment Test Selections to manage tests for your assessment. Delete any selected test, or click Adjust this test's tuning for any test to customize
the test's parameters.
5. Add Roles to the Assessment.
Note: You cannot assign roles to an assessment until you have assigned roles to the datasources it is based on.
6. Click Apply to save the assessment.

Click CAS Support to supply appropriate data for an assessment.
You can also Add Comments to any assessment to document or log what changes were made to assessments and why.
Results
Your new assessment is ready to be run.
Parent topic: Assessments
How to create a security assessment

Run security assessments against selected datasources to proactively identify and address vulnerabilities, improve configurations, and harden infrastructures.
About this task

The basic steps for creating a security assessment are:
1. Create the assessment

2. Add datasources to the assessment
3. Add tests to the assessment
Procedure
1. Create or modify an assessment by opening the Assessment Builder. Open the Assessment Builder by clicking Harden > Vulnerability Assessment > Assessment
Builder.
2. Create a new security assessment by clicking New.

3. Enter a unique name for the assessment in Description and click Apply to save the assessment.
4. Add a datasource to the assessment by clicking Add Datasource. Select a datasource from the Datasource Finder and click Add. Add a new datasource by clicking
, filling in the information in the Database Definition window, and clicking Apply. See Datasources for assistance.

After clicking the Add button, the datasource will appear in the Datasources section of the Security Assessment Builder.
5. Click Apply to save the assessment.

6. Click Configure Tests to add tests to the assessment. In the Tests available for addition panel, click the tab for the appropriate datasource you created, select the
tests you want to add to the assessment, and click Add Selections. Use the radio buttons to filter the tests to be added. See Predefined Tests, Query Based Tests,
CVE Tests, or APAR Tests for assistance.

7. Click Back to return to the Security Assessment Builder, and click Roles to add roles to the assessment.
Note: You cannot assign roles to the assessment until you have assigned roles to the datasources the assessment is based on.
8. Save your assessment by clicking Apply. The assessment can now be run against the selected datasources.
Running an assessment
To get the results of an assessment, it must be run once it is created.
Assessments run in a serialized mode one after the other. If more than one assessment is scheduled to run they will have to be queued. This queue can be viewed through
the Guardium Job Queue report.
Clicking the Run Once Now button will enter the assessment into the queue and immediately run it. A short period of time is required for the job to be executed and
become viewable. See Viewing assessment results for more information on the results of an assessment.
You can optionally define and schedule an automated process for running of an assessment definition. The Audit Process finder panel is the starting point for creating or
modifying an audit process schedule. create a schedule to automatically run your assessments by going to the Audit Process finder panel. See Compliance Workflow
Automation for assistance in defining an audit process

Viewing assessment results
You can take various actions while you view the results of an assessment.
View Results of an Assessment

View the results of an assessment in the Report Builder. Open the Report Builder by clicking Harden > Reports > Report Builder, and use the filters to find the report you
are looking for.
Interpreting the Results of an Assessment

An assessment evaluates multiple tests based on multiple reports. The overall results are displayed in a separate browser window entitled Security Assessment Results
and have the following sections:
Assessment Identity
The Assessment results identifies:
The assessment name

The date and time the assessment was run
The time period for the assessment
The Client and Server IP addresses or subnets
Assessment Selection
Use the drop-down menu to select and display past results for an assessment. The latest result is displayed by default.
Assessment Results History

The Assessment Results History shows the percentage of tests passing over a period of time. Further recommendations to improve the percentage of passing tests are
given under the Assessment Test Results section.
View log
When clicked, the Execution Log will be displayed in a new window that shows the runtime execution of the assessment test. A timestamp, along with events, and
messages can aid in the debugging of issues that might have caused certain tests to fail.
Results Summary
A tabular graph summarizes all the tests that were executed within this assessment. The X-axis represents the testâ€™s severity (CRITICAL, MAJOR, MINOR, CAUTION, or
INFO). The Y-axis represents the type of test (Privilege, Authentication, Configuration, Version, or Other). Within the grid is the representation of the number of tests that
have either Passed, Failed, or had an Error when trying to execute. These numbers are directly related to the detail for the assessment tests that is given under the
Assessment Test Results section.
Current filtering applied

If you would like to change the filtering from what is currently applied, use the following two options to filter the results as you would like:
Reset Filtering - Removes all filtering options selected through the Filter / Sort Controls options.
Filter / Sort Controls - Use this to open a filter/sort options for the report. Options allow you to filter by Severities, Datasource Severity Classification (DS sev. class), Scores
(pass, fail, or error), and Test Types (Observed/Database type). The sort option allows you to sort across combinations of severity, score, and datasource. Click Apply when
you would like the chosen filter/sort options to take effect.
Assessment Test Results

The Assessment Test Results section provides a detailed description of the test taken, information about the target datasource and datasource severity classification, and
the test's Pass/Fail status, severity, the external reference, and reason for the current status. Each test name is clickable and will filter all information off the report except
for relevant information about that particular test. A hover-over feature on the Reason field will display the recommendation to help remedy failed or tests in error.
The assessment results include a count of the number of tests and the number of passed tests in each of these categories:
CIS tests
CVE tests
STIG tests
These values are displayed in the assessment result viewer and available for reporting as part of the VA results domain.
Datasource Details
When expanded, the Datasource Details section will show all of the datasources that were referenced within this assessment including the datasource's specific
environmental information.
CVE and CVSS information

CVE Records and CVSS information will be displayed in the Assessment test result viewer.
The reference links are clickable (opens new window). Either section will be absent when there is no corresponding record for a result.
The CVSS fields of interest are:

CVSS Score
Access Complexity
Availability Impact
Confidentiality Impact
Integrity Impact
Authentication
Access Vendor
Source
Generated on Datetime
Working with failed tests

If some of the tests in your assessment show a failed status, you might want to take one of these actions:
Add an exception for the test

This action causes the test to always pass for a period of time. For example, you might have a group of servers that fail a test that checks that the latest available
service updates are applied. You cannot apply the updates until your weekend maintenance window. You do not want the test to keep failing until that time. Right-
click on the word Fail in the results panel and an Add Test exception popup menu appears. Specify an end date and time for the exception, and optionally a
comment. The test will pass, on all datasources, whenever it is run before the exception expires, whether it is run from this assessment or as part of another
assessment.
Add failing elements to an exception group
When a test fails, you can view more information by clicking the name of the test. The new panel will include an area titled Details. Elements of the test that failed
are displayed after this heading. If any elements are displayed, you can add them to an exception group for this test. To do this, click the heading Details: to open a
new dialog. This dialog displays the failing elements, with a check box next to each one. Check the boxes for the elements that you want to add to an exception
group and clear the other check boxes. Then select a group. If a default exception group is defined for this test, it will appear pre-selected in the dialog. A drop-
down list displays all other groups of type VA test exception that have been defined. To choose a group from the list, click the radio button next to the list, then
choose the group from the list. Click Save to implement your choices. To add remaining elements to a different group, click Details again.
Export to PDF or to SCAP or AXIS XML

You can generate a PDF version of Assessment result by clicking Download PDF.
Use the Download XML button to open two menu choices: Download as SCAP xml and Download as AXIS xml. Choose one of these selections in order to download to your
workstation an XML file representing the displayed assessment results. The file can be formatted for Security Content Automation Protocol (SCAP) XML or Apache
EXtensible Interaction System (AXIS) XML, which is used by QRadar.
Creating a VA test exception

Use a test exception to exclude specific members of a group from a security assessment. Run the security assessment against the exception group to see if a specific
member of a group is affecting your assessment results. This is useful if you do not want to or are not authorized to change group settings.
Procedure
1. Open the Group Builder by clicking Setup > Tools and Views > Group Builder.
2. Select VA Tests Exception from the Group Type menu to view the list of predefined exception groups.
3. Select a group from the Modify Existing Groups menu and click Modify.
4. Add the group members that you want to exclude from the VA test.
5. Open the Assessment Builder by clicking Harden > Vulnerability Assessment > Assessment Builder. Select an assessment from the Security Assessment Finder and
click Configure Tests.
6. Find the test you want add the exception to, and click the test's Adjust this test's tuning button from the Tuning column.
7. Select your exception group from the menu, and click Save. Run your assessment again to see if the exception group affects the outcome of the test.
Note: By default, Guardium includes an exception group called IBM iSeries Profile User Exclusions. You can clone and modify this group to suit your needs.
All the Database Objects privilege tests exclude default system schemas from Guardium groups.
VA summary
The following table list information per test and database key displayed in the VA summary table: test result by unique identifier; cumulative failed age; first failed date/
last failed date; last passed date; and, last scanned date. This information is tracked and users can create a report on this information.
VA Summary
The key may include, in addition to the three original elements, the datasource Name. The default is Host, port and Instance Name.
Use VA Summary Tracking in Query Builder to define queries and reports.
This table can be exported/imported. Import Data will override existing data on the Guardium system (per key).
Table 1. VA Summary
Table Column Type Description
VA_SUMMARY_ID Int Auto-increment â€“ primary key
DATA_SOURCE_HASH Varchar(40) Hash for the Key
DB_TYPE Varchar Database Type

Table Column Type Description
SERVICE_NAME Varchar Database instance Name (if part of the key, "N/A" otherwise)
DB_PORT Varchar Database Port (if part of the key, "N/A" otherwise)
DB_HOST Varchar Host / IP (if part of the key, "N/A" otherwise)
TEST_ID Int Id of the Test
FIRST_EXECUTION DateTime First time the test was executed
LAST_EXECUTION DateTime Last time the test was executed
FIRST_FAIL DateTime First time the test failed on this DB
LAST_FAIL DateTime Last time the Test failed on this DB
FIRST_PASS DateTime First time the Test passed on this DB
LAST_PASS DateTime Last time the Test passed on this DB
CURRENT_SCORE varchar Pass / Fail / Error
CURRENT_SCORE_SINCE Datetime Date Since the test is in the current status
CUMULATIVE_FAIL_AGE Int Cumulative fail age (in days)
CUMULATIVE_PASS_AGE Int Cumulative pass age (in days)
The CLI commands are: store va_test_show_query and show va_test_show_query. Use export va_summary to export this information.
The GuardAPI commands to change or display the key are: grdapi modify_va_summary_key and grdapi reset_va_summary_by_key. The GuardAPI command to reset
cumulative ages, both pass and fail, is grdapi reset_va_summary_by_id. Use grdapi export_va_summary to export this information.
An additional parameter, datasourceName, has been added to grdapi reset_va_summary_by_key and grdapi modify_va_summary_key.
The VA Summary entity has an additional attribute, Datasource Name, that is populated ONLY if the datasource name is part of the key.
Note: The GrdAPI command, modify_va_summary_key, will allow the key to be empty by calling the GrdAPI with all four parameters: useHost, usePort, useServiceName,
useDatasourceName, equal to false. In this case, when the key is empty, the VA Summary calculation is disabled (no summary data will be calculated, updated or saved).
Required schema change

The schema used by vulnerability assessment tests on IBM DB2 for z/OS changed in Guardium V9.1. If you upgrade from a release prior to 9.1, you must update your
database in order to continue using these tests.
About this task

When you upgrade your Guardium system to version 10.x, you must create new database tables on your database server. These tables add support for a new set of tests,
but you must create them whether you want to use the new tests or not.
In prior releases you created and populated tables in the gdmmonitor schema:
GDMMONITOR.OS_GROUP
GDMMONITOR.OS_USER
These tables are replaced by tables in the CKADBVA schema:
CKADBVA.CKA_OS_GROUP
CKADBVA.CKA_OS_USER
Procedure
1. Install Guardium 10.x
2. Copy create_CKADBVA-schema_tables_zOS.sql from the /var/log/guard/gdmmonitor_scripts directory on your Guardium system to your database server. Run the
fileserver command on your database server to retrieve the file.
3. The script contains instructions that describe steps to be performed before and after running the script. Read these instructions and run the script.
4. Populate the new tables with data similar to the data that was stored in the old tables.
Results
Your system is now configured to use current vulnerability assessment tests.
What to do next
Assessing RACF vulnerabilities

If you use IBM DB2 for z/OS, you can use vulnerability assessment tests to assess your RACF vulnerabilities. You must have at least version 9.1 of Guardium installed to
use RACF assessments.
About this task

Assess your Resource Access Control Facility (RACF) privileges whether they are granted within the database or external to the database. The tests, that comprise the
RACF vulnerability assessments, identify the access control for object privileges, database privileges, and system privileges.
In order to use these tests, you must obtain and install IBM Security zSecure Audit, Version 2.1. This product enables the commands that are used in these tests to
interact with RACF.
Tests that examine entitlements do not return a pass/fail grade; they return a list of entitled users. Examples of these reports include table and view privileges granted to
grantees and package privileges granted to grantees. In a large environment that includes very large numbers of users and applications, these reports generate an
overwhelming amount of data. When you run these reports in such a large environment, the process can run for a long time and consume large amounts of resources, and
it might eventually time out.
Procedure
1. Upgrade the database schema used to support vulnerability assessment on your database server.
2. Install zSecure Audit on your database server. Use the instructions and tools that are provided with zSecure Audit to learn how to populate approximately 24 tables
in the CKADBVA schema to support the new zSecure tests.
3. The zSecure team will issue a PTF that enables zSecure Audit to work with Guardium vulnerability assessment. Obtain this PTF and apply it according to the
accompanying instructions.
Results
Your system is now configured to take advantage of the new zSecure tests.
What to do next
Choose the new tests that you want to run to assess your RACF vulnerabilities. Configure and run the tests.
Configuration Auditing System

The Configuration Auditing System (CAS) tracks and reports changes to the server environment; for example, modified configuration files, environment or registry
variables, or other database or operating system components, including executable files or scripts used by the database management system or the operating system. The
data is available on the Guardium system and can be used for reports and alerts.
Note: The Configuration Auditing System is only supported in English.
CAS Agent
CAS is an agent installed on the database server and reports to the Guardium system whenever a monitored entity have changed, either in content or in ownership or
permissions. You install a CAS client on the database server system, using the same utility that is used to install S-TAPÂ®. CAS shares configuration information with S-TAP,
though each component runs independently of the other. Once the CAS client has been installed on the host, you configure the actual change auditing functions from the
GuardiumÂ® portal.
CAS Server
The CAS server is a component of Guardium and runs on the Guardium system. It runs as a standalone process, independent of the Tomcat application server. It is
controlled through the innittab file.
The CAS server is configured to use only a few of the available processors on the Guardium system. The number of processors that CAS uses is determined by using the
parameter divide_num_of_processors_by. This parameter is stored in the cas.server.config.properties file and its default value is 2. The number of available processors on
the Guardium system is divided by this value. This ensures that even when CAS uses 100% of the CPU on the allocated processors, the rest of the processors are available
for use by other applications.
CAS Server Authentication

In addition to the basic security SSL provides, Guardium provides CAS Server authentication support on the CAS client that runs on the database server. This will
guarantee that CAS client communicates only with Guardium's CAS server. Unauthenticated connections and Common Names (CN) mismatches will be reported in the
CAS log file.
When configured, when the CAS server starts it will load a signed certificate as well as a private key and assigns them to a server socket on which it accepts connections.
On the database server side the CAS client will support the following connection modes:
1. Non-secure connection (use_tls=â€™0')

2. Secure connection without authentication (use_tls ='1', guardium_ca_path=NULL). This mode forces the use of SSL as the means of communication with the CAS
server (i.e. uses SSL without server authentication).
3. Secure connection with server authentication ( use_tls ='1', guardium_ca_path=<public key location>). The public key is used by the CAS client in order to
authenticate the CAS server. The public key (ca.cert.pem) is going to be located under <install_dir>/etc/pki/certs/trusted.
ca.cert.pem - is a file containing Root Certificate Authorities certificates (which are self signed). In a browser equivalent those would be trusted CA certificates, such
as VeriSign's, etc.
All gmachine certificates are issued/signed by the root authority - that's how they are validate and how the chain of trust is established.
It is possible to set guardium_ca_path with either the full path including the actual public key file name , or just the directory name
(<install_dir>/etc/pki/certs/trusted), in which all the public keys within this directory will be used in order to authenticate the server. If guardium_ca_path is set
with a file or directory that doesn't contain the public key, the connection attempt will fail.
4. Secure connection with server authentication and common name verification. This mode has an additional check in which the certificate CN from the server is
compared with the one set in the parameter sqlguard_cert_cn. If sqlguard_cert_cn is NULL or empty this check will be disabled. Otherwise it needs to be set with
the same CN Guardium's self signed certificate has ('gmachine').

Note: All the parameters mentioned are from the guard_tap.ini file.
Using SSL with CAS

You can configure the CAS agent to use a Secure Sockets Layer (SSL) connection to send data to the CAS server. The CAS server that is installed with version 10.1 complies
with the requirements of US Federal Information Processing Standard 140-2 (FIPS 140-2). Only a FIPS-complint CAS agent can communicate with this CAS server using
SSL. If you want to use this approach, you must upgrade your CAS agents to the version delivered with this patch. You must also have IBM Java installed on the server
where the CAS agent runs, and the CAS agent must be configured to use it. In order to use FIPS communication, certificate-based authentication must be in use.
If you attempt to use an older CAS agent to communicate with the updated CAS server using SSL, you will see this message in the log file on the CAS agent system:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
You might also see this message in the CAS log file on the Guardium system
javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not

enabled or not supported
If you want to use a non-SSL connection between the CAS agents and the CAS server, you can continue to use your existing CAS agents.
Template Set
A CAS template set contains a list of item templates, bundled together, share a common purpose such as monitoring a particular type of database (Oracle on Unix, for
example), and is one of two types:
Operating System Only (Unix or Windows)

Database (Unix-Oracle, Windows-Oracle, Unix-DB2, Windows-DB2, etc.)
A database template set is always specific to both the database type and the operating system type.
CAS Template Item

The definition or set of attributes of a monitoring task over a single Monitored Entity. Users can define new CAS tests by creating new CAS templates or users can use
predefined CAS templates that can be modified.
A template item is a specific file or file pattern, an environment or registry variable, the output of an OS or SQL script, or the list of logged-in users. The state of any of
these items is reflected by raw data, i.e. the contents of a file or the value of a registry variable. CAS detects changes by checking the size of the raw data, or computing a
checksum of the raw data. For files, CAS can also check for system level changes such as ownership, access permission, and path for a file.
In a federated environment where all units (collectors and aggregators) are managed by one manager, all templates are shared by both collectors and aggregators and
CAS data can be used in reporting or vulnerability assessments. When the collector and aggregator (or host where archived data is restored) are not part of the same
management cluster the templates are not shared and therefore CAS data cannot be used by vulnerability assessments even when the data is present, to remedy this use
export/import of definitions to copy the templates from the collector to the aggregator (or restore target).
Note: CAS should not be asked to monitor more than 10,000 files per client.
Note: It is recommended to configure CAS to handle no more than 1,000 monitored files per hour.
Monitored Entity
The actual entity being monitored, can be A File (its content and properties), Value of an Environment Variable or Windows Registry, Output of an OS command or Script or
SQL statement
CAS Instance
Application of a CAS Template Set on a specific Host (creating an Instance of that Template Set and applying it on a specific host)
CAS Configuration
A CAS configuration defines one or more CAS instances, each of which identifies a template set to be used to monitor a set of items on that host.
Default Template Sets

For each operating system and database type supported, Guardium provides a preconfigured, default template sets for monitoring a variety of databases on either Unix or
Windows platforms. A default template set is one that will be used as a starting point for any new template set defined for that template-set type. A template-set type is
either an operating system alone (Unix or Windows), or a database management system (DB2Â®, InformixÂ®, Oracle, etc.), which is always qualified by an operating
system type - for example, UNIX-Oracle, or Windows-Oracle. Many of the preconfigured, default template sets are used within Guardium's Vulnerability Assessments
where, for example, known parameters, file locations, and file permissions can be checked.
You cannot modify a Guardium default template set, but you can clone it and modify the cloned version. Each of the Guardium default template sets defines a set of items
to be monitored. Make sure that you understand the function and use of each of the items monitored by that default template set and use the ones that are relevant to
your environment. After defining a template set of your own, you can designate that template set as the default template set for that template-set type. After that, any
new template sets defined for that operating system and database type will be defined using your new default template set as a starting point. The Guardium default
template set for that type will not be removed; it will remain defined, but will not be marked as the default.
Rationale for creating template sets to meet specific database configurations

Although Guardium supplies predefined CAS template sets for each database type, the wide variety of possible database configurations make means that you may have to
tweak the predefined template sets or create new ones to meet all of your needs in a production environment -- particularly as regards database software and data file
locations. You should plan on creating additional templates if you want CAS to monitor ownership of, permissions on, and changes to your database files.
For example, the predefined CAS template set for Oracle contains these templates, among others:

$ORACLE_HOME/oradata/../.*dbf
$ORACLE_HOME/oradata/../.*ctl
$ORACLE_HOME/oradata/../.*log
$ORACLE_HOME/../init.*.ora
As you can see, these file-pattern templates all start with the same root, $ORACLE_HOME (NOTE: This is not necessarily the $ORACLE_HOME environment variable
defined on your database server; by preference, CAS uses the datasource field â€œDatabase Instance Directoryâ€ as the value for $ORACLE_HOME).
It is possible that in a production environment your Oracle data files will not be in the same directory tree, or even on the same device, as your log files, and your Oracle
configuration files might be in still another location.
You might create additional CAS templates using absolute paths to allow CAS to find and monitor all of your Oracle files, for example:
/u01/oradata/mydb/*.dbf
/u01/oradata/mydb/*.ctl
/home/oracle11/admin/mydb/bdump/*.log
/home/oracle11/product/11.1/db_1/dbs/init*.ora
You can even use additional environment variables that are defined in your Oracle instance account. As an example, if you have variables defined as $ORA_DATA1,
$ORA_DATA2 and $ORA_SOFT you can use:
$ORA_DATA1/mydb/*.dbf
$ORA_DATA2/mydb/*.dbf
$ORA_DATA1/mydb/*.ctl
$ORA_DATA2/mydb/*.ctl
$ORA_SOFT/admin/mydb/bdump/*.log
$ORA_SOFT/product/11.1/db_1/dbs/init*.ora
Sourcing files from different locations

CAS templates assume that certain files, such as user profiles, are in specific locations. You can configure CAS to look for these files in other locations that you specify by
using a regular expression. To use this feature, add the user_profile_files parameter to the cas.client.config.properties file in the config directory. The format for each entry
is
identifying_string=comma-separated list of files
For example, suppose that you want to find .profile files in any DB2 userâ€™s home directory. For this example we assume that the names of all of these home directories
include the string "db2." Add this line to the properties file:
user_profile_files=.*db2.*=.profile
If you need to specify more than one pattern, use the bar symbol (|) to separate patterns. If you want to add the profiles of your mysql users to the previous entry, replace
the previous example with this:
user_profile_files=.*db2.*=.profile|.*mysql.*=.profile
Prerequisites, installing and running CAS on a Windows server

Learn about the CAS prerequisites, and how to install the CAS agent on your database server
Prerequisites, installing and running CAS on a Linux, UNIX server
Locating Java home directory and checking version
Locate the home directory and check the Java version before installing CAS.
CAS Start-up and Failover
Various failover and connect parameters can be modified through S-TAP Control Change Auditing.
CAS Templates
Guardium provides a set of CAS templates, one for each type of data repository.
Working with CAS Templates
This section describes how to maintain CAS templates
CAS Hosts
A Configuration Auditing System (CAS) host configuration defines one or more CAS instances.
CAS Reporting
This section describes Configuration Auditing System (CAS) reporting.
CAS Status
Open the Configuration Auditing System Status by clicking Manage > Change Monitoring > CAS Status
Prerequisites, installing and running CAS on a Windows server

Prerequisites on Windows
Table 1. Disk Space requirements for Windows servers
Disk Space Description
CAS Program files including Javaâ„¢ 277 MB

Table 2. Port Requirements for Windows servers

Guardium system connection to
Port Protocol ...
16017 TCP Clear (open the port) CAS
16019 TLS Encrypted CAS
Install CAS
Use the Windows installer, which is self explanatory.
CAS and the 64-bit Windows Registry

On Windows software configuration parameters are stored in the Registry tree in the key HKEY_LOCAL_MACHINE\SOFTWARE. Since a 64-bit machine can run both 64-bit
and 32-bit versions of the same application, there is a need to distinguish the configuration parameters of the 64 and 32 bit applications.
Microsoft's solution to the problem is to partition the registry. A special key, labelled WOW6432Node, is added to the Registry tree within the key
HKEY_LOCAL_MACHINE\SOFTWARE. When a 32-bit application tries to access the Registry through a path within the key HKEY_LOCAL_MACHINE\SOFTWARE, Windows
inserts the special key WOW6432Node into the path. This way the 32-bit application deals with the Windows Registry just as it would on a 32-bit machine, and Windows
takes care of redirecting to the correct partition.
CAS is a 32-bit Java application, so it would not normally have access to the 64-bit software configuration parameters. CAS has been enhanced to detect a 64-bit
environment and handle the partitioned Registry. CAS interest in the Registry is to retrieve values of Registry keys to detect changes or to compare against recommended
values.
As an example, suppose that CAS is to retrieve the value of HKEY_LOCAL_MACHINE\SOFTWARE\MyApp\Parameter1. That value could be in either, both, or neither
partition. If it is in neither partition, CAS will retrieve null. Otherwise, it returns a string which is the concatenation of the two values separated by the string
WOW6432Node. If the value is in the 64 but not the 32-bit partition, the string retrieved would look like Value64WOW6432Nodenull. Conversely, if the value is in the 32
but not the 64-bit partition, the string is nullWOW6432NodeValue32. Finally, if the value is in both partitions, the string returned is Value64WOW6432NodeValue32. This
new Registry value pattern search will search both Registry partitions when appropriate.
CAS Re-configuration of JAVA_HOME location

In most cases the installation program takes care of finding the JAVA_HOME value. This value is placed in the CAS configuration file.
If for any reason (for example, you install a new Java version after installing the GuardiumÂ® CAS product), you need to change the location of JAVA_HOME, follow the
following procedure.
1. Locate and open the CAS configuration file for editing. Its full path name is: <installation directory>/case/conf/wrapper.conf
2. Locate the following entry:wrapper.java.command=<value>
3. Replace value with the JAVA_HOME directory
4. Save the file.
Parent topic: Configuration Auditing System
Prerequisites, installing and running CAS on a Linux, UNIX server

Prerequisites on Linux, UNIX servers

Table 1. Disk Space Requirements for Linux, UNIX servers
CAS Program files including Javaâ„¢ AIXÂ®: 309 MB; HP-UX: 630 MB; Linux: 405 MB; Solaris: 390 MB
Java is required for CAS. You must obtain and install Java yourself (due to licensing
constraints).
HP-UX: Java 1.5 or higher

any server except HP-UX: Java 1.4.2 or higher
Table 2. Port Requirements for Linux, UNIX servers

Port Protocol ...
16017 TCP Clear CAS
16019 TLS Encrypted CAS
Install CAS client from the command line

1. Log on to the database server system using the root account.
2. Run the command guard-cas-setup, using the syntax:
guard-cas-setup -- install --java-home <JAVA_HOME> --install-path <INSTALL_PATH> --stap-conf <FULL_PATH_TO_GUARD_TAP_INI>

usage (variables are shown enclosed in angled brackets: < >):
guard-cas-setup -- uninstall
<guard-cas-setup> is the name of the script file
-- install indicates an install of CAS
-- uninstall indicates an uninstall of CAS
--java-home <JAVA_HOME> identifies the JAVA_HOME directory.

--install-path identifies the installation path
--stap-conf <FULL_PATH_TO_GUARD_TAP_INI>identifies where the guard_tap.ini file is located
CAS parameters are described in CAS parameters.
Start, and stop CAS from the command line

Depending on the install / uninstall scenario, you may need to start and stop CAS from the command line. One scenario might be not supplying the --stap-conf path to the
guard_tap.ini file as this is an optional parameter; resulting in CAS not starting. Use the following methods when needing to start or stop CAS:

2. For Red Hat Enterprise Linux 6: Stop / Start CAS using the stop cas or start cas commands.
3. All others:
a. Comment out (if stopping CAS) or remove comment (if starting CAS) the cas agent entry in the /etc/inittab file. In a default installation, this statement should
look like this:
cas:<nnnn>::respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh /usr/local/guardium/guard_stap/cas/bin
b. Save the /etc/inittab file.

c. Run the init q command
4. You may validate if CAS is running or not by issuing the ps -fe | grep cas command.
CAS Re-configuration of JAVA_HOME location

In most cases the installation program takes care of finding the JAVA_HOME value. This value is placed in the CAS configuration file.
If for any reason (for example, you install a new Java version after installing the GuardiumÂ® CAS product), you need to change the location of JAVA_HOME, follow the
following procedure.
1. Locate and open the CAS configuration file for editing. Its full path name is: <installation directory>/case/conf/wrapper.conf
2. Locate the following entry:wrapper.java.command=<value>
3. Replace value with the JAVA_HOME directory
4. Save the file.
Locating Java home directory and checking version

Locate the home directory and check the Java version before installing CAS.
About this task

When installing CAS on a UNIX system, there are two requirements:
Identify the JAVA_HOME directory. You will be prompted for its location during the CAS installation.
Verify that a supported version of Javaâ„¢ is installed. If a supported version is not installed, you must install it before installing CAS.
Note: To use CAS over SSL in a FIPS-compliant environment, you must install IBM Java on the server where the CAS agent runs.
The JAVA_HOME directory contains the Java command. For example:
If the java command is /usr/local/j2sdk1.4.2_03/bin/java

the JAVA_HOME directory is /usr/local/j2sdk1.4.2_03
Procedure
1. Enter the which java command. For example:
[root@yourserver ~]# which java

/usr/local/j2sdk1.4.2_03/bin/java
the JAVA_HOME directory is: /usr/local/j2sdk1.4.2_03

2. If the which java command returns a symbolic link, use the ls -ld <symbolic_link> command to determine the real Java directory name.
3. If the which java command returns the message command not found, Java may be installed, but it has not been included in the PATH variable. In this case, use the
find command to locate the Java directory; for example:
[root@yourserver ~]# find . -name java

./usr/bin/
4. To check the version number, from the java directory, run the java -version command. For example:
[root@yourserver ~]# /usr/local/j2sdk1.4.2_03/bin/java -version

java version "1.4.2_03"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_03-b02)
Java HotSpot(TM) Client VM (build 1.4.2_03-b02, mixed mode)
5. Note the Java version that is returned. You will not be prompted for this information, but in the event that an issue arises later, you will be able to eliminate the
possibility of an unsupported Java version.
CAS Start-up and Failover

Various failover and connect parameters can be modified through S-TAPÂ® Control Change Auditing.

When the CAS client starts on the host, it looks for a checkpoint file that it may have written to the system. This file tells CAS what it was doing the last time it was running.
CAS then connects to its Guardium system. If it has found a checkpoint file, CAS will ask the Guardium system to verify its version of its monitoring assignment against
what is stored in the GuardiumÂ® database. While the CAS client and the Guardium system have been disconnected, there may have been changes to the assignment.
When any differences are resolved, CAS will resume monitoring. If CAS does not find a checkpoint file, it will ask the Guardium system what it should do. If the Guardium
system finds the CAS host in its database, then the associated template sets will be sent to the CAS client, expanded into monitored items, and monitoring will begin. If
the Guardium system cannot find the CAS host in its database, it will add it to the database and send the default template set for the CAS host operating system.
When connectivity is lost between the CAS client and Guardium system, it may take the CAS client and Guardium system up to five minutes (the wait time for a CAS client
to expect a message from the Guardium system) to discover that it has lost contact with the primary Guardium system, but may happen sooner if the communication error
is detected.
If the CAS client loses its connection to the Guardium system or cannot make an initial connection, it opens a failover file and begins writing the messages that it would
have sent to the Guardium system, to the failover file. The path to this fail over file is stored in guard_tap.ini with the name cas_fail_over_file. When communication is
reestablished the CAS client shuts down and restarts, sends all messages stored in the failover file to the Guardium system, and deletes the file. If the CAS client was
unable to make the initial connection, it will use the checkpoint file to determine what to monitor, and continues doing what it was doing before communication failed.
When communication is lost, the client also starts a thread which periodically tries to reconnect with the primary Guardium system. The number of times CAS will attempt
to reconnect, and the average time interval between reconnect attempts, are configurable parameters. It will try to reconnect for a period of time set in guard_tap.ini with
the name cas_server_failover_delay. After that time has passed, the client will also try to connect to any secondary servers identified in guard_tap.ini. The secondaries will
be tried in the order of the value of the primary attribute listed in the SQL_Guard sections of guard_tap.ini. When primary is not 1, it is a secondary. While the client is
connected to a secondary server it will continue to try to reconnect to the primary server.
If the reconnect attempt limit is met, the CAS client stops trying to reconnect, but continues to write data to a failover file. To cap disk space requirements on the database
server, there are actually two failover files. CAS writes to one file until it reaches its maximum failover file size (which is configurable), and then switches to the other,
overwriting any previous data on that file. The default failover file size is 50MB (for each of the files).
You can specify one or more secondary Guardium systems when configuring the CAS client. In failover mode, CAS only tries to reconnect to its primary server until the
time specified by cas_server_failover_delay in guard_tap.ini is exceeded. At that time, CAS begins trying to connect to any of the secondary servers, as well as its primary
server (which is always the first server it tries to connect with during any reconnect attempt). While it is connected to a secondary server, CAS continues to try to reconnect
to its primary server.
Changes to the CAS client configuration can only be made from the primary server and only while the host is online. Whenever the configuration of the CAS client is
changed on the primary server and Guardium system is in standalone configuration, an export file is saved on the host. If the CAS client connects to a secondary server,
the saved export file is imported from the host to the secondary server.
There is no need to separately maintain configurations on both primary and secondary servers. However, if on the primary server, the parameters for an individual
monitored item have been changed from those defined in the template, then these changes will not be transferred to the secondary server. For example, even if the test
interval on a particular file was changed from the template default of 1 hr to 10 min, the test interval on the secondary server will again be 1 hr. Essentially, monitored
items are regenerated from the templates of the imported configuration. The delay before searching for secondary servers is based directly on time rather than failover file
size. The delay is set with the cas_server_failover_delay parameter in guard_tap.ini and has a default of 60 minutes.
Various failover and connect parameters can be modified through S-TAP Control Change Auditing.
As with S-TAP, CAS connectivity outages create exceptions on the Guardium system, so alerts can be issued within moments of detecting the outage.
Setting Up and Maintaining Secondary Servers

In the S-TAP/CAS configuration file on the database server system, one or more secondary Guardium servers can be defined. If the primary Guardium server becomes
unavailable, CAS on that database server system will connect to a secondary Guardium system (as described previously, see Start Up and Failover).
Rules of Failover
Rule # Guardium system Fails over to Valid
1 stand alone stand alone Yes
2 managed managed (same manager) Yes
3 managed managed (different manager) No
4 managed stand alone No
5 stand alone managed No
CAS Failover Limitations

1. CAS instances will not be relocated to the failed-over Guardium system when the source Guardium system is a managed unit and the target Guardium system is
either:
a stand-alone Guardium system
a managed unit which is being managed by a different manager
2. CAS import/export option will be limited to manager and stand-alone machines only.
Exporting CAS Hosts

1. Click Manage > Aggregation & Archive > Export to open the Definitions Export panel. Select CAS Hosts from the Type menu, select the to-be exported definitions
from the Definitions to Export menu, and click .in the Export
2. A file named exp_<date>_<time>.sql is saved on your system. This file will contain the definitions of all CAS hosts selected, and the definitions of any template sets
used by those CAS hosts.
Importing CAS Hosts

1. Click Manage > Aggregation & Archive > Import to open the Definitions Import panel.
2. Use the Browse and Upload buttons to select files and upload them, then select the definition from the Import Uploaded Definitions pane.

3. Click Import this set of definitions to import the definition.
4. Confirm the selected action (or not).
Note: An import operation does not overwrite an existing definition. If you attempt to import a definition with the same name as an existing definition, you are
notified that the item was not replaced. If you want to overwrite an existing definition with an imported one, you must delete the existing definition before
performing the import operation.
Maintaining Secondary Servers for a CAS Host

CAS configurations can also be maintained through the use of export and import operations. Since the import operation will not replace an existing definition, on each
secondary server you must delete the old CAS host definition before importing the new one.
Be sure to perform this procedure only while the selected CAS host is connected to its primary server.
1. Export the definition of the CAS host (see the previous section).
2. On each secondary server:
Delete the old CAS host definition that you want to replace.
Import the definitions that were exported from the primary server (see Importing CAS Hosts, previous).
CAS Client Ignore Change Alerts

The CAS client agent can avoid sending change notifications to the CAS server based on a predefined settings.
The CAS client agent will now look for a new parameter ignore_change_alerts in the CAS client agent's cas.client.config.properties configuration file.
If the parameter is not found or not set, the CAS client will work without any changes and the Ignore change alerts functionality will not be enabled (for example, the CAS
client will alert on any file change).
If the new parameter is set, CAS client agent will ignore sending change notifications based on the change-types specified in the parameter value.
The possible change-types are:
PERMISSION, SIZE, OWNER, GROUP, TIMESTAMP
Ignoring multiple change-types can be set by + delimited concatenation of any of the specified change-type.
For example:
In order to avoid sending change notification on OWNER and GROUP changes, set up the parameter as follows:
ignore_change_alerts=OWNER+GROUP
Note: In the initial installation or when defining a new template, the FIRST scan of the files will be performed and these files will appear in the CAS changes report
regardless to settings of Ignore change alerts.
Correcting an invalid non-IP hostname

In case the user installs CAS agent with a bogus tap_ip, guard_tap.ini param, or CAS_TAP_IP (GIM param), Windows datasources defined for that host might be useless (if
used for activity that requires accessing the remote database).
If the scenario happens, the user will have to delete the datasource and change the tap_ip parameter to the correct database server hostname/ip.
CAS Templates
Guardium provides a set of CAS templates, one for each type of data repository.
CAS templates - DB2

OS Script
Designates an OS script to be executed. Must begin with the variable $SCRIPTS, which refers to the scripts directory beneath the CAS home directory, and identify the
script to be executed, e.g., $HOME/ db2_spm_log_path_group_test.sh". The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the
script is stored in the GuardiumÂ® database to be used by security assessments. This can be either a shell/batch script to be run, or a set of commands that could be
entered on the command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run
directly. On Unix the script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use
in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last
three arguments to the batch file execution. For example, if you had an OS Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2, then %3, %4 and %5 would
be the DB username, password, and instance name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $INSTHOME variable. Set the value of the
$INSTHOME variable in Database Instance Directory on the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user
environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the DB2Â® user's home directory.
File Pattern
Designates a group of files to be tracked and monitored by security assessments. The path to the files can be absolute, or relative to the $INSTHOME variable. Set the
value of the $INSTHOME variable in Database Instance Directory on the Datasource Definition panel. A .. in the path indicates one or more directories between the portion
of the path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and the portion of the path
after it. For example: $INSTHOME/sqllib/../db2.* is just a short-hand for creating many single file identifications from a single identification string, a file pattern which
will match all files in the directory. A file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be

matched by one of the regular expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the
elements of the pattern, it will match zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more
than one .. element in a file pattern should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in
regular expressions \ cannot be used as a separator as it might be in Windows.
Additionally, the Guardium Unix/DB2 Assessment: UNIX - DB2 for Unix set includes the following templates:
Db2govd Setuid Bits Is Not Set
This test monitors that the SETUID bit on DB2GOVD has been disabled
Db2start Setuid Bits Is Not Set
This test monitors that the SETUID bit on DB2START has been disabled
Db2stop Setuid Bits Is Not Set
This test monitors that the SETUID bit on DB2STOP has been disabled
File ownership
This test monitors file ownership, and changes thereto, of DB2 files.
File permissions
This test monitors file permissions, and changes thereto, of DB2 files.
CAS templates - Informix

OS Script
script to be executed, e.g., $HOME/ informix_rootpath_owner.sh". The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is
stored in the Guardium database to be used by security assessments. This can be either a shell/batch script to be run, or a set of commands that could be entered on the
command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On Unix the
script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts:
$UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments
to the batch file execution. For example, if you had an OS Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2, then %3, %4 and %5 would be the DB
username, password, and instance name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $ INFORMIXDIR variable. Set the value of the
$INFORMIXDIR variable in Database Instance Directory on the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user
environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the InformixÂ® user's home directory.
Additionally, the Guardium Unix/Informix Assessment for Unix set includes the following templates:
Scan log files for errors
This test monitors for error in the online.log file
File ownership
This test monitors file ownership, and changes thereto, of Informix files.
File permissions
This test monitors file permissions, and changes thereto, of Informix files.
CAS templates - Oracle

OS Script
script to be executed, e.g., $SCRIPTS/oracle_user.sh. The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored in the
Guardium database to be used by security assessments. (This can be either a shell/batch script to be run, or a set of commands that could be entered on the command
line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On Unix the script is run
in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts: $UCAS is the
DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments to the batch
file execution. For example, if you had an OS Script template $SCRIPTS/mysql_mysqld_user.sh, then %3, %4 and %5 would be the DB username, password, and instance
name respectively. )
File
Designates a file to be tracked and monitored. The path to the file can be absolute, or relative to the $ORACLE_HOME variable. The value of the $ORACLE_HOME variable
is the value you set in the Database Instance Directory field of the Datasource Definition panel. (This is assumed to name a single file. Environment variables from the OS
user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Oracle user's home directory.)
File Pattern
Designates a group of files to be tracked and monitored. The path to the files can be absolute, or relative to the $ORACLE_HOME variable. Set the value of the
$ORACLE_HOME variable in Database Instance Directory on the Datasource Definition panel. A .. in the path indicates one or more directories between the portion of the
path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and the portion of the path after
it. For example: $ORACLE_HOME/oradata/../*.dbf (This is just a short-hand for creating many single file identifications from a single identification string, a file pattern. A
file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be matched by one of the regular

expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the elements of the pattern, it will match
zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more than one .. element in a file pattern
should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in regular expressions \ cannot be
used as a separator as it might be in Windows. The file pattern shown previously is not correct because *.dbf is not a valid regular expression. It should be .*dbf.
Additionally, the default Guardium Unix/Oracle template set includes the following templates:
ADMIN_RESTRICTIONS Is On
This test monitors that the listener.ora parameter ADMIN_RESTRICTIONS is set properly.
File ownership
This test monitors file ownership, and changes thereto, of the Oracle data files, logs, executables, etc.
File permissions
This test monitors file permissions, and changes thereto, on the Oracle data files, logs, executables, etc.
This test scans the Oracle log files for occurrences of error strings.
SPOOLMAIN.LOG Does Not Exist
This test checks the existence of the Oracle SPOOLMAIN.LOG.
CAS templates - MongoDB

MongoDB is typically used as an operational system and as a backend for web applications due to ease of programming for non-relational formatted data like JSON
documents.
Use the Unix/MongoDB template to specify multiple paths and multiple directories in the datasource to scan various components as specified in the MongoDB datasource
definition.
Scan a file pattern by selecting template items beginning with a "$".
Do not select the $SCRIPTS/mongodb_unmask_value.sh item - it is a Guardium reserve item.
If the template item is not specified as part of the Database Instance Directory in the MongoDB datasource definition, the item will be skipped over and not scanned.
Note: For CAS scripts to work, you must enable log in for the MongoDB account on the Mongo DB server. To enable log in, log in as root, run the command chsh mongod,
and when prompted for new shell, enter /bin/bash.
Note: You can create your own template with multiple file paths for any type of datasource. When creating your own template, we recommend that you use the
Unix/MongoDB as a reference. To create a new template for a MongoDB datasource, you can clone and modify the Unix/MongoDB template.
Note: MongoDB datasources support SSL server and client/server connections with SSL client certificates. MongoDB connections use a Java driver, instead of a JDBC
database connection.
Note: The VA solution for MongoDB clusters can be run on mongos, a primary node and all secondary nodes for replica sets.
CAS templates - NetezzaÂ®

File Ownership
This test checks whether the files are owned and belongs to the correct group according to the definition within the CAS template.
File Permission
This test checks whether the file permission is properly set according to the definition within the CAS template.
Scan Log files for errors
This test checks for these events (FATAL, ERROR, DEBUG, ABORT and PANIC) in these two log files. /nz/kit/log/postgres/pg.log and /nz/kit/log/startupsvr/startupsvr.log
Configuration for Oracle RAC systems

This is the required configuration for Oracle RAC systems.
Change guard_tap.ini on each node installed with S-TAP:
unix_domain_socket_marker=<key>
where <key> value can be found in listener.ora in the IPC protocol definition
Example 1:
If the following is a description in the listener.ora
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ORCL))))
Then change the following parameter accordingly
unix_domain_socket_marker=ORCL
Example 2:
In the case where there is more than one IPC line in listener.ora, use a common denominator of all the key LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=
(PROTOCOL=IPC)(KEY=LISTENER)))) LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) LISTENER_SCAN2=
(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))) LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=
(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
Guardium uses a string search in the path so LISTENER will work for all four and should be used in this case:
unix_domain_socket_marker=LISTENER
CAS templates - PostgreSQL

Note: It is very important that PostgreSQL_BIN and PostgreSQL_DATA environment variables are defined correctly. An invalid setting will cause other CAS assessment
tests not to work properly or at all.
File Ownership
File Permission
PostgreSQL_BIN environment variable defined
This test check if the $PostgreSQL_BIN environment variable is defined in your database server. This variable need to be defined under the root account for Unix/Linux or
you can add to .profile for root login. For Windows OS, it needed to be defined for the Administrator login. For Red Hat Linux, PostgreSQL BIN folder is usually in /usr/bin.
For Solaris, it is usually something like /data/postgres/postgres/8.3-community/bin/64. Setting this environment variable is very important as other assessment tests
relied on the location of this folder.
PostgreSQL_DATA environment variable defined
This test check if the $PostgreSQL_DATA environment variable is defined in your database server. This variable need to be defined under the root account for Unix/Linux or
you can add to .profile for root login. For Windows OS, it needed to be defined for the Administrator login. For Red Hat Linux, the default for DATA folder is usually in
/var/lib/pgsql/data. For Solaris, there is no consistent location. Setting this environment variable is very important as other assessment tests relied on the location of this
folder to find the correct configuration files.
CAS templates - SQL Server

OS Script
Designates an OS script to be executed. Output from the script is stored in the Guardium database. This can be either a shell/batch script to be run, or a set of commands
that could be entered on the command.
Registry Variable
Search Windows registry for specific key value that are required by security assessments test.
CAS templates - Sybase

OS Script
script to be executed, e.g., $HOME/sybase_sysdevice_type_test.sh. The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored
in the Guardium database to be used by security assessments. This can be either a shell/batch script to be run, or a set of commands that could be entered on the
command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On Unix the
script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts:
$UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments
to the batch file execution. For example, if you had an OS Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2, then %3, %4 and %5 would be the DB username,
password, and instance name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $SYBASE variable. The value of the $SYBASE
variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. This is assumed to name a single file. Environment variables from
the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Sybase user's home
directory.
File Pattern
Designates a group of files to be tracked and monitored by security assessments. The path to the files can be absolute, or relative to the $SYBASE variable. The value of
the $SYBASE variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. A .. in the path indicates one or more directories
between the portion of the path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and
the portion of the path after it. For example: $SYBASE/../.*dat" This is just a short-hand for creating many single file identifications from a single identification string, a file
pattern. A file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be matched by one of the
regular expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the elements of the pattern, it
will match zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more than one .. element in a file
pattern should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in regular expressions
\cannot be used as a separator as it might be in Windows.
Additionally, the Guardium Unix/Sybase Assessment : UNX - SYBASE set includes the following templates :
This test monitors for errors in Sybase log files.
sysdevice Owner is sysbase
This test monitors for ownership of sysdevice.
File ownership
This test monitors file ownership, and changes thereto, of Sybase files.
File permissions
This test monitors file permissions, and changes thereto, of Sybase files.

CAS templates - Teradata
File ownership
File permission
Aster Data
Aster Data was acquired by Teradata in 2011, typically used for data warehousing and analytic application (OLAP). Aster Data created a framework called SQL-
MapReduce that allows the Structured Query Language (SQL) to be used with Map Reduce. Aster Data is most often associated with clickstream kinds of
applications.
An Aster nCluster includes a Queen Node Group, a Worker Node Group, and a Loader Node Group. A CAS agent is installed on all three node groups.
A security assessment should be created to execute all tests on the queen node. All database connections for Aster Data go through the queen node only.
Testing on worker and loader nodes are only required when performing CAS tests (File permission and File ownership).
Privilege tests loop through all the databases in a given instance.
When running VA tests that require CAS access, and filling in the CAS datasource configuration choices, specify the usernname that Aster is installed under for
Database Instance Account. This username typically is called beehive.
For Database Instance Directory, this is the home directory of the beehive user. The default typically is /home/beehive.
When running VA tests that are do not use CAS, the customer should create their datasource, pointing to the QUEEN node within the cluster.
When running VA tests that are CAS dependent, if the node you are testing is one of the worker, then you would have to setup "Custom URL" in the datasource to
point to the Queen node as that is how it is listening.
Example
Host Name/IP = Worker.guard.xxx.xxx..com or 1xx.1xx.111.111 (This is the actual worker host even though worker is not listening to this. CAS needs this so it can
send and receive data from the Worker's node)
Port = 2046 or whatever the port used.
Database = beehive
Custom URL= jdbc:ncluster://aster6q:2406/beehive (This JDBC example shows that we are actually connecting to the aster6q which is the queen node on port
2406 and beehive database)
Database instance account = beehive
Database instance directory = /home/beehive
Working with CAS Templates

This section describes how to maintain CAS templates
Define a Template/Template Set

Create a New Template Set
Modify a Template Set
Clone a Template Set
Delete a Template Set
Create a New Template Set

1. Open the CAS Configuration Navigator by clicking Harden > Configuration Change Control (CAS Application) > CAS Template Set Configuration.
2. Click New to open the Monitored Item Template Definitions panel.
3. Select OS Type.
4. Select DB Type. If the template set does not require any specific DB type then select N_A as the DB Type.
5. Enter a unique name for Template Set Name.
Note: Template Set Names over 128 characters will be truncated
6. Click Apply to save the CAS Template Set Definition.
7. To add items to the new template set, click Add to Set and see Define a Template Set Item.
Finding the GuardiumÂ® CAS Panel

Access to CAS Configuration Functions, by default, is restricted to the admin user and to users who have been assigned the CAS role.
Click Harden. The list of CAS functions is listed within the Configuration Change Control (CAS Application) header.
Opening the CAS Configuration Navigator

The CAS Configuration Navigator panel is the starting point for creating or modifying CAS Template Sets.

Open the CAS Configuration Navigator panel by clicking Harden > Configuration Change Control (CAS Application) > CAS Template Set Configuration.
The list can be filtered by OS type and DB type.
Modify a Template Set

Use the CAS Configuration Navigator panel to modify an existing CAS template set. Once a template set is in use on any CAS host, the modifications that you can make to
that template set are limited. You will be able to make minor changes to various elements of the definition, but you will not be able to add or remove templates.
1. Open the CAS Configuration Navigator panel by clicking Harden > Configuration Change Control (CAS Application) > CAS Template Set Configuration.
2. Filter the template set list by OS Type or DB Type.
3. Select the Template Set that you want to modify and click Modify to open the CAS Template Set Definition panel.
4. Make your desired changes and click Apply to save them.
Clone a Template Set

3. Select the Template Set that you want to clone and click Clone to open the CAS Template Set Definition panel.
4. Once cloned, modify the clone to suit your needs.
Note: Predefined templates cannot be edited. They have the same restrictions as those that are in use by a CAS host. The customer must clone it, then edit the cloned
copy if they wish to make changes to it.
Delete a Template Set

3. Select the Template Set that you want to delete and click Delete.
Define a Template Set Item

Once a template set is in use on any CAS host, the modifications that you can make to that template set are limited. You will be able to make minor changes to various
elements of the definition, but you will not be able to add or remove templates.
Create a New Template Set Item

Modify a Template Set Item
Delete a Template Set Item
Create a New Template Set Item

2. Click New to open the Monitored Item Template Definitions panel.
3. Enter in a Template Set Name, select an OS Type and DB Type, and click Apply.
4. Click Add To Set to create a new item.
Modify a Template Set Item

4. Select the items you want to modify, and click Edit Selected.... Make your desired changes and click Apply to save them.
Delete a Template Set Item

4. Select the items you want to delete, and click Delete Selected.
CAS Item Template Definition Panel
Com
pon
ent Description
OS The operating system type: Windows or Unix. You can change this selection when the template set is empty, but you cannot change it if the template set contains
Type one or more items.
DB The database type (Oracle, MS-Sql, DB2Â®, Sybase, InformixÂ®, etc.) or N/A for an operating system template set. You can change this selection when the
Type template set is empty but you cannot change it if the template set contains one or more items.
Desc An optional name for the item used in reports and to identify the item in other CAS panels (the CAS Template Set Definition for example). If omitted, the item
ripti name defaults to the file name or pattern, variable name, or script (as appropriate for the type).
on
Type One of the following: SQL Query, OS Script, Environment Variable, Registry Variable, Registry Variable Pattern, File, and File Pattern.
See Template and Audit Types for further information.
Note: If being used with CAS-based assessment tests this must be of type OS Script.

Cont Type dependent text defining the specific item to monitor, or how to generate it.
ent
See Template and Audit Types for further information.
Note: For an OS script CAS will wait for a script to complete. To limit the time allowed for an OS script to run and allowing CAS to terminate the script, use the
cas_command_wait guard_tap.ini parameter. The default wait time is 300 seconds or 5 minutes. When changing this parameter there is no need to restart CAS.
Per For File and File Pattern Type only.

miss
ion Used for Unix only - the permissions that this file should not exceed.
Limit
File For File and File Pattern Type only. The owner of the file(s).
Own
er
File For File and File Pattern Type only. The group owner of the file(s).
Grou
p
Peri The maximum interval between tests, specified as a number of minutes(m), hours(h), or days(d). Data becomes available after the initial period is realized and up
od to and before the next period begins.
Kee If selected, a copy of the actual data is saved with each change. For example: for a file item, a copy of the file is saved. If selected, but the size of the raw data for
p the item is greater than the Raw Data Limit configured for this CAS host, no data will be saved.
Data
Use Indicates whether or not an additional comparison is done by calculating a checksum of the raw data using the MD5 algorithm. Computing the MD5 checksum is
MD5 time consuming for large character objects. However, it is a better indicator of change than just the size. The default is not to use MD5. If MD5 is used, but the size
of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped.
Ena Selected by default; indicates whether or not the item will be checked for changes.
bled
Template and Audit Types
Typ
e Description
SQL The content should be a valid SQL statement. The result returned by the statement will be compared to the result returned the last time the query was run. The
Que query will be run with the parameters specified in the datasource that is being used: username, password, DB port, and so forth. Care should be taken when filling
ry out these parameters in the datasource or the query will fail to return a result.
OS The content can be a valid command line entry, or the name of a file containing an OS executable script. The script is executed in the environment of the OS user
Scri specified in the Database Instance Account field of the datasource definition.
pt
Envi The content should name an environment variable that is defined in the context of the OS user specified in the Database Instance Account field of the datasource
ron definition.
me
nt
Vari
able
Reg The content is interpreted as the path to a variable in the Windows Registry of the host. The value found on that path is compared to the value found the last time
istr the path was traced.
y
Vari
able
Reg The content is a sequence of regular expressions that is used to match the components of paths in the Windows Registry. The pattern is used to develop registry
istr variable type monitored items which will be treated as described previously.
y
Vari The regular expressions are joined by / so that the pattern resembles a registry path. The more familiar \ character cannot be used, since that is a special character
able in the syntax of Javaâ„¢ regular expressions. If a / is needed in one of the regular expressions, it must be escaped with a \. (e.g. U\/235 would be used to match
Patt U/235).
ern
The pattern .. can be used to match zero or more components within a path. For example, HKLM/Software/../buzz will match HKLM\Software\buzz, or
HKLM\Software\one\two\three\buzz. This type of pattern can lead to a computationally expensive registry search, so use it carefully.
Other than these exceptions, the regular expressions follow the syntax of Java regular expressions.
File The content is interpreted as an absolute file path on the host. The characteristics of the file found on the path will be compared to the characteristic found the last
time the path was traced. The path may include environment variables which will be expanded in the context of the OS user specified in the datasource. The path
may also begin with a substitution variable, like "$SYBASE_HOME", which will be replaced by the value entered in the Database Instance Directory field of the
datasource definition.
File The content is a sequence of regular expressions that is used to match the components of file paths and to generate File type monitored items. The regular
Patt expressions are joined by / so that the pattern resembles an actual file path. As with registry patterns, the \ cannot be used for Windows files because of the
ern regular expression syntax. If the pattern begins with ?: on a Windows machine, the pattern match will be started on each of the drives of a multi-drive machine. The
.. construction described with registry patterns can also be carefully used in a file pattern. Environment variables from the context of the OS user can be used in a
file pattern and will be expanded before the expansion of the regular expressions.
GuardAPI commands
create_cas_template_set

create_cas_template
create_datasource
create_cas_host_instance
CAS Hosts
A Configuration Auditing System (CAS) host configuration defines one or more CAS instances.
Once you have defined one or more CAS template sets, and have installed CAS on a database server, you are ready to configure CAS on that host. A CAS host configuration
defines one or more CAS instances. Each CAS instance specifies a CAS template set, and defines any parameters needed to connect to the database. For each database
server on which CAS is installed, there is a single CAS host configuration, which typically contains multiple CAS instances - for example, one CAS instance to monitor
operating system items, and additional CAS instances to monitor individual database instances.
Define a CAS Instance

Modify a CAS Instance
Delete a CAS Instance
Disable a CAS Instance
Define a CAS Instance

1. Open the CAS Configuration Navigator by clicking Harden > Configuration Change Control (CAS Application) > CAS Host Configuration.
The menu lists all database servers where CAS has been installed and this host has connected to the Guardium system.
2. Use list filtering to filter by OS Type or DB Type and find the host you would like to work with.
3. Highlight the host you want to modify and click Modify.
4. Select a Template Set from the menu.
Note: CAS Instance cannot be defined if the host is off line or this is a secondary Guardium system for the host.
5. Click Add Datasource to open the Datasource Finder panel.
Note: If no compatible datasource is available for this template set on this host you may click New to open the Datasource Definition panel and add a datasource.
6. Select the datasource that you want to add to the template set, and click Add to add it to the template set.
Finding the GuardiumÂ® CAS Panel

Access to CAS Configuration Functions is restricted to the admin and users who have been assigned the CAS role.
Click Harden. All the CAS functions are listed within the Configuration Change Control (CAS Application) header.
Open the CAS Configuration Navigator

The CAS Configuration Navigator panel is the starting point for creating or modifying CAS Hosts.
Open the CAS Configuration Navigator panel by clicking Harden > Configuration Change Control (CAS Application) > CAS Host Configuration.
Modify a CAS Instance

1. Open the CAS Configuration Navigator
2. Use list filtering to filter by OS Type or DB Type and find the instance you would like to work with.
3. Highlight the host you want to modify and click Modify.
A list of defined CAS instances associated with the selected host will be displayed with the following information and editing options:
Table 1. Modify a CAS Instance

Component Description
Disable/Enable Instance Icon Click the Disable Instance icon to disable/enable the CAS instance
Delete Instance Icon Click the Delete Instance icon to delete the CAS instance
Datasource Identifies the datasource used by the instance. Click the Datasource to open the Datasource Definition panel to edit
the datasource definition
Template Set Identifies the CAS template set used by the instance. Click this link to open the Monitored Item Template Definitions
panel to view or modify the template set definition.
See Working with CAS Templates for more information
Monitored Items A count of items currently monitored by the instance. Click this link to open the Monitored Items Definitions panel
which displays the list of all items currently monitored.
See Viewing Monitored Items Lists for more information.
Note: There is a default of 10,000 monitored items that are viewable for reports regardless of the number of
monitored items defined. It is suggested that multiple instances be defined when the number of monitored items
approach this limit.
Delete a CAS Instance

1. Open the CAS Configuration Navigator

3. Click Delete Instance to delete a CAS instance. All collected change data will be deleted as well.
Disable a CAS Instance

1. Open the CAS Configuration Navigator.
3. Highlight the host you want to modify and click Modify, or double-click to open the Host Instance Definitions panel.
4. Click the Disable Instance icon to disable a CAS Instance. Change data will not be collected until the instance is enabled by again clicking on the icon.
View Monitored Item Lists

In the Host Instance Definitions panel, click a Monitored Items link to view the complete list of items monitored in the Monitored Items Definitions panel. The following
table describes the components seen on the Monitored Items Definitions panel for this Host Configuration.
All the monitored items refer to raw data, a character object on the host, the result of a SQL query, the output of an OS script, or the contents of a file. The size of that
character object is computed. If the item is a file, then the permissions, owner, group, and last modified time are also checked. If any of these have changed since the last
time the item was checked, the change will be noted.
Table 2. View Monitored Item Lists
Select Box Check the Select Box if you'd like to edit a monitored item individually or as a group.
Double click any monitored item to edit that item.

Item The name of the monitored item from the description in the CAS Item Template Definition panel
Type One of the following: OS Script, SQL Query, File, Environment Variable, or Registry Variable
OS Script or SQL Script: The actual text or the path to an operating system or SQL script, whose output will be compared
with the output produced the next time it runs
File or File Pattern: A specific file or a pattern to identify a set of files
Environment Variable or Registry Variable: An environment variable or a (Windows) registry variable
Period The average interval between tests, specified as a number of seconds(s), minutes(m), hours(h), or days(d).
Keep Data If marked a copy of the actual data is saved with each change. For example, for a file item, a copy of the file is saved. If
marked but the size of the raw data for the item is greater than the Raw Data Limit configured for this CAS host, no data
will be saved
Use MD5 Indicates whether or not the comparison is done by calculating a checksum of the raw data using the MD5 algorithm.
Computing the MD5 checksum is time consuming for large character objects. However, it is a better indicator of change
than just the size. The default is not to use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size
Limit configured for the CAS host, the MD5 calculation and comparison will be skipped.
GuardAPI Commands
delete_cas_host
list_cas_hosts
create_cas_host_instance
delete_cas_host_instance
list_cas_host_instances
update_cas_host_instance
CAS Reporting
This section describes Configuration Auditing System (CAS) reporting.
The admin user has access to all query builders and default reports. The admin role allows access to the default CAS reports, but not to the CAS query builders. The CAS
role allows access to both the default CAS reports and the query builders.
Accessing CAS Query Builders

Accessing Default CAS Reports
CAS Reporting Domains
Accessing CAS Query Builders

This section describes how to access the CAS Query Builders from the administrator and user portals. For help on how to use the query builders or report builders, see
Queries or Reports.
From the UI:
1. Open the Report Builder by clicking Investigate > Report Builder.

2. Click New, choose a Query from the menu, specify a report title, click Next, and fill out the rest of the Report Builder to suit your needs.
Accessing Default CAS Reports

View the default reports related to CAS by clicking Harden > Reports.
CAS Reporting Domains
Domai
n Description
CAS Track CAS template definitions. Templates identify items to be monitored for changes. Monitored items can be files, environment or registry variables, OS or
Templa SQL script output sets, or the set of logged on users.
tes
CAS Tracks CAS host configurations, where a configuration is the application of one or more template sets to a specific database server host. From configuration
Config instances you can see which items within template sets are enabled or disabled, or exactly which files are selected and monitored (or not) by file name pattern
templates.
CAS Tracks CAS host events, including servers or clients going in or out of service.
Host
History
CAS Tracks changes to monitored items (files, registry variables, etc.)

Change
s
CAS Templates Domain
Entity Description
Template Set Describes a template set definition
Template Describes a template item within a template set
Template Set Entity
Template A unique identifier for the template set, numbered sequentially

Set ID
DB Type Database Type (Oracle, MS-SQL, DB2Â®, Sybase, InformixÂ®, etc.) or N/A for an operating system template
Template The template name

Set Name
IsDefault Indicates whether or not this template is the default for the specified OS type and DB type combination
Editable Indicates whether or not this template can be modified. The default GuardiumÂ® templates cannot be modified. In addition, once a template set has been
used in a CAS instance, it cannot be modified. However, a template set can always be cloned and the cloned set can be modified.
Timestam Date and time the template was last updated

p
Template Entity
Attrib
ute Description
Temp A unique identifier for the template set, numbered sequentially

late
ID
Acces Depending on the Audit Type, this is the OS or SQL script, environment or registry value, or a file name or a file name pattern
s
Name
Audit The type of monitored item

Type
Audit The maximum interval (in minutes) between tests

Frequ
ency
(minu
tes)
Use Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last
MD5 time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS
host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for
the item and the size of the item are compared with the values saved the last time the item was checked.
Save Indicates if the Keep Data checkbox has been marked. If so, previous versions of the item can be compared with the current version.
Data
Descr Optional description of the template

iption
Times Date and time the template was last updated.

tamp

CAS Templates Domain Default Reports
Default Report Description
CAS Templates Report Lists CAS templates
CAS Templates Report
Entity Attribute Operator Default Value
Template Access_Name Like %
Template Set Template_Set_Name Like %
Template Audit_Type Like %
CAS Config Domain
Entity Description
Host Identifies a CAS host (a database server) and the current status of CAS (online/offline). This entity is also available in the CAS Host History domain
Instance For each host, an Instance Config entry describes a CAS instance, which contains database connection parameters (if needed) and identifies the template
Config set used by the instance. It provides current status of the instance (in use, enabled, or disabled) and the date of the last revision.
Monitored Identifies an item (a file or an environment variable, for example) monitored by a CAS instance. In contains the item definition and indicates whether or not
Item the item is enabled.
Details
Host Entity
Entity Description
Host Name Database server host name (may display as IP address)
OS Type Operating system: UNIX or WIN
Is Online Online status (yes or no) when record was written
Instance Config Entity
DB Type Database Type (Oracle, MS-SQL, DB2, Sybase, Informix, etc.) or N/A for an operating system instance
Instance The name of the instance
User The user name that CAS uses to log onto the database; or N/A for an operating system instance.
Port The port number CAS uses to connect to the database; this can be empty for an operating system instance
DB Home Dir The home directory for the database; this can be empty for an operating system instance
Template Set ID Identifies the template set used by this instance
Monitored Item Details Entity
Att
rib
ute Description
Te Database Type (Oracle, MS-SQL, DB2, Sybase, Informix, etc.) or N/A for an operating system instance
mpl
ate
ID
Mo The name of the instance

nito
red
Ite
m
Au The user name that CAS uses to log onto the database; or N/A for an operating system instance.
dit
Typ
e
Ena The port number CAS uses to connect to the database; this can be empty for an operating system instance
ble
d
In The home directory for the database; this can be empty for an operating system instance
Syn
ch
Au Identifies the template set used by this instance

dit
Fre
que
ncy
Use Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last
MD time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host,
5 the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item
and the size of the item are compared with the values saved the last time the item was checked.
Sav When marked, previous version of the item can be compared with the current version
e
Dat
a
Des Optional description of the instance

crip
tio
n
Te The template entry that is the basis for this monitored item, set from the Template entity Access Name attribute when the instance was created. Typically this will
mpl be the same as the monitored item, but in the case where a file pattern was used in the template, this will be the file pattern
ate
Co
nte
nt
CAS Config Domain Default Reports
Default Reports Description
CAS Instances Lists CAS instances
CAS Instance Config Lists CAS instance configuration changes
CAS Instances Report
Host Host_Name Like %
Host OS_Type Like %
Instance Config DB_Type Like %
Instance Config Instance Like %
CAS Instance Config Report
Host OS_Type Like %
Monitored Item Details Template_Id Like %
Drill-Down Reports
Report Description
Report Details Displays the monitored items included in the count of monitored item column
CAS Host History Domain
Entity List Domain Description
Host Identifies a CAS host (a database server) and the current status of CAS (online/offline). This entity is also available in the CAS Config domain.
Host Event Date and time of an event in the CAS client/server relationship, details a client or server going in and out of service.
Host Entity
Host Name Database server host name
Is Online Current online status (Yes/No)
Host Event

Event Time Date and time that the event was recorded
Event Type Identifies the event being recorded:
"Client Down": CAS stopped on database server host
"Client Up": CAS started on database server host
"Failover Off": A server is available (following a disruption), so CAS data is being written to the server
"Failover On": The server is not available, so CAS data is being written to the failover file
"Server Down": The database server stopped
"Server Up": The database server started
CAS Host History Domain Default Reports
Default Report Description
CAS Host History Report Lists CAS events for each CAS host
CAS Host History Report
Host OS_Type Like %
Host Event Event_Type Like %
CAS Changes Domain
Entity Description
Monitored Changes Created each time a monitored item changes
Host Configuration Created each time a monitored item changes
Saved Data Contains saved data for the changes made
Monitored Changes Entity
Change Identifier Unique identifier for the change
Sample Time Timestamp (date and time on host) that sample was taken
Saved Data ID Identifies the Saved Data entity for this change
Audit State Label ID Identifies the Host Configuration entity for this change
Timestamp Data and time this change record was created on the server (Guardium appliance server clock)
Owner UNIX only. If the item type is a file, the file owner
Permissions UNIX only. If the item type is a file, the file permissions
Size File size, but there are special values as follows:
-1, File exists, but has zero bytes
0, File does not exist, but this file name is being monitored (it never existed or may have been deleted)
Last Modified Timestamp for the last modification, taken from the file system at the sample time
Last Modified Date Date for the last modification
Last Modified Weekday Day of the week for the last modification
Last Modified Year Year for the last modification
Group UNIX only. If the item type is a file, the group owner
Host Configuration Entity
Audit State Unique numeric identifier for the configuration item

Label ID
Host Name Database server host name or IP address
DB Type Database Type (Oracle, MS-SQL, DB2, Sybase, Informix, etc.) or N/A if the change is to an operating system instance
Instance Name of the template set instance

Name

Type Type of monitored item that changed.
OS Script or SQL Script: A change triggered by the OS script contained in the monitored item template definition.
Environment Variable: An environment variable (Unix only)
Registry Variable: A registry variable (Windows only)
File: A specific file. There is no host configuration entity for a file pattern defined in the template set used by the instance. Instead, there is a separate
host configuration entity for each file that matches the pattern.
Monitored The name of the changed item, from the Description (if entered), otherwise a default name depending on the Type (a file name, for example).
Item
Saved Data Entity
Saved Data ID Unique numeric identifier for the saved data item
Saved Data The actual data saved
Timestamp Timestamp for when the saved data entity was recorded in the server database
Change Identifier Identifies the monitored changes entity for this saved data entity
CAS Changes Domain Default Reports
Default
Report Description
CAS Change For each monitored item, lists changes by owner. This report lists changes to the properties of the file, such as the owner or access permissions. It does
Details not list changes to the contents of the file.
CAS Saved For monitored items with the optional Keep data box checked, lists the data for each changed detected. This report lists changes to the contents of the
Data file, not to its properties.
CAS Changes Details
Host Configuration DB_Type Like %
Host Configuration Host_Name Like %
Host Configuration Instance_Name Like %
Host Configuration Monitored_Item Like %
Host Configuration OS_Type Like %
Host Configuration Type Like %
Drill-Down Reports
Report Description
Record Details Displays the saved data included in the Count of Saved Data column
CAS Saved Data
Host Configuration Host_Name Like %
Host Configuration Monitored_Item Like %
Monitored Changes Saved_Data_Id Like %
Drill-Down Reports
Report Description
View Difference Displays the difference between the selected data and prior version
CAS Status
Open the Configuration Auditing System Status by clicking Manage > Change Monitoring > CAS Status
For each database server where CAS is installed and running, and where this Guardium system is configured as the active GuardiumÂ® host, this panel displays the CAS
status, and the status of each CAS instance configured for that database server.
If you have trouble distinguishing the colors of the status indicator lights, hover your mouse over status lights, and a text box will display the current status.

CAS System The light found on this panel indicates whether CAS is actively running on the Guardium system.
Status indicator
light Red: CAS is not running on this Guardium system.
Green: CAS is active on this Guardium system.
CAS agent status These status lights indicate whether the individual CAS agent is connected to a Guardium system. Identify each CAS agent by referencing the IP
indicator lights address that appears before the row of status indicator lights
Red: Host and/or the CAS agent is offline or unreachable.
Green: Host and CAS agent are online.
Yellow: The Guardium system is a secondary for the CAS host.
Reset Reset the CAS agent on this monitored system. This stops and restarts the CAS agent on the database server.
Note: This will also reset checkpoint files; allowing for a fresh start and re-scan of files from scratch.
Delete (X) Remove this monitored system from CAS and also deleting the data on the Guardium system that was associated with the CAS client.
This button is disabled if the CAS agent is running on this system. You must stop the CAS agent to be able to delete. See Stopping and Starting the
CAS Agent for more information.
Red/Yellow/Gree Each set of lights indicates the status of a CAS instance on the monitored system. If the owning monitored system status is red (indicating that the
n light CAS agent is offline), ignore this set of status lights.
Red: The instance is disabled.
Green: The instance is enabled and online, and its configuration is synchronized with the Guardium system configuration.
Yellow: The instance is enabled, but the instance configuration on the Guardium system does not match the instance configuration on the monitored
system (it has been updated on the Guardium system, but that update has not been applied on the monitored system).
Refresh Click Refresh to re-check the status of all servers in the list. This button does not stop and/or restart CAS on a database server â€“ it only checks the
connection between CAS on the Guardium system and CAS on each database server.
Note: The TAP_IP entry in the guard_tap.ini file is required. If TAP_IP is missing CAS will not start and an error message will be logged in the log file on the CAS client.
Stopping and Starting the CAS Agent

There are several situations where you may need to stop or start the CAS agent on a monitored system.
Note: If you want to stop and restart the CAS agent, you can do so by clicking Manage > Change Monitoring > CAS Status.
Stopping CAS on a UNIX Host
1. Edit the file /etc/inittab.

2. Find the CAS respawn line:
cas:2345:respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh /usr/local/guardium/guard_stap/cas/bin
3. Comment out the line by inserting # in the first character position.

4. Save the file.
5. Enter the following command: init -q
6. Enter the following command: ps -er | grep cas
7. Note the PID of each of the processes listed.
8. For each of the processes listed, issue the following command: kill -9 <pid>
9. In the Configuration Auditing System Status panel of the Guardium administrator portal, the status light for this CAS host should be red, and the Remove button
should be enabled. This enables you to remove data from this CAS host from the Guardium system internal database.
Starting CAS on a Unix Host
Use this procedure to restart the CAS agent only when it has been stopped by editing the /etc/inittab file as described previously.
1. Edit the file /etc/inittab.

2. Find the line:
#cas:2345:respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh /usr/local/guardium/guard_stap/cas/bin
3. Uncomment the line, in our example (step 2.), by removing the # in the first character position. Depending on the operating system the comment character may be
something else.
4. Save the file.
5. Enter the following command to restart the CAS agent: init -q
Starting and Stopping CAS on a Windows Host
On Windows CAS runs as a System Service.
1. In the Services panel, highlight the Configuration Auditing System Client item.
2. Select either Start or Stop from the Action menu.
Configuring your Guardium system

You can configure several aspects of your Guardium system to enable you to meet your business goals effectively and efficiently.

System Configuration
Most of the information on the System Configuration panel is set by using the CLI at installation time.
Inspection Engine Configuration
An inspection engine monitors the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol (Oracle or Sybase,
for example).
Portal Configuration
You can keep the GuardiumÂ® appliance Web server on its default port (8443) or reset the portal. We strongly recommend that you use the default port.
Managing the TLS version
You can disable TLS 1.0/1.1, and enable TLS 1.2 on all appliances, S-TAP agents, CAS and GIM clients.
Generate New Layout
Configure Authentication
By default, Guardium user logins are authenticated by Guardium, independent of any other application.
Global Profile
The Global Profile panel defines defaults that apply to all users.
Alerter Configuration
No e-mail messages, SNMP traps, or alert related Syslog messages will be sent until the Alerter is configured and activated.
Anomaly Detection
The Anomaly Detection process runs every polling interval to create and save, but not send, correlation alert notifications that are based on an alert's query.
Session Inference
Session Inference checks for open sessions that have not been active for a specified period of time, and marks them as closed.
Block S-TAP connection to Guardium (S-TAP Certification)
Use this function to control the specific S-TAP hosts whose clients are allowed access to the Guardium system.
IP to Hostname Aliasing
The IP-to-Hostname Aliasing function accesses the Domain Name System (DNS) server to define hostname aliases for client and server IP addresses.
System Backup
Use the System Backup function to define a backup operation that can be run on demand or on a scheduled basis. Use the Patch Backup function to create the
backup profile settings.
Configuring patch backup
Use this feature to store backup profile information.
Configure Permission to Socket connection
This topic applies to Custom Alerting Classes.
System Configuration
Most of the information on the System Configuration panel is set by using the CLI at installation time.
For instructions on how to configure the system, or to modify any other System Configuration settings, see Modify the System Configuration.
There must be a valid license to use various functions within the appliance. When a license is entered after the system starts, a restart of the GUI is needed.
About System Shared Secret

The GuardiumÂ® administrator defines the system shared secret in the System Configuration. The system shared secret is used for two general purposes:
To encrypt files that are exported from the appliance by archive/export activities
To establish secure communications between Central Managers and managed units
If you are using Central Management and/or aggregation, you must set the System Shared Secret for all related systems to the same value.
The system shared secret value is null at installation time. Depending on a companyâ€™s security practices, it may be necessary to change the system shared secret on a
periodic basis. Each appliance maintains a shared secret keys file, containing an historical record of all shared secrets defined on that appliance. The same system thus
will have no problem at a later date decrypting information that has been encrypted on that system.
When information is exported or archived from one system, and imported or restored on another, the latter must have access to the shared secret used by the former. For
these cases, there are CLI commands that can be used to export the system shared secrets from one Guardium system, and import them on another.
See the following commands in the CLI appendix:
aggregator backup keys file

aggregator restore keys file
Modifying the System Configuration

1. Click Setup > Tools and Views > System to open the System Configuration.
2. Make your changes.
3. Click Apply to save the updated system configuration.
Note: The applied changes do not take effect until the Guardium system is restarted. After you apply configuration changes, click Restart to stop and restart the system.
Table 1. System Configuration Panel Reference
Field or Control Description
Unique Global Identifier This value is used for collation and aggregation of data. The default value is a unique value that is derived from the MAC address
of the machine. Do not change this value after the system begins monitoring operations.

System Shared Secret Any value that you enter here is not displayed. Each character you type is masked.
The system shared secret is used for archive/restore operations, and for Central Management and aggregation operations. When
used, its value must be the same for all units that will communicate. This value is null at installation time, and can change over
time.
The system shared secret is used:
When secure connections are being established between a Central Manager and a managed unit.
When an aggregated unit signs and encrypts data for export to the aggregator.
When any unit signs and encrypts data for archiving.
When an aggregator imports data from an aggregated unit.
When any unit restores archived data.
Depending on your companyâ€™s security practices, you might be required to change the system shared secret from time to
time. Because the shared secret can change, each system maintains a shared secret keys file, containing a historical record of all
shared secrets defined on that system. This allows an exported (or archived) file from a system with an older shared secret to be
imported (or restored) by a system on which that same shared secret has been replaced with a newer one.
Caution: When used, be sure to save the shared secret value in a safe location. If you lose the value, you will not be able to
access archived data.
Retype Secret When you enter or change the system shared secret, retype the new value a second time. Any value that you enter here is not
displayed. Each character you type is displayed as an asterisk.
License Key The license key is inserted in the configuration during installation. Do not modify this field unless you are instructed to do so by
Technical Support. You might need to paste a new product key here if optional components are being added.
If you install a new product key on the central management unit, when you click Apply, you will receive a warning message that
reads: Warning: changing the license on a Central Management Unit requires refreshing all managed
units. After you click OK to close the message window, you must click Apply a second time to install the new product key. You
will know that the new license has been installed when you receive the message: Data successfully saved.
If you install a new product key on a Central Management Unit, you might get a warning that states the license applied to the CM
must be refreshed on the managed unit. This requires a refresh done from the Central Manager and is done by pressing the
refresh icon from the Central Manager to each of the collectors listed.
License entitles user to access products and the corresponding features.
License can be appended or overridden.
Active license is stored in LICENSE_KEY in ADMINCONSOLE_PARAMETER
Product types DAM; FAM; VA
Edition for product types: Express; Standard; Advanced
Number of Datasources If a limited license is applied, the maximum number of datasources permitted per datasource license is displayed.
Metered Scans Left If a limited license is applied, the number of vulnerability assessment scans permitted (datasource metering) per metering
license is displayed. Each time a vulnerability assessment is triggered, the scan counter decreases by one.
License valid until If a limited license is applied, a fixed date when the license will be disabled is displayed.
# of Licenses This value indicates the number of licenses remaining.
Note: Configure Network Address, These settings cannot configured through the GUI and appear grayed-out on the System Configuration user interface.
Secondary Management Interface
and Routing settings using the CLI
System Hostname The resolvable host name for the Guardium system. This name must match the DNS host name for the primary System IP
Address.
Domain The name of the DNS domain on which the Guardium system resides.
System IP Address The primary IP address that users and S-TAPÂ® or CAS agents use to connect to the Guardium system. It is assigned to the
network interface labeled ETH0.
SubNet Mask The subnet mask for the primary System IP Address.
Hardware (MAC) Address The MAC address for the primary network interface.

System IP Address (Secondary) Optional: A port can also be configured to team with the primary interface in order to provide high-availability failover IP teaming.
Alternatively, a port on the device can be configured as a secondary management interface with a different IP address, network
mask, and gateway from the primary.
These two options are mutually exclusive.
There are two different, and mutually exclusive, kinds of secondary management connections, both controlled by options to the
same CLI command:
Bonding or teaming
Turns eth0 and another specified network interface card (NIC) into a bonded pair with standby failover. To implement this
option, use the CLI command store network interface high-availability on <nic>, where nic is an available NIC.
Secondary interface
Allows the GUI and CLI to be accessible from another NIC in the Guardium system. To implement this option, use the CLI
command store network interface secondary on <nic> <ip> <mask> <gateway> to specify the secondary NIC, its IP
address and network mask, and optionally a gateway.
BOTH physical and VM systems have the same capabilities. dependent on the number of NICs installed on the Guardium system
or VM.
To display the network interfaces installed on the unit, use the show network interface inventory CLI command. For example:
show network interface inventory

Current network card configuration:
Device | Mac Address |Member of
-----------------------------------------
eth0 | 00:50:56:3b:c3:73 |
eth1 | 00:50:56:8a:0d:fa |
eth2 | 00:50:56:8a:0d:fb |
eth3 | 00:50:56:8a:00:c1 |
Note: The "Member of" will show which NICs are in a bond pair, if a bonding exists.
To locate the eth connectors on your appliance, use the show network interface port CLI command, which will blink the orange
light on that port, 20 times. For example:
guard14.xyz.com> sho net int port 3
The orange light on port eth5 will now blink 20 times.
Note: The secondary IP address and its associated port are NOT related to the high availability feature, which provides fail-over
support via IP Teaming for the primary connection. For more information about the high-availability option, see the store
network interface commands in the CLI Appendix. Â
SubNet Mask (Secondary) Optional. The subnet mask for the secondary System IP Address.
Default Route/ Secondary Route The IP address of the default router for the system./ The IP address of the Secondary Router
Primary Resolver Secondary Resolver The IP address for the Primary Resolver (DNS) is required. The secondary and tertiary are optional.
Tertiary Resolver
Test Connection Click Test Connection to test the connection to the corresponding DNS (Domain Name System) server. This only tests that there is
access to port 53 (DNS) on the specified host. It does not verify that this is a working DNS server. You will receive a message box
indicating if the DNS server responded.
Stop Click Stop to shut down the system.
Restart Click Restart to stop and then restart the system. You will be prompted to confirm the action.
Apply Click Apply to save the changes. The changes will be applied the next time the system restarts.
Parent topic: Configuring your Guardium system
Inspection Engine Configuration

An inspection engine monitors the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol (Oracle or Sybase, for
example).
The inspection engine extracts SQL from network packets; compiles parse trees that identify sentences, requests, commands, objects, and fields; and logs detailed
information about that traffic to an internal database.
You can configure and start or stop multiple inspection engines on the GuardiumÂ® appliance.
Inspection engines cannot be defined or run on a Central Manager unit. However, you can start and stop inspection engines on managed units from the Central Manager
control panel.
Inspection engines are also defined on S-TAPs. If S-TAPs report to this Guardium appliance, be sure the appliance does not monitor the same traffic as the S-TAPÂ®. If
that happens, the analysis engine will receive duplicate packets, will be unable to reconstruct messages, and will ignore that traffic.
Selecting IP addresses
Each inspection engine monitors traffic between one or more client and server IP addresses. In an inspection engine definition these are defined using an IP address and
a mask. You can think of an IP address as a single location and a mask as a wild-card mechanism that allows you to define a range of IP addresses.
IP addresses have the format: n.n.n.n, where each n is an eight-bit number (called an octet) in the range 0-255.

For example, an IP address for your PC might be: 192.168.1.3. This address is used in the examples. Since these are binary numbers, the last octet (3) can be represented
as: 00000011.
The mask is specified in the same format as the IP address: n.n.n.n. A zero in any bit position of the mask serves as a wildcard. Thus, the mask 255.255.255.240
combined with the IP address 192.168.1.3 matches all values from 0-15 in the last octet, since the value 240 in binary is 11110000. But it only matches the values
192.168.1 in the first three octets, since 255 is all 1s in binary (in other words, no wildcards apply for the first three octets).
Specifying binary masks can be a little confusing. However, for the sake of convenience, IP addresses are usually grouped in a hierarchical fashion, with all of the
addresses in one category (desktop computers, for example) grouped together in one of the last two octets. Therefore, in practice, the numbers you see most often in
masks are either 255 (no wildcard) or 0 (all).
Thus a mask 255.255.255.255 (which has no zero bits) identifies only the single address specified by IP address (192.168.1.3 in the example).
Alternatively, the mask 255.255.255.0, combined with the same IP address matches all IP addresses beginning with 192.168.1.
Selecting all addresses

The IP address 0.0.0.0, which is sometimes used to indicate all IP addresses, is not allowed by Guardium. To select all IP addresses when using an IP address/mask
combination, use any non-zero IP address followed by a mask containing all zeroes (for example: 1.1.1.1/0.0.0.0). However, 0.0.0.0/0.0.0.0 is a valid combination.
Configure Settings that apply to all Inspection Engines

1. Click Manage > Activity Monitoring > Inspection Engines to open the Inspection Engine Configuration.
2. Refer to the table and make any changes desired.
3. Click Apply to save the updated system configuration when you are done making changes.
4. Optionally add comments to the Inspection Engine Configuration.
5. Click Restart Inspection Engines.
Note: The applied changes do not take effect until the inspection engines are restarted. After applying inspection engine configuration changes, click the Restart button to
stop and restart the system (using the new configuration settings).
Note: For HTTP support, there are Inspection Engine configuration limitations. The following Inspection Engine settings are not supported for HTTP: Default Capture
Value; Default Mark Auto Commit; Log Sequencing; Log Exception Sql String; Log Records Affected; Compute Avg. Response Time; Inspect Returned Data; Record Empty
Sessions.
Table 1. Settings that Apply to All Inspection Engines
Control Description
Default Capture Value Default value is false. Used by Replay function to distinguish between transactions and capture values, meaning that if you have a
prepared statement, assigned values will be captured and replayed. If you want to replay your captured Â prepared statements as
prepared statements the check box should be checked for the captured data.
Default Mark Auto Commit Default value is true. Due to various auto-commit models for different databases, this value is used by Replay function to explicitly
mark up the transactions and auto commit after each command.
Note: If the check box is checked then commits and rollbacks will be ignored. Databases currently supported include DB2Â®,
InformixÂ®, and Oracle.
Log Sequencing If marked, a record is made of the immediately previous SQL statement, as well as the current SQL statement, provided that the
previous construct occurs within a short enough time period.
Log Exception Sql String If marked, when exceptions are logged, the entire SQL statement is logged.
Log Records Affected Records affected - Result set of the number of records which are affected by each execution of SQL statements.
If marked, the number of records affected is recorded for each SQL statement (when applicable). Default value for log records
affected is FALSE (0).
Note: When using JDBC, this must be marked to properly log Oracle bind variable traffic
Note: The records affected option is a sniffer operation which requires sniffer to process additional response packets and postpone
logging of impacted data which increases the buffer size and might potentially have a adverse effect on overall sniffer performance.
Significant impact comes from really large responses. To prevent large amount of overhead associated with this operation, Guardium
uses a set of default thresholds that allows sniffer to decide to skip processing operation when exceeded.
Note: Usually, Records Affected is set correctly when the user turns on Log Records Affected via Inspection Engines > Log Records
Affected. However using MS-SQL via stored procedure will set Records Affected as -1.
Refer to Configuration and Control CLI Commands store max_results_set_size, store max_result_set_packet_size and store
max_tds_response_packets, to set levels of granularity.
Example of result set values:
Case 1, record affected value, positive number - this represents correct size of the result set.
Case 2, record affected value, -2 - This means number of records exceeded configurable limit (This can be tuned through CLI
commands).
Case 3, record affected value, -1 - This shows any unsupported cases of packets configurations by Guardium.
Case 4, record affected value, -2 - If the result set is sent by streaming mode.
Case 5, record affected value, -2 - Intermediate result during record count to update user about current value, ends up with
positive number of total records.
Note: Records Affected feature is not supported in DB2 when streaming to used to send the results.
Compute Avg Response Time When marked, for each SQL construct logged, the average response time will be computed.
Inspect Returned Data Mark to inspect data returned by SQL requests Â as well as update the ingress and egress counts.
If rules will be used in the security policy, this checkbox must be marked.
Record Empty Sessions When marked, sessions containing no SQL statements will be logged. When cleared, these sessions will be ignored.

Control Description
Parse XML The Inspection Engine will not normally parse XML traffic. Mark this checkbox to parse XML traffic.
Logging Granularity The number of minutes (1, 2, 5, 10, 15, 30, or 60) in a logging unit. If requested in a report, Guardium summarizes request data at
this granularity. For example, if the logging granularity is 60, a certain request occurred n times in a given hour. If the check box is
not marked, exactly when the command occurred within the hour is not recorded. But, if a rule in a policy is triggered by a request, a
real time alert can indicate the exact time. When you define exception rules for a policy, those rules can also apply to the logging
unit. For example, you might want to ignore 5 login failures per hour, but send an alert on the sixth login failure.
Max. Hits per Returned Data When returned data is being inspected, indicate how many hits (policy rule violations) are to be recorded.
Ignored Ports List A list of ports to be ignored. Add values to this list if you know your database servers are processing non-database protocols, and
you want Guardium to not waste cycles analyzing non-database traffic. For example, if you know the host on which your database
resides also runs an HTTP server on port 80, you can add 80 to the ignored ports list, ensuring that Guardium will not process these
streams. Separate multiple values with commas, and use a hyphen to specify an inclusive range of ports. For example:
101,105,110-223
Buffer Free: n % Display only. n is the percent of free buffer space available for the inspection engine process. This value is updated each time the
window is refreshed. There is a single inspection engine process that drives all inspection engines. This is the buffer used by that
process.
Restart Inspection Engines Click Restart Inspection Engines to stop and restart all inspection engines.
Add Comments Click Comment to add comments to the Inspection Engine Configuration.
Apply Click the Apply to save the configuration.
Note: Any global changes made (and saved by using Apply) do not take effect until you restart the inspection engines. However,
individual inspection engine attributes, such as exclude, sequence order, etc., take effect immediately.
Create an Inspection Engine

1. Click Manage > Activity Monitoring > Inspection Engines to open Inspection Engines.
2. Click Add Inspection Engine to expand the panel.
3. Enter a name in the Name box. It must be unique on the appliance. We recommend that you use only letters and numbers in the name, as the use of any special
characters prevents working with this inspection engine via the CLI.
4. From the Protocol box, select either the protocol to be monitored (Aster, Cassandra, CouchDB, DB2, DB2 Exit, exclude IE, FTP, GreenPlumDB, Hadoop, HIVE, HTTP,
HUE, IBM ISERIES, IMPALA, Informix, iNFORMIX Exit, KERBEROS, Maria,DB, MongoDB, MS SQL, Mysql, Named Pipes, Netezza, Oracle, PostgreSQL, SAP Hana,
Sybase, Teradata, WebHDFS or Windows File Share) or the keyword exclude IE. Select exclude IE if you want all traffic between the specified clients and servers to
be ignored.
Note: Exclude IE only works on ports, IP does not matter. Enter a range of ports to ignore. To exclude a specific IP for this port, the exclude DB Client IP can be used
within the inspection engine created. If there is a need not to pick up packets on a certain port range, define a separate inspection engine of the type Exclude IE
(IGNORE). The only values that have to be defined in that engine are PORT_RANGE_START and PORT_RANGE_END. This kind of exclusion might be needed, for
instance, when an all-inclusive Oracle Inspection Engine is defined with ports range 1024-65535, but certain ports have to be excluded. When using Oracle for
Windows, expand the port range to 1000 to 65535.
Note: When sending IPC traffic from the GreenPlum database, it will be logged on the Guardium system as PostgresSQL traffic. When sending TCP traffic from the
GreenPlum database, it will be logged on as GreenPlum database with the inspection engine. For TCP traffic, Guardium determines the database according to the
Port (port 5432 for GreenPlum). For IPC traffic, Guardium is using named pipe, and for GreenPlum database, the Guardium system is using PostgresSQL as the
name of the database. When both PostgresSQL and Greenplum database are on the same system, their IPC traffic will log in DB_PROTOCOL according to the first
PostgresSQL/Greenplum database IE set in the guard_tap.ini file.
5. In the DB Client IP/Mask boxes, enter a list of clients (a client host from which the database connection was initiated) to be monitored (or excluded if the Exclude
DB Client IP box is marked). The clients are identified by IP addresses and subnet masks. There are detailed instructions on how to use these fields in the overview.
Click the plus sign to add additional IP address and subnet mask. Click the minus sign to remove the last IP address and subnet mask.
6. In the DB Server IP/Mask boxes, enter a list of database servers (where a database sits) to be monitored. The servers are identified by IP addresses and subnet
masks. There are detailed instructions on how to use these fields in the overview.
Click the plus sign to add additional IP address and subnet mask. Click the minus sign to remove the last IP address and subnet mask.
7. In the Port box, enter a single port or a range of ports over which traffic between the specified clients and database servers will be monitored. Most often, this
should be a single port.
Warning: Do not enter a wide range of ports, just to be certain that you have included the correct one! You may cause the inspection engine to bog down attempting
to analyze traffic on ports that carry no database traffic or traffic that is of no interest for your environment.
8. Mark the Active on startup box if this inspection engine should be started automatically on start-up.
9. Mark the Exclude DB Client IP box if you want the inspection engine to monitor traffic from all clients except for those listed in the DB Client IP/Mask list. Be sure
that you understand the difference between this and the Ignore protocol selection. This includes all traffic except for the from IP addresses. To ignore a specific set
of clients without including all other clients, define a separate inspection engine for those clients and use the Ignore protocol.
10. Click Add to save the definition.
11. Optionally reposition the inspection engine in the list of inspection engines. Filtering mechanisms defined in the inspection engines are executed in the order. If
necessary, reposition the new inspection engine configuration, or any existing configurations, using the Up and/or Down buttons in the border of the definition.
12. Optionally click Start to start the inspection engine just configured. The Start button will be replaced by a Stop button, once the engine has been started.
13. Note: If you provide a value for TAP_IDENTIFIER and the value contains spaces, Guardium will automatically replace the spaces with hyphens. For example, the
value "Sample description" will become "Sample-description".
Start or Stop an Inspection Engine

Click Manage > Activity Monitoring > Inspection Engines to open the Inspection Engines. To start an inspection engine, click Start. To stop an inspection engine, click Stop.
Remove an Inspection Engine

If you are no longer using an inspection engine, we suggest that you remove the definition, so that it is not restarted accidentally.
1. Click Manage > Activity Monitoring > Inspection Engines to open the Inspection Engines.
2. If the inspection engine to be removed has not been stopped, click Stop.
3. To remove an inspection engine, click Delete.
Portal Configuration
You can keep the GuardiumÂ® appliance Web server on its default port (8443) or reset the portal. We strongly recommend that you use the default port.
1. Click Setup > Tools and Views > Portal to open the Portal.
2. If it is not marked, mark the Active on Startup checkbox (this should never be disabled).
3. Set the HTTPS Port to an integer value between 1025 and 65535.
4. Click Apply to save the value. (The Guardium security portal will not start listening on this port until it is restarted.) Or click Revert to restore the value stored by the
last Apply operation.
5. Click Restart to restart the Guardium Web server if you have made and saved any changes. You can now connect to the unit on the newly assigned port.
Note: To re-connect to the unit after it has restarted with the new port number, you must change the URL used to open the Guardium Login Page on your browser.
The Guardium Portal Configuration is used to define the way user passwords are authenticated when logging into the Guardium appliance. There are three choices.
These choices are Local (Guardium Default), RADIUS or LDAP.
The Portal configuration screen under Setup > Tools and Views > Portal is used for the following:
1. To define the best way to authenticate a user password.

2. To restart GUI to reset the authentication type.
The Local connection will work when a password for a given user is defined from a login. The login is defined using the accessmgr role. By default login into the accessmgr
account which has the accessmgr role. This role gives a user the ability to add or uploaded user accounts and create passwords.
When you define your username and password using the accessmgr role type, the defined password per user will be used when logging into the Guardium appliance.
The RADIUS connection allows login authentication through a radius server. The Radius/RSA server can be defined using both a password and a SecurID token number.
The SecurID token numeric password is displayed via a hardware token.
The Radius/RSA server is defined on a Windows server. The security RSA SecurID token is also defined and stored on the Radius server and does not have to be
downloaded in order for the Radius portal to work.
In addition, a Radius server connection can be defined using a UNIX platform. Radius is also defined as FreeRadius. User account and passwords are defined on the
Radius servers and do not have to be downloaded. In order to use FreeRadius, the client (Guardium server), username and passwords are defined on the FreeRadius UNIX
servers and used when the Radius Portal connection is defined.
The default portal is set to Local.
The LDAP connection will work when the password is defined and stored on a given LDAP server. In order for a user to use the LDAP portal and to login, a user account
name must be imported from the LDAP server first. Use the User LDAP Import function available from the accessmgr account to define the LDAP location and then import
the LDAP users. The password does not have to be uploaded.
Managing the TLS version

You can disable TLS 1.0/1.1, and enable TLS 1.2 on all appliances, S-TAP agents, CAS and GIM clients.
About this task

This feature was introduced in v10.1.4.
To increase the security of the Guardium system, from Guardium release v10.1.4, communications protocols TLS 1.0/1.1 can be optionally disabled. Disabling TLS 1.0/1.1
results in only the TLS 1.2 protocol being enabled. Communications may be less secure when using TLS 1.0/1.1.
You must disable TLS 1.0/1.1 from the Central Manager and/or standalone unit using the CLI. Your Guardium appliances, S-TAP agents, CAS and GIM clients must be at
specific versions to enable this feature.
The disablement of TLS 1.1 automatically checks to make sure managed units and S-TAPs are at specific versions, but cannot check CAS client versions. Customers using
CAS need to make sure their CAS clients are at version 10.1.4 and their database servers have Java 7 enabled. Lack of doing this will result in the inability to see CAS
connections to database servers.
You must also make sure all managed units have version 10.1.4 installed, and GIM Clients and S-TAPs are at a minimum version of 10.1.2. Failure to meet all requirements
will mean that TLS 1.0/1.1 will not be disabled.
To get information about, and to disable TLS1.0/1.1 on all units in a managed environment, (Central Manager, Aggregator, Managed units), the following commands should
be run on the Central Manager.
Procedure
1. Access the CLI as admin.
2. Enter the following command.
grdapi get_secured_protocols_info

Running this command from a Central Manager to propagate down to all managed units. The system outputs the enabled protocols (TLS 1.0/1.1 and TLS 1.2) and
indicates if the TLS 1.0/1.1 protocols can be disabled. Error codes 1000+ indicate an issue with a component that needs to be addressed by the admin before TLS 1.0/1.1
can be disabled. Messages are displayed indicating which component(s) do not meet the requirements for disabling TLS 1.0/1.1. Warning messages are generated for
managed units that are offline or unreachable. Offline units must be managed individually when they come back online.
3. To disable TLS 1.0/1.1, enter:
grdapi disable_deprecated_protocols
Running this command from a Central Manager to propagate down to all managed units. This command firsts run the version checks described above. If the requirements
for disablement are met, then this command changes the configuration settings for each service on the Central Manager as well as all managed units. If the requirements
for disablement are not met, then the system indicates that the deprecated protocols are enabled and must be kept enabled until all managed units and/or components
are upgraded.
4. For any managed unit that was offline during the disablement of depreciated protocols, Guardium users with admin role must manually start a CLI session on the
managed unit and execute local_disable_depreciated_protocols to make the configuration changes.
grdapi local_disable_deprecated_protocols
5. To revert to TLS 1.0/1.1, enter
grdapi enable_deprecated_protocols all=true
This GuardAPI command is a fallback that changes back the configuration settings and restart services on the Central Manager and all managed units to enable the
deprecated protocols. This GuardAPI command can be run with the all=true argument from a Central Manager to enable deprecated protocols on the Central
Manager and all managed units. Absence of the parameter all=true enable deprecated protocols on the appliance running the GuardAPI only.
6. Guardium users with admin role should check that communications between Central Managers and managed units are stable and working properly.
Generate New Layout

Generate a new layout for a role based on a user layout
The GuardiumÂ® administrator or access manager can generate, via CLI, a default layout for a role. After that, any new user who is assigned that role will have that layout
after logging in for the first time.
Note: Default .psml structures for user and role can be defined, via the GUI, by the admin user. See Portlet Editor for further information.
Use the generate-role-layout CLI command to generate a new layout for an existing role, based on the layout for the specified user. Once the new role layout has been
defined, any users who are assigned that role before they log in for the first time, will receive the layout for that role.
generate-role-layout
Syntax generate-role-layout <user> <role>
Note: user (login name) and role are not case-sensitive.
Parameters
If either of the following parameters contains spaces (John Doe is user , or DBA Managers is role), replace the space characters with underscore characters.
For example:
generate-role-layout John_Doe DBA_Managers
user - The name of the user whose layout will be used as a model for the role layout. If the user does not exist, you will receive the following error message: No such
user '<user>'.
role - The role to which the new layout will be attached.
Configure Authentication
By default, GuardiumÂ® user logins are authenticated by Guardium, independent of any other application.
For the Guardium admin user account, login is always authenticated by Guardium alone. For all other Guardium user accounts, authentication can be configured to use
either RADIUS or LDAP. In the latter cases, additional configuration information for connecting with the authentication server is required.
Note: FreeRadius client software is supported.
When an alternative authentication method is used, all Guardium users must still be defined as users on the Guardium appliance. It is only the authentication that is
performed by another application.
While user accounts and roles are managed by the accessmgr user, the authentication method used is managed by the admin user. This is a standard separation-of-duties
best practice.
To configure authentication, see the proceeding topic.
Configure Guardium Authentication

1. Click Setup > Tools and Views > Portal to open the Authentication Configuration.
2. Select the Guardium radio button in the Authentication Configuration panel.
3. Click Apply.

Configure RADIUS Authentication
2. Select the RADIUS radio button in the Authentication Configuration panel. Additional fields will appear in the panel.
3. In the Primary Server box, enter host name or IP address of the primary RADIUS server.
4. Optionally enter the host name or IP address of the secondary and tertiary RADIUS servers.
5. Enter the UDP Port used (1812 or 1645) by RADIUS.
6. Enter the RADIUS server Shared Secret, twice.
7. Enter the Timeout Seconds (the default is 120).
8. Select the Authentication Type:
PAP - password authentication protocol
CHAP - Challenge-handshake authentication protocol
MS-CHAPv2 - Microsoft version 2 of the challenge-handshake authentication protocol
9. Optionally click Test to verify the configuration. You will be informed of the results of the test. The configuration will also be tested whenever you click the Apply
button to save changes.
10. Click Apply. Guardium will attempt to authenticate a test user, and inform you of the results.
Configure LDAP Authentication

2. Select the LDAP radio button in Authentication Configuration.
3. In the Server box, enter the host name or IP address of the LDAP server.
4. Enter the Port number (the default is 636 for LDAP over SSL).
5. Enter the User RDN Type (relative distinguished name type) type, which is uid by default.
Note:
This attribute identifies a user for LDAP authentication. The Access Manager should be made aware of what attribute is used here, since the Access Manager
performs the LDAP User Import operation. Click on this help link LDAP User Import for further information on Importing LDAP Users.
If a user is using SamAccountName as the RDN value, the user must use either a =search or =[domain name] in the full name.
Examples: SamAccountName=search, SamAccountName=dom
6. Enter the User Base DN (distinguished name).

7. Mark or clear the Use SSL checkbox, as appropriate for your LDAP Server.
8. Optional. To inspect one or more trusted certificates, click Trusted Certificates and follow the instructions in that panel.
9. Optional. To add a trusted certificate, click Add Trusted Certificates and follow the instructions in that panel.
10. Optional. Click Test to verify the configuration. You will be informed of the results of the test. The configuration will also be tested whenever you click Apply to save
changes.
11. Click Apply. Guardium will attempt to authenticate a test user, and inform you of the results.
Global Profile
The Global Profile panel defines defaults that apply to all users.
Override the Default Aliases Setting

By default, for any new report, or for any report that is contained in a default layout, aliases are not used.
An alias provides a synonym that substitutes for a stored value of a specific attribute type. It is commonly used to display a meaningful or user-friendly name for a data
value. For example, Financial Server might be defined as an alias for IP address 192.168.2.18.
If you want to see aliases by default, you can change the default aliases setting for all reports, as follows:
Click Setup > Tools and Views > Global Profile to open the Global Profile.
Mark the Use Aliases in Reports unless otherwise specified check box.
Click Apply.
Customize the PDF Page Footer

PDF files created by various GuardiumÂ® components (audit tasks, for example) have a standard page footer. To customize that footer:
1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
2. In the PDF Footer Text field, enter the text to be printed at the foot of each page.
Note: PDF footer text is not distributed from the Central Manager/ Aggregator to the Managed Units.
3. Click Apply.
Edit the Alert Message Template

To customize the message template used to generate alerts:
2. In the Message Template text box, edit the alert template text.
You can mark the no wrap check box to see where the line breaks appear in the message.
3. Click Apply when you are done.

4. Changes will not take effect until the inspection engines are restarted. To do that now, click Manage > Activity Monitoring > Inspection Engines to open the
Inspection Engines. Click Restart Inspection Engines.

Table 1. Alert Message Template Variables
Variable Description
%%addBaselineConstruct To add to baseline
%%AppUserName Application user name
%%AuthorizationCode Authorization code
%%category Category from the rule definition
%%classification Classification from the rule definition
%%clientHostname Client host name
%%clientIP Client IP address
%%clientPort Client port number
%%DBName Database name
%%DBProtocol Database protocol
%%DBProtocolVersion Database protocol version
%%DBUser Database user name
%%lastError Last error description; available only when a SQL error request triggering an exception rule contains a last error description field
%%netProtocol Network protocol, for K-TAP on Oracle, this may display as either IPC or BEQ
%%OSUser Session information. (OS_USER in GDM_ACCESS)
%%receiptTime Timestamp representing the time when the alert occurred
%%receiptTimeMills Numeric representing the time when the alert occurred, in milliseconds since the fixed date of Jan 1 1900
%%requestType Request type
%%ruleDescription The rule description from the policy rule definition
%%ruleID The rule number from the rule definition
%%serverHostname Server hostname
%%serverIP Server IP address
%%serverPort Server port number
%%serverType The database server type
%%serviceName Service name
%%sessionStart Session start time (login time)
%%sessionStartMills Numeric representing the start of the session where the alert occurred, in milliseconds since the fixed date of Jan 1 1900
%%severity Severity from the rule definition
%%SourceProgram Source program name
%%SQLNoValue SQL string with masked values. The value of SQL will be replaced by ? in the syslog.
%%SQLString SQL string (if any)
%%SQLTimestamp The time on the packet/request (TIMESTAMP in GDM_CONSTRUCT_TEXT)
%%Subject[ ] If this variable is used in the message template, all that appears between [ ] (for example, file name, email sender, description)
will be the subject line of the email sent to user.
%%violationID Numeric representing the POLICY_VIOLATION_LOG_ID of this alert in GDM_POLICY_VIOLATION_LOG (this is the same as the
Violation Log ID in the Policy Violations / Incident Management report)
Named Template
Message templates are used to generate alerts.
The feature defines multiple message templates and facilitates the use of different templates on different rules. In the past, only a single message template was available
for all rules, all receiver types, etc.
To add, modify and delete named message templates, click Edit. When creating a new named template, the starting value of the string is a copy of whatever is currently in
the Message template of the Global Profile. "R/T Alert" is the only level of severity permitted.
Predefined message templates have been created for the SIEM solutions, ArcSight, EnVision, and QRadar. The Guardium system comes preloaded with two certified
(agreed upon) templates to integrate with these two SIEM solutions.
The Named Template builder can select from two template types - Real-time Alerts and Audit Process Report.
Use the Audit Process Report to audit process tasks.
Click Edit Named Templates. Choose an SIEM and then click Modify. Select Real-time Alerts or Audit Process Report.
After editing, the multiple message templates can be selected from within the Policy Builder menu. See Policies.
Adding the QRadar template allows sending real-time alerts or Audit Process Report to QRadar using the LEEF Format (this is QRadar's format).

Follow the steps to send real-time alerts or Audit Process Results to the QRadar SIEM.
Real-time alert, Guardium to QRadar
1. Create an real-time alert.

2. Write to syslog
3. Select Template type (Read-time Alert)
4. Forward to Q1 Labs QRadar SIEM (via LEEF mapping/ predefined message template) - choose QRadar Named Template from Global Profile
5. From the CLI, run the CLI command "store remotelog" to forward the syslog messages to QRadar.
Audit Process Report, Guardium to QRadar
Click Harden > Vulnerability Assessment > Audit Process Builder to open the Audit Process Builder.
1. Create an Audit Process report (Audit Process Builder)

2. Write to syslog
3. Select Template type (Audit Process Report)
4. Forward to Q1 Labs QRadar SIEM (via LEEF mapping/ predefined message template) â€“ choose QRadar Named Template from Global Profile
5. From the CLI, run the CLI command "store remotelog" to forward the syslog messages to QRadar.
For example, here is the default LEEF template for the Databases Discovered report:
LEEF:0|IBM|Guardium|9.0|Databases Discovered|Time Probed=${1}|Server IP=${2}|Server Host Name=${3}|DB

Type=${4}|Port=${5}|Port Type=${6}
Here are the report columns that are mapped to the template:
Time Probed Server IP Server Host Name DB Type Port Port Type
1. Check Export to CSV file and Write to Syslog.

2. Select the Named Template, LEEF Discovered Databases
3. Configure Remote Syslog by using the store remotelog command. For example:
store remotelog add user.info 9.70.145.68 udp
This will now push all records from the audit process to the supplied IP address.
Sender Encoding
To encode outgoing messages (email and SNMP traps) in an encoding scheme other than UTF8, use the CLI command, store sender_encoding.
Filter templates of one type

There is a filter mechanism to select all Real Time Alerts or Audit Process Report. Check or clear each selection.
Envision 2 message template

GUARDIUM_ALERT:
rule-id=%%ruleID^^category=%%category^^classification=%%classification^^severity=%%severity^^session-start-time=%%sessionStart^^client-
hostname=%%clientHostname^^client-ip=%%clientIP^^server-type=%%serverType^^server-ip=%%serverIP^^src-program=%%SourceProgram^ôs-
user=%%OSUser^^db-user=%%DBUser^âpp-user=%%AppUserName^^service-name=%%serviceName^^req-type=%%requestType^^rule-
desc=%%ruleDescription^^sql=%%SQLNoValue
Threshold Default Template
As in real-time alerts, you can choose a template for the message that is sent when the threshold is reached. The template uses a predefined list of variables that
are replaced with the appropriate value for the specific alert.
Those variables are:
%%alertName - alert name
%%description - alert description
%%alertQueryValue - query value that caused the alert
%%alertThreshold - alert threshold
%%alertQueryFromDate - start of the query period
%%alertQueryToDate - end of the query period
%%alertBaseQueryValue - base query value of the alert
%%classification - alert classification
%%category - alert category
%%severity - alert severity
%%recommendation - recommended action for the alert
%%Subject[] - subject of the message
The default template for threshold alerts is as follows (can be cloned and edited):
%%Subject[Guardium Alert. Severity: (%%severity), Alert Name: %%alertName]
Alert Name: %%alertName. Alert Description: %%description.
Current value: %%alertQueryValue

Base query value: %%alertBaseQueryValue
Threshold: %%alertThreshold
Query period: %%alertQueryFromDate - %%alertQueryToDate
Alert Classification: %%classification
Category: %%category
Severity: %%severity
Recommended Action: %%recommendation
Customize real-time alerts and email

Control appearance of Prefix email subject with Guardium appliance name.
Control appearance of email subject in email body.
Add naming template parameter %%applianceHostName so Guardium users can add appliance hostname to Name Templates (any position subject or body).
To accomplish this, use two fields in ADMINCONSOLE_PARAMETERS table:
APPEND_APPLIANCENAME_SUBJECT
APPEND_SUBJECT_IN_BODY
Use the following CLI commands to control the content of these fields:
show alerter email append_name_subject
store alerter email append_name_subject
show or store the flag to append the appliance name in email subject
show alerter email append_subject_body
store alerter email append_subject_body show or store the flag to append email subject in the beginning of the email body
Each time the value in CLI changes, it takes effect immediately on the outgoing emails.
CSV Separator
To define a separator to be used in the audit process:
2. Choose Comma, Semicolon, Tab, or define your own in Other box to define the CSV Separator that is used.
3. Click Apply.
Add other HTML content to the Guardium Window

To add other HTML content to the Guardium window:
2. In the HTML - Left and HTML - Right text boxes, enter the HTML for the text or any other items you want to include on the window.
3. Optionally click the preview button to verify that your HTML is displayed as you expect.
4. Click Apply.
Add or Disable a Login Message

To add a message to display in a message box, each time a user logs in:
2. In the Login Message text box, enter the text that you want to display when each user logs in.
3. Mark the show login message box to enable the display of the login message (or clear the box to disable the display).
4. Click Apply.
Enable or Disable Concurrent Same-user Logins

By default, the same Guardium user can log in to an appliance from multiple IP addresses. You can disable concurrent logins from the same user. When disabled, each
Guardium user will be allowed to log in from only one IP address at a time. If a user closes their browser without logging out, the connection will time out due to inactivity,
so the user account will not be blocked for long.
To change this setting:
2. Locate the field Concurrent login from different IP.
3. Click Enable or Disable, depending on the current status, to change the setting.
Note: When the feature is disabled, an Unlock button appears next to the Enable button. You can click Unlock to allow a second user to log in with this user account,
from a different IP address. This is provided for support purposes.
Enable Data Level Security at the Observed Data Level

This feature assumes that specific Guardium users are responsible for certain specific databases. Therefore a mechanism exists that will filter results, system-wide, Â in a
way that each user will only be able to see the information from Â those databases that the user is responsible for.
Restriction: Data Level Security and the Investigation Dashboard cannot be enabled concurrently.
To change this setting:
2. Click the Enable or Disable button for the Data level security filtering option
Note: The datasec-exempt role is activated when data level security is enabled and the datasec-exempt role has been assigned to a user.
3. Additional choices include:

Show-all - Permits the logged-in viewer to see all the rows in the result regardless of who these rows belong to. When used with the Datasec-exempt role
permits an override of the data level security filtering.
Include indirect records - Permits the logged-in viewer to see the rows that belong to the logged-in user, but also all rows that belong to users under the
logged-in user in the user hierarchy.
Note: If data level security at the observed data level is enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy.
Default Filtering
Online viewer default setting and for audit process results distribution.
Show-all. The default setting is disabled.
Escalate result to all users

Escalate result to all users - A check mark in this check box escalates audit process results (and PDF versions) to all users, even if data level security at the observed data
level is enabled. The default setting is enabled. If the check box is disabled (no check mark in the check box), then audit process escalation is allowed only to users at a
higher level in the user hierarchy and to users with the datasec-exempt role. If the check box is disabled, and there is no user hierarchy, then no escalation is permitted.
Custom database table maximum size

Set the size of the custom database table (in MB). The Default value is 4000 MB.
At this point in the Global Profile menu is a button to see Current usage. Click on the Current Usage button to show values for INNODB, MYISAM and Total.
Note: The custom size limit is tested before importing data. The import can exceed the maximum size limit. After the limit is exceeded, the next import will be prevented.
SCP and FTP files via different ports

Change the ports that can be used to send files over SCP and FTP.
For Global Profile - Export and Patch Backup can be changed. The default port for ssh/scp/sftp is 22. The default port for FTP is 21.
Note: Seeing a zero 0 in the Guardium GUI as the port indicates that the default port is being used and that there is no need to change.
Add a logo to the Guardium Window

To add a company logo graphic to the Guardium window, or to add other HTML content to the Guardium window:
2. In Upload Logo Image, if you want to include a logo image in the portal window, enter an image file name or click Browse to select a file to upload to the Guardium
appliance, and then click Upload.
3. Refresh your browser window. The new logo appears.
Note: The name of the uploaded logo file cannot contain a single quotation mark, double quotation mark, less than sign, or greater than sign.
Encrypt Must Gather

Encrypt Must Gather was added to the Global Profile. Default value is cleared (Do not encrypt). If it is cleared, must gather output is just compressed and not encrypted.
When the check box is checked, all future must gather output will be encrypted. Encryption can be also set on by using the store encrypt_must_gather on CLI command
and set off by using store encrypt_must_gather off.
Check for Guardium updates

Adding a checkmark will display relevant ad-hoc Guardium patches, GPUs/CFPs/Bundles, Sniffer patches and security patches that are available for the customer to
download. Once the patch has been installed, it will disappear from the list.
Datasource connection timeout

Set the Datasource connection timeout in seconds. The default is 60 seconds.
The corresponding GrdAPI command to update this value is: grdapi update_datasource_connection_timeout timeoutInSecond=80
No e-mail messages, SNMP traps, or alert related Syslog messages will be sent until the Alerter is configured and activated.
Other components create and queue messages for the Alerter. The Alerter checks for and sends messages based on the polling interval that has been configured for it.
To configure, enable or disable individual correlation alerts, see Correlation Alerts. For correlation alerts and appliance alerts to be produced, Anomaly Detection must
also be started. For real-time alerts to be produced, a security policy must be installed.
Mail/SNMP/SYSLOG messages are sent out according to their priority.
Automatically activate the Alerter on startup

1. Click Setup > Tools and Views > Alerter to open the Alerter or click Protect > Database Intrusion Detection > Alerter to open the Alerter.
2. Mark the Active on Startup checkbox. Each time the appliance restarts, the Alerter will be activated automatically.
3. Click Apply.
4. If the Alerter is not running, and you want to start it, click Restart.

Set the frequency that the Alerter checks for and sends messages
2. Enter the Polling Interval, in seconds.
3. Click Apply.
Configure the Alerter to send SMTP (email) messages

Note: All remaining items in this topic are in the SMTP section of the Alerter panel.
2. Enter the IP address for the SMTP gateway, in the IP Address box.
3. Enter the SMTP port number (it is almost always 25) in the Port box.
4. Optional: Click the Test Connection hypertext link to verify the SMTP address and port. This only tests that there is access to specified host and port. It does not
verify that this is a working SMTP server. A dialog box is displayed, informing you of the success or failure of the operation.
Note: If this SMTP server uses authentication, you must supply a valid User Name and Password for that mail server in the following two fields. Otherwise, those
fields can be blank.
5. Enter a valid user name for your mail server in the User Name box if your SMTP server uses authentication.
6. Enter the password for the user in the Password box if your SMTP server uses authentication. Re-enter it in the Re-enter Password box.
7. In the Return E-mail Address box, enter the return address for e-mail sent by the system. This address is usually an administrative account that is checked often.
8. Select Auth in the Authentication Method if your SMTP server uses authentication. Otherwise, select None. When Auth is selected, you must specify the user name
and password to be used for authentication.
Note: The Alerter will not begin using a new configuration until it is restarted.
10. Click Restart to restart the Alerter with the new configuration.
Configure the Alerter to send SNMP traps

Note: All remaining items in this topic are in the SMTP section of the Alerter panel.
2. In the IP Address box, enter the IP address to which the SNMP trap will be sent.
3. Optional: Click the Test Connection hypertext link to verify the SNMP address and port (162). This only tests that there is access to specified host and port. It does
not verify that this is a working SNMP server. A dialog box is displayed, informing you of the success or failure of the operation.
4. In the â€ Trapâ€ Community box, enter the community name for the trap. Retype the community in the Retype Community box.
Note: The Alerter will not begin using a new configuration until it is restarted.
6. Click Restart to restart the Alerter with the new configuration.
Anomaly Detection
The Anomaly Detection process runs every polling interval to create and save, but not send, correlation alert notifications that are based on an alert's query.
This notification is run according to the schedule defined for each alert. See Alerter Configuration for more information about sending notifications.
The Anomaly Detection process uses the results of a correlation alert's query, which looks back over a specified period of time, and the correlation alert's threshold, to
determine whether a condition is satisfied (an excessive number of failed logins, for example). See Correlation Alerts for more information.
In a Central Manager environment, the Anomaly Detection panel for each Guardium system can be used to turn off correlation alerts that are not appropriate for that
particular Guardium system. Under Central Management, all correlation alerts are defined on the Central Manager, regardless of which Guardium system they were
created or updated. These correlation alerts are the same for all Guardium system, and when activated, are activated on all Guardium system by default.
Note: The Alerter component must be configured and started to send a saved alert message to SYSLOG, email, or an SNMP trap.
Note: Anomaly Detection does not play a role in the production of real-time alerts, which are produced by security policies.
Automatically activate Anomaly Detection on startup

1. Click Setup > Tools and Views > Anomaly Detection to open Anomaly Detection.
2. Mark the Active on Startup check box. Each time the Guardium system restarts, Anomaly Detection is activated automatically.
3. Click Apply.
Set the frequency that Anomaly Detection checks for appliance issues
2. Enter the Polling Interval in minutes.
3. Click Apply.
Enable or Disable Active Alerts

To disable an alert globally in a Central Manager environment, it is easier to clear the Active check box in the Modify Alert panel.
To enable or disable an alert on a single Guardium system in a Central Management environment, follow these steps:
1. Log in to the UI of the Guardium system on which you want to disable one or more alerts.
3. To disable an alert, select it from the Active Alerts box, and click Disable.
4. To enable an alert, select it from the Locally Disabled Alerts box, and click Enable.
Stop or Restart Anomaly Detection

2. Click Stop to stop Anomaly Detection, or click Restart to restart it.
Session Inference
Session Inference checks for open sessions that have not been active for a specified period of time, and marks them as closed.
To configure the Session Inference options:
1. Click Setup > Session Inference to open Session Inference.

2. Mark the Active On Startup box to start Session Inference on startup of the GuardiumÂ® system.
3. In the Polling Interval box, enter the frequency (in minutes) with which Session Inference checks for open sessions. The default is 120 (minutes).
4. In the Max Inactive Period box, enter the number of minutes of inactivity after which a session is marked closed. The default is 720 (minutes).
5. Click Applyto store the values in the configuration database. Session Inference will not begin using a new configuration until it is restarted.
6. Click Restart to restart Session Inference with the new configuration.
To stop Session Inference, open the Session Inference panel and click Stop.
Block S-TAP connection to Guardium (S-TAP Certification)

Use this function to control the specific S-TAP hosts whose clients are allowed access to the Guardium system.
About this task

When enabled, only the specified S-TAP clients are allowed to access the Guardium system.
You can also control this feature with the CLI command store stap approval or with the GuardAPI command, grdapi store_stap_approval.
If you use the CLI command store stap approval, the new configuration takes effect after you run the command restart inspection-core.
View approved STAPs in Manage > Reports > Change Monitoring > Approved Tap Clients or Reports > Real-Time Guardium Operational Reports > Approved Tap Clients.
Procedure
1. Access Manage > Activity Monitoring > S-TAP Certification.
2. Select S-TAP Approval Needed.
3. Specify the approved S-TAP client host IP addresses (not host name) in the Approved S-TAP Clients section, and click Add.
4. Repeat for each S-TAP client.
Results
Note: In a Central Managed environment, after you add the IP addresses to approved S-TAPs, there is a wait time for synchronization that might take up to an hour. After
synchronization is complete, the status of the approved S-TAPs appears green in Manage > Activity Monitoring > S-TAP Control
The IP-to-Hostname Aliasing function accesses the Domain Name System (DNS) server to define hostname aliases for client and server IP addresses.
There are two separate sets of IP addresses: one for clients, and one for servers. When IP-to-Hostname Aliasing is enabled, alias names will replace IP addresses within
GuardiumÂ® where appropriate.
1. Click Protect > Database Intrusion Detection > IP-to-Hostname Aliasing to open IP-to-Hostname Aliasing.
2. Mark the check box for Generate Hostname Aliases for Client and Server IPs (when available) to enable hostname aliasing.
A second check box can now be accessed. The name of this check box is Update existing Hostname Aliases if rediscovered.
3. Mark the check box to update a previously defined alias that does not match the current DNS hostname (usually indicating that the hostname for that IP address
has changed). You may not want to do this if you have assigned some aliases manually. For example, assume that the DNS hostname for a given IP address is
dbserver204.guardium.com, but that server is commonly known as the QA Sybase Server. If QA Sybase Server has been defined manually as an alias for that IP
address, and the check box for Update existing Hostname Aliases if rediscovered is marked, that alias will be overwritten by the DNS hostname.
4. Click Apply to save the IP-to-Hostname Aliasing configuration.
Click Run Once Now to generate the aliases immediately.
Click Define Schedule to define a schedule for running this task. See Scheduling for more information.
To view the aliases defined, see Aliases.
System Backup
Use the System Backup function to define a backup operation that can be run on demand or on a scheduled basis. Use the Patch Backup function to create the backup
profile settings.
System Backup

System backups are used to backup and store all the necessary data and configuration values to restore a server in case of hardware corruption.
All configuration information and data is written to a single encrypted file and sent to the specified destination, using the transfer method configured for backups on this
appliance.
To restore backed up system information, use the restore system CLI command. The CLI command, diag, can also be used, provided that diag is defined as a role for given
user.
System backup supports the following methods:
SCP - defined by default and accessible via CLI and the GUI
FTP - defined by default and accessible via CLI and the GUI
Centera - can be added to the GUI by logging into CLI and running the following command, store storage centera backup on
TSM - can be added by logging into CLI and running the following command, store storage tsm backup on
AMAZON S3 - is defined by default and accessible via CLI and GUI. It is accessible from CLI as long as it is defined in the GUI.
Softlayer - Softlayer cloud backup
Cleversafe - CleverSafe Functionality: Storing backups in a similar fashion to Amazon S3. Will draw a list of available buckets for you directly to the GUI. The first
listed name is the name of the bucket you saved to the DataBase. Note: You cannot make new buckets nor delete any buckets (from the Guardium UI/CLI).
Note: System restore must be done to the same patch level Â of the system backup. For example, if a customer backed up the appliance when it was on Version 7.0, Patch
7 and then wants to restore this backup into a newly-built appliance, then there is a need to first install Version 7.0, Patches 1 to 7 on the appliance and only then to
restore the file.
To back up system information:
1. Click Manage > Data Management > System Backup to open System Backup.
2. Select storage method radio button from the list. Depending on how the Guardium system has been configured, one or more of these buttons may not be available.
For a description of how to configure the archive and backup storage methods, see the description of the show storage-system and store storage-system
commands in Configuration and Control CLI Commands.
EMC CENTERA
TSM
SCP
FTP
AMAZON S3
Softlayer
Cleversafe
3. Perform the appropriate procedure depending on the storage method selected:
Configure SCP or FTP Archive or Backup
Configure EMC Centera Archive or Backup
Configure TSM Archive or Backup
Configure AMAZON S3 Archive or Backup
Configure Softlayer object storage cloud backup
Cleversafe - Enter> Valid Endpoint, Valid Bucket name, Valid Access Key, Valid Secret Key
4. Mark one or both of the Backup check boxes:
Mark the Configuration check box to back up all definitions.
Mark the Data check box to back up all data. (If you are archiving data on a regular basis, this is unnecessary.)
5. Use the Scheduling section to define a schedule for running this operation on a regular basis.
6. Click Save to verify and save the configuration changes. The system will attempt to verify the configuration by sending a test data file to that location.
If the operation fails, an error message will be displayed and the configuration will not be saved.
If the operation succeeds, the configuration will be saved.
7. Click Run Once Now to run the operation once.
Note: During a SCP/FTP/TSM/Centera/AMAZON S3/Softlayer file transfer, if the backup file transfer fails, the last file of each set of backup/archive files (system backup,
configuration backup, archive, CSV archive, etc.) will be saved in the diag/current folder. Then when the backup file destination is again online, a manual transfer of the
backup files can be made from the diag/current folder to the destination. The set of backup/archive files will only be saved in the diag/current folder if the file transfer is
unsuccessful. If during another backup file transfer there is a file transfer failure, the set of backup/archive files will again be saved in the diag/current folder. However, in
order to avoid saving too many files and running out of disk space, ONLY the latest file of each type will be saved. The earlier backup files will be overwritten.
Note: When performing a system backup and restore from one server, which has GIM defined, to another server, then the user must configure a GIM failover to the restore
server. This GIM configuration applies to a Backup Central Manager or a System backup and restore.
SCP and FTP files via different ports

Change the ports that can be used to send files over SCP and FTP.
For System Backup or Patch Backup - Set the protocol (SCP or FTP) and specify Host, Directory and Port. The default port for ssh/scp/sftp is 22. The default port for FTP is
21.
Prevent backup/archive scripts from filling up /var

The backup process will check for room in /var before running and fail. This process will also warn the user if there is insufficient space for backup.
The archive process will check the size of the static tables and make sure there is room in /var to create the archive.
An error is logged in the logfile and GUI if the backup is over 50%. For example:
ERROR: /var backup space is at 60% used. Insufficient disk space for backup.
Amazon S3 Archive and Backup in Guardium

Use this feature to archive and backup data, from Guardium, to Amazon S3.
Amazon S3 (Amazon Simple Storage Service) provides a simple web service interface that can be used to store and retrieve any amount of data, at any time, from
anywhere on the web. It gives any developer access to the same highly scalable, reliable, secure, inexpensive infrastructure that Amazon uses to run its own websites.

Prerequisites
1. An Amazon account.
2. Register for S3 service
3. Amazon S3 credentials are required in order to access Amazon S3. These credentials are:
Access Key ID - identifies user as the party responsible for service requests. It needs to be included it in each request. It is not confidential and does not
need to be encrypted. (20-character, alphanumeric sequence).
Secret Access Key - Secret Access Key is associated with Access Key ID calculating a digital signature included in the request. Secret Access Key is a secret,
and only the user and AWS should have it (40-character sequence). This key is just a long string of characters (and not a file) that is used to calculate the
digital signature that needs to be included in the request.
There are two archive operations available on the Administration Console, in the Data Management section of the menu:
Data Archive backs up the data that has been captured by the appliance, for a given time period.
Results Archive backs up audit tasks results (reports, assessment tests, entity audit trail, privacy sets and classification processes) as well as the view and sign-off
trails and the accommodated comments from work flow processes.
When Guardium data is archived, there is a separate file for each day of data.
Archive data file name format:
<time>-<hostname.domain>-w<run_datestamp>-d<data_date>.dbdump.enc
The archive function creates signed, encrypted files that cannot be tampered with. The names of the generated archive files should not be changed. The archive operation
depends on the file names created during the archiving process.
All configuration information and data is written to a single encrypted file and sent to the specified destination, using the transfer method configured for backups on this
appliance.
Backup system file format:
<data_date>-<time>-<hostname.domain>-SQLGUARD_CONFIG-9.0.tgz
<data_date>-<time>-<hostname.domain>-SQLGUARD_DATA-9.0.tgz
The Aggregation/Archive Log report can be used to verify that the operation completes successfully. There should be multiple activities listed for each Archive operation,
and the status of each activity should be Succeeded.
Regardless of the destination for the archived data, the Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored on the system
with minimal effort, at any point in the future.
A separate catalog is maintained on each appliance, and a new record is added to the catalog whenever the appliance archives data or results.
Catalog entries can be transferred between appliances by one of the following methods:
Aggregation - Catalog tables are aggregated, which means that the aggregator will have the merged catalog of all of its collectors
Export/Import Catalog - These functions can be used to transfer catalog entries between collectors, or to backup a catalog for later restoration, etc.
Data Restore - Each data restore operation contains the data of the archived day, including the catalog of that day. So, when restoring data, the catalog is also being
updated.
When catalog entries are imported from another system, those entries will point to files that have been encrypted by that system. Before restoring or importing any such
file, the system shared secret of the system that encrypted the file must be available on the importing system.
Enable Amazon S3 from the Guardium CLI
Amazon S3 archive and backup option is enabled by default in the Guardium GUI. To enable Amazon S3 via Guardium CLI, run the following CLI commands:
store storage-system amazon_s3 archive on

store storage-system amazon_s3 backup on
Amazon S3 requires that the clock time of Guardium system to be correct (within 15-minutes). Otherwise, this will result in an Amazon error. If there is too large a
difference between the request time and the current time, the request will not be accepted.
If the Guardium system time is not correct, set the correct time using the following CLI commands:
show system ntp server

store system ntp server (An example is ntp server: ntp.swg.usma.ibm.com)
store system ntp state on
User Interface
Use the System Backup screen (Manage > Data Management > System Backup) to configure the backup. After enabling Amazon S3 through the CLI commands, Amazon
S3 will appear in the list of protocols.
User input requires:
S3 Bucket Name (Every object stored in Amazon S3 is contained in a bucket. Buckets partition the namespace of objects stored in Amazon S3. Within a bucket, you
can use any names for your objects, but bucket names must be unique across all of Amazon S3.
Access Key ID
Secret Access Key
If bucket name does not exist, it will get created.

Secret Access Key is encrypted when saved into the database.
Check that files got uploaded on Amazon S3
1. Log onto AWS Management Console using your email address and password.
http://aws.amazon.com/console/
1. Click on S3.
2. Click on the bucket that you specified in Guardium UI.
Softlayer Object Storage

SoftLayer Object Storage is a redundant and highly scalable cloud storage service. Use it to easily store, search, and retrieve data across the Internet. It is based on the
OpenStack Swift platform and may be accessed through a RESTful API and Web Portal.
Information needed beforehand:
Authentication Endpoints - Authentication requests should be sent to the endpoint associated with the location of your Object Storage account.
https://dal05.objectstorage.softlayer.net/auth/v1.0
Container - The basic storage unit for all the data within Object Storage is a container. It stores data/files and must be associated with an Object Storage account.
X-Auth-User - Username to authenticate with: Tenant value:username
X-Auth-Key - API key (Password) to authenticate with.
Account credentials can be retrieved by logging onto https://control.softlayer.com/
System Backup by Softlayer from GUI
1. Click Manage > Data Management > System Backup, Manage > Data Management > Data Archive, or Manage > Data Management > Results Archive.
2. Select the Softlayer protocol.
3. Fill in Authentication Endpoint URL (example, https://dal05.objectstorage.softlayer.net/auth/v1.0)
4. Specify an Object Storage container name (example, yourname_Container)
5. Specify the X-Auth-User (Tenant value: Username) (example, username)
6. Fill in the X-Auth Key (example, password)
7. Specify what to Backup - Configuration or Data
8. Modify Scheduling or Run Once Now.
System Backup via CLI (Configuration)
Access CLI.
CLI> backup system.
1. DATA
2. CONFIGURATION
Please enter the number of your choice: (q to quit) 1
1. SCP
2. CONFIGURED DESTINATION
Make sure destination is configured in the GUI under the <System Backup> option
Please wait, this may take some time.
Performing a DEFAULT backup, config=
System Backup and System Restore
Access CLI.
CLI> restore system
1. SCP
2. FTP
3. TSM
4. CENTERA
5. AMAZONS3
7. SOFTLAYER

8. SFTP
Enter the SoftLayer Authentication Endpoint URL:
Enter Softlayer Object Storage Container name:
Enter Softlayer X-Auth-User:
Enter X-Auth-Key:
Enter a file name from list:
Authenticate success!
Download file success!
Select your recovery type, for most cases, use the normal option:
1. normal
2. upgrade
System Backup > Cleversafe
Prerequisite
The Guardium server must be set to the correct local time. Use NTPserver to change if necessary.
System Backup selections:
Authentication endpoint URL
(AWS) Access key
(AWS) Secret access key
Bucket name
Answer yes to all certificate questions.
Configuring patch backup

Use this feature to store backup profile information.
Procedure
1. Click Setup > Patch Backup to open the Patch Backup panel.
2. Choose the method of file transfer.
3. Enter the name of the host and the directory where the information is to be stored.
4. Enter a user name and password to own the file on the destination host.
5. Click Apply when you are finished.
Configure Permission to Socket connection

This topic applies to Custom Alerting Classes.
Follow this procedure to configure permissions for socket all connections that are used by custom classes.
1. Click Setup > Evaluations > Communication Permissions to open the Communication Permissions.
2. Click Add permission To Socket Connection to expand that pane.
3. Enter the IP address or Host name for the host.
4. Enter a Port number for the socket connection.
5. Enter a description.
6. Click Save.
Access Management Overview

Access management consists of four tasks: account administration, maintenance, monitoring, and revocation.
Access Management is separate from system administration duties.
There are two predefined users on a GuardiumÂ® appliance: accessmgr and admin.
accessmgr is the user name assigned to the access manager. By default, the access manager is the only user authorized to manage user accounts and security
roles.

admin is the user name assigned to the (primary) Guardium administrator. By default, the administrator does not have authority to manage user accounts or
security roles. The admin user has a more extensive set of privileges.
Note:
Admin and accessmgr roles can not be assigned to the same user. The same user may contain both of these roles through a legacy situation or as a result of an upgrade.
However, current use will not allow the two roles to be assigned to the same user.
In the past, when a unit was upgraded, the accessmgr role was assigned to the admin user, and the accessmgr user was disabled. In this upgrade situation, it was
necessary to first log in as admin and enable the accessmgr user, then log in as accessmgr (with initial password "accessmgr", the system prompted the user to change it),
and remove the accessmgr role from the admin user.
Access Management Selection

User Browser Â - Manage users
Role Browser - Manage permissions and customize layouts for roles
Role Permissions - Manage application permissions
LDAP User Import - Import users from LDAP
Data Security Selection

Datasources Associated
Datasources Not Associated
Servers Associated
Servers Not Associated
User Hierarchy
User-DB Association
Predefined Reports from Accessmgr

The following predefined reports are available from the Accessmgr user.
User and Role Reports

Defining and modifying users (see Manage Users) involves deciding both who will be using the Guardium system and to what roles (see Manage Roles) they will be
assigned. A role is a group of users, all of whom are granted the same access privileges.
The User and Role Reports consist of reports:
User - Role -- a report that shows, by user, the number of roles that user belongs to.
All Roles - User -- a report that shows, by role, the number or users that belong to that role.
Note: admin and access manager are pre-existing, other roles are created by the Access manager.
The following reports are available on a Central Manager or a standalone unit. If trying to use on a managed machine, an error message will appear. Servers Not Associated
will show servers from ALL managed units in Central Manager systems.
Datasources Associated
This report identifies Datasource Name, Host, Service Name, Login Name and Association Type. This information comes from the choices made in the User-Database
Associations activity. See the Data User Security - Hierarchy and Associations help topic.
Datasources Not Associated

This report is a list of datasources not associated with any users. This report identifies Datasource Name, Datasource Type, Host, and Service Name. This information
comes from the choices made in the User-Database Associations activity. See the Data User Security - Hierarchy and Associations help topic.
Servers Associated
This report identifies Server IP, Service Name, Login Name and Association Type. This information comes from the choices made in the User-Database Associations
activity. See the Data User Security - Hierarchy and Associations help topic.
Servers Not Associated

This report is a list of servers not associated with any users. This report identifies Server IP and Service Name. This information comes from the choices made in the User-
Database Associations activity. See the Data User Security - Hierarchy and Associations help topic.
Understanding Roles
Assign a role to a Guardium user to grant them specific access privileges. Some examples of roles are: CLI, admin, accessmgr, CAS, and user.
Roles and permissions provide different levels of access to users based on their job duties.
How to create a role with minimal access
This topic explains how to create a new role with minimal access permissions, for example an auditor role that can only access the Audit Process To-Do List and
view specific reports.
Manage Users
Use the access manager, assigned the user name accessmgr, to add user accounts, enable or disable user accounts, import members from LDAP, or edit user
permissions. Open the User Browser and browse the user accounts by clicking Access > Access Management > User Browser
How to create a user with the proper entitlements to login to CLI
Use this task to create a user who has the proper roles and entitlements to use CLI to run GuardAPI commands.
Importing Users from LDAP
You can import Guardium user definitions from an LDAP server by configuring an import operation to obtain the appropriate set of users.

Data Security - User Hierarchy and Database Associations
You can use data security features to create a hierarchy of users and associate users to specific databases and servers. Guardium data security features report on
which users accessed what information, and ensure that only specific users see information that they are responsible for.
How to define User Hierarchies
Use the UI from an access manager account to easily define user hierarchies.
Guardium UI Login using a Smart card
Guardium Smart card support meets the United States government mandate that all vendors must support multi-factor authentication for user access. Smart card
authentication is supported only for access to the web-based Guardium user interface (UI).
Understanding Roles
Assign a role to a Guardium user to grant them specific access privileges. Some examples of roles are: CLI, admin, accessmgr, CAS, and user.
The access manager defines roles and assigns them to users and applications. When a role is assigned to an application or the definition of an item (a specific query, for
example), only those Guardium users who are also assigned that role can access that component.
When user definitions are imported from an LDAP server, the groups to which they belong can optionally be defined as roles. For more information, see Importing Users
from LDAP.
Note: When assigning roles to a user, the admin and access manager role cannot be assigned to the same user.
Note: Custom-created roles cannot be combined with default-provided roles (examples are user, admin, accessmgr, cli, inv, datasec-exempt, review-only).
Note: Admin role and object owner have access to all objects by default.
Note: Taking a base role and customizing (with additional navigation items), and then copying this customized role, will result in a loss of the customization if the
customized or copied role is reset to default.
Default Roles
The Guardium system is pre-configured to support users who fall into four broadly defined default roles: admin, user, access manager, and investigations. The Guardium
access manager can create new roles as well.
Note: Note: If data level security at the observed data level is enabled (see Global Profile settings), then audit process escalation is allowed only to users at a higher level
in the Data Hierarchy (see Access Manager). The Datasec-exempt user can escalate, without restrictions, to anyone.
Table 1. Default Roles
Default Role Description
user Provides the default layout and access for all common users. This role can not be deleted.
admin Provides the default layout and access for Guardium administrators. Do not confuse the admin role with the admin user, which is a special
user account having the admin role, but also having additional powers that are reserved for the admin user account only. This role can not
be deleted.
accessmgr Provides the default layout and access for the access manager. This role can not be deleted.
cli Provides access to CLI. The admin user has default access to CLI. Everyone else must be given permission when users are created by
access manager and roles specified. The access manager can define as many users in the system and give them the CLI role. These users
have access to the CLI and all activities of their CLI sessions are associated with this user.
To run GrdAPI or CLI commands without admin rights, click the role CLI for Admin Console in the User Role Permissions selection.
See the topic, diag CLI Command, on how to manage the diag role.
inv Provides the default layout and access for investigation users. An investigation user must have the restore-to database name of INV_1,
INV_2 or INV_3, as the Last Name in their user definition. This is not enforced by the GUI, but is required for the application to function
properly. When assigned, the user role must also be assigned. This role can not be deleted.
Note: The Ad-Hoc Process for run once now button is available on all report screens for all users except investigation (INV) user.
datasec-exempt Data Security - Exempt. This role is activated when Data level security is enabled (see Global Profile in Administration Console) and the
datasec-exempt role has been assigned. If the user has this role, a Show all check box appears in all reports. If checked, all sniffed data
records are shown (no filter is applied). This role cannot be deleted in the Role Browser.
review-only A user that is specified by this role can view only results (Audit, Assessment, Classifier), Audit Results and the To Do List. This role cannot
be deleted in the Role Browser.
Users with this role is allowed to enter comments in the audit process viewer (not workflow or comments/data per row, but comments at
process/result level).
Users with this role cannot perform any changes/actions on any workflow automation result (escalate, reassign, etc).
Sample Roles
In addition to the default roles, a set of sample roles is also defined.
Table 2. Sample Roles

Sample Role Description
dba Users who have a database-centric view of security, allowing access to database-related reports and tracking of database objects
infosec Users who have an information security focus, including tracking access to the database, and handling network requests, audits, and
forensics
netadm Users who have a network-centric view, including IP sources for database requests
appdev Application developers, architects, and QA personnel who have an application-centric focus and want to track and report on SQL streams
generated by an application

Sample Role Description
audit Auditors and others who need to view audit reports
Note: If trying to copy this role, an embedded message will appear explaining that not all aspects of this role can be copied. The message
is: "Create a new role using the layout and permission from the "audit" role. Special privileges and actions associated with the "audit" role
will not be copied."
audit-delete This role is used to track or log when an audit process result has been deleted. Users with the audit-delete role can delete reports. Admin
users can also delete reports. Tracking is done through the User Activity Audit Trail report.
admin-console-only A user that is specified by this role can only access the admin console tab.
cas Configuration Auditing System (CAS)
vulnerability-assess A user that is specified by this role can view only vulnerability results.
diag A user that is specified by this role can access and run the diag commands in CLI.
workload-replay-admin A user that is specified by this role can define and modify the workload-replay functions.
workload-replay-user A user that is specified by this role can run the workload-replay functions.
fam A user that is specified by this role can define and modify the File Activity Monitor functions.
BaselII Accelerator - Basel II. This role can not be deleted.
Basel II Part 2 Sections 4 and 5 require that banking institutions must define a Securitization Framework around financial information and
estimate the associated operational risk.
DataPrivacy Accelerator - DataPrivacy. This role can not be deleted.
The Data Privacy Accelerator delivers a portfolio of pre-configured policies, real-time alerts, and audit reports that are specifically tailored
to the challenges of identify theft and based on industry best practices. With the Data Privacy Accelerator, security managers, privacy
officers, and database administrators begin by defining combinations of data elements â€“ called "privacy sets" â€“ whose access may
indicate hacking or inappropriate activities by internal users.
GDPR Accelerator - GDPR. This role can not be deleted.
The Guardium GDPR accelerator provides predefined reports based on GDPR groups and policies. To begin working with the GDPR
accelerator, assign the GDPR role to a Guardium user, then navigate to Accelerators > GDPR with that user account.
pci Accelerator - PCI. This role can not be deleted.
The PCI DSS is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations who
store, process, use, or transmit cardholder data. Failure to comply can mean loss of privileges, stiff fines, and, in the case of a data breach,
severe loss of consumer confidence in your brand or services. The IBM Guardium accelerator helps guide you through the process of
complying with parts of the standard using predefined policies, reports, group definitions, and more.
sox Accelerator - SOX. This role can not be deleted.
SOX Section 404 requires that companies must establish and maintain an adequate internal control structure and procedures for financial
reporting.
Roles in a Central Manager Environment

In Central Manager environments, all User Accounts, Roles, and Permissions are controlled by the Central Manager. To administer any of these definitions, you must be
logged in to the Central Manager (and not to a managed unit).
Create a Role
1. Login as accessmgr, and open the User Role Browser by clicking Access > Access Management > Role Browser.
2. Click Add Role to open the Role Form panel.
3. Enter a unique name for Role Name and click Add Role.
Remove a Role
1. Open the User Role Browser by clicking Access > Access Management > Role Browser.
2. Click Delete for any role (some roles cannot be removed, and do not have the Delete option). This opens the Role Form for the role.
3. Click Confirm Deletion. A message displays informing you that all references to the role are removed, and you will be asked to confirm the action.
4. Click OK to confirm the deletion, or Cancel to abort the operation.
Parent topic: Access Management Overview

Roles and permissions provide different levels of access to users based on their job duties.
Examples of roles include user, admin, and audit. Using roles allows you to easily define permissions for an entire group of users. Only access managers can create new
roles and assign users to that role. As part of role creation, access managers can also customize the navigation menu and permissions for that role.
Creating customized roles involves several processes:
Creating a new role

Managing permissions for the role to limit what users can access
Optionally customizing the navigation menu for the role to further limit what users can see

Adding users to the role
There are two ways to limit access to specific applications:
Limit access from the application
Limit access from the application by deselecting the All Roles check box on the Role Permissions > Edit Application Role Permissions screen. Next, select the
individual roles that should have access to the application.
The process is the same if you find that the All Roles check box is already deselected: simply select or deselect the individual roles to grant or revoke access to the
application.
When All Roles is selected for a particular application, every currently-defined role will have access to that application.
Limit access from the role
Limit access from the role by navigating to the Role Browser > Manage Permissions screen and move individual applications from the Accessible applications list to
the Inaccessible applications list.
When managing permissions or customizing the navigation menu for a new role, the defaults shown in the Accessible applications list reflects any application with
the All Roles check box selected on the Role Permissions > Edit Application Role Permissions screen.
When working with roles and permissions, removing permissions for an application also changes the default permissions for new roles. That is, removing permissions for
an application means that any subsequent roles you create will also lack permissions for that application. If you want a new role to have permissions for an application
that no longer appears in the Accessible applications list by default, you will need to move the desired application from the Inaccessible applications list to the Accessible
applications list for the new role.
It is also possible to restrict access to specific tools by hiding menu items using the Role Browser > Customize Navigation Menu tool. This approach limits access without
altering the default application permissions, but it may be less secure than a permissions-based approach.
Best Practices:
After editing permissions for a role, review the navigation layout for that role as shown on theRole Browser > Customize Navigation Menu screen. Add or remove
items from the Navigation Menu list as needed to create a layout appropriate for the role.
Copy and edit predefined roles to establish the desired permissions and navigation menu. This approach allows you to revert to the original role if needed.

Related tasks:
Customizing the user interface
Managing users, roles, and the Guardium system (video)

This topic explains how to create a new role with minimal access permissions, for example an auditor role that can only access the Audit Process To-Do List and view
specific reports.
Procedure
1. Create a new role.
a. Log in as accessmgr, navigate to Access > Access Management, and select the Role Browser.
b. Click the Add Role button, give the role a name, and click the Add Role button to create the new role.
2. Manage permissions so the new role can only access the Audit Process To-Do List and the Report Builder (which is required for viewing reports).
a. From the Role Browser, click the Manage Permissions link for the new role.
b. Select the checkbox in the header of the Accessible Items list and use the arrow to move all items to the Inaccessible Items list. When creating a highly
restricted role, it is easier to begin by removing permissions.
c. In the Inaccessible items list, select the Audit Process To-Do List and the Report Builder, and use the arrow to move them back to the Accessible items list.
The new role now has access to only these two specific applications.
d. Click the OK button to commit your changes.
3. Customize the menus and navigation by defining which reports and applications are available to the new role.
a. From the Role Browser, click the Customize Navigation Menu link for the new role.
b. In the Navigation Menu list, select the Reports group so it is highlighted. The selected group acts as the destination for menu items added in subsequent
steps.
c. In the Available Tools and Reports list, expand the Reports section or use the Filter to identify specific reports, select the check box next to each item that
should be available to the new role, and use the arrow to add the items to the Navigation Menu list. Items moved into the Navigation Menu list will become
visible to users assigned to this role.
d. In the Navigation Menu list, remove access to the Report Builder by clicking the icons next to the Reports > Report Configuration Tools and Investigate
groups. This further simplifies the menu structure for this role and removes access to the Report Builder tool without also removing application permissions
that are required to access reports.
e. Click the OK button to commit your changes. You have now created a new role with very minimal privileges that can be assigned to users.
4. Optionally specify a custom home page for the new role.
a. From the Role Browser, click the Customize Navigation Menu link for the new role.
b. In the Navigation Menu list, specify a new default home page by selecting Comply > Tools and Views > Audit Process To-Do List and clicking the icon in
the toolbar. Users assigned to this role will now see the Audit Process To-Do List as the default screen after logging in.
c. Click the OK button to commit your changes.
5. Create a new user and add that user to the new role.
a. Navigate to Access > Access Management and select User Browser.
b. Click Add User, provide the required information, and click Add User to create the new user. You will now see the user you created listed in the User Browser.

When a new user is created, the account is disabled by default. Deselect the Disabled check box if you want the user to have immediate access to their
account.
c. From the User Browser, click the Roles link for the new user to view a list of available roles.
d. Select the Assign check box next to the custom role you created earlier. This will assign the user to the new role.
e. Deselect the Assign check box next to the user role. Deselecting the user role prevents the new user from inheriting the default user access and permissions.
f. Click Save to commit your changes.

Related concepts:
Manage Users
Use the access manager, assigned the user name accessmgr, to add user accounts, enable or disable user accounts, import members from LDAP, or edit user permissions.
Open the User Browser and browse the user accounts by clicking Access > Access Management > User Browser
Defining and modifying users involves deciding both who will be using the GuardiumÂ® system and to what roles they will be assigned. A group of users can all have the
same role and the same access privileges if you so choose. For more information on roles, see Understanding Roles.
Note: A default layout can be defined for a role, so that any new user assigned that role will have that layout. See Generate New Layout in the CLI Reference.
User definitions can be imported from an LDAP server, on demand or on a schedule.
Regardless of how users are defined to the Guardium system, the Guardium administrator can configure the system to authenticate users via Guardium, LDAP, or Radius.
When getting started with your Guardium system, an important early task is to identify which groups of users will use the system, and what their function will be. For
example, an information security group might use Guardium for alerting and troubleshooting purposes while a database administrator group might use Guardium for
reporting and monitoring. When deciding who will access the Guardium system, keep in mind that sensitive company data can be picked up by the system. Therefore, be
very aware of who will be able to access that data.
Once you decide which groups of users will use the Guardium system (and for what purpose), collect the following information for each user:
Userâ€™s first and last name

User account name (the name they will use to log in)
Userâ€™s email address
Userâ€™s function/role with Guardium
User Account Security

Several settings can be changed to provide additional security for user accounts. You can enable or disable these settings using the show and store password CLI
commands (see User Account, Password and Authentication CLI Commands in the CLI Reference).
By default, password validation is enabled. This means that a minimum of eight characters is required, and the password must contain at least one character from
each of the following categories:
Uppercase letters: A-Z
Lowercase letters: a-z
Digits: 0-9
Special characters: @#$%^&.;!-+=_
Note: If password validation is disabled, any characters are allowed.
By default, password expiration is enabled. Passwords can be configured to expire after a designated number of days.
By default, account lockout following a specified number of failed login attempts is enabled. Lockout can be configured to occur after a fixed number of attempts in
a given time, or after a total number of attempts for the life of the account.
Locked Accounts
1. Open the User Browser by clicking Access > Access Management to view the list of users.
2. Click Edit for any user, clear the Disabled check box, and click Update User to save changes.
Note: If the admin user account becomes locked, use the unlock admin CLI command to unlock it (see Configuration and Control CLI Commands in the CLI
Reference).
Create a User Account

1. Open the User Browser and click Add User to open the User Form panel.
2. Enter a unique name for Username. Do not include apostrophe characters in the name. User names are not case sensitive.
Note: When adding a user manually, from either the Add User panel or User LDAP Import, if there is no first name and/or last name, the login name will be used.
3. Enter a password and confirm it again in the Password (confirm) box. The password you assign will be temporary, and the user will be required to change it following
their first login.
Note: Passwords are case sensitive. When password validation is enabled (the default), the password must be eight or more characters in length, and must include
at least one uppercase alphabetic character (A-Z), one lowercase alphabetic character (a-z), one digit (0-9), and one special character from the following set:
@$%^&.;!-+=_
Note: Non-Latin characters, for example, Chinese, Japanese, are not supported in the username.
4. Enter the userâ€™s first and last name in the respective fields.
Note: Restrictions apply to the last name for those users assigned the Investigation Data Restore role (inv). If you want to assign a user the investigator role, their
last name must be INV_1, INV_2, INV_3. The UI will not restrict you from entering something different in this field, but the application will not function properly
unless the last name is entered as shown. Further, the investigator cannot be assigned any additional roles - they must be inv only. This is the only case where it is
not required to have a user or admin role.
5. (Optional) Enter the userâ€™s email address.
6. (Caution) The Disabled check box is checked by default. We suggest that you defer clearing the check box and enabling the account until after the correct set of
roles have been assigned for the user.

It is much simpler to assign the roles first, so that the user has all components in their layout the first time they log in. When a user logs in for the first time, their
layout is built using all of the roles assigned at that time. If roles are added later, the user has access to everything available to that role, but will have to add reports
or applications particular to that role manually.
7. Click Add User to save the new user account definition and close the panel.
This completes the user definition. We suggest that you add the appropriate roles for the user before informing them of their password for the initial login. See
Understanding Roles for more information.
Enable/disable many users

Open the User Browser and click Search Users to easily filter users by role. When you select a user, you have the option to enable or disable the user. Because users are
disabled by default, this menu can be very useful to easily change the status of many users.
Update a User Account

1. Open the User Browser and click Edit for the user you want to modify.
2. Replace any values in the User Form panel.
3. Click Update User to save changes.
Note: Changing a user's password will require the user to change it following their next login.
Enable a Disabled User Account

1. Open the User Browser and click Edit for the user you want to enable.
2. Clear the Disabled check box.
3. If the user has forgotten their password, enter a new password in both the Password and Password (confirm) boxes.
4. Click Update User.
Remove a User Account

1. Open the User Browser by clicking Access > Access Management .
2. Click Delete for the user you want to remove.
3. Click Confirm Deletion.
Note: Alerts that were sent to deleted user will be sent now to the admin; however this will not take effect until the access policy is re-installed.
Define the Data Security User Hierarchy

1. Click Data Security > User Hierarchy.
2. Select a user from the User menu to refresh the screen and display the selected user's current hierarchy in the user pane.
3. Right-click a user node for the following op:
Add User - Clicking Add User displays the Add User dialogue. Search or filter by role, and add a user as a descendent of the selected user.
This can create a measure of data-level security, by permitting the parent of a hierarchy to look at specified servers and databases, but not the children of the
hierarchy. Depending on the configuration, inheritance can also take place in that the parent inherits the data-level security of the child.
Note: Many-to-many relationships are permitted where a user may have more than one parent and a parent may have more than one user.
Unlink User from parent - will sever the descendent from the parent
Remove all descendents - will sever all descendents from the parent
4. Click Refresh Cached Hierarchy to apply the recent changes to the user hierarchy map.
5. Click Full Update Active User-DB Map to fully apply all recent changes to the active User-DB association map.
Note: Best practices dictate a Full Update Active User-DB Map after changing the User Hierarchy.
When you make a change to a hierarchy or to a database association (via UI or GuardAPI), this change DOES NOT take effect automatically. The Periodic Update will
NOT pick up this change, unless it is the FIRST time the Periodic Update has run. Otherwise, the user MUST click Full Update or run the Full Update GuardAPI
command for their changes to take effect.
A periodic update of the user hierarchy is run every 10 minutes automatically. This cannot be run manually. This is an incremental update, meaning that it is only
looking at new server IPs or Service Names that have been sniffed since the last time the periodic update was run. It compares the existing hierarchy and
associations against the new IPs/Service Names and determines what users should have access to these IPs/Service Names.
A full update of the user hierarchy is NOT run automatically. It is only run when the user executes it, either via the UI or GuardAPI function. This compares ALL
IPs/Service Names to the existing hierarchy and associations to determine who has access to what.
Define the Data Security User to Database Association

Use the Data Security User-DB Association to find, assign, or remove users from available servers and service names (databases).
1. Open the User-DB Association panel by clicking Data Security > User-DB Association.
2. Select the check boxes of the Server & Service Name Suggestion to find databases and service names to associate to users. Choices include:
Observed Accesses - Observed traffic from Guardium internal database table GDM_Access
Datasource Definitions - Existing datasource definition information such as name, database type, authentication information, and location of datasource.
S-TAPÂ® Definitions - Existing S-TAP definition information such as the IP address of the database server and the IP address of the Guardium host that will
receive data from S-TAP.
Auto-Discovered Hosts - Hosts discovered by the Guardium Auto-discovery process that were not previously known. Guardium's Auto-discovery application
can be configured to probe the network, searching for and reporting on all databases discovered.
Guardium Install Manager (GIM)-Discovered Systems - Hosts discovered by the GIM that were not previously known.
3. Click Go to find and display available servers, service names, and currently associated users.
Note: When traversing the node tree, numerical indicators are displayed next to each server and service name to provide a count of direct and descendant users
that have been associated. The indicators take the format of [nn] for direct association and (mm) for descendant association (a server or service name within the

current server has a user associated to it for example). Likewise, when viewing the users associated to a server or service name, if there is a user associated to a
larger level node in the tree, that user will be displayed.
4. Click a server or service name node to display associated users. With any node selected, you can do one of the following:
Click Add User to add a new user-DB association, click any users you want to add, and then click Add.
Click Add Group to add a new group-DB association. When Add Group is selected, groups that were created using the Group Builder for group type Guardium
Users will be displayed. Select the group you'd like to add and click Add.
Right-click any server or service name node to do one of the following:
5. Right-click any server or service name node, and you are presented with options to do one of the following:
Highlight the server
Expand or collapse the server
Find a server
Add server, service name, or unnamed service
Delete the server
6. Add an IP or IP/Service Name pair using the IP and Service Name fields before the tree structure.
Note: The Find button can be used to search the IP/Service Name tree structure. IP strings may be entered as partials or include the wild card * such that 192.168
and 192.168.*.* are both valid. Numeric values cannot trail the use of any wild card or be used with the wild card to form an octet. Service Name names may include
the wild card % anywhere within their name.
7. Click Full Update Active User-DB Map to fully apply all recent changes to the active User-DB association map.
Note: Best practices dictate a full update of the active User-DB map after changing the User-DB Association.
A full update of the user hierarchy is NOT run automatically. It is only run when the user executes it, either via the Full Update Activer User-DB Map button or the
GuardAPI function. This compares ALL IPs/Service Names to the existing hierarchy and associations to determine who has access to what.
A periodic update of the user hierarchy is run every 10 minutes automatically (cannot be run manually). This update is only looking at new server IPs or Service
Names that have been sniffed since the last time the periodic update was run. It compares the existing hierarchy and associations against the new IPs/Service
Names and determines what users should have access to these IPs/Service Names.
When you make a change to a database association (via UI or GuardAPI), this change DOES NOT take effect automatically. The periodic update will NOT pick up this
change, unless it is the FIRST time the periodic update has run. Otherwise, the user MUST click the Full Update Activer User-DB Map button, or run the full update
GuardAPI command for the changes to take effect.
How to create a user with the proper entitlements to login to CLI

Use this task to create a user who has the proper roles and entitlements to use CLI to run GuardAPI commands.
About this task

This how-to topic is important since (1) GuardAPI commands can be executed only through CLI, and (2) Most GuardAPI commands are associated with a specific
application and therefore with its roles; meaning that the standard CLI user (who has a hard coded "admin" role) cannot run many of the GuardAPI commands because
that user does not have the appropriate roles.
Procedure
1. Login as the accessmgr and open the User Browser by clicking Access > Access Management > User Browser.
2. Click Add User from the User Browser panel
3. Fill in the User Form, clear the Disabled check box to enable the user upon creation, and click Add User.

When a user is initially created they do not have the privilege to login to CLI and execute any of the GuardAPI commands. As an example, if we try and use one of
the CLI accounts (guardcli1,...,guardcli5) under the newly created user we are quickly disconnected and told that the user does not have the necessary role defined.
$ ssh -l guardcli1 192.168.1.89 guardcli1@192.168.1.89's password:

Last login: Tue Aug 10 18:37:25 2010 from 192.168.1.14
Welcome guardcli1 - your last login was Tue Aug 10 18:37:26 2010
Please enter your GUI login (one with ADMIN or CLI role defined):johnsmith
No such user or user does not have the necessary role defined.
Connection to 192.168.1.89 closed.
4. From the User Browser panel, click Roles for any user to bring up the User Role Form panel.
5. Check the CLI check box, and click Save to grant the user CLI access
Now when the user tries to use one of the CLI accounts (guardcli1,...,guardcli5) under the newly created user we are asked for a password and granted access to
the CLI.
$ ssh -l guardcli1 192.168.1.89

guardcli1@192.168.1.89's password:
Last login: Tue Aug 10 18:39:01 2012 from 192.168.1.14
Welcome guardcli1 - your last login was Tue Aug 10 18:39:02 2011
The 'set guiuser' command must be run (successfully) before any other commands will work
set guiuser admin
Enter current password
192.168.1.89>
6. Grant any additional roles, if desired, to allow access to the user to execute GuardAPI functions.
For example, if the user johnsmith were to issue the following GuardAPI command, he would find out he does not have any API commands to execute:
192.168.1.89 >grdapi commands user

ID=0
Matching API Function list:
ok
But if we were to grant johnsmith the accessmgr role (previously in step 5) the same GuardAPI command would result in the following API commands being
available:
192.168.1.89> grdapi commands user

ID=0 Matching API Function list :
create_db_user_mapping
create_user_hierarchy
delete_allowed_db_by_user
delete_db_user_mapping
delete_user_hierarchy_by_entry_id
delete_user_hierarchy_by_user
execute_ldap_user_import
list_allowed_db_by_user
list_db_user_mapping
list_user_hierarchy_by parent_user
update_user_db
ok
Importing Users from LDAP

You can import GuardiumÂ® user definitions from an LDAP server by configuring an import operation to obtain the appropriate set of users.
You can run the import operation on demand, or schedule it to run on a periodic basis. You can elect to have only new users imported, or you can have existing user
definitions replaced. In either case, LDAP groups can be imported as Guardium roles.
When importing LDAP users:
The Guardium admin user definition will not be changed in any way.
Existing users will not be deleted (in other words, the entire set of users is not replaced by the set imported from LDAP).
Guardium passwords will not be changed.
New users being added to Guardium:
Will be marked inactive by default
Will have blank passwords
Will be assigned the user role
Note:
Special characters in a user name is not supported.
When adding a user manually via Access Management (either from Add User or LDAP user import), if there is no first name and/or last name, the login name will be used.
This LDAP configuration menu screen has tool tips for certain menu choices. Move the cursor over a menu choice (such as Object Class for user), and a short description
will appear.
Guardium CLI users can not authenticate in the LDAP environment, as there is no privilege separation for the CLI users.
Configure LDAP User Import

The attribute that will be used to identify users is defined by the Guardium administrator, in the User RDN Type box of the LDAP Authentication Configuration panel. See
Configure LDAP Authentication for further information. The default is uid, but you should consult with your Guardium administrator to determine what value is being used.
If a user is using SamAccountName as the RDN value, the user must use either a =search or =[domain name] in the full name. Examples: SamAccountName=search,
SamAccountName=dom
Note: In order to configure LDAP user import, accessmgr user must have the privilege to run Group Builder. In certain situations, when changes are made to the role
privilege, accessmgr's privilege to Group Builder can be taken away. This results in an inability to save or run successfully LDAP user import. Go to the access management
portal, select Role Permissions from the choices. Choose the Group Builder application and make sure that there is a checkmark in the all roles box or a checkmark in the
accessmgr box.
1. Open the LDAP User Import panel by clicking Access > Access Management > LDAP User Import.
See Example of TivoliÂ® LDAP Configuration at the end of this help topic for reference in filling out the required information.
2. For LDAP Host Name, enter the IP address or host name for the LDAP server to be accessed.
3. For Port, enter the port number for connecting to the LDAP server.
4. Select the LDAP server type from the Server Type menu.
5. Check the Use SSL Connection check box if Guardium is to connect to your LDAP server using an SSL (secure socket layer) connection.
6. For Base DN, specify the node in the tree at which to begin the search. For example, a company tree might begin like: DC=encore,DC=corp,DC=root
7. For Attribute to Import, enter the attribute that will be used to import users (for example: cn). Each attribute has a name and belongs to an objectClass.
8. Check the Clear existing group members before importing check box if you want to delete all existing group members before importing.
9. For Log In As and Password, enter the user account information that will connect to the Guardium server.
10. For Search Filter Scope, select One-Level to apply the search to the base level only, or select Sub-Tree to apply the search to levels beneath the base level.
11. For Limit, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that
you do not inadvertently load an excessive number of members.
12. Optional: For Search Filter, define a base DN, scope, and search filter. Typically, imports will be based on membership in an LDAP group, so you would use the
memberOF keyword. For example: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
13. Click Apply to save the configuration settings.
Note: The Status indicator in the Configuration - General section will change to LDAP import currently set up for this group as follows and the Modify Schedule and
Run Once Now buttons will be enabled. You can now import from your LDAP server.
Schedule LDAP User Import

If LDAP Import has not yet been configured, you must perform Configure LDAP User Import before performing this procedure.
Run LDAP User Import

When you run LDAP user import on demand, you have the opportunity to accept or reject each of the users returned by the query. This is especially useful for testing
purposes. If LDAP Import has not yet been configured, you must perform Configure LDAP User Import before performing this procedure.
2. Click Run Once Now. After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP Query Results panel.
3. In the LDAP Query Results panel, mark the check box for each user you want added, and click Import (or click Cancel to return without importing any users).
4. To view the added users, open the User Browser by clicking Access > Access Management > User Browser. Verify that the correct user accounts have been added.
Example of Tivoli LDAP Configuration

Table 1. Example of Tivoli LDAP Configuration
LDAP Host Name Values
Port 389
Server Type Tivoli Directory

LDAP Host Name Values
Use SSL connection Â
Base DN cn=sample realm,o=sample
Import Mode Choose Override existing attributes
Disable user if not on import Â

list
Enable new Imported Users Â
Log in as cn=root
Password Â
Search filter scope Sub-Tree
Limit Â
Attribute to Import as User cn (Configurable through Portal)

Login
Search filter Â
Object Class for User Fill with Default Value - |(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)
Import Roles Add a Checkmark
Attribute to Import as Role cn
Role Search Base DB Fill with Default Value - cn=sample realm,0=sample
Role filter Â
Object Class for Role Fill with Default Value - |(objectClass=groupOfNames)(objectClass=group)(objectClass=groupOfUniqueNames)
Attribute in User to Associate Fill with Default Value - memberOf

Role
Attribute in Role to Associate Fill with Default Value - member

User
Data Security - User Hierarchy and Database Associations

You can use data security features to create a hierarchy of users and associate users to specific databases and servers. GuardiumÂ® data security features report on which
users accessed what information, and ensure that only specific users see information that they are responsible for.
Follow these steps to enable and use Guardium data security features:
1. Enable Data Security

2. Create a User Hierarchy
3. Create a User to Database Association
4. Filter Results
When data security features are used with the Classification feature (which discovers and classifies sensitive data found in multiple places of the database), the Data Level
Security prevents a specified user from seeing classifier results from a specified datasource (datasource definition). Using Data Level Security can also prevent a specified
user from seeing Audit Task results when the task type is Classifier.
Enable Data Security

Restriction: Data Level Security and the Investigation Dashboard cannot be enabled concurrently.
1. Log in as the admin user and open the Global Profile by clicking Setup > Global Profile.
2. Click Enable for Data level security filtering.
Note: The status indicator icon for Data level security filtering will now appear as .
You can verify that Data level security filtering is enabled by referencing the Services Status panel (Setup > Services Status).
With data level security filtering enabled, log in as the accessmgr to use the User Hierarchy and User-DB Association features.
Create a User Hierarchy

The User Hierarchy shows you the parent-child relationships between all users. User hierarchies permit the parent of the relationship to look at specified servers and
databases, but not the children.
Log in as accessmgr and open the User Hierarchy by clicking Data Security > User Hierarchy.
Click Full Update Active User-DB Map to view the full hierarchy of users.
Use the Roles and Users filters to view the hierarchy for a specific user or role. Right-click a node in the hierarchy to expand or collapse the tree, or add a user to a
specific hierarchy.
Click Refresh Cached Hierarchy to update the hierarchy.
Note: Depending on the configuration, inheritance can also take place where the parent inherits the data-level security of the child.

Create a User to Database Association
The User-DB Association feature maps users to specific databases to ensure that users see only data that they are permitted to view.
Log in as accessmgr and open the User-DB Association by clicking Data Security > User-DB Association.
1. View the current mapping of users to databases by clicking Full Update Active User-DB Map.
2. Create a new User-DB association map by selecting options from the Server & Service Name Suggestion list and clicking Go.
Note: Once the map is fully updated, you will see a tree listing all your servers. Click any node in the tree to view which users are currently associated with that
node.
If you are using dual-stack configuration, there is a root node, and two trees of addresses to choose from. One tree is for the IPV4 address, and the longer tree is for
the IPV6 address.
Add a user or group to a node by selecting the node and clicking Add user or Add group.
Central Management
On a Central Management appliance, there is also a box on the User-Database Associations screen that allows a user to create database associations based on data from a
managed node. Select a remote source from only a box that appears for Central Management appliances. Also, there is a check box to get data from ALL managed nodes.
Filter Results
Data level security at the observed data level requires the filtering of data for specific users and the specific databases they are responsible for.
Filtering at the system level is based on the User Hierarchy and User-DB Association so that users will see only information from their assigned databases for the various
reports, audit processes, security assessments, and so on, within the Guardium system.
Log in as the admin user and use the Global Profile to filter results. Open the Global Profile by clicking Setup > Global Profile.
Default filtering:
Show all - This option is available only if the user logged in has the special role datasec-exempt defined, which allows the user to see all data as if there was
no data level security.
Include indirect records - This check box shows the viewer not only the rows that belong to the user logged in, but also all the rows that belong to other users
within that hierarchy.
Audit Process Escalation: Escalation is allowed for tasks on this type only to users who have the datasec-exempt role. Users without the datasec-exmpt role are not
shown in the escalation list.
Escalate results to all users - A check mark in this check box escalates audit process results (and PDF versions) to all users, even if data level security at the
observed data level is enabled. The default setting is enabled. If the check box is disabled (no check mark in the check box), then audit process escalation only will
be allowed to users at a higher level in the user hierarchy and to users with the datasec-exempt role. If the check box is disabled, and there is no user hierarchy,
then no escalation is permitted.
PDF and CSV generation for results (attached to email) distribution will use the default global profile values set in Administration Console parameters.
PDF and CSV generated from the viewer will use the same filtering as in the screen.
Note:
The Data Security User to Database Association filters reports only from the following domains: Access; Exception; and, Policy Violations (as well as custom domains using
these domains or tables from these domains). All other domains (reports) are not filtered by the Data Security User to Database Association.
Users with admin role will be able to see event types on all roles (the information will still be filtered based on observed data level security parameters).
If Data Level Security is turned on, predefined entities added to a custom domain need to be in the same domain(s) for the data level security filtering to work properly.
If Data Level Security is on, and two predefined entity subjects are trying to send data from two domains (not Custom Domains) that are using a filtering policy, then the
sending of the two predefined entity subjects will not be permitted. Data Level Security can only enforce one kind of filtering policy (for example, there can be only one
policy depending on server_ip/service_name and one policy depending on datasource).
How to define User Hierarchies

Use the UI from an access manager account to easily define user hierarchies.
About this task

The Data Security User Hierarchy represents the parent-child relationships between users; allowing for the creation and enforcement of a data-level security by permitting
the parent of a hierarchy to look at specified servers and databases, but not the children. Depending on the configuration, inheritance can also take place in that the parent
inherits the data-level security of the child.
Procedure
1. Login as accessmgr and click Data Security > User Hierarchy.
2. Select a user from the Users drop-down menu to display it in the Data Security User Hierarchy pane. This example uses john smith as a user.

3. To add a user to john smith's hierarchy, right-click on the user in the Data Security User Hierarchy pane, and select Add user from the drop-down menu.
4. After clicking Add user from the drop down list, the Add user dialog appears. Select one or more users that you would like to add to the user's hierarchy, and then
click Add.
5. After adding the users to a hierarchy, the Data Security User Hierarchy panel will be refreshed; allowing the user to drill down and see the new hierarchy.

6. Repeat the steps until all required users are defined to the data security user hierarchy.
Guardium UI Login using a Smart card

Guardium Smart card support meets the United States government mandate that all vendors must support multi-factor authentication for user access. Smart card
authentication is supported only for access to the web-based Guardium user interface (UI).
Before you begin

Details of the multi-factor authentication requirement are found in the Identification and Authentication (Organizational Users) (IA-2) section the Security and Privacy
Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53) document. NIST 800-53 is available through the NIST web site:
https://www.nist.gov .
Government applications refer to Personal Identification and Verification Cards (PIV). Civilian applications refer to Common Access Cards (CAC). PIV and CAC cards have
different certificate authorities, but the cards are otherwise the same.
Guardium Smart card support meets the HIGH confidence PIV assurance level described in the PIV Cardholder Authentication (6) section of the Personal Identity
Verification (PIV) of Federal Employees and Contractors (FIPS Publication 201-2) document. FIPS 201-2 is available through this NIST web site: https://www.nist.gov .
Prerequisites
The device requires the following:
Access to the Guardium UI via a web browser that can access the Smart card certificate
A Smart card reader
A valid PIV/CAC card
About this task

This task describes how to correctly associate the information on a Smart card with a Guardium user.
Create Guardium users to associate with Smart cards. If you want to associate existing users with Smart cards, you do not need to create any new users. For more
information about user creation and access management, see Access Management Overview.
1. Login to the Guardium UI as the admin user.

2. Navigate to Setup > Tools and Views > Portal.
3. Under the Authentication Configuration section, select the Smart Card option. If the Smart Card option is not present, verify that the Smart card patch is installed.
4. In the Regex Match Pattern field, provide a regular expression (regex) that matches user information on a Smart card.
Example
Create Users
The Guardium application provide various ways for users to be created. It doesnâ€™t matter how your users are created, and once you configure your web to use the
Smart card for authentication it only uses the Smart card credential to establish SSL/TLS communication (Guardium site uses https).
Here is an example how to manually create a user:
1. Login as Accessmgr on CM
2. Select AccessUser Browser.
3. Click Add.
4. Add Username Test Cardholder X
5. Add password twice
6. Enter first name and last name same as user
7. Click Add.
Now you will configure the mapping, so when a Smart card is present, the information on the Smart card will be correctly mapped to a user in the system.
1. Login as Admin from CM or standalone.

2. After you login, navigate to Setup > Tools and Views > Portal.

If you see a menu screen titled Authentication Configuration, then you have the Smart card support patch installed.
Now use a regular expression, in the Regex Match Pattern, to match the user information on the Smart card. Here is an example of a Regex Match Pattern:
CN ?= ?(.*?), ?OU ?= ?Test Agency, ?OU ?= ?Test Department, ?O ?= ?Test Government, ?C ?= ?US
This works with a Smart card with client certificate, the client certificate you selected to send to the webserver to establish HTTPS. On the Smart card you selected, this
client certificate gives to the webserver when the server requests it, which is exactly what happens when this feature is enabled. An example of the client certificate has
the details: Version, Serial number, Signature algorithm, Signature hash algorithm, Issuer, Valid from, Valid to, Subject.
In this example you can use one of the following patterns. They both will match the mapping. Pattern 1 is more exact. Pattern 2 depends on your purpose, you can write
your own to match your needs. You need to work with someone who is familiar with the data on the Smart card to write efficient mapping patterns.
Pattern 1:
CN ?= ?(.*?), ?OU ?= ?Test Agency, ?OU ?= ?Test Department, ?O ?= ?Test Government, ?C ?= ?US
Pattern 2:
CN ?= ?(.*?)
Both of the examples will get the value for CN attribute in the certificate subject which you can see by examine the detail of the certificate from the browser. In this case it
is Test Cardholder X. Configure this pattern correctly is probably the most important part to make sure the authentication on Smart card is successful.
Note that the regex validation tool currently available for other modules is not available for this purpose. (see Troubleshooting section, items 2 and 3).
Now save it. Note, you are not done yet and you need to enable it from CLI since part of the enablement can only be done after the server is shut down, during which there
is no GUI.
Before you leave GUI for the CLI part, you need to upload the root CA certificate to the trust store.
Upload the root CA certificate to web server trust store
This part describes how you upload the root CAâ€™s certificate into the trust store used by the GUI. Use the Import Certificate selection from the Guardium Portal and
Authentication Configuration screens.
If you do not have the root certificate of the CA that signed the certificates on the Smart cards, you can export a root certificate from a CA-signed user certificate or a
Smart card that contains one.
We assume you obtained the certification either by having it given to you by the customer or exporting it from a Smart card using certification management tools such as
certMgr.exe or tools like open SSL.
The public root certificate of a trusted CA. This is the most common source of a root certificate in environments that already have a Smart card infrastructure and a
standardized approach to Smart card distribution and authentication.
Select a certificate to use for Smart card authentication. The signing chain lists a series of signing authorities. The best certificate to select is usually the intermediate
authority above the user certificate.
Enabling the feature from CLI (can only be done in CLI)
To check the status, use the CLI command,
show system websmartcard
To turn on this CLI command, use
store system websmartcard on
To turn off this CLI command, use
store system websmartcard off
When the feature is turned off, the GUI is automatically restarted with the system using local authentication. This is also useful when you first deploy the system and the
regular expression you set is not quite right and you see errors.
Note: While the Smart card authentication is used to authenticate, the access control (for example, what module a user has access, what navigation the user has) is still
done through the same way as without Smart card authentication.
After enabling the feature
Once the feature is enabled, you can only access the site with a valid Smart card (PIV, CAC etc.)
Now when you visit the GUI site, youâ€™ll see an authentication prompt, asking you to choose a certificate.
The above details are for an administrator to set it up. As for end user, if it is set right, the user just needs to put the card in and the user will go straight to the site content.
For a user with a valid Smart card, when the user load the websites, the browser will prompt for a Smart card pin. This pin allows the client certificate on the card is access
when requested.
After the pin is provided, the regular Guardium login page will display with the user field pre-filled with the login extracted from the Smart card. Note there is no password
used here. The only thing you see in the user field is the extracted user place holder for mapping.
For example, if the certificate are valid and the root CA of the Smart card issuer for Test Cardholder X is loaded in Guardium web server (See section Upload the root
CAâ€™s certificate for how to do it), the user field will be pre-filled with Test Cardholder X and prompt you for the Smart card pin. This is to access the client certificate on
the Smart card. The client certificate stays on the Smart card and you cannot export it into a file. You may see the prompt twice and just provide the pin.
What to do next
Troubleshooting or recovery scenarios

After the feature is enabled, when you load Guardium URL, you see an error page.
Diagnostic: Most likely, your configuration of the matching regular expression is not right or you donâ€™t have a valid certificate on the card.
You created a matching Regex and it does not seem to be working. You remember that Guardium has a regex validation tool and used it thinking that if it works in the tool,
it's a good Regex. Unfortunately, while the test is successful in that tool, the Regex pattern doesn't work for Smart Card Configuration.
Diagnostic: That tool is to find if an expression can be found inside a text paragraph. So it won't work in this case. This configuration is to extract a piece of text from the
certificate text as displayed in the subject as shown in certificate details.
You didnâ€™t get prompt from the browser to select a certificate at all.
Diagnostic: PC/laptop is able to install the card reader and the Smart card. A copy of the certificate in the Smart card gets copied to the certmgr in Windows OS. However,
when accessing the site, browser (IE or Firefox or Chrome) does not read the certificate. In other words, all the three browsers are unable to read the certificate and there
is no prompt to choose the certificate.
This has been noted on all browsers on some laptops we tested. If this is the case, itâ€™s not only happening to Guardium site. Other sites that require Smart cards to
operate will also experience this. This is rare.
Solution: Contact the department that manages your Smart card.
Aggregation and Central management

Aggregation enables you to bring together data from multiple Guardium systems for a consolidated view. Central management enables you to maintain consistency among
your Guardium systems.
Aggregation
Collect and merge information from multiple GuardiumÂ® units into a single Guardium Aggregation appliance to facilitate an enterprise view of database usage.
Central Management
In a central management configuration, one Guardium unit is designated as the Central Manager. That unit can be used to monitor and control other Guardium
units, which are referred to as managed units. Un-managed units are referred to as stand-alone units.
Investigation Center
Investigation Center is an extension of the Aggregation Servers. Investigation Users (once defined) can restore data and results of selected historic dates and
perform forensic investigation. Once the days (dates) are restored, the investigation users can define and view reports using the standard Guardium UI, only in the
scope of the investigated dates.
Aggregation
Collect and merge information from multiple GuardiumÂ® units into a single Guardium Aggregation appliance to facilitate an enterprise view of database usage.
Aggregation Process
Accomplished by exporting data on a daily basis from the source appliances to the Aggregator (copying daily export files to the aggregator).
Aggregator then goes over the uploaded files, extracts each file and merges it into the internal repository on the aggregator.
For example, if you are running Guardium in an enterprise deployment, you may have multiple Guardium servers monitoring different environments (different geographic
locations or business units, for example). It may be useful to collect all data in a central location to facilitate an enterprise view of database usage. You can accomplish this
by exporting data from a number of servers to another server that has been configured (during the initial installation procedures) as an aggregation appliance. In such a
deployment, you typically run all reports, assessments, audit processes, and so forth, on the aggregation appliance to achieve a wider view, not always an enterprise view.
Note: The Aggregator does not collect data, but it is used to present the data from the collectors.
Pre-defined aggregation reports can be located on the Guardium Monitor tab, Enterprise Buffer Usage Monitor, and the Daily Monitor tab, Logging Collectors.
Appliance Types
Collector
Used to collect database activity, analyze it in real time and log it in the internal repository for further analysis and/or reacting in real-time (alerting, blocking, etc.).
Use this unit for the real-time capture and analysis of the database activity. Â
Aggregator (see notes 1, 2)

Used to collect and merge information from multiple appliances (collectors and other aggregators) to produce a holistic view of the entire environment and
generate enterprise-level reports. The Aggregator does not collect data itself; it just aggregates data from multiple sources.
Central Manager (see notes 1, 3, 4)

Use this Appliance to manage and control multiple Guardium appliances.
With Central Manager (CM), manage the entire Guardium deployment (all the collectors and aggregators) from a single console (the CM console).
This includes patch installation, software updates and the management and configuration of queries, reports, groups, users, policies, etc.
Note:
In many environments, the Central Manager is also the Aggregator. Central Manager and Aggregator can be installed on the same appliance.
Guardium appliance needs to be configured as an Aggregator at install time, in order to be promotable to a Central Manager.
One Central Manager per federated environment
Central Manager/Aggregator enforcement

Starting with v9.5 (v9.0 patch 500), the application will enforce that a Central Manager has to be an Aggregator-type appliance. This would mean that starting with
v9.5, only aggregator-type appliances would be promotable to the Central Manager appliance. Pre-existing pre-v9.5 CM appliances are not subject to this change.
Solution for unit showing as down after upgrade

Issue: When upgrading the Aggregator with search mode in CM_only or Local_only mode, this unit shows as down in search post upgrade. Also, if after upgrade,
user chooses to change search mode to all_machines search will not be available from the Aggregator.
Solution: Once the Aggregator unit has been upgraded and the user does not want to see the aggregator unit to show as down on the search tooltip, User can run
the two commands below
1. grdapi enable_quick_search schedule_interval=2 schedule_units=MINUTE
2. restart network
Note: If the environment was in and will be in cm_only or local_only mode, this step will not enable search from aggregator, just make it so that aggregator does not
show as down.
Terminology
Table 1.
Term Description
Guardium Appliance The physical or virtual Guardium box; can be either a â€œcollectorâ€ or an â€œaggregatorâ€ (with or without central management)
Guardium Unit See Guardium Appliance
Manager Unit An appliance configured as Central Manager
Managed Unit An appliance managed by the Central Manger
Standalone Unit An appliance not in a Central Manager environment
Purge For the best performance, purge all data that is not needed. Purge to free disk space.
Archive Compress the data of a single day into an encrypted file and send it to the aggregator.
Hierarchical Aggregation
Guardium also supports hierarchical aggregation, where multiple aggregation appliances merge upwards to a higher-level, central aggregation appliance. This is useful for
multi-level views. For example, you may need to deploy one aggregation appliance for North America aggregating multiple units, another aggregation appliance for Asia
aggregating multiple units, and a central, global aggregation appliance merging the contents of the North America and Asia aggregation appliances into a single corporate
view. To consolidate data, all aggregated Guardium servers export data to the aggregation appliance on a scheduled basis. The aggregation appliance imports that data
into a single database on the aggregation appliance, so that reports run on the aggregation appliance are based on the data consolidated from all of the aggregated
Guardium servers.
About the System Shared Secret

The Guardium administrator defines the System Shared Secret on the System Configuration panel, which is described in the following section. The system shared secret is
used for archive/restore operations, and for Central Management and Aggregation operations. When used, its value must be the same for all units that will communicate.
This value is null at installation time, and can change over time.
The system shared secret is used:
When secure connections are being established between a Central Manager and a managed unit.
When an aggregated unit signs and encrypts data for export to the aggregator.
When any unit signs and encrypts data for archiving.
When an aggregator imports data from an aggregated unit.
When any unit restores archived data.
Depending on your companyâ€™s security practices, you may be required to change the system shared secret from time to time. Because the shared secret can change,
each system maintains a shared secret keys file, containing an historical record of all shared secrets defined on that system. This allows an exported (or archived) file from
a system with an older shared secret to be imported (or restored) by a system on which that same shared secret has been replaced with a newer one. Shared secrets
(current and historic ones) can be exported from one appliance and imported to another through the CLI.
For aggregation to work, the shared secret must be set and be the same for aggregator and all aggregated collectors.
Aggregating, Archiving, and Purging Operations

Scheduled export operations send data from Guardium collector units to a Guardium aggregation appliance. On its own schedule, the aggregation appliance executes an
import operation to complete the aggregation process. On either or both units, archive and purge operations are scheduled to back up and purge data on a regular basis
(both to free up space and to speed up access operations on the internal database). The export, archive, and purge functions can work on the same data, but not the same
date ranges. For example, you may want to export and archive all information older than one day and purge all information older than one month, thereby always leaving
one month of data on the sending unit.
Note:
When setting the schedule of import on an aggregator, it should be planned to run after export is completed on all collectors.
CAS data is also aggregated and archived.
Note: The alert for no traffic is inactive for aggregator servers.
Managing Data on an Aggregator

Exporting Data
Stopping Export
Importing Data
Stopping Import
Archiving and Purging

Stopping Archiving and Purging
Verify Archiving and Purging Process
Reporting on Aggregation and Archiving Activity
Restoring
Exporting Data
Table 2. Exporting Data

Topic Description
Function Compress the data of a single day (midnight to midnight, typically - yesterday) Â into an encrypted file and send it to the aggregator (or to
an external repository on Archive).
Schedule Executed on a daily basis.
Starts immediately after midnight (00:10) to include full dayâ€™s data.
Assumed to take up to 2 hours to complete (Average â€“ dependent on amount of data).
High Level Process Create a temporary database.
Load the relevant data (last dayâ€™s activity) to the tmp db.
Update auto-increment IDs in tmp db to ensure uniqueness.
Create an encrypted compressed export file of the tmp database.
Copy the export file to the aggregator (or to an external repository on Archive).
To export data to an aggregation appliance, follow the procedure. You can define a single export configuration for each Guardium unit.
1. Click Manage > Data Management > Data Export to open Data Export.
2. Check the Export box as this will open additional options for exporting data.
3. In the boxes following Export data older than, specify a starting day for the export operation as a number of days, weeks, or months prior to the current day, which
is day zero. These are calendar measurements, so if today is April 24, all data captured on April 23 is one day old, regardless of the time when the operation is
performed. To archive data starting with yesterdayâ€™s data, enter the value 1.
4. Optionally, use the boxes following Ignore data older than to control how many days of data will be archived. Any value specified here must be greater than the
Export data older than value, so you always export at least two days of data. If you leave the Ignore data older than blank, you export data for all days older than the
value specified in the Export data older than row; It is recommended to always set the Ignore older than value, otherwise you will be exporting the exact same days
over and over again; overloading the network and the aggregator with redundant data (that will be ignored).
5. The Export Values box is checked by default. In some cases, where the collector resides in a country that prohibits the export of data, and the aggregation
appliance resides in another country, you would want to clear the Export Values check box, which would mask all fields containing database values.
6. In the Host box, enter the IP address or DNS host name of the aggregation appliance to which this systemâ€™s encrypted data files will be sent. There is also an
option to enable a secondary aggregation for export data over more then one aggregator. There are two Host boxes available, the first one is required, while the
Secondary Host is an option. This unit and the aggregation appliance to which it is sending data must have the same System Shared Secret. If not, the export
operation works, but the aggregation appliance that receives the data is not able to decrypt the exported file and the Import will fail. See System Shared Secret in
System Configuration for more information. The Shared Secret is required to be identical on both exporting system and receiving system. The reason for this is that
unless they have same shared secret, the configuration on the exporting system will not be set and there will be a message for a test file that can not be sent to the
receiving system.
8. Click the Save button to save the export and purge configuration for this unit. When you click the Apply button, the system attempts to verify that the specified
aggregator host will accept data from this unit. If the operation fails, the following message is displayed and the configuration will not be saved: A test data file
could not be sent to this host. Please confirm the hostname or IP address is entered correctly and the host is online.
9. Click Run Once Now to run the operation one time.
Stopping Export
To stop the export of data to an aggregation appliance:
1. Click Manage > Data Management > Data Export to open Data Export.
2. Clear the Export checkbox.
3. Click Save.
Note: Stopping an export after the Run Once Now button has been clicked is impossible.
Importing Data
The Guardium collector units export encrypted data files to another Guardium appliance configured as an aggregation appliance. The encrypted data files reside in a
special location on the aggregation appliance until the aggregation appliance executes an import operation to decrypt and merge all data to its own internal database.
Note: To avoid the possibility of importing files that have not completely arrived, the aggregation appliance will not import files that have changed in the last two minutes.
Table 3. Importing Data
Topic Description
Function Import and merge the imported data into the internal databases of the Aggregator.
Schedule Executed on a daily basis. Do not run more than once a day.
Starts at 02:00 (or after export has ended).
Assumed to take up to 3 hours to complete.
High Level Process (for each Construct the delete command for each purged table (tables and the purge conditions defined in AGG_TABLES).
purged day)
Execute the delete commands for each of the tables.

Follow the procedure to define the Data Import operation on an aggregation appliance. You can define only a single Data Import configuration on each unit.
1. Click Manage > Data Management > Import to open Import.

2. Check the Import checkbox which causes the appearance of an additional non-modifiable field indicating the location of the data files to be imported.
3. Click Apply to save the configuration. The Apply button is only available when you toggle the Import data from checkbox on or off.
5. Click Modify Schedule to schedule the operation to open the general-purpose task scheduler and run on a regular basis. This aggregation appliance and all units
exporting data to it must have the same System Shared Secret. If not, the export operations will still work, but the aggregation appliance will not be able to decrypt
the files of exported data.
Stopping Import
To stop importing data sent from other Guardium units:
1. Click Manage > Data Management > Import to open Import.

2. Clear the Import data box.
3. Click Apply to save the configuration. Stopping importing does not stop other Guardium units from exporting data to this system. To stop that, you must stop the
Export operation on each sending unit.
Note: Stopping an import once the RUN ONCE NOW button is clicked is impossible.
Archiving and Purging

Archiving and purging data on a regular basis is essential for the health of your Guardium system. For the best performance, we strongly recommend that you archive and
purge all data that is not needed. Important - purge to free disk space. For example, if you only need three moths of data on the Guardium appliance, archive and purge all
data that is older than 90 days.
The archive and purge process frees space and preserves information for future use. You should periodically archive and purge data from standalone units and from
aggregation units. The Guardiumâ€™s archive function creates signed, encrypted files that cannot be tampered with. Archive files are transferred and stored on external
systems such as file servers or storage systems.
Note:
If both Archive and Purge are scheduled, Purge will run after Archive.
Data that was archived on a collector can be restored either on another collector or an aggregator server. Restoring of data that was archived on an aggregator to a
collector machine is not supported.
Archiving data on aggregator system - on the first day of the month, all static tables are archived. On all other days, only additional data added to archived data will be
archived. This methodology is the same as used by collectors. Adding the static tables to the normal purge process eliminates the existence of orphans, freeing up disk
space and improving report performance.
Archive and export of static tables on an aggregator includes full static data only on the first day of the month (archive) or when the export configuration changes (export).
Use the CLI commands, store archive_table_by_date [enable | disable] or show archive_table_by_date. Other relevant CLI commands are store aggregator clean orphans
or show aggregator clean orphans.
Scheduling Data Management tasks - Default schedule times are supplied when the unit is built and these can be amended accordingly. The Data Management tasks
should be scheduled at less busy times, for example, overnight. They should be spaced out so as not to overlap (for example, the start of one task should not run into the
start of another before finishing.)
Aggregator Data Archive, when dealing with an Aggregator/ Central Manager that performs Data Imports and Data Archives. A default or common setting is to have the
Data Archive perform an Archive of data older than one day ignoring data older than two days. If it happens that the Data Archive is scheduled to run BEFORE the Data
Imports from other Collector(s)/Aggregator(s), then the Archive will NOT contain the Imports meant for that days Archive. Imagine the following schedule: Data Archive to
run at 30 minutes past Midnight; Data Imports to run at 6:00 AM for data older than 1 day - ignoring older than 2 days. When the Archive happens - it will not Archive any
relevant yesterday data - no Imports for that days data have yet occurred. In this example, the Data Archive should be re-scheduled to occur AFTER the Data Import(s)
have finished. This way the Archive would correctly contain data for yesterday.
Table 4. Archiving and Purging Data

Topic Description
Purge Function Delete old records from appliance (typically - older than 60 days) to free up space and speed up access operation to the internal
database.
Purging is based on dates (deleting whole daysâ€™ worth of data), but will not delete records that are still â€œin useâ€ (for example:
open sessions).
Schedule The default purge activity is scheduled every day at 5:00 AM.
Collectors, after the export/archive.
Aggregator, after the import.
Assumed to take up to 2 hours to complete.
High Level Process (for each Purge configuration is used by both Data Archive and Data Export.
purged day)
Use the Purge data older than field to specify a starting day for the purge operation as a number of days, weeks, or months prior to the
current day, which is day zero.

Topic Description
Default Purging The default value for purge is 60 days
The default purge activity is scheduled every day at 5:00 AM.
For a new install a default purge schedule will be installed that is based on the default value and activity
When a unit type is changed between manager managed or back to standalone the default purge schedule will be applied The purge
schedule will not be affected during an upgrade
It may be necessary to run reports or investigations on this data at some point. For example, some regulatory environments may require that you keep this information for
three, five, or even seven years in a form that can be queried within 24-hours. This functionality is supported by the Guardium restore capability, which allows you to
restore archived data to the unit.
The following sections describe how to define and schedule archiving and how to restore from an archive.
Note: The archive and restore operations depend on the file names generated during the archiving process. DO NOT change the names of archived files.
Archive data files can be sent to an SCP or FTP host on the network, or to an EMC Centera or TSM storage system (if configured). You can define a single archiving
configuration for each unit To archive data to another host on the network and optionally purge data from the unit, follow the procedure.
1. Click Manage > Data Management > Data Archive to open Data Archive.
2. Check the Archive checkbox to expose additional fields for the archive process.
3. In the boxes following Archive data older than, specify a starting day for the archive operation as a number of days, weeks, or months prior to the current day, which
is day zero. These are calendar measurements, so if today is April 24, all data captured on April 23 is one day old, regardless of the time when the operation is
performed. To archive data starting with yesterdayâ€™s data, enter the value 1.
4. Optionally, use the boxes following Ignore data older than to control how many days of data will be archived. Any value specified here must be greater than the
value in the Archive data older than field. If you leave the Ignore data older than row blank, you archive data for all days older than the value specified in the Archive
data older than row. This means that if you archive daily and purge data older than 30 days, you archive each day of data 30 times (before it is purged on the 31st
day). Depending on the archive options configured for your system (using the store storage-system CLI command), you may have EMC Centera or TSM options on
your panel. If you select one of those archive destinations, see the appropriate topic.
a. EMC Centera Archive and Backup
b. TSM Archive and Backup
5. Enter the IP address or DNS Host name of the host to receive the archived data
6. In the Directory box, identify the directory in which the data is to be stored. How you specify this depends on whether the file transfer method used is FTP or SCP.
For FTP, specify the directory relative to the FTP account home directory. For SCP, specify the directory as an absolute path.
7. In the Username box, enter the user name to use for logging onto the host machine. This user must have write/execute permissions for the directory specified in the
Directory box.
8. In the Password box, enter the password for the user, then enter it again in the Re-enter Password box.
9. Data Purge
10. Check the Purge checkbox to purge data, whether or not it is archived. When this box is marked, the Purge data older than fields display. It is important to note that
the Purge configuration is used by both Data Archive and Data Export. Changes made here will apply to any executions of Data Export and vice-versa. In the event
that purging is activated and both Data Export and Data Archive run on the same day, the first operation that runs will likely purge any old data before the second
operation's execution. For this reason, any time that Data Export and Data Archive are both configured, the purge age must be greater than both the age at which to
export and the age at which to archive.
11. If purging data, use the Purge data older than fields to specify a starting day for the purge operation as a number of days, weeks, or months prior to the current day,
which is day zero. All data from the specified day and all older days will be purged, except as noted otherwise. Any value specified for the starting purge date must
be greater than the value specified for the Archive data older than value. In addition, if data exporting is active (see Exporting Data to an aggregation appliance), the
starting purge date specified here must be greater than the Export data older than value. There is no warning when you purge data that has not been archived or
exported by a previous operation. The purge operation does not purge restored data whose age is within the do not purge restored data timeframe specified on a
restore operation. For more information, see Restoring Archived Data.
13. Click Save to verify and save the configuration changes. When you click the Save button, the system attempts to verify the specified Host, Directory, Username, and
Password by sending a test data file to that location.
Orphan cleanup on aggregators

When the aggregator includes restored data, orphans cleanup related to the restored data will be set to run according to the expiration date set when data was first
restored.
If any changes are done through GuardAPI commands related to the expiration date, this will not affect the date restored data that is available for Orphans cleanup.
For example: The user restores data and wants to keep this data for 7 days. This means the expiration date of this data will be in 7 days from today and this data will be
available for orphan cleanup after 7 days.
If the expiration date is changed (set to keep the data for shorter/longer period - it won't affect the date this data is available for orphan cleanup. Customer should pay
attention for this especially if they change the expiration period to be longer - in order not to lose data), then the rest of the data on the machine will be available for
orphan cleanup as first designed.
EMC Centera Archive and Backup

To use EMC Centera:
1. Click Manage > Data Management > Data Archive to open Data Export.
2. Click on the Data Archive or System Backup in the Data Management section. Initially, the Network radio button is selected by default, and the Network backup
parameters are displayed
3. Select the EMC Centera radio button. The EMC Centera parameters will be displayed on the panel.
4. In the Retention box, enter the number of days to retain the data. The maximum is 24855 (68 years). If you want to save if for longer, you can restore the data later
and save it again.
5. In the Centera Pool Address box, enter the Centera Pool Connection String; for example: 10.2.3.4,10.6.7.8/var/centera/profile1_rwe.pea

6. Click Upload PEA to upload a Centera PEA file to be used for the connection string.
7. Click Save to save the configuration. The system will attempt to verify the Centera address by opening a pool using the connection string specified. If the operation
fails, you will be informed and the configuration will not be saved.
TSM Archive and Backup

When you select TSM as an archive or backup destination, the TSM portion of the archive or backup configuration panel expands. Before setting TSM as an archive or
backup destination, the Guardium system must be registered with the TSM server as a client node. A TSM client system options file (dsm.sys) must be created (on your PC,
for example) and uploaded to Guardium. Depending on how that file is defined, you may also need to upload a dsm.opt file. For help creating a dsm.sys file for use by
Guardium, consult with your companyâ€™s TSM administrator. To upload a TSM configuration file, use the CLI command, import tsm config.
The TSM (or Spectrum Protect client) lifecycle is defined by the Spectrum Protect product terms.
To use TSM:
2. Select the TSM radio button. The TSM parameters will be displayed on the panel.
3. In the Password box, enter the TSM password that this Guardium unit uses to request TSM services, and re-enter it in the Re-enter Password box.
4. Optionally enter a Server name matching a servername entry in your dsm.sys file.
5. Optionally enter an As Host name.
6. Click Save to save the configuration. When you click the Apply button, the system attempts to verify the TSM destination by sending a test file to the server using the
dsmc archive command. If the operation fails, you will be informed and the configuration will not be saved.
Stopping Archiving and Purging

2. Clear the Archive or Purge box.
3. Click Save.
Verify Archiving and Purging Process

1. Click Reports > Guardium Operational Reports > Aggregation/Archive Log to open the Aggregation/Archive Log.
2. Check to ensure that each Archive/Purge operation has a status of Succeeded.
Reporting on Aggregation and Archiving Activity

1. Navigate to Manage > Reports > Data Management > Aggregation/Archive Log to open the Aggregation/Archive Log.
2. Define a query and build a report.
Restoring
As described previously, archives are written to a SCP or FTP host, or to a Centera or TSM storage system. To restore archives, you must copy the appropriate file(s) back to
the Guardium system on which the data is to be restored. There is a separate file for each day of data. Depending on how your archive/purge operation is configured, you
may have multiple copies of data archived for the same day. Archive and export data file names have the same format: <daysequence>-<hostname.domain>-w<run>
datestamp>-d<data_date>.dbdump/TAR file. To restore file for archived data (and not backup system), you need to use the GUI screen called Catalog Archive. The archive
and restore operations depend on the file names generated during the archiving process. DO NOT change the names of archived files. If a generated file name is changed,
the restore operation will not work.
For example: 732423-g1.guardium.com-w20050425.040042-d2009-04-22.dbdump/TAR file.
Unless you are restoring data from the first archive created during the month, you will need to restore multiple days of data. That is because when restoring data,
Guardium needs to have all of the information that it had when the data being restored was archived. After the archive was created, some of that information may have
been purged due to a lack of use. All information needed for a restore operation is archived automatically, the first time that data is archived each month. So, when
restoring data, you can restore the first day of the month and all the following days until the desired day or restore the desired day and then the first day of the following
month
For example, to restore June 28th, either restore June 1st through June 28th, or restore June 28th and July 1st.
To restore file for archived data (and not backup system), you need to use the GUI screen called Catalog Archive. The archive and restore operations depend on the file
names generated during the archiving process. DO NOT change the names of archived files. If a generated file name is changed, the restore operation will not work.
1. Click Manage > Data Management > Data Restore to open Data Restore.
2. Enter a date in the From box, to specify the earliest date for which you want data.
3. Enter a date in the To box, to specify the latest date for which you want data.
4. In the Host Name box, optionally enter the name of the Guardium appliance from which the archive originated.
5. Click Search.
6. In the Search Results panel, mark the Select box for each archive you want to restore.
7. In the Don't purge restored data for at least box, enter the number of days that you want to retain the restored data on the appliance.
8. Click Restore.
Troubleshooting
On an escalation to technical support, please supply a detailed log from the time when the problem occurred. Navigate to Manage > Reports > Data Management >
Aggregation/Archive Log and define a report for the time period in question.
Calculating maximum number of Collectors per Aggregator

When a Guardium system is built from an .ISO, a default value of 10 for the maximum number of collectors per aggregator is set.
When a customer upgrades the Guardium system, the system calculates the maximum number of collectors using the following logic:

1. Get number of collectors according to data in internal Guardium table. The default value is 10.
2. If results of step 1 is 0 (no collectors are found), the system sets this value to 10.
3. If a different number of collectors is found, the system will add 20 percent more to the number determined in step 2.
4. For example, if Step 1 did not find any collectors, then Step 2 will set a value of 10, and then Step 3 will add 20% to it and will make it 12.
5. Another example, in Step 1 the system found five collectors exporting to an aggregator. In this case, the value is set to 5. Step 2 is not relevant as result was 5 and
not 0. Step 3 will add 20% to 5 and will set this value to 6.
Parent topic: Aggregation and Central management
Central Management
In a central management configuration, one GuardiumÂ® unit is designated as the Central Manager. That unit can be used to monitor and control other Guardium units,
which are referred to as managed units. Un-managed units are referred to as stand-alone units.
The concept of a local machine can refer to any machine in the Central Management system. There are some applications (Audit Processes, Queries, Portlets, etc.) which
can be run on both the Managed Units and the Central Manager. In both cases, the definitions come from the Central Manager and the data comes from the local machine
(which might also be the Central Manager).
Once a Central Management system is set up, customers can use either the Central Manager or a managed unit to create or modify most definitions. Keep in mind that
most of the definitions reside on the Central Manager, regardless of which machine does the actual editing.
Note:
Using the Remote Source function, a user on the Manager can run any report on the managed unit (the user must have the correct role privileges) and view data and
information of that managed unit.
CAS template definitions are shared between all units of a federated environment just like all other definitions (reports, policies, alerts, etc.)
It is recommended that a user run CAS Reports on a manager, especially CAS Reports relating to CAS configurations, hosts, and templates.
If you use the Custom Domain Builder to create a report that uses some or all remote tables (tables that live on the manager in a Central Manager environment,
such as Datasource or Comments), this report does not work on a managed node. No data will be returned.
The Central Management page of a manager will no longer automatically refresh itself based on a certain interval. This page will timeout based on the GUI timeout
of the system.
After some time of inactivity, the system will log you out automatically and ask you to sign in again. The length of the GUI timeout can be set via the CLI command
show/store session timeout (default is 900 seconds). Status lights will refresh every five minutes when the session is active.
If a user is attempting to synchronize or upload any data from the Central Manager to managed nodes, all nodes that are involved in this type of activity MUST be on
the SAME version of Guardium.
During the Central Management Redundancy Transition, it can take up to five minutes for the Unit type Sync to occur depending on how many units are defined in
the Central Management environment.
Guardium Component Services

Identify Guardium components and the locations from which they are taken in a central management environment.
Implementing Central Management
Make one machine into a Central Manager, connect the other machines into a Central Management system, and register the Managed Units to communicate with
the Central Manager.
Using Central Management Functions
Use Central Management functions to synchronize portal user accounts, monitor managed units, and install security policies on managed units.
Guardium Component Services

Identify Guardium components and the locations from which they are taken in a central management environment.
That unit can be used to monitor and control other Guardium units, which are referred to as managed units. Unmanaged units are referred to as stand-alone units.
Table 1. Guardium Component Services

Users, Roles and Permissions Central Manager controls the definition of users, roles, groups and datamart tables for all managed systems. The Central Manager
exports the complete set of user, security role, group, and datamart tables definitions on a scheduled basis or on demand. The
managed units update their internal databases on an hourly basis. As a result, there might be a delay of up to an hour between the
time users, roles, permissions or datamart tables are added or modified on the Central manager and the time that the managed unit
applies those updates.
Note: If you have GuardiumÂ® users or security roles that are defined on an existing stand-alone unit that is about to be registered for
central management, those definitions will not be available after the system is registered, unless those users and security roles have
also been defined on the Central Manager. You cannot administer users or security roles on a managed unit. Those definitions can be
administered only when logged on to the Central Manager. When a unit is unregistered for central management, all added users and
security roles are removed leaving only the default users (admin, accessmgr). When installing an Accelerator add-in product (PCI,
SOX, etc.), in a Central Manager environment, install it first on the Central Manager and then on the managed unit. Add any roles and
users as required for the Accelerator on the Central Manager (and those will be synchronized with the managed unit from there).
Accelerator documentation is contained within the Accelerator module. See an overview of PCI Accelerator at the end of this
Component Services table.
Aliases and Groups On all processes that automatically generate aliases or groups, for example: import user groups from LDAP, group generation from
queries, alias generation from queries, classifier, etc. if the same group or alias is automatically generated on more than one managed
machine (managed by the same manager), then it might conflict with an existing group or alias, which will not be replaced.

Audit Processes The definitions of the Audit Process itself and all of its corresponding tasks are saved to the Central Manager and available to all
managed units. However, Schedules, Results, and To-Do lists are saved on the local machine. Â This means that the same Audit
Process tasks can be run on all Managed Units, plus the Central Manager. But it can be run at different times on different machines,
which can be useful if the Managed Units have different peak load periods. Each machine has its own set of results, which are based
on the data that the machine has collected; and each machine has its own set of To-Do lists for all users. Audit Process definitions are
exported from the Central Manager to the managed units as part of the user synchronization process (see Synchronizing Portal User
Accounts). When audit process results have been produced, the results are available to users, but on managed units, there might be a
delay of up to an hour before reports or monitors such as Outstanding Audit Process Reviews are updated.
Queries Each query can get only database information from a single machine. Queries that require access information including both Central
Manager definitions and Managed Unit data show no data, or missing data.
Policies Policy definitions are saved on the Central Manager. However, when you install a policy on a Managed Unit, a local copy is made and
saved on the Managed Unit. The reason for that is that the Managed Unit is needed to keep on monitoring the database activity and
using the policy even when the Central Manager is not available for any reason.
Note: Installing a policy on a managed node will not upload this policy to the Central Manager until the Refresh on the Central
Manager is clicked. Versions must be the same between Central Manager and Managed Unit when installing policies else policies will
not install and errors are generated.
Reports Report definitions are saved on the Central Manager.
When regenerate portlet is called on a Central Manager, it also sends a management (https) request to all managed units to
regenerate the portlet (with the report ID). When regenerate is called on a managed unit - if it is called from the screen (not the
management request), then it should send a management request to the manager to refresh the portlet (this would also send it to all
units). There is a persistence mechanism for management requests for the case a unit is down - see sections within this topic on
registration and policy installation.
From the Central Manager, reports and audit processes can use data from a managed unit but not managed aggregators. The managed
unit is selected as a run-time parameter, is referred to as a remote datasource, and presented as a filtered drop-down selection list
containing only managed units. When an audit process references a remote datasource, that audit process can be run from the Central
Manager only, so it will not appear in a list of audit processes that are displayed on a managed unit.
Note: Certain reports, on a Central Manager, of domain Sniffer Buffer Usage (for example, Request Rate, CPU Usage, Buffer Usage
Monitor) will NOT display any data. The reports will be empty.
Security Assessment Like the Audit Process, the definition of the Security Assessment itself is saved to the Central Manager. But the results are saved on
the local machine. This means that the same Security Assessment can be run on all Managed Units, plus the Central Manager.
Baselines Baselines are always saved on the Central Manager. However, baselines are GENERATED using the logged data that is local to the
machine on which it is generated. Therefore, if you want to include constructs from all Managed Units, you must regenerate the
baseline on ALL Managed Units and merge the new results into the existing baseline.
Comments Comments can be saved on either the local machine or the Central Manager, depending on what the comment is associated with. If
the Comment is associated with a definition that resides on the Central Manager, then it is also saved on the Central Manager. If the
Comment is associated with a Result on the local machine, OR something specific to a Managed Unit (like an Inspection Engine), the
Comment is also saved on the local machine.
Schedules Schedules are always saved on the local machine, even when the definition is saved on the Central Manager.
Non-Central Manager Tasks When a server is configured as a Central Manager, you must be aware of the tasks that cannot be performed on that unit, but rather
must be performed on other (non-Central Manager) units. Inspection engines cannot be defined on the Central Manager and can be
created only on the Managed Units. But Inspection engines can be viewed from the Central Manager.
Upgrade Considerations It is recommended to have your Central Manager and managed units on the same version. The Central Manager should be upgraded
first and then the managed units should follow. Having a manager in a different version than its managed units should be a temporary
thing and it is highly recommended to upgrade all managed units to the same version as the manager. Run Sync (Refresh) on all
managed nodes after upgrading, in order for these managed nodes to recognize the proper software version that they are.

PCI Accelerator for Compliance The PCI Data Security Standard consists of twelve basic requirements. Much of the requirements are focused on protecting physical
infrastructure (for instance, Requirement 1: Install and maintain a firewall configuration to protect data) or implementing procedural
best practices (for instance, Requirement 5: Use and regularly update anti-virus software). However, an extra emphasis is placed on
real-time monitoring and tracking of access to cardholder data and continuous assessment of database security health status (for
instance, Requirement 10: Track and monitor all access to network resources and cardholder data).
Guardium's PCI Accelerator for Database Compliance is tailored to simplify organizational processes that are needed to support these
monitoring and tracking mandates and to allow for cardholder data security. The Accelerator report templates can be customized to
directly reflect specific organizational and regulatory requirements. You can access these templates using the tabs that are provided:
PCI Data Security Standard overview

Plan and Organize
PCI Req. 10: Track and Monitor Access
PCI Req. 11: Regularly Test and Validate
PCI Policy Violations Monitoring
Other tools in the Guardium family of solutions are available to help meeting regulations include the following:
PCI Compliance Report Card - A detailed view of cardholder databases access security health that is used to automate the
compliance processes with continuous real-time snapshots customized for user-defined tests, weights, and assessments. The
Report Card can be generated using security assessment.
Full Audit Trail - The non-intrusive generation of a full audit trail for data usage and modifications that are required by
regulatory compliance.
Automated Scheduling - Automated scheduling of PCI work flows, audit tasks, and dissemination of information to responsible
parties across the organization.
The following table can help identify which components are taken from which location in a central management environment.
Table 2. Components and Location in Central Manager Environment

Central Manager Managed Unit
Users System Configuration
Security Roles Inspection Engines
Application Role Permissions Alerter (configuration)
Queries Anomaly Detection
Reports Session Inference
Time Periods IP-to-Hostname Aliasing
Alerts System Backup
Security Assessments Aggregation / Archiving
Audit Process Definitions Custom Alerting
Privacy Sets Custom Identification Procedures
Baselines Exported csv Output
Attention: The Baseline Builder and related functionality is deprecated starting with
Guardium V10.1.4.
Policies Schedules
Groups DB Auto-discovery Configurations
Aliases Audit Process Results
Users, Security Roles, Audit Process Definitions, and Groups are exported from the Central Manager to all managed units on a scheduled basis, as described later.
From the Central Manager, the administrator can:
Register Guardium units for management

Monitor managed units (unit availability, inspection engine status, etc.)
View system log files (syslogs) of managed units
View reports using data on managed units
View main statistics for managed units
Install Guardium security policies on managed units
Restart managed units
Manage Guardium inspection engines on managed units
Maintain the complete set of Users, Security Roles, Groups, and Application Role Permissions that are used on all managed systems
Patch distribution
Distribute Uploaded JAR files
Distribute Patch Backup Settings
Distribute Authentication Config
Distribute Configurations
Note: Application Role Permissions can also be changed by the administrator from any managed unit. When this happens, the permissions are changed for all managed
units.
Parent topic: Central Management

Implementing Central Management
Make one machine into a Central Manager, connect the other machines into a Central Management system, and register the Managed Units to communicate with the
Central Manager.
Implementing Central Management in a New Installation

Implementing Central Management in an Existing Installation
If the Central Management Unit is unavailable

Make one Machine the Central Manager, use the same shared secret, register units, and group managed units.
Implement Central Management in an existing Guardium environment and migrate a CAS collector with active instances to be managed.

Make one Machine the Central Manager, use the same shared secret, register units, and group managed units.
Make one machine the Central Manager

The first thing is to make one machine into a Central Manager. Select a machine. Then, complete the following steps.
1. Log in to the CLI of the Machine that you want to make the Central Manager.
2. Enter store unit type manager. This step makes the machine a Central Manager; however, it is not yet managing anything.
Use the Same Shared Secret

After you have a Central Manager, you must connect the other machines into a Central Management system. For security reasons, it is a requirement that the
communications between the machines be encrypted by using the same shared secret. To do this step, do the following action items.
1. Click Setup > Tools and Views > System to open System.
2. Set the shared secret to the same string on all systems.
Registering Units
Register managed units to communicate with the Central Manager.
Unregistering a Managed Unit
When a unit is unregistered, always unregister from the Central Manager. This method is the only way that the Central Manager decrements its count of managed
units.
Synchronizing Portal User Accounts
Manage portal user synchronization by using the Central Manager.
Parent topic: Implementing Central Management
Registering Units
Register managed units to communicate with the Central Manager.
You can register Guardium units for central management either from the Central Manager or from the unit itself. Regardless of how the registration is done, the Central
Manager and all managed units must have the same system shared secret. If the unit to be managed is already registered for central management with another manager,
unregister the unit from that central manager before you register it with the new manager. Be sure to understand exactly what happens to that unit when it is registered
and unregistered for central management.
Note: If the user that is logged in to a managed unit does not exist on the Central Manager, the session is invalidated. It remains invalidated until the unit is registered with
a Central Manager.
What Happens during Registration

The following actions happen on registration.
The unit type is set to managed and manager IP is stored.

Product key of manager is applied. (License key is not propagated with Ping or User sync. It is sent on registration or when the system refreshes.)
All job scheduling is reset to default.
All psml files (portal GUI customizations) are removed.
All local users and roles are removed.
List of threshold alerts that is not be evaluated is reset.
Users roles, permissions from manager are loaded.
Custom classes, user uploaded JARs, LDAP truststore from manager are uploaded.
Database connection from managed to manager is enabled.
Database connection from manager to managed is enabled.
CAS listener is started if needed.
After registration all definitions of reports, queries, groups, policies, audits, and more are retrieved from the Central manager.
If the Registered Unit Status Remains Offline

If you know the unit that is registered is online and accessible from the Central Manager, but its status remains offline, then complete the following steps.

Verify that the unit to be managed is online, accessible, and operational by using a browser window to log in to the Guardium system on that unit.
Click Refresh for the unit.
Check that you entered the correct IP address for the unit.
Check that the unit has the same shared secret as the Central Manager.
Note: If the registration of a unit is offline, the registration request persists. It is resent to the IP/port specified on a set interval until the unit registers. A registration
request that does not succeed expires after seven days.
Registering from a Managed Unit

On a managed unit, you can use the GUI to register the unit with the Central Manager. Otherwise, you can use the CLI register command as described in Registering a
Managed Unit with the CLI.
1. Click Setup > Central Management > Registration and Load Balance to open Central Management Registration.
2. For Host IP, enter the IP address of the Central Manager.
3. For Port, enter the https port for the Central Manager (usually 8443).
4. Click Register.
After you register on the managed unit, it initiates communication with the Central Manager, and nothing more needs to be done.
Note: The central management unit must be online and accessible by this unit when you register for central management. In contrast, when you register units for
management from the central management unit, you can register units that are not currently accessible.
Registering a Managed Unit with the CLI

1. On the managed unit, log in to the CLI.
2. Type register management <Manager IP> <Manager Port>
After you register on the managed unit, it initiates communication with the Central Manager, and nothing more needs to be done.
Registering units from the Central Manager

You can register units that are not currently accessible.
1. Navigate to Manage > Central Management > Central Management to open Central Management.
2. Click Register New. The unit Registration page opens.
3. Enter the Unit IP and port, and click Save. The Central Management page refreshes with the new unit.
Parent topic: Implementing Central Management in a New Installation
Unregistering a Managed Unit

When a unit is unregistered, always unregister from the Central Manager. This method is the only way that the Central Manager decrements its count of managed units.
Unregistering from the managed unit does NOT unregister the unit on the Central Manager. The Central Manager still counts that unit as a managed unit for licensing
purposes and treats the unit as managed. It might not allow another unit to be registered with the Central Manager. The unregister function on the managed unit is
included for emergency use ONLY. If a manager is no longer in service, then you must unregister the unit before you can register it to another manager.
If you unregister a unit from the managed unit, it still shows on the Central Manager screen. Pressing refresh for that unit reregisters it. Pressing any other operation for
that unit gives out a message that the unit is no longer managed and removes it from the manager.
On a managed unit, you can use the GUI to unregister the unit with the Central Manager. Also, you can use the CLI unregister command as described in Unregistering a
1. Log in as admin to the Guardium UI of the unit to be managed.

2. Click Set > Central Management > Registration and Load Balance to open Central Management Registration.
3. Click Unregister.
What Happens during Unregistration

The following actions take place upon unregistration.
The unit type is set to standalone.

The manager IP is cleared.
The product key is cleared (license is null until registration to new manager or a license is loaded manually).
The list of threshold alerts that is not evaluated is reset.
All job scheduling is reset to default.
Psml files are removed.
All users but the default users (admin, accessmgr) are removed.
The database connection from managed to manager is disabled.
The GUI is restarted.
After unregistration all definitions of reports, queries, groups, policies, audits, and more are retrieved from the local database, the definitions that are stored on Central
Manager are no longer accessible.
If you are unsure about how to verify, contact Guardium Support before you unregister the unit.
Unregistering a Unit from the Central Manager

1. Log in, as admin, to the Central Manager.
2. Click Manage > Central Management > Central Management to open Registration.
3. Mark the check box for the managed unit you want to unregister.

Unregistering a managed unit from the Central Manager screen removes it from the managed unit list and sets the unit to be a stand-alone unit.
Note: The product key of the unit is removed and unless the unit is registered to another manager the product key is placed in manually.
Unregistering from a Managed Unit

On a managed unit, you can use the UI to unregister the unit with the Central Manager. Also, you can use the CLI unregister command as described in Unregistering a
1. Log in, as admin, to the managed unit.

2. Click Setup > Central Management > Registration and Load Balance to open Registration.
To unregister a Managed Unit by using the CLI, complete the following steps.
1. On the Managed Unit, log in to the CLI.

2. Enter unregister management.
After you have unregistered from the Managed Unit, it severs communication with the Central Manager, and nothing more needs to be done.
Synchronizing Portal User Accounts

Manage portal user synchronization by using the Central Manager.
About this task

As mentioned earlier, the Central Manager controls the definition of Users, Security Roles, Groups, and datamart tables for all managed units. The Central Manager makes
an encrypted and signed copy of its complete set of User and Security Roles. In addition, the Central Manager transmits that information to all managed units.
Furthermore, some other definitions that are required for local processing (Groups and Group members, Audit processes, Aliases, and more) are also copied. The
managed units then update their internal databases on an hourly basis. This process means that there might be a delay of up to an hour before using these roles or
datamart tables.
A full user synchronization cycle occurs on registration or by pressing Refresh from the Central management screen. In both cases, the synchronized information is sent
from the manager and loaded on the managed units immediately.
Note: Use caution when setting the schedule so that it does not interfere with other scheduled jobs like Import which can fail to start.
Procedure
Click Manage > Central Management > Portal User Sync to manage portal user synchronization.
a. Click Modify Schedule to change the user synchronization task schedule by using the standard task scheduler.
b. If the task is actively scheduled, click Pause to stop further scheduled executions.
c. If the task is paused, click Resume to start running the task again (according to the defined schedule).
d. Click Run Once Now to run the synchronization task immediately.
Note: The task that is scheduled or Run Once Now refers to the collection of data and its transmission to the managed units only. The managed units might not use
that data to update their user tables until up to 1 hour after it is received.

Implement Central Management in an existing Guardium environment and migrate a CAS collector with active instances to be managed.
In an existing Guardium environment, refer to the procedure outlined to develop a plan for implementing central management. If you are converting an existing Guardium
unit to a Central Manager, keep in mind that a Central Manager cannot monitor network traffic. For example, inspection engines cannot be defined on a Central Manager.
1. Select a system shared secret to be used by the Central Manager and all managed units. For more information, see the system shared secret in System
Configuration.
2. Install the Central Manager unit or designate one of the existing systems as the Central Manager. In either case, use the store unit type command to set the
manager attribute for the Central Manager.
3. Any definitions from the stand-alone unit that you want to have available in the central management environment must be exported before the stand-alone unit is
registered for management. Later, those definitions are imported on the Central Manager. BEFORE exporting or importing any definitions, follow the procedure that
is outlined for each stand-alone unit that is to become a managed unit. Read through the introductory information under Export/Import Definitions.
Decide which definitions from the standalone system you want to have available after the system becomes a managed unit. Ignore any components on the
stand-alone system you do not want to have available.
Compare the security roles and groups that are defined on the stand-alone unit with those defined on the Central Manager. Under central management, a
single version of these definitions applies to all units. If a security role with the same name exists on both systems and it is used for different purposes, add a
new role on the Central Manager and assign the new role to the appropriate definitions after they are imported.
If the same group name exists on the stand-alone unit and the Central Manager but it has different members, create a new duplicate group on the stand-
alone system, taking care to select a group name that does not exist on the Central Manager. In all of the definitions to be exported, change the old group
name references to new group name references.
All security roles that are assigned to all definitions that are exported from the stand-alone system. When definitions are imported, they are imported
WITHOUT roles, so you must add them manually.
Check the application role permissions on each system. If any security roles assigned to an application on the stand-alone unit are missing from the Central
Manager, add them to the Central Manager.

Export all definitions from the stand-alone system that you want to have available after the system becomes a managed unit. (See Export/Import Definitions)
Do not export users or security roles. If you are unsure about a definition, export it in a separate export operation so that you can decide in the future
whether to import that definition to the Central Manager. After you register for central management, none of the old definitions from the stand-alone unit are
available.
On the stand-alone unit, create PDF versions audit process results and store them in an appropriate location. Under central management, only the audit
results produced under central management are available.
On the stand-alone unit, instruct all users to remove all portlets that contain custom report, and to not create any new reports until the conversion to central
management is complete.
On the Central Manager, manually add all users from the stand-alone unit.
On the stand-alone unit, delete all user definitions except for the admin user (which cannot be deleted).
Register the stand-alone unit for central management. See Registering Units for Central Management.
On the Central Manager, import all definitions that are exported from the stand-alone system. Check to make sure that references to included items
(receivers in alert notifications, for example) are correct. Reassign security roles, as necessary, to all imported definitions.
Inform users of the managed unit that they must use the Report Builder application to regenerate the portlets for any custom reports they want to display in
their layouts.
Migrating a stand-alone CAS collector to managed

Use the following steps when you migrate a CAS collector with active instances to managed.
1. Export the CAS host definitions from the stand-alone collector.

2. Manage the stand-alone collector.
3. Restart the CAS host from the GUI of the now managed collector.
4. Import the CAS host definition to the manager.
5. Restart the CAS host from the GUI of the managed collector again.
After these steps are performed, the CAS collector has the same instances and monitor the same files that it did when it was a stand-alone.
Note: The CAS data that was collected when it was a standalone is deleted. There is no collected CAS data unless a file changes.
Parent topic: Implementing Central Management
Using Central Management Functions

Use Central Management functions to synchronize portal user accounts, monitor managed units, and install security policies on managed units.
Deployment health views

The deployment health views gather and display information about your entire Guardium environment in powerful, easily consumed graphical views.
Enterprise load balancing
The enterprise load balancer dynamically allocates managed units to S-TAP agents based on system load and availability.
Deployment inventory
The inventory view provides centralized view of all database servers and any installed S-TAPs or GIM clients.
Resource deployment view
The resource deployment view provides a centralized view of all database servers and their associated collectors, aggregators, and central managers.
Creating managed unit groups
Organize managed units into groups and then take actions on those groups.
Monitoring Managed Units
Monitor managed units by using Central Management.
Installing Security Policies on Managed Units
Install a security policy on a manage unit.
Central Patch Management
Provide visibility and control over patch installation, status, and history.
Working with configuration profiles
Configuration profiles allow you to define configuration and scheduling settings from a central manager and distribute those settings to managed unit groups
without altering the configuration of the central manager itself.
Distribute Configuration
Configurations and their schedules, can be distributed, either all or individually, between the Central Manager and the managed units.
Distribute Authentication Configuration
Instead of configuring authentication on each appliance separately, Central Management authentication (Configure Authentication) can be configured once on the
central manager and then distributed to all managed units. This way, information is entered once and it applies to some or all units; some of the units may have a
different type of authentication.
Central Manager Redundancy
Use Central Manager Redundancy or Backup Central Manager (CM) to configure a secondary or backup CM in case the Primary CM becomes unavailable.
Deployment health views

The deployment health views gather and display information about your entire Guardium environment in powerful, easily consumed graphical views.
The deployment health views help you investigate system-utilization trends and quickly identify ailing or down systems. These views decrease reaction times and reduce
risks from problems in your Guardium deployment. The deployment health views are designed to work together by consolidating several different sources of information
into unique but related views.
Deployment health topology and table views
The deployment health topology and table views show the data flow relationships between systems in your environment. These views make it easy to identify
problematic systems and investigate the underlying issues.
Access the topology view by navigating to Manage > System View > Deployment Health Topology. Access the table view by navigating to Manage > System View >
Deployment Health Table.

Deployment health dashboard
The deployment health dashboard provides an at-a-glance summary of issues that are found across a Guardium deployment. The dashboard is especially useful for
identifying patterns and trends in the health data before investigating individual systems where problems are identified.
Access the dashboard by navigating to Manage > System View > Deployment Health Dashboard.
The following table summarizes the types of data available to each of the deployment health views.
Table 1. Summary of deployment health views

Â Dashboard Topology Table
Unit utilization
Correlation alerts Â Â
Self-monitoring Â Â
System requirements Â Â
Aggregation Â
Inspection engines (S-TAP verification Â Â

data)
Connectivity Â
S-TAP connectivity Â Â
Attention: The deployment health views present data gathered from an entire Guardium environment and are only available from a central manager.
Configuring a central manager for the deployment health views

To use the deployment health views, enable the collection of unit utilization data, configure correlation alerts, and configure data import and export for your
environment.
Learn more about how the deployment health topology and table views present the configuration of your Guardium environment and its data.
Learn more about how the deployment health dashboard presents data from your entire Guardium deployment.
Scenario: Troubleshooting overloaded systems using the deployment health topology view
This topic describes using the deployment health topology view to identify and fix an overloaded system in your environment.
Parent topic: Using Central Management Functions

To use the deployment health views, enable the collection of unit utilization data, configure correlation alerts, and configure data import and export for your environment.
About this task

From a central manager, the deployment health views display data from across a Guardium environment. The ability to display data about an entire deployment requires
the collection of unit utilization data, the configuration of correlation alerts, and that data import, export, and S-TAP verification is correctly configured. For a summary of
data that is displayed on the deployment health views, see Deployment health views.
It is likely that your deployment is already configured to support the deployment health views. Verify the configuration steps that are described in this procedure if you
notice any of the following issues on any of the deployment health views:
CM buffer usage report not scheduled

Unit utilization report not scheduled
Export not scheduled
Import not scheduled
No issues found
Status unavailable
Procedure
1. Configure the collection and processing of unit utilization data from the central manager. For more information, see Configuring unit utilization data processing.
2. Enable correlation alerts for inclusion on the deployment health dashboard.
a. Open Protect > Database Intrusion Protection > Alert Builder.
b. Select an existing alert and click the icon, or create a new alert by clicking the icon.
c. Provide a Category for the alert. Alerts without a specified category are displayed as Uncategorized.
d. Select the View in deployment health dashboard check box to include the alert on the dashboard.
Attention: Alerts must have the Severity set to LOW, MED, or HIGH to be included on the deployment health dashboard.
For more information about defining alerts, see Building alerts.
3. Configure data import and export from the central manager. For more information, see, Aggregation.
Tip: Use the distribute configuration profiles tool to simplify the process of configuring data import and export for a Guardium deployment. For more information,
see Working with configuration profiles.
4. Configure S-TAP verification for all supported S-TAPs. For more information, see Windows Inspection engine verification and UNIX Inspection engine verification.
Results
After you complete the configuration procedures and allow the data to update, the deployment health topology and deployment health table views will predominately
show status except for systems with preexisting health issues. The deployment health dashboard will include any preexisting unit utilization issues and begin showing
new correlation alert conditions.

When altering the unit utilization or data import and export schedules, wait up to 1 hour to allow the deployment health views to update with new information. The
availability of new correlation alert data depends on the notification frequency that is specified for an alert.
Parent topic: Deployment health views

Related concepts:
Aggregation
Related tasks:
Configuring unit utilization data processing
Correlation Alerts

Learn more about how the deployment health topology and table views present the configuration of your Guardium environment and its data.
The deployment health topology view is accessible from any central manager and provides an at-a-glance visualization of the entire Guardium environment that is
connected to that central manager. In addition to showing relationships between nodes in the environment, the deployment health topology view also provides health
information about all connected aggregators, collectors, and S-TAPs. Several investigation and resolution actions are available directly from the deployment health
topology view to help quickly address health issues that are discovered in your environment.
The default deployment health topology view is a data flow view that shows the data import and export relationships between aggregators and managed units. Open the
deployment health topology view at Manage > System View > Deployment Health Topology.
A sortable table view of the deployment health data is also available at Manage > System View > Deployment Health Table.
Data availability
Several factors influence that availability of system data and how that data is displayed on the deployment health topology and table views. For information about
configuring your system to use the deployment health views, see Configuring a central manager for the deployment health views.
Types of data
When correctly configured, the deployment health topology and table views display data that is collected from several different sources. The specific types of data
that are displayed depend on the unit type, as summarized in the following sections.
Connectivity
The connectivity category indicates whether systems in a Guardium environment are able to communicate.
Applies to central managers, aggregators, collectors, and S-TAPs

Examples include unit not responding and S-TAP not responding
Unit utilization
The unit utilization category provides information about how heavily Guardium systems are being loaded.
Applies to central managers, aggregators, and collectors

Examples include CPU load, free buffer space, and MySQL disk usage
For more information, see Unit Utilization Level.
Aggregation
The aggregation category provides information about data import and export flow between Guardium systems.
Applies to central managers (if configured as aggregators), aggregators, and collectors

Examples include import failed, export failed, and export not scheduled
For more information, see Predefined admin reports and Aggregation.
Inspection engines
The inspection engines category provides S-TAP verification information.
Applies to S-TAPs
Examples include S-TAP verification failed
For more information, see Configuring the S-TAP verification schedule, and Viewing S-TAP verification results.
Click the icon to open the Customize Settings dialog to define the types of data shown on the deployment health topology and table views.
Data latency
Several preset and user-defined schedules determine the latency of data that is displayed on the deployment health topology view. These schedules are
summarized in the following table.
Table 1. Deployment health topology view data latency

Health Node type Latency
category
Connectivity Aggregator or collector Less than 15 minutes
Connectivity S-TAP Less than 15 minutes if enterprise load balancing is enabled
Less than 1 hour if enterprise load balancing is not enabled

Health Node type Latency
category
Aggregation Central manager, aggregator, or Less than 1 hour

collector
Verification S-TAP Less than 1 hour
Unit Central manager, aggregator, or 1 - 2 hours, based on the recommended configuration. For more information, see Configuring unit utilization
utilization collector data processing.
Observe the following latencies for specific environment and configuration changes:
Newly registered aggregators or collectors become available to the deployment health views within 15 minutes.
Deleting the data export schedule or data export configuration from a collector are reflected on the deployment health views within 2 hours.
Data presentation
Health status
The deployment health topology view displays three categories of health information for Guardium systems: connectivity, unit utilization, and aggregation. Metrics
under these categories are assigned one of the following health statuses: status unavailable (least severe), no health issues, low severity, medium severity, and high
severity (most severe). The overall status is determined by the most severe status of any individual metric included under any of the health categories being
displayed. Data that has been excluded using the Customize Settings dialog is not used for determining the overall status of a system.
For example, if the Restarts metric under the Unit utilization category is assigned a High severity status, but no health issues exist under another category, the
Overall status for that system is High severity. This behavior ensures that the most severe condition is always visible at-a-glance as the overall status of a system.
At the Manage > System View > Deployment Health Topology view, detailed statuses for the available health categories are only displayed when at least one low,
medium, or high severity issue is found.
At the Manage > System View > Deployment Health Table view, detailed statuses for the available health categories are always displayed.
Health status roll-up
The deployment health topology view implements a health status roll-up strategy to efficiently display health information for an entire Guardium environment.
Using this strategy, child nodes are collapsed under their parent nodes, and the child's health status is rolled-up to the parent. The rolled-up status is expressed as
a small icon attached to the parent node.
Attention: Health status roll-up is only supported for S-TAP nodes rolling-up status to their parent collector.
For example, indicates a collector with no health issues, but the small red circle indicates that one or more S-TAPs that are associated with that collector has
high severity issues. Clicking the collector expands the node and reveals the associated S-TAPs and their health status. For example,
indicates four S-TAPs that are associated with the collector: two S-TAPs have high severity health issues, and two S-TAPs have low severity health issues.
Only the most severe status is rolled-up from the child to the parent node when the child nodes are collapsed. In the previous example, the parent node shows a
small red circle because one or more of its children has high severity issues. However, if one or more child nodes contain low severity issues but all the other child
nodes have no health issues, the parent node would display a small yellow circle.
Deployment presentation
Some deployment configurations display unexpectedly on the deployment health topology view. Several of these configuration scenarios are described in the following
sections.
Managed units before Guardium V10.1.3

Managed units before Guardium V10.1.3 may display incorrect or inconsistent unit utilization data when connected to a central manager at or after V10.1.3. To
correct the problem, log in to the CLI of the central manager and run the following command for each managed unit:
grdapi change_tracker_reset host=[managed unit host name or IP address]
Best practice: In a managed environment, it is recommended that all units operate at the same Guardium version level.
Managed units before Guardium V10.1
Managed units before Guardium V10.1 display Status unavailable under the Aggregation health section when viewed from either the Deployment Health Topology
page or the Deployment Health Table.
Best practice: In a managed environment, it is recommended that all units operate at the same Guardium version level.
Unsupported S-TAPs
The deployment health topology view displays any S-TAPs that are configured for S-TAP verification or that participate in enterprise load balancing. If an S-TAP
cannot be configured for S-TAP verification or to participate in enterprise load balancing, the S-TAPs will not be displayed.
S-TAP load balancing
If S-TAP load balancing is configured with the participate_in_load_balancing parameter and an S-TAP is configured to balance traffic across multiple collectors, the
deployment health topology view displays that S-TAP as a child node of each collector. For example, if S-TAP 1 is load balancing with Collector A and Collector B,
both Collector A and Collector B display S-TAP 1 as a child in the deployment health topology view.

Unmanaged units
If a collector exports data to a central manager or to an aggregator that is configured as a central manager, but that collector is not designated as a managed unit of
that central management cluster, the Overall status of the collector in the deployment health topology view is shown as Health status unavailable. No additional
information about the collector is made available through the deployment health topology view unless the collector is designated as a managed unit of the central
manager.
Collector exporting data to primary and secondary hosts
When a collector is configured to export data to both primary and secondary hosts, only the primary host is used for the deployment health topology view.

Related tasks:

Learn more about how the deployment health dashboard presents data from your entire Guardium deployment.
Data availability
Several factors influence that availability and latency of health data and how that data is displayed on the deployment health dashboard. The following table summarizes
the data included on the dashboard, trigger criteria, and data latency and purge information.
Table 1. Summary of deployment health dashboard data
Data source Information type Trigger criteria Data latency Data purge interval
System System configuration, such System does not meet Updated whenever the user-interface server Not applicable
resources as CPU cores, system minimum requirements is started or restarted
memory, /var disk capacity
Unit Unit utilization data such as Value exceeds unit utilization Updated within 1 - 2 hours, based on the Unit utilization data is purged after 60 days
utilization sniffer restarts, MySQL disk thresholds recommended configuration. For more
usage, and CPU load. information, see Configuring unit utilization Sniffer buffer usage data is purged after 14
data processing. days
System self- MySQL disk usage and Usage meets or exceeds Updated every 5 - 10 minutes. High-severity issues are purged after 7 days
monitoring system disk usage default thresholds (75% for
high severity, 90% for critical For high-severity, if the same event occurs Critical issues are never purged
severity) multiple times in a 15 minute period, the
timestamp is updated to reflect the most
recent instance. If the same event occurs
after a 15 minute interval, a new entry is
created with the most recent timestamp.
For critical issues, every instance of an event

is created with a unique timestamp.
Correlation Triggered correlation alerts An alert threshold is reached Updated based on the alert notification Data is purged after 7 days
alerts frequency. For more information, see
Correlation Alerts.
Important:
Only data from systems that are running Guardium V10.1.2 and later are included on the deployment health dashboard.
When you change the host name of a system, preexisting data that is associated with the original host name is no longer displayed on the deployment health
dashboard.
When a primary central manager transfers data to a backup central manager during a failover scenario, up to 30 minutes of data is unavailable to the deployment
health dashboard.
Data presentation
The deployment health dashboard formats and presents data through various tiles or small window-like containers. The following table summarizes the data that is
presented on each dashboard tile.
Table 2. Summary of deployment health dashboard tiles
Â Tile name
Data source Resource Unit utilization Unit Alerts (by category, name, Events High severity Critical
requirements issues utilization severity, or system)
timecharts
System resources Â Â Â Â Â
Unit utilization Â Â Â
System self-monitoring Â Â Â Â
(When usage (When usage

meets or meets or
exceeds 75% exceeds 90%
threshold) threshold)
Correlation alerts Â Â Â Â
The following tiles are displayed by default: alerts by name, critical issues, events timeline, high severity issues, and unit utilization issues.

Dashboard filter
The dashboard filter allows quick filtering of the data based on Guardium systems, issue severity, and time period. Filter settings affect the data displayed on the entire
dashboard unless noted otherwise.
The Guardium systems filter allows filtering the dashboard by unit type or by groups defined at Manage > Central Management > Managed Unit Groups.
By default, the dashboard displays all available issues: low, medium, high, and critical. Use the Severity menu to filter data on the dashboard by severity. Selecting high
filters the entire dashboard to display only high-severity issues. Selecting critical filters the entire dashboard to display only critical issues. It is possible to select both high
and critical issues to filter out all lower-severity data.
Notes:
Outstanding or unresolved critical issues are displayed on the dashboard regardless of the Severity filter setting.
For the unit utilization issues tile, the dashboard Severity filter is based on the overall unit utilization severity. For more information about how unit utilization
severity is assigned, see Unit utilization issues.
The time filter determines the range of data that is displayed on the dashboard. Default settings allow time periods from 1 hour to 3 weeks, but custom time periods are
also supported. The time filter does not apply to critical issues: critical issues are always displayed, regardless of the time filter setting.
Use the Add chart menu to add tiles to the dashboard or replace default tiles that you previously removed.
Dashboard summary
The dashboard summary provides overall counts of health issues that are detected in your Guardium deployment. The Collectors with issues and Aggregators with issues
counts indicate the number of systems--collectors and aggregators--that are detected with health issues. The Critical and High counts indicate the number of issues
detected from all systems that are included on the dashboard.
Note:
The Critical and High counts are not affected by adding or removing tiles from the dashboard.
The counts on the dashboard summary bar reflect the dashboard filter settings.
Alerts by category, name, severity, or system

The deployment health dashboard supports several tiles based on Guardium correlation alerts: Alerts by category, Alerts by name, Alerts by severity, and Alerts by system.
Add correlation alert tiles to the dashboard by using the Add chart menu.
Correlation alerts must be explicitly configured for inclusion on the deployment health dashboard. For information about configuring alerts for the dashboard, see
Configuring a central manager for the deployment health views.
Resource requirements
The resource requirements tile indicates whether systems in a Guardium deployment meet the minimum hardware requirements for CPU, memory, and /var disk capacity.
Any system resource that does not meet the minimum requirement is designated as a high-severity issue and displayed on both the resource requirements tile and the
high severity issues tile.
Use the Include healthy systems check box on the details view of the tile to include all available data for the systems and time frame that are indicated on the dashboard
filter bar. By including all available data, the Include healthy systems check box overrides the Severity setting of the overall dashboard filter. Systems without any detected
health issues are excluded by default.
A table that displays all met and unmet resource requirements in your Guardium deployment is also available at Manage > Central Management > System Resources.
Note:
System resource issues are not displayed in the Events timeline because they are not associated with a specific time stamp
Unit utilization issues

The unit utilization issues tile displays issues based on unit utilization thresholds. The issues that are displayed on the tile represent individual metrics that exceed their
respective thresholds. The overall severity is assigned based on the highest severity issue that is found in all available metrics for an individual system in a specified time
period. For more information about unit utilization thresholds, see Unit Utilization Level.
The details view of the unit utilization issues tile includes both a Period start time and a Timestamp:
The Period start time indicates that the CM buffer usage monitor data is rolled-up into hourly periods, for example periods starting at 13:00, 12:00, and 11:00.
The Timestamp indicates when the unit utilization levels data is added to the deployment health dashboard, either based on the unit utilization levels schedule or
by using run once now.
For more information, see Configuring unit utilization data processing.

The first time that unit utilization data is brought into the deployment health dashboard, all the unit utilization data has the same timestamp but different period start
times. Over time, the time stamps will appear at intervals based on the unit utilization levels schedule. For example, if the unit utilization levels data is collected every hour
at 40 minutes after the hour, you will see period start time and timestamp values as follows:
Table 3. Example unit
utilization period start
time and timestamp
values
Period start Timestamp
13:00 14:40
12:00 13:40
11:00 12:40

Use the Include healthy systems check box on the details view of the tile to include all available data for the systems and time frame that are indicated on the dashboard
filter bar. By including all available data, the Include healthy systems check box overrides the Severity setting of the overall dashboard filter. Systems without any detected
health issues are excluded by default.
Unit utilization timecharts

Unit utilization timecharts allow the observation of trends in unit utilization data over time. Unit utilization timecharts can be configured to show multiple unit utilization
metrics for a single Guardium system or to show a single unit utilization metric for multiple Guardium systems.
Unit utilization timecharts are structured based on the following criteria:
The x-axis represents the period start time

When multiple metrics are being charted and the values for the metrics are in the same range, one y-axis is drawn. For example, both MySQL disk usage and /var
disk usage are expressed as percentages and are drawn with the same y-axis.
When multiple metrics are being charted and the values of the metrics are not similar, two y-axes are drawn. For example, MySQL disk usage is expressed as a
percentage and flat log requests is expressed as an integer, so two y-axes are drawn: one displaying percentages and one displaying integers.
If the value of a metric falls outside the range of a y-axis, that value is displayed at the bottom of the chart. This behavior accommodates scenarios where different
metrics are expressed with similar units but significantly different values: for example, integers in the range of thousands versus millions.
Tip: Create multiple time charts when values are in significantly different ranges.
Note: Systems are not included on Timechart settings > Host name menu when unit utilization data does not exist for that system in the time frame that is specified on the
dashboard filter bar.
Related tasks:
Scenario: Troubleshooting overloaded systems using the deployment health topology view
This topic describes using the deployment health topology view to identify and fix an overloaded system in your environment.
About this task

This scenario involves identifying health issues from the deployment health topology view, assessing the root cause, and correlating that assessment with additional data
before resolving the problem and verifying the fix. The example described here involves an overloaded collector, but the process is applicable for other cases.
Procedure
1. On a central manager, navigate to Manage > System View > Deployment Health Topology.
2. Review the deployment topology and assess the overall health of systems in the environment. At a high level, icons indicate healthy systems while and
icons indicate systems with some health issues.
3. If you notice systems with or status icons, click the node to view an overlay with additional health information.
4. Use the information presented on the node overlay to begin diagnosing any health problems. For example, a collector with high or medium severity statuses for /var
disk usage, Restarts, Analyzer queue, and Logger queue indicates that the collector is overloaded.
5. After initially assessing health issues from the deployment health topology view, try to correlate your findings with additional data. For example, if you suspect that
a system is overloaded, begin monitoring the traffic for that system.
6. When you are confident that you have diagnosed the underlying health issues, take corrective actions. In the example of an overloaded system, you could establish
Enterprise load balancing or reassign S-TAPs to another collector. Typically, this set of symptoms would not occur if enterprise load balancing was already
configured and in use.
7. After taking corrective actions, the status of the node on the deployment health topology view will be updated following the next refresh of unit utilization and
central manager buffer usage monitor data. This refresh interval depends on your schedule for processing unit utilization data.

Related concepts:
S-TAP user's guide
S-TAP user's guide

The enterprise load balancer dynamically allocates managed units to S-TAP agents based on system load and availability.
Overview
Load balancing automatically allocates managed units to S-TAP agents when new S-TAPs are installed and during fail-over when a managed unit is unavailable. The load
balancing application also dynamically re-balances loaded or busy managed units by relocating S-TAP agents to less-loaded managed units.
The enterprise load balancing application automates several tasks:
It removes the need to manually evaluate the load of managed units before assigning those managed units to an S-TAP agent.
It eliminates the need to define fail-over managed units as part of post-installation S-TAP configuration because the load balancer dynamically manages fail-over
scenarios.
It removes the need to manually relocate S-TAP agents from loaded managed units to less loaded managed units.
Important: When using the enterprise load balancing application, the Guardium system assumes control over the allocation of managed units to S-TAP agents. This is an
automated and dynamic process: the S-TAPs change their associations based on the relative load of available manged units. Use the Load Balancer Events report to
review all load balancing activity.
Note: When configuring the S-TAP to use enterprise load balancing, the F5-based load balancing cannot be used.

Prerequisites
The enterprise load balancer runs on a central manager or managed unit, listens to port 8443, and uses Transport Layer Security (TLS). No new firewall or additional
system setup is required. S-TAPs must be at V10.1 or higher.
Load balancing is disabled by default on Guardium systems. For information about enabling S-TAPs to participate in load balancing, see Windows General parameters and
UNIX General Parameters.
How it works
The enterprise load balancing application works by collecting and maintaining up-to-date load information from all its managed units.
It uses the load information from managed units to create a load map. This load map provides the data that directs load balancing and managed unit allocation activities.
Use the GuardAPI command grdapi get_load_balancer_load_map to view the current load map at any time.
Load information is only collected from managed units that are online and configured with the parameter LOAD_BALANCER_ENABLED=1. Setting
LOAD_BALANCER_ENABLED=0 disables load balancing and prevents that managed unit from being dynamically allocated to S-TAP agents during load balancing activities.
Load collection errors from specific managed units are recorded in the Load Balancer Events report but do not interfere with the overall load collection and load balancing
processes. However, failure to collect load information from a managed unit excludes that managed unit from participation in load balancing processes.
Associating an S-TAP with managed units for enterprise load balancing

Learn how to use enterprise load balancing by creating and associating S-TAP groups with groups of managed units.
Viewing the enterprise load balancing load map
Learn how to view the current enterprise load balancer load map.
Viewing an enterprise load balancing activity report
View a report of enterprise load balancing events and activities.
Enterprise load balancing Guardium configuration parameters
This reference information provides detailed descriptions of the load balancer configuration parameters. On a CM, access from Manage > Central Management >
Enterprise Load Balance > Enterprise Load Balance Properties. On an MU, access from Setup > Central Management > Registration and Load Balance.
Associating an S-TAP with managed units for enterprise load balancing

Learn how to use enterprise load balancing by creating and associating S-TAP groups with groups of managed units.
About this task

Load balancing creates associations between S-TAP groups and groups of managed units such that S-TAPs within a group are allowed to be reallocated to the most-
available managed unit within a group. This task introduces you to the process of establishing associations between S-TAP groups and managed unit groups for the
purposes of enterprise load balancing.
Procedure
1. On a Central Manager, navigate to Manage > Central Management > Enterprise Load Balancer > Associate S-TAPs and Managed Units.
2. If an S-TAP group has not already been created or a new one is required, create a new S-TAP group.
a. Click the icon to open the Create New S-TAP Group dialog.
b. Provide a name in the Group Name field. For example, North_American_S-TAPs.
Recommendation: To ensure compatibility with other Guardium components, do not use spaces or special characters in group names.
c. Add group members by selecting from existing host names or adding new members using the Group Member field. S-TAPs indicated with a icon are
included with the new S-TAP group.
d. Click Create New Group to create the S-TAP group.
3. Associate the S-TAP group with a group of managed units.
a. Select the S-TAP group you want to associate. For example, North_American_S-TAPS.
b. Click Associate Managed Units to open the Associate Managed Unit Group dialog.
c. If necessary, create a new group of managed units.
i. Navigate to Manage > Central Management > Managed Unit Groups.
ii. Click the icon to open the Create New Managed Unit Group dialog.
iii. Provide a name in the Group Name field. For example, North_American_MUs.
iv. Add group members by selecting from existing Managed Unit IP addresses.
v. Click Create New Group to create the new group of managed units.
d. Select the group(s) of managed units to associate with the S-TAP group. For example, North_American_MUs.
e. Click Apply.
4. Click Save to complete the association between an S-TAP group and a group of managed units.
5. (Optional) Associate the S-TAP group with a failover group of managed units.
a. Select the S-TAP group you want to associate, that already is associated to a managed units group. For example, North_American_S-TAPS.
b. Click Associate Failover Groups to open the Associate Failover Group dialog.
c. If necessary, create a new group of managed units same as described above. Both Regular managed unit groups and failover groups are the same until
specified during association with S-TAP group.
d. Select the group(s) of managed units to associate with the S-TAP group. For example, North_American_MUs_failover.
e. Click Apply.
6. Click Save to complete the association between an S-TAP group and a group of managed units.

Parent topic: Enterprise load balancing
Viewing the enterprise load balancing load map

Learn how to view the current enterprise load balancer load map.
About this task

The enterprise load balancing application uses the load information from managed units to create a load map. This load map provides the data that directs load balancing
and managed unit allocation activities.
Procedure
1. To view the current load map as a report in the Guardium UI, navigate to Manage > Reports > Unit Utilization > Load Balancer.
2. It is also possible to view the current load map using the Guardium API. Issue the following GuardAPI command: grdapi get_load_balancer_load_map.
The load map should look like the following example:
ID=0
************ LOAD MAP *************
**************** LOADED MU LIST ***********************
**************** VACANT MU LIST ***********************

{
MU=myguard_01.domain.com
MU_QUEUE_SIZE(MB)=25.0
MU_TIMES_REBALANED=0
MU_EFFECTIVE_MAX_USED_QUEUE(%)=0.0
MU_MAX_LOAD_CONTIB_BY_STAP(MB)=0.0
MU_ADJUSTED_STAP_CONTRIB_IN_MB=0.0
MU_BASE_MAX_USED_QUEUE_IN_MB=0.0
IS_REBALANCABLE=true
INSTALLED_POLICIES=log full details|
APPLIANCE_RESOURCE_INFO={NUM_PROCESSORS=4,CPU_SPEED=2800,CPU_CACHE=25600,CPU_CORES=4,
CACHE_READ_RATE=7870,HARD_DRIVE_READ_RATE=186,MEMORY_SIZE=24607}
STAP_LIST=
{
STAP_IP=01_gct1.domain.com, STAP_HOST=01_gct1.domain.com, CONNECTED_TO_MU=gct1.domain.com,
PARTICIPATES_IN_LOAD_BALANCING=false, MAX_STAP_CONTIBUTION_TO_LOAD_IN_MB=0.0,
AVG_STAP_CONTIBUTION_TO_LOAD_IN_MB=0.0
}
{
}
{
}
}
**************** STAP -> MUS ALLOCATION TABLE ***********************

03_gct1.domain.com ----> gct1.domain.com
ok
Viewing an enterprise load balancing activity report

View a report of enterprise load balancing events and activities.
About this task

The Enterprise Load Balancer Events report shows all load balancing events and activities, including successful associations between S-TAP agents and managed units,
changes in managed unit load, and failed associations.
Procedure
To view the report, navigate to Manage > Reports > Activity Monitoring > Enterprise Load Balancer Events.
Enterprise load balancing Guardium configuration parameters

This reference information provides detailed descriptions of the load balancer configuration parameters. On a CM, access from Manage > Central Management >
Enterprise Load Balance > Enterprise Load Balance Properties. On an MU, access from Setup > Central Management > Registration and Load Balance.
Default value
Parameter (valid values) Description

STATIC_LOAD_COLLECTION_INTERVA 720 (â‰¥10) Static managed unit load collection interval (in minutes).
L
If ENABLE_DYNAMIC_LOAD_COLLECTION is set to 0, the load balancer collects the load from all the
managed units at the interval specified by STATIC_LOAD_COLLECTION_INTERVAL.
LOAD_BALANCER_ENABLED 1 (0 or 1) Controls the load balancer feature.
0 disables the feature

1 enables the feature
If disabled on the managed unit, the load balancer (running on the central manager) does not collect load
information from that managed unit. All the S-TAPs connected to that managed unit do not participate in
load balancing.
On the CM, enabling this parameter (after it was disabled) triggers an immediate full load collection from all
the managed units enabled for load balancing.
ENABLE_DYNAMIC_LOAD_COLLECTIO 1 (0 or 1) Controls the load collection method.

N
0 disables the dynamic load collection interval (uses STATIC_LOAD_COLLECTION_INTERVAL as the
collection interval)
1 enables dynamic load collection interval
When this parameter is enabled (set to 1), the collection interval is proportional to the number of managed
units (1 hour per 10 connected managed units). Changes to this parameter triggers an immediate
recalculation of the next full load collection time.
USE_APPLIANCE_HW_PROFILE_FACT 1 (0 or 1) The load balancer can use managed units' hardware profile indicators (specified by the parameter
OR APPLIANCE_HW_PROFILE_INDICATORS) when evaluating vacant managed units for relocating S-TAPs.
0 ignores hardware profile indicators

1 uses managed unit hardware profile indicators
MAX_RELOCATIONS_BETWEEN_FULL 3 (â‰¥-1) Defines the maximum number of S-TAP relocations (between managed units) allowed after a full load
_LOAD_COLLECTIONS collection.
Negative values means unlimited relocations are allowed.
ALLOW_POLICY_MISMATCH_BETWEE 1 (0 or 1) The load balancer can take into account managed units' installed policies.
N_APPLIANCES
0: does not allow S-TAP relocation to an MU that has a different policy.
1: allows an S-TAP relocation to an MU that has a different policy.
TIME_TO_IGNORE_STAP_CONNECTIO 10 (â‰¥5) When collecting the load statistics for S-TAPs of each managed unit, we want to avoid including data that
N_RELATED_LOAD represents the initial S-TAP connection to the managed unit. This data can indicate traffic spikes that
create a false-positive for the load balancer. The TIME_TO_IGNORE_STAP_CONNECTION_RELATED_LOAD
parameter tells the load balancer to ignore S-TAP load for the specified number of minutes after the S-TAP
has connected to the managed unit.
ENABLE_RELOCATION 1 (0 or 1) Relocation of resources (rebalancing) is a process that the load balancer executes after full load collection.
Relocation here means transferring S-TAPs from loaded managed units to vacant manged units.
0 does not allow relocating S-TAPs to vacant managed units

1 allows relocating S-TAPs to vacant managed units
LOADED_SNIFFER_QUEUE_USAGE_TH 0.6 (0.1 to 1 in A managed unit is considered loaded if its sniffer has at least one queue whose size reaches the
RESHOLD increments of 0.1) LOADED_SNIFFER_QUEUE_ USAGE_THRESHOLD.
This parameter should not be changed under normal circumstances.
DEFAULT_STAP_MAX_QUEUE_USAGE 0.15 (0.10 to 1 in When an S-TAP is initially assigned to a managed unit, the load balancer does not have load information
increments of about it. The value of this parameter defines the temporary sniffer max used queue until the real load is
0.10) collected from the managed unit (after the interval defined by the
TIME_TO_IGNORE_STAP_CONNECTION_RELATED_LOAD parameter).
DEFAULT_STAP_MAX_CONTRIBUTION 0.1 (0.1 to 1 in When an S-TAP is initially assigned to a managed unit, the load balancer does not have load information
_TO_MAX_QUEUE_USAGE increments of 0.1) about it. The value of this parameter defines the temporary max S-TAP load contribution to the temporary
max used queue until the real load is collected from the managed unit (after the interval defined by the
TIME_TO_IGNORE_STAP_CONNECTION_RELATED_LOAD parameter).
REBALANCE_IF_MU_CLASSIFIED_AS_ 1:168 (â‰¥0 : Loaded managed units can be rebalanced only if they have been classified as loaded a specified number of
LOADED_N_TIMES_IN_M_HOURS â‰¥0) instances over a specified period of hours. For example, a value of 1:168 requires that a managed unit be
classified as loaded at least 1 time during a period of 168 hours.
APPLIANCE_HW_PROFILE_INDICATO NUM_PROCESSOR The load balancer can take into account managed units' hardware profile indicators. A colon delimited list
RS S: CPU_SPEED: of indicators (column names from the table APPLIANCE_RESOURCE_INFO) are used by the load balancer to
CPU_CACHE: evaluate the hardware profile.
CPU_CORES:
MEMORY_SIZE This parameter should not be changed under normal circumstances.
(Columns names
from the table
APPLIANC

E_RESOU
RCE_INFO)
MAX_CONCURRENT_LOAD_COLLECTIO 10 (â‰¥1) The maximum number of concurrent load collection processes the load balancer runs at any given point in
NS time. That is, the number of concurrent, non-persistent, remote SQL connections from the Central Manager
to the managed unit.
MAX_RELOCATIONS_PER_MU_BETWE 3 (â‰¥-1) The maximum number of S-TAP relocations allowed from a specific managed unit during any one period of
EN_FULL_LOAD_COLLECTIONS full load.
This parameter is the maximum number of STAPs that can be relocated per MU. If you have 2 loading S-
TAPs, and the value is set to 1, then only one of these S-TAPs can be moved for a specific MU. If the value is
set to 0 then STAP does not relocate.
Negative values allow unlimited relocations.
ENABLE_FAILOVER_GROUPS_REBALA 0 (0 or 1) Controls automatic relocation of S-TAP from the failover group back to the main MU group once an MU is
NCE available again in the main MU group.
0: does not allow automatic relocation of an S-TAP back to main MU group.
1: allows automatic relocation of an S-TAP back to main MU group.

Related reference:
GuardAPI Enterprise Load Balancing Functions
Deployment inventory
The inventory view provides centralized view of all database servers and any installed S-TAPs or GIM clients.
Resource deployment view

The resource deployment view provides a centralized view of all database servers and their associated collectors, aggregators, and central managers.
Creating managed unit groups

Organize managed units into groups and then take actions on those groups.
About this task

Managed unit groups allow you to organize managed units into meaningful groups and then take actions on those groups. For example, you might create managed unit
groups for specific unit types, geographies, or lines of business. Actions you might take include installing policies or distributing patches or configurations to a group of
managed units.
Procedure
1. Navigate to Manage > Central Management > Managed Unit Groups.
2. From the Managed Unit Groups page, click to create a new managed unit group or to edit an existing group.
3. From the Create new managed unit group dialog, type a name for the group in the Group name field.
4. Use the icons to select managed units to include in the group.
5. When you have finished selecting managed units to include in the group, click the Save button. The new managed unit group will be saved and appear on the
Managed Unit Groups page.
6. Optionally, from the Managed Unit Groups page, click the icon to expand a group and view its managed units.
Results
Once defined, a managed unit group is available from the Manage > Central Management > Central Management page, the Manage > Central Management > Distribute
Configuration Profiles page, as a managed unit group within the Manage > Central Management > Enterprise Load Balance > Associate S-TAPs and Managed Units tool,
and in other locations where managed unit groups are used.
Monitoring Managed Units

Monitor managed units by using Central Management.
To monitor managed units:
1. Log in to the GuardiumÂ® GUI of the unit to be managed as the admin user.
2. Click Reports > Guardium Operational Reports > Managed Units to open Managed Units.
Each component of the Central Management pane is described in the table.
Table 1. Monitoring Managed Units

Control Description

Control Description
Select all check box Mark this box in the shaded area of column one to select all managed units.
Unselect all Clear all managed units.
Check box Mark this box to select the unit for wanted operation.
Refresh unit information Refreshes all information that is displayed in the expanded view of that unit and issues new requests to that unit. This
action also causes a full user synchronization cycle.
Reboot unit Reboots the unit at the operating system level. By default, the Guardium portal is started at startup.
Restart unit portal Restarts the Guardium application portal on the managed unit. You can then log in to that unit to do Guardium tasks
(defining or removing inspection engines, for example).
View unit SNMP attributes Opens the SNMP Viewer pane in a separate window. Clicking the refresh icon in the SNMP Viewer pane refreshes the
data in the window.
View unit syslog Opens the Syslog Viewer in a separate window, displaying the last 64 KB of syslog messages. Clicking the Refresh icon
in the Syslog Viewer pane refreshes the data in the window.
Shortcut to unit portal Opens the Guardium login page for the managed unit, in a separate browser window.
Unit Name The host name of the managed unit. If you hold the mouse pointer over the unit name, its IP address displays as a
tooltip. If the host name changes on the unit, the Central Manager no longer sees that unit when automatically
refreshing the Online status. If you suspect the host name was changed, use Refresh on the toolbar. Obtain the
changed host name and update the displayed current Online status and other information for that unit.
Online Indicates whether the unit is online. If the green indicator is lit, the unit is online; if the red indicator is lit, the unit is
offline. The Central Manager refreshes this status at the refresh interval that is specified in the central management
configuration (1 minute by default). If an error occurred connecting to a unit, the error description can be viewed as a
tooltip. Hover the mouse indicator over that unit's record in the management table.
Inspection Engines Click the icon to expand the list of inspection engines; click the icon to hide the list of inspection engines.
From here, depending on status, you might stop or start the inspection engine.
The information that is displayed for each inspection engine is as follows (This information is fetched from the
managed unit when the Refresh is pressed, not on every ping):
Name - The name of the inspection engine.
Protocol - The protocol that is monitored by the inspection engine: Oracle, MSSQL, Sybase, InformixÂ®, or DB2Â®
Active on Startup - Indicates if the inspection engine starts on system startup
Exclude From IP - Indicates if the list of from-IP addresses is to be excluded (not examined).
From-IP/Mask - A list of the IP addresses and subnet masks of the clients whose database traffic to the To-IP/Mask
addresses the inspection engine monitors.
Ports - The ports on which database clients and servers communicate; can be a single port, a list of ports, or a range of
ports
To-IP/Mask - A list of IP addresses and subnet masks of servers whose traffic from the corresponding client machine
(From-IP/Mask) is monitored.
Installed Security Policy The name of the security policy that is installed on the managed unit. This field is updated on every ping.
Model The Guardium model number of the managed unit.
Version The Guardium version number of the managed unit.
Last Patch The last patch installed.
Last Ping Time The last time that the unit was pinged by the Central Manager to determine the managed unit's online/offline status.
Selected Units Â
Group Setup Group Setup opens a new window that allows the user to maintain groups; creating new groups, removing groups, and
associating managed units with groups.
Unregister Unregister all selected units.
Restarting Â
Reboot Reboot the selected units.
Restart portal Restart the selected portal.
Restart Inspection Engines Restart the inspection engines of the selected units.
Distribution Â
Refresh Refresh the selected units.
Install Policy The policy name is a link that opens a new window with the policy's detail.
Patch Distribution Patch Distribution opens a new screen, display an available patch list with dependencies, and allow for the selecting of
a patch and installing it to all selected units. Schedule a patch up to one year in the future.

Control Description
Distribute Uploaded JAR files Click Harden > Vulnerability Assessment > Customer Uploads. Then, enter the name of the file to be uploaded.
Otherwise, click the Browse to locate and select that file. Upload one driver at a time.
Click Upload. You are notified when the operation completes, and the file that is uploaded is displayed. This action
brings the uploaded file to the Central Manager.
Select a check box of the managed unit or units where these JAR files are to be distributed. Click Distribute Uploaded
JAR files.
Distribute Patch Backup Settings This setting distributes the following to selected units:
PATCH_BACKUP_FLAG; PATCH_AUTOMATIC_RECOVERY_FLAG; PATCH_BACKUP_DEST_HOST;

PATCH_BACKUP_DEST_DIR; Â Â Â Â PATCH_BACKUP_DEST_USER; PATCH_BACKUP_DEST_PASS
Distribute Authentication Config Select the managed units that receive the distribution of the Central Management authentication.
Click Distribute Authentication Config to distribute the authentication configuration to all managed units selected.

Control Description
Distribute Configurations The following configurations are distributed to sync parameters between the Central Manager and the managed units:
Anomaly Detection - Active on startup, Polling interval

Alerter - all fields
Data Archive - all fields
Global profile - Concurrent Logins, Data Level Security, all fields except Named Templates (which are already
synced), PDF footer text, and logo image
IP-to-Hostname Aliasing - both check boxes
Results Archive - all fields
Results export - all fields Â
Session Inference - all fields
System Backup - all fields
Data export - all fields
Some of these configurations do not take effect until the portal is restarted (Anomaly Detection, Session Inference).
Other processes, such as the Alerter, need to be restarted, either directly through the admin portal of the managed
unit, or by rebooting all relevant managed units from the manager.
The Distribute Configurations does not restart the managed units. There is a separate icon for each managed unit to be
restarted.
Restart Portal restarts all of the selected units.
After Distribution, a message will display saying that the managed units will need to be restarted for all the
configurations to take effect on managed units.
Each parameter that has scheduling has a second check box. When this second box is checked, this parameter's
scheduling is distributed.
See Distribute Configuration for information on selectively distributing configurations.
Reboot or restart portal?
Alerter Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
Active on Startup check box. Each time the appliance restarts, the Alerter is activated automatically.
GUI restart does not take the Active on Startup value.
Distributing configuration from Central Manager to managed units needs a reboot on managed units to take full effect
The Alerter to be manually restarted on the managed units through the admin portal (Admin Console/ Alerter). Since
this restart cannot be done from the Central Manager, restart the managed units from Admin Console and get the same
effect.
Â
Anomaly Detection Â Â
Active on Startup check box. Each time the appliance restarts, Anomaly Detection is activated automatically.
GUI restart takes the Active on Startup value.
Distributing configuration from Central Manager to managed units needs restart portal on managed units to take full
effect
Â
Session Inference Â Â Â
Active On Startup check box to start Session Inference on startup of the Guardium appliance.
GUI restart takes the Active on Startup value.
Distributing configuration from Central Manager to managed units needs restart portal on managed units to take full
effect
Â
Results Export/System Backup/Data Archive/Result Archive/Data export
Distributing configuration from Central Manager to managed units takes effect without restart of portal on managed
units
Â
Global profile
Distributing configuration from Central Manager to managed units takes effect without restart of portal on managed
units (Though using a different named template applies only when policy is installed.)
Register New Opens the Unit Registration pane to register a new unit for management.
Patch Installation Status The Patch Installation Status screen displays, for each unit, failed installations and discrepancies. For example, having
one patch installed on part of the units only, regardless if it failed on other units or was not installed.

Use the Central Manager to assign correlation alerts to individual managed units or managed unit groups
This new feature is for a managed environment.
It allows the central manager to assign correlation alerts to individual managed units or managed unit groups. You can either assign it to a unit or group or you can exclude
it from a unit or group. You must also specify whether to run it on the Central Manager itself. The groups used are managed unit groups, the same types of groups that are
used on the Central Manager page.
In the managed environment, on the Central Manager, the alert builder has a new section for "Managed Units". In this section, you specify either single units or groups of
managed units to either include or exclude from an alert. You also specify with a checkbox whether that Central Manager itself is included or excluded. The default
behavior matches the existing behavior: alerts run everywhere. If you specify that alerts should not run everywhere, verify that the alerts run where you specify. The UI
includes four options for including/excluding single units or groups, and dialogs for selecting from the list of management groups and if desired, creating new management
groups, or editing existing managed unit groups.
On the individual managed units, the alert builder does not show any section on managed units, only the Central Manager can assign alerts to units and groups.
If there are entries in the alert table on a given managed unit, there will automatically be a system generated group created to exclude that unit for each alert it is excluded
from. This will occur when the alerts are started on that managed unit.
The alert panes on the anomaly detection page under admin console were used to enable/disable alerts locally. For this feature, the alert panes appear only on the Central
Manager.
On the managed units, there is now a table showing active alerts and whether they are enabled.
Installing Security Policies on Managed Units

Install a security policy on a manage unit.
About this task

To install a security policy on a managed unit:
Procedure
1. Click Setup > Tools and Views > Policy Installation to open Currently Installed Policies and the Policy Installer.
2. From the Policy list, select the policy that you want to install.
3. From the list, select an installation action. After you select an installation action, you are informed of the success (or failure) of each policy installation. If a selected
unit is not available (it might be offline or a link might be down), the Central Manager informs you of that fact. It continues attempting to install the new policy for a
maximum of seven days (on the condition that unit remains registered for central management).
4. From the Policy list, select the policy that you want to install.
5. The available installation actions include the following items:
a. Install and Override - delete all installed policies and install the selected one instead
b. Install last - installing the selected policy as the last one in the sequence; installing the policy after all currently installed policies and having the lowest
priority
c. Install first - installing the selected policy as the first one in the sequence; installing the policy before all currently installed policies.
Note: If you install a policy from the Central Manager, the selection of Run Once Now (and scheduler) updates existing groups within the installed policies.
To load changes to rules, including addition and subtraction of groups, you must either:
a. Initially install policies from the Collector, or

b. Reinstall policies from the Collector or Central Manager.
Central Patch Management

Provide visibility and control over patch installation, status, and history.
About this task

Provide visibility and control over patch installation, status, and history. On a Central management cluster provides a way to install patches on managed units from the
Central Manager.
When you install a patch, a date and time request can be specified to indicate when the patch is installed. If no date and time is entered or if now is entered, the
installation request time is immediate.
Note: A patch that is installed successfully can be installed again. This fact is important for batched patches. A warning informs you if the patch is already installed.
Log in to the GuardiumÂ® GUI of the unit to be managed as the admin user:
Procedure
1. Click Manage > Central Management > Central Management.
2. Select the units that need the patch, and click Patch Distribution
3. From the Patch Distribution screen select the patch you want to distribute and click Install Patch Now or Schedule Patch.
4. To see the status of the installation, click Manage > Central Management > Central Management and then select the units and click Patch Installation Status. The
Patch Installation Status screen displays, for each unit, failed installations and discrepancies. For example, having one patch installed on part of the units only,
regardless if it failed on other units or was not installed. To remove patches from the Patch Distribution screen, click the delete icon (red x) next to the patch. This
does not delete the patch from the patch distribution directory on the appliance, but will remove it from the display.


Configuration profiles allow you to define configuration and scheduling settings from a central manager and distribute those settings to managed unit groups without
altering the configuration of the central manager itself.
Before you begin

Before creating and distributing configuration profiles, verify the following prerequisites:
allow communication over port 8447 between the central manager and its managed units
the central manager and the managed units that will receive configurations must be at or above Guardium V10.1
About this task

Configuration profiles contain two types of information: one or more sets of configuration and scheduling settings, and a list of managed unit groups to be updated with the
configuration and scheduling settings. Once defined, configuration profiles can be stored, modified, and reused to distribute specific sets of configuration and scheduling
settings to specific groups of managed units.
Configuration profiles are defined independently of the local settings on the central manager. This allows you to quickly define configuration settings and deploy those
settings to managed unit groups without disrupting the configuration of your central manager or configuring each managed unit individually.
This task describes how to create, distribute, and save a configuration profile.
Procedure
1. Navigate to Manage > Central Management > Distribute Configuration Profiles.
2. Click or select an existing profile to begin working with a configuration profile.

3. From the Name and description panel, provide a name and optionally provide a description for the profile. Click Next to continue.
Optional: click the Roles button to specify security roles that can use the configuration profile.
4. From the What to distribute panel, click to define a new configuration, or select an existing configuration and click to edit.
a. From the Configuration type menu, select a configuration type to add to the profile.
b. Specify configuration and scheduling details for the selected configuration type. For more information about configuration settings, see the product
documentation for the configuration type you are defining.
Restriction: Distributing data export configuration settings to an aggregator will not distribute any purge settings. The existing purge settings on an
aggregator will be retained. Purge settings, including retention periods, will be distributed to and replace existing purge settings on collectors.
c. Click Save to finish editing the configuration details.
Continue adding or editing configurations as needed. Click Next to continue.
5. From the Where to distribute panel, select groups from the Managed unit groups table and use the icon to add the groups to the Selected groups table. Click
Next to continue.
Note: click to create a new managed unit group or to edit an existing group. Managed unit groups can also be defined and edited at Manage > Central
Management > Managed Unit Groups.
6. From the Distribute configurations panel, click Run Now to distribute the configuration profile to the selected groups. When the status indicates that distribution is
complete, click Next to continue.
7. From the Review results panel, review a summary of the distribution process and its results.
Optional: click Run Log to view a detailed log of the distribution process.
8. Click Save to save the configuration profile for reuse.
What to do next
If you need to move configuration profiles between central managers, use Manage > Data Management > Definitions Export and Manage > Data Management > Definitions
Import and select Configuration profile from the Type menu.
Related concepts:
Aggregation
Export/Import Definitions
Scheduling
Distribute Configuration
Configurations and their schedules, can be distributed, either all or individually, between the Central Manager and the managed units.
Procedure
1. Select the managed units that receive the configurations.
2. Click Distribute Configurations to display the Distribute Configurations window.
3. Check the appropriate boxes for those Configurations that you would like distributed. Use the check box in the header to select all configurations.
4. Check the appropriate boxes for those Schedules that you would like distributed. Use the check box in the header to select all schedules. If a configuration is not
scheduled, there is not a check box for it and displays 'n/a' instead.
5. Click Distribute to distribute the configurations and schedules.
6. Option: Click Cancel to abort distribution.
Results

If using the command, Central Management > Distribute Configurations > Global Profile, the following values are distributed:
ACTIVATE_ALIASES
CUSTOM_DB_MAX_SIZE
CHECK_CONCURRENT_LOGIN
HTML_BOTTOM_RIGHT
HTML_BOTTOM_LEFT
DISPLAY_LOGIN_MESSAGE
LOGIN_MESSAGE
CSV_DELIMETER
FILTERING_ENABLED
INCLUDE_CHILDREN_ON_FILTER
SHOW_ALL_RECORDS
ACCORDION_DISABLED
SCHEDULER_RESTART_INTERVAL
SCHEDULER_RESTART_WAIT_SHUTDOWN
ESCALATE_TO_ALL
MESSAGE_TEMPLATE
Distribute Authentication Configuration

Instead of configuring authentication on each appliance separately, Central Management authentication (Configure Authentication) can be configured once on the central
manager and then distributed to all managed units. This way, information is entered once and it applies to some or all units; some of the units may have a different type of
authentication.
Procedure
1. Ensure authentication (Configure Authentication) on both the central manager and the managed unit. So if LDAP authentication is being used, ensure that LDAP is
configured on the central manager and the managed unit.
2. Select the managed units to receive the distribution of the central management authentication.
3. Click Distribute Authentication Config to distribute the authentication configuration to all managed units selected.
Central Manager Redundancy

Use Central Manager Redundancy or Backup Central Manager (CM) to configure a secondary or backup CM in case the Primary CM becomes unavailable.
Central Manager redundancy supports the following:
1. Backup Central Manager - Make Primary CM link will be available after Primary Central Manager loses connection.
2. User Layouts will be retained.
3. User and roles are in the synch backup and will not rely on Portal User Sync.
4. User Group Roles Data will be retained.
5. A GuardAPI function make_primary_cm, has been added to allow switch to Central Manager from CLI.
6. Data is retained from Audit Process Builder processes after switching Primary Central Manager to Backup Central Manager.
7. Central Management backup includes all the definitions (reports, queries, alerts, policies, audit processes etc.), users and roles as it did before.
8. It includes the schedules for enterprise reports, distributed reports and LDAP.
9. It includes schedules for all audit processes, schedules and settings for data management processes such as archive, export, backup, and import.
10. It includes settings for Alerter and Sender.
11. User's GUI customization's, custom classes and uploaded JDBC drivers are included.
Note: Data, either collected data, audit results and custom tables data, is not included.
Note:
To list status of cm_sync_file(s) on Backup CM, use the CLI command, show local_cm_sync_file. To list the value of Backup CM IP for each managed unit, use the
GuardAPI command, grdapi show_backup_cm_ip (this API command can only run on a Central Manager).
Note: Failover with Central Manager load balancing - After failover, if the new Managed Units connect and then disconnect right away, the correct DB_USER will not be sent
until the failover message is received.
Perform these steps on your development or secondary servers and test. If successful, then perform these steps on your Primary or live Guardium Servers.
Install Patches on Central Manager
1. From the now Primary CM, login as CLI.
2. Install patches with the following CLI command, store system patch install scp
3. This CLI command will copy the files over to your Guardium Server and give you the ability to install them.
4. Watch these patches being installed with the following CLI command, show system patch install

5. Wait until the patch status shows â€œDONE: Patch installation Succeeded.â€ for both patches.
Install Patches on Backup CM
1. Login into the now Primary CM GUI as admin.
2. Select the Setup > Tools and Views and then choose Central Manager.
3. Click check boxes for the Backup CM managed unit ONLY on the Central Manager.
4. Click Patch Distribution and install all of the patches that you just installed onto the Primary CM.
Example to install a patch
1. Click Patch Distribution.
2. Click Install Patch Now.
3. Wait approximately 15 minutes to be sure the patch is installed on all managed servers.
4. To verify, login as CLI on the Backup CM and run CLI command, show system patch install, from Backup CM server.
Install Patches on all other managed servers (optional steps)
1. Repeat the previous steps to install patches on all managed servers.
2. Verify that all patches have been installed before going to the next procedure.
After all Patches have been installed on the CM and managed servers
1. Login as admin onto the now Primary CM.
2. Select Setup > Tools and Views and then choose Central Manager. Click Designate Backup CM.
3. Select Backup CM server from the returned list of eligible Backup CM candidates.
4. Click Apply.
5. Wait approximate two minutes for the Backup CM to sync and the NEW Backup CM file to be created and copied to the Backup CM.
6. Wait for two complete rounds of backups to complete (approximate 1 hour) for two Backup CM sync files that will be copied to the Backup CM and can be
viewed from the Guardium Monitor tab - Aggregation Archive Log Report.
7. Select Guardium Monitor and select Aggregation/Archive Log Report to view the progress of the creation of the Backup CM sync file.
8. Verify the Activity Backup has started and the cm_sync_file.tgz file has been created from the Aggregation/Archive Log Report.
a. Login as Admin from the GUI.
b. Select Guardium Monitor tab.
c. Select Aggregation/Archive Report.
d. Look for Backup Types.
9. When complete:
a. The patches have been installed on the CM.
b. The patches have been installed on the Backup CM.
c. Option: The patches have been installed on all other managed units.
d. Two Backup CM Sync files have been completed (see Aggregation/Archive Log file under Guardium Monitor Tab).
e. The following steps outline the process to convert the now Primary CM and its managed nodes to the Backup CM.
Note:
IMPORTANT: Wait approximately one hour to be sure at least TWO of the Backup CM sync files supporting Backup CM have completed.
The backups schedule for Backup CM sync files is approximately every 30 minutes.
The process will run on the CM to create a backup CM file and copy that file to the directory on the Backup CM.
Start the Backup CM Process after two sync file process have completed
Shutdown the Primary CM Guardium Server
If you have no access to shutdown the Primary CM, then go directly to the Backup CM and login as Admin. (select Setup > Tools and Views and then choose Central
Management) and click Make Primary CM). Skip to section â€œSteps to start the Backup CM configuration to become the Primary CMâ€ in this document.
1. Wait approximate five minutes and login again as admin in the GUI of the Backup CM.
2. Once the Primary CM is shutdown completely, you can continue onto the next step
Note:
If you are logged into the Primary CM and it goes down, you get a message indicating that the connection has timed out.
Steps to start the Backup CM configuration to become the Primary CM

The secondary CM will not be responsive for approximately five minutes. Login after five minutes and the Make Primary CM link will be available. The link is available
under the admin login and (Setup > Tools and Views > Central Management).
1. When the Primary Server goes down, you will get a message on the Backup CM â€œUnable to connect to Remote Manager, consider switching to (the name
of the backup CM)".
2. If you decide to switch:
a. Login as admin
b. Select Setup > Tools and Views.
c. Click Make Primary CM (do not click the â€œMake Primary CMâ€ link more than once. Also stay on this screen and do not select anything else during
the running of this process. A log file will be created that you can view to see the progress and completion of this process.) Be patient as this process
will take awhile to complete. There is a safeguard that if you do click this button more than once nothing will change with the current running process.
d. Within seconds you should get a message â€œAre you sure you want to make this unit the primary CM? Click OK.
e. Within a few seconds more you will get a message stating â€œThis may take a few minutesâ€ . The time it takes for the Backup CM to become the
primary CM depends on the amount of data backed up from the Backup CM sync file and the amount of managed nodes that switch to the Backup CM
which will become the Primary CM. Click OK.
As soon as we click OK a log file will be created called load_secondary_cm_sync_file.log that will allow you to view the progress of the switch to the
completion of the Backup CM switch process. This file can be viewed from your GUI. The following steps indicate how to view this log file.
f. The last message will take a while to be presented to the screen. It will be the last message before the Backup CM switch has completed. The
message is â€œGUI will restart now. Try to login again in a few minutes and the Backup CM will now become the Primary CMâ€ . Click OK.
Wait a few minutes for the Backup CM to become Primary and for all the managed nodes to complete switching over to the new Primary CM.
While the CM Backup Process is running â€“ viewing the progress log file
From the Backup CM while the Make Primary CM process is running, you can do the following to view the progress of the Backup CM becoming the Primary CM.
Prerequisite: You will need the IP of the server you are connected to in order to view the log files.
1. Login as CLI from your Backup CM server from a Putty.exe session
2. From CLI run Fileserver <IP> â€œenter your IP numberâ€ 3600", for example: fileserver 9.70.32.122 3600
3. From the GUI, enter the value: http://yourserver.x.x.x.com (will display in the CLI screen after entering the command, example:
http://joe.server.guardium.com (the server name will be the Backup CM server).
Fileserver Window on the UI will open to select file â€“ Select Sqlguard logs
4. Select the file: load_secondary_cm_sync_file.log. (The file will display in a list of files from Step #3.) This will allow you to view the progress of the Backup
CM becoming the Primary CM.
Locate log file for viewing
CM Backup Process is complete when you see this line in the load_secondary_cm_sync_file.log
Import CM sync info - DONE
5. Wait approximately 10 minutes for all the Managed units to become available to the New Primary CM.
After the Backup CM becomes the Primary and all Managed nodes are now managed by the Backup CM server
You can now bring up the old CM server. Once it is up and running, perform the following steps to add it as the Backup CM server.
1. Reboot Old Primary CM.
2. Once the Server is up, login as CLI.
3. Delete the manager unit type, enter delete unit type manager.
4. After it completes and you get an OK message from CLI.
5. VERY IMPORTANT: Wait approximately five minutes for the GUI to completely restart even after the deleted unit type displays a successful message and the
GUI restart message.
6. After five minutes, log into the New Primary CM to register Old CM as a managed unit.
7. Login as admin on New Primary CM.
8. Select Setup > Tools and Views > Central Management.
9. Click Register New.
10. Enter IP of the Old Primary CM that you just rebooted.
11. Enter 8443 as Port.
12. Click Save. (IMPORTANT: Be patient, do not click this button twice).
13. Wait a minute for the Old Primary CM to become registered.
14. Make the Old Primary CM a New Backup CM.
15. Click Designate Backup CM.

16. Click on Old Primary CM server.
17. Click Apply.
18. Old Primary CM server is NOW the New Backup CM server.
19. Refresh Central Management screen to see the New Unit type Backup CM defined.
20. This task is complete.
Report Data After Backup CM Process is complete
The following data is missing after the Backup CM process is completed. This is related to only the "first" switch from the Primary to the Secondary CM.
Missing Data:
1. Audit Process Results
2. Custom Table Data
3. Custom Report Data
4. VA Results
5. Classifier Results
6. DSD Results
7. CAS results
8. Datamart Data
9. Collected Data
10. Entitlement Data
The reports will be populated again is once you run these reports again on the New Primary CM. If you switch back to the old Primary CM, the data for these reports
will be presented.
Investigation Center
Investigation Center is an extension of the Aggregation Servers. Investigation Users (once defined) can restore data and results of selected historic dates and perform
forensic investigation. Once the days (dates) are restored, the investigation users can define and view reports using the standard GuardiumÂ® UI, only in the scope of the
investigated dates.
Each Guardium appliance maintains a Catalog of all the data and results archived. The Catalog contains information about the archive, its location and credentials to
access them. The Catalog is exported from the collectors and merged into a complete Catalog on the Aggregation Server as part of the aggregation process. With the
Catalog in place, investigation users can now select the desired dates for restoration and these dates will automatically be uploaded to the Investigation Center and
merged into that investigation userâ€™s view. In addition to merging collectorsâ€™ Catalogs through the Aggregation Server, it is also possible to Export and Import
Catalogs from Setup > Tools and Views.
Users and Roles

In a Guardium aggregation server there is a special investigation role (inv). Users with the inv role can perform forensic investigations on historic data.
An investigation user for the most part utilizes the same query and report definitions as any other user would. The biggest difference is that the investigation user sees
only data selected for his investigation database (multiple investigators can be configured to share an INV database). Selected data can be restored from archive or
viewed from the current database in the case of data that was not purged yet. An investigation user can also restore archived audit process results and view them.
Caution: Role inv is a special role which will cause the user to be connected to a separate, investigation-only internal database. It should be combined with the role user
and in general it is incompatible with all other roles.
Note: To correctly configure an investigation user, the user's Last Name must be set to the name of one of the three investigation databases, INV_1, INV_2, or INV_3
(case-sensitive).
When creating an investigation user, it is suggested that the user's name correspond or have some representation that denotes which investigation database that will be
used. For instance, if a user will be using the INV_1 database, the user's name could be john1 or inv1.
Note: The Run an Ad-Hoc Audit Process button is available on all report screens for all users except investigation (INV) user.
Audit Process and INV role

If the user is INV, then the audit process finder will show audit processes according to roles and ownership, but will only allow Clone or New for all audit processes not
owned by INV.
If the user is INV, then the audit process definition menu screen will permit the following:
Only Investigation users and/or specific email addresses are allowed as receivers (no regular users, no groups, no roles other than INV are permitted as receivers).
The Events and Additional Columns button within a saved Report Audit Task is always disabled. No API automation can be specified.
No schedule can be specified. Audit process on INV, data can be run only manually using the Run Now button. Â
Only audit tasks of type Report are allowed.
Active is disabled, Keep Days and Keep Runs fields are disabled.
If the user is not INV, the audit process finder will not display any audit process owned by an investigation user (regardless of the roles assigned).

When an audit process is ran on INV data, the result title is appended with the words Executed on Investigation center by and the name of the INV user.
A comment is attached to the results specifying the dates and source hosts of the data mounted on the Investigation database at execution time.
The results can be viewed either from the Audit Process Builder or for the result navigation list.
Results of audits run on Investigation center cannot be archived and the results are discarded when investigation data is discarded.
Investigation Context
Guardiumâ€™s Investigation Center supports one to three concurrent investigation periods, dubbed INV_1, INV_2 and INV_3, each can hold separate historic data and
provides means to forensic investigation of that period. When creating an investigation user, the user's last name is must be either INV_1, INV_2, or INV_3 to associate
that user with one of the investigation databases. When logged into the Investigation Center (using one of the investigation users) a label specifies the selected
investigation period.
GUI
A user with the investigation role will see two additional tabs that are particular to the Investigate Center.
Auditing tab gives access to restored audit process results

Volume management tab allows the user to set or modify the investigation period, select audit process results to restore and discard data at the end of an
investigation.
Working with Investigation Center

Restore an Investigation Period
Restore Audit Results
View Restore Log
Viewing Restored Audit Results
Restore an Investigation Period

After logging into the Guardium interface as a user with the inv role:
1. Click Manage > Data Management > Data Restore to open the Data Restore Search Criteria.
2. C
3. Click Data Restore to open the Restored Data panel. If a prior restore was performed, this panel will display the currently mounted data periods being used. At this
point, you may click Discard Data to un-mount all previously mounted data periods.
4. Click Re-Select Investigation Period to open the Data Restore Search Criteria panel.
5. Enter the start date in the From: box for the beginning time period you wish to search
6. Enter the end date in the To: box for the ending time period you wish to search
7. Optionally, enter a Host name to aid in filtering the result set on the host name
8. Click Search to view the result set - this will search the catalog for all archives matching the search criteria.
9. From the result set produced, check the Select box(es) of those periods you wish to restore. You may also click Select All or Unselect All to speed the selection
process.
10. Click Restore to restore the selected periods. Depending on the number of periods to restore, and whether the datasets are local to the system, the restore process
could take long time.
11. You can monitor the progress of the restore process in the View Restore Log panel.
Note: Data of Â any day restored to Investigation Center that falls within the merge period is also merged into the Guardium application database and is visible by non-inv
users.
Restore Audit Results

A checkbox in Audit Process builder allows to specify if results of a process should be archived or not. Only results of processes marked for archive for which all signers
had signed are archived. Results of a specific runs are packed, zipped and stored, the location is recorded in the catalog and is used by the Restore Audit Results for
selection and restore. Archived results from the Guardium Audit process can be restored to an Investigation Center and contain the results, the view and signoff trails as
well as the comments associated with these results.
1. Click the Volume Management tab.

2. Click Audit Results Restore to open the Restored Results panel. If a prior restore was performed, this panel will display the currently restored results being used. At
this point, you may click Discard Data to un-mount all previously mounted results.
3. Click Audit Results Restore to open the Results Restore Search Criteria panel.
4. Enter the start date in the From: box for the beginning time period you wish to search.
5. Enter the end date in the To: box for the ending time period you wish to search.
6. Optionally, enter a Host name, Audit Process, or Run No to aid in filtering the result set.
7. Click Search to view the result set.
8. From the result set produced, check the Select box(s) of those results you wish to restore. You may also click Select All or Unselect All to speed the selection
process.
9. Click Restore to restore the selected results. Depending on the number of results to restore, and whether the datasets are local to the system, the restore process
could take long time.
10. You can monitor the progress of the restore process in View Restore Log.
View Restore Log

The restore log provides a view to the Archive/Restore of past and current restore attempts and filtered for the user currently logged in. This log enables the user to
validate a successful restore for both data and audit results.

After logging into the Guardium interface as a user with the inv role: Click Restore Log to open My Restore Log. From this panel you will be able to see the status of all
restore attempts.
Viewing Restored Audit Results

1. Click the Auditing tab.

2. Click the Results Navigation link to open the Audit Process Finder panel.
3. From the drop down list (if there are audit processes), select a process.
4. Click View to open another window and view the available reports for the audit results.
Managing your Guardium system

Management tasks include monitoring your systemâ€™s health and managing artifacts such as groups, domains, and notifications.
Guardium Administration
GuardiumÂ® administrators perform various administration and maintenance tasks.
Certificates
Check certificates periodically to avoid loss of function. Use CLI commands to obtain and install new certificates.
Use unit utilization reports to identify under- and over-utilized systems in your Guardium environment.
Customer Uploads
Database Activity Monitor Content Subscription (previously known as Database Protection Subscription Service) supports the maintenance of predefined
assessment tests, SQL based tests, CVEs, APARs, and groups such as database versions and patches.
Services Status panel
The Services Status panel is a centralized place to check status of services such as CAS or alerter, and if necessary, investigate each service further. Open the
Services Status panel by clicking Setup > Tools & Views > Services Status. Each time the Services Status panel is opened, the status of each service is refreshed.
Archive, Purge and Restore
Archive and purge operations should be run on a scheduled basis. Use Data Archive and Results Archive to store captured and information for auditing. Amazon S3
Archive and Backup in Guardium also appears at the end of this topic.
Guardium catalog
When you archive data from your Guardium system, the Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored.
How to manage backup and archiving
Establish data retention practices; control activity volume; manage scheduling of data archive and purge, and monthly backups.
Exporting Results (CSV, CEF, PDF)
CSV, CEF, and PDF files can be created by workflow processes. This function exports all such files that are on the Guardium system.
If you have multiple systems with identical or similar requirements, and are not using Central Management, you can define the components that you need on one
system and export those definitions to other systems, provided those systems are on the same software release level.
Distributed Interface
Use this configuration screen to define the Distributed Interface and upload the Protocol Buffer (.proto) file to the DIST_INT database.
Manage Custom Classes
Upload and maintain custom classes used in alerts or evaluations. Manage custom classes by clicking Setup > Custom Classes.
SSH Public Keys
Use this information to create, modify or remove an SSH Public Key.
How to install an appliance certificate to avoid a browser SSL certificate challenge
Use IBM Security Guardium CLI commands to create a certificate signing request (CSR), and to install server, certificate authority (CA), or trusted path certificates
on your Guardium system.
Self Monitoring
The Guardium solution monitors itself to minimize disruptions and correct problems automatically whenever possible.
Groups
Using groups makes it easy to create and manage classifier, policy and query definitions, as well as roll out updates to your S-TAP's and GIM clients. Rather than
having to repeatedly define a group of data objects for an access policy, put the objects into a group to easily manage them.
Security Roles
Security roles are used to grant access to data (groups, queries, reports, etc.) and to grant access to applications (Group Builder, Report Builder, Policy Builder, CAS,
Security Assessments, etc).
Notifications
Use the Alerter and Alert Builder to create notifications. When email or other notifications are required for alerting actions, follow this procedure for each type of
notification to be defined.
How to create a real-time alert
Send a real-time alert to the database administrator whenever there are more than three failed logins for the same user within five-minutes.
Custom Alerting Class Administration
Use a custom alert class to send alerts to a custom recipient. Upload the custom class, then use the Alert Builder to designate the custom class as an alert
notification receiver.
Predefined Alerts
Table describing the predefined alerts found in the Alert Builder.
Scheduling
The general purpose scheduler is used to schedule many different types of tasks (archiving, aggregation, workflow automation, etc.).
Aliases
Create synonyms for a data value or object to be used in reports or queries.
Dates and Timestamps
Use a calendar tool to select an exact date, and a relative date picker to select a date that is relative to the current time.
Time Periods
Use the Time Period Builder to create time periods that can be used for policy rules and query conditions.
Time Periods
Policy rules and query conditions can test for events that occur (or not) during user-defined time periods.

Comments
Comments apply to definitions and to workflow process results.
How to install patches
Install a single patch or multiple patches as a background process.
Support Maintenance
The Support Maintenance feature is password protected and can be used only as directed by Technical Support. Contact Technical Support if you require more
information.
Guardium Administration
GuardiumÂ® administrators perform various administration and maintenance tasks.
Any user assigned the admin role is referred to as a Guardium administrator. This is distinct from the admin user account.
Admin role Privileges

The Guardium admin role has privileges that are not explicitly assigned to that role. For example, when a user with the admin role displays a list of privacy set definitions,
all privacy sets defined on the Guardium system display, and the user with the admin role can view, modify, or delete any of those definitions. When a user without the
admin role accesses the list of privacy sets, that user will see only those privacy sets that he or Â she owns (i.e. created), and all privacy sets that have been assigned a
security role that is also assigned to that user.
CLI diag Command Access

Use of the diag CLI command requires an additional password, which can be the password of any user with the admin role.
If automatic account lockout is enabled (a feature that locks a user account after a specified number of login failures), the admin user account may become locked after a
number of failed login attempts. If that happens, use the unlock admin CLI command to unlock it.
Note: The access manager (accessmgr) can unlock accounts from the User Browser. Open the User Browser by clicking Access > Access Management > User Browser.
Admin user Privileges

The admin user has additional privileges that are not granted to the admin role, as follows:
Access to all users' to-do lists

Owner of imported definitions
Access management functions
Admin User To-Do List Powers

The To-do List is a workflow automation feature that controls the distribution of audit process results to users. The admin user has special privileges and responsibilities in
this area. If a user account is disabled, all audit process results for that user will be reassigned to the admin user automatically. If a user is unavailable for any other
reason, audit process results may be installed in that user's to-do list, i.e., awaiting sign-off before being released to the next results receiver. The admin user can open
any user's to-do list, and take any actions available to that user. When the admin user performs any actions on another user's to-do list, that fact is noted in the audit
process activity log, for example, User admin signed results on behalf of user x.
Imported Definition Ownership

When definitions are exported, all roles are removed, and the owner is changed to the admin user. This is the only way to control how the definition will be used on the
importing system.
Access Management and the Administrator

For security purposes, there is a separation of duties for the access manager and admin. Admin users cannot have access manager privileges, and vice versa.
The next time the admin user logs in, access manager functionality will be available to them. This is possible for the admin user only (and not for other users having the
admin role).
Note:
The same user may contain both of these roles through a legacy situation or as a result of an upgrade. However, current use will not allow the two roles to be assigned to
the same user.
In the past, when a unit was upgraded, the accessmgr role was assigned to the admin user, and the accessmgr user was disabled.
In this situation, to configure the accessmgr and admin, log in as admin and enable the accessmgr user, then log in as accessmgr (the default initial password
isguardium), and remove the accessmgr role from the admin user.
Parent topic: Managing your Guardium system
Certificates
Check certificates periodically to avoid loss of function. Use CLI commands to obtain and install new certificates.
Certification Expiration
Expired certificates will result in a loss of function. Run the show certificate warn_expire command periodically to check for expired certificates. The command displays
certificates that will expire within six months and certificates that have already expired. The user interface will also inform you of certificates that will expire. To see a
summary of all certificates, run the command show certificate summary.

For more information, see the full list of Certificate CLI Commands.
New Certificates
To obtain a new certificate, generate a certificate signed request (CSR) and contact a third-party certificate authority (CA) such as VeriSign or Entrust. Guardium does not
provide CA services and will not ship systems with different certificates than the ones that are installed by default. The certificate format must be in PEM and include
BEGIN and END delimiters. The certificate can either be pasted from the console or imported through one of the standard import protocols.
You can generate a certificate signed request (CSR) with one of the following commands:
create csr alias - This command creates a certificate request with an alias.
create csr gui - This command creates a certificate request for the tomcat.
create csr sniffer - This command creates a certificate request for the sniffer.
Note: Do not perform this action until after the system network configuration parameters have been set.
To install a new certificate through the command line interface, use one of the following commands:
store certificate gim - This command stores GIM certificates in the keystore.
store certificate gui - This command stores tomcat certificates in the keystore.
store certificate keystore - This command asks for a one-word alias to uniquely identify the certificate and store it in the keystore.
store certificate mysql - This command stores mysql client and server certificates.
store certificate stap - This command stores S-TAP certificates.
store certificate sniffer - This command stores sniffer certificates.
To install a new certificate key through the command line interface, use one of the following commands:
store cert_key mysql - This command stores the certificate key of a mysql client and server.
store cert_key sniffer - This command stores the sniffer certificate key.
Backup and Default Options

You can choose to restore certificates and certificate keys with the backup or default parameter. Use the backup parameter to restore a certificate to the last saved
certificate. Use the default parameter to restore a certificate to the original certificate that Guardium supplied.
Changes in Commands
Some certificate commands have been changed.
csr is now create csr gui.

create system csr is now create csr sniffer.
restore keystore is now restore certificate keystore backup.
restore system-certificate is now restore certificate sniffer default.
show system certificate is now show certificate sniffer.
store system certificate is now store certificate sniffer.
store trusted certificate is now store certificate keystore.
store certificate console is now store certificate gui.
New Commands
The following commands are available for use.
create csr alias

restore certificate keystore default
restore certificate sniffer backup
show certificate all
show certificate gim
show certificate gui
show certificate keystore alias
show certificate keystore all
show certificate mysql client
show certificate mysql server
show certificate summary
show certificate warn_expired
Deprecated Commands
The following commands have been deprecated.
csr
store certificate console
store system key
show system key
store system certificate
show system certificate
Full List of Commands

Use the following commands to create, restore, show, or store certificates.
create csr gui

create csr alias

create csr sniffer
restore certificate keystore default
restore certificate keystore backup
restore certificate sniffer backup
restore certificate sniffer default
show certificate all
show certificate gim
show certificate gui
show certificate keystore alias
show certificate keystore all
show certificate mysql client
show certificate mysql server
show certificate sniffer
show certificate summary
show certificate warn_expired
store certificate sniffer
store certificate gui

Use unit utilization reports to identify under- and over-utilized systems in your Guardium environment.
Open the unit utilization reports by clicking Manage > Reports > Unit Utilization, and then selecting one of the reports.
The default unit utilization reports include the following:
Buff Usage Monitor

CPU Tracker
Enterprise Buffer Usage Monitor
Unit Utilization
Utilization Parameters
Most parameters are averaged for a specific unit over a specific time range. The number of restarts is a count of the sniffer restarts during a specific time range based on
the different PIDs.
The parameters supported are:
Number of restarts
Sniffer memory
Free buffer space
Analyzer queue
Logger queue
Restriction: There is a limit of 500 SQLs in the logger queue. If more than 500 SQLs try to fill this queue at the same time, any additional SQLs beyond the queue
limit will log RA=-1.
MySQL disk usage
System CPU load
Number of requests
Number of full SQL
Quick search disk usage
Quick search number of documents
Flat log requests
Thresholds
For each parameter there are two thresholds defined that separate three utilization levels: Low, Medium, and High.
Utilization levels:
Low: value is less than Threshold1

Medium: value is greater than Threshold1, and less than Threshold2
High: value is greater than Threshold2
There is also an overall utilization level for each unit. For each period of time, this level is the highest level for all levels during that period.
Reporting
View the available unit utilization reports by clicking Manage > Reports > Unit Utilization.
The Unit Utilization Levels tracking option allows you to create custom queries and reports.
Using aliases is recommended when using unit utilization data in custom and predefined reports. Otherwise, utilization levels will display as numbers: 1, 2, 3, instead of
Low, Medium, High.
The list of attributes includes:

Host name
Period start
Number of restarts
Number of restarts level
Sniffer memory
Sniffer memory Level
Percent MySQL memory level
Free buffer space
Free buffer space level
Analyzer queue
Analyzer queue level
Logger queue
Logger queue level
MySQL disk usage
MySQL disk usage level
System CPU load
System CPU load level
System var disk usage level
Overall unit utilization level
Number of requests
Number of requests level
Number of full SQLs
Number of full SQLs level
Number of exceptions level
Number of policy violations level
Number of flat log requests
Number of flat log requests level
Note: Each parameter has a value and a level which is calculated based on the value and the thresholds.
Throughput information available in Unit Utilization

Throughput data is collected on each collector unit. The CM consolidates all throughput data and creates an enterprise custom table that is added to predefined utilization
reports.
Throughput information collected:
Number of requests (for the period) (from construct instance)

Number of full SQLs (for the period) (from construct text)
By default, throughput information is collected every hour.
GuardAPI and CLI commands for Unit Utilization

Guard APIs:
listUtilizationThresholds
updateUtilizationThresholds
reset_unit_utilization
CLI commands:
store monitor gdm_statistics

show monitor gdm_statistics

This procedure describes how to configure Guardium systems for processing and displaying unit utilization data.

This procedure describes how to configure Guardium systems for processing and displaying unit utilization data.
About this task

For a centrally managed environment, viewing unit utilization information requires scheduling two processes on the central manager: uploading data for the central
manager buffer usage monitor, and processing the unit utilization data.
For a standalone system, viewing unit utilization information only requires scheduling the processing of unit utilization data. There is no need to schedule data upload for a
central manager buffer usage monitor when working with a standalone system.
Procedure

1. For a centrally managed environment, define a schedule on the central manager for uploading the central manager buffer usage monitor data.
a. Navigate to Reports > Report Configuration Tools > Custom Table Builder.
b. From the Custom Tables screen, select CM Buffer Usage Monitor and click Upload Data to continue.
c. From the Upload Data screen, click Modify Schedule to define a schedule for uploading the central manager buffer usage monitor data. Click Save after
defining a schedule, then click Back to return to the Upload Data screen. Scheduling the process to run once every hour is a reasonable starting point for
many deployments, but you may want to adjust the interval around your available resources or data-currency needs.
Important: To ensure that the most recent data is available for unit utilization reports, define a schedule that processes the buffer usage monitor data before
processing the unit utilization data. Additionally, the buffer usage monitor data should not be scheduled to run exactly on the hour.
Best practice: Define schedules that process the buffer usage monitor data at 10-minutes after the hour and unit utilization data at 40-minutes after the
hour.
d. From the Upload Data screen, optionally click Run Once Now to immediately upload the data.
2. For a centrally managed environment or for a standalone system, define a schedule for processing unit utilization data. In a centrally managed environment, you
only need to define the unit utilization schedule on the central manager.
a. Navigate to Manage > Unit Utilization > Unit Utilization Levels.
b. From the Unit Utilization Levels screen, click Modify Schedule to define a schedule for processing unit utilization data. Click Save after defining a schedule,
then click Back to return to the Unit Utilization Levels screen. Scheduling the process to run once every hour is a reasonable starting point for many
deployments, but you may want to adjust the interval around your available resources or data-currency needs.
Important: To ensure that the most recent data is available for unit utilization reports, define a schedule that processes the unit utilization data after
processing the buffer usage monitor data.
Best practice: Define schedules that process the buffer usage monitor data at 10-minutes after the hour and unit utilization data at 40-minutes after the
hour.
c. From the Unit Utilization Levels screen, optionally click Run Once Now to immediately process the data.
Results
After completing these steps, navigate to Manage > Reports > Unit Utilization to view unit utilization reports. In a centrally managed environment, data will be available for
the central manager and its managed units. For a standalone system, data will only be available for that individual system. If you did not use the Run Once Now option
when defining the schedules, you must wait until those processes run before the unit utilization reports will update with the latest data.
Parent topic: Unit Utilization Level
Customer Uploads
Database Activity Monitor Content Subscription (previously known as Database Protection Subscription Service) supports the maintenance of predefined assessment
tests, SQL based tests, CVEs, APARs, and groups such as database versions and patches.
Uploads are used to keep information current and within industry best practices to protect against newly discovered vulnerabilities. Distribution of updates is done on a
quarterly basis.
Use Customer Uploads to upload the following: DPS update files; Oracle JDBC drivers; MS SQL Server JDBC drivers; and, DB2 for z/OS license jar.
Note: If a custom group exists with the same name as a predefined GuardiumÂ® group, the upload process will add Guardium in front of the name for the predefined
group.
1. Open Customer Uploads by clicking Harden > Vulnerability Assessment > Customer Uploads.
2. For DPS Upload, click Browse to locate and select the file to be uploaded.
Note: Reference the Import DPS pane to see what files have been uploaded.
3. For Upload DB2 z/OS License jar, click Browse to locate and select the file.
4. Use Upload Oracle JDBC driver or Upload MS SQL Server JDBC driver to upload open source drivers. After uploading, you will see the databases added to the
Datasource finder. Upload one driver at a time.
Note: There are two instances where open source drivers are recommended over Oracle Data Direct drivers or MS SQL Data Direct drivers.
a. To support Windows Authentication for MS SQL Server. In all other uses, the Data Direct driver pre-loaded in the Guardium appliance is sufficient.
b. When using the Value Change Tracking application for Oracle version 10 or higher, the open source driver is recommended in order to support using streams
instead of triggers.
Use keywords to search and download open source JDBC drivers (for example: open source JDBC driver for MS SQL).
5. Use the Central Manager to distribute the .jar file to managed units. After the file is successfully uploaded, the GUI needs to be restarted on the Central Manager
and the managed units.
Note:
If you will be exporting and importing definitions from one unit to another, be aware that subscribed groups are not exported. When exporting definitions that reference
subscribed groups, you must ensure that all referenced subscribed groups are installed on the importing unit (or central manager in a federated environment).
When uploading DB2Â® z/OSÂ® license jar files, the license will take effect after restart of the GUI.
Note: If the DPS stops for any reason (for example, a server restart or a GUI restart), it is recommended to wait 30 minutes before starting the DPS upload process again.
Enable ASO on the Oracle server using latest Oracle DataDirect driver
Refer to the following when enabling ASO on the Oracle server using the latest Oracle DataDirect driver.
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
#SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
The Oracle JDBC driver will work and does not require specifying a connection property.

But the latest Oracle JDBC driver must be downloaded from Oracle. The filename is ojdbc7.jar. Use keywords to search and download open source JDBC drivers (for
example: open source JDBC driver for Oracle). Then upload that driver to the appliance using the Guardium Customer Uploads function.
If you continue to use Oracle DataDirect driver, then you need to specify a connection property to the datasource.
Use the following when defining the Oracle DataDirect driver connection property:
DataIntegrityLevel=required;EncryptionLevel=required;DataIntegrityTypes=(MD5,SHA1)
Note: The current Oracle DataDirect driver does not support SHA-256. So SHA-1 has to be used. That is why sqlnet.ora reference
(#SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)) had to be commented out. However, if a Guardium customer must connect using SHA-256, they
should use the Oracle JDBC driver instead.
Data Direct references:
https://www.progress.com/documentation/datadirect-connectors
Download the Oracle database JDBC User' Guide PDF for a list of command references.
Use a TAB Delimited file (.TXT) when creating and saving a Datasource Upload file from the Customer Upload functionality
If you choose to use a comma delimited file structure (.CSV), it will not behave as intended if any column value contains a comma.
Follow these steps
1. If using EXCEL, save file as a TAB Delimited (.TXT) file.

2. If using OpenOffice or Libre Office then save a (.CSV) file with TAB Delimiters.
3. Log in as admin and open Customer Uploads by clicking Harden > Configuration Change Control (CAS Application) > Customer Uploads.
4. For Upload CSV to Create/Update Datasources, click Browse..., and select the tab delimited file.
Create Datasource for CSV uploaded via the Upload CSV menu
Follow the proceeding steps to create a Tab Delimited .TXT formatted file containing datasource information. This Tab Delimited .TXT file can then be used with the
Customer Upload function in the Guardium application to many datasource types.
Use the function to import datasources was not always compatible with each Guardium Software Release. This procedure will enable the uploading of any datasource.
The following is a list of Header Columns that should be added to an Excel spreadsheet when creating the .TXT tab delimited datasource upload file:
Column Values (accepted for .CSV datasource upload file)
Table 1. create_datasource
Parameter Description
application Required. Identifies the application for which the datasource is being defined. It must be one of the following:
ChangeAuditSystem
Access_policy
MonitorValues
DatabaseAnalyzer
AuditDatabase
CustomDomain
Classifier
AuditTask
SecurityAssessment
Replay
Stap_Verification
compatibilityMode Compatibility Mode: Choices are Default or MSSQL 2000. The processor is told what compatibility mode to use when monitoring
a table.
conProperty Optional. Use only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with this
datasource. The required format is property=value, where each property and value pair is separated from the next by a comma.
For a Sybase database with a default character set of Roman8, enter the following property: charSet=utf8
customURL Optional. Connection string to the datasource; otherwise connection is made using host, port, instance, properties, etc. of the
previously entered fields. As an example this is useful for creating Oracle Internet Directory (OID) connections.
dbInstanceAccount Optional. Database Account Login Name (software owner) that will be used by CAS
dbInstanceDirectory Optional. Directory where database software was installed that will be used by CAS
dbName Optional. For a DB2 or Oracle datasource, enter the schema name. For others, enter the database name.
description Optional. Longer description of the datasource.
host Required. Can be the host name or the IP address.
name Required. Provides a unique name for the datasource on the system.

owner Required. Identifies the Guardium user account that owns the datasource.
password Optional. Password for owner. If used, user must also be used.
port Optional (integer). Port number.
serviceName Required for Oracle, InformixÂ®, DB2, and IBMÂ® ISeries. For a DB2 datasource enter the database name, for others enter the
service name.
severity Optional. Severity Classification (or impact level) for the datasource.
shared Optional (boolean). Set to true to share with other applications. To share the datasource with other users, you will have to assign
roles from the GUI.
type Required. Identifies the datasource type; it must be one of the following:
DB2
DB2 for i
DB2 for z/OS
Informix
MS SQL Server
MS SQL Server (DataDirect)
MySQL
NA
Netezza
Oracle (DataDirect)
Oracle (Service Name)
Oracle (SID)
PostgreSQL
Sybase
Sybase IQ
Teradata
The following can be used when the application is CustomDomain or Classifier:
TEXT
TEXT:FTP
TEXT:HTTP
TEXT:HTTPS
TEXT:SAMBA
user Optional. User for the datasource. If used, password must also be used.
environmentTitle Required for cloud database service protection. Account name.
region Required for cloud database service protection. The AWS region.
objectLimit Required for cloud database service protection. The maximum number of objects found in the classification process that are
added automatically to the list of audited objects. See Cloud database service protection
primaryCollector Relevant for cloud database service protection. The collector that extracts the audit data from the cloud database.
Notes:
1. Each of the column names must be included in the Excel spreadsheet SAVED as a TAB delimited (.TXT) file.
2. The Created Datasource name (what is shown when looking for the datasource) is made up of both the name column and the type column.
3. Upload file MUST be saved as a Column Tab Delimited file type.
Steps to create and upload txt file in a Text CSV format file and add Datasource Data
1. Create the Excel spreadsheet file save as a Tab Delimited .TXT file with the following headers and datasource data to support the datasource import capability.
2. Create and save your .txt file to your PC or UNIX/Linux device for uploading into the Guardium application.
3. Login as admin and open Customer Uploads by clicking Harden > Configuration Change Control (CAS Application) > Customer Uploads
4. From Upload CSV to Create/Update Datasources, click Browse and select the .txt file containing the tab delimited datasource information.
5. Click Upload.

A message will display showing which values from the .txt file were uploaded:
1. New: Per file upload (if save file and added New Datasource member(s), these members will be have the status of NEW.
2. Update: Upload SAME datasource that you made changes on will give an Update status.
3. Fail: Displayed failed datasource or errors
Services Status panel

The Services Status panel is a centralized place to check status of services such as CAS or alerter, and if necessary, investigate each service further. Open the Services
Status panel by clicking Setup > Tools & Views > Services Status. Each time the Services Status panel is opened, the status of each service is refreshed.
Say that you set up a policy that sends a real-time alert whenever there are more than three failed log-ins in 5 minutes. To protect against this possible intrusion, you must
make sure that the policy was installed, and that the alerter is on.
Use the Services Status panel to verify that both of these services are configured properly.
Clicking any service takes you to its configuration page, where you can, as relevant, turn the service off or on, restart a service, configure a service, etc.
If for some reason the policy didn't install correctly, click Setup > Tools & Views > Policy Installation to go to Policy Installer, view the currently installed policies, and
make the necessary changes.
Each service displays one of the following icons:
Service is running/scheduled:
Service is paused:
Service is off:
Archive, Purge and Restore

Archive and purge operations should be run on a scheduled basis. Use Data Archive and Results Archive to store captured and information for auditing. Amazon S3 Archive
and Backup in Guardium also appears at the end of this topic.
Data Archive and Results Archive can be found by clicking Manage > Data Management.
Data Archive backs up the data that has been captured by the Guardium system, for a time period. When configuring Data Archive, a purge operation can also be
configured. Typically, data is archived at the end of the day of everyday to ensure that in the event of a catastrophe, only one day of data is lost. The purging of data
depends on the application and is highly variable, depending on business and auditing requirements. In most cases, data can be kept on the Guardium systems for
more than six months.
Results Archive backs up audit tasks results (reports, assessment tests, entity audit trail, privacy sets, and classification processes) as well as the view and sign-off
trails and the accommodated comments from workflow processes. Results sets are purged from the system according to the workflow process definition.
the location from where it is archived varies depending on your requirements.
Scheduled export operations send data from GuardiumÂ® collector units to a Guardium aggregation server. On its own schedule, the aggregation server executes an
import operation to complete the aggregation process. On either or both units, archive and purge operations are scheduled to back up and purge data regularly (both to
free up space and to speed up access operations on the internal database).
Archive files can be sent using SCP or FTP protocol, or to an EMC Centera or TSM storage system (if configured). You can define a single archiving configuration for each
Guardium system.
Guardiumâ€™s archive function creates signed, encrypted files that cannot be tampered with. DO NOT change the names of the generated archive files. The archive and
restore operations depend on the file names that are created during the archiving process.
Archive and export activities use the system shared secret to create encrypted data files. Before information encrypted on one system can be restored on another, the
restoring system must have the shared secret that was used on the archiving system when the file was created.
Whenever archiving data, be sure to verify that the operation completes successfully. To do this, open the Aggregation/Archive Log by clicking Manage > Reports > Data
Management > Aggregation/Archive Log. There should be multiple activities that are listed for each archive operation, and the status of each activity should as completed.
Perform System Backup tasks by clicking Manage > Data Management > System Backup. You can also perform backup tasks from the CLI. See File handling CLI
commands for further information.
Default Purging
The default value for purge is 60 days
The default purge activity is scheduled every day at 5:00 AM.
For a new install, a default purge schedule is installed that is based on the default value and activity.
When a unit type is changed to a managed unit or back to a standalone unit, the default purge schedule is applied.
The purge schedule will not be affected during an upgrade.
When purging a large number of records (10 million or higher), a large batch size setting (500k to 1 million) is the most effective way to go. Using a smaller batch
size or NULL causes the purge to take hours longer. Smaller purges finish quickly, so a large batch size setting is only relevant for large purges.
Note: Setting batch size is not available in the UI. Use the GuardAPI command grdapi set_purge_batch_size batchSize to set batch size.
How to determine what days are not archived

Use the Report Builder to view the list of all files with archive dates. Open the Report Builder by clicking Manage > Reports > Report Builder. From the Query menu, select
Location View. Dates not on this report indicate that those dates have not been archived. Run archive for the dates not on the list, if required.
Configure Data Archive and Purge

1. Open the Data Archive by clicking Manage > Data Management > Data Archive.
2. To archive, check the Archive check box. Additional fields will appear in the Configuration panel.
3. For Archive data older than, enter a value and select a unit of time from the menu. To archive data starting with yesterdayâ€™s data, enter the value 1, and select
Day(s) from the menu.
4. Use Ignore data older than to control how many days of data is archived. Any value that is specified here must be greater than the Archive data older than value.
Note: If you leave this field blank, you archive data for all days older than the value specified in Archive data older than. This means that if you archive daily and
purge data older than 30 days, you archive each day of data 30 times (before it is purged on the 31st day).
5. Check the Archive Values check box to include values from SQL strings in the archived data. If this box is cleared, values are replaced with question mark characters
on the archive (and hence the values will not be available following a restore operation).
6. Select a Protocols option, and fill in the appropriate information. Depending on how your Guardium system has been configured, one or more of these buttons might
not be available. For a description of how to configure the archive and backup storage methods, see the description of the show and store storage-system
commands.
7. Perform the appropriate procedure, depending on the storage method selected:
8. Check the Purge check box to define a purge operation.
IMPORTANT: The Purge configuration is used by both Data Archive and Data Export. Changes that are made here apply to any executions of Data Export and vice
versa. In the event that purging is activated and both Data Export and Data Archive are run on the same day, the first operation that runs will likely purge any old
data before the second operation's execution.
For this reason, any time that Data Export and Data Archive are both configured, the purge age must be greater than both the age at which to export and the age at
which to archive.
9. If purging data, use the Purge data older than field to specify a starting day for the purge operation as a number of days, weeks, or months before the current day,
which is day zero. All data from the specified day and all older days are purged, except as noted. Any value that is specified for the starting purge date must be
greater than the value specified for the Archive data older than value. In addition, if data exporting is active, the starting purge date that is specified here must be
greater than the Export data older than value. See the IMPORTANT note.
Note:
There is no warning when you purge data that has not been archived or exported by a previous operation.
The purge operation does not purge restored data whose age is within the do not purge restored data timeframe that is specified on a restore operation.
11. Click Save to save the configuration changes. The system attempts to verify the configuration by sending a test data file to that location.
If the operation fails, an error message is displayed and the configuration will not be saved.
If the operation succeeds, the configuration is saved.

After selecting SCP or FTP in an archive or backup configuration panel, the following information must be provided:
1. For Host, enter the IP address or host name of the host to receive the archived data.
2. For Directory, identify the directory in which the data is to be stored. How you specify this depends on whether the file transfer method used is FTP or SCP.
For FTP: Specify the directory relative to the FTP account home directory.
For SCP: Specify the directory as an absolute path.
3. For Port that can be used to send files over SCP and FTP. The default port for ssh/scp/sftp is 22. The default port for FTP is 21.
Note: Seeing a zero (0) for port indicates that the default port is being used and that there is no need to change.
4. For Username and Password, enter the credentials for the user logging on to the SCP or FTP server. This user must have write/execute permissions for the directory
that is specified in Directory.
For Windows, a domain user is accepted with the format of domain\user
5. Click Save to save the configuration.

This backup or archiving task copies files to an EMC Centera storage system off-site. A license is needed with user name and password from EMC. Four main actions are
needed for this task:
1. Establish account with an EMC Centera on the network (IP addresses and a ClipID are needed)
2. Configure the data and/or configuration files from a Guardium system
3. Define and export a library
4. Confirm that your files are stored on the EMC Cetera storage system.
CLI action
From the CLI, run these commands:
store storage-system centera backup ON

show storage-system
Configure Centera Archive or Backup

Open System Backup by clicking Manage > Data Management > System Backup. Select EMC Centera, the following information must be provided:
1. For Retention, enter the number of days to retain the data. The maximum is 24855 (68 years). If you want to save it for longer, you can restore the data later and
save it again.
2. For Centera Pool Address, enter the Centera Pool Connection String; for example: 10.2.3.4,10.6.7.8?/var/centera/us1_profile1_rwe.pea txt
Note: This IP address and the .PEA file comes from EMC Centera. Â The question mark is required when configuring the path. The .../var/centera/... path name is
important as the backup might fail if the path name is not followed. The .PEA file gives permissions, username, and password authentication per Centera backup
request.
3. Click Upload PEA File to upload a Centera PEA file to be used for the connection string. The Centera Pool Address is still needed.
Note: If the message Cannot open the pool at this address.. appears, check the size of the Guardium system host name. A timeout issue has been
reported with Centera when using host names that are fewer than four characters in length.
4. Click Save to save the configuration. The system attempts to verify the Centera address by opening a pool using the connection string specified. If the operation
fails, you will be informed and the configuration will not be saved.
5. Click Run Once Now to perform the backup using the downloaded .PEA file.
Confirm that your files have been copied to the EMC Centera. The name of the files and a ClipID are required for this task.

Before archiving to a TSM server, a dsm.sys configuration file must be uploaded to the Guardium system, via the CLI. Use the import tsm config CLI command. After you
select TSM in an archive or backup configuration panel, provide following information:
1. For Password, enter the TSM password that this Guardium system uses to request TSM services, and re-enter it in the Re-enter Password box.
2. Optionally, enter a Server name matching a servername entry in your dsm.sys file.
3. Optionally, enter an As Host name.
4. Click Save to save the configuration. When you click the Save button, the system attempts to verify the TSM destination by sending a test file to the server using the
dsmc archive command. If the operation fails, you will be informed and the configuration will not be saved.
5. Return to the archiving or backup procedure to complete the configuration.
Configure Results Archive

1. Open the Results Archive by clicking Manage > Data Management > Results Archive (Audit).
2. In the files following Archive results older than, specify a starting day for the archive operation as a number of days, weeks, or months before the current day, which
is day zero. To archive results starting with yesterdayâ€™s data, enter the value 1, and select Day(s) from the list.
3. Optionally, use the fields following Ignore results older than to control how many days of results are archived. Any value that is specified here must be greater than
the Archive results older than value.
4. Select a storage method from the radio buttons. Depending on how the Guardium system has been configured, one or more of these buttons might not be available.
For a description of how to configure the archive and backup storage methods, see the description of the show storage-system and store storage-system
commands in Configuration and Control CLI Commands.
EMC CENTERA
TSM
SCP
FTP
5. Perform the appropriate procedure depending on the storage method selected:
7. Click Save to verify and save the configuration changes. The system attempts to verify the configuration by sending a test data file to that location.
If the operation fails, an error message is displayed and the configuration will not be saved.
If the operation succeeds, the configuration is saved.
Restore Data
If this system is not the system that generated the archive to be restored, you must create a location entry in the catalog via Catalog Archive, then click Add (reference:
Guardium catalog) or GuardAPI (reference: CLI and API > GuardAPI Reference > GuardAPI Catalog Entry Functions). When the Data Restore is started this information is
used to transfer the file to the system before processing the data.
Before Restoring Data
Before restoring from TSM, a dsm.sys configuration file must be uploaded to the Guardium system, via the CLI. Use the import tsm config CLI command.
Before restoring from EMC Centera, a pea file must be uploaded to the Guardium system, via the Data Archive panel.
Before restoring or importing a file that was encrypted by a different Guardium system, make sure that the system shared secret used by the Guardium system that
encrypted the file is available on this system (otherwise, it will not be able to decrypt the file). See About the System Shared Secret in System Configuration.
Before restoring on a Guardium collector run the CLI command stop inspection-core to stop the inspection-core process.
Note: The data cannot be captured during the restore process.
To restore data:
1. Open Data Restore by clicking Manage > Data Management > Data Restore.
2. Enter a date in From to specify the earliest date for which you want data.
3. Enter a date in To to specify the latest date for which you want data.
4. For Host Name, optionally enter the name of the Guardium system from which the archive originated.
5. Click Search.
6. In the Search Results panel, check the Select check box for each archive you want to restore.
7. In the Don't purge restored data for at least field, enter the number of days that you want to retain the restored data on the system.
8. Click Restore.

Note: The restore of data archived from a collector should be done only to: the same collector; an aggregator; or, a different collector dedicated to investigation that is not
part of an aggregation cluster. In the case of a crashed collector, a system backup can be restored onto a new, clean collector.

Use this feature to archive and backup data, from Guardium, to Amazon S3.
Amazon S3 (Amazon Simple Storage Service) provides a simple web service interface that can be used to store and retrieve any amount of data, at any time, from
anywhere on the web. It gives any developer access to the same highly scalable, reliable, secure, inexpensive infrastructure that Amazon uses to run its own web sites.
Prerequisites
1. An Amazon account.
2. Register for S3 service
3. Amazon S3 credentials are required in order to access Amazon S3. These credentials are:
Access Key ID - identifies user as the party responsible for service requests. It needs to be included it in each request. It is not confidential and does not
need to be encrypted. (20-character, alphanumeric sequence).
Secret Access Key - Secret Access Key is associated with Access Key ID calculating a digital signature included in the request. Secret Access Key is a secret,
and only the user and AWS should have it (40-character sequence). This key is just a long string of characters (and not a file) that is used to calculate the
digital signature that needs to be included in the request.
Data Archive backs up the data that has been captured by the system, for a given time period.
Results Archive backs up audit tasks results (reports, assessment tests, entity audit trail, privacy sets, and classification processes) as well as the view and sign-off
trails and the accommodated comments from work flow processes.
When Guardium data is archived, there is a separate file for each day of data.
Archive data file name format:
<time>-<hostname.domain>-w<run_datestamp>-d<data_date>.dbdump.enc
Guardium's archive function creates signed, encrypted files that cannot be tampered with. The names of the generated archive files should not be changed. The archive
operation depends on the file names that are created during the archiving process.
All configuration information and data is written to a single encrypted file and sent to the specified destination, using the transfer method that is configured for backups on
this system.
Backup system file format:
<data_date>-<time>-<hostname.domain>-SQLGUARD_CONFIG-9.0.tgz
<data_date>-<time>-<hostname.domain>-SQLGUARD_DATA-9.0.tgz
Use the Aggregation/Archive Log report in Guardium to verify that the operation completes successfully. Open the Aggregation/Archive Log by clicking Manage > Reports >
Data Management > Aggregation/Archive Log. There should be multiple activities that are listed for each Archive operation, and the status of each activity should be
Succeeded.
Regardless of the destination for the archived data, the Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored on the system
with minimal effort, at any point in the future.
A separate catalog is maintained on each system, and a new record is added to the catalog whenever the system archives data or results.
Catalog entries can be transferred between appliances by one of the following methods:
Aggregation - Catalog tables are aggregated, which means that the aggregator will have the merged catalog of all of its collectors
Export/Import Catalog - These functions can be used to transfer catalog entries between collectors, or to backup a catalog for later restoration, etc.
Data Restore - Each data restore operation contains the data of the archived day, including the catalog of that day. So, when restoring data, the catalog is also being
updated.
When catalog entries are imported from another system, those entries will point to files that have been encrypted by that system. Before restoring or importing any such
file, the system shared secret of the system that encrypted the file must be available on the importing system.
Enable Amazon S3 from the Guardium CLI
Amazon S3 archive and backup option is not enabled by default in the Guardium GUI. To enable Amazon S3 via Guardium CLI, run the following CLI commands:
store storage-system amazon_s3 archive on

store storage-system amazon_s3 backup on
Amazon S3 requires that the clock time of Guardium system to be correct (within 15-minutes). Otherwise, this results in an Amazon error. If there is too large a difference
between the request time and the current time, the request will not be accepted.
If the Guardium system time is not correct, set the correct time using the following CLI commands:
show system ntp server

store system ntp server (An example is ntp server: ntp.swg.usma.ibm.com)
User Interface
Use the System Backup to configure the backup. Open the System Backup by clicking Manage > Data Management > System Backup.
User input requires:

S3 Bucket Name (Every object that is stored in Amazon S3 is contained in a bucket. Buckets partition the namespace of objects that are stored in Amazon S3.
Within a bucket, you can use any names for your objects, but bucket names must be unique across all of Amazon S3.
Access Key ID
Secret Access Key
If bucket name does not exist, it will get created.
Secret Access Key is encrypted when saved into the database.
Check that files got uploaded on Amazon S3
1. Log onto AWS Management Console using your email address and password.
http://aws.amazon.com/console/
1. Click S3.
2. Click the bucket that you specified in Guardium UI.
How to purge data from the Guardium appliance

Two areas can get full on a Guardium appliance which can then cause the GUI to stop:
The internal database
The filesystem itself (usually the /var partition)
As user CLI, check if the database is full with this CLI command:
support show db-status free %
If this comes back with 10% or less, the database is 90% full or more.
To check if /var partition (filesystem) is 90% full or more. run a must gather command from the CLI:
support must_gather system_db_info
You should be able to use fileserver to check the df -k output within the system_output.txt file that can be seen in fileserver
must_gather/system_logs/system_output.txt
or extracted from the system.<datetime>.tgz file once you have downloaded it
Inside the system_output.txt file you can find the detail.
Here the /var partition is 65% full.
==========2016-11-30 08:36:09 ... Output of df command:==========
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda3 10154020 2272668 7357232 24% /
/dev/sda2 28571320 17384504 9712052 65% /var
/dev/sda1 505604 33476 446024 7% /boot
tmpfs 6169768 0 6169768 0% /dev/shm
The later Guardium versions have a safety catch/feature that will stop the main processes from collecting any more data when the database or filesystem reaches a
certain level .
The default is to stop the processes when the database and /or the filesystem reaches a 90% full level. as per this example v10.1 documentation. You can check the
current value of the safety catch via CLI:
CLI> show auto_stop_services_when_full
Note: If the auto_stop_services_when_full is switched off the appliance may go on to fill the system to 100% preventing you from accessing the system at all.
You should never need to or want to set the auto_stop_services_when_full to OFF unless used temporarily in the specific circumstance described in the answer below
when you should then use it as described before switching it back to ON once you have resolved the space problem.
Note: You must stop inspection-core before switching the auto_stop off - this will avoid the system filling any further .
So in this case the system will automatically stop inspection-core and other processes when the filesystem or database is 90% full. This includes the GUI interface - so
you won't be able to connect to the GUI at that point.
If you attempt to restart stopped services with this command below then the system (and GUI interface) is likely to stop again after 5 minutes for the same reason. restart
stopped_services
Note: This command should only be used once you are sure that space has been recovered.
Before the database or the filesystem fills to the "auto stop" level you should receive warnings in the system log (messages file)
Alerts can be made to email you about the space problems before the auto stop is triggered. see Guardium Full database Alert
You can run a must_gather command and look inside the compressed file that gets created to check the latest messages file within

>>>Purging Data from the internal database when the GUI is down
If the auto stop has been triggered then this stops services such as the GUI - which stops you from making an emergency purge of data via the "Run Once Now " purge
option
To make that emergency purge, do the following:
Make sure that the inspection-core is switched off on Collectors to stop more data flooding into the appliance
stop inspection-core
Check that NO database commands are running except the show processlist - (if needed let any running commands finish before the next step )
support show db-processlist running
You should be able to simply restart gui to gain access to the GUI to perform the purge as per What can I do if I see my Guardium Appliance getting full?
If there is a problem where GUI keeps going down every 5 minutes - then you can then consider switching the auto_stop_services_when_full to off TEMPORARILY to allow
you to restart gui and purge some data. Just restarting GUI on its own might only stay running for 5 minutes - the main nanny process might stop the services again before
enough data is purged or before you've had time to set the purge going.
Note: If the auto_stop_services_when_full is switched off the appliance may go on to fill the system to 100% preventing you from accessing the system at all.
You should never need to or want to set the auto_stop_services_when_full to OFF unless used temporarily in the specific circumstance described here when you should
then use it as described before switching it back to ON once you have resolved the space problem.
You must stop inspection-core before switching the auto_stop off - this will avoid the system filling any further )
CLI> store auto_stop_services_when_full off
CLI> show auto_stop_services_when_full [off | restart | gui ]
Now you can go to the GUI and then Data Management Archive and set a purge running to clear some data.
Keep checking the database full and the Aggregation Archive log will show when the purge process is finished.
Once it is finished and you have space on the system you should set the auto_stop back on and then restart the stopped services thus
store auto_stop_services_when_full on
restart stopped services
If needed, then start the inspection-core.
Now data should start to be collected again.
If the system has filled up it usually means that too much activity is being recorded.

Advanced Guardium system management and configuration (video)
Preventing and reacting to Guardium database full issues (video)
Guardium catalog
When you archive data from your Guardium system, the Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored.
About this task

A separate catalog is maintained on each Guardium system, and a new record is added to the catalog whenever you archive data or results. Catalog entries can be
transferred between appliances by one of the following methods:
Aggregation: catalog tables are aggregated, which means that the aggregator has the merged catalog of all of its collectors.
Export/Import Catalog: these functions can be used to transfer catalog entries between collectors, or to back up a catalog for later restoration.
Data Restore: each data restore operation contains the data of the archived day, including the catalog of that day. When you restore data, the catalog is also
updated.
You can archive a catalog, export a catalog to external storage, or import a catalog that has been stored.
When catalog entries are imported from another system, those entries point to files that have been encrypted by that system. Before you restore or import any such file,
the system shared secret of the system that encrypted the file must be available on the importing system. You can use the aggregator backup keys file and aggregator
restore keys file CLI commands to copy the shared secrets from one Guardium system to another.
Archiving a catalog
Procedure
1. Click Manage > Data Management > Catalog Archive.

2. You can display available catalog entries for a range of dates, or add a catalog entry. To display catalog entries:
a. Enter a date in From to specify the earliest date for which you want data.
b. Enter a date in To to specify the latest date for which you want data.

c. Optional: For Host Name, enter the name of the GuardiumÂ® system from which the archive originated.
d. Click Search.
To add a catalog entry:
a. Click Add.
b. Enter a File Name.
c. Enter a Host Name.
d. Enter the Path for the file.
Note:
For FTP: specify the directory relative to the FTP account home directory
For TSM: Specify the directory as an absolute path of the original location.
e. Enter a User Name and Password for access to this location.

f. In the Retention field, enter the number of days this entry is to be kept in the catalog (the default is 365).
g. Select an option from the Storage System menu on which the file is contained.
h. Click Save.
3. To remove a catalog entry, open the catalog, select the entry, and click Remove Selected.
Exporting a catalog
Procedure
1. Click Manage > Data Management > Catalog Export.

2. Select a definition type from the Type dropdown list. TheDefinitions to Export list is populated with definitions of the selected type.
3. Select all of the definitions of this type that you want to export and click Export. Depending on your browser security settings, you might see a message that asks
whether you want to save the file or open it.
4. Choose a location to save the exported file.
Importing a catalog
Procedure
1. Click Manage > Data Management > Catalog Import.

2. Click Browse to locate and select the file.
3. Click Upload. You are notified when the operation completes and the definitions that are contained in the file are displayed. Repeat to upload more files.
4. Click Import to import the uploaded files or click Remove without Importing to remove the uploaded files without importing the contents.
How to manage backup and archiving

Establish data retention practices; control activity volume; manage scheduling of data archive and purge, and monthly backups.
Value-added: Best Practices. Protect your data from loss. Make your data readily accessible for auditing purposes.
Use the System Backup function to define a backup operation that can be run on demand or on a scheduled basis.
System backups are used to back up and store all the necessary data and configuration values to restore a server in case of hardware corruption.
There are two archive operations available. Go to Manage > Data Management to select the Data Archive or Results Archive functions:
Data Archive backs up the data that has been captured by the Guardium system, for a given time period. When configuring Data Archive, a purge operation can also
be configured. Typically, data is archived at the end of the day on which it is captured, which ensures that in the event of a catastrophe, only the data of that day is
lost. The purging of data depends on the application and is highly variable, depending on business and auditing requirements. In most cases data can be kept on the
machines for more than six months.
Results Archive backs up audit tasks results (reports, assessment tests, entity audit trail, privacy sets, and classification processes) as well as the view and signoff
trails and the accommodated comments from workflow processes. Results sets are purged from the system according to the workflow process definition.
the location from where it is archived varies depending on the customer's requirements.
Whenever archiving data, be sure to verify that the operation completes successfully. To do this, log in as admin user, and open the Aggregation/Archive Log by clicking
Manage > Reports > Data Management > Aggregation/Archive Log. There should be multiple activities listed for each Archive operation, and the status of each activity
should be Succeeded.
Data backup
There are three types of recommended data backups:
1. Full/system backups:
a. Weekly or daily full backups of the Central Manager unit (assuming a standalone Central Manager).
b. Monthly for aggregators and collectors during a quiet off-hour period
2. Daily archives (think of these archives as incremental backups) for aggregators and collectors. The archive files from the aggregators are much larger than those
from the collectors. For example, if an aggregator has ten collectors sending data to it, the starting point for the size of the archive file is equal to those of all ten
collector archive files. However, it is much larger than the entire combined collector archives because the aggregator archive files contain extra data that is not sent
by the collectors every day.

3. Results archive (this is a specialized subset of the data in the daily and full backups) for aggregators. An alternative to using the Results archive is to save a PDF file
from the Audit Process after all users complete the review process.
Data retention
The data backup and archive files serve two purposes: disaster recovery, and historical investigation or auditing.
The following suggestions can be modified based on your corporate data retention policy. For example, some organizations are mandated to keep all backups for 18
months.
For disaster recovery
Keep a rolling three months full backup from each unit
Keep a rolling 2-weeks worth of daily archives from the managed collectors
Note: If you have stand-alone collectors, the daily archives should be kept according to your data-retention policy.
For historical investigation or auditing purposes
All daily archives from the aggregators for the period required by your auditing or corporate data-retention policies.
Storage capacity
The following are only estimates/ranges of backup and archive file sizes for auxiliary storage capacity planning purposes.
The actual sizes vary depending on (1) the volume and granularity of the database activity that is logged on the Guardium collectors, and (2) the retention period of the
backup files.
Daily Archives
Collector: approximately 40 MB (privileged user monitoring) to 1 GB (Comprehensive monitoring with full details logged on all traffic).
Aggregator: a rough multiple of the number of collectors, for example, Number of collectors multiplied by 40 MB.
Monthly System Backups â€“ assuming a 50% full database on a Dell R610 or IBM xSeries 3550 M4 (600 GB Disks)
Note: The backup gets roughly a 1:8 compression for the backup file.
Collector: 7 â€“ 10 GB
Aggregator: 16 â€“ 20 GB
Central Manager (no aggregation): << 1 GB
Results Archives
Depends on the number and frequency of audit processes implemented.
Control activity volume

Controlling the volume of activity monitored (on the database server) and logged (on the collector) helps to reduce network utilization; reduce the Guardium systemâ€™s
database disk consumption; and improves the overall capacity and performance of the IBM Security Guardium infrastructure.
This control is primarily achieved in the policy rules, and via the inspection engine configuration.
The following are general guidelines:
Avoid using port ranges in inspection engines
Identify all trusted applications and batch programs (these programs generally generate the bulk of the database activity) and if possible, ignore/skip their activity
by using the Ignore STAP Session or Skip Logging actions.
Unless necessary, avoid using the Log Full Details action.
If possible, use the Selective Audit policy (with the Ignore S-TAP session rules) to minimize network traffic.
If no extrusion rules are used, for example, result sets are not examined, consider using the Ignore Responses per Session action to eliminate result sets being sent
to the Guardium system.
Establish a process to periodically review and update policy rules, including groups, to accommodate new databases and applications.
Establish a process to periodically monitor SQL Errors and provide to the DBA and Application development teams for remediation.
Scheduling
The following tables provide a summary of the key schedules to be configured on your Guardium systems. Following the tables is a brief explanation of each process.
Use the Aggregation/Archive log to record the time and status of these processes to assist with adjusting your scheduling times.
The following table lists a schedule of tasks for a Guardium system that is deployed as a collector.
Function Schedule
Data export (to the Aggregators) Daily*: 12:30 AM
Data Archive and Purge Daily: 01:30 AM AND Purge for 15 days

Audit/Workflow jobs Daily: 03:00 AM (if standalone)
CSV/CEF export to the SCP/FTP Server Daily: 05:00 AM, if configured in the Audit jobs AND after the audit jobs complete.
Host name Aliasing Daily: 10:00 PM
Policy Reinstallation Daily: 11:00 PM
System Backups Monthly: First Sunday of each Month at 6:00 AM
The following table lists a schedule of tasks for a Guardium system that is deployed as an aggregator.
Function Schedule
Data Archive and Purge Daily: 4:00 AM AND Purge for 30 days
Data Import (from the Collectors) Daily 1:15 AM
Audit/Workflow jobs Daily: 03:30 AM
CSV/CEF export to the SCP/FTP Server Daily: 05:15 AM, if configured in the Audit jobs AND after the audit jobs complete.
Hostname Aliasing Daily: 10:00 PM
System Backups Monthly: First Sunday of each Month at 7:00 AM

Note: Avoid scheduling before 12:15 a.m. to avoid any conflicts with the internal start-of-day processing on each Guardium system.
The daily Data Archive should be set to Archive data older than 1-Day and Ignore data older than 2-days. The first run archives all data in the database and subsequent
processes will only archive yesterday's data.
The amount of data kept online is constrained by the size of the database on each Guardium system, so the Purge process helps to manage how much data is kept online,
and it works with the Daily Archive. Guardium recommends keeping the minimum amount of data necessary to avoid filling up the database and help with database
performance.
For collectors, Guardium recommends 15 days for the collector and 30 days for the aggregator. The actual length, however, depends on how much data is recorded (for
example, numbers of S-TAPS, policy rules, and collectors).
Data Export and Import
The previous dayâ€™s logged activities are exported daily (a push process) from the collectors to their assigned aggregators for aggregated-reporting. This activity is the
counterpart to the Data Import on the aggregator.
Note: For convenience, purge can be configured on either the Archive or Export setup screens.
The Data Import process is scheduled only on an aggregator. It imports and processes the previous dayâ€™s data exported from the collectors.
Monthly Backups
As noted previously, the system backups are full backups and used for disaster recovery. Here is an example of the monthly schedule for the first Sunday of each month
starting at 6:00 AM.
Exporting Results (CSV, CEF, PDF)

CSV, CEF, and PDF files can be created by workflow processes. This function exports all such files that are on the Guardium system.
CEF/CSV files that are created by workflow processes can also be written to syslog. When that happens, those files are not available to be exported by the means
described here. Those files should be accessed from syslog by other means.
To export CSV, CEF, and PDF files:
1. Open the Results Export (files) by clicking Manage > Data Management > Results Export (Files).
2. Choose an option from the Protocols radio buttons: SCP, FTP, Amazon S3, or Softlayer.
3. For Host, enter the IP address or DNS host name of the host to receive the files.
4. For Directory, identify the directory in which the data is to be stored. How you specify this directory depends on the protocol you selected.
For FTP: Specify the directory relative to the FTP account home directory.
5. Change the Port that can be used to send files over SCP and FTP. The default port for SSH, FTP, and SFTP is 22. The default port for FTP is 21.
6. For Username and Password, enter the credentials for the user logging in to the host machine. This user must have write/execute permissions for the directory that
is specified in the Directory field.
8. Click Save to save the configuration. The system attempts to verify the configuration by sending a test data file to that location. If the operation fails, it displays an
error message.
10. To verify that files have been exported, check the Aggregation/Archive Log. There should be a Send activity for each CSV or CEF file exported.
To define a default separator, open the Global Profile by clicking Setup > Tools and Views > Global Profile.
To enter a label to be included in all file names, go to Tools > Audit Process Builder.
Note:
The Syslog maximum message size is 4000. CSV results are truncated if they exceed this limit.
Set the encoding to UTF-8 no matter what application is used to read .CSV files. Excel defaults to a different character set and can corrupt the .CSV files. Also, when using
Excel, import the .CSV file and select UTF-8 encoding instead of just opening the file and having Excel launch based on file association.

If you have multiple systems with identical or similar requirements, and are not using Central Management, you can define the components that you need on one system
and export those definitions to other systems, provided those systems are on the same software release level.
You can export one type of definition (reports, for example) at a time. Each element that is exported can cause other referenced definitions to be exported as well. For
example, a report is always based on a query, and it can also reference other items, such as IP address groups or time periods. All referenced definitions (except for
security roles) are exported along with the report definition. However, only one copy of a definition is exported if that definition is referenced in multiple exported items. An
export of policies or queries exports only the groups that are referenced by the exported policies or queries. Previously an export of policies or queries would export all
groups.
Export and Import Definitions are used to save and then restore functional data from a given Guardium system. For example, this function enables you to create a
report on one Guardium system and then import that same report onto another server with the same Guardium installed version.
Note: This function is not the same as a full backup of the server. Backups should still be defined and run on a scheduled or manual basis.
Export Definitions - Are used to save and share defined functional values such as Reports/Queries, CAS data, Classifier Data, and so on. The export types are saved
onto your PC as a .sql file type.
Import Definitions - This function is used to import the exported definitions onto servers that use the SAME Guardium Software version. For example, if you export
definitions from a Guardium V10 system, then you can import those definitions only onto another V10 system.
Note:
When you export graphical reports, the presentation parameter settings (colors, fonts, titles, and so on) are not exported. When imported, these reports use the
default presentation parameter settings for the importing system.
Subscribed groups are not exported. When you export definitions that reference subscribed groups, the user must ensure that all referenced subscribed groups are
installed on the importing appliance (or Central Manager in a federated environment).
The logs of Export/Import Definitions have the same retention period than the monitored database activity logs.
Comments are not included in export.
When audit process definitions of scheduled runs (including schedule time) are exported to another system, the ACTIVE check box in Audit Process Builder is not
checked (INACTIVE).
Schedule Start Time of an audit process defined on one appliance and exported to another (unrelated) appliance - In the case that the original schedule start time is
defined, it is retained. If the original schedule start time is not defined (empty), then the imported schedule start time is set to the time it was imported.
When you export a datasource with an open source driver, the open source driver is not included in the export. The user needs to first upload the open source driver
into the new system before importing the datasource definition that was created using it, otherwise the data direct driver will be substituted for the open source
driver when it is imported.
Large complex imports can take a very long time and can exceed the length of the user's session. If this happens and the session times out, the import continues to
run in the background until it completes.
When you export the definition of classifier policies - any custom evaluation classes associated with the policies are not exported with the definition. For the
imported policies to work custom evaluation classes must be uploaded separately.
Exporting/Importing definitions between different languages does not work. For example, trying to export a file from a GuardiumÂ® system with a language of
Simplified Chinese and import that file to a Guardium system of English will not be successful.
Export to XACML Protocol

Guardium supports export of Policy Rules to a XACML file, and import of XACML files to another Guardium system.
The XACML (eXtensible Access Control Markup Language) is a declarative access control policy language that is implemented in XML and a processing model, describing
how to interpret the policies.
The export/Import to standard XACML is used as a bidirectional interface to transfer policies rules between Optim Designer and Guardium.
Optim Designer can convert data values for various purposes and through various means. In the core Optim runtime (z/OS and Distributed) this is achieved through the
invocation of data privacy functions that are declared within column maps. In Optim Privacy this is specified, by the user, as the application of a data privacy policy on an
attribute, referenced by an entity within a data access plan.
Customers who bought both products, Optim Privacy and Guardium, will be able to Export to XACML the policies and privacy information from one product and Import to
the other product.
Note: XACML imports from previous versions of Guardium are not supported.
To export Guardium policies to XACML, follow these steps:
1. Click Manage > Data Management > Export.

2. Select Policy from the Type menu.
3. Check the Export to XACML File check box.
4. Select definitions from the Definitions to Export menu.
5. Click Export.
To Import an XACML file from another Guardium system or Optim Privacy, open the Definitions Import by clicking Manage > Data Management > Import.
Importing Groups
When you import a group that already exists, members may be added, but no members will be deleted.
Importing Aliases
When you import aliases, new aliases may be added, but no aliases will be deleted.
Ownership of Imported Definitions

When a definition is created, the user who creates it is saved as the owner of that definition. The significance of this is that if no security roles are assigned to that
definition, only the owner and the admin user have access to it.

When a definition is imported, the owner is always changed to admin.
Roles for Imported Definitions

References to security roles are removed from exported definitions. So any imported definitions will have no roles assigned.
Users for Imported Definitions

A reference to a user in an exported definition causes the user definition to be exported. When definitions are imported, the referenced user definitions are imported only
if they do not exist on the importing system. In other words, existing user definitions are never overwritten. This has several implications, as described in Duplicate Role
and User Implications.
In addition, imported user definitions are disabled. This means that imported users can receive email notifications that are sent from the importing system, but they are
not able to log in to that system, unless and until the administrator enables that account.
Duplicate Group and User Implications

If a group that is referenced by an exported definition exists on the importing system, the definition of that group from the exporting system will not be not imported. This
may create some confusion if the group is not used for the same purposes on both systems.
If a user definition exists on the importing system, it may not be for the same person that is defined on the exporting system. For example, assume that on the exporting
system the user jdoe with the email address john_doe@aaa.com is a recipient of output from an exported alert. Assume also that on the importing system, the jdoe user
already exists for a person with the email address jane_doe@zzz.com. The exported user definition is not imported, and when the imported alert is triggered, email is sent
to the jane_doe@zzz,.com address. In either case, when security roles or user definitions are not imported, check the definitions on both systems to see if there are
differences. If so, make the appropriate adjustments to those definitions.
Definition Types for Exporting
Table 1. Definition Types for Exporting

Can Be Exported Cannot be Exported
Alert Custom Alerting Class
A check box in the Definitions export screen will Exclude group members. See description in Group line item.
Alias Custom Assessment Test
Audit Process Custom Identification Procedure
Auto-discovery Process Â
CAS Hosts Â
CAS Template Sets Â
Classification Process Access Rule
Classifier Policy Â
Custom Class Connection Permission Â
Custom Domain Â
Custom Table Â
Datasource Â
Event Type Â
Group Â A check box in the Definitions export screen will Exclude group members. This check box is visible only for
data sets that have groups somewhere in the export hierarchy (for example, export of an alert includes also
the query of the alert and the query might include groups in the query conditions). If the export of
datasource does not include groups, the checkbox is not visible. When that checkbox is set, the export file
includes groups (if groups are linked to the exported definition) but members of the groups are not exported.
The checkbox is not set by default, its state is not persistent, and only applies to the current export.
Named Template Â
Period (time period) Â
Policy (but not an included Baseline) Â
Privacy Set Â
Query Â
Replay Â
Report A check box in the Definitions export screen will Exclude group members. See description in Group line item.
Â
Role Â
Security Assessment Â
User Â
Users database mapping Â
Users database permission Â
Users Hierarchy Â

Export Definitions
1. Open the Definitions Export pane by clicking Manage > Data Management > Export.
2. Select an option from the Type menu. The Definitions to Export menu will be populated with definitions of the selected type.
3. Select all of the definitions of this type to be exported.
Note: Do not export a Policy definition whose name contains one or more quote characters. That definition can be exported, but it cannot be imported. To export
such a definition, make a clone of it, naming the clone without using any quote characters, and export the clone.
4. Click Export. Depending on your browser security settings, you may receive a warning message asking if you want to save the file or to open it using an editor.
5. Save the exported file in an appropriate location.
Import Definitions
1. Open the Definitions Import pane by clicking Manage > Data Management > Import.
2. Click Browse to locate and select the file.
3. Click Upload. You are notified when the operation completes and the definitions contained in the file are displayed. Repeat to upload additional files.
4. Use the Fully synchronize group members checkbox to set the behavior of how to add new group members imported directly or via other datasets such as queries
or policies. If not checked, new members that are in the import are added, but members not in the import are not removed. If checked, then group members not in
the import are removed. Use the Set as default button next to the checkbox to save the checkbox setting.
5. Click Import this set of Definitions to import a set of definitions, or click Remove this set of Definitions without Importing to remove the uploaded file without
importing the definitions.
6. You will be prompted to confirm either action.
Note: An import operation does not overwrite an existing definition. If you attempt to import a definition with the same name as an existing definition, you are
notified that the item was not replaced. If you want to overwrite an existing definition with an imported one, you must delete the existing definition before
performing the import operation.
Distributed Interface
Use this configuration screen to define the Distributed Interface and upload the Protocol Buffer (.proto) file to the DIST_INT database.
From this database, Query Domain metadata is built automatically. After the metadata is built, the user can go to the Custom Domain Builder to modify or clone the data
and build custom reports. The distributed interface data uses protocol buffers. Protocol buffers are a flexible, efficient, and automated mechanism for serializing
structured data.
For Universal Feed type 3, upload the protocol definition file for configuration of DIST_INT database by clicking Manage > Data Management > Distributed Interface.
Note: Click Maintenance to manage the table engine type and table index. The table engine types for universal feed tables (InnoDB and MyISAM) will appear for all
universal feed tables as the data stored on the Guardium internal database is MYSQL-based. See External Data Correlation for further information on InnoDB and MyISAM
maintenance.
Configure the Distributed Interface

1. Open the Distributed Interface Finder by clicking Manage > Data Management > Distributed Interface.
2. Click New to create a new Distributed Interface, or select an existing Distributed Interface from the Distributed Interface Finder and click Modify or Delete.
3. For Vendor ID, enter the ID of the vendor (for example, 20000).
4. For Domain name, enter the name of the domain that will be selectable from Custom Domain Builder.
5. Check the Included in aggregation
6. For File Name, click Browse to select a file.
7. Click Apply to save this configuration.
8. Build a custom report in the Custom Domain Builder. Open the Custom Domain Builder by clicking Setup > Tools & Views > Custom Domain Builder.
Example of a .proto file

package bim;
option java_package = "com.ibm.infosphere.bim.proto";
option java_outer_classname = "BimEvent";
// NOTE: AssetID and Property_type (== Property name!) are strings.
// For AssetID , it is safest to use a UUID since it provides world-wide unique ID.
// This will be the key to the table of current metrics and property values.
// per each asset, per each property , there will be one value (recent, or min, or max,etc)
message EventTypeID {
required string eventType = 1; //e.g. Schema change
}
message AssetID {
required string assetId = 1;
}
message InfoPropertyID {
required string propertyName = 2;
}
message MetricPropertyID {
}
message AssetRelationID {
// These are asset "native" ids
required string sourceAssetId = 1;
required string targetAssetId = 2;
}
message RelationPropertyID {
required string assetRelationId = 1;
}

message Event {
optional InnerEvent innerEvent = 1;
}
message InnerEvent {
// Common for all events
optional EventTypeID eventTypeId = 1;
optional string description = 2;
optional string time = 3;
optional string agentId = 4;
// Event can be for asset info, or metric property
optional AssetInfoEvent assetInfoEvent = 5;
optional MetricPropertyEvent metricPropertyEvent = 6;
optional AssetRelationEvent relationEvent = 7;
optional RuleEvent ruleEvent = 8;
}
message AssetInfoEvent {
optional AssetID unique_key__ = 1;
optional string assetType = 2;
optional string assetName = 3;
optional string gdm_server_ip = 4;
optional string gdm_service_name = 5;
repeated InfoProperty property = 6;
}
message InfoProperty {
optional InfoPropertyID unique_key__ = 1;
optional string value = 2;
}
message MetricPropertyEvent {
optional AssetID assetId = 1;
repeated MetricProperty property = 2;
}
message MetricProperty {
optional MetricPropertyID unique_key__ = 1;
optional string stringValue = 3;
optional double doubleValue = 4;
enum Data_type {
DOUBLE = 1;
LONG = 2;
INT = 3;
FLOAT = 4;
DATE = 5;
BOOLEAN = 6; // convention is to store it
as 0 and 1 in the double_value
STRING = 7; // stored in string_value
}
optional Data_type dataType = 5;
optional string unit = 6; // unit for the value
}
message AssetRelationEvent {
optional AssetRelationID unique_key__ = 1;
required string relationshipType = 2;
repeated RelationshipProperty property = 3;
optional bool deleted = 4;
}
message RelationshipProperty {
optional RelationPropertyID unique_key__ = 1;
optional string value = 2;
}
message RuleEvent {
optional string ruleName = 1;
optional bool enabled = 2;
}
// --- Metadata --- All unique identifier must be defined here
message Identifier {
optional InfoPropertyID infoPropertyId = 1;
optional MetricPropertyID metricPropertyId = 2;
optional AssetRelationID assetRelationId = 4;
optional RelationPropertyID relationshipPropertyId = 5;
}
Manage Custom Classes

Upload and maintain custom classes used in alerts or evaluations. Manage custom classes by clicking Setup > Custom Classes.
After you compile a class, it must be uploaded to the GuardiumÂ® system.
Uploading a Custom Class

1. You can upload a custom class for alerts or evaluations. Upload a custom class by clicking Setup > Custom Classes, then either Alerts > Upload or Evaluations >
Upload
2. Enter a description for the custom class.
3. Click Browse to locate and select the class file that you want to upload.
4. Click Apply.
Updating a Custom Class

1. Select Setup > Custom Classes, then either Alerts > Update or Evaluations > Update.
2. Select the description of the class to be updated.
3. Click Browse to locate and select the class file that is to be used for the update.
4. Click Apply.
Deleting a Custom Class

1. Select Setup, then either Alerts > Delete or Evaluations > Delete
2. Select the description of the class to be deleted.
Note: You cannot remove a class that is in use by some other component (the installed policy, for example).
3. Click Delete.
SSH Public Keys

Use this information to create, modify or remove an SSH Public Key.
1. Click Manage > Activity Monitoring > SSH Public Key Management, and do one of the following:
To create a key, click New.
To generate a key, click Generate.
To modify a key, select it from the list and click Modify.
To remove a key, select it from the list and click Remove.
2. Fill in the appropriate information on the SSH Public Key Edit panel and click Apply to save.
How to install an appliance certificate to avoid a browser SSL certificate challenge

Use IBM Security Guardium CLI commands to create a certificate signing request (CSR), and to install server, certificate authority (CA), or trusted path certificates on your
GuardiumÂ® system.
About this task

Eliminate the Certificate Error warning screens saying:
There is a problem with this website's security certificate. The security certificate presented by this website was issued for a
different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to
the server.
See Certificate CLI Commands for more information on all the certificate commands.
Note: One prerequisite is that you must provide a public certificate from a CA you will be using to sign your certificates (Verisign, Thwate, Geotrust, GoDaddy, Comodo,
within-your-company, etc).
Note: Guardium does not provide CA services and will not ship systems with different certificates than the one installed by default. A customer that wants their own
certificate will need to contact a third-party CA.
Note: If the certificate is not self-signed, you MUST obtain also the public certificate for each signer up to the lowest level (for example, the certificate that is self-signed).
You can use the command, openssl x509 -in t.pem -text -noout, to show contents of a x509 certificate.
Procedure
1. Have available the public certificate from the CA (Certificate Authority) you will be using to sign your certificates (from Verisign, Thwate, Geotrust, GoDaddy,
Comodo, in-house, etc).
2. Log into the CLI on the individual Guardium system you wish to have a signed certificate on.
Before executing the command, obtain the appropriate certificate (in PEM format, not binary format) from your CA, and copy the certificate, including the Begin and
End lines, to your clipboard.
3. Enter the command, store certificate keystore. The following prompt will be displayed:
What is a one-word alias we can use to uniquely identify this certificate?
Enter a one-word name for the certificate and press Enter.
The following instructions will be displayed:
Please paste your CA certificate, in PEM format. Include the BEGIN and END lines, and then press CTRL-D.
Paste the PEM-format certificate to the command line, then press CRTL-D. You will be informed of the success or failure of the store operation.
Now the CA you will sign with is set as trusted on the Guardium system.
4. Next, from the CLI command prompt, type: create csr gui.
Fill in the requested information. If the CN (common name) of the certificate is not set to the hostname.domain of the box, certificate errors from the browser will
result.
There are no parameters, but you will be prompted to supply the organizational unit (OU), country code (C), and so forth. Be sure to enter this information correctly.
The last prompt is as follows:
What encryption algorithm should be used (1=DSA or 2=RSA)?
DSA, or the Digital Signature Algorithm, is a federal information processing standard (FIPS) for digital signatures. RSA is a public-key cryptosystem that involves key
generation, encryption, and decryption. The default encryption algorithm is RSA.

After you respond to the last prompt, the system displays a description of the request, followed by the request itself, and followed finally by additional instructions.
For example:
This is the generated CSR: Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=MA, L=Littleton, O=XYZCorp,
OU=Accounting, CN=g2.xyz.com -----BEGIN NEW CERTIFICATE REQUEST-----
MIICWjCCAhcCAQAwVDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB1dhbHRoYW0xETAPBgNVBAoTCEd1
YXJkaXVtMRUwEwYDVQQLEwxndWFyZGl1bS5jb20xCTAHBgNVBAMTADCCAbgwggEsBgcqhkjOOAQB
MIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2
y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQT
WhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3e
y7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8
FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
TDv+z0kqA4GFAAKBgQCONsEB4g4/limbHkuZ5YnLn9CGM3a2evEnqjXZts4itxeTYwPQvdkjdSmQ
kaQlBxmNUsZOJZrq5nC5Cg3X9spa+BzFr+PgR/5zka17nHcxKXCjVjLk451L67KllXv61TUfv/bU
PKmiaGKDttsP2ktG4dBFXQdICJEGo0aNFCYn6qAAMAsGByqGSM44BAMFAAMwADAtAhUAhHTY5z9X NiBAuyAC9PS4GzleYakCFF2kcfxfjX1BFy5I228XWMAU0N95
-----END NEW CERTIFICATE REQUEST-----
Note: For Common Name, use hostname in FQDN format (fully qualified domain name). But if you connect to the GUI normally using the short hostname (for
example, system1) instead of FDQN (system1.us.ibm.com), you will get a certificate error "Address Mismatch" you will either have to change the CN=system1 or
connect with https://system1.us.ibm.com:8443/sqlguard to make use of the certificate.
Note: Country Code must be 2 letters.
Note: Keysize can be 1024 or 2048.
5. Copy and paste the generated hash from ---Begin CSR---- to ---End CSR--- into a text document. Now send this off to your CA for them to return the signed key.
Before continuing, check the Subject line to verify that you have entered your company information correctly. From this point forward, use whatever procedure you
would normally use to obtain a server certificate from your CA.
Note: â€¢ When submitting the request to your CA make sure you request the certificate to be in PKCS#7 PEM format.
6. The CA signs the CSR and sends you back your signed key.
7. Now, go back to the CLI prompt on the Guardium system and have the signed key from the CA handy. Type the following: store certificate gui.
Enter the command exactly as shown. You will receive the following information and prompt:
Please paste your new server certificate, in PEM format.
Include the BEGIN and END lines, and then press CTRL-D.
Paste the PEM-format certificate to the command line, then press CRTL-D. You will be informed of the success or failure of the store operation.
-----BEGIN CERTIFICATE----- MIIDvTCCAqegAwIBAgIBATALBgkqhkiG9w0BAQUwcjELMAkGA1UEBhMCVVMxEzAR

BgNVBAgTCldhc2hpbmd0b24xDzANBgNVBAcTBllha2ltYTEMMAoGA1UEChMDSUJN
MRUwEwYDVQQLEwxHdWFyZGl1bURlbW8xGDAWBgNVBAMTD0d1YXJkaXVtRGVtb19D
QTAeFw0xMTAzMjUxNTM1MTRaFw02OTEyMzEyMzU5NTlaMHIxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpXYXNoaW5ndG9uMQ8wDQYDVQQHEwZZYWtpbWExDDAKBgNVBAoT
A0lCTTEVMBMGA1UECxMMR3VhcmRpdW1EZW1vMRgwFgYDVQQDEw9HdWFyZGl1bURl
bW9fQ0EwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIBCgKCAQEAw08aZVJNdnC69LR6
YtvHO+KbsqA89vCezLw7xmEa7F6+io0NofIFX7b7FvSkxzx1SO4eStaQSTDBxOGk
mqK2vk3VeJk9+lItofUuQXl1CZ1R4wQPMRfaWgELt+t94XB3Y1zmI68vwfr1fB32
u3Yjpt4aq27sTMrjEqZIyDqQ7hQ1tpMtoBUqNi54wN+OJjhtpNYDAkCHs+3NPqXE
6HeL7W5X6PJ+YCyyZiXeqQ+T8qdpH0KDVJGJLGX1YC+0WnQz/S2kaaRfxe6Nhe6q
YeYaD09tlWkVrZQm8a76SDULjzjrQ4wNoTJu17JQk7Uc835RE/bF5WMsaN5HGs3s
9zP3uwIDAQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBgAw
HQYDVR0OBBYEFINmKThm8tA+Z8cyFC7MOZ7v398SMB8GA1UdIwQYMBaAFINmKThm
8tA+Z8cyFC7MOZ7v398SMAsGCSqGSIb3DQEBBQOCAQEAcXttcJwy1aowq9wtJksK
q6n6laEFR38i+pLJ6kArjoJGP5WxFdaYcDQr5cAw2Q6YFZvQGaYAqiSS6ezF20PT
3BrrP+Mg/SK8jgPvM0ekodmpr385iQqSDneTTwPPrIaQBrrtb2510wHSEyiVcRRI
4vn3ktVahjiSMD92bfmZilPYQ51pD0jFgGFFRvekulPWGWv7iuCT+alCM99/76xR
uWrRc7cxypfxK1yymptizZVrxLHS47VVoXzmZ7yO3kfhhdZbBmoXg1MDM82rVdnp
WVQdlSasn8deHaVG//RsCrWx4PxN8TVIDGbfh0nWRYU4zPORvWst3fa+h9B2W55z /A== -----END CERTIFICATE-----
8. For the final step, restart the UI using the command restart gui.
You have now successfully installed one certificate for one Guardium unit. Repeat the steps for every Guardium system on-site.
Self Monitoring
The Guardium solution monitors itself to minimize disruptions and correct problems automatically whenever possible.
Guardium uses a three-pronged approach to ensuring that it is available, functioning properly, has not been tampered with, and alerts users of problems:
Reports - Whether textual or graphical, reports are at the core of the GuardiumÂ® solution. By using Guardiumâ€™s Query Builder and Report Builder, a user can
effectively report on any of the self-monitoring data collected through associated domains and entities. Many of the predefined reports can be enhanced through
more detailed effort to provide higher levels of granularity. A specific query builder has been created (VA Test Tracking) to report on tests that are available for
security assessments.
Alerts - In addition to building reports, a user can define an alert against those reports through defined thresholds--indicating an exception or policy rule violation.
These alerts can either be real-time or determined through historical analysis. These alerts can then trigger notification to users through SMTP, SNMP, syslog, or a
custom Javaâ„¢ class.
Self-Monitoring Utility - Guardium has implemented an internal self-monitoring demon (always running) service utility on collectors and aggregators that wakes up
every 5 minutes and does system scan, checking components for optimal configuration, operational effectiveness, and repairs when necessary. For example if the
utility finds the Web Server down, it will first validate a complete shutdown of the service, restart the service, and then alerts an administrative user.
Components Monitored
Table 1. Components monitored

Components How to access

System Manage > System View > System Monitor
Disk space(%full) Alert: You can use the Queries and Correlation Alerts, utilizing the Sniffer Buffer domain and Sniffer Buffer
Usage entity to create alerts
CPU Load Reports > Guardium Operational Reports > Buff Usage Monitor
Uptime and Reboots Alert: You can use the Queries and Correlation Alerts, utilizing the Sniffer Buffer domain and Sniffer Buffer
Memory Usage
Monitoring Engine (sniffer) - Status:

up/down/stuck/overloaded
CPU Usage
Memory Usage
Overload and delays (queues)
Failed Logins Manage > System View > System Monitor.
Alert: You can use the Queries and Correlation Alerts, utilizing the Guardium Login domain and Guardium
Users Login entity to create alerts
Lost requests Manage > Reports > Activity Monitoring > Dropped Requests
Alert: You can use the Queries and Correlation Alerts, utilizing the Exceptions domain and Exceptions
entity to create alerts
Change in data patterns Reports >Real-time Operational Reports > Values Changed Alert: See Viewing an Audit Process Definition
for alert: Data Source Changes - alert on any data source changes
Packets rates Reports >Guardium Operational Reports > Buffer Usage Monitor
Request rates Alert: You can use the Queries and Correlation Alerts, utilizing the Sniffer Buffer domain and Sniffer Buffer
Ignored data
Scheduled Jobs Exceptions Reports >Guardium Operational Reports > Scheduled Job Exceptions, or See Predefined admin Reports:
Alert: You can use the Queries and Correlation Alerts, utilizing the Exceptions domain and Exception Type
entity to create alerts.
Audit processes status Reports >Guardium Operational Reports > Number of Active Audit Processes, or See Predefined admin
Reports.
Alert: You can use the Queries and Correlation Alerts, utilizing the Audit Process domain and Audit Process
entity to create alerts
Inspection Engine Changes Reports >Activity Monitoring > S-TAP Configuration Change History
Alert: See Viewing an Audit Process Definition for alert: Inspection Engines and S-TAP - alert on any
activity related to inspection engine and S-TAP configuration
Guardium Users Activity - Login/logout Reports >Guardium Operational Reports > Logins to Guardium, or See Predefined admin Reports
Alert: You can use the Queries and Correlation Alerts, utilizing the Guardium Login domain and SQL Guard
Login entity to create alerts
Failed Logins Reports >Guardium Operational Reports > Logins to Guardium, or See Predefined admin Reports
Alert: See Viewing an Audit Process Definition for alert: Failed Logins To Guardium - alert if have more than
5 failed logins in the last 11 minutes, or Select Tools > Report Building > drop-down Report Title:
Guardium Logins, See Reports for additional information
User Activity Audit Trail Reports >Guardium Operational Reports > User Activity Audit Trail, or See Predefined admin Reports
Alert: You can use the Queries and Correlation Alerts, utilizing the Guardium Activity domain and SQL
Guard User Activity Audit entity to create alerts
Note: User activity includes those instances where a user changes to the root shell -- providing a log of
their root activity.
Creation/Deletion of Users/Roles Reports >Guardium Operational Reports > User Activity Audit Trail, or See Predefined admin Reports
Alert: See Viewing an Audit Process Definition for alert: Guardium - Add/Remove Users - alert on any
Addition or Removal of Guardium User
Permissions monitoring Reports >Guardium Operational Reports > Guardium Users, Guardium Roles, or Guardium Applications
Alert: You can use the Queries and Correlation Alerts, utilizing the Application domain and Application
Data entity to create alerts

S-TAPÂ® Info (Central Manager) Report: See S-TAP Reports. On a Central Manager, an additional report, S-TAP Info, is available. This report
monitors S-TAPs of the entire environment. Upload this data using the Custom Table Builder. This report is
the result of uploading data using remote sources on a Central Manager and using that data to see a
consolidated view of S-TAPs.
S-TAP info is a predefined custom domain which contains the S-TAP Info entity and is not modifiable like
the entitlement domain.
Guardium nanny process

The Guardium nanny is an internal process that monitors the system's critical resources and then alert when potential problems are emerging. Nanny alerts go to syslog,
can be forwarded and sent as emails to the administrator, and in some cases take remedial actions.
The nanny watches key components and critical resources within the Guardium systemâ€”guaranteeing their availability and reliability. These resources and components
include:
Web service monitoring - service port (default 8443) not responding or tomcat service is not up
syslog message
mail admin
will issue restarts of the web service
Inspection Engine activity - snif overloaded, not responding, or failure
syslog message
mail admin
mail guardium support (optional)
will try and fix by restarting the snif under certain conditions
will try and respawn snif if process dies
Diskspace utilization - alerts when > 75% on the critical partitions
syslog message
alert admin
will perform preventive action by cleaning temporary files when over 95% Â
Failed login (ssh) to the appliance - checks for ssh daemon's messages and alerts on failed ssh login attempts
mail admin Â (it's already in syslog)
Monitor internal database (TURBINE) - verify service is up, status, and capacity utilization monitoring
syslog message
mail admin
restart service
File System utilization - every five minutes, Nanny.pl checks file system at /var, warning alert when > 75% in the /var directory, critical alert and services stopped
when >90% in /var directory
syslog message
alert admin
Admin clean-up required, using CLI commands: show filesystem usage, clear filesystem dir, and restart stopped_services
How to monitor the Guardium system via alerts

Monitor the capacity, performance and availability of the IBM Security Guardium system using a combination of built-in and custom correlation alerts.
Monitoring with SNMP
There is an SNMP agent installed on Guardium systems, and read-only access is provided using the SNMP community name of guardiumsnmp.
Running Query Monitor
The Running Query Monitor displays the status of active user queries, and enables you to set a timeout value for all Report/Monitor queries.
How to monitor the Guardium system via alerts

Monitor the capacity, performance and availability of the IBM Security Guardium system using a combination of built-in and custom correlation alerts.
Alert users to issues that may affect system performance, such as: CPU utilization, database disk space, inactive STAPs, and no traffic situations.
The Sniffer Buffer Usage domain is the basis for most of the following alerts.
Sniffer Restart Alert

An alert will be sent if the sniffer on a collector has restarted at least three times an hour.
Create a Query using the Sniffer Buffer Usage domain with the columns and Fields as shown â€“ there are no conditions.
This is an example of the output from the Query:

Define the alert.
High CPU Utilization

Using the Enterprise Buffer Usage domain, create an alert to monitor system CPU utilization. Here is an example of a query for CPU utilization which exceeds 75%.
The alert will then be setup to fire only if the utilization is exceeded for 360 times in a 24-hour period, for example, 25% of the day.
Note: The Sniffer buffer usage domain is populated once a minute, so there are 1440 entries in a 24-hour period.
To define the alert, click Protect > Database Intrusion Detectioin > Alert Builder..

Database Disk Space Alerts
Use the Query Builder to Build two reports (they are similar) and two alerts â€“ one for the collector and the other for the aggregator since the database size is fixed on the
collector but dynamic on the aggregator (up to the size of the var partition).
Aggregator Disk Space Alert
1. Create a new Query with Sniffer Buffer Usage as the main entity.
2. Configure the fields and conditions.
1. Setup a new alert in the Alert Builder. Open the Alert Builder by clicking Protect > Database Intrusion Detection > Alert Builder.
Collector Disk Space Alert
Repeat the previous steps to create an alert for monitoring disk space on the collectors.
1. Create a Query.
1. Use the Alert Builder to set up a new alert.

Data Import, Merge (Aggregation), Archive or Backup Failure Alerts
This is a built-in alert and must be activated and scheduled.
Inactive S-TAP Alerts

This is a built-in alert and needs to be activated and scheduled.
For STAPs configured with a primary and secondary collector, if the STAP cannot communicate with the primary (for example, due to network issues), it will failover to the
secondary. Unless the former-primary collector is able to ping the STAP, it will then generate an inactive STAP alert.
Note: STAPs in a cluster configuration can generate false alerts if misconfigured.
No Traffic Alerts
This is a built-in alert and needs to be activated and scheduled.
This alert checks for traffic from an active inspection engine, from which the collector previously received traffic, AND for traffic that is processed by the policy. If both
conditions are not satisfied within 48 hours, an alert will be generated.
Application Monitoring via Ad-hoc Reports

As a general rule, avoid invoking ad-hoc queries/reports on the collector with time spans > 1 hour. Large/long running queries should be invoked on the aggregator and are
best scheduled using the Audit Process.
The following two reports should be scheduled, from the Central Manager, to run weekly on each collector.
Note: These reports also need to be scheduled individually on EACH aggregator.
Custom Sniffer Buffer Usage Report
Using the Sniffer Buffer Usage domain, create a report with the following fields:

STAP Status Report
This report displays the key parameters for ALL STAPs and inspection engines for a given collector. The report cannot be modified but can be run on each collector, or from
the Central Manager pointing to each collector in turn, or scheduled via the Audit process on each collector.
Parent topic: Self Monitoring
Monitoring with SNMP

There is an SNMP agent installed on GuardiumÂ® systems, and read-only access is provided using the SNMP community name of guardiumsnmp.
When querying, a value of -1 (minus one) indicates a NULL in the database. The table at the end of this section lists the available SNMP OIDs.
SNMP Examples
From a Unix session, you can display SQL Guard SNMP information using the snmpget or snmpwalk commands. (Use snmpget -h or snmpwalk -h to display command
syntax.) Various UI-based software packages are available for displaying SNMP information. Those alternatives are not described here.
Table 1. SNMP Examples

SNMP Examples
Disk space used and available:
> snmpget -v 2c -c guardiumsnmp a1.corp.com UCD-SNMP-MIB::dskAvail.1
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 1043856
> snmpget -v 2c -c guardiumsnmp a1.corp.com UCD-SNMP-MIB::dskUsed.1
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 914856
Â
To list total memory and used memory:
> snmpget -v 2c -c guardiumsnmp a1.corp.com
HOST-RESOURCES-MIB::hrStorageSize.101
HOST-RESOURCES-MIB::hrStorageSize.101 = INTEGER: 2067352
> snmpget -v 2c -c guardiumsnmp a1.corp.com HOST-RESOURCES-MIB::hrStorageUsed.101
HOST-RESOURCES-MIB::hrStorageUsed.101 = INTEGER: 1017548
Â
To list the available memory:
> snmpwalk -v 2c -c guardiumsnmp a1.corp.com memAvailReal
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 1049564
Â
To list values relating to cpu usage:
> snmpwalk -v 2c -c guardiumsnmp a1.corp.com ssCpuRawUser
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 89240
> snmpwalk -v 2c -c guardiumsnmp a1.corp.com ssCpuRawSystem
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 195310
> snmpwalk -v 2c -c guardiumsnmp a1.corp.com ssCpuRawNice

SNMP Examples
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 11
Note: Adding the RawUser, RawSystem, and RawNice numbers provides a good approximation of total CPU usage.
> snmpwalk -v 2c -c guardiumsnmp a1.corp.com ssCpuRawIdle
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 26734332
Â
Guardium SNMP OID

Table 2. Guardium SNMP OID
SNMP OID Description
.1.3.6.1.4.1.2021.9.1.7.1 Disk space available in / directory
UCD-SNMP-MIB::dskAvail.1 Â
.1.3.6.1.4.1.2021.9.1.7.2 Disk space available in /var directory
UCD-SNMP-MIB::dskAvail.2 Â
.1.3.6.1.4.1.2021.9.1.8.1 Disk space used in / directory
UCD-SNMP-MIB::dskUsed.1 Â
.1.3.6.1.4.1.2021.9.1.8.2 Disk space used in /var directory
UCD-SNMP-MIB::dskUsed.2 Â
.1.3.6.1.2.1.25.2.3.1.5.1 Total memory available
HOST-RESOURCES-MIB::hrStorageSize.1 Â
.1.3.6.1.2.1.25.2.3.1.6.1 Memory in use
HOST-RESOURCES-MIB::hrStorageUsed.1 Â
.1.3.6.1.4.1.2021.8.1.101.1 Open monitored session count
UCD-SNMP-MIB::extOutput.1 Â
.1.3.6.1.4.1.2021.8.1.101.2 Requests logged by the current sniffer process (set to zero for each restart)
.1.3.6.1.4.1.2021.8.1.101.3 Last session timestamp
.1.3.6.1.4.1.2021.8.1.101.4 Last construct timestamp
.1.3.6.1.4.1.2021.8.1.101.5 Memory used by the sniffer process
.1.3.6.1.4.1.2021.8.1.101.7 Packets in on ETH1/ out on ETH2; usually only one number (inbound) when a SPAN port or TAP is used
Other MIBs accessible in the machine are: SNMPv2-MIB, IF-MIB, RFC1213-MIB, and HOST-RESOURCES-MIB.
Running Query Monitor

The Running Query Monitor displays the status of active user queries, and enables you to set a timeout value for all Report/Monitor queries.
Open the Running Query Monitor by clicking Manage > Activity Monitoring > Running Query Monitor.
From the Running Query Monitor, you can:
Set the query timeout for all reports and monitors that are running in a portlet. Other query processes, such as policy simulations, audit processes, and internal
processes are not affected by this timeout value. The default is 180 seconds (3 minutes).
Kill any currently running user query. Some queries that are listed in this panelâ€“audit processes, for exampleâ€“can exceed the query timeout specified. That is
expected, because the Report/Monitor query timeout applies only to reports and monitors running in a portlet.
We do not recommend setting the Query Timeout higher than the default setting (180 seconds) for an extended time. If you set this limit higher, it increases the chances of
overloading the system with ad-hoc reporting activity.

To change the timeout setting, type a number of seconds in the Report/Monitor Query Timeout (seconds), and click Update. You will be informed when the update finishes.
Groups
Using groups makes it easy to create and manage classifier, policy and query definitions, as well as roll out updates to your S-TAP's and GIM clients. Rather than having to
repeatedly define a group of data objects for an access policy, put the objects into a group to easily manage them.
Groups Overview
Group together similar data objects and use them in creating query, policy, and classification definitions. Use one of the many predefined groups, or create your own
group using the Group Builder.
Using the group builder
The group builder provides at-a-glance information about group membership and use and several convenient methods for populating groups.
Using the group builder (legacy)
Using groups in queries and policies
Short overview of conditional operators for queries and where to use groups in policies.
Example: Using groups to create rules and policies
Use groups to quickly specify rule conditions in a policy.
Predefined Groups
This section details the predefined groups in GuardiumÂ®.
Groups Overview
Group together similar data objects and use them in creating query, policy, and classification definitions. Use one of the many predefined groups, or create your own group
using the Group Builder.
There are many places where groups are practical to use. By grouping together similar data objects, you can use the whole set of objects in policies, classifications,
queries, and reports, rather than having to select multiple data objects individually.
If you need to make changes to a query or policy, rather than applying those changes to each individual object, you can apply those changes to the group.
S-TAPs and GIM also use groups to make it easier to roll out updates across managed servers.
Group Builder
The Group Builder allows you to create a new group or modify an existing group from the user interface.
Open the Group Builder by clicking Setup > Group Builder.
The Group Filter screen allows you to easily sort through groups based on application type, group type, description or category.
Types of groups
The field Group Type refers to the type of data that will be grouped together. For example, Server IP expects data arranged as an IP address and Users expects to see
names of users on the application.
Tuple groups
A tuple group allows multiple attributes to be combined together to form a single composite group member. Three of an ordered set of values are called 3-tuple. An n-
tuple is one with an n-set of value attributes. This simplifies the specification of conditions for reporting and policy rules.
Examples of tuple groups are:
Tuple groups - Object/Command, Object/Field, Client IP/DB User, Server IP/DB User
3-tuple groups - Client IP/Source Program/DB User, DB User/Object/Privilege
5-tuple group - Client IP/Source Program/DB User/Server IP/Service Instance
7-tuple group - Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name
Tuple supports the use of one slash and a wildcard character (%). It does not support the use of a double slash (//).
Note: Tuple query - If the user tries to use LIKE GROUP condition and the data has '\' in it, the result may not be correct. The user should use IN GROUP instead, if data
has '\' in it.
Predefined groups
There are a number of predefined groups that are included with Guardium. Use the Group Filter and Group Type menu to browse the list of groups and find the one that
best suits your needs.
Group types DB User/DB Password are by default only available to admin users. Modify the group roles if you want to change this default setting.
Overlapping group memberships

Groups members can be in more than one group.
For example, two predefined groups, Create Commands and DDL Commands, both have a member named CREATE TABLE. If you are querying for either of these groups, all
of the CREATE TABLE members from the reporting period will be counted in that group.
In some cases you may want to define a set of groups so that each member belongs to only one group. For example, suppose that for reporting purposes you need to
group database users into one of two groups: employees or consultants. You would define each of those groups with the same sub-group type (Employee-Status, for

example). When sub-groups are used, the system will not allow you to add a member to a sub-group if that member has already been added to another group with the
same sub-group type.
Wildcards in members
Group members can include wildcard (%) characters for when the group is used in a query condition or policy rule.
Table 1. Wildcards in members

Member Matches Does NOT Match
aaa% aaa zzzaaa
aaazzz aaz
%bbb bbb,zzbbb bb
bbbzzz
%ccc% ccc cc
ccczz zzzcczzz
zzzccczzz
Managed Unit Groups

There is a distinction between managed unit groups and the groups created through the group builder used for grouping elements to simplify creating and managing
policies and to clarify the presentation of reports. For more information about managed unit groups, see Creating managed unit groups.
Parent topic: Groups
Using the group builder

The group builder provides at-a-glance information about group membership and use and several convenient methods for populating groups.
Use the group builder to create and populate groups from a variety of sources including CSV files, external datasources, and existing groupd. In addition, the builder
provides at-a-glance information about group membership and where groups are used in security policies, classifier policies, queries, and reports.
Tip:
Guardium V10.1.4 introduces the new group builder interface described in this information. The new group builder is accessible at Setup > Tools and Views > Group
Builder.
The original group builder is accessible at Setup > Tools and Views > Group Builder (Legacy) and described at Using the group builder (legacy).
Creating and editing groups

Learn how to create and edit groups.
Viewing group membership and where groups are used
Learn how to view group membership and identify the policies, reports, and queries where groups are used.
Populating groups
The group builder supports several methods of adding members to groups.
Creating and editing groups

Learn how to create and edit groups.
Parent topic: Using the group builder
Creating a group
Procedure
1. Open the group builder by navigating to Setup > Tools and Views > Group Builder.
2. Click the icon on the Group Builder table.

3. Use the Create new group dialog to define a new group. Provide a group description and use the Application type and Group type menus to define the group.
4. After defining the new group, use the Members tab to populate the group. For information about populating groups, see Populating groups.
5. Click Save to create finish defining the new group.
Editing a group
Procedure
2. Select a group from the Group Builder table and click the icon.
3. Use the Edit group dialog to modify group settings. To add members to the group or modify group membership, use the Members tab. For information about
populating groups, see Populating groups.
4. Click Save to finish editing the group.

Viewing group membership and where groups are used
Learn how to view group membership and identify the policies, reports, and queries where groups are used.
Viewing group membership
About this task
The Members and Populated by columns of the Group Builder table summarize how many members are in a group and how the group is populated. The following
procedure describes how retrieve detailed information about group membership and the methods used for populating the group.
Procedure
2. Open the Edit group dialog by selecting a group from the Group Builder table and clicking the icon.
3. View group membership on the Edit group dialog by clicking the Members tab.
Identify where a group is used
About this task
The Used in classifier, Used in policy, and Used inquery columns of the Group Builder table provide an overview of where groups are used in Guardium. The following
procedure describes how retrieve detailed information about the policies, queries, and reports where a group is used.
Procedure
2. Open the details panel by selecting a group from the Group Builder table and clicking Actions > View details.
Attention: The View details action is only enabled when the selected group is being used, for example by policies or queries.
3. Use the Policies and Queries tabs on the details panel to view where the selected group is used in security policies, classifier policies, queries, and reports.
Populating groups
The group builder supports several methods of adding members to groups.
Procedure
1. Click the icon to create a new group or select a group from the Group Builder table and click the icon to edit an existing group.
2. Select the Members tab of the Create new group or Edit group dialog.
3. Populate the group using one of the following methods:
Use the icon to manually define group members.

Use the Import menu to add group members using one of the following methods:
From CSV
From group
From external datasource
From query
From LDAP
Tip: Once configured, import actions that can be scheduled will appear as tabs on the Create new group or Edit group dialog. One-time actions such as
Import from CSV cannot be scheduled and will not introduce a new tab to the dialog.
Some group types also support advanced methods for populating groups, including the following:
Using stored procedure analysis on datasources
Using database dependencies
Using reverse dependencies
Using observed procedures
Generating selected objects
Important: Using the group builder introduced with Guradium V10.1.4, advanced import actions are invoked on a target group that is populated based on the
results of analysis performed on a user-selected input group. This represent a change in behavior from the legacy group builder, where advanced actions
were invoked on a source group containing the input to be analyzed, with the results of the analysis being imported into a user-selected group.
Importing from external datasources

Learn how to quickly populate Guardium groups with data from your own databases and keep those groups in sync with your data.
Importing from external datasources

Learn how to quickly populate Guardium groups with data from your own databases and keep those groups in sync with your data.
About this task

Using Import > From external datasource automates the creation of custom tables, domains, and queries to populate Guardium groups from your own datasources. Once
created, these artifacts represent a durable connection between Guardium and your data: updates to your data become reflected in the associated Guardium groups.
Procedure

1. Select Import > From external datasource to open the Import from external datasource dialog.
2. Use the Datasource menu to import data from a datasource. Click the icon to define a new datasource or the icon to edit an existing datasource.
3. Use the Table name and Column name fields to identify the location of data to import from your datasource.
4. Click OK to continue.
Results
Completing the Import from external datasource dialog automatically creates or updates the following Guardium artifacts:
Custom table
Custom datasource
Custom domain
Custom query
Group
These artifacts are available through standard Guardium tools using naming conventions described in the following table, where [table name] and [column name] are taken
from the Table name and Column name fields of the Import from external datasource dialog.
Table 1. Import from external datasource: summary of artifacts created.

Artifact Guardium tool Naming convention Example Schedul
ed
Custom table Custom Table Builder > Edit Data [table name]_[column name]_[datasource ID] USERS_ADMIN_12345 Â
Custom datasource Custom Table Builder > Upload Data [datasource name]_[datasource type](Custom user_repository(Custom Domain)
Domain)
Custom domain Custom Domain Builder [group type]_[table name]_[column USERS_USERS_ADMIN_12345 Â

name]_[datasource ID]
Custom query Custom Query Builder [group type]_[table name]_[column USERS_USERS_ADMIN_12345 Â

name]_[datasource ID]
Group Group Builder > Populate from Query Â PCI Admin Users
Attention: Imported names are truncated after 64 characters.

Parent topic: Populating groups
Using the group builder (legacy)

Creating a new group
Use the group builder to manually create a group of data objects.
Modifying a group
Make modifications to your group, such as adding a member or changing the category of the group. Exercise caution when modifying or deleting a group, as changes
made could possibly affect other users or policies.
Populating groups
After creating a group or finding the one you want to work with, populate the group with members. Use the Group Builder (Legacy) to manually add members to a
group, or through several automated import methods.
Creating a new group

Use the group builder to manually create a group of data objects.
Procedure
1. Open the Group Builder by clicking Setup > Group Builder (Legacy).
2. Click Next to bypass the filter and create a new group.
3. In the Create New Group panel, select an option from the Application Type menu to determine which application you will use the group with.
4. Enter a unique Group Description for the new group - do not include apostrophe characters in this field.
5. Select a Group Type Description to choose which type of data you are grouping.
6. Enter a Category, which is an optional label that you can filter by and use to group items (that the filter has isolated) of policy violations and reports.
7. Enter a Classification, which is another optional label that you can filter by and use to group items for policy violations and reporting.
8. Select Hierarchical to create a group of groups, where the admin user has access and then passes it along to users in groups in the hierarchy.
9. Click Add to add the group.
Parent topic: Using the group builder (legacy)
Modifying a group
Make modifications to your group, such as adding a member or changing the category of the group. Exercise caution when modifying or deleting a group, as changes made
could possibly affect other users or policies.
Procedure
1. Open the Group Builder (Legacy) by clicking Setup > Group Builder (Legacy).
2. Use the Group Filter to find the group you want to modify, or leave the filter empty and click Next to look at the complete list of groups.
3. When modifying a group, a best practice is to clone the group , save it as a new group, and then modify the clone to prevent undesired effects on the rest of your
Guardium system.

The Modify Existing Groups pane allows you to:
Modify, clone, or delete any group

Assign or modify roles
Populate your group from a query, LDAP server, or using Auto Generated Calling Prox functionality.
4. With any group selected, click Modify to be able to:

modify the category of the group
add a new member to the group
rename a group member
reset a group's membership to the predefined members
add comments
create an alias for a group
populate a group from LDAP
Modifying group category
Procedure
Select a group from the Group Members list, enter the new category name into the Category field and click Modify Category to save changes.
Adding a group member

Create a new member and add it to a group, or add an existing member to a group.
Procedure
If you have a new member you want to add to a group, enter the member's name into the Create & add a new Member named field and click Add.
Note: When adding to a group of objects, valid member names may be composed of object_name, schema.object_name, use a wildcard such as %object_name, or a
combination of all three.
The new member is now added to the Group Members list.
Renaming a group member
Procedure
1. Select the group member to be re-named from the Group Members list. This will also display the current group member name in Rename Selected Member to.
2. Change the name of the group member in the Rename selected Member to field and click Update.
Resetting to the predefined group membership

Click Reset to Predefined for any group to replace the current group members with the set of predefined group members.
Adding a comment to a group

Click Add Comments for any group to add comments for your future reference.
Creating an alias for a group
Procedure
1. Click Aliases to open the Alias Quick Definition window.

2. For each group member you want to create an alias for, enter a value into the Alias column and click Apply.
Populating groups
After creating a group or finding the one you want to work with, populate the group with members. Use the Group Builder (Legacy) to manually add members to a group, or
through several automated import methods.
How to populate a group from LDAP

How to import data from an LDAP server to use in GuardiumÂ® groups.
Populating a group from a query
Create a query, and use the results to populate a group. This option of populating groups is most useful after the external data correlation has uploaded a custom
table to the Guardium system.
Populating a group from stored procedures
There are several different methods for populating command or object groups from stored procedures. The auto-generated calling prox functionality in the Group
Builder allows you to analyze command or object groups for specific group members and add those members into a new group.

Guardium groups and policies (video)
How to populate a group from LDAP

How to import data from an LDAP server to use in GuardiumÂ® groups.
About this task

Configure Guardium with your LDAP server, and then import on demand, or schedule an import in the future.
When importing LDAP users:
The Guardium admin user account will not be changed in any way.
You have the option to clear existing members from a group before importing.
Existing user passwords will not be changed.
By default, new users are disabled when added, assigned the user role, and have blank passwords.
Note:
Special characters are not supported in user names.
If you are scheduling an import, consider any other scheduled imports you may have at that time, as this will affect the behavior of existing scheduled imports.
Procedure
Configure your LDAP server with your Guardium system. Open the Group Builder by clicking Setup > Group Builder (Legacy), and fill out the required information.
a. For LDAP Host Name, enter the IP address or host name for the LDAP server to be accessed.
b. For Port, enter the port number for connecting to the LDAP server.
c. Select the LDAP server type from the Server Type menu.
d. Check the Use SSL Connection check box if Guardium is to connect to your LDAP server using an SSL (secure socket layer) connection.
e. For Base DN, specify the node in the tree at which to begin the search. For example, a company tree might begin like this: DC=encore,DC=corp,DC=root
f. For Attribute to Import, enter the attribute that will be used to import users (for example: cn). Each attribute has a name and belongs to an objectClass.
g. Check the Clear existing group members before importing check box if you want to delete all existing group members before importing.
h. For Log In As and Password, enter the user account information that will connect to the Guardium server.
i. For Search Filter Scope, select One-Level to apply the search to the base level only, or select Sub-Tree to apply the search to levels beneath the base level.
j. For Limit, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that
you do not inadvertently load an excessive number of members.
k. Optional: For Search Filter, define a base DN, scope, and search filter. Typically, imports will be based on membership in an LDAP group, so you would use the
memberOF keyword. For example: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
l. Click Apply to save the configuration settings.
The Status indicator in the Configuration - General section will change to LDAP import currently set up for this group as follows and the Modify Schedule and Run
Once Now buttons will be enabled. You can now import from your LDAP server.
What to do next
Run or schedule an import.
Schedule an LDAP import by clicking Modify Schedule, filling out the schedule information, then clicking Save.

To run the import on demand, click Run Once Now. After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP
Query Results panel.
Note:
When you import on demand, you have the opportunity to accept or reject each entry returned from the LDAP server.
When you schedule an LDAP import, all of the LDAP entries that satisfy your search criteria will be imported.
Verify that members have been added to a group by selecting the group in the Group Builder, then clicking Modify , and looking at the group's membership.
For larger groups, it may be easier to verify members by using the Guardium Group Details report (Reports > Guardium Group Details).
Populating a group from a query

Create a query, and use the results to populate a group. This option of populating groups is most useful after the external data correlation has uploaded a custom table to
the Guardium system.
Procedure
1. Open the Group Builder by clicking Setup > Group Builder (Legacy). Use the filter to find the group you want to populate, or click Next and find the group from the
list of all groups.
2. With a group selected, click the Populate From Query button to open the Populate Group From Query Set Up panel.
3. From the Query menu, select the query to be run.
a. Depending on the type of group being populated, different fields will appear. For most group types, the Fetch Member From Column menu will appear.
b. For paired attribute groups (Object/Command, Object/Field, or Client IP/DB User), two menus will appear: Choose Column for Attribute 1 and Choose
Column for Attribute 2.
c. Select the column (or columns) to be used to populate the group, and any additional parameters for the query. The run-time parameters for the query will
then be added to the pane.
4. Select the Clear existing group members before importing box to delete existing group content before importing new members.
5. Optional: Select a remote source (only available from a Central Manager).
6. Click Save to save the definition.
7. Click Run Once Now to run the query immediately, or click Modify Schedule to set a schedule for the query in the future.
Populating a group from stored procedures

There are several different methods for populating command or object groups from stored procedures. The auto-generated calling prox functionality in the Group Builder
allows you to analyze command or object groups for specific group members and add those members into a new group.
About this task

The Group Builder (Legacy) can automatically populate command or object group types through two ways:
By analyzing stored procedure source code. To use this option, GuardiumÂ® must access the database on which the stored procedures have been defined, and the
stored procedures must not be stored in encrypted format.
By analyzing stored procedures in database traffic that has been monitored and logged by Guardium. To use this option, the Guardium appliance must be inspecting
the appropriate database streams, and logging the information (as opposed to using ignore session or skip logging actions), and the analysis task must run while the
data is still on the unit (as opposed to, for example, after an archive/purge operation).
There are two groups involved when populating a group from stored procedures:
The receiving group is the one to which members will be added.

The starting group which will be analyzed. This group must be an existing commands or objects group. The search-and-add process is recursive. For example, if the
stored procedure named prox_one is added to the receiving group, and prox_one is referenced in prox_two, prox_two will also be added to the receiving group.
Note: Wildcards are not supported in the group members field for stored procedures.
Procedure
1. Open the Group Builder by clicking Setup > Group Builder (Legacy).

2. Choose a starting group to analyze that is either a commands or objects group type.
3. With the starting group selected, click Auto Generated Calling Prox. You will be presented with five options:
a. Using DB Sources: Populate a group by analyzing the stored procedure definitions from one or more databases.
b. Using Database Dependencies: Populate a group of objects or a group of qualified objects by analyzing Functions, Java classes, Packages, Procedures,
Synonyms, Tables, Triggers and/or Views.
c. Using Reverse Dependencies: Populate a group by computing a set of objects used when starting from a set of objects.
Note: The Using Reverse Dependencies option is only available for Oracle.
d. Using Observed Procedures: Populate a group by analyzing the CREATE PROCEDURE and ALTER PROCEDURE commands as they are observed in the
database traffic.
e. Generate Selected Object: Populate a group by reverse analysis of observed stored procedures. Starting from a set of stored procedures, compute all the
tables that these procedures use (directly or indirectly).
Note: The Generate Selected Object option can only be used with object group type.
Populating a group using database sources

Populating a group using database dependencies
Use this option to populate groups based on Database Dependencies such as Functions, Java classes, Packages, Procedures, Synonyms, Tables, Triggers and/or
Views. This option will only work with Oracle databases on object group types. This option does not work on Command group types because dependency
information in the database is only related to objects.
Populating a group using reverse dependencies
Generate Selected Object populates the group through reverse analysis of observed stored procedures.
Populating a group using observed procedures
Guardium will populate a group by inspecting all changes or additions to stored procedures. This keeps the mapping information up-to-date through continuous
analysis of changes to stored procedures.
Populating a group using generate selected object
The Generate Select Object option is a part of the Auto Generated Calling Prox functionality that populates an objects group type through reverse analysis of
observed stored procedures.
Populating a group using database sources

Before you begin
To use this option:
You must know where the stored procedures of interest are defined.
The sources must not be stored in encrypted format.
You must have access to the stored procedure sources on those databases.
About this task

Guardium will analyze the stored procedure source code, on one or more database servers. Select a group and then run the Auto Generated Calling Prox process to scan
your stored procedures. This process will check the selected group to see if any of the objects in that group can be accessed or if any of the commands in that group can
be executed. Any matches will be added to a new group. To populate a group using database sources:
Procedure
list of all groups.
Note: This option can only be used with commands or objects group types.
2. With the group selected, click Auto Generated Calling Prox, and select the Using DB Sources option. This opens the Analyze Stored Procedures panel.
3. Click Add Datasource and select a datasource from the Datasource Finder. The selected datasource will appear in the Datasources pane.
4. Optional: Fill in the Query parameters. Some fields only apply to certain databases.
For Sybase, MS SQL Server, and Informix, enter a database name to restrict the operation to that database. If it is blank, all stored procedures in the
master database will be analyzed.
For MySQL, Oracle or DB2 only, enter a schema name to restrict the operation to databases owned by that schema. For MySQL only, the Schema Owner is in
the form user_name@host, where host can be a specific IP or it can be a % to specify all hosts. To get all hosts, enter the schema name followed by %.
For MySQL, Oracle or DB2 only, enter a stored procedure name in Object Name. Wildcard characters may be used. For example, if only interested in the
procedures beginning with the letters ABC, enter ABC% in the Object Name box.
5. In the Source Detail Configuration section, do one of the following:
Add members to an existing group by checking the Append check box, and then selecting a group from the Existing Group Name menu.
Add members to a new group by entering the new group name in New Group Name.
Note: Do not include apostrophe characters in a group name.
6. Select Flatten Namespace to create member names using wildcard characters, so that the group can be used for LIKE GROUP comparisons. For example, if sp_1, is
discovered, the member %sp_1% will be added to the group, and in a LIKE GROUP comparison, the values sp_101, sp_102, sss_sp_103, etc. would all match.
7. Click Analyze Database to begin populating the group. The operation may take an extended amount of time to complete.
Parent topic: Populating a group from stored procedures
Populating a group using database dependencies

Use this option to populate groups based on Database Dependencies such as Functions, Java classes, Packages, Procedures, Synonyms, Tables, Triggers and/or Views.
This option will only work with Oracle databases on object group types. This option does not work on Command group types because dependency information in the
database is only related to objects.
About this task

When specifying the group type, keep in mind that only Object or Qualified Object group types work with this option. A qualified object requires five value attributes: server
IP, instance, DB name, owner and object. This is also called a 5-tuple object.
An example of what a Qualified Objects group member looks like is 192.168.1.0+guardium+oracle+admin+fininacial object.
Procedure
list of all groups.
2. With the objects or qualified objects group selected, click Auto Generated Calling Prox, and select the Using Database Dependencies option. This opens the Analyze
Stored Procedures panel.
4. Optional: Fill in the Query parameters.
Add members to an existing group by checking the Append box, and then selecting a group from the Existing Group Name menu.
Note: Do not include apostrophe characters in a group name, and make sure that the new group is fully qualified (includes five value attributes: server IP,
instance, DB name, owner and object).
6. Select Flatten namespace to create member names using wildcard characters, so that the group can be used for LIKE GROUP comparisons. For example, if sp_1, is
7. In the Include Types section, select database dependencies: Functions, Java classes, Packages, Procedures, Synonyms, Tables, Triggers and/or Views.
8. Click Analyze Database to populate the group. You will be informed of the results.
Populating a group using reverse dependencies

Generate Selected Object populates the group through reverse analysis of observed stored procedures.
About this task

These options from the Group auto-populate menu compute a set of objects used when starting from a set of objects. For example, starting from a set of stored
procedures, compute all the tables that these procedures use (directly or indirectly).
Procedure
list of all groups.
Note: The Reverse Dependencies option is available only for Oracle.
2. With the group selected, click Auto Generated Calling Prox, and select the Using Reverse Dependencies option. This opens the Analyze Stored Procedures panel.
4. Optional: Fill in the Query parameters.
To add members to an existing group, select Append, and then select the group from the Existing Group Name list.
To add members to a new group, enter the new group name in New Group Name.
7. In the Include Types section, select database dependencies: Functions, Java classes, Packages, Procedures, Synonyms, Tables, Triggers and/or Views.
8. Click Analyze Database to populate the group. You will be informed of the results.
Populating a group using observed procedures

Guardium will populate a group by inspecting all changes or additions to stored procedures. This keeps the mapping information up-to-date through continuous analysis
of changes to stored procedures.
Procedure
list of all groups.
2. With the starting group selected, click Auto Generated Calling Prox, and select the Using Observed Procedures option. This opens the Analyze Observed Stored
Procedures panel.
3. To edit an existing configuration, select it from the Source Details menu. To create a new configuration, leave the selection on New.
4. In the Access Information section, select all of the database servers to be analyzed. You can choose any combination of the check-boxes.
8. Set a schedule for the group by doing one of the following:
To run the query immediately and get results now, Click Run Once Now.
To define a schedule for the operation, click Modify Schedule.

Populating a group using generate selected object
The Generate Select Object option is a part of the Auto Generated Calling Prox functionality that populates an objects group type through reverse analysis of observed
stored procedures.
About this task

Guardium will populate the group by inspecting all changes or additions to stored procedures. This keeps the mapping information up-to-date through continuous analysis
of changes to stored procedures.
Procedure
list of all groups.
2. With the starting group selected, click Auto Generated Calling Prox, and select the Generate selected object option. This opens the Analyze Observed Stored
Procedures panel.
3. To edit an existing configuration, select it from the Source Details menu. To create a new configuration, click New.
4. In the Access Information section, select all of the database servers to be analyzed. You can choose any combination of the check-boxes.
5. In the Source Detail Configuration section, enter a name, and choose an option from the Verb menu.
8.
10. Set a schedule for the group by doing one of the following:
To run the query immediately and get results now, Click Run Once Now.
To define a schedule for the operation, click Modify Schedule.
Using groups in queries and policies

Short overview of conditional operators for queries and where to use groups in policies.
Queries
Queries use conditional operators with groups. Here are examples of each conditional operator:
IN GROUP - If the value matches any member of the selected group, the condition is true. IN ALIASES GROUP, this operator works on a group of the same type as
IN GROUP, however assumes the members of that group are aliases. Note that the IN GROUP/IN ALIASES GROUP operators expect the group to contain actual
values or aliases respectively. Query Builder will look for records with database values matching the aliases value in the group.
NOT IN GROUP - If the value does not match any member of the selected group, the condition is true. NOT IN ALIASES GROUP, this works on a group of the same
type as NOT IN GROUP, however assumes the members of that group as aliases.
IN DYNAMIC GROUP - If the value matches any member of a group that will named as a run-time parameter, the condition is true. IN DYNAMIC ALIASES GROUP,
this works a group of the same type as IN DYNAMIC GROUP, however assumes the members of that group as aliases.
NOT IN DYNAMIC GROUP - If the value does not match any member of a group that will named as a run-time parameter, the condition is true. NOT IN DYNAMIC
ALIASES GROUP, this works a group of the same type as NOT IN DYNAMIC GROUP, however assumes the members of that group as aliases.
Note: The group may contain either aliases or actual values according to the operator used (IN GROUP OR IN ALIASES GROUP) can not be used at the same time.
LIKE GROUP - If the value is like any member of the selected group, the condition is true. This condition enables wildcard (%) characters in the group member
names.
Note: A like member value uses one or more wildcard (%) characters, and matches all or part of the value. For a like comparison, alphabetic characters are not case
sensitive. For example, %tea% would match tea, TeA, tEam, or steam.
Policies and rules

When creating a rule as part of a policy, groups simplify the process of specifying the parameters you want.
Anywhere there is a Group drop-down menu on the rule definition pane you can select a group.
Further, if you want to create or modify a group on the fly, click the Groups icon to open a Group Definition window and make your desired changes.
For example: if you want to capture activity occurring on your production servers, rather than typing in full IP addresses each time, you could create a group Production
Servers and use that.
Example: Using groups to create rules and policies

Use groups to quickly specify rule conditions in a policy.
About this task

Each policy is composed of one or more rules. Specify which conditions will enact a rule, and then choose one or more actions to take when that rule is triggered. This
example shows you how to use groups to identify unauthorized users, log details of their access on a group of sensitive objects, and send an alert indicating that the
access occurred.

Procedure
1. Login to your Guardium system, and open the Policy Builder by clicking Setup > Tools and Views > Policy Builder for Data.
2. Create a new policy by clicking the icon to open the Policy Definition window.
3. Define the policy definition, then click Apply to save the policy.
4. Click Edit Rules to open the Policy Rules window and begin adding rules to the policy.
5. Click Add Rules > Add Access Rule to add a new rule to the policy.
6. Begin by providing a Description for the rule. Optionally provide Category and Classification labels.
7. Specify where to look for data. From the Server IP row, select the (Public) PCI Authorized Server IPs group. The rule will apply to all activity from all PCI servers.
Note: You can view the members of any group or modify any group by going to the Group Builder.
8. Specify unauthorized users. From the DB User row, mark the Not check box and select the (Public) Authorized Users group. The rule will apply to all users who are
not in the (Public) Authorized Users group.
9. Specify sensitive objects. From the Object row, select the (Public) PCI Cardholder Sensitive Objects group. The rule will now apply to all unauthorized users on PCI
servers looking to access PCI sensitive objects.
10. Add an action to the rule by clicking Add Action and selecting Action > LOG FULL DETAILS from the menu. Click Apply to save the rule. This action logs details of the
access, including an exact timestamp of the access.
11. Add another action to the rule by clicking Add Action and selecting Action > ALERT ONCE PER SESSION from the menu. Specify an alert destination, then click
Apply to save the rule. This action sends or logs an alert indicating that the rule was triggered.
12. Click Save to save the rule.
13. Install the policy.
a. Find the policy that you created. Click Back twice, or click Policy Builder to get to the Policy Finder and browse the list of policies.
b. With the policy selected, choose Install & Override from the installation action menu.
c. Click OK to confirm the policy installation, and then check Latest Logs and Violations to verify the policy was installed.
The policy is now installed and active. Any person not in the (Public) Authorized Users group attempting to access an object in the (Public) PCI Cardholder
Sensitive Objects groups will have their session logged and will trigger an alert indicating the access.
Predefined Groups
This section details the predefined groups in GuardiumÂ®.
The following table describes the predefined groups that are included with your Guardium system. To view the list of all groups, open the Group Builder by clicking Setup >
Group Builder. Select SQL_APP_NAME from the Applications menu, and click Next. From the next screen, manage members from Selected Groups. The term Group Type
refers to expectations on the type of data designated by the label. For example, the group type Server IP expects data arranged as an IP address (192.168.1.0) and the
group type Users expects to see names of users of the application.
Additional predefined groups do get added periodically and these additional predefined groups may not be described here. Open the Group Builder to see all existing
groups.
Predefined groups of group type DB User/DB Password are allowed only to users with the role of admin. Users can, if preferred, add other roles or even allow the groups to
all roles.
Table 1. Predefined Groups

SQL_APP_NAME GROUP_DESCRIPTION MEMBERS
DB2Â® zOS Groups zOS Audit Dynamic SQL Group Type for DB2 commands
DB2 zOS Groups zOS Audit Query Group Type for DB2 commands
DB2 zOS Groups zOS Audit Updates Group Type for DB2 commands
DB2 zOS Groups zOS Audit Deletes Group Type for DB2 commands
DB2 zOS Groups zOS Audit Inserts Group Type for DB2 commands
DB2 zOS Groups zOS Audit Utilities Group Type for DB2 commands
DB2 zOS Groups zOS Audit Object Maintenance Group Type for DB2 commands
DB2 zOS Groups zOS Audit User Maintenance Group Type for DB2 commands
DB2 zOS Groups zOS Audit User Authorization Changes Group Type for DB2 commands
DB2 zOS Groups zOS Audit DB2 Commands Group Type for DB2 commands
DB2 zOS Groups zOS Audit Plan/ Package Maintenance Group Type for DB2 commands
IMSâ„¢ zOS Groups zOS IMS Audit Query Group Type for IMS commands
IMS zOS Groups zOS IMS Audit Updates Group Type for IMS commands
IMS zOS Groups zOS IMS Audit Deletes Group Type for IMS commands
IMS zOS Groups zOS IMS Audit Inserts Group Type for IMS commands
IMS zOS Groups zOS IMS Audit DB Commands Group Type for IMS commands
Policy Builder Cardholder Objects Group Type, Objects
Policy Builder Financial Objects Group Type, Objects
Policy Builder PHI Objects Group Type, Objects
Policy Builder Authorized Client IPs Group Type, Client IP
Policy Builder Production Users Group Type, Users
Policy Builder PII Objects Group Type, Objects

Policy Builder Production Servers Group Type, Server IP
Policy Builder Financial Servers Group Type, Server IP
Policy Builder Functional Users Group Type, Users
Policy Builder Sharepoint Servers Group Type, Server IP
Security Assessment Builder DB2 Database Version+Patches Used for (specific) database version and patch level tests.
InformixÂ® Database Version+Patches
MS Sql Server Database Version+Patches
MySql Database Version+Patches
NetezzaÂ® Version+Patches
Oracle Database Version+Patches
Postgress Version+Patches
Sybase Database Version+Patches
Teradata PDE Version+Patches
Teradata TDBMS Version+Patches
Teradata TDGSS Version+Patches
Teradata TGTW Version+Patches
Security Assessment Builder DB2 Allowed Grants to Public TUPLE, Object/Command Application 8 (Security assessment)
Informix Allowed Grants to Publics List of objects/commands for which grants to public are allowed.
MS-SQL Allowed Grants to Public These objects will be skipped on MS-SQL and Sybase tests that check grants
to public.
MYSQL Allowed Grants to Public
Note:
Netezza Allowed Grants to Public
Exceptions group can contain a regular expression or just a member. If
Oracle Allowed Grants to Public regular expression, the group member must start with (R) (case sensitive),
and the records in the detail will be checked against the regular expression
Postgres Allowed Grants to Public
after the (R).
Teradata Allowed Grants to Public
For example if a group member is:
(R)SYSTEM.[a-z]+ Â each detail record will be checked using pattern:

SYSTEM.[a-z]+
If the member does not start with (R) the detail record will be considered an
exception only if it is equal to the group member.
Note a group may contain a mix of regular expressions and specific

exceptions.
Security Assessment Builder MS-SQL Extended Procedures Allowed Group Type is Objects
Security Assessment Builder MS-SQL Database Administrators Group Type is Users
Security Assessment Builder Teradata Profile Group Type is Objects
Â Â Â
Public Account Management Commands Commands used to maintain accounts (users, roles, permissions),
examples: REVOKE, GRANT, ALTER/CREATE/DROP USER
Public Account Management Procedures Account Management Objects, stored Procedures used to maintain accounts
(users, roles, permissions)
Public Active Users Group Type is Users
Public Admin Users Default administrative users (DBAs and SysAdmins)
Public Administration Objects Privileged Objects, objects that only DBA or Sys Accounts should access.
These accounts are locked for "public" by default.
Public Administrative Commands Privileged Commands, privileged Commands, should be executed only by
DBAs. Examples: GRANT, BACKUP, DDL commands
Public Administrative Programs Database utilities (clients) that come with database and usually reside on
the database server and could used by the server itself
Public ALTER Commands Examples, alter database, alter procedure, alter profile, alter session, alter
user
Public Application Privileged Commands Public privileged commands that should be revoked from "public", but not
revoked since they are used by the application
Public Application Privileged Procedures Application Privileged Objects, public privileged procedures that should be
revoked from "public" but not revoked since they are used by the application

Public Application Schema Users Application Users, database user used by the application to maintain/user
the application tables
Public Archive Candidates Group Type is Objects
Public Authorized Source Programs Group Type is Source Programs
Public Authorized Users Group Type is Users
Public Connection Profiling List Group Type is Client IP/Src App/DB User/Server IP/SVC. Name
List of allowed connections
Public CREATE Commands Examples, create context, create database link, create function, create
statistics, create type, create user
Public Credentials Related Entities Guardium Audit Types, Self-Monitoring, examples, allowed_role,
LDAP_config, Turbine_user_group_role
Public Data Transfer Commands Backup Commands, commands dealing with backup/restore of database
data
Public Data Transfer Procedures Data Transfer Objects, procedures dealing with backup/restore of database
data (mostly on MSS and SYB)
Public DB Predefined Users Either non-admin predefined users or all predefined users, including
administrative ones
Public DBCC Commands Group Type is Commands
Public DDL Commands Data Definitions Language, schema-privileged commands, examples, ALTER,
CREATE, DROP
Public DML Commands DML Commands, examples, insert, truncate, update
Public DROP Commands Examples, drop_context, drop_event_monitor, drop_procedure, drop_role
Public DW All Object-Field There are five predefined reports that use monitored data to show object
names. These reports all start with the prefix DW (Data Warehouse). See the
DW All Objects help topic, How to report on dormant tables/columns, for further
information on how to use these predefined reports.
DW Execute Accessed Objects
DW Select Accessed Objects
DW Select Accessed Objects/Fields
Public EBS App Servers Group Type is Client IP
Public EBS DB Servers Group Type is Server IP
Public EXECUTE Commands Examples, call, execute, execute function
Public GRANT Commands Examples, grant, grant objectives, grant system privileges
Public Guardium Audit Categories for Detailed Reporting Guardium patches, TURBINE_USER_GROUP_ROLE
Public ICM App Servers Group Type is Client IP
Public ICM DB Servers Group Type is Server IP
Public ImportLDAPUser Group Type is Objects
Public ImportLDAPUser_bindValues Group Type is Objects
Public Inspection Engine Entities Examples, adminconsole_sniffer, software_tap_db_client,

software_tap_db_server
Public Javaâ„¢ Commands Examples, alter java, create java, drop java
Public KILL Commands Example, kill
Public Masked_SP_Executions_MS_SQL_SERVER For MS SQL Server, a group that includes a collection of stored procedures
(SP) names. If there is an execution of an included procedure, than
everything will be masked, even if in quotes. Predefined as empty.
Public Masked_SP_Executions_Sybase For Sybase, a group that includes a collection of stored procedures (SP)
names. If there is an execution of an included procedure, than everything
will be masked, even if in quotes. Predefined as empty.
Public MongoDB Skip Commands Group Type is Commands
Public MS-SQL Replication Procedures Group Type is Objects
Public MS-SQL Security System Procedures Group Type is Objects
Public MS-SQL System Procedures Group Type is Objects
Public Oracle EBS HRMS Sensitive Objects Group Type is Objects
Public Oracle EBS-PCI Group Type is Objects
Public Oracle EBS-SOX Group Type is Objects
Public Oracle Predefined Users Group Type is Users

Public Peer Association Commands Commands dealing with links/replications of data, examples, links, log
shipping, replications, snapshots
Public Peer Association Procedures Peer Association Objects, procedures dealing with links/replications of data
Examples: Links, log shipping, replications, snapshots
Public PeopleSoft Objects Group Type is Objects
Public PeopleSoft Sensitive Objects Group Type is Objects
Public Performance Commands Examples, analyze, create statistics, update all statistics
Public Policy Related Entities Examples, access_rule, gdm_install_policy_header
Public Potential Overflow Objects Group Type is Objects
Public Procedural Commands Examples, begin, call, execute, exit, repeat, set
Public PROCEDURE DDL Examples, alter procedure, create procedure, drop procedure
Public PSFT App Servers Group Type is Client IP
Public PSFT DB Servers Group Type is Server IP
Public Public executable procedures Execute-Only Objects, procedures/functions/Packages that by default

granted access to public
Public Public selectable object Select-only Objects, tables that by default granted access to public
Public RESTORE Â Commands Examples, restore database, restore log
Public REVOKE Commands Examples, revoke object privileges, revoke system privileges
Public Risk-indicative Error Messages SQL errors related to security
Public Sharepoint Servers Â
Public SAP-PCI Group Type is Objects
Public SAP App Servers Group Type is Client IP
Public SAP DB Servers Group Type is Server IP
Public SAP HR Sensitive Objects Group Type is Objects
Public Select Command Examples, select, select list
Public Sensitive Objects Examples, activity, sales
Public SIEBEL App Servers Group Type is Client IP
Public SIEBEL DB Servers Group Type is Server IP
Public Siebel SIA Sensitive Objects Group Type is Objects
Public SPECIAL CASE Source Program Group Type is Source Programs
Public Suspicious Objects Group Type is Objects
Public Suspicious Users Group Type is Users
Public System Configuration Commands Database configuration commands (subset of Administrative Commands)
Examples: ALTER DATABASE, ALTER SYSTEM
Public System Configuration Procedures System Configuration Objects (subset of Administration Objects)
Public Terminated DB Users Group Type is Users
Public Vulnerable Objects (with wildcards) Database objects with reported vulnerabilities
Public Windows File Share Verbs Group Type is Commands
Public DB2 Default Users Group Type is DB User/DB Password
IBM iSeries Default Users
Informix Default Users
MS-SQL Server Default Users
MYSQL Default Users
Netezza Default Users
Oracle Default Users
PostgreSQL Default Users
Sybase Default Users
Teradata Default Users

Public Hadoop Skip Commands Group Type is Command
Hadoop Skip Objects Group Type is Object
Not Hadoop Server Group Type is Server IP
Public Replay - Exclude from Compare Group Type is Objects
Replay - Include in Compare
Audit Process Builder Â Predefined as empty.
Baseline Builder Â Predefined as empty.
Attention: The Baseline Builder and related functionality is deprecated

starting with Guardium V10.1.4.
Classifier Â Predefined as empty.
Express Security Â Predefined as empty.
Security Roles
Security roles are used to grant access to data (groups, queries, reports, etc.) and to grant access to applications (Group Builder, Report Builder, Policy Builder, CAS,
Security Assessments, etc).
By default, when a component is initially defined, only the owner (the person who defined it) and the admin user (who has special privileges) are allowed to access and
modify that component.
You can allow other users to access the components you define by assigning security roles. For example, if you assign a security role named DBA to an audit process, all
users assigned the DBA role will be able to access that audit process.
Note: In order to configure LDAP user import, accessmgr user must have the privilege to run the Group Builder. In certain situations, when changes are made to the role
privilege, accessmgr's privilege to Group Builder can be taken away. This results in an inability to save or run successfully LDAP user import. Go to the access management
portal, select Role Permissions. Choose the Group Builder application and make sure that there is a checkmark in the all roles box or a checkmark in the accessmgr box.
Assign Security Roles

1. Open or select the item to which you want to assign one or more security roles (a policy or report definition, for example).
2. Click Roles.
3. Check all of the roles you want to assign from the Assign Security Roles list. You can only assign roles that are assigned to your account.
4. Click Apply.
Define a new Security Role

By default, only the special accessmgr user is allowed to create or remove security roles.
1. Login as accessmgr and open the User Role Browser by clicking Access > Access Management > User Role Browser.
2. At the end of the role browser, click Add Role.
3. In the Role Form panel, enter a new Role Name and click Add Role.
Remove a Security Role

By default, only the special accessmgr user is allowed to create or remove security roles. To remove a role assigned to a component, see Assign security roles to a
component.
1. Login as accessmgr and open the User Role Browser by clicking Access > Access Management > User Role Browser.
2. Click Delete for any role, and then click Confirm Deletion.
Notifications
Use the Alerter and Alert Builder to create notifications. When email or other notifications are required for alerting actions, follow this procedure for each type of
notification to be defined.
Alerter configuration
1. Before you choose alerting actions, you must be configure the email SMTP settings in theAlerter
2. Open the Alerter by clicking Protect > Database Intrusion Detection > Alerter.
3. Fill out the SMTP and/or SNMP information.
4. After filling out each section, click Test Connection, and verify that the connection is working. You will receive a message stating the connection is unreachable if the
connection is not working.
6. At a minimum, IP Address/Host name, port, and return email address must be specified.
7. Select Mail from the Notification Type menu. If the Severity of the message is HIGH, the Urgent flag is set.
8. Select a user (which can be an individual or group) from the Alert Receiver list. Additional receivers for real-time email notification are Invoker (the user that
initiated the actual SQL command that caused the trigger of the policy) and Owner (the owner/s of the database). The Invoker and Owner are identified by retrieving
user IDs (IP-based) configured by using the GuardiumÂ® APIs.

9. Click Add.
Build an alert
1. After configuring the Alerter, open the Alert Builder by clicking Protect > Database Intrusion Detection > Alert Builder.
2. Fill out the information in the Settings, Alert Definition, Alert Threshold, and Notification sections and click Apply.
3. Choose who will receive the notifications by clicking Add Receiver.. and choosing a user.
How to create a real-time alert

Send a real-time alert to the database administrator whenever there are more than three failed logins for the same user within five-minutes.
About this task

Generate real-time security alerts whenever suspicious activity is detected or access policies are violated.
Follow these steps:
1. Create a policy
2. Add rules to the policy
3. Install the policy
4. Setup a real-time alert when the policy is enacted
Prerequisites
Configure SMTP in the Alerter. Open the Alerter by clicking Protect > Database Intrusion Detection > Alerter, and then fill out the SMTP information.
Note: Policy violations can also be seen as a report in Incident Management See Policies for complete information.
Procedure
1. Create a policy.
a. Open the Policy Builder by clicking Setup > Tools and Views > Policy Builder for Data or Applications.
b. Click New, or modify an existing policy by selecting the policy from the Policy Finder and clicking Modify.
c. Fill out the required information and click Apply to save the policy.
2. Add rules to the policy.
a. After saving the policy, click Edit Rules to see the existing policy rules.
b. Click Add Rules... and then you are presented with five rule options.
c. Choose Add Exception Rule and fill out the required information.
The Exception Rule Definition screen begins with the following items:

Description - Enter a short, descriptive name for the rule.
Category - The category will be logged with violations, and is used for grouping and reporting purposes. If nothing is entered, the default for the policy
will be used.
Classification - (optional) Enter a classification. Like the category, these are logged with exceptions and can be used for grouping and reporting
purposes
Severity - Select a severity code from the menu: INFO, LOW, NONE, MED, or HIGH (the default is INFO).
d. Use the remaining fields to specify how to match the rule - where to search, what to search for, who to search for, and when to search.
e. Enter a period "." in the DB User field to count each individual value separately.
f. From the Excpt. Type (exception type) menu, select LOGIN_FAILED.
g. Use the Minimum Count to set the minimum number of times the rule must be matched before the action will be triggered. For this example, choose 1. The
count of times the rule has been met will be reset each time the action is triggered or when the reset interval expires.
h. Use the Reset Interval to set the number of minutes after which the rule counter will be reset to zero. The counter is also reset to zero each time that the rule
action is triggered. For this example, choose 5.
i. Check the Cont. to next rule check box to continue testing rules once this rule is satisfied and its action is triggered. If this is not selected, no additional rules
will be tested when this rule is satisfied.
j. Check the Rec. Vals. check box to indicate that when the rule action is triggered, the complete SQL statement causing that event will be logged and available
in the policy violation report. If not marked, the SQL String attribute will be empty.
3. Add an action when the rule is triggered.
a. From the Actions section of the Exception Rule Definition screen, click Add Action.
b. Select an option from the Action menu and click Apply. For this example, choose ALERT PER MATCH to get a notification every time the rule is enacted.
c. Select an option from the Notification Type menu. You must configure the Alerter for mail or SNMP notification types.
d. Add an alert receiver, and click Apply to save the action.
a. Click Setup > Tools and View > Policy Installation.
b. Find the policy from the Policy Installer menu, select an installation action, and click Modify Schedule or Run Once Now. Your policy is now installed. Your
alert receiver will receive real-time notifications when the policy rules are enacted.
Custom Alerting Class Administration

Use a custom alert class to send alerts to a custom recipient. Upload the custom class, then use the Alert Builder to designate the custom class as an alert notification
receiver.
Before you can use a custom class, you must upload it onto the Guardium system. Click Setup > Custom Classes > Alerts > Upload Alerting Class to upload a
custom alerting class. Click Browse to select a file, then Apply to save.

After uploading the custom class, use it in an alert with the Alert Builder. Open the Alert Builder by clicking Manage > Database Intrusion Detection > Alert Builder.
Fill out the required information, select CUSTM from the Notification Type menu, and click Save.
Predefined Alerts
Table describing the predefined alerts found in the Alert Builder.
Guardium comes with a set of predefined alerts that can be found in the Alert Builder. Open the Alert Builder by clicking Protect > Database Intrusion Detection > Alert
Builder. When you open the Alert Builder, you are presented with a list of all existing alerts in the Alert Finder. Select an alert from the finder and click Modify to edit it.
In the Modify Alert screen, modify any part of the alert, such as receivers or threshold.
You cannot modify the default queries that the alerts are based on. If you want to modify a query, click the Edit this Query icon for any query to open the Query Builder.
Once in the builder, clone any query, and then modify the clone to suit your needs.
After making changes to an alert, click Apply to save them.
The following table describes all predefined alerts.
Table 1. Predefined Alerts

Alert Description
Active S-TAPs Changed Checks for changes to Active S-TAPÂ® inspection engines done during the last accumulation interval. The alert will
trigger if at least one inspection engine has been changed during the period. By default the alert checks every 1/2 hour
and checks the last hour.
Aggregation/Archive Errors Alert once a day on all aggregation or archive tasks that did not complete successfully.
Connection Profiling Alert Alert runs every 60 minutes and sends notice to predefined group, Connection Profiling List - Name List of allowed
connections
CAS Instance Config Changes Alert once a day on any CAS instance configuration changes.
CAS Templates Changes Alert once a day on any CAS template configuration changes.
Data Source Changes Alert once a day on any data source definition changes.
Database disk space Alert every 10 minutes if internal database is more than 80% filled. See the Self Monitoring help topic for more
information on Disk Space (% full) and the GuardiumÂ® Nanny process.
Enterprise No Traffic Enterprise No Traffic Alert runs only on Central Manager systems. It is based on a query similar to the query on the No
Traffic alert and retrieves the records with: timestamp between X and Y, when X is a query parameter and Y is query
from date generated by the alert mechanism based on the accumulation interval (same way the existing no traffic alert
works).
Enterprise S-TAPs changed This alert will only run Central Manager systems.
Failed Logins to Guardium Every 10 minutes alert if there have been more than 5 failed login attempts on the Guardium appliance.
Guardium - Add/Remove Users Alert once a day if any Guardium users have been added or removed.
Guardium - Credential Activity Alert once a day if there have been any Guardium credential changes, including LDAP configuration changes.
Inactive Managed Unit Alert runs 30 minutes and sends a notice once a day to the predefined group that is called "Managed Units Alert".
Inactive S-TAPs Since Alert once an hour on all S-TAPs that have not been heard from.
Inspection Engines and S-TAP Alert once a day on any activity related to inspection engine and S-TAP configuration.
No Traffic Alert to Indicate whether there is no traffic from specific database servers. This alert will alert when there is no traffic
collected from a server from which the Guardium system was collecting traffic at some point during the last 48 hours.
The alert will trigger when there is no traffic within the period defined in the accumulation interval.
For example if the accumulation interval is 60 minutes the alert will send an email if there was no traffic from a specific
database server in the last hour but there was some traffic in the last 48 hours. Â The alert will send an email (by
default) only every 24 hours. Parameters such as accumulation interval, notification interval, run frequency etc. can be
customized. Parameters such as Threshold, Per Line, operator, query etc. should not be changed, as changes to these
parameters will cause the alert not to work properly. Â Note the No Traffic query should not be cloned.
No Traffic by Server/Protocol Similar to the regular No traffic alert with the following differences: The alert is per service Name/Net Protocol, and will
report per line. There is a new additional parameter: Active Traffic Interval that determines when the last request from
each server was received. The alert will trigger under the following conditions: There was No traffic during the alert
interval from each server/net protocol but there was traffic since: Active Traffic Interval for that combination.
Unlike the regular No traffic alert that will trigger if there was no traffic during the alert interval but there was traffic in
the previous 48 hours per server IP.
Policy Changes Alert Alert once a day if there have been any security policy changes.
Queries Running Long Time Notify if a query takes more than 900 seconds to run.
Scheduled Job Exceptions Alert every 10 minutes on any scheduled job exception (including assessment jobs).
Scheduling
The general purpose scheduler is used to schedule many different types of tasks (archiving, aggregation, workflow automation, etc.).

Depending on the type of task being performed, not all of the features described here may be available - for example, the schedules for some types of tasks can be
paused, while others cannot be (they can only be stopped or started).
Note: Be aware of scheduling anomalies that can occur when scheduling tasks during Daylight Savings Time. Â
Define or Modify a Schedule

1. In a task (for example, Audit Process Builder), click Define Schedule or Modify Schedule to open the Schedule Definition panel.
2. Fill in the Start Time. The default is 12 a.m. (Midnight).
3. Optionally, to run the task more than once a day:
Select a value from the Restart list (every hour up to every 12 hours). The default is Run only once, meaning the task will not be restarted during the day.
Select a value from the Repeat list (every minute up to every 59 minutes). The default is Do not repeat.
4. From the Schedule by list, select one of the following:
Day/Week to define a schedule based on one or more days of the week (Monday, Tuesday, Wednesday, etc.).
Month to define a schedule based on one or more days of the month, for every month or specific months.
If you selected Day/Week from the Schedule by list, mark each day of the week you want the task run, or click Every day to select all days (or to clear all days if they
are already selected).
OR
If you selected Month from the Schedule by list, do one of the following:
To select a numbered day (the 15th, for example):

Select the Day button.
Select a day: 1-31, depending on the month selected.
Select Every month, or one or more specific months.
To select a weekday occurrence within the month (the first Monday, for example):
Select the button.
Select a week relative to the start of the month: First, Second, Third, etc.
Select a weekday: Sunday, Monday, Tuesday, etc.
Select either Every month, or one or more specific months.
5. From the Schedule Start Time list, select the hour and minute at which you want to run the task. If a time is chosen earlier than NOW, the Scheduler Start Time will
revert to NOW.
6. Click Apply.
Pause a Schedule
Note: Note that not all types of scheduled tasks provide a pause option.
1. Click Pause and

2. Confirm the action.
Remove a Schedule
After a schedule has been defined, a Remove button appears in the Schedule Definition panel.
1. Click Define Schedule or Modify Schedule to open the Schedule Definition panel.
2. Click the Delete button.
Aliases
Create synonyms for a data value or object to be used in reports or queries.
Aliases Overview
An alias is used to display a meaningful or user-friendly name for a data value.
For example, Financial Server might be defined as an alias for IP address 192.168.2.18. Once an alias has been defined, users can display report results, formulate
queries, and enter parameter values using the alias instead of the data value.
Aliases can be defined in a number of ways:
Through the IP-to-Hostname Aliasing tool - use this tool to generate aliases for discovered client and server IPs.
Click Protect > Database Intrusion Detection > IP-to-Hostname Aliasing to open the IP-to-Hostname Aliasing tool.
Through the Alias Builder â€“ use this method to define aliases manually.
Open the Alias Builder by clicking Comply > Tools and Views > Alias Builder.
Through a query.
While using the Group Builder, with the Alias Quick Definition.
Note: Aliases changes on the Central Manager or managed units will not be available on other systems until either GUI is restarted or any aliases changes are made
through their GUI.
IP-to-Hostname Aliasing

One of the more common applications of aliases is to use them as synonyms for IP addresses. Use this tool to schedule the discovery of client and server IP's and
generate aliases for them.
1. Open the IP-to-Hostname Aliasing tool by clicking Protect > Database Intrusion Detection > IP-to-Hostname Aliasing.
2. Check the Generate Hostname Aliases for Client and Server IPs (when available) check box.
3. Check the Update existing Hostname Aliases if rediscovered check box if you want the tool to continually look for and update hostname aliases.
4.
5. Click Apply to save your configuration, then schedule the operation.
Click Run Once Now to start the tool immediately.
Click Define Schedule... to schedule the tool in the future.
Click Pause to pause the generation of client and server IPs aliases.
Alias Builder
Use this method to manually create an alias.
1. Open the Alias Builder by clicking Setup > Tools and Views > Alias Builder.
2. Select the attribute type for which you want to define aliases.
3. Filter your search on that attribute type using the Value and Alias fields and click Search.
4. If any results match your search, they will display in the value and alias table. Click Apply for the search results, or add a new alias by specifying a Value and Alias
name, then clicking Add.
5. Add a comment to an alias by clicking the Item Comments icon . This can be helpful for quickly referencing what an alias refers to in the future.
Define Aliases Using a Query

Use this method to create aliases from a query. When a custom table has been uploaded to GuardiumÂ®, that table can be used to map aliases to specific values.
1. Open the Alias Builder by clicking Setup > Tools and Views > Alias Builder.
2. Select the attribute type for which you want to define aliases from the Alias Finder and click Populate from Query to open the Builder Alias From Query Set Up
panel.
3. Fill out the required information and click Save to save the alias.
Select the query to be run from the Query menu.
Choose a value for both Choose Column for Value Column and Choose Column for Alias Column.
After selecting column values, more fields display that you must fill in (From Date, To Date, Remote Source, and any additional parameters for the selected
query).
Check the Clear existing group members before Importing check box to delete the existing content of the group before populating from query.
Click Save to save.
With the query saved, the Scheduling buttons become active. Click Modify Schedule to run the query in the future, or click Run Once Now to run it
immediately.
Alias Quick Definition from Group Builder

Use this method to create an alias for a group on the fly while creating or populating a group.
1. Open the Group Builder by clicking Setup > Group Builder. Select any group from the list, and click Modify.
2. Click Aliases... to open the Alias Quick Definition window. Type in an alias for any group(s), and save the alias by clicking Apply.
GuardAPIs for Aliases

Use these GuardAPI commands to create, update and delete alias functions:
grdapi create_alias
grdapi update_alias
grdapi delete_alias

Dates and Timestamps

Use a calendar tool to select an exact date, and a relative date picker to select a date that is relative to the current time.
There are two tools that are used to populate date fields: a calendar tool to select an exact date, and a relative date picker to select a date that is relative to the current
time (now -1 day, for example). In addition, exact or relative dates can be entered manually.
Be aware that when selecting or entering dates, the date on the system on which you are running your browser may not be the same as the date on the GuardiumÂ®
appliance to which you are connected.
Timestamps in Queries
Caution need to be taken when including Timestamps in queries.
First, be aware of the distinction between a timestamp (lowercase t) and a Timestamp (uppercase T).
A timestamp (lowercase t) is a data type containing a combined date-and-time value, which when printed displays in the format yyyy-mm-dd hh:mm:ss (e.g., 2005-
07-17 15:40:25). When creating or editing a query, most attributes with a timestamp data type display with a clock icon in the Entity List panel.
A Timestamp (uppercase T) is an attribute defined in many entity types. It usually contains the time that the entity was last updated.
Including a Timestamp attribute value in a query will produce a row for every value of the Timestamp. This may produce an excessive amount of output. To get around this,
use the count aggregator when including the Timestamp in a query, and then drill down on a report row, to view the individual Timestamp values for the items included in

that row only, in a drill-down report. See Aggregate Fields in Queries.
When displaying a Timestamp value in a query that contains Timestamp attributes in multiple entities, be careful to select the Timestamp attribute from the appropriate
entity type for the report. For example, if the query will display information from both the Client/Server and the Session entities, with the Session selected as the main
entity, you can display a Timestamp attribute from one or both entities. If you include the Client/Server Timestamp, you will see the same value printed for every Session
for a given client-server connection â€“ it will always be the time at which that particular Client/Server was last updated. If you include the Timestamp attribute from the
Session, you will see the time that each Session listed was last updated.
Tip: If your report displays times that are all the same when you expect them to be different, you have probably included a Timestamp attribute from an entity too high in
the entity hierarchy for the level of detail you want on the report.
Select an Exact Date from Calendar

To use the Calendar Window to select an exact date:
1. Click the Calendar button for the field where you want to insert a date. This opens a calendar in a separate window.
Click the arrow buttons to display the previous or next month in the calendar window.
2. Click on any date to select that day. The calendar window will close and the selected date will be inserted into the date field next to the calendar tool that was
clicked.
Note: The default time for a date selected using the calendar is always 00:00:00 (the start of the day). To specify any other time of day, type over this value, entering
the desired time in 24-hour format: hh:mm:ss, where hh is the hour of the day (0-23), and mm and ss are minutes and seconds respectively (both 0-59).
Enter an Exact Date Manually

1. Click the field where you want to enter the date and enter the date in yyyy-mm-dd format, where:
yyyy is optional and may be any positive integer value. If omitted, yyyy defaults to the current year. If a one- or two-digit year is entered, the century portion
of the date defaults to 19.
mm is the month (1-12)
dd is the day of the month (1 to 28, 29, 30, or 31, depending on the month)
2. If no time is entered, the time defaults to 00:00:00 (the start of the day). To specify any other time of day, type over this value, entering the desired time in 24-hour
format: hh:mm:ss, where hh is the hour of the day (0-23), and mm and ss are minutes and seconds respectively (both 0-59).
Select a Relative Date from Date Picker

Rather than specify an exact date, it is often more convenient to specify dates relative to either the current date (now) or some other date (the first Monday, for example).
For example, to always include information from the previous seven days in a query, itâ€™s more convenient to define relative dates (e.g., start = now minus seven days
and end = now). The Relative Date Picker tool can be used to select a relative date for many types of tasks.
1. Click the Relative Date Picker button next to any field where a relative date is allowed. This opens the Relative Date Picker window.
2. Select Now, Start, or End from the list. Regardless of your choice, the display changes to provide for additional selections.
3. From the middle list, select this, last, or previous, which is relative to the unit (day, week, month, or day of the week selected in the next list) as follows:
This is the current unit
Last is the current unit minus one
Previous is current unit minus two
4. Select the day, week, month, or a specific day: Monday-Friday.
5. Click the Accept button when you are done. The relative date will be inserted into the field next to the Relative Date Picker button that was clicked.
6.
Enter a Relative Date Manually

To enter a relative date manually, follow one of the procedures. The keywords are not case sensitive but each component must be separated from the next by one or more
spaces.
There are three general formats you can use to enter a relative date:
NOW minus a specified number of minutes, hours, days, weeks, or months
OR
The Start or End of the current, last or previous day, week, or month
OR
The Past or Previous day of the week (Sunday, Monday, Tuesday, etc.)
Relative to NOW
1. Click in the field where you want to enter the relative date.
2. Enter the keyword NOW.
3. Enter a negative integer specifying the relative number of hours, days, weeks, or months (no space is allowed between the minus sign and the integer). Â
4. Enter a keyword for the units used: HOUR, DAY, WEEK, or MONTH. Be aware that the plural (hours, days, etc.) is not allowed. Example: now -14 day
Relative to a Day, Week or Month

2. Enter the keywords START OF or END OF.
3. Enter THIS or LAST, followed by DAY, WEEK, or MONTH. Example: end of last week
Relative to a Day of the Week


2. Enter the keywords START OF or END OF.
3. Enter LAST or PREVIOUS, followed by SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, or SATURDAY. Example: start of previous Tuesday
Time Periods
Use the Time Period Builder to create time periods that can be used for policy rules and query conditions.
When monitoring database activity, use time periods to specify when you want to monitor. Use the Time Period Builder to create new time periods or modify existing ones.
Add a Time Period

1. Navigate to the Time Period Builder by clicking Setup > Tools and Views > Time Period Builder.
2. Expand the Add Time Period pane by clicking the + button.
3. Fill in the information and click Add to add the time period.
Do not include apostrophe characters in the Time Period Description.
Check the Contiguous check box to define a single time period that may span multiple days. A workweek is defined as contiguous, whereas a workday is
defined as non-contiguous.
Remove a Time Period

1. Navigate to the Time Period Builder by clicking Setup > Tools and Views > Time Period Builder.
2. Check the check box for the time period you want to remove, and click Delete.
Time Periods
Policy rules and query conditions can test for events that occur (or not) during user-defined time periods.
There is a set of pre-defined time periods (7x24, After Hours Work, Before Hours Work, Evening, Regular Work Day, Saturday, Sunday, and Week End), and users can
define their own.
Add a Time Period

1. Navigate to the Time Period panel:
Setup> Tools and Views > Time Period builder
2. Expand the Add Time Period pane by clicking the + button.
3. Enter a unique description for the period in the Time Period Description box. Do not include apostrophe characters in the description.
4. Optionally mark the Contiguous box to define a single time period that may span multiple days. Leave this box cleared to define a fixed time period on one or more
days.
Example: Contiguous vs. Non-Contiguous Time Periods
The following two time periods both begin 09:00 Monday and end 17:00 Friday:
Workweek is defined Contiguous.
Workday is defined Non-Contiguous.
The first time period, Workweek, defines a single 164-hour period beginning at 9 AM on Monday and ending at 5 PM on Friday, whereas the second time period,
Workday, defines five separate eight-hour time periods (9 AM â€“ 5 PM), on five consecutive days (Monday â€“ Friday)
5. Enter a beginning time in hours (00-24) and minutes (00-59) in the Hour From box.
6. Enter an ending time in hours (00-24) and minutes (00-59) in the Hour To box.
7. Select a beginning day of the week in the Weekday From box.
8. Select an ending day of the week in the Weekday To box.
9. Optionally click the Comments button to add comments (see Commenting).
10. Click the Add button.
Remove a Time Period

1. Navigate to the Time Period panel:
Setup> Tools and Views > Time Period builder
2. Mark the Select checkbox for the time period you want to remove.
3. Click the Delete button. You will be prompted to confirm the deletion. Note that you cannot delete a time period that is used by an existing policy rule.
Comments
Comments apply to definitions and to workflow process results.
Comments can be added or viewed in several places throughout the UI. You can add a comment to a group or alias for reference purposes, or add a comment to report to
ease auditing requirements. For example, an auditor may want to know why a configuration change was made on a certain date. Use a comment to easily reference the
reason why the change was made.
Comments apply to definitions (groups, aliases, reports, policies), and to workflow process results. You can add multiple comments to a component, and you can add
comments to comments, but you cannot modify or delete existing comments.
There are two different kinds of comments:

Comments Entities are stored on the Central Manager, and will be available within that Central management environment, given the usual constraints regarding
roles and permissions.
Local Comments Entities are defined on a single unit, and remain local to that unit. Local Comments from the standalone or managed unit are not stored on the
Central Manager.
Add or View Comments

1. To view comments, open the User Comments window by clicking Comply > Reports > User Comments.
2. Throughout the UI, there are different ways to add a comment to an entity or report.
Add a comment to a group by modifying the group, and clicking Add Comments from the Manage Members for Selected Group screen.
Add a comment to an alias by opening the Alias Builder and clicking the Item comments icon . Open the Alias Builder by clicking Setup > Tools and Views
> Alias Builder
Report Comments
View a report of all user comments by clicking Comply > Reports > User Comments.
The Local Comments entity is used in a Central Manager environment only. Local comments remain local to the system on which they were defined, and are not
stored on the Central Manager.
The Comments entity contains comments that are stored on the Central Manager.
How to install patches

Install a single patch or multiple patches as a background process.
About this task

Use this topic to provide visibility and control over patch installation, status and history.
See Central Management for more information.
This how-to topic uses a combination of commands from the CLI and choices from the GUI to help you install the latest Guardium patch. The Guardium system must be
rebooted after installing a patch.
Important: Patches downloaded in ZIP format must be unzipped outside the Guardium system before uploading and installing. Observe the following restrictions for any
patch with database structure changes:
Perform or schedule the patch installation during quiet time on the Guardium system to avoid conflicts with long-running processes such as heavy reports, audit
processes, backups, and imports.
The exact time required for patch installation depends on database utilization, data distribution, and other considerations.
Install patches in a top-down manner, first patching a central manager before patching aggregators and finally collectors.
In the procedure below, you will follow these steps from the Guardium system that is designated and configured as the Central Manager:
1. Backup the system profile, using the CLI command store backup profile.
2. Enter the CLI command store system patch install to install a single patch or multiple patches to the Central Manager from a network location.
3. Click Setup > Tools and Views > Patch Distribution to move patches from the CM to managed units.
Procedure
Backup the system profile
1. Using a SSH client, log into the IBM Security Guardium Central Manager as the CLI user.
2. Enter the following command: store backup profile
3. The following dialog will appear:
Do you want to setup for automatic recovery? (Y/n)

Enter the patch backup destination host:
Enter the patch backup destination directory:
Enter the patch backup destination user:
Enter the patch backup destination port if you have a special port for SCP operation, or press ENTER to use the default port:
Enter the patch backup destination password:
4. Use the following CLI command if the patch installation failed, patch revert failed, and the automatic restore failed or disabled. The following command gets the
pre-patch backup file and restore it on the system. If the pre-patch backup file is currently located on the system, enter the file name. Otherwise, the pre-patch
backup profile information is used to get the file.
CLI>show backup profile patch backup flag is 1 patch backup automatic recovery flag is 1 patch backup dest host is
patch backup dest dir is patch backup dest user is patch backup dest port is patch backup dest pass is CLI>restore pre-patch
backup
Install the patch(es) to the Central Manager
Note: A compressed patch file may contain multiple patches, but only one patch can be installed at a time. To install more than one patch, choose all the patches that
need to be installed, separated by commas. Internally the CLI submits requests for each patch on the list (in the order specified by the user) with the first patch taking the
request time provided by the user and each subsequent patch three minutes after the previous one. In addition, CLI will check to see if the specified patch(es) are already
requested and will not allow duplicate requests.
5. Enter the following command:
store system patch install <type> <date> <time>

where <type> is sys, ftp, scp, or cd and <date> and <time> are the patch installation request date and time formatted as YYYY-mm-dd and hh:mm:ss. If date
and time are not entered or if "now" is entered, the installation request time is NOW.
Table 1. Patch install type descriptions and parameters

Name Description
sys The sys option is for use when installing a second or subsequent patch from a compressed file that has been copied to the Guardium system by
using this command previously. Use this option to apply a second or subsequent patch from a patch file that has been copied to the IBMÂ®
GuardiumÂ® system by a previous store system patch execution.
Install from /var/log/guard/patches

ftp or scp The ftp and scp options copy a compressed patch file from a network location to the Guardium system. To install a patch from a compressed patch
file located somewhere on the network, use the ftp or scp option, and respond to the prompts as shown below.
Important: Patches downloaded in ZIP format must be unzipped outside the Guardium system before uploading and installing. Observe the
following restrictions for any patch with database structure changes:
Perform or schedule the patch installation during quiet time on the Guardium system to avoid conflicts with long-running processes such as
heavy reports, audit processes, backups, and imports.
Please enter the following information for file transfer:

Host to import patch from:
User on (host name):
Full path to the patch, including name (file name may use wildcard *):
(LDAP password)Password:
Enter the scp/ftp port if you need to use a special port, else just press Enter key to continue:
The file transfer process can take a while to complete.
Leave the terminal open and do not answer any questions until the transfer is complete.
Starting transfer, please wait.
The file transfer is complete.
The backup profile is not set for saving the backup file when patch installation failed.
If you want to save the backup file, please answer NO to the question and run CLI command store backup profile to
set up the parameters.
Do you want to continue (yes or no)? yes
List the files in the patches directory:
1. (name of file)
Please choose patches to install (1-1, or multiple numbers separated by ",", or q to quit): 1
Install item 1
Patch has been submitted, and will be installed according to the request time, please check installed patches
report or CLI (show system patch installed).
Please don't forget to remove your media if necessary.
cd The cd option is for use in installing the patch from a DVD disk. To display a complete list of applied patches, see the Installed Patches report on the
Guardium Monitor tab of the administrator portal. There is also an Available Patches report on this same Guardium Monitor tab. To install a patch
from a DVD, insert the DVD into the IBM Guardium DVD ROM drive before executing this command. A list of patches contained on the DVD will be
displayed.
To delete a patch install request, use the CLI command delete scheduled-patch
Patches remain after installation only on the Central Manager. Standalone or managed unit patch files ARE deleted after installation.
To display the available patches: show system patch available
To display the already installed patches and patches scheduled to be installedâ€”showing date/time and the install status: show system patch
installed
Use the fileserver command to start an HTTPS-based file server running on the Guardium appliance. This facility is intended to ease the task of uploading
patches to the unit, or downloading debugging information from the unit. Each time this facility starts, it deletes any files in the directory to which it uploads
patches.
Note: Any operation that generates a file, that the fileserver will access, should finish before the fileserver is started (so that the file is available for the
fileserver).
a. To start the file, enter the fileserver command: fileserver
b. Starting the file server. You can find it at https://(name of unit)
c. Press ENTER to stop the file server.
d. Open the fileserver in a browser window, and to one of the following:
To upload a patch, click Upload a patch and follow the directions.
To download log data, click Sqlguard logs, go to the file you want, right-click on it, and download as you would any other file.
e. When you are done, return to the CLI session and press Enter to terminate the session.
Use the UI to move the patch(es) from Central Manager to managed units
6. Click Setup > Tools and Views > Patch Distribution.
The Patch Distribution button will open a new screen, display an available patch list with dependencies, and allow for the selecting of a patch and installing it to all
selected units. The list of available patches is constructed out of the available patches and evaluating the currently installed patches on each of the selected units
along with the dependency list of available patches. Patches available but not installable (a dependent patch is missing) are shown in the list as grayed out and
cannot be selected. The selection of patch to install is a single selection - only one patch can be installed at a time. Once a patch is selected and the install button
pushed a command is sent to all selected units to install that patch; this process of installing patches will happen in the background.
7. Navigate to Central Management > Central Management > Patch Distribution.

8. Click on Patch Installation Status. The Patch Installation Status screen will display for each unit, failed installations and discrepancies - situations such as having
one patch being installed on part of the units only, regardless if it failed on other units or was not installed.
Results
The patched systems are now ready to be used; however, remember that the Guardium system must be rebooted after installing a patch.

How to download and install a Guardium patch (video)

Support Maintenance
The Support Maintenance feature is password protected and can be used only as directed by Technical Support. Contact Technical Support if you require more
information.
Product integration
You can integrate IBM Guardium with other products.
Configure BIG-IP Application Security Manager (ASM) to communicate with Guardium system
Use the Big-IP ASM (from F5 Networks) together with Guardiumâ€™s real-time database activity monitoring to solve the problem of identity propagation between
web application and database application server layers.
Hadoop Integration
This topic introduces fundamental concepts and processes for monitoring Hadoop data with Guardium.
PIM Integration with Guardium DAM
Privileged Information Management (PIM) helps organizations to automate and track the use of shared privileged identities and monitor the usage of these shared
privileged identities.
QRadar and Guardium integration
QRadar and Guardium can work together in a two-way information flow to have the Guardium data protection policies updated automatically and nearly in real-time
in response to security intelligence events from QRadar.
OPTIM to Guardium Interface
An OPTIM to Guardium interface, using Protobuf (Universal Feed Agent), sends Optim activity logs to Guardium.
Combining real-time alerts and correlation analysis with SIEM products
Distribute contextual knowledge of database activity patterns, structures, and protocols directly to the third-party database of the SIEM system.
How to transfer sensitive data to InfoSphere Discovery
Take sensitive data information, identified and classified in IBM Security Guardium and transfer that information to InfoSphereÂ® Discovery.
CEF Mapping
The CEF standard from ArcSight defines a set of required fields, and a set of optional fields.
LEEF Mapping
Log Event Extended Format (LEEF) from QRadar
Configure BIG-IP Application Security Manager (ASM) to communicate with Guardium system
Use the Big-IP ASM (from F5 Networks) together with Guardiumâ€™s real-time database activity monitoring to solve the problem of identity propagation between web
application and database application server layers.
This solution uses Googleâ€™s protocol buffers (.protobuf) as the wire format between BIG-IP ASM and the GuardiumÂ® system.
Information about configuring the integration between Big-IP ASM and Guardium real-time database activity monitoring is provided at the F5 website:
http://www.f5.com/pdf/deployment-guides/ibm-guardium-asm-dg.pdf.
Parent topic: Product integration
Hadoop Integration
This topic introduces fundamental concepts and processes for monitoring Hadoop data with Guardium.
Capacity planning
The following sizing guidelines assume an average volume of audited traffic. Higher volumes of audited traffic may require additional resources.
10 management or server nodes per collector

20 or more data nodes per collector, where S-TAPs are required for the data nodes (S-TAPs are not required for all components)
Possibly additional nodes per collector if physical appliances are used
It is also possible to size by the Processor Value Unit (PVU) of the nodes, but this may result in over-sizing if auditing low volumes of traffic. The capacity sizing guideline is
4000 PVU per collector.
Integration scenarios
If you are using SSL encryption with Cloudera, see Hadoop integration using Cloudera Navigator.
If you are using SSL encryption with a Hortonworks Hadoop cluster, see Hadoop integration using Hortonworks and Apache Ranger.
Note: Redaction of returned data using Hive is not supported. If you require data redaction with Hive, see Hadoop integration using a standard Guardium S-TAP.
If you do not require SSL encryption for your Hadoop cluster, see Hadoop integration using a standard Guardium S-TAP.
Hadoop integration using a standard Guardium S-TAP

Learn how to integrate Hadoop using a standard Guardium S-TAP for HDFS and MapReduce monitoring.
Hadoop integration using Cloudera Navigator
Learn how to integrate Haddop using Cloudera Navigator, Cloudera's native data governance solution.
Hadoop integration using Hortonworks and Apache Ranger
Apache Ranger, included with the Hortonworks Data Platform, offers fine-grained access control and auditing over Hadoop components such as Hive, HBASE, and
HDFS by using policies.


S-TAP configuration parameters for Hadoop
Hadoop integration using a standard Guardium S-TAP

Learn how to integrate Hadoop using a standard Guardium S-TAP for HDFS and MapReduce monitoring.
Hadoop deployments include two fundamental components:
Hadoop Distributed File System (HDFS), which is stores data

MapReduce or MapReduce 2), which provides a framework for accessing and analyzing data
Capturing activity on these two components covers basic auditing requirements because all data except management console traffic goes through HDFS.
Be aware that HDFS activity is not auditor-friendly, as it is somewhat like monitoring file access in a relational database. Consider monitoring activity from other
components used in your environment, such as Hive, Big SQL, or Impala. These components support monitoring that more closely resembles database accesses.
Redaction and blocking policies

Guardium supports redaction using extrusion rules and blocking using S-GATE Terminate for Hive and Impala. Blocking for BigSQL was supported in V9.x when the S-TAP
is used.
For detailed instructions on using redaction and blocking policies with Hadoop, see the IBM Security Guardium Deployment Guide for Hadoop Systems.
Kerberos
Guardium supports the use of Kerberos secure clusters with some restrictions. In order to decrypt Kerberos user IDs, Guardium requires that keytab files be generated
and placed in a specific location. Detailed instructions are available in the IBM Security Guardium Deployment Guide for Hadoop Systems.
Attention: Kerberos configuration may be required only if you are using HBase or Hive.
Recommendations and limitations

Several recommendations and recommendations should guide your Guardium and Hadoop integration.
S-TAPs and inspection engines with Hadoop
Deploy Guardium S-TAPs and configure inspection engines for use with Hadoop.
Guardium policies and rules with Hadoop
Begin creating Guardium policies and rules for monitoring Hadoop activity.
Guardium reporting with Hadoop
Use built-in Guardium reports for Hadoop or define custom reports using Hadoop objects and commands.
Parent topic: Hadoop Integration
Recommendations and limitations

Several recommendations and recommendations should guide your Guardium and Hadoop integration.
Deployment recommendations
To avoid flooding the collector and to make problem diagnosis simpler, consider the followin tactics to reduce the amount and types of traffic processed by the Guardium
collector:
To limit data that must flow across the network to the appliance, restrict the number of inspection engines you configure.
To limit the amount of data that is logged on the collector, put conditions on the policy.
One strategy might be to configure and test with Hive command line queries before adding additional inspection engines and opening the policy to additional, higher-
volume traffic such as HDFS.
For each new inspection engine that is configured, you must restart S-TAP.
Remember to monitor the Guardium system as more services generate traffic. The Guardium deployment redbook includes details on how to monitor the system and
make sure the traffic is not excessive for the collector.
Limitations
The following restrictions apply when monitoring Hadoop with a standard Guardium S-TAP:
SSL encryption is not supported unless using Hortonworks with Ranger or Cloudera with Cloudera Manager. Ranger and Cloudera Manager integration is covered in
a separate section of this information.
UID chaining is not supported.
Blocking and redaction is only supported for Big SQL, Hive, and Impala.
Configuration audit system and sensitive data discovery are not supported at this time.
Guardium currently does not support administration command auditing, for example starting and stopping services.
Guardium load balancing and failover options are not supported when using Kerberos, however F5 or other load balancing in which a virtual IP address is used may
be an option.
Considerations for IBM InfoSphere BigInsights and Big SQL

Unlike most other Hadoop distributions, the following restrictions apply to Hadoop on GPFS and Big SQL.
Hadoop on PGFS (IBM Spectrum Scale)

The GPFS deployment of BigInsights requires HDFS Transparency Connector.
Big SQL

An S-TAP must be installed on all nodes in which a Big SQL engine is installed. The support for Big SQL is comprehensive and is similar to what Guardium already
supports for DB2.
If Kerberos or GPFS is used, you must configure a special communications exit on each Big SQL node. Guardium provides a dynamically loaded shared library that
interacts with Big SQL, and Big SQL will invoke functions within that library at run time when it performs SQL and utility requests.
Restriction: Only monitoring and auditing are supported using the exit methodology with Big SQL: redaction and blocking are advanced features that are only
supported using an S-TAP.
Parent topic: Hadoop integration using a standard Guardium S-TAP
S-TAPs and inspection engines with Hadoop

Deploy Guardium S-TAPs and configure inspection engines for use with Hadoop.
Deploying S-TAPs and GIM clients

Only S-TAP and GIM clients are needed since Guardium does not yet support CAS and database discovery for Hadoop. As with any S-TAP deployment, be sure to
download the correct S-TAP for your operating system and kernel level.
Attention: An S-TAP is recommended for edge nodes, particularly if you are using them as a landing zone for data.
Configuring inspection engines

After S-TAPs are deployed, the appropriate inspection engines must be defined from the Guardium appliance. Inspection engines specify the traffic that is monitored from
a particular S-TAP host. For example, on a particular S-TAP host, an inspection engine might indicate that Guardium should monitor traffic from ports 8032 and 60000.
Inspection engines also specify the protocol to monitor, such as Hadoop or HTTP.
Before configuring inspection engines, work with the Hadoop administrator to gather the following information for each Hadoop node to be monitored:
Hadoop node and service to be monitored

port numbers for the services
server IP addess (i.e. S-TAP host IP address)
Determine the inspection engine protocol based on the Hadoop node type and service as indicated in the following table.
Table 1. Inspection engine protocols for Hadoop nodes and services.
Hadoop node Hadoop service Inspection engine protocol
Namenode HDFS node name Hadoop
Namenode HTTP port for WebHDFS WEBHDFS
Namenode Resource manager for YARN Hadoop
Job tracker MapReduce job tracker Hadoop

Note: This node is required only for MapReduce1.
HBase master HBase master Hadoop
HBase region HBase region Hadoop
hiveserver2 Thrift protocol messages HIVE
Hive metastore Thrift protocol messages, used for getting Impala and HADOOP
Hive database user from Hue.
Note: Requires using a computed attribute.
Impala daemons Impala IMPALA
Impala Impala from Hue HIVE

Note: Impala from Hue uses hiveserver2.
Management node BigSQL server DB2
Compute node BiGSQL server DB2
Hue node Hue user interface with Oracle, MySQL, or PGSQL HUE
backend
Solr search node Solr search HTTP

For example, an HDFS name node might use port 8020, the Hadoop protocol, and have a host address of 10.0.0.21.
Given this information, you can configuring an inspection engine by navigating to Manage > Activity > Monitoring > S-TAP Control in the Guardium user interface, or by
using Guardium API commands. An example Guardium API command might looks like the following:
grdapi create_stap_inspection_engine client=0.0.0.0/0.0.0.0 protocol=HADOOP

ktapDbPort=8020 portMax=8020 portMin=8020 connectToIp=127.0.0.0 stapHost=10.0.0.21
Restrictions:
Hive CLI is deprecated in Hadoop distributions and is not supported by Guardium.

Impala requires configuring inspection engines for all nodes running an Impala daemon.
HBase requires S-TAPs on all data nodes including the master node.
If you are using Big SQL with Kerberos or GPFS, you must configure the S-TAP with the DB2_Exit, which is a safe and efficient way to capture Big SQL/DB2
encrypted traffic and/or GPFS. However, blocking and redaction are not supported in this scenario. Additional information about Big SQL support is available on IBM
developerWorks for Guardium.
Additional examples and more detailed instructions are available in the IBM Security Guardium Deployment Guide for Hadoop Systems.

Guardium policies and rules with Hadoop
Begin creating Guardium policies and rules for monitoring Hadoop activity.
For monitoring purposes, it is useful to think in terms of the user, the data object being monitored, and what actions or commands are being executed. In Guardium
terminology, these are the DB User, the object, and the verb or command, respectively. These entities can be used in policy rules to trigger particular actions, such as real
time alerts.
Guardium policy rule actions allow you to filter traffic for performance in addition to logging or alerting on policy violations. For Hadoop traffic, you cannot use session-
level filtering actions such as ignore S-TAP session. This is because Hadoop does not do session-management in the same way as relational databases where you log into
the database--which establishes a session--and then generate SQL traffic within that session before logging out. With Hadoop, each command is its own session and can
spawn many more sessions as work is distributed throughout the cluster.
Guardium cannot usually catch failed logins for command line components, although Guardium can see failed logins from Hue and through IBM BigSQL.
You will get permission exceptions on the file system level, so you report on those using the exceptions domain.
Begin creating policies from the built-in Hadoop policy to ensure traffic is being captured. Itâ€™s recommended that you test the default policy in a low traffic test
environment, and you may even add one more access rules to restrict traffic to a single server type--such as Hive--to reduce the amount of noise you see. Once you are
comfortable that traffic is flowing to the collector, you can clone the default policy and create one that aligns with your security and compliance requirements.
For detailed instructions and an example of policies for a production Hadoop environment, see the IBM Security Guardium Deployment Guide for Hadoop Systems.
Guardium reporting with Hadoop

Use built-in Guardium reports for Hadoop or define custom reports using Hadoop objects and commands.
Guardium includes several built-in reports for Hadoop. To see the list of available reports, navigate to My Dashboards > Create a new dashboard and click Add Report. In
the Add a Report window, type hadoop into the search field to see a list of available Hadoop reports.
Some of the built-in reports provide component-based reporting, which are useful when validating your configuration and that you are sucesfully catching traffic from the
component. Other reports are more focused on security and compliance, such as Hadoop - Permissions report, Hadoop - Privileged users accessing sensitive objects,
Hadoop - Exception report, and Hadoop - User login.
This section includes lists of objects and commands or verbs used with Hadoop. You can cut and paste the commands into a group in Guardium using the Group Builder
tool. You will also need to create groups of users and objects based on your own environment.
Hadoop objects
HDFS files/directories
MapReduce 2 job name
Prior to MapReduce 2, the MapReduce job name was not logged as a separate object, but you could obtain it by using the built in MapReduce report and its
computed attributes to get the job name from the full message.
IBM Big SQL, Impala, Hive, HBase table and view names
HDFS commands
Read commands for HDFS:
getFileInfo
getBlockLocations
getFileLocation
getListing
Write commands for HDFS:
addBlock
complete
create
delete
mkdirs
rename
HBase commands
Read commands for HBase:
list
scan
Write commands for HBase:
createTable
disableTable
deleteTable
multi

Typically, this is an insert/update command. With the Ranger integration deployment option, this is a put command.
drop
Big SQL, Hive, and Impala objects and commands

The Big SQL, Hive, and Impala query languages are like SQL and support the normal parsing and logging rules used with most other relational databases in
Guardium. Many of these commands are already included in Guardium command groups, such as ALTER commands, CREATE commands, and administrative
commands. The extent of SQL syntax support varies greatly among these distributions, with Big SQL having the most extensive support.
Hadoop integration using Cloudera Navigator

Learn how to integrate Haddop using Cloudera Navigator, Cloudera's native data governance solution.
Guardium supports auditing for Cloudera Hadoop using a standard S-TAP. For more information, see Hadoop integration using a standard Guardium S-TAP.
Guardium also provides the capability to subscribe to audit events when Cloudera Navigator is configured with Kafka as an alternative logging destination. Audited activity
is sent to a Kafka cluster where the Guardium S-TAP consumes the events and sends them to the Guardium collector appliance for parsing and logging. nce the data is in
Guardium, it is highly protected and all normal Guardium functions can be used such as real time alerting and integration with SIEM, reporting and workflow, and
analytics.
Compared to integration using a standard Guardium S-TAP, Cloudera Navigator integration supports SSL encryption for clients that access Hadoop data. When using
Cloudera Navigator integration, data is decrypted before the Guardium appliance receives it.
Restriction: Guardium-based blocking is not supported for any Hadoop components when using Cloudera Navigator integration.
Prerequisites
Guardium integration with Cloudera Navigator requires the following minimum software release levels:
IBM Security Guardium and S-TAP at V10.1.2 or later

CDH 5.7, Cloudera Manager 5.8, and the version of Kafka included with those releases
Architecture and data flow

Rather than having an S-TAP reside on the Hadoop servers, the Cloudera Manager agent sends audit events from the Hadoop component logs to the Cloudera Navigator
audit server. At that point, Cloudera Navigator writes the audit events to its audit database. To integrate with Guardium, establish Kafka as an additional logger: Guardium
will gather event records from Kafka.
Configuration is quite flexible in that you can install the S-TAP on a node in the Hadoop cluster or on a separate server outside of the Hadoop cluster as long as that server
has network connectivity to the Kafka cluster and the Guardium appliance. You can only specify one S-TAP per Kafka cluster, but that S-TAP can send traffic to multiple
Guardium systems using standard high availability or load balancing techniques.
In this configuration, Cloudera Navigator produces the log events for each Hadoop component, and the S-TAP consumes those events. Using the Guardium user interface,
you will be specifying the message topic identifier that Cloudera Navigator uses so that the Guardium S-TAP knows which events it is supposed to pick up.
Recommendation: Use a secure Kafka cluster to ensure that your audit events are secure.
Planning the integration with Cloudera Navigator

Complete and verify the tasks in this topic before configuring the integration.

Planning the integration with Cloudera Navigator

Integrating with Cloudera Navigator requires gathering some information from the administrators responsible for Cloudera and Kafka as well as from the data security
team responsible for Guardium. Gather the following information before you begin:
Host and ports for the Kafka bootstrap servers

Whether TLS and Kerberos are used in the Kafka cluster.
The host and port for the server where the S-TAP is installed. Verify that there is network connectivity between this server and both the Kafka cluster and the
Guardium system.
The operating system and version used on the S-TAP host so you can download and install the correct S-TAP.
The host for the Guardium system. This is required for installing and configuring the S-TAP.
1. Configure the solution for monitoring

This section describes how to configure the solution for monitoring.
2. Configure Guardium and Cloudera Navigator communication
Learn how to establish communication between the Guardium system and Cloudera Navigator using a Kafka cluster.
Parent topic: Hadoop integration using Cloudera Navigator
Configure the solution for monitoring


Procedure
1. Configure the Cloudera Navigator auditing component.
For more information, see the Cloudera documentation and IBM Security Guardium Activity Monitoring for Cloudera Hadoop Using Navigator Integration.
2. Ensure that TLS/SSL is configured correctly for Kafka.
The Kafka cluster you use for producing Cloudera audit events must not be configured to require SSL client authentication. For more information, see IBM Security
Guardium Activity Monitoring for Cloudera Hadoop Using Navigator Integration.
3. Install the Guardium S-TAP on a server.
Use any available method to install the S-TAP on the designated server inside or outside of the Hadoop cluster. In Guardium, navigate to Manage > System View >
S-TAP Status Monitor to verify connectivity between the S-TAP and the Guardium system.
For a reference of Hadoop related S-TAP configuration parameters, see S-TAP configuration parameters for Hadoop.
4. Configure publication of Cloudera Navigator audit events to Kafka.
The Navigator administrator or full administrator must do this task from Cloudera Manager. For more information, see IBM Security Guardium Activity Monitoring for
Cloudera Hadoop Using Navigator Integration.
5. Configure Guardium and Cloudera Navigator communication

6. Validate the configuration.
After configuring the solution, return to Manage > System View > S-TAP Status Monitor and verify that the S-TAP status is still green. Inspection engine verification
is not supported for Hadoop sources and will always indicate an Unverified status.
7. Install Guardium and Cloudera Navigator policies.
For monitoring and auditing, there is virtually no difference in policy rules when using the Cloudera Navigator integration than when using the normal S-TAP
monitoring for Hadoop. To begin, install a Guardium policy or use the default policy, run HDFS or Hive commands on the Cloudera cluster, and verify that you can
see the traffic in a Guardium report. For more information, see IBM Security Guardium Activity Monitoring for Cloudera Hadoop Using Navigator Integration.
Parent topic: Planning the integration with Cloudera Navigator

Next topic: Configure Guardium and Cloudera Navigator communication
Configure Guardium and Cloudera Navigator communication

Learn how to establish communication between the Guardium system and Cloudera Navigator using a Kafka cluster.
About this task

Go to Setup > Tool and Views > Hadoop Monitoring then select the plus icon inthe Add cluster information tile,
Procedure
1. Navigate to Setup > Tool and Views > Hadoop Monitoring and click the plus icon in the Add cluster information tile.
2. Use the S-TAP host name menu to select an S-TAP that is connected to the Guardium system.
3. Provide a Topic name for the Kafka cluster.
Unless this was changed in the Kafka cluster configuration settings, use NavigatorAuditEvents (default value).
4. Use the Bootstrap servers section to specify one or more Kafka nodes to take the initial connection from the Guardium S-TAP.
Any nodes that are leaders of a partition for the topic will handle consumer requests. For the initial connections, it's best to specify more than one server to provide
a failover in case one of the bootstrap servers is down.
5. If your Kafka cluster is configured with TLS, check the Enable TLS check box.
Restriction: Guardium does not support Kafka clusters configured to require SSL client authentication.
6. If the Kafka cluster requires Kerberos authentication, check the Use Kerberos check box.
a. Use the Principal filed to provide the Kerberos principal name for the S-TAP.
For example, guardium/FullyQualifiedDomainName@kerberosDomain.
b. In the Path to keytab file field, provide the full path to the Kerberos keytab file on the S-TAP server.
For example, /etc/krb.keytab. Make sure the keytab is owned by the S-TAP user and group and is only readable by the user.
7. Click Save.
The resulting tile will show that you have configured Hadoop monitoring and the S-TAP staus should be green.
Parent topic: Planning the integration with Cloudera Navigator

Previous topic: Configure the solution for monitoring
Hadoop integration using Hortonworks and Apache Ranger

Apache Ranger, included with the Hortonworks Data Platform, offers fine-grained access control and auditing over Hadoop components such as Hive, HBASE, and HDFS by
using policies.
The audit data is written to both HDFS and to Solr (recommended). Guardium can integrate with Ranger in two ways:

For auditing, Guardium acts as another logger source for Ranger Auditing. Audited activity is sent to the Guardium collector where it is parsed and logged. Once the
data is in Guardium, it is highly protected in the hardened appliance, and all normal Guardium functions can be used such as real time alerting and integration with
SIEM, reporting and workflow, and analytics.
For blocking, Guardium extends Ranger access control policies, using what is known in Ranger as dynamic policies.
Unlike Hadoop integrations that rely on a standard Guardium S-TAP for monitoring and blocking, integration with Ranger supports SSL encryption between clients and
Hadoop data. With Ranger integration, the data is decrypted before it is sent to the Guardium system for auditing. In addition to SSL support, Ranger integration using
dynamic policies enables blocking support for more components than is supported using standard S-TAP.
Although you can use both inspection engines and Ranger integration in the same cluster, it is unlikely that you would use both approaches simultaneously. See Hadoop
Integration for more information about selecting an integration path.
Prerequisites
Integration with Ranger requires the following:
IBM Security Guardium 10.1 (S-TAP and Appliance)

Hortonworks 2.3 or later with Ranger
Architecture and data flow

The important difference with this architecture is that the S-TAP is not collecting audit data directly from the Hadoop component; rather, it is the Ranger plugins that are
writing the audit messages to log4j, which forwards them to S-TAP, which then sends the messages to the Guardium collector for logging, alerting, reporting, and
analytics.
You must configure the S-TAP, by specifying log4j_reader_enabled=1, to turn on the Ranger integration.
The configuration is quite flexible in that you can install S-TAPs on more nodes. You can configure Ranger to send all component traffic to one S-TAP or you could specify,
for example, that all HBase traffic goes to one S-TAP and Hive and HDFS goes to another.
Blocking is implemented by extending Ranger access control policies to honor blocking policy rules that are specified on the Guardium appliance. The actual
implementation of blocking is performed as an access denial from Ranger. For more information about how blocking fits into the architecture and data flow and guidance
for implementing blocking, see IBM Security Monitoring and Blocking for Hortonworks Hadoop Using Apache Ranger Integration.
Planning the integration with Hortonworks and Apache Ranger


Planning the integration with Hortonworks and Apache Ranger

Topology of S-TAPs and collectors

Determine the required topology:
Number of collectors needed

Components monitored by each S-TAPs
Some customers prefer to have one S-TAP for each component. At a minimum, we recommend one S-TAP for HBase and one S-TAP for everything else.
Tip: An S-TAP is not required to sit on the same node as any particular component. It's possible--and even advisable if supporting Hadoop HA--to establish a dedicated
Linux box for an S-TAP.
When configuring the number of connections for an S-TAP, use the following rule of thumb:
HBase: one plus the number of region servers

Everything else: one plus one for each component monitored
Attention:
For blocking, verify access to all HBase region servers, since you will need to copy the Guardium plugin JAR file to each of these region servers.
For configuring high availability failover scenarios, record the failover node IP addresses or host names.
High availability and failover

Hadoop uses secondary nodes for high availability to handle data requests should the primary node fail. There are several options for S-TAP deployment so that you can
continue to collect audit data in a failover scenario.
Install the S-TAP and set it up on a system that is not part of the Hadoop cluster
This provides a simple configuration where, when the components fail over, the new node automatically uses the S-TAP as a remote logger. No changes are needed
to any configurations or S-TAPs.
Use localhost for HDFS and Hive S-TAP and a separate system for HBase
Install an S-TAP for HDFS and Hive using localhost in the S-TAP host field, then use a separate system such as an edge node for HBase. This provides an
alternative to installing S-TAPs on all nodes and region servers and is the recommended approach.
Install the S-TAP on the nodes in the cluster
In this model, you install an S-TAP on the primary and standby node for each component.

Using localhost in the S-TAP host field, install an S-TAP on every node in the cluster and every region server for HBASE. This is approach is not recommended.
Guardium load balancing

Guardium S-TAP and enterprise load balancing options are supported when Ranger integration is enabled.
Gather Ambari and Ranger information

A significant portion of setup is done through Ambari, the Hadoop administrative interface. To complete configuration, you will need the following information:
Ambari
A user ID and password who has privileges to update and save the log4j configuration, such as a Service Administrator account. For simplicity, refer to this as
the admin account and password.
Port and IP address or hostname.
Cluster name.
Ranger
The following information is only needed if configuring blocking. For more information about configuring blocking, see IBM Security Monitoring and Blocking for
Hortonworks Hadoop Using Apache Ranger Integration.
A Service Administrator account that can update and save the log4j configuration.
Port and IP address or hostname.
Open the required ports

Ensure that the following ports are opened (assuming use of default ports):
For monitoring, open port 5555 between the node(s) that S-TAP is on and the Ranger server.
For blocking, open port 5556 to allow communication between S-TAP and all nodes in the cluster that have the Guardium plugin.
Parent topic: Hadoop integration using Hortonworks and Apache Ranger

Before you begin

Before you begin configuring Guardium communication with Ranger, configure the Ranger plugins using Ambari. Refer to the IBM Security Monitoring and Blocking for
Hortonworks Hadoop Using Apache Ranger Integration guide or the Hortonworks documentation for details.
Two Hadoop auditing configuration settings are missing from documentation. Add the following steps to the install manual:
Configure Ranger plugin to write audit logs to log4j
HDFS
In section â€œCustom ranger-hdfs-auditâ€ add:
xasecure.audit.destination.log4j=true
xasecure.audit.destination.log4j.logger=xaaudit
Hive
In section "Advanced ranger-hive-audit.xml" add:
Configuring Ranger using the Python scripts is recommended over configuring Ranger from the GUI.
1. Configure Guardium and Ranger communication

Learn how to establish communication between the Guardium system and Ranger.
2. Install and configure S-TAPs
Install and configure S-TAPs for Ranger integration.
3. Enable monitoring for Hadoop services
Enable monitoring for specific Hadoop components.
What to do next
Once you have completed these setup steps, install Guardium and Ranger policies. For monitoring and auditing, there is virtually no difference in policy rules when using
Ranger than when using standard S-TAP monitoring for Hadoop. For more information, see IBM Security Monitoring and Blocking for Hortonworks Hadoop Using Apache
Ranger Integration.
Parent topic: Hadoop integration using Hortonworks and Apache Ranger
Configure Guardium and Ranger communication

Learn how to establish communication between the Guardium system and Ranger.

About this task
This task describes how to establish communication between the Guardium system and Ranger.
Procedure
1. Navigate to Setup > Tools and Views > Hadoop Monitoring.
2. Click the in the Add cluster information section to begin defining a new configuration.
3. Use the Name field to provide a name for the configuration.
4. Select Hortonworks from the Hadoop distribution menu.
5. In the Host name/IP field, provide the host name or IP address of the Ambari server.
6. In the Port number field, provide the Ambari server port number. If you leave this field blank, the configuration will use the default port of 8080.
7. In the Cluster name field, provide the Hadoop cluster name.
8. In the User name field, provide an Ambari administrator user name.
9. In the Password field, provide a password for the Ambari administrator account.
10. Click the Test Connection button to verify the configuration.
Results
The new configuration will be available from the Hadoop Monitoring page.
Parent topic: Configure the solution for monitoring
Next topic: Install and configure S-TAPs
Install and configure S-TAPs

Install and configure S-TAPs for Ranger integration.
Before you begin

Review Planning the integration with Hortonworks and Apache Ranger for information about S-TAP requirements and deployment options.
Procedure
1. Install S-TAPs and enable them for the Ranger integration. You may need more than one S-TAP to handle the traffic, for example configure one S-TAP on the name
node for HDFS, Hive and Kafka traffic and one S-TAP on the HBASE master node for all HBase traffic.
2. Configure guard_tap.ini for auditing.
a. Open guard_tap.ini in a text editor. You must edit the file directly, as there is no UI or GIM support for these settings.
b. Add the parameters listed below. Update the values to reflect you
; Settings for log4j

logging log4j_reader_enabled=1
log4j_port=5555
log4j_listen_address=0.0.0.0
; Maximum number of connections to support from the log4j service
log4j_num_connections=50
c. Restart the S-TAP after updating any settings.

Previous topic: Configure Guardium and Ranger communication
Next topic: Enable monitoring for Hadoop services
Enable monitoring for Hadoop services

Enable monitoring for specific Hadoop components.
About this task

This task describes how to define which Hadoop components are enabled for monitoring with Guardium.
Procedure
1. Navigate to Setup > Tools and Views > Hadoop Monitoring.
2. To begin configuring services, click the for a Hadoop cluster.

3. Use the Service menu to select the Hadoop component on which to enable monitoring.
4. Use the S-TAP host name / IP menu to select the S-TAP tat should collect audit events from Ranger.
5. In the Port number field, provide the listener port number. If you leave this field blank, the service will use the default port of 5555.
6. Select Activate monitoring immediately to enable monitoring for the selected services.
7. Click the Save button to save the services configuration.
Attention: The Hadoop administrator must restart the Hadoop service to activate the changes made to the services configuration. Before restarting the service, have
the administrator verify the following log4j configuration:
#â€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ
€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œ
â€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€
Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ€Œâ

€Œâ€Œâ€Œ Configuration for Guardium integration with Ranger log4j logging.
log4j.appender.guardlistener=org.apache.log4j.net.SocketAppender
log4j.appender.guardlistener.Port=5555
log4j.appender.guardlistener.RemoteHost=hw-cl5-01.guard.swg.usma.ibm.com
log4j.logger.xaaudit=ALL,guardlistener
Also have the Hadoop administrator verify the following settings in custom ranger-<service>-audit:
Results
From the Hadoop Monitoring page, verify that the enabled services are marked with a green check mark icon.
Previous topic: Install and configure S-TAPs
PIM Integration with Guardium DAM

Privileged Information Management (PIM) helps organizations to automate and track the use of shared privileged identities and monitor the usage of these shared
privileged identities.
The idea is to integrate PIM activity data with Guardium DAM data, in order to allow visibility to the actual user (person) that logged in to the database.
The diagram illustrates the integration.
The main purpose of this integration is:
Provide visibility in the Guardium appliances to PIM data such as Lease history (who used the shared accounts), credentials and databases managed by PIM.
Provide DAM information correlated with PIM information, for example, Guardium can show today's Database user along with actual requests issued by a specific
user. This integration will allow use of both the Database user and the actual PIM user that leased the shared ID.
Installation
Guardium patch (v10.1p103) can be used to install PIM integration functionality. PIM integration can be used on standalone Guardium systems as well as in
federated environments.
Note: It is assumed that the PIM activity data is already implemented.
Follow these steps
1. Bring data to the Guardium system.
Select a datasource and then select from the Guardium UI: Reports > Report Configuration Tool > Custom Table Builder.
Locate and select three PIM predefined tables and, for each one of them, schedule Automatic Data Upload.

Upload PIM tables to Guardium System
If using a Guardium Central Manager, select from the Guardium UI: Manage > Central Manager > PIM Data Distribution. Do this to schedule data distribution
from the Central Manager to all managed units.
2. Once data is brought to the managed units, use this CLI command, store pim_correlation_mode, to enable correlation of PIM data with Guardium session
data.
CLI command
store pim_correlation_mode
Usage: store pim_correlation <state>
where state is on/off. On is to enable and off is to disable.
Show command
show pim_correlation_mode
3. To run correlation , select from the Guardium GUI:Comply > Custom Reporting > PIM data correlation.
Correlated data can be seen through reports in Access domain
PIM session in Access Domain
QRadar and Guardium integration

QRadar and Guardium can work together in a two-way information flow to have the Guardium data protection policies updated automatically and nearly in real-time in
response to security intelligence events from QRadar.
IBM QRadar is a security intelligence tool that provides threat protection by monitoring security information and events, using customizable rules to detect anomalies, as
well as providing tools for incident forensics and vulnerability management.

IBM Guardium is a solution for data security and data privacy that helps ensure the integrity of data stored in servers. Guardium uses policies and inclusion/exclusion lists
(called Guardium groups) to control access to data.
The QRadar and Guardium solution leverages the QRTrigger framework for triggering actions in response to QRadar security events. Based on configuration settings,
QRadar events will cause new members to be added to Guardium groups based on information carried in the event itself. Furthermore the Guardium policy associated
with the group is automatically reinstalled so that membership change takes effect immediately.
Note that the QRadar and Guardium solution can be used to update a single Guardium collector, or a group of them being controlled by a Guardium Central Manager (CM).
QRadar and Guardium together

Traditional QRadar and Guardium integration is a one-way information flow where Guardium sends alerts and Vulnerability Assessment (VA) reports to QRadar.
Common alerting use cases for databases:
Failed logins
Unauthorized access
SQL Error codes (for example, SQL injection attacks)
Users trying to escalate their privileges
Users creating triggers and views to indirectly access sensitive data
Now QRadar and Guardium can work together in a two-way information flow.
Additional use cases:
Block access from a machine that became compromised
Increase audit levels for access by a user ID that became suspicious
Increase audit levels for access by a privileged shared user ID that was on-boarded in a Privileged Identity Management (PIM) system
Updating Guardium policies based on QRadar events

The steps to deploying the QRadar and Guardium solution are:
1. Install the solution files.
2. Set up a client ID and secret in Guardium.
3. Configure a Forwarding Destination in QRadar.
4. Configure Rules to dispatch QRadar Events to the solution.
5. If necessary, define Guardium Groups and Policies for integration.
Note that Guardium version 10.1 and later has three predefined groups designed to support this integration:
QRadarBlockingConnection
QRadarAlertingConnection
QRadarLogConnection
Each of these groups has the following tuple structure:
<Client IP>,<Src App>,<DB User>,<Server IP>,<Svc. Name>,<OS User>,<DB Name>
There is a predefined Guardium policy called "QRadarPolicy" with three rules: A blocking rule, an alerting rule, and a logging rule. Each rule is tied to its respective group
from the list above.
How to install QRadar and Guardium solution

For complete instructions on installing the QRadar and Guardium solution, go to the IBM Developerworks article:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/W746177d414b9_4c5f_9095_5b8657ff8e9d/page/QRGuardium
Setting up Guardium
In order for the QRadar and Guardium solution to be able to authenticate to the Guardium REST API, a client ID must be registered in Guardium and the associated client
secret retrieved.
Registering a client ID is done using the grdapi command line utility of Guardium. This operation is performed only once. The result of the client ID registration is a JSON
entry containing details for the new client, including the client secret.
> grdapi register_oauth_client client_id=qrguardium

ID=0
{"client_id":"qrguardium","client_secret":"3ac89782-ce55-
4f24-b795-b6c76ecc4045",
"grant_types":"password","scope":"read,write","redirect_uri"
:"https://joeApp"}
ok
Troubleshooting logs

The QRadar and Guardium solution provides a number of log files to assist in managing and troubleshooting operations. These log files include:
Table 1. Log files

Pzrameter name Description
guardiumEvents_audit.log This an audit log of all changes made to Guardium based on QRadar events. Each line is a JSON object that includes identifiers,
timestamp and details of the Event handled.
QRListener.log Log output from the Listener process that receives forwarded event data from QRadar.
HANDLER_<event name>.log Log output from the dedicated handler AL for a specific Event.
RESPONSE_<event name>.log Log output from a custom response AL if this AL implements logging based on its AssemblyLine name. For example this can be
done by setting the Log Appender File Path parameter to be computed using this Javascript:
return â€œlogs/â€
+ task.getShortName()
+ â€œ.logâ€ ;

Directory integrator integrations (video)
OPTIM to Guardium Interface

An OPTIM to Guardium interface, using Protobuf (Universal Feed Agent), sends Optim activity logs to Guardium.
The objective of this interface is to use Guardium auditing capabilities for OPTIM activities. The auditing capabilities include: Reporting tools (user-defined queries and
reports); Audit Processes (workflow automation that enables assigning a task to a role/user/group, user-defined status-flow process, escalation, export...): and,
Thresholds Alerts.
The Optim-audit activity information includes the access details, session number, activity type (verb), table (object), details (fields), execution time (response time) and
number of errors (records affected).
The data is mapped to the Guardium standard object model.
Enabling OPTIM auditing requires enabling via OPTIM and the steps required in Guardium are: (1) link user to Optim Audit Role; (2) add the predefined reports to the
appropriate pane; (3) enable sniffer; and, (4) set policy action to Log Data With Values.
This interface includes an optim-audit role, a default layout (psml file) for the optim-audit role, and seven predefined reports.
These reports are:
Optim - Failed Request Summary per Optim Server

Optim - Request Execution per User
Optim Server Optim - Table Usage Details
Optim - Request Log
Optim - Table Usage Summary
Optim - Request Summary
Note: When creating the optim-audit role and user, only one tab OPTIM Audit will display. Similar to roles with custom layouts that customers can generate, this is a role
layout that is meant to be used alone (the optim-audit user has no interest in the other user role tabs) but since the user role is required, layout merging has been turned
off when the user has the optim-audit role so that they get only the items of optim interest. Other roles that work in this same way are "review-only" and "inv".
Note: After creating and saving the optim-audit role, click the Generate Layout selection within the User Browser menu and click Reset to get the layout associated with
the role. Do this again if changing roles within the User Browser.
Combining real-time alerts and correlation analysis with SIEM products

Distribute contextual knowledge of database activity patterns, structures, and protocols directly to the third-party database of the SIEM system.
About this task

GuardiumÂ® pre-processes large volumes of database traffic and distills important information. Then, it provides the condensed summary to external SIEM (Security
Incident Event Manager) systems such as ArcSight, Envision, and QRadar. Thus, SIEM products do not have to work as hard to process large traffic streams. Rather, it can
concentrate on correlating all activity, alerting on unauthorized or suspicious behavior, and helping with the regulatory compliance requirements on event logs.
This Guardium SIEM (Security Incident Event Manager) integration can be done in one of the following ways:
Syslog forwarding (the most common method for alerts and events)
Using the CLI command, store remotelog, to specify the Syslog forwarding to facility/priority, and host (destination).
Using Guardium templates for ArcSight, Envision, and QRadar
SCP/FTP (CSV or CEF Files sent to an external repository and the SIEM system must upload and parse from this external repository.)
Guardium distributes its contextual knowledge of database activity patterns, structures, and protocols directly to the third-party database of the SIEM system (Guardium
has credentials to the SIEM system. It can also write directly to the SIEM database in the SIEM schema. Contact Guardium support as Guardium's entities must be
mapped to the third-party schema.
Note: The SIEM system must enable remote logging as well to know to listen for the correct facility/priority which is defined within syslog.
By combining Guardium's real-time security alerts and correlation analysis with SIEM and log management products, companies can enhance their ability to:

Proactively identify and mitigate risks from external attacks, trusted insiders, and compliance breaches;
Implement automated controls from Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), and data privacy regulations;
Manage system and network events alongside critical logs and events from the core of their data centers â€“ enterprise databases and applications â€“ for
enterprise-wide correlation, forensics, incident prioritization, and reporting.
Security Information and Event Management (SIEM) solutions, also referred to as Security Event Management (SEM) solutions, are offered by companies such as QRadar,
ArcSight, CA, Cisco MARS, LogLogic, RSA enVision and SenSage. SIEM products are complementary to Guardium's database activity monitoring solution. They can also use
Guardium's filtering and preprocessing of database events to provide 100% visibility and database analytics for SOX, PCI-DSS, and data privacy.
SIEM technology provides real-time analysis of security alerts that are generated by network hardware and applications. It helps companies to respond to network attacks
faster and to organize the massive amounts of log data that is generated daily. SIEM solutions are log-based correlation engines.
SIEM solutions are primarily focused on detection and security, but not on auditing. They assemble data from other logs and analyze it at a high level. They correlate much
more data such as IP addresses and routers but have little database visibility. They do not have forensics-quality, digitally signed, audit monitoring capabilities so they can
be used for immediate information, but not historical proof.
Security information and event management (SIEM) users are faced with the challenge of importing raw logs that are generated by internal DBMS utilities. The
performance of DBMS logging utilities, the unfiltered information that they produce, and the lack of necessary granular information create challenges.
Through the Guardium user interface, Guardium can be configured easily to integrate with various SIEM tools.
Note: With SIEM integration, the reports and policies do not change on the Guardium system. Users can continue with their existing policies and reports, trigger alerts, and
send reports to the SIEM system.
For SIEM-Guardium Integration, there are predefined templates for QRadar, Envision, and ArcSight so you do not need to define them. You can select the appropriate
message template within the rule action.
You can change the default message template, specify the parameters for syslog forwarding, and create the CSV or CEF file to export.
Note: CEF is only used for ArcSight. The other SIEM products have a different format and do not use CEF.
In order for the SIEM product to recognize the information that is being sent, the message template must be changed through the Global Profile. This formatting
agreement between the SIEM solution and Guardium allows SIEM products to parse incoming messages and update its own database with the new event/data.
1. To open the Global Profile, click Setup > Tools and Views > Global Profile.
2. Click Edit to Named template.
3. Select a template or create a new template with the Icon.
The Guardium appliance can be configured to send Syslog messages to remote systems. Specific types of Syslog messages can be sent to specific hosts. The Syslog
message type is determined from the facility-priority of the message.

The following are examples of facility: all, auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, mark, news, security,
Syslog, user, uucp. The following are examples of priority: alert, all, crit, debug, emerg, err, info, notice, warning.
Reports containing information that can be used by other applications or reports that contain large amounts of data can be exported to a CSV file format. Report, Entity
Audit Trail, and Privacy Set task output can be exported to CSV (Delimiter-separated Value) files. Additionally, CSV file output can be written to Syslog. If the remote Syslog
capability is used, the output CSV file is forwarded to the remote Syslog locations.
Each record in the CSV or CEF files represents a row on the report. Contact Guardium Support for a tool that permits the reformatting of CSV files before export.
The Guardium appliance can be configured to send Syslog messages to remote systems, using the store remotelog CLI command. Specific types of Syslog messages can
be sent to specific hosts. The Syslog message type is determined from the facility-priority of the message.
Examples of facility are: all, auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, mark, news, security, Syslog, user,
uucp. Examples of priority are: alert, all, crit, debug, emerg, err, info, notice, warning.
Reports containing information that can be used by other applications, or reports containing large amounts of data, can be exported to a CSV file format. Report, Entity
Audit Trail, and Privacy Set task output can be exported to CSV (Delimiter-separated Value) files. Additionally, CSV file output can be written to Syslog. If the remote Syslog
capability is used, this action results in the immediate forwarding of the output CSV file to the remote Syslog locations.
Each record in the CSV or CEF files represents a row on the report.
To send Syslog messages and export reports to CSV files, complete the following steps.
Note: Do not zip the file within the audit process definition so that the SIEM vendor can parse it correctly.
1. To open the Audit Process Finder, click Comply > Tools and Views > Audit Process Builder.
2. Click the Icon to add a process or select an existing process from the drop-down list.
3. Click New Audit Task under Audit Tasks.
4. Enter a description and select Report.
5. Select a report from the drop-down list and enter the CSV/CEF File Label.
6. Select Export CSV file and Write to Syslog. Choose a named template from the drop-down list.
7. Under Task Parameters, choose the Enter Period From >= and Enter Period To <= by using the calendar icon.
8. Click Apply.
CSV/CEF files can also be exported on a schedule to the SIEM host. Modify or add an audit task.
1. Click Comply > Tools and Views > Audit Process Builder to open the Audit Process Finder and modify or add an audit task.
2. Choose Export CSV file or Export CEF file.
Note: ACCESS reports can be saved and forwarded in CEF or LEEF format but other reports, such as Guardium Logins, Aggregation Activity Log, and CAS events
cannot be mapped to CEF or LEEF.
3. Uncheck the Write to Syslog. Otherwise, Syslog messages will be generated instead of a file.
4. Open the CSV/CEF Export menu by clicking Manage > Data Management > Results Export (Files).
5. Select either the SCP or FTP Protocol. Then enter the Host, Directory, Username, Port, and SCP/FTP password.
6. In the Scheduling section, define the Start Time, Restart frequency, Repeat frequency, Schedule by Day/Week or Month, Schedule Start Time. Check the box to
automatically run dependent jobs.
7. Click Save to commit the changes or Reset to clear the fields.
To have a policy alert that is routed to Syslog, exception rules, access rules, and extrusion rules must be modified to trigger notifications to be sent to Syslog. This action
can be accomplished by going to the Policy Builder. Policy rules can be sent as email or sent to Syslog and forwarded.
1. To open the Policy Builder, click Setup > Tools and Views > Policy Builder.
2. Select the policy and click Edit Rule.
3. Click Add Rule... > Add Exception Rule.
4. Enter the Description, Category, Classification, and select a Severity level from the drop-down list.
For every policy rule violation logged during the reporting period, the Policy Violations report provides the Timestamp from the Policy Rule Violation entity, Access Rule
Description, Client IP, Server IP, DB User Name, Full SQL String from the Policy Rule Violation entity, Severity Description, and a count of violations for that row. With this
report, users can group violations and create incidents, set the severity of each violation, and assign incidents to users.
How to transfer sensitive data to InfoSphere Discovery

Take sensitive data information, identified and classified in IBM Security Guardium and transfer that information to InfoSphereÂ® Discovery.
Both IBM Guardium and InfoSphere Discovery have the capability to identify and classify sensitive data, such as Social Security Numbers or credit card numbers.
A customer of the IBM Guardium product can use a bidirectional interface to transfer identified sensitive data information from one product to another.
Note: In IBM Guardium , the Classification process is an ongoing process that runs periodically. In InfoSphere Discovery, Classification is part of the Discovery process that
usually runs once.
Note: The data will be transferred via CSV files.
The summary of Export/Import procedures is as follows:
Export from Guardium - Run the predefined report (Export Sensitive Data to Discovery) and export as CSV file.
Import to Guardium - Load to a custom table against CSV datasource; define default report against this datasource.
Follow these steps:
1. Export from Guardium - Export Classification Data from IBM Guardium to InfoSphere Discovery
2. As an admin user in the GuardiumÂ® application, go to Tools > Report Building >Classifier Results Tracking > Select a Report > Export Sensitive Data to Discovery
(See screenshot).
Note: Add this report to the UI pane (it is not by default).

3. Click on Customize icon on Report Result screen and specify the search criteria to filter the classification results data to transfer to Discovery.
4. Run the report and click on Download All Records icon.
5. Save as CSV and import this file to Discovery according to the InfoSphere Discovery instructions.
6. Import to Guardium - Import Classification Data from InfoSphere Discovery to IBM Guardium
7. Export the classification data as CSV from InfoSphere Discovery based on InfoSphere Discovery instructions.
8. As an admin user in the Guardium application, go to Tools > Report Building >Custom Tables screen, select ClassificationDataImport and click on Upload Data
button. (See screenshot).
9. In Upload Data screen, click on Add Datasource, click on New button, define the CSV file imported from Discovery as new datasource (Database Type = Text). See
the following screenshot of CSV Datasource definition.

Note: Alternatively you can load the data directly from Discovery database if you know how to access the Discovery database and Classification results data.
10. After defining the CSV as Datasource, click on Add button in Datasource list screen.
11. In Upload data screen click on Verify Datasource and then Apply.
12. Click on Run Once Now button to load the data from the CSV.
13. Go to Report Builder, select Classification Data Import report, Click on Add to Pane to add it to your Portal and then navigate to the report.
14. Access the Report, click on Customize to set the From/To dates and execute the report.
The report result has the classification data imported from InfoSphere Discovery. Double click to invoke APIs assigned to this report. The data imported from Discovery
can be used for the following:
Add new Datasource based on the result set.

Add/Update Sensitive Data Group.
Add policy rules based on datasource and sensitive data details.
Add Privacy Set.
Table 1. CSV Interface signature

Interface Signature Example
Type DB2Â®
Host 9.148.99.99
Port 50001
dbName (Schema name for DB2 or Oracle, db name for others) cis_schema
Datasource URL Â

Interface Signature Example
TableName MK_SCHED
ColumnName ID_PIN
ClassificationName SSN
RuleDescription Out-of-box algorithm of InfoSphere Discovery
HitRate 70% - not available for export in Guardium Vers. 8.2
ThresholdUsed 60% - not available for export in Guardium Vers. 8.2

CEF Mapping
The CEF standard from ArcSight defines a set of required fields, and a set of optional fields.
The latter are called extensions in the CEF standard. Data is mapped to these fields from GuardiumÂ® configuration information and reports. Note that not all Guardium
fields map to a CEF field, so there may not be a one-to-one relationship between the rows of a printed report and the CEF file produced for that report. Also note that this
facility is intended to map data from data access domains (Data Access, Exceptions, and Policy Violations, for example), and not from Guardium self-monitoring domains
(Aggregation/Archive, Audit Process, Guardium Logins, etc. ).
Note: Analyzed Client IP has a map for CEF source. If the query used for the CEF does NOT contain the Client IP but contains the analyzed client IP, the analyzed client IP
will be used for the source. If both included in the query, then Client IP takes precedence.
The CEF fields in the following table are always present.
Table 1. Required CEF Fields Mapping

CEF Field Guardium Mapping
Version 0 (zero); Currently the only version for the CEF format
Device Vendor Guardium
Device Product Guardium
Device Version Guardium software version number
Signature ID ReportID
Name Report Title
Severity Numeric severity code in the range 0-10, with 10 being the most important event. Â If not reset in the report, 0 (zero, which
translates to Info for Guardium).
The CEF extension fields are optional, and will be present only when the mapping applies. For example, if the report does not contain an access rule description, the act
field (the first extension field) will not be present. For more detailed information about the Guardium entities and attributes, see the appropriate entity reference topic.
Table 2. CEF Mapping, Guardium Version 8.2

CEF Field Entity Attribute
severity Policy Rule Violation Severity
act Policy Rule Violation Access Rule Description
app Client/Server DB Protocol
app Exception Database Protocol
dst Client/Server Server IP
dst Exception Destination Address
dhost Client/Server Server Host Name
dpt Session Server Port
dpt Exception Destination Port
dproc Client/Server Source Program
duid Client/Server OS User
duser Client/Server DB User Name
duser Exception User Name
end Exception Exception Timestamp
end Policy Rule Violation Timestamp
end Access Period Period End
end Session Session End
msg Exception Exception Description
msg Message Text Message Text
msg Message Text Message Subject
src Client/Server Client IP
src Client/Server Analyzed Client IP

src Exception Source Address
shost Client/Server Client Host Name
smac Client/Server Client MAC
spt Session Client Port
spt Exception Source Port
start Exception Exception Timestamp
start Policy Rule Violation Timestamp
start Access Period Period Start
start Session Session Start
proto Client/Server Network Protocol
request FULL SQL Full Sql
request SQL Sql
cs1 Session Uid Chain
cs2 Session Uid Chain Compressed

Table 3. CEF Mapping, Guardium Version 9.0
severity Policy Rule Violation Severity
act Policy Rule Violation Access Rule Description
app Client/Server DB Protocol
app Exception Database Protocol
dst Client/Server Server IP
dst Exception Destination Address
dhost Client/Server Server Host Name
dpt Session Server Port
dpt Exception Destination Port
dproc Client/Server Source Program
duid Client/Server OS User
duser Client/Server DB User Name
duser Exception User Name
end Exception Exception Timestamp
end Policy Rule Violation Timestamp
end Access Period Period End
end Session Session End
msg Exception Exception Description
msg Message Text Message Text
msg Message Text Message Subject
src Client/Server Client IP
src Client/Server Analyzed Client IP
src Exception Source Address
shost Client/Server Client Host Name
smac Client/Server Client MAC
spt Session Client Port
spt Exception Source Port
start Exception Exception Timestamp
start Policy Rule Violation Timestamp
start Access Period Period Start
start Session Session Start
proto Client/Server Network Protocol
request FULL SQL Full Sql
request SQL Sql
cs1 Session Uid Chain
cs2 Session Uid Chain Compressed

For more information about CEF, search the web for Common Event Format: Event Interoperability Standard, or visit the ArcSight Website: www.arcsight.com.
LEEF Mapping
Log Event Extended Format (LEEF) from QRadar
The LEEF format consists of an optional syslog header, an LEEF header and a collection of attributes describing the event.
Syslog_Header(optional) LEEF_Header|Event_Attributes
The LEEF header is pipe (â€˜|â€™) separated and attributes are tab separated
Example
Jan 18 11:07:53 host LEEF:Version|Vendor|Product|Version|EventID|Key1=Value1<tab>Key2=Value2<tab>Key3=Value3<tab>...<tab>KeyN=ValueN
Table 1. LEEF Parameters

Parameters Description
LEEF: Version Version Integer identifying the version of LEEF used for the log message
Vendor String identifying the vendor of the device or application sending the event log
Product Product String identifying product sending the event log Note: The combination of vendor and product must be unique
Version String identifying the version of the device or application Sending the event log
EventID ID that uniquely identifies the event
Attributes 1..N A set of key value pairs attributes for the event separated by the tab character. Â Order is not enforced. Â
A pre defined set of keys are defined and should be used when possible. Â
LEEF format is extensible and allows for additional key value pairs to be added to the event log. Â
Keys must not contain spaces or equal signs Â
Values must not contain tabs

Example:
Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=172.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly msg=there

are spaces in this message
Character Encoding
UTF8
Predefined Attributes
Table 2. Predefined Attributes
Key Name Data Type Max Length Description
Cat string Â Event category
devTime date Â Time the device or application emitted the event
devTimeFormat string Â Defined by the java SimpleDateFormat. Â This is only required if using a
customized date format. Â See Date Format section for further details.
proto integer Â Transport protocol
sev integer (1-10) Â Severity of this event
src IPv4 or IPv6 address Â Source address
dst IPv4 or IPv6 address Â Destination address
VSrc IPv4 or IPv6 address Â Virtual source address
srcPort integer Â Source Port. The valid port numbers are between 0 and 65535.
dstPort integer Â Destination Port. The valid port numbers are between 0 and 65535.
srcPreNat IPv4 or IPv6 address Â Source address for the message before Network Address Translation (NAT)
occurred
dstPreNat IPv4 or IPv6 address Â Destination address for the message before Network Address Translation (NAT)
occurred
srcPostNat IPv4 or IPv6 address Â Source address for the message after Network Address Translation (NAT)
occurred
dstPostNat IPv4 or IPv6 address Â Destination address for the message after Network Address Translation (NAT)
occurred
usrName string 255 User name associated with the event
srcMAC MAC address Â Six colon-separated hexadecimal numbers. Example: 1:2D:67:BF:1A:71
dstMAC MAC address Â Six colon-separated hexadecimal numbers. Example: 11:2D:67:BF:1A:71

Key Name Data Type Max Length Description
srcPreNATPort integer Â Source Port. The valid port numbers are between 0 and 65535.
dstPreNATPort integer Â Destination Port. The valid port numbers are between 0 and 65535.
srcPostNATPort integer Â Source Port. The valid port numbers are between 0 and 65535.
dstPostNATPort integer Â Destination Port. The valid port numbers are between 0 and 65535.
identSRC IPv4 or IPv6 address Â Â
identHostName string 255 Host name associated with the event. Typically, this parameter is only
associated with identity events
identNetBios string 255 NetBIOS name associated with the event. Typically, this parameter is only
associated with identity events
identGrpName string 255 Group name associated with the event. Typically, this parameter is only
associated with identity events.
Custom Attributes
In some cases custom attributes may be required to identify more information about the event being generated. In these cases vendors may define their own custom
attributes and include them in the event log. Custom attribute fields should be used only when there is no acceptable mapping in to a predefined field.
Custom attributes keys must be:
Single word no spaces

Alphanumeric
Clear and concise
Cannot be named the same as any predefined attribute key
Custom attributes may be used for viewing in the QRadar Event Viewer by creating custom properties.
Custom attributes may be used by the QRadar reporting engine by creating customer properties.
Custom attributes can NOT be used for event correlation
Note: Add databaseName=%%DBname to the LEEF template in order to capture the MS-SQL database name. Update the existing LEEF template or make a new template
by cloning.
Date Formats
You can use any of these predefined formats:
1. Milliseconds since January 1, 1970 (integer)

2. MMM dd yyyy HH:mm:ss, for example, Jun 06 2012 16:07:36
3. MMM dd yyyy HH:mm:ss.SSS, for example, Jun 06 2012 16:07:36.300
4. MMM dd yyyy HH:mm:ss.SSS zzz, for example, Jun 06 2012 02:07:36.300 GMT
If these formats are not suitable, you can define a custom date format in the dTime field by specifying the date format using the dTimeFormat key.
For further information on specifying a date format, visit the SimpleDateFormat page at: http://java.sun.com/javase/6/docs/api/java/text/SimpleDateFormat.html
Troubleshooting problems
To isolate and resolve problems with your IBM products, you can use the troubleshooting and support information. This information contains instructions for using the
problem-determination resources that are provided with your IBM products, including IBM Guardium.
Techniques for troubleshooting problems

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to
resolve the problem. Certain common techniques can help with the task of troubleshooting.
Problems and solutions
Search here for solutions to problems that you encounter.
Techniques for troubleshooting problems

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve
the problem. Certain common techniques can help with the task of troubleshooting.
The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know
where to start to find the cause of the problem. This step includes asking yourself basic questions:
What are the symptoms of the problem?

Where does the problem occur?
When does the problem occur?
Under which conditions does the problem occur?
Can the problem be reproduced?
The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.
What are the symptoms of the problem?

What is the problem? This question might seem straightforward, however, you can break it down into several more-focused questions that create a more descriptive
picture of the problem. These questions can include:
Who, or what, is reporting the problem?

What are the error codes and messages?
How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?
Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between
the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.
The following questions help you to focus on where the problem occurs to isolate the problem layer:
Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
Is the current environment and configuration supported?
Do all users have the problem?
(For multi-site installations.) Do all sites have the problem?
If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment
in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions,
and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels
of software that are not intended to run together or have not been fully tested together.
When does the problem occur?

Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working
backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information.
Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log.
To develop a detailed timeline of events, answer these questions:
Does the problem happen only at a certain time of day or night?

How often does the problem happen?
What sequence of events leads up to the time that the problem is reported?
Does the problem happen after an environment change, such as upgrading or installing software or hardware?
Responding to these types of questions can give you a frame of reference in which to investigate the problem.
Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment
can help you to identify the root cause of the problem:
Does the problem always occur when the same task is being performed?
Does a certain sequence of events need to happen for the problem to occur?
Do any other applications fail at the same time?
Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because
multiple problems might have occurred around the same time, the problems are not necessarily related.
Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or
procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve.
However, problems that you can reproduce can have a disadvantage. If the problem is of significant business impact, you do not want it to reoccur. If possible, recreate the
problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
Can the problem be re-created on a test system?

Are multiple users or applications encountering the same type of problem?
Can the problem be re-created by running a single command, a set of commands, or a particular application?
Getting fixes from Fix Central

You can use Fix Central to find the fixes that are recommended by IBM Support for a variety of products, including Guardium. With Fix Central, you can search,
select, order, and download fixes for your system with a choice of delivery options. A product fix might be available to resolve your problem.
Contacting IBM Support
IBM Support provides assistance with product defects, answers FAQs, and helps users resolve problems with the product.
Basic information for IBM Support
Before you call IBM Support, collect basic information about IBM Guardium (collector, aggregator, Central Manager; UNIX/Linux S-TAP; Windows S-TAP).
Exchanging information with IBM
To diagnose or identify a problem, you might need to provide IBM Support with data and information from your system. In other cases, IBM Support might provide
you with tools or utilities to use for problem determination.
Subscribing to Support updates
To stay informed of important information about the IBM products that you use, you can subscribe to updates.
Parent topic: Troubleshooting problems
Getting fixes from Fix Central

You can use Fix Central to find the fixes that are recommended by IBM Support for a variety of products, including Guardium. With Fix Central, you can search, select,
order, and download fixes for your system with a choice of delivery options. A product fix might be available to resolve your problem.

About this task
Procedure
To find and install fixes:
1. Obtain the tools that are required to get the fix. If it is not installed, obtain your product update installer. You can download the installer from Fix Central. This site
provides download, installation, and configuration instructions for the update installer.
2. Select Guardium as the product, and select one or more check boxes that are relevant to the problem that you want to resolve.
3. Identify and select the fix that is required.
4. Download the fix.
a. Open the download document and follow the link in the Download Package section.
b. When downloading the file, ensure that the name of the maintenance file is not changed. This change might be intentional, or it might be an inadvertent
change that is caused by certain web browsers or download utilities.
5. Apply the fix.
a. Follow the instructions in the Installation Instructions section of the download document.
b. For more information, see the Installing fixes with the Update Installer topic in the product documentation.
6. Optional: Subscribe to receive weekly email notifications about fixes and other IBM Support updates.
Parent topic: Techniques for troubleshooting problems
Contacting IBM Support

IBM Support provides assistance with product defects, answers FAQs, and helps users resolve problems with the product.
Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your
company or organization must have an active IBM maintenance contract name, and you must be authorized to submit problems to IBM. For information about the types of
available support, see the Support portfolio topic in the "Software Support Handbook".
Procedure
To contact IBM Support about a problem:
1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the
Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request
page.
By phone: For the phone number to call in your region, see the Directory of worldwide contacts web page.
Results
If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR).
The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is
delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.
How to upload data to a support ticket (PMR) (video)
Guardium troubleshooting and support (video)
Basic information for IBM Support

Before you call IBM Support, collect basic information about IBM Guardium (collector, aggregator, Central Manager; UNIX/Linux S-TAP; Windows S-TAP).
Use support must_gather commands, which can be run through the CLI to generate specific information about the state of any Guardium system. This information can
also be collected through the Guardium GUI.
This information can be uploaded from the Guardium system and sent to IBM Support whenever a Problem Management Report (PMR) is logged.
Gathering support information results

To gather support information, click Manage > Maintenance > Support Information Gathering. Complete the following sections.
1. Describe the support information gathering session.

2. Complete the PMR number.
3. To send the results to an email address, specify email: and complete the email address.
4. Schedule a start time by clicking the calendar icon.
5. Check off gather log information that is related to the following categories:
Aggregation
User Interface
Backup
DB User
Scheduler
System DB
Network

Deployment Health
Alert
Audit
Central Manager
Purge
Sniffer
Patch Install
Advance Threat Scanning
6. Input a value to gather information for a certain amount of time in minutes. The default value is 10 minutes. This value is the time period the logs will be gathered
for. If you specify an email, the logs are gathered for 10 minutes from the time you start the process and an email is sent afterwards. You must reproduce the
problem and generate the log information during the specified time period so that the logs can contain the debug information that is needed to troubleshoot
problems.
7. Input the maximum number of rows that appears in the result log file.
8. When you are finished with the configuration, click Start.
9. Go to Support Information Results to view the results. You can open or save the .tgz file.
Must Gather for Guardium Appliance with CLI

IBM Guardium Collector, Aggregator, or Central Manager
The must_gather commands can be run at any time by the user through the CLI. Complete the following steps.
1. Open a putty session (or similar) to the appropriate collector, aggregator, or Central Manager.
2. Log in as user cli.
3. Depending on the type of issue, paste the relevant must_gather commands into the CLI prompt. More than one must_gather command might be needed to
diagnose the problem. The commands are listed and described in the following list.
support must_gather agg_issues (aggregation process)
support must_gather alert_issues (alerts)
support must_gather app_issues (application)
support must_gather audit_issues (audit process)
support must_gather backup_issues (backup process)
support must_gather cm_issues (Central Manager)
support must_gather datamining_issues (data mining)
support must_gather miss_dbuser_prog_issues (system database user)
support must_gather en (entitlement optimization)
support must_gather network_issues (network architecture)
support must_gather ocr_issues
support must_gather patch_install_issues (patch installation and upgrades)
support must_gather purge_issues (purge process)
support must_gather scheduler_issues (scheduler function)
support must_gather sniffer_issues (sniffer function)
support must_gather system_db_info (Guardium system database or operating space performance)
The output is written to the must_gather directory with a file name such as the following example:
must_gather/system_logs/.tgz
4. Send the resulting output to IBM Support.
By using fileserver <ip address>, you can upload the .tgz files and send to IBM Support.
Send the file through email or upload to ECUREP by using the standard data upload. Specify the PMR number and file to upload.
Must Gather for UNIX/Linux S-TAP

The guard_diag script produces statistics on the server that helps Guardium with diagnostics.
Explanation of guard_diag:
Diagnostic Script (guard_diag)
General Overview:
There is now a diagnostics script (guard_diag) that runs out of /usr/local/guardium/guard_stap/guard_diag when S-TAP logging is set to level 7 from the GUI. It is also
possible to transfer this script to a machine that is running S-TAP.
Usage: ./guard_diag output_dir
The script prompts for the location if the script cannot automatically determine where S-TAP is installed. The run time is about 1.5 minutes and if no output directory is
specified, the script places the generated .tar file in /tmp. When the script runs and enables logging from the GUI, the .tar file is placed in /var/tmp. The file name is
derived from the machine name, and the time/date run; it always starts with diag.ustap.
General System Data Collected:
Uname -a
List of kernel modules installed
Output for one cycle
Uptime
Processor number and type
Dump of most recent syslog
Netstat output
IPC list

Disk free statistics
copy of /etc/services
Directory listing of /etc
Various platform-specific information
Contents of /etc/inittab
S-TAP Data Collected:
S-TAP version
Contents of guard_tap.ini
Ls -l on the K-TAP device nodes
30s trace of S-TAP
K-TAP statistics
List of all the files in the installation directory
K-TAP khash
Verbose debug log for K-TAP (2) and S-TAP(4)
Known Issues:
Tusc is not installed on all HP-UX operating systems, so tracing the S-TAP PID does not work.
gzip isn't always installed on the system. The fall back is to compress (final extension of .tar.Z) and failing that, the .tar file is placed in the output directory.
Topas output on AIX is best interpreted by the terminal since it contains control codes that makes it mostly unintelligible when it is opened in an editor.
The non-root S-TAP has a number of issues concerning the diagnostics script.
In Linux, /var/log/messages is only readable by the root.
Some Solaris operating systems might not be configured correctly and causes netstat to print an error.
The path for the non-root user is rather basic, and as a result, some commands might not run at all. Notably, this known issue happens on HP-UX with gzip.
Platforms Supported:
Linux
HP-UX
AIX
Solaris
Requirements for STAP: None
Requirements for Linux: None
Requirements for AIX: topas
Requirements for Solaris: top, prtdiag, psrinfo
Requirements for HP-UX: tusc
Must Gather for Windows S-TAP

Running this script generates the following text files in the current directory:
stap.txt
tasks.txt
system.txt
evtlog.txt or evtlog2008.txt
reg.txt
Notes:
1. This diag script can be run with any S-TAP version.

2. Rename the diag script to diag.bat and place it under directory where S-TAP was installed. Then, you can run it manually. It generates text files with diagnostic
information.
3. Submit the results to Guardium L3 Support or Research & Development.
The script collects the following data:
Content of %system%guard_tap.ini.
The Guardium S-TAP installation log
All running tasks
List of all installed kernel drivers
OS information that is collected from the system information utility
ipconfig /all
netstat -nao
Ping and trace results from the database server to the Guardium system
CPU usage for guardium_stapr
Overall system CPU usage
Guardium_stapr process handle count and memory usage
Event log messages that are generated by S-TAP
System event log messages
The following registry entries:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall?
HKLMSYSTEMCurrentControlSetServices?
HKLMSYSTEMCurrentControlSetControlGroupOrderList?
HKEY_LOCAL_MACHINESOFTWAREMicrosoftMSSQLServer
Encrypt Must Gather

Encrypt Must Gather was added to the Global Profile screen. To go to the Global Profile screen, click Setup > Global Profile.. The default value is cleared (Do not encrypt).
If it is cleared, must gather output is compressed and not encrypted (current function). When the check box is checked, all future must gather output is encrypted.
Encryption can be also set by store encrypt_must_gather on CLI command and cleared by using the command store encrypt_must_gather off.
GuardAPI Must Gather

Use the GuardAPI command to run the GuardAPI Must Gather collection of information from a script.
grdapi must_gather --help=true.
The following function parameters are listed.
ID=0
commandsList - String -required - Constant values list
description - String
email - String
maxLogLength - Integer - Constant values list
pmrNumber - String
runDuration - Integer - Constant values list
startRun - Date
To get a Constant values list for a parameter, call the function with --get_param_values=<param-name>
The --commandsList requires a string. The --description is also a required string. The --runDuration indicates how long the must_gather runs. Type in an email address to
send the must_gather report. The --maxLogLength parameter is a required integer that sets the maximum length of the log report. The --pmrNumber is the problem
management report number that is used by IBM Support to track and resolve customer reports. The --startRun is a required date such as now. You can get a list of values
for each parameter by calling the function grdapi must_gather --get_param_values=<param-name>.

Exchanging information with IBM

To diagnose or identify a problem, you might need to provide IBM Support with data and information from your system. In other cases, IBM Support might provide you
with tools or utilities to use for problem determination.
Sending information to IBM Support

To reduce the time that is required to resolve your problem, you can send trace and diagnostic information to IBM Support.
Procedure
To submit diagnostic information to IBM Support:
1. Open a problem management record (PMR).

2. Collect the diagnostic data that you need. Diagnostic data helps reduce the time that it takes to resolve your PMR. You can collect the diagnostic data manually or
automatically:
Collect the data manually.
Collect the data automatically.
3. Compress the files by using the .zip or .tar file format.
4. Transfer the files to IBM. You can use one of the following methods to transfer the files to IBM:
The Service Request tool
Standard data upload methods: FTP, HTTP
Secure data upload methods: FTPS, SFTP, HTTPS
Email
All of these data exchange methods are explained on the IBM Support website.
Receiving information from IBM Support

Occasionally an IBM technical-support representative might ask you to download diagnostic tools or other files. You can use FTP to download these files.
Before you begin
Ensure that your IBM technical-support representative provided you with the preferred server to use for downloading the files and the exact directory and file names to
access.
Procedure
To download files from IBM Support:
1. Use FTP to connect to the site that your IBM technical-support representative provided and log in as anonymous. Use your email address as the password.
2. Change to the appropriate directory:
a. Change to the /fromibm directory.
cd fromibm
b. Change to the directory that your IBM technical-support representative provided.
cd nameofdirectory
3. Enable binary mode for your session.

binary
4. Use the get command to download the file that your IBM technical-support representative specified.
get filename.extension
5. End your FTP session.
quit
Subscribing to Support updates

To stay informed of important information about the IBM products that you use, you can subscribe to updates.
About this task

By subscribing to receive updates about Guardium, you can receive important technical information and updates for specific IBM Support tools and resources. You can
subscribe to updates by using one of two approaches:
RSS feeds and social media subscriptions

The following RSS feeds and social media subscriptions are available for Guardium:
RSS feed 1
RSS feed 2
RSS feed 3
For general information about RSS, including steps for getting started and a list of RSS-enabled IBM web pages, visit the IBM Software Support RSS feeds site.
My Notifications
With My Notifications, you can subscribe to Support updates for any IBM product. (My Notifications replaces My Support, which is a similar tool that you might have
used in the past.) With My Notifications, you can specify that you want to receive daily or weekly email announcements. You can specify what type of information
you want to receive (such as publications, hints and tips, product flashes (also known as alerts), downloads, and drivers). My Notifications enables you to customize
and categorize the products about which you want to be informed and the delivery methods that best suit your needs.
Procedure
To subscribe to Support updates:
1. Subscribe to the Guardium RSS feeds.

2. Subscribe to My Notifications by going to the IBMÂ® Support Portal and click My Notifications in the Notifications portlet.
3. Sign in using your IBM ID and password, and click Submit.
4. Identify what and how you want to receive updates.
a. Click the Subscribe tab.
b. Select the appropriate software brand or type of hardware.
c. Select one or more products by name and click Continue.
d. Select your preferences for how to receive updates, whether by email, online in a designated folder, or as an RSS or Atom feed.
e. Select the types of documentation updates that you want to receive, for example, new information about product downloads and discussion group
comments.
f. Click Submit.
Results
Until you modify your RSS feeds and My Notifications preferences, you receive notifications of updates that you have requested. You can modify your preferences when
needed (for example, if you stop using one product and begin using another product).
Related Information
IBM Software Support RSS feeds
Subscribe to My Notifications support content updates
My Notifications for IBM technical support
My Notifications for IBM technical support overview
Problems and solutions

Search here for solutions to problems that you encounter.
User Interface
Policies
Reports
Assess and Harden
Access Management
Aggregation
Central Management
S-TAPs and other agents
GIM
File activity troubleshooting
Installing Your Guardium System
Parent topic: Troubleshooting problems

User Interface
Changes are not saved when you add an inspection engine
If your changes are not saved when you add an inspection engine, check that the parameters are valid.
HTTP error 403
If you receive a HTTP error 403, you can disable the Cross-Site Request Forgery (CSRF) protection feature to prevent the error.
Java.lang.IllegalStateException
If you receive a java.lang.IllegalStateException error, clean up the Java servlets.
Pages are not loading correctly
If pages do not load correctly, restart the GUI or use a different browser.
Parent topic: Problems and solutions
Changes are not saved when you add an inspection engine

If your changes are not saved when you add an inspection engine, check that the parameters are valid.
Symptoms
When you add an inspection engine, the new settings remain for a few minutes and then disappear.
Causes
There is an error in one or more parameter values with either the new inspection engine or a different inspection engine in the S-TAP configuration file guard_tap.ini.
Environment
The Guardium collector user interface is affected.
Resolving the problem

Check that every parameter that must be set for the inspection engine is set to a valid value. For example, some database types require that you set db_install_dir to the
path of the installation directory on the server. However, for other database types, this parameter must not be set or must be set to NULL. Check the specific requirements
for your database type in the S-TAP Help Book and make sure that everything is correctly set.
Parent topic: User Interface
HTTP error 403

If you receive a HTTP error 403, you can disable the Cross-Site Request Forgery (CSRF) protection feature to prevent the error.
Symptoms
When you refresh the IBM Security Guardium GUI from the system main page, you receive in the following error:
HTTP Status 403-

type Status report
message
description Access to the specified resource () has been forbidden
Causes
The cause is a feature in Guardium designed to prevent Cross-Site Request Forgery (CSRF). CSRF protection is enabled by default.
Environment
All Guardium configurations (collector, aggregator, central manager) are affected.

You can disable this feature by using the following CLI command: store gui csrf_status off
Note: If you turn off CSRF protection, the security level of the Guardium system is reduced.
The following command enables protection against Cross-Site Request Forgery. It is enabled by default: store gui csrf_status on
You can check the status by running this CLI command: show gui csrf_status
Java.lang.IllegalStateException
If you receive a java.lang.IllegalStateException error, clean up the Java servlets.
Symptoms
You receive the following error message.

There has been an Error. Please Contact your System Administrator
(java.lang.IllegalStateException)
Causes
The error is raised when a method is invoked and the Java VM is in a state that is inconsistent with the method. There might also be corrupted Java servlets that are
caused by deadlocks.
Environment
The Guardium system is affected.

Wait a few minutes and retry. If the error persists, restart the GUI by logging in as user cli and executing the command restart GUI.
To clean up the Java servlets, run the command support clean sevlets.
If the problem is not resolved, please collect the following tomcat logs and contact IBM Security Guardium Technical Support.
tomcat_log/localhost.<date_stamp>.log
tomcat_log/catalina.<date_stamp>.log
Pages are not loading correctly

If pages do not load correctly, restart the GUI or use a different browser.
Symptoms
You might see a blank screen or other errors. The problem appears to happen with certain browsers on specific systems but not with others.
Causes
The cause might be restricted to a localized browser or there is a Java virtual machine issue.
Environment
The collector, aggregator, and central manager are affected.

To resolve the problem, run restart GUI from the CLI prompt on the Guardium system. If that does not help, try the following actions.
Restart the system.

Uninstall and reinstall the Java virtual machine.
Uninstall and reinstall the browser.
Use a different browser.
Policies
Query does not appear in the co-relation alert definition
If the query does not appear in the co-relation alert definition, check the count field and sort by time stamp.
Rule does not trigger
If a rule with a value in the policy command field does not trigger as expected, reconfigure the rule.
Redact function causes overly masked result
If the redact function causes an overly masked result, use the regular expression [\x0c]{1}[0-9]{8}([0-9]{4}).
SSH sessions and automated CRON jobs that log in to your Oracle database are shown as failed logins
If SSH sessions and automated CRON jobs that log in to your Oracle database are shown as failed logins, amend the policy.
The Guardium internal database is filling up
If the Guardium internal database is filling up, you can purge the data manually or as part of the regular purge strategy.
Query does not appear in the co-relation alert definition

If the query does not appear in the co-relation alert definition, check the count field and sort by time stamp.
Symptoms
You created an access query for creating a co-relation alert. However, in the co-relation alert definition, this query does not appear in the drop-down list.
Causes
The co-relation alert search in the report is based on the time stamp.

Environment
The collector and aggregator are affected.

Mark the Add Count check box and sort by time stamp.

Symptoms
Rules with a value in the policy Command field do not trigger as expected.
Causes
The cause is a misconfiguration in the command field. The Guardium parser does not consider the command modifiers to be a part of a command.
Environment
Guardium Collectors. The command field in the policy rule is also affected when it is used with wildcard (%).

The value in the Command field of the rule must match a value exactly that is shown in SQL Verb, plus a wildcard (%) as needed. This example is correct.
GRANT
GRANT%
This example is incorrect.
GRANT% TO PUBLIC
%GRANT% ADMIN OPTION%
ADMIN OPTION and TO PUBLIC do not match and cannot trigger a rule because the Guardium parser does not recognize them as a part of a command. Generally, the
parser does not consider command modifiers to be part of a command. Instead, create a report to inspect the traffic that the policy monitors and include the SQL Verb
field from the Command entity in that report. Anything that is listed in the SQL Verb field is recognized by the parser and can be used in the Command field of a policy rule.
Several commands can be added to a group and the group can be used in the rule instead of a single command. In this case, each group member must match an entry in
SQL Verb. Guardium includes several such command groups that you can use or clone.
Redact function causes overly masked result

If the redact function causes an overly masked result, use the regular expression [\x0c]{1}[0-9]{8}([0-9]{4}).
Symptoms
The redact function causes an overly masked result or an ORA-03106 error in Oracle traffic.
Causes
The redact function in the Guardium policy rule is doing a pattern match with the result set. It has a feature to replace the matched string with the user specified character.
Environment
Guardium collectors are affected.

Use the regular expression [\x0c]{1}[0-9]{8}([0-9]{4}). This regular expression ensures that it starts with the length of the column followed by 12 digits and
replaces the last 4 digits.
SSH sessions and automated CRON jobs that log in to your Oracle database are shown as
failed logins
If SSH sessions and automated CRON jobs that log in to your Oracle database are shown as failed logins, amend the policy.
Symptoms
SSH sessions and automated CRON jobs that log in to your Oracle database through SQLPLUS and RMAN with /as sysdba show as failed logins.

Causes
Oracle responds to these logins with the following error on such attempts, even if it is not shown on the screen.
ORA-01-17: invalid username/password; logon denied.
This error triggers the failed login alert. For example, if the database user WRONGLOGIN is a member of the DBA group, and logs as sqlplus WRONGLOGIN as sysdba,
the database authentication of WRONGLOGIN fails. This failure causes the ORA-01-17 error alert to trigger and is reflected in the Guardium log. However, users with
sysdba privileges can connect to the database without database authentication so the session is allowed to continue. Both events are captured and recorded.
Environment

You can amend the policy to include an allow action before the rule that alerts about failed logins. Create an exception rule in the policy with the following conditions.
Client IP=<Server IP>

Source program = SQLPLUS
DB user in trusted group
OS user in group of Oracle DBAs
Net protocol = BEQUEATH (if local BEQUEATH, not TCP)
This rule skips the failed login alerts that are caused by the ORA-01-17 error but are still logged. To filter the failed login alerts out of the reports, add these conditions to
the end of the conditions list:
AND
(
client IP<>server IP OR
src prg <> SQLPLUS OR
db user NOT IN group of trusted OR
os user NOT IN group of oracle DBAs OR
net protocol <>BEQUEATH (if this is local BEQUEATH, not TCP )
)
The Guardium internal database is filling up

If the Guardium internal database is filling up, you can purge the data manually or as part of the regular purge strategy.
Symptoms
The Guardium internal database is filling up and most of the data is in the GDM_POLICY_VIOLATIONS_LOG table.
Causes
A change to the policy can cause a policy violation rule to be triggered frequently. You might find that most of the data is stored in the GDM_POLICY_VIOLATIONS_LOG
table.
Environment
The Guardium collector is affected.
Diagnosing the problem

Run the CLI command support show db-top-tables all.

Check the Policy Violations / Incident Management report to identify which policy rule is getting triggered constantly. Then, adjust the policy rule to prevent it from getting
triggered as often.
The excess data in the GDM_POLICY_VIOLATIONS_LOG table is purged as part of the regular purge strategy. However, if you would like to manually clean data from
GDM_POLICY_VIOLATIONS_LOG table, you can use the command support clean DAM_data policy_violations<start_date><end_date>.
Reports
Cannot modify the receiver table for an Audit Process after it has been executed at least once
If you cannot modify the receiver table for an audit process, clone the audit process and replace the original.
Cannot see multi-byte characters
If you export a Guardium report to PDF and the characters are not correct, switch the PDF font configuration.
File system is almost full
If the Guardium file system is almost full, change the log rotation strategy.
Guardium audit reports viewed in Microsoft Excel have rows with unexpected characters
If you view an Audit report in .csv and see rows with unexpected characters, use another .csv viewer or view it as a .pdf file.
Reports show IP address as 0.0.0.0

Request was interrupted or quota exceeded error message
If you receive an error message that states the request was interrupted or the quota was exceeded when you run a report, divide the report into pieces of shorter
reporting interval.
Scheduled Job Exceptions every 5 minutes
If you receive a Scheduled Job exception every 5 minutes, deactivate the alert from the Anomaly Detection page.
Scheduled jobs exception: merge required, delay executing process
If you receive an error message that states merge required, delay executing process, reschedule the Audit process.
The database user is not shown correctly in Guardium reports when you monitor Teradata
If Guardium reports do not show the database user correctly when you monitor Teradata, configure the Teradata Database.
Unexpected results in Guardium reports with embedded commands
If you receive unexpected results in Guardium reports, configure your policy rules to handle depth by using tuples.
Cannot modify the receiver table for an Audit Process after it has been executed at least once
If you cannot modify the receiver table for an audit process, clone the audit process and replace the original.
Symptoms
After an audit process runs at least once, you can neither remove nor add a receiver. You can also not modify the following properties for a receiver.
Action Req.
Cont.
Appv. if Empty
Causes
After an Audit Process runs at least once, the receiver table is locked and you cannot modify most of the properties.
Environment

The following steps enable you to modify the receiver table.
1. Clone the audit process.

2. Make changes to the cloned audit process.
3. Delete the original audit process. However, if you do not want to lose the audit process history, you can rename the audit process.
4. Rename the cloned audit process to the name of the original one.
Cannot see multi-byte characters

If you export a Guardium report to PDF and the characters are not correct, switch the PDF font configuration.
Symptoms
You can view reports in the GUI. However, when you export the report to PDF, the characters are not correct or missing. The characters appear as question marks or other
symbols in the PDF report.
Causes
The default font in Guardium PDF exports does not show multi-byte characters correctly. For example, Greek, Cyrillic, and Chinese characters do not display correctly.
Environment

In version 9 and later, switch the PDF font configuration to resolve the problem.
1. Log in as a user in the CLI.
2. Run the command store pdf-config multilanguage_support
3. Select 2 Multi-language.
File system is almost full

If the Guardium file system is almost full, change the log rotation strategy.

Symptoms
The file system is filling up and approaching 100%.
Causes
Alerts and reports are sent to the syslog and can fill up the file system.
Environment
The collector or aggregator might be affected.

By default, the log files rotate weekly and keep five files. However, you can change the log rotation strategy for the log files. Use the following command to keep fewer
messages in the system.
store logrotate [agg|message] [daily|weekly|monthly] [# of rotations]
Guardium audit reports viewed in Microsoft Excel have rows with unexpected characters
If you view an Audit report in .csv and see rows with unexpected characters, use another .csv viewer or view it as a .pdf file.
Symptoms
When you view an Audit report (in .csv format) in Microsoft Excel, you notice that certain rows are filled with unexpected characters. The characters might look similar to
what you find in the full SQL column. The problem is not seen in .pdf reports or in GUI reports.
Causes
Microsoft Excel has a limit on what a cell can contain of 32,767 characters. If your captured SQL is longer than this limit, it will spill over onto the next row.
Environment
The Collector, Aggregator, and Central Manager are affected.

Use another .csv viewer that has a larger limit on characters per cell or view the audit report as a .pdf file instead.
Reports show IP address as 0.0.0.0

Symptoms
The IP address shows as 0.0.0.0. in Guardium.
Causes
While Guardium is decrypting the traffic, the IP address is initially recorded as 0.0.0.0 because the sniffer does not know what the actual IP address is. After the
decryption is completed, a separate thread repopulates the session tables with the correct IP address.
Environment
Any database that encrypts the database traffic is affected.

Run the same report after a few minutes. To view the correct client IP for newer traffic, add the field Analyzed Client IP from the client/server domain to the report. It is
possible that for some rows, the Analyzed Client IP is blank. If it is blank, the decryption for that piece of traffic is not completed.
Request was interrupted or quota exceeded error message

If you receive an error message that states the request was interrupted or the quota was exceeded when you run a report, divide the report into pieces of shorter reporting
interval.
Symptoms
When you run a report in Guardium, you receive the following error message.Request was interrupted or quota exceeded.
Causes

The error message Request was interrupted or quota exceeded appears when an interactive report does not complete within the 3-minute time limit. The
underlying cause is generally the size of the report.
Environment

To resolve the problem, complete one of the following options.
Divide the report into pieces of a shorter reporting interval. This action is the most recommended method. If a report exceeds 4 GB, it causes a MYSQL table data
pointer size exhaustion.
Increase the query timeout value to a larger value. Click Manage > Activity Monitoring > Running Query Monitor to open the Running Query Monitor.
Uninstall and reinstall the browser. Type a number of seconds in the Report/Monitor Query Timeout box, and click Update.
Run the report in the background. Reports that run in the background are not subject to the query timeout.
Run the report as an audit process.

Symptoms
Rules with a value in the policy Command field do not trigger as expected.
Causes
The cause is a misconfiguration in the command field. The Guardium parser does not consider the command modifiers to be a part of a command.
Environment
Guardium Collectors. The command field in the policy rule is also affected when it is used with wildcard (%).

The value in the Command field of the rule must match a value exactly that is shown in SQL Verb, plus a wildcard (%) as needed. This example is correct.
GRANT
GRANT%
This example is incorrect.
GRANT% TO PUBLIC
%GRANT% ADMIN OPTION%
ADMIN OPTION and TO PUBLIC do not match and cannot trigger a rule because the Guardium parser does not recognize them as a part of a command. Generally, the
parser does not consider command modifiers to be part of a command. Instead, create a report to inspect the traffic that the policy monitors and include the SQL Verb
field from the Command entity in that report. Anything that is listed in the SQL Verb field is recognized by the parser and can be used in the Command field of a policy rule.
Several commands can be added to a group and the group can be used in the rule instead of a single command. In this case, each group member must match an entry in
SQL Verb. Guardium includes several such command groups that you can use or clone.
Scheduled Job Exceptions every 5 minutes

If you receive a Scheduled Job exception every 5 minutes, deactivate the alert from the Anomaly Detection page.
Symptoms
You receive the same message in the Scheduled Jobs Exceptions report at regular short intervals, typically every 5 minutes. This interval is the same as the polling interval
that anomaly detection runs on.
An example of the Scheduled Jobs Exceptions report might look like the following.
Timestamp Exception Description Count of Exceptions

2013-12-05 15:51:22.0 java.lang.NumberFormatException: empty String 1
The same exception appears every 5 minutes.
Causes
One of the active alerts is causing the error.
Environment
Guardium collectors and the Aggregator are affected.

You can check the polling interval and active alerts in the Anomaly Detection page. Click Protect > Database Intrusion Detection > Anomaly Detection to open the Anomaly
Detection page.

Identify the exact alert that is causing the problem and deactivate it.
1. Deactivate one alert from the Anomaly Detection page.
2. Wait for the length of the polling interval to elapse.
3. Check to see whether the errors stop with that alert deactivated.
4. If not, reactivate the alert and deactivate the next one.
5. Repeat steps 2-5 until you try all alerts.
If you find the alert that is causing the problem and need assistance to understand or stop the error, contact IBM Guardium Technical Support and provide the following
items:
1. The exact error text and screen capture.
2. Output of the following CLI commands. If requested, specify the length of one polling interval.
support must_gather app_issues
support must_gather alert_issues
Scheduled jobs exception: merge required, delay executing process

If you receive an error message that states merge required, delay executing process, reschedule the Audit process.
Symptoms
You receive the following message. Merge required, delay executing Process. You might receive several of these messages over a short period.
Causes
The audit process requires the merge process to finish before it can run.
Environment
The aggregator is affected.

Click Reports > Guardium Operational Reports > Aggregation/Archive Log to open the Aggregation/Archive Log. You can also diagnose the problem in agg_progress.log.

Reschedule the audit process to run at least 10 minutes after the merge process.
The database user is not shown correctly in Guardium reports when you monitor Teradata
If Guardium reports do not show the database user correctly when you monitor Teradata, configure the Teradata Database.
Symptoms
When you view records from the monitored Teradata Database in Guardium reports, the database user name field does not show up as expected. The user name is
truncated or missing.
Causes
The Teradata Database is not enabled to return the full user name.
Environment
Any Guardium collector that captures data from the Teradata database is affected.

Use the following command to enable the Teradata Database to return the full user name, in the correct character set, to the monitoring application. Other applications are
not affected.

gtwcontrol -u yes -d
The -d command displays the updated GDO settings.
Note: This setup returns the user name in unencrypted form. If encryption is enabled, the system returns an error message.
Unexpected results in Guardium reports with embedded commands

If you receive unexpected results in Guardium reports, configure your policy rules to handle depth by using tuples.
Symptoms
You see results in your reports that you do not expect or that you believe should be filtered out by the policy. Conversely, you do not capture statements that you expect to
capture.
Causes
The SQL usually has several objects and commands that are embedded in the statement. The policy or report definition is not configured to deal with objects or
commands at different depths.
Environment

Verify that your conditions match the correct object name. Use the correct main entity to show objects or SQL verbs at different depths. If you still see unexpected
behavior, use the group builder to define a group of tuples to use in the policy. A tuple allows multiple attributes to be combined to form a single group member.
Note: Tuple supports the use of one slash and a wildcard character (%). It does not support the use of a double slash.
Assess and Harden

CAS is not working with Java 1.7 on Windows
If Guardium change audit system is not working with Java version 1.7 on Windows, copy msvcr100.dll to your CAS bin folder.
Vulnerability Assessment exception group members appear in failed test
If members of a test exception group appear in a failed vulnerability assessment test, use an escape sequence for the backslash character.
CAS is not working with Java 1.7 on Windows

If Guardium change audit system is not working with Java version 1.7 on Windows, copy msvcr100.dll to your CAS bin folder.
Symptoms
Guardium CAS works with older Java versions but not with Java 1.7.
Causes
msvcr100.dll is missing from <GUARDIUM STAP directory>\cas\bin\
Environment
Guardium CAS on Windows is affected.

To resolve the problem, complete the following steps.
1. Find the path where Java 1.7 is installed on your system such as C:\Program Files (x86)\Java\jre7\bin
2. Find the location of the library jvm.dll within the Java path found in the previous step.
3. Edit the cas.cfg file in the <CAS directory>\conf directory. For example, C:\Program Files (x86)\GUARDIUM_STAP\cas\conf\cas.cfg is a typical file path.
4. Find the line corresponding to the JVM such as ;JVM=c:\program files\java\jre1_2_3\bin\client\jvm.dll.
5. Remove the semicolon from the beginning of the line. Then, set the JVM to the path of the library jvm.dll in step 2. JVM=C:\Program Files
(x86)\Java\jre7\bin\server\jvm.dll.
6. Copy msvcr100.dll from the bin folder in your Java 7 installation directory to your <CAS directory>\bin folder. For example, copy C:\Program Files
(x86)\Java\jre7\bin\msvcr100.dll to C:\Program Files (x86)\Guardium\GUARDIUM_STAP\cas\bin\msvcr100.dll.
7. Restart the change audit system.
Note: This is only needed for Java version 1.7. For older versions of Java, this step is not needed.
Parent topic: Assess and Harden
Vulnerability Assessment exception group members appear in failed test

If members of a test exception group appear in a failed vulnerability assessment test, use an escape sequence for the backslash character.
Symptoms
Some members of a test exception group appear in the details field when you run a vulnerability assessment. The group contains members with a backslash character and
a REGEX tag such as (R)US\John Doe.
Causes
Special characters can trigger errors when Guardium parses the exception group.
Environment

Use an escape sequence for the backslash character or do not use the REGEX tag (use an exact match). Either of these examples work.
US\John Doe
(R)US\\John Doe
The REGEX tag (R) is used to trigger a regular expression search of the details field to remove any string that matches the regular expression. A backslash or any other
character that has a meaning in a regular expression needs a backslash escape sequence to avoid parsing errors. If you do not use the (R) tag, the group member must
exactly match the entire line in the details field for Guardium to make a match. To pass the vulnerability test, the details field of the test must be empty.
Parent topic: Assess and Harden

Cannot configure STAP after upgrade
Configure S-TAP in Guardium after you upgrade S-TAP.
Guardium fails to recognize the network device VMXNET x
If Guardium fails to recognize the network device VMXNET x, install Guardium on a virtual machine and add the network adapter.
Guardium network interface error after system board replacement
If you receive an error message after a hardware repair, reset the network parameters.
Guardium virtual machine is not accessible from the network
If the Guardium virtual machine is not accessible from the network, run the command store network interface inventory and restart the system.
SSLv3 is enabled
If you receive a warning that SSLv3 is enabled, disable SSLv3 to prevent the POODLE exploit.
Cannot configure STAP after upgrade

Configure S-TAP in Guardium after you upgrade S-TAP.
Symptoms
After you upgrade S-TAP using the Guardium Installation Manager (GIM), you cannot configure the database path parameters in the Inspection Engine in Guardium even
though the installation results for the module show as successful.
Causes
K-TAP is not properly upgraded if the new S-TAP is installed as a fresh module. Because the old K-TAP module is not removed, there is a protocol mismatch between the
old K-TAP module and the new S-TAP.
Environment
S-TAP installed in UNIX and Linux such as AIX, HP-UX, Linux, and Solaris.

To diagnose the problem, run the guard_diag utility to collect must gathering data for Guardium S-TAP.
The following lines are seen in the syslog file.
STAP and KTAP Protocol Version Mismatch,

Exit!!!!!: No such file or directory
Tap_controller::init failed
GUARD-01: Error Initializing STap
The modules log file lists the old K-TAP. For example: ktap_24276 338760 0

To resolve the problem, follow these steps in the GIM modules installation pane.
1. Set K-TAP Live Update to Y.

2. Set K-TAP_ENABLED to Y and reinstall the new S-TAP.
Guardium fails to recognize the network device VMXNET x

If Guardium fails to recognize the network device VMXNET x, install Guardium on a virtual machine and add the network adapter.
Symptoms
Guardium fails to recognize the network device VMXNET x during the installation on VMware. You receive the error eth0: unknown interface: No such device
when you install Guardium on VMware as a guest. The error message appears after you restart the system.
Causes
VMXNET x virtual network adapter requires a specific driver that is only contained in VMware tools and no operating system has the driver. Guardium is running on Linux
and the installer does not have a driver for VMXNET x.
Environment
The Guardium system is affected.

Resolve the problem by completing the following steps.
1. Create a virtual machine on VMware by using a default network adapter such as E1000 or Flexible.
2. Install Guardium on the virtual machine.
3. Install the current GPU cumulative patch for Guardium.
4. After the installation, log on to the CLI console and run the command setup vmware_tools install to install VMware tools.
5. Shut down the Guardium system from the CLI console with the command stop system.
6. Edit the virtual machine settings with a VMware client tool such as VMware Infrastructure Client. Select the current network adapter and remove it.
7. Add the network adapter called VMXNET.
8. Restart the Guardium system.
Guardium network interface error after system board replacement

If you receive an error message after a hardware repair, reset the network parameters.
Symptoms
After a hardware repair such as replacing the system board on the Guardium appliance, the network connectivity is lost. The following error message occurs for each
network interface when the appliance is rebooted.
rtnetlink answers: no such device
Causes
After you replace the system board, the MAC address will change. This change causes a disparity between the actual MAC address and what is stored in the interface
configuration files.
Environment
Any Guardium appliance (collector, aggregator, or central manager) on which the system board has been replaced and all Guardium versions are impacted.

Log in to the appliance from the console as user CLI and reset the network parameters by running the following commands.
store network interface inventory

restart network
store network interface ip<IP_address>
store network interface mask<netmask>
store network routes defaultroute<gateway_address>
restart network
If the problem is still not resolved, contact Guardium Support for manual intervention.
Guardium virtual machine is not accessible from the network

If the Guardium virtual machine is not accessible from the network, run the command store network interface inventory and restart the system.
Symptoms

You implemented a new Guardium system as a virtual machine and performed all the required initial network configuration. However, you cannot ping the system using
the IP address and the system is not accessible in the network.
Causes
The MAC address assigned to the virtual machine by the virtual environment does not match the MAC address in Guardium.
Environment

To diagnose the problem, ping the IP address on a network. Use the command ping<appliance's ip address>. If it fails, show the MAC address for the system.
1. Log in as user "cli" .

2. Run the command show network macs to show the MAC address stored in the Guardium configuration.
3. From the administration utility for your virtual environment, check the MAC address for the virtual machine.
a. Open the VMWare Workstation.
b. Right-click the virtual machine and select Settings or Properties to open the Virtual Machine Settings.
c. Select Network Adapter under Hardware.
d. Click Advanced to open the Network Adapter Advanced Settings.
e. Compare the MAC address from steps 2 and 3.

To resolve the problem, complete the following steps.
1. Log in to the Guardium system as user "cli".

2. Run the command store network interface inventory.
3. Enter y to reset the NICs.
4. Restart the system with the command restart system.
SSLv3 is enabled
If you receive a warning that SSLv3 is enabled, disable SSLv3 to prevent the POODLE exploit.
Symptoms
You receive the following warning: SSLv3 is enabled.
Causes
SSLv3 contains a protocol vulnerability known as Padding GuardiumÂ® On Downgraded Legacy Encryption (POODLE). If SSLv3 is enabled on your system, this vulnerability
allows attackers to force an SSL/TLS fallback to SSLv3, break the encryption, and intercept network traffic in plaintext. The vulnerability is detailed in the National
Vulnerability Database as CVE-2014-3566.
Guardium recommends disabling SSLv3 on all systems to prevent the POODLE exploit, and SSLv3 is disabled by default on new Guardium systems. However, older
systems and some upgrade scenarios may leave SSLv3 enabled.
This topic describes how to check the status of SSLv3 and disable it if necessary.
Attention: Disabling SSLv3 can disrupt connectivity between a Guardium v10 Central Manager and some managed units running Guardium v9 before GPU 500. If you have
a mixed environment with managed units running Guardium v9 before GPU 500, either upgrade the managed units to GPU 500 or apply patch 9501 before disabling
SSLv3.

1. Verify the status of SSLv3 using the following CLI command: show sslv3.
If the output indicates SSL setting is disabled, SSLv3 is disabled. No additional steps are required to disable SSLv3.
If the output indicates SSL setting is enabled, SSLv3 is enabled. Continue with this procedure to disable SSLv3.
2. Disable SSLv3 using the following CLI command: store sslv3 off. The command output should be similar to the following:
Current SSL setting is enabled. Will change to disabled.

Restarting gui
Changing to port 8443
From port 8443
Stopping.......
ok
3. Verify that SSLv3 is now disabled: show sslv3. The output should now indicate SSL setting is disabled.
Access Management

Cannot log in to Guardium except as admin or accessmgr
If you cannot log in to the Guardium GUI except admin or accessmgr, check the authentication configuration settings.
Guardium accessmgr password reset
If you lose the accessmgr password and cannot log in, contact Guardium support.
Cannot log in to Guardium except as admin or accessmgr

If you cannot log in to the Guardium GUI except admin or accessmgr, check the authentication configuration settings.
Symptoms
You are unable to log in to Guardium with any user except admin or accessmgr. You see an invalid user name or password error despite using the correct user and
password as defined by accessmgr. You receive the following error message. Invalid user name and/or password. Please reenter your credentials..
Causes
The authentication setting is not configured as local.
Environment

To solve the problem, change the authentication setting to local. This action enables you to log in as any user defined in the accessmgr.
Parent topic: Access Management
Guardium accessmgr password reset

If you lose the accessmgr password and cannot log in, contact Guardium support.
Symptoms
You lost the Guardium accessmgr password and cannot log in to the GUI. The account is also locked after successive failed attempts.
Causes
Guardium prohibits multiple failed login attempts.
Environment

Log in to the CLI and run the following command: support reset-password accessmgr<N>|random.
You can use <N> or random where <N> is a number in the range of 10000000 - 99999999. Random automatically generates a number in the range of 10000000 -
99999999. Open a PMR with IBM Guardium support and send the following output.
G10.ibm.com> support reset-password accessmgr random

Password for accessmgr account have been successfully reset using keyword:<passkey>
Please provide these number to Guardium Customer Service to receive actual account password.
ok
After you receive the new password, unlock the account.
1. Use the following command to unlock the account. unlock accessmgr.

2. Log in as accessmgr and edit the accessmgr details to enter a temporary password.
3. Log in again with the temporary password.
4. When you are prompted, enter a new password.
Parent topic: Access Management
Aggregation
Cannot convert Guardium collector to aggregator
If you cannot convert a Guardium collector to a Central Manager aggregator, reinstall Guardium and select aggregator during installation.
Data Export configuration change from a Guardium managed system's GUI fails with error
If a Data Export configuration change fails, make sure that the shared secret key is the same on the collector and aggregator.
Difference between audit process results and report
If there is a difference between your audit process results and the report, check that all appliances are set to the same timezone.
HY000 errors after restoring the configuration in an aggregator
If you receive HY000 errors after you restore the configuration in an aggregator, run a dummy import.

Cannot convert Guardium collector to aggregator
If you cannot convert a Guardium collector to a Central Manager aggregator, reinstall Guardium and select aggregator during installation.
Symptoms
You try to convert a Guardium collector to an aggregator with the command store unit type manager aggregator.
However, the following command shows that the unit type is still listed as manager.
> show unit type

Manager
Causes
A collector cannot be converted to an aggregator with a CLI command.
Environment

To convert a collector to an aggregator, reinstall the Guardium product and select aggregator as the unit type during installation. After you install the aggregator, you can
convert it to a central manager aggregator with the command store unit type manager.
Central Manager/Aggregator enforcement

Starting with v9.5 (v9.0 patch 500), the application will enforce that a Central Manager has to be an Aggregator-type appliance. This would mean that starting with
v9.5, only aggregator-type appliances would be promotable to the Central Manager appliance. Pre-existing pre-v9.5 CM appliances are not subject to this change.
Parent topic: Aggregation
Data Export configuration change from a Guardium managed system's GUI fails with error
If a Data Export configuration change fails, make sure that the shared secret key is the same on the collector and aggregator.
Symptoms
You attempt to save new settings for the data export and get the error when you click Apply to save the configuration:
Please correct the following errors and try again:

A test data file could not be sent to this host with the parameters given. Please confirm the hostname or IP address is entered
correctly, the host is online, the target directory exists and can be written to by the user given, and the password given is
correct for that user.
Causes
Guardium attempts to log in with scp to the target host with the user and password that are specified in the Data Export configuration. Then, Guardium attempts to copy a
test file to the target directory. The shared secret on this system does not match the Shared Secret on the aggregator you are trying to set this system to export to.
Environment
The Guardium configurations: collector and aggregator are affected.

Make sure that the shared secret key is the same on the collector and aggregator. You can use one of the following methods:
1. If you know the shared secret on the aggregator, set the shared secret on the collector to the same value. You can use one of these methods:
From CLI: use command store system shared secret to set the Shared secret key
From GUI, set the shared secret key under Setup > System > System Configuration.
2. Back up the current shared secret on the aggregator and restore it to the collector.
On the aggregator, run the CLI command.
aggregator backup keys file <user@host:/path/filename>

Parameters
user@host:/path/filename
For the file transfer operation, specify a user, host, and full path name for the backup keys file. The user that you specify must have the authority to write to
the specified directory.
On the collector, run this command to restore the shared secret key:
aggregator restore keys file<user@host:/path/filename>
3. Reset the shared secret for both appliances to be the same.

Note: If you change the shared secret for the aggregator, you need to reset the shared secret for all other Guardium systems that export to it.
Difference between audit process results and report

If there is a difference between your audit process results and the report, check that all appliances are set to the same timezone.
Symptoms
You set a report to run on the aggregator as part of an audit process with time parameters, for example, Start of Last Day and End of Last Day. When you look at the results
of that report, the first time stamps are always at a set tme after 00.00 for example, 02.00. Additionally the last time stamps are always at a set time before 23.59 for
example, 21.59. However, when you run the report interactively, the time stamps are shown as expected.
Causes
The collector and aggregator time zones might not be set the same.
Environment

Check that all appliances are set to the same timezone. Use the following command. show system clock timezone.

If the collector and aggregator are not set in the same timezone, configure the timezone of the appliances with the CLI.
store system clock timezone list

store system clock timezone <timezone>
Verify that the time is correct on the appliance with the following commands.
show system clock datetime

store system clock datetime
The datetime can also be synchronized by using an NTP server with the following commands.
show system ntp all

store system ntp state
store system ntp server
HY000 errors after restoring the configuration in an aggregator

If you receive HY000 errors after you restore the configuration in an aggregator, run a dummy import.
Symptoms
When you restore the configuration of an aggregator or the Central Manager, you receive one or both of these messages.
ERROR 1031 (HY000) at line 1: Table storage engine for 'GUARD_USER_ACTIVITY_AUDIT' doesn't have this option
ERROR 1031 (HY000) at line 1: Table storage engine for 'AGGREGATOR_ACTIVITY_LOG' doesn't have this option
Causes
This error condition can occur if there is a temporary mismatch in the internal databases.
Environment

To resolve the problem, run a dummy import.
Central Management
A user is disabled in a Guardium managed unit, but shows as enabled on Central Manager
If a user is disabled in a Guardium managed unit but shows as enabled on Central Manager, run the Portal User Sync.
Central Manager does not recognize the new version of upgraded units
If the Central Manager does not recognize the new version of upgraded units, select the upgraded units and refresh the page.
Scheduled tasks do not fire at the scheduled time
If scheduled tasks do not fire at the scheduled time, schedule the import time to run after the portal user sync.
Torque exception in Central Management view of GUI
If there is a torque exception in Central Management, delete the custom group and create a new group.
A user is disabled in a Guardium managed unit, but shows as enabled on Central Manager

If a user is disabled in a Guardium managed unit but shows as enabled on Central Manager, run the Portal User Sync.
Symptoms
A user is disabled in the managed unit. The user's account is re-enabled in the Central Manager but the user is still showing as disabled in the managed unit. The user's
account shows as enabled in the Central Manager.
Causes
The user's account in the Central Manager is not synchronized with the managed unit.
Environment
A combination of the Central Manager, collector, or aggregator might be affected.

To synchronize the current user status between the Central Manager and the managed unit, run a Portal user sync.
1. Log in to the Central Manager as an admin user.

2. Click Manage > Central Management > Portal User Sync to open the Portal User Synchronization.
3. Click Run Once Now.
If the user's account between the managed unit and the Central Manager is still not synchronized, contact the IBM Guardium Technical Support for assistance.
Central Manager does not recognize the new version of upgraded units
If the Central Manager does not recognize the new version of upgraded units, select the upgraded units and refresh the page.
Symptoms
The Central Manager might not immediately recognize the new version of an upgraded aggregator or collector it manages. Pushing a patch from the Central Manager,
which requires the new version, can result in an error that shows the unit is still at the previous version.
The managed unit's old version still displays in the Central Management view of the GUI. The unit ping times in that view, which implies good communication between the
Central Manager and managed units.
Causes
The GUI needs to be refreshed to pull the new version information.
Environment
The Guardium Central Manager is affected.

In the Central Management view of the GUI, select the upgraded units and push Refresh. This action pulls the new version information from the units.
Scheduled tasks do not fire at the scheduled time

If scheduled tasks do not fire at the scheduled time, schedule the import time to run after the portal user sync.
Symptoms
Import fails and you receive the following message in agg_progress.log.
* 05/20 04:00:01 --- Import cannot start

(guard_agg|turbine_backup.sh|restore_from_file.pl already running)
* 05/20 20:00:46 --- Merge cannot start - aggregation still active
Causes
There is a conflict with the Central Manager portal user sync.
Environment

Find out which task is running in the background. Click Reports > Guardium Operational Reports > Aggregation/Archive Log to open the Aggregation/Archive Log.

To resolve the problem, schedule the import time to run after the portal user sync. Run the portal user sync every hour and the import time 30 minutes after that time.
Torque exception in Central Management view of GUI

If there is a torque exception in Central Management, delete the custom group and create a new group.
Symptoms
Selecting a certain custom group in the Central Management view of the Guardium GUI displays an error instead of the managed units in the group.
org.apache.torque.TorqueException: Failed to select one and only one row.
After the exception appears, it shows for any group or view under the Central Management tab. The exception even appears for groups that were previously working until
you log out of the GUI and log back in.
Causes
This torque exception might occur if one of the managed units in the group was unregistered from the managed unit instead of the Central Manager.
Environment
Guardium Central Manager is affected.

Delete the custom group and create a new group that contains the same members.
S-TAPs and other agents

AIX 6.1 fails when you install or upgrade IBM Security Guardium S-TAP
If the operating system fails when you install or upgrade Guardium S-TAP on AIX 6.1, apply the Fix Packs AIX 6.1.
Error opening shared memory area when you configure Guardium COMM_EXIT_LIST for DB2
If you receive an error message when you configure Guardium COMM_EXIT_LIST, authorize the DB2 instance owner with the guardctl command.
Guardium fails to collect shared memory traffic from Informix
If Guardium fails to collect shared memory traffic from Informix, check the inspection engine configuration.
High CPU and I/O Use in Guardium STAP host
If you observe a high CPU or I/O usage, review the configuration for all of the inspection engines.
Missing information from the login packet
If you are missing information from the login packet, collect the S-TAP debug trace and slon trace.
Nanny process is killing sniffer
If the nanny process is killing the sniffer, you might have too much traffic coming in.
Sniffer cannot connect to UNIX S-TAP
UNIX S-TAP cannot start
If a UNIX S-TAP cannot start, its buffer size might be too large.
S-TAP does not start automatically on Linux
If the S-TAP agent for DB2 or Oracle does not start automatically on Linux, check for the /etc/event.d/ directory.
S-TAP returns not FIPS 140-2 compliant
If you receive an error that about FIPS 140-2, change the configuration through the S-TAP Control page.
The K-TAP kernel module is still present after the uninstallation of S-TAP
If the K-TAP kernel module is still present after the uninstallation of S-TAP, manually remove it.
UNIX S-TAP cannot read more than 16 inspection engines
If UNIX S-TAP cannot read more than 16 inspection engines, change listening port parameters or use PCAP.
Windows S-TAP service crashes on startup with error ID 1000
If the S-TAP crashes with error ID 1000, check the SOFTWARE_TAP_IP parameter in the guard_tap_ini configuration file.
z/OS S-TAP fails to show active the Guardium system
If z/OS S-TAP fails to show active on the Guardium system, restart the inspection-core.
AIX 6.1 fails when you install or upgrade IBM Security Guardium S-TAP
If the operating system fails when you install or upgrade Guardium S-TAP on AIX 6.1, apply the Fix Packs AIX 6.1.
Symptoms
The operating system fails when you install or upgrade Guardium S-TAP on AIX 6.1. The AIX crash memory dump shows the following stack trace.
Error ID: DD11B4AF Resource Name: SYSPROC

Detail Data: 00007FFFFFFFD080 0000000000473260
0000000000020000 8000000000029032
Symptom Information:
Crash Location: [0000000000473260] execvex_common+1880
Component: COMP Exception Type: 131
Stack Trace:

[0000000000473260] execvex_common+1880
[000000000047744C] execve+A8
[F1000000C083E84C] my_execve+424
Causes
This crash is a known issue in AIX version 6.1 due to a system crash in the execvex_common code path.
Environment
Any S-TAP to be installed in AIX 6.1 Operating System is affected.

To apply the Fix Pack AIX 6.1 6100-08-04 and resolve the problem, see http://www-01.ibm.com/support/docview.wss?uid=isg1IV50179
Parent topic: S-TAPs and other agents
Error opening shared memory area when you configure Guardium COMM_EXIT_LIST for DB2
If you receive an error message when you configure Guardium COMM_EXIT_LIST, authorize the DB2 instance owner with the guardctl command.
Symptoms
After you configure DB2 COMM_EXIT_LIST to use Guardium libguard and restart the DB2 server, you get the following error in the DB2 diag log.
2013-06-28-11.41.12.306169-300 E870950E486 LEVEL: Severe

PID : 15764 TID : 139905833363200 PROC : db2sysc 0
INSTANCE: db2001 NODE : 000
APPHDL : 0-16
HOSTNAME: dbhost1
EDUID : 54 EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, DRDA Communication Manager, sqljcCommexitLogMessage,
probe:234
DATA #1 : String with size, 91 bytes
WARNING: Shmem_access /.guard_writer0 failed Error opening shared memory area errno=2 err=8
Causes
The following message indicates that the Guardium library was unable to create the shared memory device that it requires.
Shmem_access /.guard_writer0 failed

Error opening shared memory area
errno=2
err=8
The DB2 instance owner must be added as an authorized user using the guardctl command.
Environment
Guardium collectors that use DB2 Exit (Version 10) Integration with S-TAP are affected.

The DB2 instance owner must be added as an authorized user by using the guardctl command.
1. Stop the DB2 instance.
2. Authorize the DB2 instance owner.
3. Start the DB2 instance.
If the Guardium Installation Manager (GIM) is not installed, authorize the DB2 instance owner with the following command.
<guardium_installdir>/bin/guardctl authorize-user<db2 instance owner>
If the Guardium Installation Manager (GIM) is installed, authorize the DB2 instance owner with the following command.
<guardium_installdir>/modules/ATAP/current/files/bin/guardctl authorize-user<db2 instance owner>
For example, if the DB2 instance owner is db2001 and GIM is installed in /usr/local/guardium, the command is
/usr/local/gim/modules/ATAP/current/files/bin/guardctl authorize-user db2001.
Guardium fails to collect shared memory traffic from Informix

If Guardium fails to collect shared memory traffic from Informix, check the inspection engine configuration.
Symptoms
Guardium S-TAP does not collect shared memory traffic from Informix.
Causes

The inspection engine is not correctly configured.
Environment
Any S-TAP collection from any Informix system can be affected.

Check the inspection engine configuration under Manage > Activity Monitoring > S-TAP Control. Ensure that the value in the Process Name field matches the result of the
following command on the database server.
ls -lrt /INFORMIXTMP/.inf.*
Informix: /INFORMIXTMP/.inf.sqlexec Applies to all Informix platforms but Linux. For Informix with Linux, example: /home/informix11/bin/oninit
Informix must be running for this command to return a value.
For Linux servers using A-TAP, A-TAP must be configured to collect any shared memory traffic. Set the value to the same value as the --db-info parameter in the A-TAP
configuration before you activate A-TAP.
High CPU and I/O Use in Guardium STAP host

If you observe a high CPU or I/O usage, review the configuration for all of the inspection engines.
Symptoms
You observe a high CPU or I/O usage by the Guardium S-TAP process.
Causes
The following items are common causes.
1. An error in the configuration of one of the inspection engines. If there are errors in an inspection engine, the S-TAP process restarts frequently or tries to reconnect
to the inspection engine repeatedly.
2. The K-TAP portion of the S-TAP is sending connection information along with a confirmation request to the S-TAP. This step is causing delays.
3. ORACLE RAC is used, but the unix_domain_socket_marker parameter is not set in the S-TAP configuration file to avoid monitoring potentially large amounts of
Oracle RAC traffic.
4. The User ID Chain (UID chain) feature is enabled, for example, parameter hunter_trace=1 in the S-TAP configuration file. Hunter trace is used for UID chain and can
be quite CPU intensive for S-TAP.
5. The firewall is enabled (firewall_installed=1). This firewall forces S-TAP to request verdicts for each new session that is observed which can hurt S-TAP
performance.
Environment
S-TAP installed in AIX

Based on the cause, take the corresponding actions.
1. Review the configuration for all of the inspection engines and make sure that there are no errors in any of the parameters. For example, make sure the database
installation directory, executable, ports, and any other parameters applicable to your inspection engine are correctly set with no misspellings or wrong values.
2. Set S-TAP configuration parameter ktap_fast_tcp_verdict to 1 (ktap_fast_tcp_verdict = 1 in the guard_tap.ini configuration file) and restart the S-TAP. Here are the
possible settings.
ktap_fast_tcp_verdict=0: KTAP confirms that the session is the database connection that the inspection engine configured by checking ports and Ips.
ktap_fast_tcp_verdict=1: KTAP does not send the request to S-TAP while the session's ports are in the range.
3. Disable the UID Chain feature if not needed by setting hunter_trace=0 and restarting the S-TAP.
4. Set firewall_installed=0 if SGATE is not needed and restart the S-TAP.
Missing information from the login packet

If you are missing information from the login packet, collect the S-TAP debug trace and slon trace.
Symptoms
You encounter issues in Guardium relating to missing information from the login packet such as database user name, source program, or database name.
Causes
Login packets might miss information when the session is too short.
Environment

The Guardium collector is affected.

Collect the S-TAP debug trace on the database server where the Guardium S-TAP is installed and the slon trace on the collector.
Refer to the Technotes in the Related URL section for details on collecting each of these traces.
1. Run both traces at the same time.

2. Generate a new database session that re-creates the issue while both traces are running. Login packets are only sent when the database connection is open.
3. Add session start, client port, and server port to your existing report. Refresh the report after you re-create the issue with the new connection.
4. Confirm that the traces are running during the session by checking the session start.
5. Leave the session open for at least 5 minutes to allow the sniffer to analyze the login packets.
6. Send the session with the missing fields. State the application name you used to generate the session, database name, DB user you connected as, type of
connection, SQL statement, and any other pertinent details.
7. Collect the S-TAP debug trace file on the database server, the slon trace on the Guardium collector, and the current sniffer must gather.
Nanny process is killing sniffer

If the nanny process is killing the sniffer, you might have too much traffic coming in.
Symptoms
A message similar to the following is reported one or more times in Guardium system log (messages) or Alerts:
Nanny process error condition. The nanny process killed the sniffer. VmData was number and was over the limit.
Causes
The sniffer memory usage reached over 90% of the available memory and the nanny process has restarted it, which is expected behavior of the product.
Environment
Guardium collector

If you are observing this message frequently, there is too much traffic coming to the Guardium system. Reduce traffic to this Guardium system to resolve this message. For
example, you may move some STAPs to a collector with less load, ignore some traffic in your policy, or implement load balancing to spread the traffic among more than
one collector.
If the message is observed on very few occasions, it is most likely a momentary spike in traffic. To resolve the message, identify the reason for the spike and avoid the
trigger. For example, you can review which processes were running at that time, identify the ones generating more traffic. If this message always coincides with a
particular process or processes running, reduce the concurrent traffic at that time. For example, you can move heaviest process to run at a different time, or ignore some
of this traffic through a policy.
Sniffer cannot connect to UNIX S-TAP

Symptoms
When you specify a different number of threads, such as 20, by using the command snif -t 20, the sniffer cannot connect to the UNIX S-TAP. In the GUI console, the status
of the S-TAP is inactive.
Causes
The sniffer starts with six threads by default. When the number of threads exceeds the limitation, the sniffer cannot connect to the UNIX S-TAP because of undefined
behavior.
Environment
UNIX S-TAP is affected.

Reduce the number of threads to make sure that the connection can be established successfully.
UNIX S-TAP cannot start

If a UNIX S-TAP cannot start, its buffer size might be too large.
Symptoms

The S-TAP cannot start and issues the following messages:
mmap: Not enough space

Can't initialize: Can't mmap buffer file /tmp/stapbuf/192.168.100.107.0.buf
Error Initializing: Stap cannot initialize SQLGuard queue
Causes
The S-TAP is unable to allocate enough memory to match the buffer file.

Reduce the buffer file size for the S-TAP. The size is specified in the buffer_file_size parameter in the guard_tap.ini file.
S-TAP does not start automatically on Linux

If the S-TAP agent for DB2 or Oracle does not start automatically on Linux, check for the /etc/event.d/ directory.
Symptoms
The S-TAP process does not automatically start on Linux even though the /etc/inittab file shows a correct U-TAP entry.
Causes
Various Linux distributions such as RedHat 6 deprecated the use of the traditional init daemon that uses the etc/inittab file. They replaced it with an init process called
upstart. Upstart uses the /etc/event.d and /etc/init directories for the automated start, stop, and respawn of processes such as U-TAP.
The S-TAP installer now checks for the existence of the /etc/event.d directory. If it exists, then entries in /etc/init are created for use by upstart. If it does not exist, then
entries in /etc/inittab are created for use by the traditional init daemon.
If /etc/event.d is missing for any reason on a system with upstart, the inittab file is populated instead. The S-TAP process does not start or respawn when needed.
Environment
S-TAPs running on Linux are affected.

Check for the existence of the /etc/event.d/ directory.
If the /etc/event.d/ directory does not exist, complete the following steps to resolve the situation.
1. Uninstall the existing S-TAP installation.

2. Create the /etc/event.d dir as user root (mkdir /etc/event.d) .
3. Install the S-TAP.
S-TAP returns not FIPS 140-2 compliant

If you receive an error that about FIPS 140-2, change the configuration through the S-TAP Control page.
Symptoms
Supported: - Solaris X86 - Linux x86/64 - Linux x86/32 - Linux S390X - Linux IA64
Not Supported: - Solaris SPARC - AIX PowerPC - HPUX RISC - HPUX IA64 - Linux PowerPC
You see the following message in the S-TAP event log.
LOG_ERR: To enable FIPS 140-2 mode set use_tls=1
Causes
FIPS 140-2 is a U.S. government security standard for cryptographic modules. If you see this message, it indicates that the S-TAP configuration does not meet government
requirements.
Note: This message does not indicate that there is an error with the S-TAP.
Environment
Guardium S-TAP is affected.
Supported: Solaris X86; Linux x86/64; Linux x86/32; Linux S390X; Linux IA64
Not Supported: Solaris SPARC; AIX PowerPC; HPUX RISC; HPUX IA64; Linux PowerPC

To enable FIPS compliance, the guard_tap.ini file must have the following settings.

use_tls=1
You can change the configuration by using one of the following methods.
1. Click Manage > Activity Monitoring > S-TAP Control.

2. Modify the details section for the relevant S-TAP and use the TLS check boxes.
3. Restart the S-TAP.
You can also edit the guard_tap.ini file on the DB server directly and restart the S-TAP.
The K-TAP kernel module is still present after the uninstallation of S-TAP
If the K-TAP kernel module is still present after the uninstallation of S-TAP, manually remove it.
Symptoms
The K-TAP kernel module is still present after the uninstallation of S-TAP on a Solaris server.
Causes
The server did not restart properly to remove the K-TAP kernel module on Solaris servers.
Environment
The Solaris server after the uninstallation of S-TAP is affected.

Check on the Solaris server by running both modinfo | grep ktap and ls -al /dev/*tap*.

Manually remove the K-TAP kernel with the following steps.
1. Check that /etc/init.d/upguard is removed.

2. Remove /kernel/drv/sparcv9/ktap* and /kernel/drv/ktap*.
3. Run modinfo | grep ktap to get the name of the loaded driver.
4. Then, run rem_drv<loaded driver>. For example: rem_drv ktap_36821.
5. Remove /dev/ktap* and /dev/guard_ktap.
6. Restart the server.
7. Run modinfo | grep ktap to make sure that the driver is no longer loaded.
8. Remove GIM and gsvr entries from /etc/inittab (if you are using GIM only).
9. Manually clean up remaining files in /usr/local/guardium.
UNIX S-TAP cannot read more than 16 inspection engines

If UNIX S-TAP cannot read more than 16 inspection engines, change listening port parameters or use PCAP.
Symptoms
UNIX S-TAP reads only the first 16 port_range definitions in the inspection engine settings.
Causes
By design K-TAP can read only 16 port_range definitions.
Environment
UNIX S-TAP that uses K-TAP and defines more than 16 inspection engines is affected.

Use port_range_start and port_range_end parameters to include all of the required ports in the first inspection engine definition. This action intercepts all of the
traffic from the specified port range. If you need to ignore some ports in the range, you can define a policy to ignore the unnecessary server ports.
The following example defines listening ports 50000 - 50020 as target ports to be monitored.
[DB_0]
port_range_end=50020
port_range_start=50000
Otherwise, use PCAP for TCP connections by setting ktap_local_tcp=1 and devices=<device_name>.
[TAP]
ktap_local_tcp=1
devices=<Network Device Name>

Windows S-TAP service crashes on startup with error ID 1000

If the S-TAP crashes with error ID 1000, check the SOFTWARE_TAP_IP parameter in the guard_tap_ini configuration file.
Symptoms
The S-TAP on a Windows server does not start. The Windows event log shows errors from Guardium S-TAP with event ID 1000.
Log Name: Application

Source: Application Error
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
Description:
Faulting application name: guardium_stapr.exe, version: 9.0.0.0
Exception code: 0x40000015
Causes
S-TAP cannot connect to the Windows system because the wrong SOFTWARE_TAP_IP is specified in the guard_tap.ini file.
Environment
Any Guardium S-TAP for Windows is affected.

Ensure the SOFTWARE_TAP_IP parameter in the guard_tap.ini configuration file matches the correct IP address of the Windows server. This parameter is passed on the
installation CLI or in the IBM Guardium Installation Manager (GIM) parameters.
z/OS S-TAP fails to show active the Guardium system

If z/OS S-TAP fails to show active on the Guardium system, restart the inspection-core.
Symptoms
z/OS S-TAP fails to show active on the Guardium system after you start it for the first time. The policy is correctly configured with a DB2 or IMS Collection Profile and
installed. The z/OS S-TAP is properly configured to use port 16022. All messages on the mainframe indicate connectivity.
Causes
If the collector has not been actively used as a collector since being built and configured, the sniffer appears to time out port 16022.
Environment
z/OS is affected.

Restart the inspection-core by using the CLI command restart inspection-core.
GIM
Error installing the Guardium Installation Manager (GIM)
If GIM does not install properly, create the directory manually.
Guardium Installation Manager (GIM) service does not start in Windows
If the Guardium Installation Manager (GIM) service does not start in Windows, reinstall GIM in a folder that is reserved for 32-bit applications.
Error installing the Guardium Installation Manager (GIM)

If GIM does not install properly, create the directory manually.
Symptoms
When you attempt to install the Guardium Installation Manager (GIM) on RHEL6, you see the following error message.
cp: cannot stat `/usr/local/GIM/modules/central_logger.log': No such file or directory Installation failed
Causes

Various Linux distributions such as RedHat 6 deprecated the use of the traditional init daemon that uses the etc/inittab file. They replaced it with an init process called
Upstart. Upstart uses the /etc/event.d and /etc/init directories for the automated start, stop, and respawn of processes.
Environment
The Guardium Installation Manager (GIM) is affected.

To fix the issue, complete the following steps.
Remove the partial GIM installation.

Create the /etc/event.d directory manually with the command mkdir /etc/event.d
Run the GIM installer.
Parent topic: GIM
Guardium Installation Manager (GIM) service does not start in Windows

If the Guardium Installation Manager (GIM) service does not start in Windows, reinstall GIM in a folder that is reserved for 32-bit applications.
Symptoms
After you successfully installed the Guardium Installation Manager (GIM) on Windows, you notice that the service is not running.
Causes
GIM is a 32-bit application. If you are using a Windows 64 bit, GIM might be installed in Program Files instead of Program Files(x86).
Environment
GIM is affected.

Install GIM in Program Files(x86) because it is a Windows folder that is reserved for 32-bit applications.
Parent topic: GIM
File activity
File activity is not logged in investigation dashboard or reports
File activity from removable disk is not logged in investigation dashboard
File activity appears in reports but not the investigation dashboard
Some files missing from classification results
Partial file discovery (entitlement) results in reports and investigation dashboard
Reports and investigation dashboard are not showing complete discovery (entitlement) results.
File classification results are missing from reports and investigation dashboard
FAM bundle fails to install
After installing the GIM client, the FAM bundle installation fails.
File activity is not logged in investigation dashboard or reports

Symptoms
There is no file activity logged in the investigation dashboard or predefined reports, such as: File Activities, File Entitlement, Files Count of Activity Per Client, Files Count
of Activity Per Server, Files Count of Activity Per User, Files Privileges

Check the following:
Verify the FAM license is installed and the S-TAP is active

Make sure you are not logged in as root in your file server for activities. Activities from root, (UID0) are not logged by default.
On Linux/AIX, check the file path specified in your policy rule. For example, /testdir/ monitors a file called testdir and not the files in a directory called testdir.
Specify /testdir/* to monitor files in the testdir directory.
On Windows, if you use domains and your policy rule specifies a user, make sure the domain is specified. For example, svldev\Maryjane instead of just Maryjane.
Parent topic: File activity troubleshooting

Symptoms

Environment
FAM_SCAN_EXCLUDE_REMOTE_DIRECTORIES is set to true

Install the file activity monitoring policy before mounting the removable disk.
File activity appears in reports but not the investigation dashboard

Symptoms
You see file activity in the predefined reports, but not in the investigation dashboard.

Verify the configuration using the guard API:
To send crawled data to quick search: grdapi enable_fam_crawler activity_schedule_interval=2 activity_schedule_units=MINUTE entitlement_schedule_interval=10
entitlement_schedule_units=MINUTE
To enable quick search (with option to also include violations): grdapi enable_quick_search includeViolations=true schedule_interval=2 schedule_units=MINUTE
Some files missing from classification results

Symptoms
Some files are missing in the classification results.
Causes
The following are file types are not supported for classification: DAT, JPG, JPEG, GIF, TIF, TIFF, BMP, WAV, MOV, MP3, MP4, AVI, MPG, WMA, WMV, P7S, XFDL, XFD, FRM,
JAR
Partial file discovery (entitlement) results in reports and investigation dashboard

Reports and investigation dashboard are not showing complete discovery (entitlement) results.
Symptoms
The discovery (entitlement) results that appear in reports and investigation dashboard is incomplete. Results for some files do not appear.

Verify that the document types and locations are included in your GIM configurations for discovery. Check the following GIM configuration parameters:
FAM_SCAN_EXCLUDE_FILES
FAM_SCAN_EXCLUDE_DIRECTORIES
FAM_SCAN_EXCLUDE_EXTENSIONS
FAM_SCAN_EXCLUDE_FILES
FAM_SCAN_MAX_DEPTH
File classification results are missing from reports and investigation dashboard
Symptoms
File classification results are missing from reports and investigation dashboard.
Causes
Classification is an additional process that goes beyond metadata discovery.

Assuming your software requirements are met for the IBM Content Classification engine (http://www-01.ibm.com/support/docview.wss?uid=swg27020838) that is used
for classification, verify the following GIM configurations:
Ensure that the GIM parameter FAM_IS_DEEP_ANALYSIS= TRUE

Verify that Decision Plan names are correct in FAM_ICM_CLASS_DECISION_PLANS setting and that the list of Decision Plans is delimited with a semicolon
Verify that all listed Decision Plans (,dpn) files exist in the following location on the file server: %FAM_HOME%\conf\ContentClassification

User response: Optional. When you have particular actions that are performed by particular users, use one or more of the ts*Response elements.
FAM bundle fails to install

After installing the GIM client, the FAM bundle installation fails.
Symptoms
When attempting to install the FAM bundle, the system responds with a message similar to:
-1,GIM - Failure point : dependancy_violation (Dependancy violation (FAM) : Missing mandatory dependency - STAP at GIM.pm line
3176, <MYFILE> line 20.
Causes
The S-TAP bundle must be installed before installing the FAM bundle.

Verify the S-TAP for FAM is installed, then install the FAM bundle. See Installing and activating file activity monitoring components.
Installing Your Guardium System

Checksum error during S-TAP installation
If you receive a checksum error, set the transfer mode to binary on the FTP client.
Guardium S-TAP returns an illegal cp: option - f error message
If the S-TAP installation fails with cp: illegal option - f, run the command which cp and change the file path.
Installing a new Guardium patch does not complete
If you cannot complete the installation of a new Guardium patch, stop the interfering process and reinstall the patch.
Missing file or directory after new Guardium S-TAP installation
Partition error installing Guardium
If you receive a partition error, select Custom installation and specify the disk location and size explicitly.
Patch installation fails: No such file or directory
If the patch installation fails, check that the file matches the MD5SUM of the downloaded patch.
Checksum error during S-TAP installation

If you receive a checksum error, set the transfer mode to binary on the FTP client.
Symptoms
You receive an error similar to the following when you run the S-TAP installer to install Guardium S-TAP on UNIX or Linux.
./guard-stap-v81_r26808_1-aix-6.1-aix-powerpc.sh
Verifying archive integrity...Error in checksums: 2082112805 is
different from 3728267449
Causes
The installer file is corrupted. The file became corrupted when the file was transferred to the database server or when the product was downloaded.
Environment
S-TAP on UNIX or Linux is affected.

To resolve the problem, make sure that the transfer mode is set to binary on the FTP client. Then, try the transfer to the database server again. If the process fails,
download the product again.
Parent topic: Installing Your Guardium System
Guardium S-TAP returns an illegal cp: option - f error message

If the S-TAP installation fails with cp: illegal option - f, run the command which cp and change the file path.
Symptoms
The S-TAP installation fails with the following error message.
A directory called 'guardium' containing Guardium software needs to be created under a path provided.
Enter the path prefix [/usr/local]? /opt/guardium
Directory /opt/guardium/guardium/guard_stap does not exist, would you like to create it [Y/n]? Y
Run STAP as root, or as user 'guardium' [R/u]? R
Please be patient... This might take more than a minute.

Copying installation files...
cp: illegal option -- f
UX:vxfs cp: INFO: V-3-21462: Usage: cp [-i] [-p] f1 f2
cp [-i] [-p] f1 ... fn d1
cp [-i] [-p] [-r|-R] [-e { force | ignore | warn}] d1 d2
Causes
The path to/usr/bin/cp is different from what the installer expects.
Environment
The UNIX/Linux database server is affected.

Run the command which cp
If which cp returns a value other than /usr/bin/cp, run the command export PATH=/usr/sbin:/usr/bin:$PATH.
Rerun the command which cp to confirm that the path is /usr/bin/cp.
Installing a new Guardium patch does not complete

If you cannot complete the installation of a new Guardium patch, stop the interfering process and reinstall the patch.
Symptoms
When you install a new patch it does not complete. The status column in the CLI command show system patch installed shows one of the following messages.
STEP: Setting â€œjavaâ€ off

STEP: Setting â€œameiâ€ off
STEP: Setting â€œsqlwâ€ off
Causes
Tomcat, the inspection core, or another process on the machine interfered with the patch installation.
Environment
The Collector, Aggregator, and Central Manager are affected.

To install the new Guardium patch, stop any processes from interfering with the installation.
1. Delete the patch that is stuck by using the command delete scheduled-patch.
2. Restart the system by using the command restart system.
3. After the system restarts, stop the GUI and inspection core by using the commands stop gui and stop inspection-core.
4. Reinstall the patch and restart the GUI and inspection core by using the commands restart gui and start inspection-core.
Missing file or directory after new Guardium S-TAP installation

Symptoms
When you attempt to install S-TAP, you receive the following error message.
Tap_controller::init failed Opening pseudo device /dev/guard_ktap No such file or directory
In addition, /dev/*ktap* does not exist.
Causes
There are many possible reasons why the K-TAP device creation can fail. The following are the most common causes.
You did not use the module files, including the K-TAP module for the Linux kernel.
You did not specify the Flex Loading option to load the K-TAP module from the module files.
A previous K-TAP module from an old installation is still running or installed.
Environment
All Linux and UNIX operating systems in which the IBM Guardium S-TAP product can be installed are affected.

To resolve the problem, take the following steps.

1. Run these commands as root.
<STAP directory>/KTAP/guard_ktap_loader stop

<STAP directory>/KTAP/guard_ktap_loader uninstall
<STAP directory>/KTAP/guard_ktap_loader install
<STAP directory>/KTAP/guard_ktap_loader start
2. Check whether the K-TAP device is now created with the command ls /dev/*ktap*. If it was created, issue is resolved. If not, continue to next step.
3. Stop the S-TAP process guard_stap if it is running. You can check whether it is running with command ps -ef | grep guard_stap.
4. Verify that the S-TAP process is not running with the command ps -ef | grep guard_stap.
5. Uninstall the S-TAP.
6. Confirm that the S-TAP directory is gone.
7. Check whether a K-TAP module is still running from an old installation. Use the appropriate command for your operating system.
Linux : lsmod | grep ktap

Solaris : modinfo | grep tap
HP-UX : lsdev | grep tap
AIX : genkex | grep tap
If a device such as ktap_<release> is listed, then a K-TAP module is running.

8. If you find a K-TAP module is running in previous step, run the following steps to stop and uninstall the K-TAP module.
<STAP directory>/KTAP/guard_ktap_loader stop

<STAP directory>/KTAP/guard_ktap_loader uninstall
Restart the server.

9. If you are using the Guardium Installation Manager (GIM), go to Manage > Module Installation > Set up by Client (Legacy), select the client and click Reset Clients.
Wait for the server to reappear in the client list.
10. Reinstall the S-TAP. If you are using GIM to install the S-TAP, reinstall the S-TAP bundle with GIM and the following commands.
KTAP-ALLOW_COMBOS=Y
KTAP_LIVE_UPDATE=Y
KTAP_ENABLED=Y
Partition error installing Guardium

If you receive a partition error, select Custom installation and specify the disk location and size explicitly.
Symptoms
When you install the Guardium appliance in VMWare, you receive the following error:
Error Partitioning
Could not allocate requested partitions:
Partitioning failed: Could not allocate partitions as primary partitions.
Not enough space left to create partition for /boot.
Causes
When you install the Guardium system with VMWare, if you select Typical, VMWare uses configuration parameters that are predefined for the OS type in VMWare. These
configuration parameters might not be suitable for this installation.
Environment

Select Custom installation and specify the disk location and size explicitly. Specify a disk size that is large enough for your monitoring and audit needs. After it is
configured, Guardium does not support adding disk space to the system.
Patch installation fails: No such file or directory

If the patch installation fails, check that the file matches the MD5SUM of the downloaded patch.
Symptoms
Patch installation in Guardium fails with the error patch.reg: No such file or directory.
Causes
The following cases can cause the patch installation to fail.
The patch was not downloaded in binary mode and corrupted the file.
The compressed file itself was uploaded to the Guardium system.
The patch was received from Guardium support and has the PMR number prefixed to the file name.
The patch was uploaded to the Guardium system from a Windows FTP server.
Environment


Verify that the contents of the file match the MD5SUM of the downloaded patch. If the compressed file cannot be extracted or the MD5SUM does not match, download the
file in binary mode.
If the compressed file itself was uploaded to the Guardium system, extract the compressed file and upload only the patch.
If there is a PMR number prefixed to the file name, remove the number and then upload the patch to the Guardium system.
If the patch is uploaded from a Windows FTP server, specify the exact file name with the correct case.
Windows: S-TAP user's guide

Guardium S-TAP is a lightweight software agent installed on database servers and file servers. The information collected by the S-TAPs is the basis of all Guardium traffic
reports, alerts, visualizations, etc.
For data activity monitoring, the S-TAP monitors activity between the client and the database and forwards that information to the Guardium collector. The database traffic
is logged into the collector based on criteria specified in the security policy. It is also possible to reduce the amount of traffic that is originally sent to the collector by
ignoring trusted connections or ignoring traffic from specific IPs.
For file activity monitoring, unlike data activity, the policy rules are pushed down to the file server and thus only data that is specified in the security policy is forwarded to
the collector.
Windows: Install, Upgrade, Uninstall S-TAP

Windows: Configuring S-TAP
Learn to configure the S-TAP.
Windows: S-TAP operation and performance
Windows: Install, Upgrade, Uninstall S-TAP

Windows: S-TAP support matrix
Select your S-TAP setup depending on the data you want to monitor or block. Use this table to identify the monitoring mechanisms that can perform the operations
you require, per operating system and database.
Windows: Prerequisites: installing S-TAP
Windows: Installing an S-TAP agent
Install an S-TAP on Windows using the Monitoring Agents tool (from v10.1.3), Guardium Installation Manager (GIM), the interactive installer, or the command line
installer.
Windows: S-TAP installation flow on Oracle RAC
Configure S-TAPs in an Oracle RAC.
Windows: Upgrading and Removing an S-TAP
Learn how to upgrade or remove S-TAPs on Windows.
Windows: When to restart or reboot the database after S-TAP installation or upgrade
This topic details the situations, after S-TAP installation, of when to restart and when to reboot the database server or database instance. Restart/reboot
requirements are the same for GIM and non-GIM implementations.
Parent topic: Windows: S-TAP user's guide
Windows: S-TAP support matrix

Select your S-TAP setup depending on the data you want to monitor or block. Use this table to identify the monitoring mechanisms that can perform the operations you
require, per operating system and database.
For example, you may want to track or perform one or more of the following:
local traffic only

local and network traffic
shared memory
encrypted data
monitor and block
monitor only
This table covers the most common platforms, database types, and protocols, supported by Guardium's monitoring mechanisms. The table presents general guidelines.
There may be other combinations that are not presented here that are supported. Some of the supported setups presented here may be dependent on specific
configurations. Contact Technical Support to verify the best setup for your specific needs. Empty cells indicate that the combination is not supported.
OS Database Network traffic Local traffic Encrypted Protocol Kerberos Blocking Redaction
traffic
Windows MS SQL Server Supported Supported Supported for TCP, NMP Supported Supported Supported
TCP and NMP
Windows DB2 Supported, also Supported, also DB2 Exit TCP, SHM Â Supported Supported
with DB2 Exit with DB2 Exit (Except DB2 (Except DB2
Exit) Exit)
Windows Oracle Supported Supported Supported (ASO, TCP, NMP, BEQ Â Supported Supported
SSL)

OS Database Network traffic Local traffic Encrypted Protocol Kerberos Blocking Redaction
traffic
Windows Informix Supported Supported Â TCP Â Supported Supported
Windows Sybase Supported Supported Â TCP Â Supported Supported
Windows MySQL Supported Supported Â TCP Â Supported Supported
Windows PostgreSQL Supported Supported Â TCP Â Supported Supported
Windows MongoDB Supported Supported Â TCP Â Supported Supported
Windows CouchDB Supported Supported Â TCP Â Supported Supported

Parent topic: Windows: Install, Upgrade, Uninstall S-TAP
Windows: Prerequisites: installing S-TAP

Windows: S-TAP disk space requirements
Verify the disk space requirements before installing your S-TAP.
Windows: Guardium port requirements for S-TAP
If there is a firewall between GuardiumÂ® components (for example, between a Guardium system and an S-TAP on a Windows database server), you must verify
that the ports used for connections between those components are not being blocked.
Windows: S-TAP disk space requirements

Verify the disk space requirements before installing your S-TAP.
Table 1. Windows S-TAP Disk Space Requirements

S-TAPÂ® Program files GIM Install: 300 MB
non-GIM Install: 180 MB

Buffer file If you configure the S-TAP to use a buffer file, the size defaults to 50 MB. The size is controlled by the
buffer_file_size configuration file parameter.
Parent topic: Windows: Prerequisites: installing S-TAP
Windows: Guardium port requirements for S-TAP

If there is a firewall between GuardiumÂ® components (for example, between a Guardium system and an S-TAP on a Windows database server), you must verify that the
ports used for connections between those components are not being blocked.
Use your firewall management utility to check, and open as relevant, the ports listed below.
Table 1. Port Requirements for Windows servers

Port Protocol Guardium system connection to ...
9500/9501 TCP Alive messages
9500 TCP Clear S-TAPÂ®
9501 TLS Encrypted S-TAP

Parent topic: Windows: Prerequisites: installing S-TAP
Windows: Installing an S-TAP agent

Install an S-TAP on Windows using the Monitoring Agents tool (from v10.1.3), Guardium Installation Manager (GIM), the interactive installer, or the command line installer.
Depending on your license key, you can use the same S-TAP agent for both file and database activity monitoring. There are no specific S-TAP parameters for FAM.
The Base Filtering Engine (BFE) service must be running for the S-TAP installation. If the service exists but is not running, Guardium attempts to start it.
S-TAPs require .NET Framework 4.5 or higher version. If the .NET 4.5 or higher environment does not exist, S-TAP will install .NET 4.5.2.
When installing the Windows S-TAP in a Non-ASCII environment (for example, Japanese), use either the server with that language pack or set the system locale to that
location (Japan).
S-TAP installation creates one installation log: C:\IBM Windows S-TAP.ctl.
Auto-discovery of database instances

When installing an S-TAP, you have the option of auto-discovering database instances and creating inspection engines for the discovered instances. The auto-discovery
process runs once at the time of S-TAP installation and does not automatically repeat.
Auto-discovery supports these database types: MS SQL Server, DB2, Oracle, Informix, MongoDB, CouchDB. To create inspection engines on other discovered databases,
see the Discovered Instances report.
During an upgrade, auto-discovery discovers additional database instances but does not create inspection engines for the new instances. Auto-discovery adjusts any
preexisting inspection engines. This means that if you have added an inspection engine for a database that does not exist or specified a port that does not work, the auto-

discovery process adjusts that inspection engine during the upgrade.
If you do not want the S-TAP installation to perform automatic discovery of databases during installation or upgrade, you can prevent it during the S-TAP installation
process by following the procedure described for each Windows S-TAP installer.

During installation of an S-TAP on Windows, you can configure the S-TAP to use Enterprise Load Balancing features. For more information, see Enterprise Load Balancing.
Windows: Installing S-TAP agent with GIM (v10.1.4)

The Guardium Installation Manager (GIM) is the recommended method for installing S-TAPs on your database servers. GIM enables you to install, upgrade, and
manage agents on individual servers or groups of servers. This includes monitoring processes that were installed under its control, modifying agent parameters,
and performing other management tasks.
Windows: Installing S-TAP agent with GIM (v10.1-10.1.3)
Windows: S-TAP GIM installation parameters
Understand the parameters (each with a short description) that are typically used in your GIM installation.
Windows: Installing S-TAP agent using the interactive installer
The interactive installer is useful for smaller deployments or whenever a guided, step-by-step installation experience is required.
Windows: Installing S-TAP agent using the command line interface
The command-line installer provides a scriptable solution that is especially useful for managing large deployments.
Windows: S-TAP command line installation parameters
Understand the parameters (each with a short description) that you can use in your script and GIM installation.

Related concepts:
Windows: Installing S-TAP agent with GIM (v10.1.4)

The Guardium Installation Manager (GIM) is the recommended method for installing S-TAPs on your database servers. GIM enables you to install, upgrade, and manage
agents on individual servers or groups of servers. This includes monitoring processes that were installed under its control, modifying agent parameters, and performing
other management tasks.
Before you begin

Verify the following before you begin:
Review the Windows S-TAP installation requirements at Windows: Prerequisites: installing S-TAP.
Verify that your database server and operating system are supported.
Verify that the intended S-TAP installation directory is empty or does not exist.
The GIM client is installed on the database server where you will install an S-TAP.
The GIM client on the database server is communicating with the Guardium system.
Obtain the S-TAP module from either Fix Central, or your Guardium representative.
About this task

After installing a GIM client on the database server, installation of the S-TAP for Windows is scheduled from the Guardium system.
The only required parameter is WINSTAP_INSTALL_DIR.
The parameter WINSTAP_INSTALL_DIR cannot be modified after the installation. All other parameters can be modified after installation.
You can input any parameter in the Setup by Client page, in the Choose parameters ribbon, using the command WINSTAP_CMD_LINE with the syntax parameter=value for
[TAP] parameters, or with the syntax -param value for CLI parameters (Windows: S-TAP command line installation parameters), and they are added or updated in the
guard_tap.ini.
CAUTION:
There is no validation of input to this field.
Procedure
1. Upload the Windows S-TAP module for installation.
a. On the Guardium system, navigate to Manage > Module Installation > Upload Modules.
b. Click Choose File and select the S-TAP module you want to install.
c. Click Upload to upload the module to the Guardium system. After uploading, the module will be listed in the Import Uploaded Modules table.
d. In the Import Uploaded Modules table, click the check box next to the S-TAP module you want to install. The module will be imported and made available for
installation. After the module is imported, the Upload Modules page will be reset and the Import Uploaded Modules table will be empty.
2. Follow the GIM instructions in Set up by Client and refer to Windows: S-TAP GIM installation parameters.
While the default parameters are acceptable for most installations, you are required to provide a WINSTAP_INSTALL_DIR value. The default value is
C:/Program Files/IBM/Windows S-TAP. This is the only required parameter.
If WINSTAP_TAP_IP (equivalent to the -taphost command line parameter) is not specified, the GIM_CLIENT_IP value is used.
If WINSTAP_SQLGUARD_IP (equivalent to the -appliance command line parameter) is not specified, the GIM_URL value is used.
Optionally enable enterprise load balancing. See the parameter description in Windows: S-TAP GIM installation parameters.
To enable auto_discovery of database instances, set WINSTAP_NOAUTODISCOVERY to 0.
What to do next

Monitor installation of the S-TAP module using the Module Status table on the Common Modules screen. You can also view the status of the module installation by
reviewing the report at Manage > Reports > Install Management > GIM Clients Status.
Verify that the S-TAP is communicating with the Guardium system by navigating to Manage > Activity Monitoring > S-TAP Control and reviewing the S-TAPs status and
configuration.
Parent topic: Windows: Installing an S-TAP agent

Related concepts:
Windows: Installing S-TAP agent with GIM (v10.1-10.1.3)

Before you begin

The GIM client is installed on the database server where you will install an S-TAP.
The GIM client on the database server is communicating with the Guardium system.
About this task

After installing a GIM client on the database server, installation of the S-TAP for Windows is scheduled from the Guardium system.
The only required parameter is WINSTAP_INSTALL_DIR.
The parameter WINSTAP_INSTALL_DIR cannot be modified after the installation. All other parameters can be modified after installation.
[TAP] parameters, , or with the syntax -param value for CLI parameters (Windows: S-TAP command line installation parameters), and they are added or updated in the
guard_tap.ini.
CAUTION:
Procedure
1. Upload the Windows S-TAP module for installation.
2. Select client systems where you want to install an S-TAP.
a. Navigate to Manage > Module Installation > Setup by Client.
b. On the Client Search Criteria screen, specify search criteria for the clients where you want to install the S-TAP, then click Search to continue. Search for
clients using any combination of the following search criteria:
Select a client group.
Search by client hostname, IP address, or operating system.
Leave all search criteria fields empty to return a list of all available clients.
c. On the Clients screen, click the check box next to the clients where you want to install the S-TAP, then click Next to continue.
3. Select and configure the S-TAP module before installing to client systems.
a. From the Modules table on the Common Modules screen, select the S-TAP module for installation, then click Next to continue.
Use the Display Latest Versions and Display Bundles Only check boxes to filter the list of available modules.
Use the Module Status table to review information about the selected module on the target clients.
b. From the Client Module Parameters screen, specify installation parameters for the S-TAP.
To apply the same parameters to multiple clients, specify installation parameters in the Common Module Parameters fields, click the check box next
to clients listed in the Client Module Parameters tables, and then click Apply to Selected.
To apply unique parameters to individual clients, specify installation parameters directly in the Client Module Parameters table.
Attention:
While the default parameters are acceptable for most installations, you are required to provide a WINSTAP_INSTALL_DIR value. The default value is
C:/Program Files/IBM/Windows S-TAP.
If WINSTAP_TAP_IP (equivalent to the -taphost command line parameter) is not specified, the GIM_CLIENT_IP value is used.
If WINSTAP_SQLGUARD_IP (equivalent to the -appliance command line parameter) is not specified, the GIM_URL value is used.
c. Once you have specified installation parameters for the S-TAP, apply those parameters to the selected clients by clicking Apply to Client.
4. Install the S-TAP to the selected clients.
a. From the Client Module Parameters screen, click Install/Update.
b. On the Schedule Date dialog, provide a date or time to begin the installation, then click Apply. To begin the installation immediately, use a value of now in the
Schedule Date field.
What to do next

Monitor installation of the S-TAP module using the Module Status table on the Common Modules screen. You can also view the status of the module installation by
reviewing the report at Manage > Reports > Install Management > GIM Clients Status.
configuration.

Related concepts:
Windows: S-TAP GIM installation parameters

All parameters are listed in Windows: Editing the S-TAP configuration parameters.
CAUTION:
Do not modify advanced parameters unless you are an expert user or you have consulted with IBM Technical Support.
Table 1. Parameters applicable to all .NET installers
GIM parameter Description
QUIET Install silently. (Does not require value)
WINSTAP_INSTALL_DIR This is the install directory. Default install path is C:/Program Files/IBM/Windows S-TAP
WINSTAP_ENABLEGAM Enables the Guardium Agent Monitor service (GAM).

Table 2. Other S-TAP Parameters
WINSTAP_ENABLEGAM Enables the Guardium Agent Monitor service (GAM).
WINSTAP_TAP_IP The local/client IP. Required for unattended installation.
WINSTAP_SQLGUARD_IP The SQLGUARD IP. You can set up multiple appliances by specifying this parameter multiple times, each with a unique
value.
Table 3. S-TAP Parameters with Applicable Value ON. These parameters are on by default with their value set to ON. Unless described
otherwise, setting these parameters to any value other than ON turns the parameter off.
TCP_DRIVER_INSTALLED TCP_DRIVER_INSTALLED=1. Use TCP driver.
NAMED_PIPE_DRIVER_INSTALLE NAMED_PIPE_DRIVER_INSTALLED=1. Specifies the named pipe used by MS SQL Server for local access. If a named pipe is used,
D but nothing is specified in this parameter, S-TAP attempts to retrieve the named pipe name from the registry.
DB2_TAP_INSTALLED Enables sniffing DB2 shared memory traffic.
DB2_EXIT_DRIVER_INSTALLED Enables DB2 Integration with S-TAP.
FAM_DRIVER_INSTALLED Enables FAM S-TAP.
ORA_DRIVER_INSTALLED Enables sniffing Oracle ASO and SSL traffic.
KRB_MSSQL_DRIVER_INSTALLED Deprecated from v10.1.4. It appears in the guard_tap.ini file but it does not affect the configuration.
This parameter is used to decrypt MSSQL SSL and Kerberos encrypted traffic. Set to 1 or 2 to collect MSSQL encrypted traffic and
Kerberos tickets. If set to 1, when STAP starts, it will pre-collect usernames correlated with SIDs, collecting them for number of
seconds defined in krb_mssql_driver_user_collect_time. When set to 2, the pre-collection isnâ€™t done and the usernames are
correlated at run time.
Table 4. Enterprise Load Balancing parameters
WINSTAP_LOAD_BALANCER_IP Required if you are configuring load balancing.
This option specifies the IP address of the central manager or managed unit this S-TAP should use for load balancing.
S-TAP parameters cannot be changed via the interactive installer during upgrade. Use the Guardium UI after the upgrade to
change S-TAP parameters.
If configuring the enterprise load balancer to run on a managed unit, the S-TAP must be at V10.1 or higher.
WINSTAP_INITIAL_BALANCER_TAP Optional. The application group name that this S-TAP belongs to for enterprise load balancing.
_GROUP Attention: Group names with spaces or special characters are not supported.
WINSTAP_INITIAL_BALANCER_MU Optional. The MU group name the app-group will be associated with. Requires a defined LB-APP-GROUP. An MU group must
_GROUP already exist on the Central Manager before it can be used during installation of S-TAP
Attention: Group names with spaces or special characters are not supported.
WINSTAP_LOAD_BALANCER_NUM_ The number of managed units the enterprise load balancer allocates for this S-TAP.
MUS
Windows: Installing S-TAP agent using the interactive installer

The interactive installer is useful for smaller deployments or whenever a guided, step-by-step installation experience is required.
Before you begin

Identify the IP address of the database server or domain controller where you will install the S-TAP, including any virtual IP addresses.
Identify the IP address of the Guardium system that will control the S-TAP.
About this task

When installing an S-TAP on a database server, you must provide the IP address or host name of the Guardium system that will receive data from the S-TAP. After the S-
TAP has connected to the Guardium system, navigate to the Manage > Activity Monitoring > S-TAP Control page and complete the S-TAP configuration.
Note: Windows S-TAP parameters cannot be changed via the interactive installer during upgrading. The user can use the GUI after the upgrade to change Windows S-TAP
parameters.
Procedure
1. Log on to the database server using a system administrator account.
2. Copy the S-TAP module to your database and start the Guardium Windows S-TAP Install Wizard.
Attention: When installing an S-TAP on Windows 2012 or later, you must use administrative privileges. To do this, right-click the installer and choose Run as
Administrator.
3. Read the license agreement on the Guardium License screen. To continue installation, select I accept the terms of the license agreement and click Next.
4. Provide the requested content on the Customer Information screen, then click Next to continue. The default values are appropriate for most installations.
5. Select one of the following installation types, and then click Next to continue:
Typical: a typical installation will be appropriate for most users.
Compact: a compact installation assumes that additional features such as Enterprise Load Balancing are not required.
Custom: a custom installation allows you to modify additional S-TAP installation options such as the software choices, installation directory and the user
account that runs the Windows S-TAP process.
6. Optionally, enable Enterprise Load Balancing by selecting the Enable Load Balancing checkbox on the Load Balancing Options screen. Click Next to continue.
a. If you enable Enterprise Load Balancing, provide the load balancer IP address in the Load Balancer Host Address field.
b. Click the Advanced Options button to specify any additional Enterprise Load Balancing options. For more information, see Enterprise Load Balancing.
7. Verify the Software Tap Host Address and provide Appliance Address(es) on the Network Addresses screen, then click Next to continue.
The Software Tap Host Address specifies the address of the local machine where the S-TAP is being installed.
The Appliance Address(es) specify the Guardium system addresses that will control the S-TAP. Provide multiple addresses (typically not more than three) on
separate lines to establish failover systems for the S-TAP or when configuring S-TAP load balancing with the participate_in_load_balancing parameter.
Attention: If you do not want the S-TAP service to be enabled after installation, deselect the Start S-Tap Service checkbox. Deselecting the Start S-Tap Service
checkbox also disables the automatic discovery of databases and creation of inspection engines.
The Install Wizard Completed screen appears following a successful installation.
8. Click Finish to close the installer.
What to do next
configuration.
Windows: Installing S-TAP agent using the command line interface

The command-line installer provides a scriptable solution that is especially useful for managing large deployments.
Before you begin

Identify the IP address of the database server or domain controller where you will install the S-TAP, including any virtual IP addresses.
Identify the IP address of the Guardium system that will control the S-TAP.
Procedure
1. Log on to the database server using a system administrator account.
2. Copy the installer to your database, and using the Windows Command Prompt, navigate to the Windows S-TAP installer directory. For example,
cd c:\Windows-STAP-V10.5.0.89
You should find a setup.exe executable in the installer directory.

3. Install the S-TAP using the setup.exe executable with the appropriate parameters. The required parameters are:
INSTALLPATH, the default is used if you do not specify
TAPHOST
APPLIANCE
All parameters, except INSTALLPATH, can be updated after the installation. A typical install command is:
setup.exe -UNATTENDED -APPLIANCE 10.0.147.234 -TAPHOST 10.0.145.41
where:

-UNATTENDED (required) invokes the command-line installer.
-APPLIANCE specifies the IP address of the Guardium system that will control the S-TAP.
-TAPHOST (required) specifies the client IP address where the S-TAP is being installed.
For a complete description of the setup.exe executable and its parameters, see Windows: S-TAP command line installation parameters
What to do next
configuration.

Related reference:

Understand the parameters (each with a short description) that you can use in your script and GIM installation.
In a CLI installation, you install an S-TAP using the setup.exe executable with the appropriate parameters, in this format:
Setup.exe -PARAMETER value
Do not use â€œ=â€ signs to assign values to the parameters. The only time â€œ=â€ is used is when you want to add a parameter to the TAP section of the
guard_tap.ini file directly as it is typed in the command line.
If you want to add additional parameters not specified here but required in the guard_tap.ini file, you can append the [TAP] section by specifying the parameter and value
with an = sign, for example:
setup.exe -UNATTENDED -INSTALLPATH "C:/Program Files/IBM/Windows S-TAP" -APPLIANCE 10.0.148.160 -TAPHOST 10.0.146.160 QRW_INSTALLED=0
QRW_DEFAULT_STATE=0
Important: The TAPHOST, APPLIANCE, INSTALLPATH attributes are required.

Table 1. Parameters applicable to all installers
Command line parameter GIM parameter Description
UNATTENDED QUIET Install silently. (Does not require value)
INSTALLPATH WINSTAP_INSTALL_DIR This is the install directory. Default install path is C:/Program Files/IBM/Windows S-TAP
ENABLEGAM WINSTAP_ENABLEGAM Enables the Guardium Agent Monitor service (GAM).
UNINSTALL Â Uninstall. A value is not required.
CUSTOMER Â To change customer name
COMPANY Â To change company name
SERVICEUSER Â To specify a user to run the service under
SERVICEPASSWORD Â The password for the user

Command line parameter Description
NOAUTODISCOVERY To prevent Auto-Discovery from running upon install. A value is not required.
ENABLEGAM Enables the Guardium Agent Monitor service (GAM).
START Controls whether S-TAP is started or not after installation.

Attention: This parameter defaults to on and can be disabled only by setting its value to 0. Any value other than 0 results in this
parameter being on.
TAPHOST The local/client IP. Required for unattended installation.
APPLIANCE The SQLGUARD IP. You can set up multiple appliances by specifying this parameter multiple times, each with a unique value.
Table 3. S-TAP Parameters with Applicable Value ON. These parameters are on by default with their value set to ON. Unless described
otherwise, setting these parameters to any value other than ON turns the parameter off.
Command line parameter Description
TCP Use TCP driver.
NMP Specifies the named pipe used by MS SQL Server for local access. If a named pipe is used, but nothing is specified in this parameter,
S-TAP attempts to retrieve the named pipe name from the registry.
DB2SHMEM Enables sniffing DB2 shared memory traffic.
DB2EXIT Enables DB2 integration with S-TAP.
FAM Enables FAM S-TAP.
ORACLEPLUGIN Enables sniffing Oracle ASO and SSL traffic.
MSPLUGIN Deprecated from v10.1.4. It appears in the guard_tap.ini file but it does not affect the configuration.
This parameter is used to decrypt MSSQL SSL and Kerberos encrypted traffic. Set to 1 or 2 to collect MSSQL encrypted traffic and
Kerberos tickets. If set to 1, when STAP starts, it will pre-collect usernames correlated with SIDs, collecting them for number of
seconds defined in krb_mssql_driver_user_collect_time. When set to 2, the pre-collection isnâ€™t done and the usernames are
correlated at run time.

Command line parameter GIM parameter Description
LOAD-BALANCER-IP WINSTAP_LOAD_BALANCER Required if you are configuring load balancing.

_IP
This option specifies the IP address of the central manager or managed unit this S-TAP should use for load
balancing.
S-TAP parameters cannot be changed via the interactive installer during upgrade. Use the Guardium
UI after the upgrade to change S-TAP parameters.
If configuring the enterprise load balancer to run on a managed unit, the S-TAP must be at V10.1 or
higher.
LB-APP-GROUP WINSTAP_INITIAL_BALANC Optional. The application group name that this S-TAP belongs to for enterprise load balancing.
ER_TAP_GROUP Attention: Group names with spaces or special characters are not supported.
LB-MU-GROUP WINSTAP_INITIAL_BALANC Optional. The MU group name the app-group will be associated with. Requires a defined LB-APP-GROUP.
ER_MU_GROUP An MU group must already exist on the Central Manager before it can be used during installation of S-TAP
LB-NUM-MUS WINSTAP_LOAD_BALANCER The number of managed units the enterprise load balancer allocates for this S-TAP.
_NUM_MUS
Windows: S-TAP installation flow on Oracle RAC

Configure S-TAPs in an Oracle RAC.
Procedure
1. Install S-TAP on all nodes. In case GIM is used, install GIM client on all nodes, then install S-TAP on all nodes.
2. Configure the STAP parameter STAP_TAP_IP: public IP configured for the node. (Can be configured through GIM UI.)
The parameter STAP_ALTERNATE_IPS is not required.
If the Oracle database is encrypted (ASO/SSL) make sure the parameter ORA_DRIVER_INSTALLED=1
If the Oracle inspection engine is auto-discovered, it should already contain all required parameters including INSTANCE_NAME.
Windows: Upgrading and Removing an S-TAP

Learn how to upgrade or remove S-TAPs on Windows.
Upgrade a Windows S-TAP using the command line
About this task
If a prior version of the Windows S-TAP has been installed, an upgrade can be performed from the command line using the setup program.
Procedure
1. Log on to the database server system using a system administrator account.

2. Change to the directory containing the S-TAPÂ® setup program.
3. Run the setup program with the following options: setup -UNATTENDED
Attention: Some files from the previous release will not be fully removed until the next scheduled reboot.
Remove a Windows S-TAP using Add/Remove Programs
About this task
This procedure will remove the installed S-TAP while making sure the configuration file is saved for future use.
Procedure

2. Copy the current S-TAP configuration file to a safe location (a non-Guardium directory). Look for this file in C:Program Files (x86)\IBM\Windows S-
TAP\Bin\guard_tap.ini.
3. From the Add/Remove Programs control panel, remove GUARDIUM_STAP.
Attention: Some files will not be fully removed until the next scheduled reboot.
Remove a Windows S-TAP using the command line
About this task
This procedure will remove the installed S-TAP while making sure the configuration file is saved for future use.
Procedure

2. Copy the current S-TAP configuration file to a safe location (a non-Guardium directory). Look for this file in C:Program Files (x86)\IBM\Windows S-
TAP\Bin\guard_tap.ini.
3. Change to the directory containing the S-TAP setup program.
4. Run the setup program with the following options: setup -UNINSTALL
Attention: Some files will not be fully removed until the next scheduled reboot.
Windows: When to restart or reboot the database after S-TAP installation or upgrade
This topic details the situations, after S-TAP installation, of when to restart and when to reboot the database server or database instance. Restart/reboot requirements are
the same for GIM and non-GIM implementations.
Windows S-TAP installation and upgrade does not require reboot of the database server unless stated otherwise in the release notes or as an exception in this document.
If you are not certain about reboot requirement for particular version you are using, you should check with your Technical Support representative.
Reboot database servers only when you need to upgrade the driver
Windows: Configuring S-TAP

Learn to configure the S-TAP.
Windows: Configure S-TAP from the GUI

View all S-TAPs managed by this Guardium system, manage individual STAPs, and perform a few operations on all STAPs.
Windows: Discover database instances
The Guardium S-TAP Discovery application periodically discovers database instances and sends the details to the primary (current active) S-TAP system.
Windows: Configuring an Inspection Engine
Configure or modify an inspection engine in the S-TAP Control pane.
Windows: Inspection engine verification
S-TAP verification confirms that the STAPs and their inspection engines in your environment are running and actively monitoring database activity. Understand
verification, and define a schedule to regularly verify S-TAPs.
Windows: S-TAP Load Balancing models and configuration guidelines
Understand the S-TAP load balancing models, and choose the one appropriate to your setup
Windows: Set up S-TAP authentication with SSL certificates
Set up authentication between an S-TAP server and Guardium system.
Windows: Using DB2 exit library
The DB2 exit mechanism enables Guardium to pick up all DB2 traffic, whether encrypted or not and whether local or remote. This solution simplifies the S-TAP
configuration, and provides native DB2 support.
Windows: Editing the S-TAP configuration parameters
You can modify the S-TAP configuration after it is installed using GIM, the UI, or for advanced users, the configuration file on the database.
Windows: Configure S-TAP from the GUI

About this task

Prerequisite: You must be logged in to the Guardium system that is the active host for the S-TAP.
Some configuration changes require that the S-TAP agent be restarted manually, as indicated in the parameter descriptions.
Sometimes a user is unable to make a decision during the process of installing an S-TAP or may make the wrong decision and it goes undetected until after the installation
process is complete. For instance a user may forget to type in or use the wrong IP address when defining a SQL Guard IP. These types of mistakes can be remedied by
modifying the S-TAP configurations.
Parameters in the GUI may be safely changed. Parameters that are not in the GUI rarely need changing and should normally be left unmodified; they are for use by
Guardium Technical Support or advanced users.
If you have installed your S-TAP by using the Guardium Installation Manager (GIM), you can update some parameters through the GIM GUI or API.
Procedure
1. Click Manage > Activity Monitoring > S-TAP Control to open S-TAP Control.
2. Perform operations on all S-TAPs in the page.
Refresh: refresh display of S-TAPs.
Add All to Schedule: add all displayed S-TAPs to the S-TAP verification schedule.
Remove All from Schedule: remove all displayed S-TAPs from the S-TAP verification schedule.
Comments: add comments. See Comments
3. Identify the S-TAP to be configured by its IP address or the symbolic host name of the database server on which it is installed. View and perform operations on
individual S-TAPs.
Option Description

Option Description
Delete: Click Delete to remove an S-TAP.
Deleting S-TAPs is useful to clean up your display when you know that an S-TAP has become inactive, or when the
Guardium unit is no longer listed as a host in the S-TAP's configuration file. In either of these cases, the S-TAP displays
indefinitely with an offline status if you do not delete it.
You cannot remove an active S-TAP from the list. Clicking delete does not stop an S-TAP from sending information, nor
does it remove the Guardium host from the list of hosts stored in the S-TAP's configuration file.
Refresh: Click Refresh to fetch a copy of the latest S-TAP configuration from the agent. (There is no auto-refresh of the S-TAP
display.)
Opens the S-TAP Commands popup, where you can run various commands on the S-TAP host.
Restart: Restarts the S-TAP. Not usually needed, and if yes, it's easier to simply kill it from the database server.
Send Command: S-TAP logging
Reinitialize buffer: reset the K-TAP statistics along with deleting the S-TAP buffer
Run Diagnostics: Run the S-TAP diagnostics script (and upload the results to the Guardium system)
Record Replay Log: Records all data to a file on DB server (RECORD) and sends data to collector (REPLAY)
Revoke Ignore: All sessions ignored by a revokable ignore policy will be un-ignored and start capturing the traffic
again for those sessions
Run Database Instance Discovery: Runs the discovery process, once immediately. (If enabled to run automatically,
it runs, by default, every 24 hours.)
Opens the S-TAP configuration window. Parameters that do not appear in the GUI are advanced parameters. Do not
Edit S-TAP configuration:
modify them if you are not an advanced user, or have not been instructed to modify them by Guardium Technical Support.
See GUI parameters:
Windows: General parameters
Windows: Configuration Auditing System (CAS) parameters
Windows: Guardium Hosts (SQLGuard) parameters
Windows: Inspection engine parameters
Show S-TAP Event Log: Click to open the S-TAP event log, where you can see events such as connect, disconnect, GIM server configuration, and
so on. This log is very useful for troubleshooting.
Add to Schedule checkbox Adds the individual S-TAP to the scheduled verification.
Revoke All Ignored Sessions A database could be running many sessions, some of which are currently ignored. Clear this option to stop ignoring traffic
checkbox from that server.
Parent topic: Windows: Configuring S-TAP
Windows: Discover database instances

The Guardium S-TAP Discovery application periodically discovers database instances and sends the details to the primary (current active) S-TAP system.
The Guardium Discovery Agent is a software agent automatically installed with the S-TAP package on a database server. The instance discovery agent reports database
instances, listener, and port information to the Guardium system. Discovery does not find and report on every detail of the DB instances on the server.
Auto-discovery is enabled by default. Configure it with the parameter winstap_discovery_interval.
Database types supported by S-TAP Discovery

MS SQL Server, DB2, Oracle, Informix, MongoDB, CouchDB.
Newly discovered database instances can be seen in the Discovered Instances report. From this report, datasources and inspection engines can quickly be added to
Guardium using the Actions menu.
If databases on the database server are not operational (started) or are added later, the Discovery Agent can still discover these instances by running the Run Discovery
Agent command from the STAP Control window (Manage > Activity Monitoring > S-TAP Control. Click , and select Run Database Instance Discovery).
S-TAP Discovery can be run manually but this action is not suggested. The main reason to run it manually is for debugging purposes. If a new request comes in from the
user interface while a scheduled discovery is running, the new request is ignored.
Note: In order to avoid an instance where S-TAP discovery does not open the Informix database, it is recommended to start Informix databases using the full path to the
executable.
The S-TAP Discovery application parameters should be left at their default values, except for advanced users. Discovery application are described in Linux and UNIX
systems: Discovery parameters.
Discovery also uses these parameters:
Software_tap_host: IP address or hostname of the database server on which the S-TAP is installed
sqlguard_ip: S-TAP discovery results are sent to this IP. (The Guardium system with primary=1 in the SQLguard parameters. )
Windows: Configuring an Inspection Engine

Before you begin

You must be logged in to the Guardium system that manages the S-TAP.
About this task

Do not configure an S-TAP inspection engine to monitor network traffic that is also monitored directly by a Guardium system that is hosting the S-TAP, or by another S-TAP
reporting to the same Guardium system. That would cause the Guardium system to receive duplicate information: it would not be able to reconstruct sessions, and would
ignore that traffic.
Procedure
1. Navigate to Manage > Activity Monitoring > S-TAP Control.
2. In the row of the S-TAP, click . The S-TAP Configuration window opens.
3. Scroll to the bottom of the inspection engines, and click next to Add Inspection Engine....
4. Select the protocol and enter the port range. The window refreshes with the relevant parameters, some with their default values.
5. Configure all required parameters, and click Add. If you are missing parameters, the system informs you what is missing.

Related reference:

S-TAP verification confirms that the STAPs and their inspection engines in your environment are running and actively monitoring database activity. Understand verification,
and define a schedule to regularly verify S-TAPs.
Verification checks sniffer operation and communication between the Guardium system and the inspection engines. You can enable verification for all S-TAP clients on
your system, or individual S-TAP clients, or individual inspection engines.
Verification is supported for these database types:
DB2
DB2 Exit (DB2 version 10)
FTP
Kerberos
Mysql
Oracle
PostgreSQL
Sybase
Windows File Share
exclude IE
MSSQL
named pipes
There are two types of verification:
Standard verification
Checks the sniffer operation, and the communication between the S-TAP and the inspection engine. It submits invalid login request and verifies that the
appropriate error message is returned.
Advanced verification
Use advanced verification to avoid failed login requests, and manage individual IEs. For avoiding failed login requests, you must identify or create a datasource
definition associated with the target database. The datasource definition includes credentials, which the verification process uses to log in to the database. Then it
submits a request to retrieve data from a nonexistent table in order to generate an error message.
For both types of verification requests, the results are displayed in a new dialog that provides information about the tests that were performed and recommended actions
for tests that failed.
Windows: S-TAP verification

The S-TAP verification process checks several configuration parameters and attempts to connect to the inspection engines.
Windows: Configure standard verification
Use this task to configure all inspection engines on a specific S-TAP client host.
Windows: Configure advanced verification
Windows: Configuring the S-TAP verification schedule
You can configure the schedule for running S-TAP verification.
Windows: S-TAP verification

Before connecting to the database, the verification process checks whether the sniffer process is running on the Guardium system. The sniffer is responsible for
communicating with each S-TAP and processing the data that is received. If the sniffer is not running, responses from the S-TAP are not recognized.
The verification process attempts to log in to your database's STAP client with an erroneous user ID and password, to verify that this attempt is recognized and
communicated to the Guardium system.
Next the verification process checks whether it can connect to the selected inspection engine on the database server. It expects to receive a response that indicates a
failed login. If a different response is received, you might have to investigate further.

Some error messages from individual databases do not indicate a specific problem. For example, on several supported databases, the error code returned for a wrong port
can also mean that the database itself is not started.
View the verification results in the S-TAP Verification page (Manage > Reports > Activity Monitoring > S-TAP Verification page). Failed checks are shown first, with
recommendations for next steps. Checks that succeeded are shown in a collapsed section at the end of the list. In some situations, it might be useful to review the
successful checks in order to choose among possible next steps.
Parent topic: Windows: Inspection engine verification
Windows: Configure standard verification

About this task

As an alternative to this procedure, you can use the GRDAPI command verify_stap_inspection_engine_with_sequence.
Procedure
1. Access Manage > Activity Monitoring > S-TAP Control.
2. Use these options:
Add All to Schedule: add all inspection engines for all displayed S-TAPs to verification.
Remove All from Schedule: remove all inspection engines for all displayed S-TAPs from verification.
Add to Schedule: add all inspection engines of the selected S-TAP client to the schedule.
If an S-TAP does not have the option All Can Control enabled, you can only change its status if your Guardium system is the primary system for this S-TAP.
3. Click Refresh.
4. To verify now, go to Manage > Activity Monitoring > S-TAP Verification Scheduler and click Run Once Now.
Windows: Configure advanced verification

Before you begin

Use this task to configure verification on individual inspection engines, including advanced verification.
About this task
Procedure
1. Access Manage > System View > S-TAP Status Monitor.
2. Click anywhere in the row of the S-TAP.
The window refreshes with the individual inspection engines of this host.
3. To verify now, select one or more inspection engines and click Verify.
4. Configure advanced verification.
a. Click one inspection engine, and click Advanced Verify.
b. Optionally, under Datasource, select Show only matching S-TAP host or select a name from the Name drop-down list to search for a specific inspection
engine.
c. Click Close.
5. To add to or remove from verification.
a. Select one or more inspection engines.
b. Click Add to Schedule or Remove from Schedule
Windows: Configuring the S-TAP verification schedule

You can configure the schedule for running S-TAP verification.
About this task

The same schedule is used for all S-TAPs that are scheduled for verification.
Once a schedule is defined, you can click the Pause button to temporarily stop the verification process while keeping it active. Use the Run Once Now button to run the
verification once in real-time.
Procedure
1. Click Manage > Activity Monitoring > S-TAP Verification Scheduler to open the S-TAP Verification Scheduler.
2. In the S-TAP Verification Scheduler portion of the page, click Modify Schedule.
3. In the Schedule Definition dialog, use the drop-down lists and check boxes to schedule when verification runs. This schedule is applied to all S-TAPs that are
scheduled for verification.
4. Click Save to save your changes.

Windows: S-TAP Load Balancing models and configuration guidelines
Each load balancing model is described here, along with its specific parameter requirements.
Note: This topic described S-TAP load balancing, and not Enterprise Load Balancing.
Failover
S-TAP sends traffic to one collector (primary) and fails over to the secondary as needed. The S-TAP agents are configured with a primary and at least one secondary
collector IP. If the S-TAP agent cannot send the traffic to the primary collector for various reasons, the S-TAP agent automatically fails over to the secondary. It continues
to send data to the secondary host until either the secondary host system becomes unavailable, the primary host becomes available again, or until the S-TAP is restarted
(at which point it attempts to connect to its primary host first). If the secondary host system becomes unavailable, it fails over to another secondary if there is one defined.
In the second case S-TAP fails over from the secondary Guardium host back to the Primary Guardium host. It's recommend setting up a primary and up to two secondary
collectors. You can either define one collector as a standby failover collector only, or a few failover collectors. When using one standby failover, one collector is usually
sufficient for 4-5 collectors. When using a few failover collectors, each one should run at a maximum 50% capacity, so that there are always resources for additional load.
Choose the setup that works best with your architecture, database, and data center layout. If the primary becomes available, the S-TAP fails back from the secondary
Guardium host back to the Primary Guardium host.
The S-TAP restarts each time configuration changes are applied from the active host.
In the S-TAP Control window, Details section: set Load Balancing to 0; In the Guardium Hosts section: add at least one secondary Guardium Host.
Additional failover configuration should be left at the default values, except by advanced users.
Before designating a Guardium system as a secondary host for an S-TAP, verify these items.
The Guardium system must have connectivity to the database server where S-TAP is installed. When multiple Guardium systems are used, they are often attached
to disjointed branches of the network.
The Guardium system must not have a security policy that will ignore session data from the database server where S-TAP is installed. In many cases, a GuardiumÂ®
security policy is built to focus on a narrow subset of the observable database traffic, ignoring all other sessions. Either make sure that the secondary host will not
ignore session data from S-TAP or modify the security policy on the Guardium system as necessary.
Load balancing
This configuration balances traffic from one database onto multiple collectors. This option might be good when you must monitor all traffic (comprehensive monitoring) of
an active database. (Note that for outliers detection, the collectors need to be under the same aggregator and central manager in order for the aggregator to process all
related data.) When the generated traffic is large and you need to house the data online on a collector for an extended period, this method might be your best choice
because it performs session-based load balancing across multiple collectors. An S-TAP can be configured in this manner with up to 10 collectors.
In the S-TAP Control window, Details section: set Load Balancing to 1 for load balancing.
Grid
With Grid, the S-TAP communicates to the collector through a load balancer, such as f5 and Cisco. The S-TAP agent is configured to send traffic to the load balancer. The
load balancer forwards the S-TAP traffic to one of the collectors in the pool of collectors. You also can configure failover between load balancers for continuous monitoring
if the load balancer should fail.
S-TAPs in the F5 environment upload their log files and results of running diagnostics (all files from ..\Logs folder except for memory dumps) to the active collector and
central manager (if exists) to the location ./var/IBM/Guardium/log/stap_diagnostic/
In the S-TAP Control window, Details section: set Load Balancing to 3 for the grid model.
In addition, set:
All can control=1

Guardium Host=<the IP of the Virtual IP of the balancer, to which all S-TAP database clients point to>
The persistence of S-TAP is configured by the failover parameters:
TAP_MIN_TIME_BEFOREFAILOVER: The time interval, in minutes, after which the S-TAP switches to secondary Guardium system if: it cannot connect to its
primary Guardium system; it can connect to its primary Guardium system but cannot write to its buffer. Default is 5.
TAP_MIN_HEARTBEAT_INTERVAL: Maximum time the S-TAP attempts to write to the primary Guardium system buffer before attempting to write to the
secondary Guardium buffer. Default is 30 sec, meaning it tries to write at least 5*60/30 times before failover.
Redundancy
In redundancy, the S-TAP communicates its entire payload to multiple collectors. The S-TAP is configured with more than one collector (often only two) and
communicates the identical content to both. This option provides full redundancy of the same logged data across multiple collectors. It can also be used for logging data
and alert on activity at different levels of granularity.
In the S-TAP Control window, Details section: set Load Balancing to 2 for redundancy.
Windows: Set up S-TAP authentication with SSL certificates

S-TAPs can be configured to only connect to a certain group of machine(s) that authenticate with a given certificate or set of certificates. Â These certificates can either be
generated locally on the Guardium system and sent off to the Certificate Authority (CA) for signing or can be created at the CA and installed whole on the Guardium
system.
Windows: Generating certificate signing request (CSR) on Guardium system

Use this procedure to generate a certificate signing request locally on the Guardium system, for sending to the Certificate Authority (CA) for signing.

Windows: Installing an SSL certificate generated outside of the Guardium system
Use this procedure to install the SSL certificate that was created by the CA.
Windows: Configuring the S-TAP to use x.509 certificate authentication
Windows: Generating certificate signing request (CSR) on Guardium system

Procedure
1. Log into your Guardium system with CLI.
2. Enter: cli> create csr sniffer
3. Enter the requested data.
When you've finished, it looks like:
4. Copy from the -----BEGIN CERTIFICATE REQUEST----- to the -----END CERTIFICATE REQUEST----- into a file and send this to your CA for signing.
The CA will sign the certificate and send you back a public key that looks something like:

5. Have this file handy to either copy its contents or import it to the Guardium system. Enter: cli> store certificate sniffer [console | import]
6. If console, copy-paste from -----BEGIN CERTIFICATE----- all the way to -----END CERTIFICATE----- (including those within the copy) and paste into the CLI when
prompted. Â If choosing import, tell the Guardium system where to import the file from.
It asks you to confirm that you want to store the certificate, and when you confirm, it stores it.

7. Restart the inspection-core for the new certificate to take effect.
Parent topic: Windows: Set up S-TAP authentication with SSL certificates
Windows: Installing an SSL certificate generated outside of the Guardium system

About this task

If the CA is sending you a whole certificate to install, you need two files, the private key in PKCS#8 (password protected) format, and the public key in PEM format. The
certificate generated needs to be a 2048 bit RSA key.
The CA sends you two files, and the public cert for your CA. Â
The public-cert of your CA looks like:

The public-cert specific to you/this Guardium system looks like:
The private key (encrypted with pkx#8) looks like:
Have these files handy to either import (via scp/ftp/etc) to the Guardium system or to copy-paste into the cli interface on the Guardium system.
Procedure
1. Log in to the Guardium system via CLI.
2. Store the private key by entering: cli> Â store certificate keystore [import | console] The import takes the saved file, and then copies and pastes the contents of the
file into your console interface. It asks for the password that the file was saved with. Â Either you provided this to the CA for creation of the certificate, or more
likely, they provided you with a password when they sent your files. Here's what it looks like on the Guardium system:

3. Import the signed certificate with: cli> Â Â store certificate sniffer [import | console] It displays the information on the cert and then asks you to confirm storing the
cert. It looks like:

Windows: Configuring the S-TAP to use x.509 certificate authentication

About this task
First, take note of what you have assigned as the CA and the CN of the certificate. Â If you don't remember, use the CLI command show system certificate to display the
values.
You need the CN of the cert installed on the Guardium system and the public-key for the CA that signed the certificate on the Guardium system. You also might want a
Certificate Revocation list signed by the same CA that signed the Guardium system cert, but it's not necessary.
The relevant parameters in the guard_tap.ini are:

If you do not choose to use a value for a parameter, do not include it in the guard_tap.ini. This is pertinent to the CRL path in particular, or if you want to shut off certificate
authentication and go back to TLS.
Procedure
1. Copy the public key [and the CRL if wanted] for the CA that the CA sent you to a directory on the S-TAP host.Â Take note of this directory.
2. Set guardium_ca_path=[path-to-CA.pem]
3. Set sqlguard_cert_cn=[the full CN or partial CN (using * as a wildcard) of the Guardium system]
4. If you want to use a certificate revocation list at this time, set guardium_crl_path=[path-to-crl.crl] It should look like:
guardium_ca_path=/var/tmp/pki/Victoria_QA_CA.pem
sqlguard_cert_cn=sample1_qa.victoria
guardium_crl_path=/var/tmp/pki/Victoria_QA_CA.crl
5. Change tls=1.
6. Restart the S-TAP You are now connected using Openssl.
Windows: Using DB2 exit library

The DB2 exit mechanism enables Guardium to pick up all DB2 traffic, whether encrypted or not and whether local or remote. This solution simplifies the S-TAP
configuration, and provides native DB2 support.
About this task

DB2 exit embeds a Guardium library into DB2 via the DB2_Exit mechanism. The DB2_Exit communicates directly with the Guardium S-TAP to forward all DB2 traffic,
whether encrypted or not, and both local and remote. DB2 exit captures TCP as well as SHM traffic.
DB2 exit supports terminate, and UID chain.
Limitations:
DB2 Exit does not support Guardium data masking (scrub/redact).

The Guardium firewall (V10.1.2 and later) requires DB2 version 10.1 or later.
Stored Procedures: DB2-Exit monitors stored procedures. Since Guardium does not know what is in the stored procedure, SQL from inside the procedure is not
captured.
Procedure
1. Create a new folder within the DB2 SQLLIB folder, for each instance$DB2PATH\security\plugin\commexit\instance_name For example: C:\Program
Files\IBM\SQLLIB\security\plugin\commexit\DB2_01
2. Copy the corresponding DLLs from the S-TAP installation directory into the created directories:
For 32-bit DB2:
db2fexitx86.dll
db2exitx86.dll
For 64-bit DB2:
db2exitx64.dll
db2fexitx64.dll
3. Stop the DB2 instance(s), and issue the following command:
for 32 bit: UPDATE DBM CFG USING COMM_EXIT_LIST db2fexitx86
for 64 bit: UPDATE DBM CFG USING COMM_EXIT_LIST db2fexitx
4. Start the DB2 instances.
5. Add an inspection engine for DB2 Exit with protocol DB2 Exit. Navigate to Manage > Activity Monitoring > S-TAP Control. See parameter descriptions in Windows:
Inspection engine parameters. You can also modify the guard_tap.ini, but it's much easier to use the GUI since it fills in some of the information automatically and
does some validation. If modifying the guard_tap.ini
[DB_DB2_EXIT1]
DB_TYPE=DB2_EXIT
INSTANCE_NAME=Service_name
In the TAP section, set the parameter DB2_EXIT_DRIVER_INSTALLED=1
The service name is not the instance name. You can determine the service name by using the db2tap utility in the S-TAP installation folder, or from the control
panel. Set the instance name to the portion of the service name that follows the second dash ( - ) delimiter. For example, if the service name in the control panel is
DB2 - DB2COPY1 - DB2-01-0, set INSTANCE_NAME to DB2-01-0.
6. To stop using the feature and stop DB2, issue the following command and then restart the DB2: db2 UPDATE DBM CFG USING COMM_EXIT_LIST NULL
Windows: Editing the S-TAP configuration parameters

You can modify the S-TAP configuration after it is installed using GIM, the UI, or for advanced users, the configuration file on the database.
Note: Parameters in the GUI may be safely changed. Parameters that are not in the GUI are advanced, and rarely need changing. They are normally be left unmodified;
they are for use by Guardium support or advanced users.
CAUTION:
You can some modify parameters in the GUI. See Windows: Configure S-TAP from the GUI.

GIM is an easy method for modifying parameters, if the S-TAP bundle was installed with GIM. See the instructions for v10.1.4 and higher: Set up by Client; and for v10.1-
10.1.3: GIM user interfaces.
[TAP] parameters, and it is added or updated in the guard_tap.ini.
CAUTION:
There is no validation of the input when using the command WINSTAP_CMD_LINE. Use this command carefully. Do not modify advanced parameters unless you are an
expert user or you have consulted with IBM Technical Support.
If it is necessary to modify the configuration file from the database server, follow the procedure described in this section.
The S-TAP needs restarting after you modify the guard_tap.ini. If you're using GIM, it restarts the S-TAP automatically.
CAUTION:
Parameters must be added to their relevant section: [Version], [TAP], [SQLGuard], [DB_<name>].

2. Stop the S-TAP.
3. Make a backup copy of the configuration file: guard_tap.ini. The default file locations is \Program Files\IBM\Windows S-TAP\Bin\
4. Open the configuration file in a text editor.
5. Edit the file as necessary.
6. Save the file.
7. Restart the S-TAP and verify that your change has been incorporated.

These parameters describe a Guardium system to which this S-TAP can connect. All parameters in this section are basic, and appear in the [SQL_GUARD] section.
These parameters define basic properties of the S-TAP running on a Windows server and the server on which it is installed, and do not fall into any of the other
categories.
These parameters affect the behavior of the inspection engine that the S-TAP uses to monitor a data repository on a Windows server.
Windows: Firewall parameters
These parameters affect the behavior of the S-TAP with respect to the firewall.
Windows: Query rewrite parameters
The query rewrite parameters affect the behavior of the S-TAP with respect to discovery.
Windows: Discovery parameters
The discovery parameters define the behavior of the auto-discovery feature, for discovering database instances and sending the results to the current active S-TAP.
Windows: Debug parameters
These parameters affect the behavior of S-TAP debugging.
These parameters affect the behavior of CAS.
Windows: Driver parameters
These parameters affect the behavior of several drivers with which the S-TAP interacts.

GUI GIM guard_tap.ini Default Description

value
Â PRIMARY Â Indicates the primary Guardium system for this S-TAP. In guard_tap.ini: 0=secondary, 1=primary
(chec
kmark
indica
tes
the
prima
ry
host)
Â Â TAP_GUARD_TCP_PORT 9500 Read only. Port used for S-TAP to connect to Guardium system.
Guard WINS SQLGUARD_IP NULL IP address or hostname of the Guardium system that acts as the host for the S-TAP. You can define
ium TAP_S multiple hosts by adding [SQLGuard_1], [SQLGuard_2], and so on.
Host QLGU
ARD_I
P
Parent topic: Windows: Editing the S-TAP configuration parameters

These parameters define basic properties of the S-TAP running on a Windows server and the server on which it is installed, and do not fall into any of the other categories.
These parameters are stored in the [VERSION] section of the S-TAP properties file.
Table 1. S-TAP configuration parameters in the [VERSION] section
GUI guard_tap.ini Description

GUI guard_tap.ini Description
Â STAP_CLIENT_BUILD Read only. The build version of the installed S-TAP.
Version PROTOCOL_VERSION Read only. The version of the Guardium system.

These parameters are stored in the [TAP] section of the S-TAP properties file.
Table 2. S-TAP configuration parameters in the [TAP] section
GUI GIM guard_tap.ini Default value Description
Â Â TAP_TYPE wstap Read only. The type of installed S-TAP agent:
Version Â TAP_VERSION Â Read only. The version of S-TAP installed on the server.
S-TAP TAP_IP Â Read only. Used by the file system monitoring service, instead of the SOFTWARE_TAP_HOST
Host parameter. Both parameters should have the same value.
All can WSTA ALL_CAN_CONTROL 0 0=S-TAP can be controlled only from the primary Guardium system. 1=S-TAP can be controlled
control P_AL from any Guardium system.
L_CA
N_CO
NTRO
L
Load WINS PARTICIPATE_IN_LOAD_BALAN 0 Controls S-TAP load balancing (not enterprise load balancing) to Guardium systems:
balanci TAP_ CING
ng PART 0: No load balancing.
ICIPA 1: Load balancing. Traffic is balanced between the primary and secondary servers, defined
TE_I in the SQLGuard section.
N_LO 2: Redundancy. Fully mirrored S-TAP sends all traffic to all primary and secondary servers,
AD_B defined in the SQLGuard section.
ALAN 3: Hardware load balancing. Guardium uses a load balancer such as F5 or Cisco. S-TAP
CING sends the traffic to the load balancer, which forwards it to one of the collectors in the pool.
Use the primary parameter in the SQLGUARD section to specify primary, secondary, etc. servers.
If this parameter is set to 0, and you have more than one Guardium system monitoring traffic,
then the non-primary Guardium systems are available for failover.
TLS USE_TLS 0 1=use SSL to encrypt traffic between the agent and the Guardium system.
Use
0=do not encrypt. Warning - the traffic between the agent and Guardium system is in clear text.
Guardium recommends encrypting network traffic between the S-TAP and the collector
whenever possible, only in cases where the performance is a higher priority than security should
this be disabled.
TLS Â FAILOVER_TLS 1 1= If ssl connection is not possible for any reason, fail over to using non-secure connection.
Failove 0=use only secure connections.
r
Â NUMBER_OF_PROCESSORS 4 Read only. Number of processors on the machine
Â Â ALTERNATE_IPS Â Comma-separated list of alternate or virtual IP addresses used to connect to this database
server. This is used only when your server has multiple network cards with multiple IPs, or virtual
IPs. S-TAP only monitors traffic when the destination IP matches either the S-TAP Host IP
defined for this S-TAP, or one of the alternate IPs listed here, so it's recommend that you list all
virtual IPs here.
Â DB2_TAP_INSTALLED 0 Set to 1 for sniffing DB2 shared memory traffic. Starts the DB2 TAP Service when set to 1.
Â DB2_EXIT_DRIVER_INSTALLED Â DB2 Integration with S-TAP: set to 1 to enable DB2 Exit library integration 1) Let S-TAP capture
all DB2 traffic directly from the DB2 engine - Note, that it is only for specifc DB2 releases - 10.1
and onwards 2) When using this method, Firewall and Scrub/Redact functionality are not
supported. Also, stored procedures will not be captured. 3) It lets us pick up all DB2 traffic ,
regardless of encryption/network protocol. 4) This solution simplifies the S-TAP configuration for
customers that will deploy this version of DB2, and gives them native DB2 support.
Â DB2_SHMEM_DRIVER_INSTALL Â Deprecated, and replaced by db2_tap_installed.

ED
Â DB2_SHMEM_DRIVER_LEVEL Â Deprecated
Â Â DC_COLLECT_FREQ 24 Specifies the frequency of collection in hours. Minimum is 1, maximum is 24. GuardiumDC is a
service that collects updates of user accounts (SIDs and usernames) from the primary domain
controller and then signals the changes to Guardium_S-TAP to update S-TAP internal
SID/UserName? map. If S-TAP cannot find resolved SID in the map, it tries to get it from the
primary Domain Controller, in which case S-TAP logs a message into debug log (level 7) The
account name *** has been retrieved for SID ***.
Â Â DC_COLLECT_MAXUSERS 200,000 The maximum number of users to collect. Minimum is 10,000.
Â DOMAIN_CONTROLLER Â The name of the specific controller from which the SID/usernames map should be read.
Â HIGH_RESOLUTION_TIMER 0 0: send time stamps in milliseconds. 1: send time stamps in microseconds, but use milliseconds
system timer (to reduce system performance hit - multiply milliseconds by 1000). 2: send time
stamps in microseconds, use high resolution windows timer (most accurate). For cases 1 and 2,
the S-TAP will indicate to the Guardium system that micro seconds are sent, by setting the
reserved byte in PacketData to 1.
Â BUFFER_FILE_SIZE 50 Advanced. The initial size of the buffer. The range is 5 to 1000 in MB.

Â Â BUFFER_FILE_NAME Â The full path of the memory mapped file if BUFFER_MMAP_FILE=1. Default is WSTAP working
folder/StapBuffer/STAP_buffer.dtx
Â BUFFER_MMAP_FILE 0 1=memory mapped file option. 0=virtual memory allocation
Â SOFTWARE_TAP_HOST Â The database server host on which S-TAP is installed. It can be an IP address or a name
recognized by the DNSserver. There is no default. An invalidly configured SOFTWARE_TAP_HOST
is automatically replaced with a valid local IP.
Â TCP_ALIVE_MESSAGE 1 This parameter is deprecated since Guardium v10.x. Guardium collectors no longer send UDP
alive messages.
Compr COMPRESSION_LEVEL 0 Compression level, from 1 to 9.

es. 0=no compression.
level
Â DISABLE_SHARED_MEMORY_IF_ 0 Â
TURNED_ON
Â FILE_SNIFFER_FREQUENCY 45 Frequency, in seconds, of:
registration attempts with a Guardium system if a previous attempt was not successful
S-TAP checks for new logs available from Program Files\IBM\Windows S-TAP\Logs for
uploading onto collector
Â MAXIMUM_PACKET_NUM 300,000 Deprecated
Â MIN_BYTES_TO_COMPRESS 500 Advanced. Minimum size of message to compress.
Â NOT_SEND_TO_SQLGUARD 0 Advanced. Send nothing to the Guardium system.
Â RECV_LEVEL 0 Advanced.
Messag REMOTE_MESSAGES 1 1=Send messages to the active Guardium system. 0=Do not send messages
es:
remote
Â SEND_LEVEL 0 Advanced. Used for thread prioritization.
Â SNIFFED_UDP_PORTS 88 Deprecated.
Â SYNCH_FLAG 1 Read only. Deprecated in v10.0. Indicates whether parameters are synchronized with the UI.
Â TAP_DBSERVER_NAMES Â Â
Â TAP_MIN_HEARTBEAT_INTERVA 30 Maximum time the S-TAP attempts to write to the primary Guardium system buffer before
L attempting to write to the secondary Guardium buffer. Default is 30 sec, meaning it tries to write
at least 5*60/30 times before failover, by default (using also TAP_MIN_TIME_BEFOREFAILOVER).
Â Â TAP_MIN_TIME_BEFOREFAILOV 5 The time interval, in minutes, after which the S-TAP switches to secondary Guardium system if: it
ER cannot connect to its primary Guardium system; it can connect to its primary Guardium system
but cannot write to its buffer.
Â TCP_BUFFER_SIZE 60000 Advanced. Minimum number of bytes to collect before sending a message to the Guardium
system
Â TIME_NETWORK 0 Advanced. Used for debug only.
Â WEB_SERVER_CONNECTIONS 1 Maximum number of DB connections by .net app.
Â WEB_SERVER_INSTALLED 0 Deprecated. Formerly used to enable IIS tap.
Â WEB_SERVER_PORT 9000 Port for web-server
Â GUARDIUM_CA_PATH NULL Location of the Certificate Authority certificate.
Â SQLGUARD_CERT_CN NULL The common name to expect from the Sqlguard certificate.
Â GUARDIUM_CRL_PATH NULL The path to the Certificate Revocation list file or directory.
Â TAP_FAILOVER_SESSION_QUIES 240 The number of seconds after failover, when unused sessions in the failover list from the previous
CE active servers can be removed from the current active server,
Â TAP_FAILOVER_SESSION_SIZE 8192 Size, in MB, of the failover session list. 0=no failover sessions should be saved
Â DB_IGNORE_RESPONSE Â Ignore response at inspection level. Use this function to ignore all database responses at the S-
TAP level, without sending anything to the Guardium system. In certain environments, where
only interested in client transactions, this function saves bandwidth and processing time for the
S-TAP and the Guardium system. Use this function for an easier configuration for ignoring
unwanted responses from the database, without loading the network. Database types can be
listed as comma separated or ALL can be specified to ignore responses from all types of
databases, for example, DB_IGNORE_RESPONSE=ALL or DB_IGNORE_RESPONSE=MSSQL,DB2.
Supported DB types: ALL, MSSQL_NP, MSSQL, MYSQL, TRD, PGRS, MSSYB, ORACLE, DB2,
DB2_EXIT, INFORMIX, KERBEROS, FTP, CIFS.
Â DB_IGNORE_RESPONSE_FILTE 0.0.0.0/0.0.0.0 Comma separated list of IP/MASKs to be response-ignored. Any DB responses of the type
R specified by DB_IGNORE_RESPONSE to the specified IP/MASKs are ignored
NULL: no filtering of responses
0.0.0.0/0.0.0.0: all IPs are filtered

Â DB_IGNORE_RESPONSE_LOCAL 1 filtering of local db responses 0:no, 1:yes

Note: TCP traffic is not considered Local traffic for db_ignore_response_local parameter.
Â DB_IGNORE_RESPONSE_BYPAS 65535 DB_IGNORE_RESPONSE starts when bypass bytes are reached.

S_BYTES
Â DB_IGNORE_RESPONSE_RESET 1 Reset DB_IGNORE_RESPONSE_BYPASS_BYTES on each request.

S_PER_REQUEST
Â UPLOAD_FEATURE 1 Controls uploading of all log files from Program Files\IBM\Windows S-TAP\Logs onto the
collector.

These parameters affect the behavior of the inspection engine that the S-TAP uses to monitor a data repository on a Windows server.
These parameters are stored in the individual [DB_<name>] inspection engine section of the S-TAP properties file, with the name of a data repository. There can be
multiple sections in a properties file, each describing one inspection engine used by this S-TAP.
GUI guard_tap.ini Default value Description
Protoc DB_TYPE Â The type of data repository being monitored.

ol
Instan INSTANCE_NAME Â The name of the database instance on this server. Required for MS SQL Server is using encryption;
ce MS SQL Server using Kerberos Authentication; DB2 Exit traffic collection; DB2 SHM traffic. (Default is
Name MSSQLSERVER.)
Port PORT_RANGE_START Â Starting port range specific to the database instance. Together with TAP_DB_PORT_MAX defines the
range range of ports monitored for this database instance. There is usually only a single port in the range.
For a Kerberos inspection engine, set the start and end values to 88-88. If a range is used, do not
include extra ports in the range, as this could result in excessive resource consumption while the S-
TAP attempts to analyze unwanted traffic.
Port PORT_RANGE_END Â Ending port range specific to the database instance.

range
Name NAMED_PIPE sql\query,sqlloc Specifies the named pipe used by MS SQL Server for local access. If a named pipe is used, but
d Pipe al,\MSSQLSERV nothing is specified in this parameter, S-TAP attempts to retrieve the named pipe name from the
ER registry.
Client NETWORKS Â Identifies the clients to be monitored, using a list of addresses in IP address/mask format:
Ip/Ma n.n.n.n/m.m.m.m. If an improper IP address/mask is entered, the S-TAP does not start. Valid values:
sk
null=select all clients
127.0.0.1/255.255.255.255=local traffic only
Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot be specified
simultaneously.
If the IP address is the same as the IP address for the database server, and a mask of
255.255.255.255 is used, only local traffic will be monitored. An address/mask value of
1.1.1.1/0.0.0.0 monitors all clients.
Exclu EXCLUDE_NETWORKS Â A list of client IP addresses and corresponding masks that are excluded from monitoring. This option
de allows you to configure the S-TAP to monitor all clients, except for a certain client or subnet (or a
Client collection of these). Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks)
Ip/Ma cannot be specified simultaneously.
sk
Proce TAP_DB_PROCESS_NAMES Â Database service executables that are to be monitored. For example, a DB2 IE would be
ss TAP_DB_PROCESS_NAMES=DB2SYSCS.EXE. For Oracle or MS SQL Server only, when named pipes
Name are used. For Oracle, the list has two entries: oracle.exe,tnslsnr.exe. For MS SQL Server, the list is just
one entry: sqlservr.exe.
Identi TAP_IDENTIFIER NULL Optional. Used to distinguish inspection engines from one another. If you do not provide a value for
fier this field, Guardium auto-populates the field with a unique name using the database type and GUI
display sequence number.
These additional parameters are used with IBM DB2 databases.
Table 1. Additional S-TAP configuration parameters for a DB2 inspection engine

DB2 Shared DB2_FIX_PACK_ADJUSTMENT 80 Required when DB2 is selected as the database type, and shared memory connections are
Mem. Adjust. monitored. The offset to the server's portion of the shared memory area. Offset to the beginning
of the DB2 shared memory packet, depends on the DB2 version: 32 in pre-8.2.1, and 80 in 8.2.1
and higher.
Â DB2_LOG_SIZE Â Advanced. The maximum file size, in MB, that the functional DLL can keep buffered before it
starts throwing away log entries.

DB2 Sh. Mem. DB2_CLIENT_OFFSET 61440 The offset to the client's portion of the shared memory area. Required when DB2 is selected as
Client Pos. the database type, and shared memory connections are monitored. The client offset can be
calculated by taking the value of the DB2 parameter ASLHEAPSZ and multiplying by 4096 to get
the appropriate offset. The default for this parameter is 61440 decimal. This parameter is
calculated by taking the DB2 database configuration value of ASLHEAPSZ and multiplying by
4096. To get the value for ASLHEAPSZ, execute the following DB2 command: db2 get dbm cfg
and look for the value of ASLHEAPSZ. This value is typically 15 which yields the 61440 default. If
it's not 15, take the value and multiply by 4096 to get the appropriate client offset.
DB2 Shared DB2_SHMEM_SIZE 131072 DB2 shared memory segment size. Required when DB2 is selected as the database type, and
Mem. Size shared memory connections are monitored.
Windows: Firewall parameters

CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support only.
G
I
M guard_tap.ini Default value Description
W FIREWALL_INSTALLED 0 Firewall feature enabled. 1=yes, 0=no.

S
T
A
P
_
F
I
R
E
W
A
L
L
_
I
N
S
T
A
L
L
E
D
W FIREWALL_TIMEOUT 10 Time, in seconds to, wait for a verdict from the Guardium system if the firewall timed out. Look at
S firewall_fail_close value to know whether to block or allow the connection. The value can be any integer
T value.
A
P
_
F
I
R
E
W
A
L
L
_
T
I
M
E
O
U
T

G
I
W FIREWALL_FAIL_CLOSE 0 If the verdict does not come back from the Guardium system and the firewall_timeout expires: if
S firewall_close = 0 the connection goes through; if firewall_close=1 the connection is blocked.
T
A
P
_
F
A
I
L
_
C
L
O
S
E
W FIREWALL_DEFAULT_STATE 0 0: An event triggers traffic in a session to be watched and checked for firewall policy violations.
S 1: All traffic is watched by default for firewall policy violations
T
A
P
_
D
E
F
A
U
L
T
_
S
T
A
T
E
W FIREWALL_FORCE_WATCH NULL When the firewall feature is enabled and firewall_default_state is 0, the session is watched automatically
S when its client IP matches one of this list of IP/MASK values. The list itself is separated with commas, for
T example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2
A
P
_
F
O
R
C
E
_
W
A
T
C
H
W FIREWALL_FORCE_UNWATCH NULL When the firewall feature is enabled and firewall_default_state is 1, the session is unwatched
S automatically when its client IP matches one of this list of IP/MASK values. The list itself is separated with
T commas, for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2,
A
P
_
F
O
R
C
E
_
U
N
W
A
T
C
H

Windows: Query rewrite parameters
CAUTION:
GIM guard_tap.ini Default Description
Value
WINSTAP_QRW_INSTAL QUERY_REWRITE_INST 0 Enable / disable the Dynamic Data Masking for Databases feature. When set to 0, all other
LED ALLED parameters in this group are ignored.
0=No
1=Yes
WINSTAP_QRW_DEFAU QUERY_REWRITE_DEF 0 Sets the query rewrite activation trigger. Must be 0 if firewall_default_state=1.
LT_STATE AULT_STATE
0=QRW activated per session when triggered by a rule in the installed policy
1=QRW activated for every session regardless of the installed policy
WINSTAP_QRW_FORCE QUERY_REWRITE_FOR NULL Comma separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to watch
_WATCH CE_WATCH automatically. Valid when qrw_default_state is 0. Cannot be configured to the same range as
firewall_force_watch.
WINSTAP_QRW_FORCE QUERY_REWRITE_FOR NULL Comma separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to exclude
_UNWATCH CE_UNWATCH from watching. Valid when firewall_default_state is 1. Cannot be configured to the same range as
firewall_force_unwatch.
WINSTAP_QUERY_REW QUERY_REWRITE_FAIL 8 If the verdict does not come back from the Guardium system and the QUERY_REWRITE_TIMEOUT
RITE_FAIL_CLOSE _CLOSE expires: if QUERY_REWRITE_CLOSE=0 the query rewrite operation proceeds; if
QUERY_REWRITE_CLOSE=1 the connection is terminated.
WINSTAP_QUERY_REW QUERY_REWRITE_TIME 10 If the verdict does not come back from the Guardium system and the QUERY_REWRITE_TIMEOUT
RITE_TIMEOUT OUT expires: if QUERY_REWRITE_CLOSE=0 the query rewrite operation proceeds; if
QUERY_REWRITE_CLOSE=1 the connection is terminated.
Windows: Discovery parameters

CAUTION:
GIM guard_tap.ini Default value Description
WINSTAP_DISC DISCOVERY_INTERVAL 24 The time interval, in hours, at which auto-discovery runs. Set to 0 to disable.
OVERY_INTERV
AL
Windows: Debug parameters

CAUTION:
These parameters are stored in the [DEBUG_OPTIONS] section of the S-TAP properties file:
guard_tap.ini Default value Description
DEBUG_BUFFER 1 1=log the contents of local packets
DEBUG_FIREWALL 1 1=log firewall events

These parameters are stored in the [TAP] section of the S-TAP properties file:
Table 1. More S-TAP configuration parameters for debugging
DEBUG_MAX_FILE_SIZE 200

DEBUGLEVEL 0 Level of debug messages to store. Leave at 0 unless directed by IBM Technical Support.
0
Only critical error information
From v10.1.4: Two "startup" debug logs saved in bin\..\logs. Filename syntax:
startup_hostname_timestamp.new and startup_hostname_timestamp.old. Files from bin\..\logs get
uploaded automatically if upload_feature is on.
1
All previous messages plus repeatable critical error information
From v10.1.4: Two "normal" debug logs saved in bin\StapBuffer. Filename syntax:
stap_hostname_timestamp.new and stap_hostname_timestamp.old. Files from bin\StapBuffer are not
uploaded.
2
Not used
3
All messages from level 1, plus brief information about packets sent to a Guardium system
4
All messages from level 3, plus local sniffing log
5
All messages from level 4, plus network sniffing log
6
All messages from level 5, plus heartbeat receiving log
7
All messages from level 6, plus miscellaneous debugging information
DUMP_FILE_MODE 0 Enables capture of dump files if S-TAP crashes. When the parameter is not zero, a new dump file is opened
every time the S-TAP starts; it is empty if there is no crash.
0: no crash dumps generated

1: crash dumps generated, written to the file stap.diag which is created in the S-TAP working directory.
S-TAP copies any existing stap.diag file to a backup file before overwriting the stap.diag file.
2: time-stamped crash dumps generated, written to a file stap-TIMESTAMP.diag which is created in
the S-TAP working directory, where TIMESTAMP identifies when the crash dump was generated. If you
have issues with crashes, use this option to capture all dumps, not just the most recent one. The
timestamp will also help with debugging. This option uses more diskspace, however.
DEBUG_FILE_MODE <install Deprecated in V10.1.4. Location of the S-TAP debug file. Default until 10.1.4 is <install
folder>/StapBuffe folder>/StapBuffer/stap.txt.
r/stap.txt
v10.1.4 and higher: If the debuglevel > 0, then the log from the previous S-TAP session (if it exists) is saved
as: %STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-DD%%HHMMDD%.old and the new log is
created as: %STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-DD%%HHMMDD%.new. In
addition to this, start-up logs containing just messages related to S-TAP start-up are always generated in
%STAP_DIR%\Logs: startup_%HOSTNAME%%YY-MM-DD%%HHMMDD%.old and
startup_%HOSTNAME%%YY-MM-DD%%HHMMDD%.new.
STACK_TRACE_FILE_MODE Â Deprecated in V10.1.3. Similar to dump_file_mode
KERNEL_DEBUG_LEVEL 0 Â
SYSLOG_MESSAGES 1 1= send messages to EventViewer. 0=do not send messages.
WER_DUMP 1
WER_DUMP_FOLDER None If the parameter is not set, the following value is used. If the STAP installation folder is rooted anywhere but
C:\Program Files (x86)\... then the WER dump folder is set to the full path ending in ...\Windows S-
TAP\Bin\..\Logs. If the STAP installation folder contains the text "(x86)" in it, the dump folder is set to
C:\Guardium\Dumps and that path will be created by the STAP process.
For example, if Windows S-TAP is installed to C:\PROGRAM FILES\IBM\WINDOWS S-TAP and uses default
values for WER_DUMP_FOLDER, WER_DUMP_COUNT, Windows S-TAP uses the following registry settings,
then Windows S-TAP crash dump is generated via Windows Error Reporting (WER) facility when it's crashed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error
Reporting\LocalDumps\guardium_stapr.exe
DumpCount REG_DWORD 0x1
DumpFolder REG_EXPAND_SZ C:\PROGRAM FILES\IBM\WINDOWS S-TAP\Bin\..\LOGS\
DumpType REG_DWORD 0x2
WER_DUMP_COUNT 1 Max value is 5.



CAS_SERVER_PORT 16017 The port for communication with the CAS agent. 16017 for unencrypted; 16019 for
encrypted.
Windows: Driver parameters

These parameters affect the behavior of several drivers with which the S-TAP interacts.
CAUTION:
Default
guard_tap.ini value Description
WFP_DRIVER_INSTALLED 1 WFP driver is used instead of LHMON. This option can be supported on Windows 2008 SP2 or
newer because Windows supports WFP API since this version. This parameter is ignored when
tcp_driver_installed=1
TCP_DRIVER_INSTALLED 1 Use TCP driver.
ORA_DRIVER_INSTALLED 1 Set to 1 for sniffing Oracle ASO and SSL traffic.
ORA_DRIVER_LEVEL 0 Advanced. Used for thread prioritization.
NAMED_PIPES_DRIVER_INSTALLED 1 Set to 1 for local named pipes sniffing
NAMED_PIPES_DRIVER_LEVEL 0 Advanced. Used for thread prioritization.
SHARED_MEMORY_DRIVER_LEVEL 0 Advanced. Used for thread prioritization.
KRB_MSSQL_DRIVER_INSTALLED 2 Deprecated from v10.1.4. It appears in the guard_tap.ini file but it does not affect the
configuration.
This parameter is used to decrypt MSSQL SSL and Kerberos encrypted traffic. Set to 1 or 2 to
collect MSSQL encrypted traffic and Kerberos tickets. If set to 1, when STAP starts, it pre-collects
usernames correlated with SIDs, collecting them for the number of seconds defined in
krb_mssql_driver_user_collect_time. When set to 2, the pre-collection isnâ€™t done and the
usernames are correlated at run time.
In V10.1, this parameter is used to enable/disable Correlation. If it is set to non-zero value, use
Correlation. If zero, don't use Correlation. The default is non zero value.
KRB_MSSQL_DRIVER_LEVEL 0 This parameter is deprecated from v10.1.4. Controls thread priorities of different sniffers.
KRB_MSSQL_DRIVER_NONBLOCKING 0 This parameter is deprecated from v10.1.4. It appears in the guard_tap.ini file but it does not
affect the configuration.1=get domain user names from the domain controller in a separate thread.
In this case the first packet with the new user does not resolve the user SID into domain user
name.
KRB_MSSQL_DRIVER_USER_COLLECT_TIME 30 This parameter is deprecated from v10.1.4. Use the Correlation driver introduced in 10.1.Time
limit for collecting SIDs at STAP startup.
CORRELATION_TIMEOUT 5 The number of seconds the WFP and NMP sniffers wait for correlation to occur before giving up
and resuming the flow of traffic to the appliance. The default is 5 seconds.
KRB_MSSQL_DRIVER_ONDEMAND 0 Deprecated in v9.0 GPU patch 50. Set to 1 if you want to save time by resolving user SIDs into
domain user names only for Kerberos tickets from new users for the running STAP instance.
Windows: S-TAP operation and performance

Windows: Starting S-TAP using GIM
With GIM, you can start S-TAP without logging into the database server.
Windows: Stopping S-TAP using GIM
With GIM, you can stop S-TAP without logging into the database server.
Windows: Starting S-TAP without GIM
Learn to start S-TAP from the database server.
Windows: Stopping S-TAP without GIM
Learn to stop S-TAP from the database server.
Windows: Monitoring S-TAP in the GUI
Use these standard reports and views to monitor your STAP status in the GUI.
Windows: S-TAP statistics
The S-TAP statistics are stored in the database table STAP_Statistic on the collector. This table stores the statistics sent by the S-TAP to the sniffer. There is no pre-
defined report for this table.
Windows: Monitoring with the Guardium Agent Monitor
The Guardium Agent Monitor (GAM) process monitors Guardium agent performance and responsiveness. It is good for detailed analysis during troubleshooting.
Windows: Troubleshooting S-TAP problems
You can use the S-TAP Status monitor tab of the SystemÂ View to begin investigating any problems. Sometimes you might need to use other tools, particularly if you
are monitoring databases for which the inspection engines cannot be verified.
Windows: Starting S-TAP using GIM

With GIM, you can start S-TAP without logging into the database server.
About this task

Use the following steps to change the WINSTAP_ENABLED parameter and schedule the S-TAP startup on the database server.
Procedure
1. Click Manage > Module Installation > Set up by Client to open the Client Search Criteria.
2. Click Search to perform a filtered search.
3. Select the Clients that will be the target for the action (starting S-TAP)
4. Click Next to open the Common Modules panel.
5. Select the Module for WINSTAP.
6. Click Next to open the Module Parameters panel.
7. Select the clients that will be the target for the action (starting S-TAPÂ®).
8. Change the WINSTAP_ENABLED parameter to 1 (one).
9. Click Apply to Clients to apply to the targeted clients.
10. Click Install/Update to schedule the update to the targeted clients. This update can be scheduled for NOW or some time in the future. When the schedule is run for
this update the S-TAP service on the targeted clients starts at the specified time.
Parent topic: Windows: S-TAP operation and performance
Windows: Stopping S-TAP using GIM

With GIM, you can stop S-TAP without logging into the database server.
About this task

Use the following steps to change the WINSTAP_ENABLED parameter and schedule the S-TAP stop on the database server.
Procedure
1. Click Manage > Module Installation > Set up by Client to open the Client Search Criteria.
2. Enter Client Search Criteria if you want to perform a filtered search of registered clients.
3. Click Search to perform filtered search and display the Clients panel.
4. Select the clients that will be the target for the action (stopping S-TAP).
6. Select the Module for WINSTAP.
8. Select the client that will be the target for the action (stopping S-TAP).
9. Change the WINSTAP_ENABLED parameter to 0.
10. Click Apply to Clients to apply to the targeted clients
11. Click Install/Update to schedule the update to the targeted clients. This update can be scheduled for NOW or some time in the future. When the schedule is run for
this update the S-TAP service on the targeted clients is stopped at the specified time.
Windows: Starting S-TAP without GIM

Learn to start S-TAP from the database server.
About this task

Note: When Windows S-TAP encounters a fatal error during start up that is due to configuration problems (unknown local IP address, more than 1 primary SQL-Guard
defined, etc.) it logs the reason to the Windows event log. In some cases an exit after a failure may cause a crash and another logged event. This crash should not cause
any concern if it is preceded by the event explaining the reason for the failure.
Procedure
2. From the Services control panel, start the IBM Security Guardium S-TAP.
3. Log in to the Guardium system to which this S-TAP reports. Verify that the Status light in the S-TAP control panel is green.
Windows: Stopping S-TAP without GIM

Learn to stop S-TAP from the database server.
Procedure
2. From the Services control panel, stop the IBM Security Guardium S-TAP.
3. Log in to the UI of the Guardium system to which this S-TAP was reporting, verify that the Status light in the S-TAP control panel is now red.

You can create alerts that are based on exceptions that are created by S-TAPs, but other domains that are used by S-TAP reports are system-private and cannot be
accessed by users. Â
System View
S-TAP Status Monitor in the System Monitor window: For each S-TAP reporting to this Guardium system, this report identifies the S-TAP Host, S-TAP Version, DB Server
Type, Status (active or inactive), Last Response Received (date and time), Instance Name, Primary Host Name, and true/false indicators for: MS SQL Server Shared
Memory, DB2Â® Shared Memory, Win TCP, Local TCP monitoring, Named Pipes Usage, Encryption, Firewall, DB install Dir, DB port Min and DB Port Max.
S-TAP Status Monitor: For each S-TAP reporting to this Guardium system, this report identifies the S-TAP Host, DB Server Type, S-TAP Version, Status (active or inactive),
Inspection Engine status, Last Response Received (date and time), Primary Host Name, and true/false indicators for: Firewall and Encrypted. Click the S-TAP Status and
the Inspection Engine status to see the Verification status on all Inspection Engines.
S-TAP Events: For each S-TAP reporting to this Guardium system, this report identifies the S-TAP Host, Timestamp, Event type (Success, Error Type, and so on), and Tap
Message.
If no messages display in the S-TAP Events panel, the production of event messages may have been disabled in the configuration file for that S-TAPÂ®. If this is the case,
you may be able to locate S-TAP event messages on the host system in the Event Log.
Tap Monitor
Primary GuardiumÂ® Host Change Log: Log of primary host changes for S-TAPs. The primary host is the Guardium system to which the S-TAP sends data. Each line of the
report lists the S-TAP Host, Guardium Host Name, Period Start, and Period End.
S-TAP Status: Displays status information about each inspection engine that is defined on each S-TAP Host. This report does not have From and To date parameters, since
it is reporting current status. Each row of the report lists the S-TAP Host, DB Server Type, Status, Last Response, Primary Host Name, Yes/No indicators for the following
attributes: Shared Memory Driver Installed, DB2 Shared Memory Driver Installed, Named Pipes Driver Installed, and App Server Installed. In addition, it lists the Hunter
DBS.
Inactive S-TAPs Since: Lists all inactive S-TAPs that are defined on the system. It has a single runtime parameter: QUERY_FROM_DATE, which is set to now -1 hour by
default. Use this parameter to control how you want to define inactive. This report contains the same columns of data as the S-TAP Status report, with the addition of a
count for each row of the report.
Windows: S-TAP statistics

The S-TAP statistics are stored in the database table STAP_Statistic on the collector. This table stores the statistics sent by the S-TAP to the sniffer. There is no pre-defined
report for this table.
To access, use the GUI. You can create alerts based on results.
The time interval is in hours (example, 5 is every 5 hours). Use - (minus) for a time interval less than 1 hour.
Fields in Table
TIMESTAMP
SOFTWARE_TAP_HOST
TOTAL_BYTES_SO_FAR
TOTAL_BYTES_DROPPED_SO_FAR
TOTAL_BYTES_IGNORED
TOTAL_BUFFER_INIT
IOCTL_REQUESTS
TOTAL_RESPONSE_BYTES_IGNORED
System CPU%
System Idle%
STAP CPU%
Buffer recycled

The Guardium Agent Monitor (GAM) process monitors Guardium agent performance and responsiveness. It is good for detailed analysis during troubleshooting.
Note: The GAM service should be off by default as it requires configuration specific to the environment in which it is installed. Improper configuration can cause very
serious operational issues. This is a tool to aid in troubleshooting and otherwise is not required.
Monitoring covers:
CPU usage
Memory
Handles
Number of threads
Alive - responsiveness (supported agents only, currently S-TAP is the only supported agent) (See Responsiveness)

If a monitored agent exceeds a configured threshold, or if it does not respond to the console request, the following actions can be taken, in any combination:
Automatically run diag.bat

Automatically stop/restart the service
Automatically perform a core dump
Guardium Agent Monitor is installed when S-TAP is installed but is not enabled by default. When S-TAP is uninstalled, GAM is uninstalled.
Note: Just like S-TAP, GAM requires administrative privileges. When installing, run with "Run as Administrator" as an administrative user.
The default install location for GAM is the parent folder of S-TAP (C:\Program Files\IBM\Guardium Agent Monitor\).
The default location for GAM output is the \Bin\ subfolder.
After enabling GAM, make sure the process is running on the database server (resmon.exe).
GAM Configuration
The Guardium Agent Monitor runs with its configuration file, resmon.ini, as its argument. The monitor is controlled by using the resmon.ini file. See sample resmon.
Note that the default values for all of the parameters are at the bottom in the sample ini.
Global Configuration
NUMBER_OF_SERVICES: Number of services being monitored
UPDATE_INTERVAL: The length of the interval between polling metrics, in seconds
DEBUG: 1 enables the GAM debug log, 0 disables the log
NUMBER_BYTES_IN_LOG: Maximum number of KB for the GAM log
CPU Threshold Configuration
CPU_LOAD_LIMIT: Percentage CPU threshold at which either action is taken, or UPDATE_INTERVAL starts counting occurrences of reaching threshold
CPU_INTERVALS_ALLOWED: Number of intervals the CPU can be above the threshold before triggering an action (used in conjunction with UPDATE_INTERVAL to
set a time limit)
UPDATE_INTERVAL: 0 = action is taken when CPU reaches its load limit. 1 = action is taken when CPU has reached its load limit the number of times specified by
CPU_INTERVALS_ALLOWED
CPUAVE: Defines the type of CPU average. 1 = usage averaged across all CPU cores (system average), 0 = percentage of the core used by the process.
Memory Usage, Handle Count and Thread Count Thresholds Configuration
For these metrics there are two thresholds, limit and peak limit. An action is triggered when a limit threshold is passed for more intervals than allowed, or when a
peak limit threshold is passed. Metrics refers to CPU, memory, and so on.
[METRIC]_LIMIT: Lower level threshold. An action is triggered if this limit is exceeded for more intervals than [METRIC]_INTERVALS_ALLOWED
[METRIC]_INTERVALS_ALLOWED: Number of intervals allowed for the lower limit threshold before an action is triggered (used with UPDATE_INTERVAL for time
limit)
[METRIC]_PEAK_LIMIT: Upper level threshold. An action is triggered if this threshold is exceeded once
Note: [METRIC]_INTERVALS_ALLOWED is used in conjunction with UPDATE_INTERVAL to set a time limit for the threshold. (for example, UPDATE_INTERVAL=1,
CPU_INTERVALS_ALLOWED=10, CPU_LOAD_LIMIT=10 means an action is triggered if the CPU load is over 10% for over 10 seconds).
Responsiveness
NAMEDPIPE_INTERVAL: The interval, in seconds, at which the S-TAP agent is pinged to verify responsiveness. Set to "0" to disable
Action Configuration
The actions that can be triggered are described under Core Dump Configuration and Diagnostic Configuration. The second and third actions are only initiated if they
are triggered within the ACTION_RESET_INTERVAL of the previous action. If the ACTION_RESET_INTERVAL time has elapsed with no new triggers, then the next
trigger starts a new cycle starts with the FIRST_ACTION.
FIRST_ACTION: 0 = no action. 1 = stop then restart the service. 2 = stop the service.
SECOND_ACTION: The action initiated the second time there is a trigger during the ACTION_RESET_INTERVAL. 0 = no action. 1 = stop then restart the service. 2 =
stop the service.
THIRD_ACTION: The action initiated the third time there is a trigger during the ACTION_RESET_INTERVAL. 0 = no action. 1 = stop then restart the service. 2 = stop
the service.
ACTION_RESET_INTERVALS: Number of seconds before resetting the actions.
Core Dump Configuration
A core dump can be taken every time an action is triggered.
ACTION: 1 = take a core dump whenever an action is triggered; 0 = no core dump is taken.
MAX_NUM_DUMP: The maximum number of core dumps to be stored in the dump directory (keeping the latest).
MDTIMEOUT: Core dump timeout time (in milliseconds)
Diagnostic Configuration

A diagnostic file can be run whenever an action is triggered. The diag.bet diagnostic script, found in the same folder as the service's executable path, runs with the
DIAG_PARAMETER parameters.
DIAGACTION: 1 = run the diagnostic script whenever an action is triggered; 0 = no diagnostic script is run.
DIAGNAME: Name of the diagnostic file to be run (must be in the same folder as the service executable)
DIAG_PARAMETER: Parameters to be used when running the diagnostic file
Example of resmon.ini
;Semi-colon at the beginning of the line indicates a comment

;
[Global]
NUMBER_OF_SERVICES=1
;
;Interval for checking thresholds (seconds)
UPDATE_INTERVAL=1
;
;Enables monitor log
DEBUG=1
;
;"0" means it won't take minidump for action. "1", it will take minidump
ACTION=1
;
;The maximum number of dump stores in dump directory
MAX_NUM_DUMP=3
;
;The average CPU time, "0" is percentage of one core, "1" is average percentage of all cores in system
CPUAVE=1
;
;miniDump timeout in milliseconds
MDTIMEOUT=1000
;Maximum number of BYTES for monitor log (in KB)
NUMBER_BYTES_IN_LOG=200
;
;Configuration for the service
[Service1]
Name=GUARDIUM_STAP
;
;Interval to check aliveness (supported agents only), set to "0" to disable
NAMEDPIPE_INTERVAL=30
;
;Run diagnostic on action, set to "1" to enable
DIAGACTION=0
;
;Diagnostic file name
DIAGNAME=diag.bat
;
;Diagnostic parameters. If the parameter has spaces it needs to be enclosed with quotes
DIAG_PARAMETER=
;
;Percentage of cpu limit
CPU_LOAD_LIMIT=10
;
;Maximum sequential intervals over CPU_LOAD_LIMIT allowed
CPU_INTERVALS_ALLOWED=10
;
;Memory limit (KB)
MEM_USAGE_LIMIT=150000
MEM_USAGE_PEAK_LIMIT=200000
MEM_USAGE_INTERVALS_ALLOWED=30
;
;Handle limit
HANDLE_COUNT_LIMIT=500
HANDLE_COUNT_PEAK_LIMIT=1000
HANDLE_COUNT_INTERVALS_ALLOWED=20
;
;Thread limit
THREAD_COUNT_LIMIT=200
THREAD_COUNT_PEAK_LIMIT=300
THREAD_COUNT_INTERVALS_ALLOWED=20
;
;'1' take action, then restart the service
;'2' take action, then stop the service without start
FIRST_ACTION=1
SECOND_ACTION=1
THIRD_ACTION=2
;
;Reset interval in seconds
ACTION_RESET_INTERVALS=60
Windows: Troubleshooting S-TAP problems

You can use the S-TAP Status monitor tab of the SystemÂ View to begin investigating any problems. Sometimes you might need to use other tools, particularly if you are
monitoring databases for which the inspection engines cannot be verified.
If an S-TAP is not connected to your Guardium system

Check whether the IBM Security Guardium S-TAP service is running on the database server:
Check the IBM Security Guardium S-TAP service and see that it's running.

How can I find the S-TAP version?
From the GUI, the S-TAPÂ® version number is displayed in Manage > System View > S-TAP Status Monitor
Alternatively, you can display the S-TAP version number from the command line of the database server.
Run debug from the command line to quickly identify configuration issues
Turn on debug from the GIM GUI or the command line. See debug levels in Windows: Debug parameters.
Verify the connection between the database server and the Guardium system
Verify that you can ping the Guardium system at sqlguard_ip from the database server.
If the ping is successful, verify that you can telnet to the following ports on the Guardium system: 16016/16018
If there is a firewall between the database server and the Guardium system
Verify that the following ports are open for traffic between these two systems: TCP Port 16016 or TLS Port 16018 for encrypted connections.
Note: Use the following command to check the port availability: nmap -p port guardium_hostname_or_ip
Verify that the sqlguard_ip parameter is set to the correct guardium_hostname_or_ip for the Guardium system that you are connecting to.
2. Locate the S-TAP Host for the IP address that corresponds to your database server.
3. Expand the Guardium Hosts subsection, and verify that the active Guardium Host is correctly configured.
4. If necessary, click Modify to update the Guardium Hosts.
Verify that the S-TAP process is not repeatedly restarting

On the database server, run the command ps -eaf | grep stap to verify that the process for S-TAP is not changing.
Verify that S-TAP Approval is not turned on
If S-TAP Approval is turned on, any new S-TAP that connects to the Guardium system is refused.
1. Click Manage > Activity Monitoring > S-TAP Certification to open S-TAP Certification.
2. Look at the S-TAP Approval Needed check box. If this box is checked, new S-TAPs can connect to this Guardium system only after they have been added to
the list of approved S-TAPs.
3. If S-TAP Approval is turned on, select Daily Monitor > Approved Tap Clients to view a list of approved S-TAPs. If the S-TAP that you are investigating is not on
this list, return to the S-TAP Certification pane, enter the IP address of the S-TAP in the Client Host field, and click Add.
S-TAP verification issues
communicated to the Guardium system. Your S-TAP could be configured in a way that prevents the inspection engine message from reaching the Guardium system
from which the request was made.
These configuration details include:
Load balancing: if the S-TAP is configured to return responses to more than one Guardium system, the error message could be sent to a different Guardium
system.
Failover: If secondary Guardium systems are configured for the S-TAP, the error message could be sent to a secondary Guardium system if the primary
Guardium system is too busy.
Db_ignore_response: if the S-TAP is configured to ignore all responses from the database, it does not send error messages to the Guardium system.
Client IP/mask: if any mask is defined that is not 0.0.0.0, it could prevent the error message from being sent.
Exclude IP/mask: if any mask is defined that is not 0.0.0.0, it could prevent the error message from being sent.
Related topics:

Linux and UNIX systems: S-TAP user's guide

Guardium S-TAP is a lightweight software agent installed on database servers and file servers. The information collected by the S-TAPs is the basis of all Guardium traffic
reports, alerts, visualizations, etc. This sections covers the S-TAP in Linux, Solaris, AIX and HP-UX servers.
For data activity monitoring, the S-TAP monitors activity between the client and the database and forwards that information to the Guardium collector. The database traffic
is logged into the collector based on criteria specified in the security policy. It is also possible to reduce the amount of traffic that is originally sent to the collector by
ignoring trusted connections or ignoring traffic from specific IPs.
For file activity monitoring, unlike data activity, the policy rules are pushed down to the file server and thus only data that is specified in the security policy is forwarded to
the collector.
S-TAP takes care of upgrading S-TAP kernel components at boot time --adjusting to kernel upgrades in Linux environments.
Linux and UNIX systems: S-TAP functionality

Familiarize yourself with these concepts before starting an S-TAP installation on a UNIX system.
Linux and UNIX systems: Installing S-TAP agents
Verify prerequisites, then install an S-TAP on Linux, Solaris, AIX and HP-UX servers using the Deploy Monitoring Agents tool, Guardium Installation Manager (GIM),
the RPM, or the shell installer.
Linux and UNIX systems: Uninstalling an S-TAP
Perform this procedure before installing a new version of S-TAPÂ® if you want to save the old configuration file.
Linux and UNIX systems: Upgrading S-TAP and K-TAP
Upgrade S-TAP to continue capturing data from pre-existing sessions, and maintain its configuration, without reboot. You can also upgrade K-TAP as part of the S-
TAP upgrade.
Linux and UNIX systems: Configuring S-TAP
Linux and UNIX systems: S-TAP operation and performance

Linux and UNIX systems: S-TAP functionality
Familiarize yourself with these concepts before starting an S-TAP installation on a UNIX system.
Linux and UNIX systems: S-TAP support matrix

Select your S-TAP setup depending on the data you want to monitor or block. Use this table to identify the monitoring mechanisms (Exit libraries, K-TAP, A-TAP) that
can perform the operations you require, per operating system and database.
Linux and UNIX systems: Linux, Solaris, AIX, and HP-UX S-TAP monitoring mechanisms
The Guardium UNIX S-TAP uses several different monitoring mechanisms to collect database traffic. During configuration, you can choose the method that best
meets your requirements. All mechanisms filter the traffic to reduce network overhead and increase performance.
Linux and UNIX systems: S-TAP to collector encryption
S-TAP agents can be configured to communicate with collectors over the network in an encrypted (TLS) manner.
Linux and UNIX systems: UID chains
UID chain is a mechanism that allows S-TAP (by way of K-TAP) to track the chain of users that occurred before a database connection. It is supported for Solaris
Zones, AIX WPAR, Solaris 8/9, Solaris 11 SPARC.
Linux and UNIX systems: Proxy firewall
Learn how to monitor traffic that originates from a proxy server.
Parent topic: Linux and UNIX systems: S-TAP user's guide

Select your S-TAP setup depending on the data you want to monitor or block. Use this table to identify the monitoring mechanisms (Exit libraries, K-TAP, A-TAP) that can
perform the operations you require, per operating system and database.
For example, you may want to track or perform one or more of the following:
local traffic only

local and network traffic
shared memory
encrypted data
monitor and block
monitor only
This table covers the most common platforms, database types, and protocols, supported by Guardium's monitoring mechanisms. The table presents general guidelines.
There may be other combinations that are not presented here that are supported. Some of the supported setups presented here may be dependent on specific
configurations. Contact Customer Support to verify the best setup for your specific needs. Empty cells indicate that the combination is not supported.
The exit libraries are preferred over all other monitoring mechanisms. If you cannot use an exit library, K-TAP is the next choice, then A-TAP, and finally PCAP.
OS Database Network Local traffic Encrypted Shared Kerberos Blocking Redaction UID Chain
traffic traffic Memory
AIX Oracle K-TAP K-TAP A-TAP (ASO, Â K-TAP K-TAP, A-TAP K-TAP K-TAP
SSL)
AIX Sybase ASE K-TAP K-TAP A-TAP (SSL) Â K-TAP K-TAP, A-TAP K-TAP K-TAP, A-TAP
(A-TAP only
when
configured for
real IPs)
AIX Sybase IQ K-TAP K-TAP A-TAP A-TAP (Sybase Â K-TAP, A-TAP K-TAP K-TAP
(decrypts login 16.1 does not
packets only, support DB
no TLS username)
support)
AIX DB2 DB2 Exit, K- DB2 Exit, K- DB2 Exit DB2 Exit, K- K-TAP DB2 Exit, K- K-TAP DB2 Exit, K-
TAP TAP TAP TAP TAP
AIX Informix Informix Exit, Informix Exit, Informix Exit Informix Exit, Â Informix Exit, Informix Exit, Informix Exit,
K-TAP K-TAP K-TAP K-TAP K-TAP K-TAP
HP-UX Oracle K-TAP K-TAP A-TAP (ASO, Â K-TAP K-TAP, A-TAP K-TAP K-TAP
SSL)
HP-UX Sybase ASE K-TAP K-TAP A-TAP (Sybase Â Â K-TAP, A-TAP K-TAP K-TAP, A-TAP
15 only) (A-TAP only
when
configured for
real IPs)
HP-UX Sybase IQ K-TAP K-TAP Â Â Â K-TAP K-TAP K-TAP
HP-UX DB2 DB2 Exit, K- DB2 Exit, K- DB2 Exit DB2 Exit, K- K-TAP DB2 Exit, K- K-TAP DB2 Exit, K-
TAP TAP TAP TAP TAP
HP-UX Informix Informix Exit, Informix Exit, Informix Exit Informix Exit, Â Informix Exit, Informix Exit, Informix Exit,

Linux DB2 DB2 Exit, K- Â DB2 Exit DB2 Exit, A- K-TAP DB2 Exit, K- K-TAP DB2 Exit, K-
TAP TAP TAP, A-TAP (A- TAP
TAP with Linux
2.6.36 and
higher only)
Linux Informix Informix Exit, Informix Exit, Informix Exit Informix Exit, Â Informix Exit, Informix Exit, Informix Exit,
K-TAP K-TAP A-TAP K-TAP, A-TAP K-TAP K-TAP
(A-TAP with
Linux 2.6.36
and higher
only)
Linux Oracle K-TAP K-TAP A-TAP (ASO, Â K-TAP K-TAP, A-TAP K-TAP K-TAP
SSL) (A-TAP with
Linux 2.6.36
and higher
only)
Linux Postgres K-TAP K-TAP A-TAP Â Â K-TAP, A-TAP K-TAP K-TAP, A-TAP
(A-TAP with (A-TAP only
Linux 2.6.36 when
and higher configured for
only) real IPs)
Linux Sybase IQ K-TAP Â A-TAP (x86_64 A-TAP (Sybase Â K-TAP, A-TAP K-TAP K-TAP, A-TAP
only) 16.1 does not (A-TAP with (A-TAP only
support DB Linux 2.6.36 when
username) and higher configured for
only) real IPs)
Linux Sybase ASE K-TAP K-TAP A-TAP Â Â K-TAP, A-TAP K-TAP K-TAP, A-TAP
Linux 2.6.36 when
only) real IPs)
Linux MongoDB K-TAP K-TAP A-TAP Â Â K-TAP, A-TAP K-TAP K-TAP, A-TAP
Linux 2.6.36 when
only) real IPs)
Linux Teradata Teradata Exit, Â Teradata Exit, Â Â Teradata Exit, K-TAP K-TAP, A-TAP
K-TAP A-TAP K-TAP, A-TAP (A-TAP only
(ATAP with when
Linux 2.6.36 configured for
and higher real IPs)
only)
Linux Netezza K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux Cassandra K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux SAP HANA K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux MySQL K-TAP K-TAP Â Â Â K-TAP K-TAP K-TAP
Linux MemSQL K-TAP K-TAP K-TAP Â Â K-TAP K-TAP K-TAP
Linux Vertica K-TAP K-TAP Â Â Â K-TAP K-TAP K-TAP
Linux Hadoop K-TAP, Cloudera Â Â Hortonworks Â K-TAP

(Cloudera / Cloudera Navigator, and Apache
Hortonworks) Navigator, Hortonworks Ranger
Hortonworks and Apache
and Apache Ranger
Ranger
Linux Greenplum K-TAP K-TAP A-TAP Â Â K-TAP, A-TAP K-TAP K-TAP

(Linux 2.6.36
and higher
only)
Linux MariaDB K-TAP K-TAP Â Â Â K-TAP K-TAP K-TAP
Linux Aster K-TAP K-TAP Â Â Â K-TAP K-TAP K-TAP
Linux Couch K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux Hive K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux Accumulo K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux Impala K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux Hue K-TAP K-TAP Â Â Â K-TAP K-TAP K-TAP

Linux WebHDFS K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Linux Solar K-TAP Â Â Â Â K-TAP K-TAP K-TAP
Solaris Oracle K-TAP K-TAP A-TAP (ASO, Â K-TAP K-TAP, A-TAP K-TAP K-TAP
SSL)
Solaris Sybase ASE K-TAP K-TAP A-TAP (Sparc Â K-TAP K-TAP, A-TAP K-TAP K-TAP, A-TAP
only) (A-TAP only
when
configured for
real IPs)
Solaris Postgres K-TAP K-TAP A-TAP (9.3 and Â Â K-TAP, A-TAP K-TAP K-TAP, A-TAP
higher) (A-TAP only
when
configured for
real IPs)
Solaris Sybase IQ K-TAP K-TAP Â Â Â K-TAP K-TAP K-TAP
Solaris DB2 DB2 Exit, K- DB2 Exit, K- DB2 Exit DB2 Exit, K- K-TAP DB2 Exit, K- K-TAP DB2 Exit, K-
TAP TAP TAP TAP TAP
Solaris Informix Informix Exit, Informix Exit, Informix Exit Informix Exit, Â Informix Exit, Informix Exit, Informix Exit,
Parent topic: Linux and UNIX systems: S-TAP functionality
The Guardium UNIX S-TAP uses several different monitoring mechanisms to collect database traffic. During configuration, you can choose the method that best meets
your requirements. All mechanisms filter the traffic to reduce network overhead and increase performance.
You choose the mechanism during installation. All mechanisms filter the traffic so that only database-related traffic for specific sets of client and server IP addresses is
collected. The mechanisms are presented here in order of preference: exit libraries, K-TAP, A-TAP, PCAP. See Linux and UNIX systems: S-TAP support matrix and choose
the mechanism that meets your needs.
Exit libraries
The exit libraries are the preferred monitoring mechanism. They give the best performance, and can handle both local and network traffic, whether encrypted or
not. They always capture DB_USER. The only disadvantage is that exit libraries are only available on some databases.
They require configuration on the database, and if you upgrade the S-TAP version, then the exit library also requires an update.
Exit libraries are supported only for DB2, Informix, and Teradata.
K-TAP
K-TAP is a kernel module that is installed into the operating system. It supports all protocols and connection methods (for example, TCP, TLI, SHM, Named Pipes).
When enabled, it observes access to a database server by hooking into the mechanisms that are used to communicate between the database client and server.
Use DB2 and Informix exit libraries with K-TAP to capture shared memory traffic on DB2 and Informix servers. This method is preferable to using A-TAP.
With Linux, the kernel frequently updates, and there are many kernel versions. The K-TAP version depends on the Linux version. See Linux and UNIX systems:
Building a K-TAP.
K-TAP is installed during S-TAP installation. If K-TAP fails to install, PCAP is installed instead. After it is installed, it can be enabled or disabled with a configuration
file setting. If you do not load K-TAP during the S-TAP installation, and decide later that you want to use it, you need to reconfigure and restart the S-TAP.
A-TAP
The A-TAP (application-level tap) sits in the application layer to support monitoring of encrypted database traffic, which cannot be done in the kernel by K-TAP. A-
TAP monitors communication between internal components of the database server. It picks up unencrypted data in the application layer, and sends it to the K-TAP.
K-TAP is a proxy to pass data to S-TAP, which then sends it to the Guardium collector.
With A-TAP, instead of capturing data from the kernel, where the data is still encrypted, Guardium captures data by loading a TAP library before executing the
original database binary. The A-TAP libraries are a no-op (no interface). The libraries tap the database in application-mode, after the data is decrypted or before it is
encrypted by the database. Hence there are no changes made to how the database would normally operate other than the encrypted traffic is now being captured
by Guardium. This means that you do not need to update scripts and tools to call the Guardium code before executing the Oracle code.
A-TAP is included in every S-TAP but must be configured separately for each database instance to be monitored. See Linux and UNIX systems: A-TAP management.
Restrictions:
A-TAP is not supported in an environment where a 32-bit database is located on a 64-bit server.
Monitoring: When using A-TAP, redaction is not supported. Blocking is supported for Linux kernels at 2.6.36 or later releases.
When to use A-TAP?
A-TAP is required when DBMS encryption in motion is used, but there may be other internal database implementation details such as shared memory that require
it.
Informix and DB2 on Linux integrate with Guardium more closely using an exit and thus are the recommended method for shared memory support when applicable.
PCAP
PCAP is a packet-capturing mechanism that listens to network traffic from and to a database server. In a UNIX environment, since the K-TAP captures all network
traffic, PCAP is rarely used. PCAP is used to capture local TCP/IP traffic on the device.
Restriction:

PCAP only works on ports (no shared memory, and so on).
Tip: The PCAP uses the client IP/mask values for all local inspection engines to determine what to monitor and report. A PCAP that is installed with an S-TAP with
multiple inspection engines that have different client IP/mask values, captures traffic from all clients that are defined in all inspection engines. The PCAP might be
processing and sending more information to the Guardium system than you intend.

S-TAP agents can be configured to communicate with collectors over the network in an encrypted (TLS) manner.
Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible, only in cases where the performance is a higher priority than
security should this be disabled. There is a small impact on performance when enabling encryption. The default S-TAP configuration is no encryption, to avoid any
performance impact.
Before you determine the best choice for your environment, consider the following factors:
Configuring the S-TAP with TLS requires extra time for encryption that might affect performance on the database server where the S-TAP agent is installed. The
appliance (collector) also requires time to decrypt this traffic.
If applications and database users are communicating with the database in an unencrypted manner, configuring the S-TAP agent to communicate over the network
with encryption may not make your network safer.
In general, it makes sense to encrypt S-TAP traffic if the data that is sent to an appliance on a different network is encrypted, or if the database traffic that is monitored is
network encrypted.
Encryption is enabled during the inspection engine configuration, and can be modified at any time.
Linux and UNIX systems: UID chains

UID chain is a mechanism that allows S-TAP (by way of K-TAP) to track the chain of users that occurred before a database connection. It is supported for Solaris Zones,
AIX WPAR, Solaris 8/9, Solaris 11 SPARC.
A user can change user names several times before connecting to the database; for example, by running ssh informix@barbet, su - db2inst1, su -, su - oracle9, and then
running sqlplus scott/tiger@onora1. With UID Chains, Guardium can trace this process back to the process that called it, and back to the original (offending) user.
For Solaris Zones, user IDs may be reported instead of user names.
The SSH client's IP address and port are added to the UID chain.
Postgres on Solaris 11 with zones is not supported, due to zone configuration not allowing access from master to slave zones in some directories.
Solaris Zones and AIXÂ® WPAR: set the db2bp_path in the guard_tap.ini file to the full path of the db2bp executable file, the full path of the relevant db2bp as seen
from the global zone/wpar.
No UID Chains for Inter-process Communication (IPC) on Solaris 8/9.
UID chains are not detected for Hadoop databases.
The hunter_trace parameter is required for TCP/IP connections on UNIX S-TAPÂ®. Set hunter_trace = 1 during installation to enable uid_chain for local TCP/IP
connections.
If the process that starts the session exits before STAP can examine it, UID chain does not work
UID chain does not support local TCP on Linux for DB2. In addition, DB2 exit requires a specific version of the database to support UID chains.
When running as a non-root user, UID chain does not work for DB2 Shared Memory (SHM) with S-TAP.
Guardium does not log UID chain for network traffic.
Guardium might not log UID chain for very short sessions since Guardium relies on the process ID of the application to determine the UID chain. If the process that
starts the session exits before STAP can examine it, UID chain does not work.
Restriction: UID chain is not supported in any scenario that requires A-TAP for intercepting the traffic, including:
ATAP intercepting Oracle ASO encrypted traffic

ATAP intercepting Sybase encrypted traffic
ATAP intercepting Teradata encrypted traffic
DB2 or Informix Shared memory traffic on Linux (requires ATAP)
Purging of UID Chain Records
UID Chain Records older than 2 hours are purged when the regular inference process runs. Records older than 1 day are purged on a nightly basis.
Linux and UNIX systems: Proxy firewall

Learn how to monitor traffic that originates from a proxy server.
While S-TAP is normally deployed on a database server, a K-TAP based firewall can be deployed to a proxy server. By utilizing S-GATE, you can monitor traffic that
originates from the proxy server. See Linux and UNIX systems: Application server parameters and S-GATE Actions (Blocking Actions) in the Policies help topic for more
information on setting appserver parameters and using S-GATE within Policies.
Linux and UNIX systems: Installing S-TAP agents

Verify prerequisites, then install an S-TAP on Linux, Solaris, AIX and HP-UX servers using the Deploy Monitoring Agents tool, Guardium Installation Manager (GIM), the
RPM, or the shell installer.

Depending on your license key, you can use the same S-TAP agent for both file server and database activity monitoring. FAM does not require any specific S-TAP
configuration.
S-TAP Linux, Solaris, AIX and HP-UX installation flow
This flow describes installing S-TAP on a single database reporting to one collector. See the related topics for additional information on S-TAP in clusters and zones.
1. Plan the installation, review these topics:

Enterprise Load Balancing
2. Verify prerequisites.
Linux and UNIX systems: Database version and directory requirements
The database has sufficient disk space available (Linux and UNIX systems: Disk space requirements for S-TAP).
The ports that are required for communication between the collector and the S-TAP are open (Linux and UNIX systems: Port requirements for S-TAP).
Identify required IP addresses and check database connectivity (Linux and UNIX systems: System details and checks).
If you are installing with GIM, the GIM client must be installed on the target database server. See Installing the GIM client on a UNIX server.
3. Install S-TAP by one of
Linux and UNIX systems: Installing S-TAP agent with GIM (v10.1-10.1.3)
Linux and UNIX systems: Installing the S-TAP client with GIM (v10.1.4)
Linux and UNIX systems: Installing and updating S-TAP using RPM
Linux and UNIX systems: Installing the S-TAP client using the shell installer
During S-TAP installation, if auto-discovery is enabled, it auto-discovers databases and creates inspection engines for the discovered databases. The auto-
discovery process runs once at the time of S-TAP installation and does not automatically repeat. You can modify the configuration after the installation is complete.
4. Configure any of the optional components if required by your system.
Linux and UNIX systems: Kerberos-authenticated database traffic

Linux and UNIX systems: Solaris Zones S-TAP configuration
Linux and UNIX systems: Oracle RAC S-TAP configuration
5. Reboot or restart if required (Linux and UNIX systems: When to restart or reboot after S-TAP install or upgrade).
6. Complete the S-TAP configuration.
Linux and UNIX systems: Configure S-TAP from the GUI
Advanced users only: Linux and UNIX systems: Editing the S-TAP configuration parameters
7. If required, configure Enterprise Load Balancing.
Linux and UNIX systems: S-TAP installation prerequisites

Linux and UNIX systems: Install the S-TAP agent
Install an S-TAP client on a Linux, Solaris, AIX, and HP-UX server by using one of: Guardium Installation Manager (GIM), the GIM Deploy Monitoring Agents tool, the
RPM, the shell installer, or a native installer, as best suits your needs.
Linux and UNIX systems: Special environments configuration
Use these procedures for as relevant for systems with Zones, RAC, WPAR, clusters.
Linux and UNIX systems: S-TAP installation prerequisites

Review these database releases, patch level components, and directories, before you install an S-TAP or any associated agent.
Linux and UNIX systems: Disk space requirements for S-TAP
Review these disk space requirements before you install an S-TAP or any associated agent.
Linux and UNIX systems: Port requirements for S-TAP
If a firewall is located between the Guardium system and an S-TAP agent, verify that the ports that are used for connections between those components are open.
Linux and UNIX systems: System details and checks
Verify you have these system details, and that your database is communicating with the Guardium System.
Parent topic: Linux and UNIX systems: Installing S-TAP agents

Review these database releases, patch level components, and directories, before you install an S-TAP or any associated agent.
Table 1. Linux, Solaris, AIX and HP-UX database versions requirements

DB Type Version
Linux make version 3.81 or later. To view your version of the make utility, run the command: make -v
Oracle ASO, HP-UX 11.11 LD_PRELOAD must be installed. It is installed by patch PHSS_28436 or later.
TLS For S-TAPÂ® on a server, either /dev/random or /dev/urandom must be present on the server. See the TLS port requirements in Linux
and UNIX systems: Port requirements for S-TAP.
Note: A root user that installs GIM or S-TAP needs permissions to create and delete users and groups.
Table 2. Required directories per platform
Requirement Type Linux Solaris AIX HP-UX
Installation folder does not exist /usr/local/guardium/guard_stap /usr/local/guardium/guard_stap /usr/local/guardium/guard_stap /usr/local/guardium/guard_stap

or is empty
File exists /bin/sh /bin/sh /bin/sh /bin/sh

Requirement Type Linux Solaris AIX HP-UX
File exists /bin/sed or /bin/sed or /bin/sed or /bin/sed or

/usr/bin/sed /usr/bin/sed /usr/bin/sed /usr/bin/sed
File exists tar, awk, grep, tr tar, awk, grep, tr tar, awk, grep, tr tar, awk, grep, tr
File exists dd dd dd prealloc

and and and
/dev/zero /dev/zero /dev/zero
File exists uudecode in uudecode in uudecode in uudecode in

/usr/bin or /usr/bin or /usr/bin or /usr/bin or
/tmp or perl exists /tmp or perl exists /tmp or perl exists /tmp or perl exists
Parent topic: Linux and UNIX systems: S-TAP installation prerequisites
Linux and UNIX systems: Disk space requirements for S-TAP

Review these disk space requirements before you install an S-TAP or any associated agent.
Table 1. Linux, Solaris, AIX and HP-UX: S-TAP Disk Space Requirements
S-TAPÂ® Program files GIM Install: AIX: 400 MB; HP-UX: 500 MB; Linux: 450 MB; Solaris: 400 MB
non-GIM Install: AIX: 300 MB; HP-UX: 400 MB; Linux: 350 MB; Solaris: 300 MB
FAM program files: 600 MB minimum
Buffer file By default, the S-TAP uses anonymous memory to stage data for transmission to the Guardium system. If you
configure the S-TAP to use a buffer file, the size defaults to 50 MB. The size is controlled by the buffer_file_size
parameter in the guard_tap.ini file.
Linux and UNIX systems: Port requirements for S-TAP

If a firewall is located between the Guardium system and an S-TAP agent, verify that the ports that are used for connections between those components are open.
Use your firewall management utility to check, and open as relevant, the ports listed.
Table 1. Port Requirements for Linux, Solaris, AIX

and HP-UX servers
Port Protocol ...
16016 TCP Clear S-TAP
16018 TLS Encrypted S-TAP
16020 TCP Regular pooled connections
16021 TLS TLS pooled connections
16022 TCP Feed protocol
16023 TLS Encrypted S-TAP TLS

Linux and UNIX systems: System details and checks

Verify you have these system details, and that your database is communicating with the Guardium System.
Obtain the IP address of the database server on which you are installing S-TAP. If virtual IPs are used, note those as well (you will need to configure those later,
when completing the configuration).
If installing on the central manager, identify the IP address of the collector that will control this S-TAP, and to which this S-TAP will report.
Verify connectivity between the database server and the collector. On the database, enter nmap -p <port> <ip_address>. For example, to check that port 16018
(the port GuardiumÂ® uses for TLS) is reachable at IP address 192.168.3.104, enter the command
nmap -p 16018 192.168.3.104
Typical output looks like:
Starting nmap V. 3.00 Interesting ports on g4.guardium.com (192.168.3.104): Port State Service 16018/tcp open unknown
Linux and UNIX systems: Install the S-TAP agent

Install an S-TAP client on a Linux, Solaris, AIX, and HP-UX server by using one of: Guardium Installation Manager (GIM), the GIM Deploy Monitoring Agents tool, the RPM,
the shell installer, or a native installer, as best suits your needs.
In v10.1.4 and higher, use the GIM deploy monitoring agents tool to automatically activate GIM clients, install S-TAP, and begin monitoring database traffic. See Quick
start for deploying monitoring agents.
When you install an S-TAP client, the installation program checks whether the guardium group exists. If the group does not exist, the installation program creates it. If you
use certain components or features, such as A-TAP or DB2 Exit, you must add users to this group to ensure proper functioning. These requirements are described in the

relevant sections.
The installation process creates log files for the whole STAP package (S-TAP, K-TAP, A-TAP, Tee, P-CAP, Discovery). The log files are good for troubleshooting failed
installations. Locations include /var/tmp, /tmp, and /var/log.
The installation process updates inittab, upstart, and rc scripts.
S-TAP installs into /usr/local/guardium
In rare cases you will need to run the S-TAP as guardium (and not root). This can cause other issues and should only be used when necessary. Running S-TAP as the
Guardium user can cause some database or protocol to stop working because of permission levels. Verify that the database path or exec file has permission that allows
the user Guardium to read. Depending on your environment, typical limitations are:
Discovery has limited functionality

wait_for_db_exec might not work. So for cluster, check the database path or exec file for permission that allow for Guardium user to read.
Database on AIXÂ® WPAR and Solaris Zones may not work, check the permission to access the install path or exec file
For Oracle BEQ, restart S-TAP after starting or restarting the database.
For InformixÂ® shared memory, restart S-TAP after starting or restarting the database.
For DB2 shared memory,
When ktap_fast_shmem is set to 0, if shmctl failed because of permission issue, then in most cases S-TAP should be changed to run as root.
When ktap_fast_shmem is set to 1, if shared memory segment has read permission by group, then make sure the DB2 instance has been added to user
(Guardium) group. But still on each server, only one set of configuration of DB2Â® can be supported
If shared memory segment has read permission by DB2 user only, then S-TAP has to run as root. (Open a DB2 shared memory session, run the command
ipcs -ma, check MODE on the output.)
Use the Guardium Installation Manager to install the S-TAP agent either from a stand-alone Guardium appliance, or from the Central manager to schedule
installation on one or more databases.
Linux and UNIX systems: S-TAP GIM installation parameters
You can install, uninstall, and update S-TAP on a Linux server using the RPM. The advantage of installing by RPM is that you install and maintain STAP using the
same method that you manage all other software on the database server.
Use the shell installer, either in interactive mode or non-interactive mode, to install the S-TAP client on Linux, Solaris, HPUX, and AIX database servers.
Linux and UNIX systems: S-TAP install script parameters
Understand the script parameters for installing S-TAPs.
Linux and UNIX systems: Install and uninstall S-TAP with native installers
The native installer provides a shell for the shell installer. The only advantage is that it ensures that S-TAP is registered in the operating system asset repository.
This registration is not required by Guardium for the installation of the S-TAP, but it might be a requirement at your company. Use the native installer only when
necessary.
Linux and UNIX systems: When to restart or reboot after S-TAP install or upgrade
This topic details the situations, after S-TAP installation, of when to restart and when to reboot the database server or database instance. Restart/reboot
requirements are the same for GIM and non-GIM implementations.
Linux and UNIX systems: Work with K-TAP
Learn about K-TAP.
Use the Guardium Installation Manager to install the S-TAP agent either from a stand-alone Guardium appliance, or from the Central manager to schedule installation on
one or more databases.
Before you begin

Verify all Linux and UNIX systems: S-TAP installation prerequisites.
Obtain the correct S-TAP installer script, from either Fix Central, or your Guardium representative. The script name identifies the database server operating system.
About this task

After the installation, you can manage all parameters and monitor processes that were installed under its control. If you install by using one of the other installation
methods, fewer agent parameters can be modified using GIM.
Procedure
1. Verify that the GIM client is installed on the database server. See Installing the GIM client on a UNIX server.
2. Upload the relevant S-TAP module to the Guardium Installation Manager appliance.
a. Go to Manage > Module Installation > Upload Modules.
b. Click Choose File and select the S-TAP module that you want to install.
c. Click Upload to upload the module to the appliance. The module appears in the Import Uploaded Modules table.
d. In the Import Uploaded Modules table, click the check box next to the S-TAP module you want to install. The module imports and becomes available for
installation. The Upload Modules page resets and the Import Uploaded Modules table is now empty.
3. Follow the GIM instructions in Set up by Client and Linux and UNIX systems: S-TAP GIM installation parameters. These parameters are mandatory:
STAP_TAP_IP: the IP address or FQDN of the database server or node on which the STAP is being installed (equivalent to the -taphost command line
parameter). If not specified, the GIM_CLIENT_IP value is used.

STAP_SQLGUARD_IP: the IP address or FQDN of the primary collector with which this STAP communicates (equivalent to the -appliance command line
parameter). If not specified, then, the GIM_URL value is used.
Attention: See the enterprise load balancing parameters in Linux and UNIX systems: S-TAP GIM installation parameters.
What to do next
Verify S-TAP status:
Monitor installation of the Guardium clients by navigating to Manage > Module Installation > Set up by Client (v10.1.4: Legacy). Click Search, then click the next
to the S-TAP.
View the module status in the report at Manage > Reports > Install Management > GIM Clients Status
Verify that the row of the S-TAP has a green status (first column) in Monitor > Maintenance > S-TAP Logs > S-TAP Staus
Parent topic: Linux and UNIX systems: Install the S-TAP agent
Related concepts:
Before you begin

About this task

After the installation, you can manage all parameters and monitor processes that were installed under its control. If you install by using one of the other installation
methods, fewer agent parameters can be modified using GIM.
Procedure
1. Verify that the GIM client is installed on the database server. See Installing the GIM client on a UNIX server.
2. Upload the relevant S-TAP module to the Guardium Installation Manager appliance.
3. Select client systems where you want to install an S-TAP.
a. Navigate to Manage > Module Installation > Setup by Client.
b. On the Client Search Criteria screen, specify search criteria for the clients where you want to install the S-TAP, then click Search to continue. Search for
clients using any combination of the following search criteria:
Select a client group.
Search by client hostname, IP address, or operating system.
Leave all search criteria fields empty to return a list of all available clients.
c. On the Clients screen, click the check box next to the clients where you want to install the S-TAP, then click Next to continue.
4. Select and configure the S-TAP module before installing to client systems.
a. From the Modules table on the Common Modules screen, select the S-TAP module for installation, then click Next to continue.
Use the Display Latest Versions and Display Bundles Only check boxes to filter the list of available modules.
Use the Module Status table to review information about the selected module on the target clients.
b. From the Client Module Parameters screen, specify installation parameters for the S-TAP. These parameters are mandatory:
STAP_TAP_IP: the IP address or FQDN of the database server or node on which the STAP is being installed (equivalent to the -taphost command line
parameter). If not specified, the GIM_CLIENT_IP value is used.
STAP_SQLGUARD_IP: the IP address or FQDN of the primary collector with which this STAP communicates (equivalent to the -appliance command line
Attention: See the enterprise load balancing parameters in Linux and UNIX systems: S-TAP GIM installation parameters.
To apply the same parameters to multiple clients, specify installation parameters in the Common Module Parameters fields, click the check box next
to clients listed in the Client Module Parameters tables, and then click Apply to Selected.
To apply unique parameters to individual clients, specify installation parameters directly in the Client Module Parameters table.
c. Once you have specified installation parameters for the S-TAP, apply those parameters to the selected clients by clicking Apply to Client.
5. Install the S-TAP to the selected clients.
a. From the Client Module Parameters screen, click Install/Update.
b. On the Schedule Date dialog, provide a date or time to begin the installation, then click Apply. To begin the installation immediately, use a value of now in the
Schedule Date field.
What to do next
Monitor installation of the Guardium clients by navigating to Manage > Module Installation > Set up by Client . Click Search, then click the next to the S-TAP.
View the module status in the report at Manage > Reports > Install Management > GIM Clients Status
Related concepts:

Linux and UNIX systems: S-TAP GIM installation parameters

All parameters are listed in Linux and UNIX systems: Editing the S-TAP configuration parameters.
CAUTION:
STAP_TAP_IP The IP address or FQDN of the database server or node on which the STAP is being installed (equivalent to the -taphost command
line parameter). If not specified, the GIM_CLIENT_IP value is used.
STAP_SQLGUARD_IP The IP address or FQDN of the primary collector with which this STAP communicates (equivalent to the -appliance command line
STAP_ADDITIONAL_SQLGUARD_IP List of space delimited additional SQLGUARD IP addresses.

S
STAP_ENABLED Enables STAP when installation is complete. Default=1 (yes)
KTAP_ENABLED Controls the Kernel TAP module. Default=1 (yes)
KTAP_ALLOW_MODULE_COMBOS For Linux only. If the bundle does not have an exact kernel match, it installs the best match. If the K-TAP cannot be installed or
does not start, a query is presented to the user whether to continue installation. Default=N
KTAP_LIVE_UPDATE Enables the KTAP update without requiring a server reboot. Default=Y
STAP_LOAD_BALANCER_IP Required if you are configuring load balancing. If blank, enterprise load balancing is disabled.
This option specifies the IP address of the central manager or managed unit this S-TAP should use for load balancing.
If configuring the enterprise load balancer to run on a managed unit, the S-TAP must be at V10.1 or higher.
STAP_INITIAL_BALANCER_TAP_GR Optional. The application group name that this S-TAP belongs to for enterprise load balancing.
OUP Attention: Group names with spaces or special characters are not supported.
STAP_INITIAL_BALANCER_MU_GR Optional. The MU group name the app-group will be associated with. Requires a defined LB-APP-GROUP. An MU group must
OUP already exist on the Central Manager before it can be used during installation of S-TAP
STAP_LOAD_BALANCER_NUM_MUS The number of managed units the enterprise load balancer allocates for this S-TAP.
You can install, uninstall, and update S-TAP on a Linux server using the RPM. The advantage of installing by RPM is that you install and maintain STAP using the same
method that you manage all other software on the database server.
Before you begin

About this task

RPM names have the format: guard-stap-10.1.0.89165-1-rhel-6-linux-x86_64.x86_64.rpm, where the first three numbers are the release number of STAP
(10.0.0, 10.1.2, etc) and the fourth number is the code revision (89165). The number immediately following is the package iteration which would increment in the case of
adding KTAP modules to the RPM.
There is a single RPM for the 32-bit S-TAPs and two RPMs for the 64-bit S-TAPs so that the 64-bit S-TAP does not have a dependency on 32-bit libraries if 32-bit exit
libraries are not required. The extra RPM looks like guard-stap-32bit-exit-libs-10.1.0.89165-1-rhel-6-linux-x86_64.x86_64.rpm and has a dependency on the main RPM.
By default, the installation process checks the Linux kernel to determine whether a K-TAP module has been created to work with that kernel. If it exists, it installs (sets
ktap_installed = 1). If there is none, K-TAP does not install unless you have enabled Loader Flexibility, which aids in the installation of currently built modules when an
exact match does not exist. When Loader Flexibility is enabled, it attempts to build a K-TAP to match your Linux kernel.
v10.12 and higher: RPM installs S-TAP to /opt/guardium; this location cannot be changed. tap_ip is set automatically to the hostname of the system. sqlguard_ip is set to
127.0.0.1 as a placeholder for proper configuration. Complete the configuration after the installation, as described in this procedure.
v10.12 and higher: RPM logs are saved to /opt/guardium/rpm_logs
v10.12 and higher: You can run the guard-config-update script as root user or a non-root user. Use the help command to see your permitted functions.
Procedure
1. Unzip the S-TAP package and copy the RPM to /tmp of the database server.
2. v10.12 and higher: To enable Loader Flexibility, set the Linux environment variable NI_ALLOW_MODULE_COMBOS="Y"
3. Install the RPM.

a. To get the RPM name, run: rpm -qa | grep guard_stap
b. Run the command: rpm -i <RPM_NAME>.
The S-TAP installs.
c. v10.1.2 and higher: Complete the configuration by running the script guard-config-update using the parameters described in 4.
d. v10.1: Complete the configuration by updating S-TAP parameters in the UI. See Linux and UNIX systems: Configure S-TAP from the GUI.
The S-TAP shell installer does not install if there is already an RPM installed (preventing double installation).
4. v10.1.2 and higher: To configure or update: log in to the system as root, change directory to /opt/guardium and run the script guard-config-update using the
relevant options and actions from the following list:
[--stap-dir] S-TAP install directory if not default (default:/usr/local/guardium)
[--set-tap-ip [IP or hostname]] Set tap_ip in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini (default:
rh5u9x64t.guard.swg.usma.ibm.com)
[--set-sqlguard-ip [IP or hostname]] Set sqlguard_ip in SQLGuard_0 section in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini (default:
127.0.0.1)
[--add-sqlguard [ID] [IP or hostname]] Add SQLGuard_ID section to S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini
(V10.1.4 and higher)
[--remove-sqlguard [ID]] Remove SQLGuard_ID section from S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini
[--modify-sqlguard [ID] [parameter] Set SQLGuard_ID section parameter to value in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini.
[value]] Parameters:
sqlguard_ip
IP address or hostname of SQLGuard unit
sqlguard_port
Port used to connect to SQLGuard unit (default: 16016)
primary
Order of preference (1=primary, 2=secondary, 3=tertiary and so on)
num_main_thread
Number of main connections to use for this SQLGuard, used with participate_in_load_balancing = { 1, 4 } (default:
1)
connection_pool_size
Number of data connections per main connection to SQLGuard unit (default: 0)
[--modify-tap [parameter] [value]] Set TAP section parameter to value in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. Parameters:
tap_debug_output_level
Set debugging level (must be an integer >= 0, but not 2 or 3)
participate_in_load_balancing
Set participate in load balancing (values: 1, 2, 3, 4). (See Linux and UNIX systems: S-TAP Load Balancing models
and configuration guidelines)
use_tls
Enable TLS [ 0, 1 ]
failover_tls
TLS connections failover to non-TLS [ 0, 1 ]
hunter_trace
Enable UID chain reporting [ 0, 1 ]
buffer_file_size
Buffer file size in MB
alternate_ips
Comma-separated list of alternate IPs/hostnames for STAP
firewall_installed
Enable firewall [ 0, 1 ]
firewall_fail_close
Action to take when there is no verdict (e.g. SQLGuard unreachable or timeout reached) [ 0 : do nothing, 1 : block
connection ]
firewall_default_state
Set default state [ 0 : not watched, 1 : watched ]
firewall_timeout
Set firewall timeout in seconds
firewall_force_watch
Comma-separated list of IP/masks to watch even with firewall_default_state=0
firewall_force_unwatch
Comma-separated list of IP/masks to unwatch even with firewall_default_state=1
[--help-config [option]] Show information about an option in the ini, if available (show all available if none specified)

[--set-flexload [0 or 1]] Enable or disable K-TAP flex loading
[--retry-ktap-load] Retry KTAP loading (useful after installing dev packages, updating after KTAP request, or changing flexload; automatically
restarts S-TAP)
[--discover-ies] Run discovery and replace all Inspection Engines with those discovered
[--stop [service]] Stop service ( S-TAP, tee, or monitor) temporarily (Solaris services and inittab treat this as permanent disable, does not
auto-start on boot until re-enabled)
[--start [service]] Start service ( S-TAP, tee, or monitor) if not already running (implies enable)
[--restart [service]] Restart service (stap, tee, or monitor) if already running
[--disable [service]] Prevent service (stap, tee, or monitor) from running again
[--enable [service]] Configure service (stap, tee, or monitor) for automatic start
[--status] Show which services are started and if they are configured to start automatically
5. To upgrade, copy the RPM package to /opt/guardium and run the command: rpm -U <RPM_NAME>
6. To uninstall:
a. To get the RPM name, run: rpm -qa | grep guard_stap
b. Run rpm -e <RPM_NAME>
After un-install, the directory /opt/guardium still exists, but should only contain /opt/guardium/guard_stap/guard_tap.ini.rpmsave and /opt/guardium/rpm_logs
What to do next
After installation completes, verify S-TAP status:
Use the shell installer, either in interactive mode or non-interactive mode, to install the S-TAP client on Linux, Solaris, HPUX, and AIX database servers.
Before you begin

About this task

Interactive mode is an easy way to install and uninstall, but it must be run individually on each system. It provides validation at each step, which means less chance of
errors. It is useful for smaller deployments or whenever a guided, step-by-step installation experience is required. In non-interactive mode, you can install multiple S-
TAPs by a script, which is especially useful for managing large deployments.
If any stage of the installation fails, undo all of the steps up to that point. Do not leave the S-TAP partially installed.
The S-TAP package name is in the format: guard-stap-guard-10.1.0_r79927_1-rhel-5-linux-x86_64.sh, where the first three numbers are the release number,
followed by the revision number, in this example r79927.
Interactive mode is recommended for individual S-TAPs. The system prompts for the basic configuration, and verifies your input immediately, so there are no errors. By
default, K-TAP is installed automatically during S-TAP installation. The S-TAP installer checks if the K-TAP is available for the kernel version. If the installation process
does not find a matching K-TAP, it attempts to build one to match your Linux kernel. If the K-TAP cannot be installed or does not start, a query is presented to the user
whether to continue installation.
Use the non-interactive mode to install on multiple databases multiple systems by running a single command, using the tapfile parameter, --tapfile <path to ini file>, and a
guard_tap.ini file that specifies the databases and their details. If you are installing on multiple databases, consider using GIM instead of non-interactive mode.
Procedure
1. Log on to the database server using the root account.
2. Designate an installation directory and verify it has sufficient disk space, approximately 400 MB - 500 MB total.
3. Copy the S-TAP .tgz to the local disk on the database server, typically to /tmp.
4. For a typical installation by non-interactive mode, the minimum parameters are:
./guard-stap-guard-<release number>_<revision number>_1-rhel-5-linux-x86_64.sh -- --ni --dir

<guardium_installation_directory> Â --tapip <tap_ip or host_name> Â --sqlguardip < sqlguard_ip or host_name>
Note: The S-TAP installer includes all possible modules specific to the different Linux kernels. In rare cases, the S-TAP package does not have the appropriate K-
TAP module. In this case, copy the K-TAP module to /tmp and install using these commands. The K-TAP module file is copied into the S-TAP install directory during
the install.
./guard-stap-guard-10.0.0_r79927_1-rhel-5-linux-x86_64.sh --
--modules /tmp/modules-guard-10.0.0_r79927_1.tgz"
5. For interactive mode, run the installed script. In some cases you will need to run the S-TAP as Guardium. This can cause other issues and should only be used when
absolutely necessary. The only value you must enter is the IP address of the SQL Guard unit. All others can be left at their defaults. The installer prompts as follows.
Enter the path prefix [/usr/local]?

Directory /usr/local/guardium/guard_stap does not exist, would you like to create it? [Y/n]
System library path [/usr/lib]?
Run STAP as root, or as user 'guardium'? [R/u]
Install STAP as root, or as user 'guardium'? [r/U]

Would you like to run guard_discovery? [Y/n]
Do you want to configure load balancer functionality? [y/N]
IP address of the SQL Guard unit:
Do you want to edit the parameters file? [y/N]
If you later update your kernel to another version, we can

try to load the closest fitting delivered module. This
feature is not enabled by default, but we recommend enabling
it to reduce delays in support. Note that if all the
packages require to build natively are installed, a local
build to generate an exact matching module will be attempted
prior to looking for non-exact matches.
Do you wish to enable this feature (y/N/h)?
When the script asks "Would you like to run guard_discovery? [Y/n]" if you choose yes, then it runs the guard_discovery once with the --update-tap-flag to initially
configure inspection engines. No matter what, it configures guard_discovery --send-to-sqlguard-flag to run once every 24 hours.
What to do next
Linux and UNIX systems: S-TAP install script parameters

Understand the script parameters for installing S-TAPs.
Install Script Command Line Syntax
usage: guard-stap-setup [options]
--ni Non-interactive install.
-k | -p Install with K-TAP or PCAP.
--ignore-compat Ignore script compatibility check.
-k | -t | -p Install with K-TAP, Tee, or PCAP.
-u Update if previous installation found.
--user | --root Run S-TAP as user or root.
--userinst | --rootinst Install S-TAP as user or root.
--overwrite-existing Overwrite existing installation if found.
--tls force | failover | none S-TAP TLS setting.
--dir <dir> S-TAP install directory.
--tapfile <file> The install process reads this guard_tap.ini file and uses its parameters for the STAP you are installing. For example:
/var/tmp/guard-stap-10.0.0_r103368_v10_5_1-rhel-5-linux-x86_64.sh --ni --dir /usr/local --tapfile /var/tmp/guard_tap.ini.
--ipfile <file> Text file that specifies a list of hostnames, IP addresses, and Guardium system addresses separated by a single space. For
example:
database-01 10.10.10.1 gmachine-01

The command would look like:/var/tmp/guard-stap-10.0.0_r103368_v10_5_1-rhel-5-linux-x86_64.sh --ni --dir /usr/local --

ipfile /var/tmp/ipfile.txtGIM is a much easier way of configuring these parameters.
--tapip <tapip> The IP of the machine S-TAP is being installed on.
--sqlguardip <sqlguardip> The IP of the Guardium system this S-TAP should communicate with.
--presets <file> | <preset-options> Read installation settings or write them to a file.
--no-discovery Do not use the discovery utility to configure inspection engines.
--modules <module-bundles> Specify an external K-TAP modules bundle
--ktap_allow_module_combos Allow inexact kernel match for K-TAP loading
--load-balancer-ip <load_balancer_ip> The IP address of the central manager or managed unit this S-TAP uses for enterprise load balancing.
--lb-app-group <app_group> Optional. The application group name that this S-TAP belongs to for enterprise load balancing.
--lb-mu-group <mu_group> Optional. The MU group name the app-group will be associated with. Requires a defined LB-APP-GROUP. This parameter can
only be specified once, during initial installation. An MU group must already exist on the Central Manager before it can be used
during installation of S-TAP
--lb-num-mus <number_of_mus> The number of managed units the enterprise load balancer allocates for this S-TAP.
Linux and UNIX systems: Install and uninstall S-TAP with native installers

The native installer provides a shell for the shell installer. The only advantage is that it ensures that S-TAP is registered in the operating system asset repository. This
registration is not required by Guardium for the installation of the S-TAP, but it might be a requirement at your company. Use the native installer only when necessary.
A native installer ensures that S-TAP is registered in the operating system asset repository. This registration is not required by Guardium for the installation of the S-TAP,
but it might be a requirement at your company. There is a separate native installer for each OS type.
Linux and UNIX systems: Installing and uninstalling S-TAP with AIX native installer
Linux and UNIX systems: Installing and uninstalling S-TAP with HP-UX native installer
Linux and UNIX systems: Installing and uninstalling the S-TAP with Solaris native installer
Linux and UNIX systems: Installing and uninstalling S-TAP with AIX native installer
Before you begin
Procedure
1. Obtain the IP address of the database server on which you are installing S-TAP. If virtual IPs are used, note those as well (you will need to configure those later,
2. Identify the IP address of the collector that will control this S-TAP, and to which this S-TAP will report.
3. Verify connectivity between the database server and the collector. On the database, enter nmap -p <port> <ip_address>. For example, to check that port 16018
nmap -p 16018 192.168.3.104
4. Locate the appropriate native installer file (.bff file) from the S-TAP Installation DVD, for your version of AIXÂ®.
5. Enter the following command on a clean server (no previous S-TAP installation) to extract the shell installer for AIX, substituting the appropriate file name with the
appropriate .bff file:
installp -aX -d/var/tmp<filename> SqlGuardInstaller

Example:
installp -aX -d/var/tmp/guard-stap-guard-8.0.00rc1_r20934_1-aix-5.2-aix-powerpc.bff SqlGuardInstaller
The shell installer that is extracted, named guardium, is under /usr/local.
6. Continue with running the interactive installer of the installation procedure, running the generated installation script rather than the default installation script for the
operating system version.
Parent topic: Linux and UNIX systems: Install and uninstall S-TAP with native installers
Remove AIX S-TAP using Native Installer
Procedure
To remove AIX S-TAP using the native installer:
/usr/lib/instl/sm_inst installp_cmd -u -f 'filename'
Example
/usr/lib/instl/sm_inst installp_cmd -u -f'SqlGuardInstaller'
Linux and UNIX systems: Installing and uninstalling S-TAP with HP-UX native installer
Before you begin
Procedure
nmap -p 16018 192.168.3.104
4. Locate the appropriate native installer file (.depot.gz file) on the Guardium S-TAPÂ® Installation DVD, for your version of HPUX.
5. Extract the file with
gzip -d <filename>.depot.gz
6. Enter the swinstall command as follows, supplying the selected file name (the appropriate native installer file) and your database server host name. This command
starts an interactive program. Follow the prompts and use the appropriate controls to install the appropriate S-TAP installation program (.sh file), which is located in
/var/spool/sw/var/tmp.
swinstall -s /var/tmp/<filename>.depot @ ,hostname>:/var/spool/sw

7. Continue with running the interactive installer in the installation procedure, running the generated installation script rather than the default installation script for the
operating system version.
Remove HPUX S-TAP Using Native Installer
Procedure
To remove HPUX S-TAP using the native installer, use the following command:
swremove @<hostname>:/var/spool/sw
Linux and UNIX systems: Installing and uninstalling the S-TAP with Solaris native installer
Before you begin
Procedure
nmap -p 16018 192.168.3.104
4. Locate the appropriate native installer file (.pkg file) on the Guardium S-TAPÂ® Installation DVD, for your version of Solaris
5. Enter the pkgadd command to run the installer using the selected file:
pkgadd -d <filename>.pkg
The shell installer is extracted under /usr/local/guardium
6. Continue with running the interactive installer of the installation procedure, running the extracted shell installer script rather than the default installation script for
the operating system version.
Remove Solaris S-TAP Using Native Installer
Procedure
To remove S-TAP using the native installer:
pkgrm GrdTapIns
Linux and UNIX systems: When to restart or reboot after S-TAP install or upgrade
This topic details the situations, after S-TAP installation, of when to restart and when to reboot the database server or database instance. Restart/reboot requirements are
the same for GIM and non-GIM implementations.
What must be restarted after installation of UNIX/Linux S-TAP when using EXIT
Teradata: needs database restart
DB2: needs database restart
Informix: No restart needed. If ifxserver is running, then restart it. If ifxserver is not running, then no need to restart anything.
What must be restarted after installation of UNIX/Linux S-TAP when using A-TAP
The database must be restarted when using A-TAP.
A-TAP should be deactivated and de-instrumented prior to any database software updates.
What must be restarted after installation of UNIX/Linux S-TAP when using K-TAP
OS/Database Oracle Â DB2 Â Sybase Â MS-SQL Â Informix Â
Â TPC/IPC SHM TPC/IPC SHM TPC/IPC SHM TPC/IPC SHM TPC/IPC SHM
Linux NR NR NR REQ NR NR NR NR NR REQ
AIX REQ NR REQ NR REQ NR NA NR REQ NR
Solaris NR NR NR NR NR NR NR NR NR NR
HP-UX NR NR NR NR NR NR NR NR NR NR
NR = No restart/reboot required (based on utilizing live update mechanism and referencing live update link if you have one)
REQ = Restart required
NA = not applicable
What must be restarted after a live upgrade of UNIX/Linux S-TAP

No restarts are necessary at all for live upgrades that do not include A-TAP.
A-TAP should be deactivated and de-instrumented prior to any S-TAP upgrades.
Reboot guidelines

Rebooting the database server is only required when uninstalling K-TAP (whether or not K-TAP is in use).
Linux and UNIX systems: Work with K-TAP

Learn about K-TAP.
K-TAP is a kernel module that is installed into the operating system. Is it installed during S-TAP installation. After it is installed, it can be enabled or disabled by using a
configuration file setting. When enabled, it observes access to a database server by hooking the mechanisms used to communicate between the database client and
server. With K-TAP you do not need to change how database clients connect to the server.
At installation time, you will choose whether or not to load the K-TAP kernel module to the server operating system. This is the only way to load that module. If you do not
load K-TAP initially, and decide later that you want to use it, you will need to remove S-TAPÂ®, and then re-install it.
Note: If K-TAP fails to load properly during installation, possibly caused by hardware or software compatibility, P-CAP is installed as the default collection mechanism.
Note: Intra-session traffic is transferred from the old KTAP to the new KTAP by use of a callback. This means that, for most databases, it can take two SQL requests before
interception resumes with the new KTAP for pre-existing sessions. In the case of Sybase IOCP, this takes three SQL requests due to the nature of the session.
Linux and UNIX systems: Understanding K-TAP

When installing S-TAP, it attempts to load the correct K-TAP version.
Linux and UNIX systems: Building a K-TAP
There are hundreds of Linux distributions available, and the list is growing. This means that there might not be a K-TAP already available for your Linux distribution.
If the correct K-TAP is not available, the S-TAP installation process can build it for you.
Linux and UNIX systems: Copying a new K-TAP module to other systems
When you build a new K-TAP module for a Linux database server, you can copy that module to other database servers that run the same Linux distribution.
Linux and UNIX systems: Enable K-TAP after installation if Tee was installed by default
If, during the installation process, K-TAP fails to load properly, possibly caused by hardware or software incompatibility, Tee is installed as the default collection
mechanism. To switch back to K-TAP, after compatibility issues are resolved, follow these steps.
Linux and UNIX systems: Understanding K-TAP

When installing S-TAP, it attempts to load the correct K-TAP version.
KTAP loader mechanism
KTAP loader mechanism uses the following sequence for Linux S-TAP installation (with GIM and non-GIM).
Note: KTAP loader mechanism automatically proceeds to the next step if the previous step was unsuccessful.
1. KTAP Loader looks for exact kernel module match for the Operating system level and if found, loads it.
2. If KTAP Loader did not find a match, it compiles KTAP the module locally and loads it. This can happen only if the system has required packages installed (gcc
and kernel-devel for booted kernel).
3. If KTAP Loader has not yet been able to load the correct kernel module, and if FlexLoad mechanism is ON, KTAP Loader finds the closest matching kernel
module and loads it.
To turn on the FlexLoad mechanism, use the following flags:

For Shell installation: --ktap_allow_module_combos
For GIM installation: KTAP_ALLOW_MODULE_COMBOS=Y
4. If KTAP cannot load the kernel module, it informs you with a "Failed to load" message. It either installs the S-TAP without the KTAP, or fails the S-TAP
installation. You can then request a matching module from Guardium support. This takes about two weeks to prepare.
Note: See information on CUSTOM BUNDLES in KTAP parameters topic.

Parent topic: Linux and UNIX systems: Work with K-TAP
Linux and UNIX systems: Building a K-TAP

There are hundreds of Linux distributions available, and the list is growing. This means that there might not be a K-TAP already available for your Linux distribution. If the
correct K-TAP is not available, the S-TAP installation process can build it for you.
When you install an S-TAP on a Linux system, the installation process checks the Linux kernel to determine whether a K-TAP has been created to work with that kernel. If a
kernel is running that hasnâ€™t loaded the KTAP before, it searches for a matching module and loads it. If the installation process does not find a matching K-TAP, it
attempts to build one to match your Linux kernel.
Most of the K-TAP code is independent of the kernel. The installer for version 9.1 provides a new layer of code, which enables the kernel-independent code to interact with
your kernel. This new layer is delivered as proprietary source code. The installer builds the complete K-TAP by compiling this proprietary source code against your Linux
kernel. This produces a K-TAP specific to your Linux distribution.
This process requires that the standard kernel development utilities, provided with Linux distribution, are present on the database server where the K-TAP is to be built.
The development package must be an exact match for the kernel. The gcc compiler is also required.
If you have several systems running the same Linux distribution, you can build a K-TAP on one system and copy it to the others. For example, you might build a K-TAP on a
test system and then copy it to one or more production database servers after testing. If you use the Guardium Installation Manager (GIM) to install the S-TAP, GIM can
automatically copy the bundle containing the new K-TAP to a Guardium system from which you can distribute it to other database servers.
When the installer attempts to build a K-TAP module, you see messages issued by guard-ktap-loader. These messages can include:
It is attempting to build

The build has completed
The K-TAP has been loaded
The build cannot be attempted, because the kernel development package is not found

Copying a K-TAP module by using GIM
When you build a new K-TAP module for a Linux database server, you can copy that module to other database servers that run the same Linux distribution.
Before you begin

Use this procedure after you have built and tested a K-TAP module on a Linux database server.
About this task

If you use the Guardium Installation Manager (GIM) to manage agents on your database servers, use GIM to copy the module. See the link below for the procedure to use.
Procedure
1. Log in to the database server with the tested K-TAP.
2. Change directory to /usr/local/guardium/guard_stap/ktap/current/ and run ./guard_ktap_append_modules to add the locally built modules to modules.tgz.
3. Copy the updated modules.tgz file to the target server.
4. Log in to the target server and change directory to /usr/local/guardium/guard_stap/ktap/current/.
5. Run the K-TAP loader with the retry parameter and the full path to the updated modules.tgz file. For example:
guard_ktap_loader retry /tmp/modules-9.0.0_r55927_v90_1.tgz
6. Restart the S-TAP to connect it to the new K-TAP module.
Results
The custom K-TAP module is ready to use on the target system. Repeat this procedure for each matching Linux system to which you want to deploy the K-TAP module.
Linux and UNIX systems: K-TAP parameters
Linux and UNIX systems: Enable K-TAP after installation if Tee was installed by default
If, during the installation process, K-TAP fails to load properly, possibly caused by hardware or software incompatibility, Tee is installed as the default collection
mechanism. To switch back to K-TAP, after compatibility issues are resolved, follow these steps.
Procedure
1. Disable the S-TAPÂ®. See Stop UNIX S-TAP for more information.
2. Edit guard_tap.ini and change ktap_installed to 1 and tee_installed to 0
3.
Run the guard_ktap_loader install command.
example: /usr/local/guardium/guard_stap/ktap/current/guard_ktap_loader install
4. Run the guard_ktap_loader start command.
example: /usr/local/guardium/guard_stap/ktap/current/guard_ktap_loader start
5. Re-enable S-TAP. See Restart UNIX S-TAP for more information.
Linux and UNIX systems: Special environments configuration

Use these procedures for as relevant for systems with Zones, RAC, WPAR, clusters.

Install and configure S-TAP in the Master zone (global zone). All other zones (local zones) share the resource with Master zone.
Linux and UNIX systems: Configure S-TAP for DB2 WPAR
Linux and UNIX systems: Activate A-TAP on all nodes of a DB2 Cluster
A-TAP needs to be activated on all nodes where a DB2 server is shared by nodes on a DB2 cluster.
Linux and UNIX systems: Configure delayed cluster disk mounting
This topic applies for Oracle, InformixÂ® and DB2Â® database servers only.

Install and configure S-TAP in the Master zone (global zone). All other zones (local zones) share the resource with Master zone.

About this task
Procedure
1. Install S-TAP on the master zone (global zone) regardless of the zone in which the database runs, since the local zones share information from the master zone.
2. When configuring the Inspection Engine, use the global zone values for the db_install_dir path and tap_db_process_names. (From the global zone, S-TAP monitors
access to databases in all zones.)
3. If you are using PCAP, add the IP addresses of all zones that you want to monitor to the alternate_ips parameter in the guard_tap.ini file on the Solaris database.
4. At the end of the installation:
K-TAP is not loaded on the local zone as it is only loaded on the global. It is visible on the local zones.
S-TAP does not run on the local zones.
Parent topic: Linux and UNIX systems: Special environments configuration

About this task
Oracle RAC (Real Application: Clusters) allows multiple computers to run Oracle RDBMS software simultaneously while accessing a single database, thus providing
clustering.
In a non-RAC Oracle database, a single instance accesses a single database. The database consists of a collection of data files, control files, and redo logs located on disk.
The instance comprises the collection of Oracle-related memory and operating system processes that run on a computer system.
In an Oracle RAC environment, two or more computers (each with an Oracle RDBMS instance) concurrently access a single database. This allows an application or user to
connect to either computer and have access to a single coordinated set of data.
Procedure
1. Install S-TAP on all nodes. In case GIM is used, install GIM client on all nodes, then install bundle S-TAP on all nodes.
2. Configure the STAP parameters. All of the parameters can be configured through GIM UI.
STAP_TAP_IP: public IP configured for the node
STAP_ALTERNATE_IPS: comma separated list of VIPs (virtual IPs) configured for the node, and the scan listener
Tip: Use this command to retrieve value for virtual hostnames to put in alternate_ips: su â€“ grid â€“c â€˜cat
$ORACLE_HOME/network/admin/*.oraâ€™|grep â€“i host
For example:
[root@racvm121 ~]# su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora'|grep -i host

LISTENER_RACVM121=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=racvm121-vip.guard.swg.usma.ibm.com)(PORT=1521)
Configure STAP Inspection engine parameter: unix_domain_socket_marker=<key>, where <key> value can be found in listener.ora in the IPC protocol
definition
Tip: Command to retrieve value for unix_domain_socket: su â€“ grid â€“c â€c̃at $ORACLE_HOME/network/admin/*.oraâ€™|grep â€“i KEY
Example: If the following is a description in the listener.ora LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ORCL))))
then unix_domain_socket_marker=ORCL
Example: If there is more than one IPC line in listener.ora, use a common denominator of all the keys:
su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora'|grep -i KEY

LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
Guardium uses a string search in the path. "LISTENER" works for all four and should be used in this case: unix_domain_socket_marker=LISTENER
Example: If there is no common denominator, create additional inspection engines with unix_domain_socket_marker corresponding to the specific
IPC key(s). For example the guard_tap.ini may look similar to this example in the end:
[DB_0]
...
unix_domain_socket_marker=EXTPROC1522
...
[DB_1]
...
unix_domain_socket_marker=LISTENER
3. If the Oracle database is encrypted (ASO/SSL), activate ATAP on all nodes (active and standby).
a. Stop all Oracle services (including clusterware) and verify that ohasd.bin is down.
i. Run crsctl stop cluster -all
ii. Verify that ohasd.bin is down
b. Authorize user oracle and grid (in case listener belongs to user grid).
c. Configure A-TAP parameters.
d. Activate A-TAP.
e. Start all Oracle services in the cluster.
4. In Oracle RAC environment, verify which user starts the listener. If it is with user grid, authorize the user grid.

Related reference:
Linux and UNIX systems: guardctl utility commands for A-TAP
Linux and UNIX systems: Database-specific guardctl parameters
Linux and UNIX systems: Configure S-TAP for DB2 WPAR

About this task
When ktap_fast_shmem set to 1, if there are multiple DB2 instances that are configured for a single WPAR in guard_tap.ini file and they have the same db2_shmem_size,
then the db2_fix_pack_adjustment and db2_shmem_client_position are taken from the first DB2 section for that WPAR. So in cases where there are multiple DB2
instances running on the WPAR:
If all DB2 instances have the same db2_shmem_size, db2_fix_pack_adjustment, and db2_shmem_client_position, the packets from all instances are collected
even if only one instance is configured.
If all DB2 instances have the same db2_shmem_size, but different db2_fix_pack_adjustment or db2_shmem_client_position, then only packets from the first
configured DB2 instance are collected.
Procedure
1. Compute the client I/O area offsest (db2_shmem_client_position)
a. Open a new bash shell as the db2 instance user.
b. Run the ps -x command to verify that the db2bp command processor is not currently running for this shell. You should not see a command called db2bp
running. If it does, either kill it or run a new shell.
c. Run the following two commands:
db2 get database manager configuration | awk '/ASLHEAPSZ/{print $9 * 4096}'
The output is the required value for db2_shmem_client_position

2. To find the DB2 shared memory segment size (db2_shmem_size), perform one of:
This method gives the most accurate results.
a. Start a DB2 shared memory connection and keep it open.
b. Run this command to get the process ID for db2sysc: ps -eaf | grep db2sysc. The output looks like:
db2inst1 5309370 5505772 0 Nov 11 - 1232:12 db2sysc 0
In this example, the process ID is 5309370.

c. Run this command to retrieve information about shared-memory processes: ipcs -ma. The output looks like:
IPC status from /dev/mem as of Wed Nov 20 13:21:45 CST 2013

T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ CPID
m 2097152 0xffffffff D-rw------- pconsole system pconsole system 1 536870912 4522088
m 1 0x78000015 --rw-rw-rw- root system root system 3 16777216 3605314
m 2 0x78000016 --rw-rw-rw- root system root system 3 268435456 3605314
m 219152387 0xffffffff D-rw------- root system root system 1 536870912 5243842
m 1048580 0x61013002 --rw------- pconsole system pconsole system 1 10485760 4522088
m 10485765 0xd9fd8a61 --rw------- db2inst1 db2iadm1 db2inst1 db2iadm1 5 47644672 5571082
m 9437190 0xd9fd8a74 --rw-rw-rw- db2inst1 db2iadm1 db2inst1 db2iadm1 9 140852104 5571082
m 9437191 0xe1bd8858 --rw-rw---- oracle dba oracle dba 40 53687107584 3801352
m 3145736 0x52594801 --rw-rw---- root informix root informix 13 223019008 5702650
m 3145737 0xd9fd8b68 --rw-rw---- db2inst1 db2iadm1 db2inst1 db2iadm1 1 58720256 6619354
m 3145738 0xffffffff --rw------- db2fenc1 db2fadm1 db2inst1 db2iadm1 7 268435456 5505772
m 11 0x52594802 --rw-rw---- root informix root informix 13 33439744 5702650
m 12 0x52594803 --rw-rw-rw- root informix root informix 13 573440 5702650
m 13 0xf2033f7e --rw------- sybase15 sybase sybase15 sybase 1 115564544 5178168
m 409993231 0x52594804 --rw-rw---- informix informix informix informix 13 8388608 5702650
m 763363344 0xffffffff --rw------- db2inst1 db2iadm1 db2inst1 db2iadm1 1 268435456 5309370
The output contains several columns beyond those shown here, but they do not affect this procedure. Find the line that contains the process ID that
was identified in step 2.b and also has a value of 2 under NATTCH. The DB2 shared-memory segment size is the value in the SEGSZ column. In this
example, it is 131072.
d. Tip: if the list returned in step 2.c is too long, you can filter it by using the process ID. In this case, you would enter ipcs -ma | grep 5309370. The
results do not contain the column headers, but you can look at the previous results to see the column headers and identify the correct line and
column. In this example, it is the last line.

Alternatively, use this method, which is easier but less accurate:

ATAP and KTAP rely on the size for identification of the Application/Agent shared memory segments. These segments are then tapped for C2S and S2C
packets. The segments are equal to the sum of the ASLHEAPSZ and RQRIOBLK parameters. DB2Â® allocates much larger segments. In most cases, the size
is equal to (ASLHEAPSZ + 1) * 2 pages, or (ASLHEAPSZ + 1) * 8192 bytes. Exact size can be determined by observation of the shared memory segments in
the system before and after new DB2 local connection is created. Use this sequence of commands to determine the shared memory segment size. ipcs
command parameters and output format differ from platform to platform. The following script is based on the AIXÂ® version.
ipcs -ma | sort -n -2 +3 > /tmp/before.txt

db2 connect to <some_existing_database>ipcs -ma | sort -n -2 +3 > /tmp/after.txt
db2 terminate
diff /tmp/before.txt /tmp/after.txt | awk '{if ($10 == 2) print $11}'
3. Set these parameters in order to capture the DB2 shared memory traffic.
Table 1. DB2 Parameters
Parameter STAP Name ATAP Name
Packet header size db2_fixed_pack_adjustment db2_header_offset
Client I/O area offset db2_shmem_client_position db2_c2soffset
DB2 shared memory segment size db2_shmem_size db2_shmsize

Linux and UNIX systems: Activate A-TAP on all nodes of a DB2 Cluster
A-TAP needs to be activated on all nodes where a DB2 server is shared by nodes on a DB2 cluster.
Procedure
1. Authorize db2 user on node 1. <guardium_base>/xxx/guardctl authorize-user <user-name>
For example:
# /usr/local/guardium/bin/guardctl authorize-user db2inst1
# /usr/local/guardium/bin/guardctl is_user_authorized db2inst1
User 'db2inst1' is authorized.
2. Activate A-TAP on node 1.

<guardium_base>/xxx/guardctl db_instance=<instance> activate
For example:
# /usr/local/guardium/guard_stap/guardctl db_instance=db2inst1 activate
# /usr/local/guardium/guard_stap/guardctl list-active
db2inst1
3. Restore the original DB2 server on node 1 after activating ATAP on it, so that other nodes can activate ATAP. (All nodes share the executable.( In the db2 adm
directory, copy db2sysc-guard-original over db2sysc (make a copy of each first and set them aside). For example:
# > cp db2sysc-guard-original db2sysc
4. Delete db2sysc-guard-original (or it will fail activation on node 2). For example:
# rm -rf db2sysc-guard-original
5. Move cluster resources to node 2. For example:
# pcs resource move resource_id <destination node>
6. Authorize db2 user and activate on node 2 (steps 1 and 2). This will create the libraries on node 2 and replace the db2sysc-guard-original that has been deleted.
The current status should be:
Node01:
db2inst1
Node02:
db2inst1
Linux and UNIX systems: Configure delayed cluster disk mounting

This topic applies for Oracle, InformixÂ® and DB2Â® database servers only.
For these database types, when the S-TAP starts it must have access to the database home. If your environment uses a clustering scheme in which multiple nodes share a
single disk that is mounted on the active node, but not on the passive node, the database home is not available on the passive node until failover occurs.
S-TAP can be configured for delayed loading by setting a configuration file property, WAIT_FOR_DB_EXEC. When starting, if S-TAP finds that there is no access to the
database home, it checks the WAIT_FOR_DB_EXEC value, and takes the appropriate action.
WAIT_FOR_DB_EXEC > 0, S-TAP starts regardless of whether or not it can stat() process name. It tries to stat() process name every 15 minutes
WAIT_FOR_DB_EXEC < = 0 S-TAP tries to stat() process name in inspection engine immediately after it comes up. If it cannot stat() process name, S-TAP exits.
Before setting this property to a positive value, be sure to set all other necessary configuration properties and test that the S-TAP starts and collects data correctly. This
property can be set only by editing the configuration file, and not from the GUI.
Linux and UNIX systems: Uninstalling an S-TAP

Perform this procedure before installing a new version of S-TAPÂ® if you want to save the old configuration file.
About this task

If S-TAP was previously installed, there is a directory named: /usr/local/guardium/guard_stap.
If you have installed A-TAP, you must deactivate it before attempting any upgrade/install operations; see the description of the A-TAP deactivation command, in Linux and
UNIX systems: Deactivating A-TAP.
If you are removing a previous version of S-TAP that used K-TAP, you will need to reboot the database server. If K-TAP has been installed, you will have a device file
named: /dev/guard_ktap.
Procedure

2. Optionally, copy the S-TAP configuration file to a safe location (a non-Guardium directory). By default, the full path name is:
/usr/local/guardium/guard_stap/guard_tap.ini You can use this file later if you have to re-install this version of the software, or you can refer to it when configuring
an updated version of S-TAP. Do not ever use an older configuration file directly with a newer version of the software - newer properties may be missing, and the
defaults taken may result in unexpected behavior when you start S-TAP.
3. Run the uninstall script. For example, if the default directory has been used: [root@yourserver ~]# /usr/local/guardium/guard_stap/uninstall
4. If your previous version of S-TAP included K-TAP, reboot the database server now.
a. Run the uninstall script again
5. This step applies to AIXÂ® WPARs and Solaris Zones only (skip for all others). If you are uninstalling a previous version of S-TAP that included K-TAP, issue the
following commands from the master node: rm -f /wpars/<server>/dev/ktap* and rm -f /wpars/<server>/dev/guard_ktap*, where /wpars/<server> is the path from
the master node to the WPAR.
Linux and UNIX systems: Upgrading S-TAP and K-TAP

Upgrade S-TAP to continue capturing data from pre-existing sessions, and maintain its configuration, without reboot. You can also upgrade K-TAP as part of the S-TAP
upgrade.
About this task

Before upgrading S-TAP, upgrade the Guardium system that serves as the S-TAP host.
If you are removing a previous version of S-TAPÂ® that used K-TAP, you will need to reboot the database server.
If K-TAP has been installed, you will have a device file named: /dev/guard_ktap
Procedure
2. If the system has A-TAP and the encryption box is not used:
a. Stop the database.
b. User guardctl to deactivate the A-TAP.
3. If the system has A-TAP and the encryption box is used, stop the DB. (ATAP is active whenever the DB is running. Once the encryption box has been set to activate
ATAP automatically, it cannot be disabled by simply unchecking the box. The system needs to be rebooted with the feature disabled in order to clear the setting.)
4. Before running live update, either through GIM or shell installers, make sure no process except the S-TAP is using the K-TAP device. The S-TAP must be running and
A-Tap must be deactivated. Run fuser /dev/ktap_xxx or lsof | grep ktap_xxx (where xxx is the old version number) to see if any process is holding the device open.
Failure to do so can result in unpredictable behavior.
5. If un-installing version 6.0 or later of S-TAP:
a. For Red Hat Enterprise Linux 6: Stop S-TAP using the stop utap command.
b. For Red Hat Enterprise Linux 7: Stop S-TAP using the systemctl stop guard_utap command
c. All others:
i. Remove the utap agent entry in the /etc/inittab file (regardless of whether or not it has been commented). In a default installation, this statement
should look like this: utap:<nnnn>:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
ii. Save the /etc/inittab file.
iii. Run the init q command
d. Run ps - ef | grep stap to verify that S-TAP is no longer running.
6. Copy the S-TAP configuration file to a safe location (a non-Guardium directory).
7. Run the uninstall script. For example, using the default directory: [root@yourserver ~]# /usr/local/guardium/guard_stap/uninstall
Note: Do not run the uninstall program with S-TAP running. Be sure that you have stopped S-TAP.
8. If your previous version of S-TAP included K-TAP, reboot the database server now.
9. HP-UX servers only (skip for all others): If you are uninstalling a previous version of S-TAP that included K-TAP, run the uninstall script again after reboot.
10. AIX WPARs only (skip for all others): If you are uninstalling a previous version of S-TAP that included K-TAP, issue the following commands from the master node
after uninstall: rm -f /wpars/<server>/dev/ktap* and rm -f /wpars/<server>/dev/guard_ktap*, where /wpars/<server> is the path from the master node to the
WPAR.
11. Upgrade the S-TAP, using one of
Windows: Installing S-TAP agent with GIM (v10.1-10.1.3), or Linux and UNIX systems: Installing the S-TAP client with GIM (v10.1.4) using the Upgrade
option at the end of the procedure.
If you are upgrading K-TAP, set KTAP_LIVE_UPDATE to yes. Modify other parameters as relevant. Parameters you leave unchanged are carried over in
the upgrade.
Linux and UNIX systems: Installing and updating S-TAP using RPM, using the -u flag and other relevant upgrade parameters listed in the Linux and UNIX
systems: S-TAP install script parameters. To upgrade K-TAP, specify --live_update Y
12. After a K-TAP live upgrade:
The first SQL for an existing session after updating K-TAP is not captured.
Existing A-TAP sessions on Solaris local zone are not logged.
Some processes may still reference memory in the old K-TAP module. Under this scenario, the module refuses to free the resources to prevent future
instability. When this happens, the user should, after those resources are no longer being used, try a manual cleanup by running the guard_ktap_cleanup that
is kept in the ktap directory.
On HP-UX 11.11, the old K-TAP module is no longer installed, but it still shows up as registered when you execute kmadmin -s | grep tap. Manually unregister
this module with kmmodreg -U ktap_<version>.
On Solaris and AIXÂ®, the old dev-nodes are not automatically deleted after a reboot and they need to be removed manually.
Exceptions:
If the DB server is installed with a version that was not installed through GIM, and the non-GIM K-TAP version is not the same with installing K-TAP version,
the value of the KTAP_LIVE_UPDATE is ignored, since an upgrade from a non-GIM version requires system reboot
When upgrading from a non-GIM version to the same GIM version, the system does not need to be rebooted.
You can NOT reinstall a previously installed K-TAP version without rebooting the machine.
Error Handling:
In the event of a failure, it is extremely important to check the GIM Events List report, since some failures require system reboot in order to fully recover.

Note: K-TAP for AIX only fails to load during an S-TAP installation or upgrade if the ODMDIR environment is not defined. ODMDIR is Object Data Manager Directory.
ODM is a database of system and device configuration information integrated into the OS. It is intended for storing system information, software information, and
device information. All ODM commands use the ODMDIR environment variable, that is set in the file /etc/environment. The default value of ODMDIR is
/etc/objrepos.

Related reference:
Linux and UNIX systems: Configuring S-TAP

Linux and UNIX systems: Discover database instances
Enable S-TAP to periodically discover database instances and send the results to the current active S-TAP system.
Linux and UNIX systems: Configuring an Inspection Engine
Linux and UNIX systems: Inspection engine verification
S-TAP verification confirms that the STAPs and their inspection engines in your environment are running and actively monitoring database activity. Understand
verification, and define a schedule to regularly verify S-TAPs.
Linux and UNIX systems: S-TAP Load Balancing models and configuration guidelines
Linux and UNIX systems: Set up S-TAP authentication with SSL certificates
Linux and UNIX systems: Increasing S-TAP throughput
You can configure an S-TAP that reports to multiple Guardium systems to increase the throughput of data.
Kerberos is a network authentication protocol that eliminates the transmission of unencrypted passwords across the network. Learn how it functions in Guardium .
Linux and UNIX systems: A-TAP management
A-TAP is an application-level tap. A-TAP sits in the application layer to support monitoring of encrypted database traffic, which cannot be done in the kernel by K-
TAP.
Linux and UNIX systems: Using Exit libraries
Exit libraries embed a Guardium library into the database, using the exit mechanism. The exit library, or module, communicates directly with the Guardium S-TAP to
forward database traffic.
Linux and UNIX systems: Editing the S-TAP configuration parameters
You can modify the S-TAP configuration after it is installed using GIM, the GUI, or for advanced users, in the configuration file on the database.

About this task

Prerequisite: You must be logged in to the Guardium system that is the active host for the S-TAP.
Some configuration changes require that the S-TAP agent be restarted manually, as indicated in the parameter descriptions.
Sometimes a user is unable to make a decision during the process of installing an S-TAP or may make the wrong decision and it goes undetected until after the installation
process is complete. For instance a user may forget to type in or use the wrong IP address when defining a SQL Guard IP. These types of mistakes can be remedied by
modifying the S-TAP configurations.
Parameters in the GUI may be safely changed. Parameters that are not in the GUI rarely need changing and should normally be left unmodified; they are for use by
Guardium Technical Support or advanced users.
If you have installed your S-TAP by using the Guardium Installation Manager (GIM), you can update some parameters through the GIM GUI or API.
Procedure
2. Perform operations on all S-TAPs in the page.
Refresh: refresh display of S-TAPs.
Add All to Schedule: add all displayed S-TAPs to the S-TAP verification schedule.
Remove All from Schedule: remove all displayed S-TAPs from the S-TAP verification schedule.
Comments: add comments. See Comments
3. Identify the S-TAP to be configured by its IP address or the symbolic host name of the database server on which it is installed. View and perform operations on
individual S-TAPs.
Option Description
Delete: Click Delete to remove an S-TAP.
Deleting S-TAPs is useful to clean up your display when you know that an S-TAP has become inactive, or when the
Guardium unit is no longer listed as a host in the S-TAP's configuration file. In either of these cases, the S-TAP displays
indefinitely with an offline status if you do not delete it.
You cannot remove an active S-TAP from the list. Clicking delete does not stop an S-TAP from sending information, nor
does it remove the Guardium host from the list of hosts stored in the S-TAP's configuration file.

Option Description
Refresh: Click Refresh to fetch a copy of the latest S-TAP configuration from the agent. (There is no auto-refresh of the S-TAP
display.)
Opens the S-TAP Commands popup, where you can run various commands on the S-TAP host.
Restart: Restarts the S-TAP. Not usually needed, and if yes, it's easier to simply kill it from the database server.
Send Command: S-TAP logging
Reinitialize buffer: reset the K-TAP statistics along with deleting the S-TAP buffer
KTAP logging: Similar to S-TAP Logging; increases the debug output from KTAP
Run Diagnostics: Run the S-TAP diagnostics script (and upload the results to the Guardium system)
Upload Linux Modules: Linux only. Uploads the local custom build module of K-TAP.
Record Replay Log: Records all data to a file on DB server (RECORD) and sends data to collector (REPLAY)
Revoke Ignore: All sessions ignored by a revokable ignore policy will be un-ignored and start capturing the traffic
again for those sessions
Run Database Instance Discovery: Runs the discovery process, once immediately. (If enabled to run automatically,
it runs, by default, every 24 hours.)
Opens the S-TAP configuration window. Parameters that do not appear in the GUI are advanced parameters. Do not
Edit S-TAP configuration:
modify them if you are not an advanced user, or have not been instructed to modify them by Guardium Technical Support.
See GUI parameters:
Linux and UNIX systems: General parameters
Linux and UNIX systems: Configuration Auditing System (CAS) parameters
Linux and UNIX systems: Application server parameters
Linux and UNIX systems: Guardium Hosts (SQLGuard) parameters
Linux and UNIX systems: Inspection engine parameters
Show S-TAP Event Log: Click to open the S-TAP event log, where you can see events such as connect, disconnect, GIM server configuration, and
so on. This log is very useful for troubleshooting.
Add to Schedule checkbox Adds the individual S-TAP to the scheduled verification.
Revoke All Ignored Sessions A database could be running many sessions, some of which are currently ignored. Clear this option to stop ignoring traffic
checkbox from that server.
Parent topic: Linux and UNIX systems: Configuring S-TAP
Linux and UNIX systems: Discover database instances

Enable S-TAP to periodically discover database instances and send the results to the current active S-TAP system.
The Guardium Discovery Agent is a software agent automatically installed with the S-TAP package on a database server. The instance discovery agent reports database
instances, listener, and port information to the Guardium system. Discovery does not find and report on every detail of the DB instances on the server.
Auto-discovery is enabled by default. Configure it with the parameter discovery_interval.
Database types supported by S-TAP Discovery

Oracle, DB2, Informix, MySQL, PostgreSGL, Enterprise PostgreSQL, Sybase, Hadoop, Teradata, Netezza, MemSQL.
The discovery bundle is not installed in a slave zone or WPAR; the discovery agent running on the global zone collects information from other zones.
Note: On Solaris zones architecture, when DB2Â® instances are running on slave zones, Discovery does not discover the DB2 shared memory parameters.
Newly discovered database instances can be seen in the Discovered Instances report. From this report, datasources and inspection engines can quickly be added to
Guardium using the Actions menu.
If databases on the database server are not operational (started) or are added later, the Discovery Agent can still discover these instances by running the Run Discovery
Agent command from the STAP Control window (Manage > Activity Monitoring > S-TAP Control. Click , and select Run Database Instance Discovery).
S-TAP Discovery can be run manually but this action is not suggested. The main reason to run it manually is for debugging purposes. If a new request comes in from the
user interface while a scheduled discovery is running, the new request is ignored.
You can run Discovery from a local command line on the database server (/usr/local/guardium/guard_stap/guard_discovery), in one of three ways:
with the --update-tap flag: edits the guard_tap.ini to add or update inspection engines
with the --send-to-sqlguard flag (or with no flag, this is the default): sends the found changes to the Guardium system, where they appear in the Discovered
Instances report
with the --print-output flag: prints the found changes to stdout (for debugging)
If the S-TAP running as "user" (and not guardium), the discovery functionality is limited. The following message displays:
WARNING: Discovery is enabled and STAP is running as user guardium.

The discovery function is limited when STAP runs as user guardium.
Discovery is most effective when 'tap_run_as_root=1'
Note: S-TAP Discovery is not supported on AIX 5.3 because of static libraries are needed on that platform.
Note: In order to avoid an instance where S-TAP discovery does not open the Informix database, it is recommended to start Informix databases using the full path to the
executable.
The S-TAP Discovery application parameters should be left at their default values, except for advanced users. Discovery application are described in Linux and UNIX
systems: Discovery parameters.
Discovery also uses these parameters:
tap_ip: the S-TAP with which the database instance is associated.

sqlguard_ip: S-TAP discovery results are sent to this IP. (The Guardium system with primary=1 in the SQLguard parameters. )
Linux and UNIX systems: Configuring an Inspection Engine

Before you begin

You must be logged in to the Guardium system that manages the S-TAP.
About this task

Do not configure an S-TAP inspection engine to monitor network traffic that is also monitored directly by a Guardium system that is hosting the S-TAP, or by another S-TAP
reporting to the same Guardium system. That would cause the Guardium system to receive duplicate information: it would not be able to reconstruct sessions, and would
ignore that traffic.
Procedure
1. Navigate to Manage > Activity Monitoring > S-TAP Control.
2. In the row of the S-TAP, click . The S-TAP Configuration window opens.
3. Scroll to the bottom of the inspection engines, and click next to Add Inspection Engine....
4. Select the protocol and enter the port range. The window refreshes with the relevant parameters, some with their default values.
5. Configure all required parameters, and click Add. If you are missing parameters, the system informs you what is missing.

Related reference:

S-TAP verification confirms that the STAPs and their inspection engines in your environment are running and actively monitoring database activity. Understand verification,
and define a schedule to regularly verify S-TAPs.
Verification checks sniffer operation and communication between the Guardium system and the inspection engines. You can enable verification for all S-TAP clients on
your system, or individual S-TAP clients, or individual inspection engines.
Verification is supported for these database types:
DB2 and DB2 Exit

Greenplum
Informix
MSSQL (for cluster configuration supports only advanced verification)
MySQL
Netezza
Oracle
PostgreSQL
Teradata (advanced verification only)
There are two types of verification:
Standard verification
Checks the sniffer operation, and the communication between the S-TAP and the inspection engine. It submits invalid login request and verifies that the
appropriate error message is returned.
Advanced verification
Use advanced verification to avoid failed login requests, and manage individual IEs. For avoiding failed login requests, you must identify or create a datasource
definition associated with the target database. The datasource definition includes credentials, which the verification process uses to log in to the database. Then it
submits a request to retrieve data from a nonexistent table in order to generate an error message.
For both types of verification requests, the results are displayed in a new dialog that provides information about the tests that were performed and recommended actions
for tests that failed.
Linux and UNIX systems: S-TAP verification

Linux and UNIX systems: Configure standard verification
Linux and UNIX systems: Configure advanced verification
Use this task to configure all inspection engines on a specific S-TAP client host, and to configure advanced verification.
Linux and UNIX systems: Configuring the S-TAP verification schedule
The default schedule for verifying S-TAPs is once per hour, every day. You can change this schedule.
Linux and UNIX systems: S-TAP verification


Before connecting to the database, the verification process checks whether the sniffer process is running on the Guardium system. The sniffer is responsible for
communicating with each S-TAP and processing the data that is received. If the sniffer is not running, responses from the S-TAP are not recognized.
communicated to the Guardium system.
Next the verification process checks whether it can connect to the selected inspection engine on the database server. It expects to receive a response that indicates a
failed login. If a different response is received, you might have to investigate further.
Some error messages from individual databases do not indicate a specific problem. For example, on several supported databases, the error code returned for a wrong port
can also mean that the database itself is not started.
View the verification results in the S-TAP Verification page (Manage > Reports > Activity Monitoring > S-TAP Verification page). Failed checks are shown first, with
recommendations for next steps. Checks that succeeded are shown in a collapsed section at the end of the list. In some situations, it might be useful to review the
successful checks in order to choose among possible next steps.
Parent topic: Linux and UNIX systems: Inspection engine verification
Linux and UNIX systems: Configure standard verification

About this task

As an alternative to this procedure, you can use the GRDAPI command verify_stap_inspection_engine_with_sequence.
Procedure
1. Access Manage > Activity Monitoring > S-TAP Control.
2. Use these options:
Add All to Schedule: add all inspection engines for all displayed S-TAPs to verification.
Remove All from Schedule: remove all inspection engines for all displayed S-TAPs from verification.
Add to Schedule: add all inspection engines of the selected S-TAP client to the schedule.
If an S-TAP does not have the option All Can Control enabled, you can only change its status if your Guardium system is the primary system for this S-TAP.
3. Click Refresh.
4. To verify now, go to Manage > Activity Monitoring > S-TAP Verification Scheduler and click Run Once Now.
Linux and UNIX systems: Configure advanced verification

Use this task to configure all inspection engines on a specific S-TAP client host, and to configure advanced verification.
Before you begin

Use this task to configure verification on individual inspection engines, including advanced verification.
About this task
Procedure
1. Access Manage > System View > S-TAP Status Monitor.
2. Click anywhere in the row of the S-TAP.
The window refreshes with the individual inspection engines of this host.
3. To verify now, select one or more inspection engines and click Verify.
4. Configure advanced verification.
a. Click one inspection engine, and click Advanced Verify.
b. Optionally, under Datasource, select Show only matching S-TAP host or select a name from the Name drop-down list to search for a specific inspection
engine.
c. Click Close.
5. To add to or remove from verification.
a. Select one or more inspection engines.
b. Click Add to Schedule or Remove from Schedule
Linux and UNIX systems: Configuring the S-TAP verification schedule

The default schedule for verifying S-TAPs is once per hour, every day. You can change this schedule.
About this task

The same schedule is used for all S-TAPs that are scheduled for verification.
Once a schedule is defined, you can click the Pause button to temporarily stop the verification process while keeping it active. Use the Run Once Now button to run the
verification once in real-time.
Procedure

1. Click Manage > Activity Monitoring > S-TAP Verification Scheduler to open the S-TAP Verification Scheduler.
2. In the S-TAP Verification Scheduler portion of the page, click Modify Schedule.
3. In the Schedule Definition dialog, use the drop-down lists and check boxes to schedule when verification runs. This schedule is applied to all S-TAPs that are
scheduled for verification.
4. Click Save to save your changes.
Linux and UNIX systems: S-TAP Load Balancing models and configuration guidelines
Each load balancing model is described here, along with its specific parameter requirements.
Failover
S-TAP sends traffic to one collector (primary) and fails over to one or more collectors (secondary, thirdly, and so on) as needed. The S-TAP agents are configured with a
primary and at least one secondary collector IP. If the S-TAP agent cannot send the traffic to the primary collector for various reasons, the S-TAP agent automatically fails
over to the secondary. It continues to send data to the secondary host until either the secondary host system becomes unavailable, or the primary host becomes available
again. In the first case, it fails over to the tertiary if there is one defined. In the second case S-TAP fails over from the secondary Guardium host back to the Primary
Guardium host. You can configure as many failover collectors as you want, although there is no reason to define more than 3. You can either define one collector as a
standby failover collector only, or a few failover collectors. When using one standby failover, one collector is usually sufficient for 4-5 collectors. When using a few failover
collectors, each one should run at a maximum 50% capacity, so that there are always resources for additional load. Choose the setup that works best with your
architecture, database, and data center layout.
The S-TAP restarts each time configuration changes are applied from the active host.
In the S-TAP Control window, Details section: set Load Balancing to 0; In the Guardium Hosts section: add at least one secondary sqlguard_ip.
Additional failover configuration should be left at the default values, except by advanced users.
Before designating a Guardium system as a secondary host for an S-TAP, verify these items.
The Guardium system must be configured to manage S-TAPs. To check this and re-configure if necessary, see Configure Guardium system to Manage Agents.
The Guardium system must have connectivity to the database server where S-TAP is installed. When multiple Guardium systems are used, they are often attached
to disjointed branches of the network.
The Guardium system must not have a security policy that will ignore session data from the database server where S-TAP is installed. In many cases, a GuardiumÂ®
security policy is built to focus on a narrow subset of the observable database traffic, ignoring all other sessions. Either make sure that the secondary host will not
ignore session data from S-TAP or modify the security policy on the Guardium system as necessary.
Load balancing
This configuration balances traffic from one database onto multiple collectors. This option might be good when you must monitor all traffic (comprehensive monitoring) of
an active database. (Note that for outliers detection, the collectors need to be under the same aggregator and central manager in order for the aggregator to process all
related data.) When the generated traffic is large and you need to house the data online on a collector for an extended period, this method might be your best choice
because it performs session-based load balancing across multiple collectors. An S-TAP can be configured in this manner with up to 10 collectors.
Set participate_in_load_balancing to 1 for load balancing.
Grid
With Grid, the S-TAP communicates to the collector through a load balancer, such as f5 and Cisco. The S-TAP agent is configured to send traffic to the load balancer. The
load balancer forwards the S-TAP traffic to one of the collectors in the pool of collectors. You also can configure failover between load balancers for continuous monitoring
if the load balancer should fail.
Set participate_in_load_balancing to 3 for the grid model.
Redundancy
In redundancy, the S-TAP communicates its entire payload to multiple collectors. The S-TAP is configured with more than one collector (often only two) and
communicates the identical content to both. This option provides full redundancy of the same logged data across multiple collectors. It can also be used for logging data
and alert on activity at different levels of granularity.
Set participate_in_load_balancing to 2 for redundancy.
Multiple K-TAP buffers
This mode utilizes extra threads and K-TAP buffers to increase throughput. Set participate_in_load_balancing to 4. See Linux and UNIX systems: Increasing S-TAP
throughput
Linux and UNIX systems: Set up S-TAP authentication with SSL certificates
S-TAPs can be configured to only connect to a certain group of machine(s) that authenticate with a given certificate or set of certificates. Â These certificates can either be
generated locally on the Guardium system and sent off to the Certificate Authority (CA) for signing or can be created at the CA and installed whole on the Guardium
system.
Linux and UNIX systems: Generating certificate signing request (CSR) on Guardium system
Linux and UNIX systems: Installing an SSL certificate generated outside of the Guardium system

Linux and UNIX systems: Configuring the S-TAP to use x.509 certificate authentication
Linux and UNIX systems: Generating certificate signing request (CSR) on Guardium system
Procedure
1. Log into your Guardium system with CLI.
2. Enter: cli> create csr sniffer
3. Enter the requested data.
When you've finished, it looks like:
4. Copy from the -----BEGIN CERTIFICATE REQUEST----- to the -----END CERTIFICATE REQUEST----- into a file and send this to your CA for signing.
The CA will sign the certificate and send you back a public key that looks something like:

5. Have this file handy to either copy its contents or import it to the Guardium system. Enter: cli> store certificate sniffer [console | import]
6. If console, copy-paste from -----BEGIN CERTIFICATE----- all the way to -----END CERTIFICATE----- (including those within the copy) and paste into the CLI when
prompted. Â If choosing import, tell the Guardium system where to import the file from.
It asks you to confirm that you want to store the certificate, and when you confirm, it stores it.

Parent topic: Linux and UNIX systems: Set up S-TAP authentication with SSL certificates
Linux and UNIX systems: Installing an SSL certificate generated outside of the Guardium
system
About this task

If the CA is sending you a whole certificate to install, you need two files, the private key in PKCS#8 (password protected) format, and the public key in PEM format. The
certificate generated needs to be a 2048 bit RSA key.
The CA sends you two files, and the public cert for your CA. Â
The public-cert of your CA looks like:

The public-cert specific to you/this Guardium system looks like:
The private key (encrypted with pkx#8) looks like:
Have these files handy to either import (via scp/ftp/etc) to the Guardium system or to copy-paste into the cli interface on the Guardium system.
Procedure
1. Log in to the Guardium system via CLI.
2. Store the private key by entering: cli> Â store certificate keystore [import | console] The import takes the saved file, and then copies and pastes the contents of the
file into your console interface. It asks for the password that the file was saved with. Â Either you provided this to the CA for creation of the certificate, or more
likely, they provided you with a password when they sent your files. Here's what it looks like on the Guardium system:

3. Import the signed certificate with: cli> Â Â store certificate sniffer [import | console] It displays the information on the cert and then asks you to confirm storing the
cert. It looks like:

Linux and UNIX systems: Configuring the S-TAP to use x.509 certificate authentication
About this task
First, take note of what you have assigned as the CA and the CN of the certificate. Â If you don't remember, use the CLI command show system certificate to display the
values.
You need the CN of the cert installed on the Guardium system and the public-key for the CA that signed the certificate on the Guardium system. You also might want a
Certificate Revocation list signed by the same CA that signed the Guardium system cert, but it's not necessary.
The relevant parameters in the guard_tap.ini are:

If you do not choose to use a value for a parameter, set its value equal to NULL. This is pertinent to the CRL path in particular, or if you want to shut off certificate
authentication and go back to TLS.
Procedure
1. Copy the public key [and the CRL if wanted] for the CA that the CA sent you to a directory on the S-TAP host.Â Take note of this directory.
2. Set guardium_ca_path=[path-to-CA.pem]
3. Set sqlguard_cert_cn=[the full CN or partial CN (using * as a wildcard) of the Guardium system]
4. If you want to use a certificate revocation list at this time, set guardium_crl_path=[path-to-crl.crl] It should look like:
guardium_ca_path=/var/tmp/pki/Victoria_QA_CA.pem
sqlguard_cert_cn=sample1_qa.victoria
guardium_crl_path=/var/tmp/pki/Victoria_QA_CA.crl
5. Change tls=1.
6. Restart the S-TAP You are now connected using Openssl.
Linux and UNIX systems: Increasing S-TAPÂ® throughput

You can configure any S-TAP to create multiple threads to increase the throughput of data. If the S-TAP configuration file defines more than one Guardium system, a
thread can be created for each Guardium system. S-TAP creates extra threads, matching the number of Guardium systems, in v10.1.4 and higher up to 10 threads. When
participate_in_load_balancing parameter is set to 4, the K-TAP creates a similar number of buffers matching the number of Guardium systems up to 5 threads. The K-TAP
alternates between the buffers, placing entire packets in each buffer. Each S-TAP thread reads from a different K-TAP buffer, and sends traffic data to a single Guardium
system.
In this configuration, no one Guardium receives all the data from the S-TAP. The distribution is similar to that used when participate_in_load_balancing is set to 1.
Attention: Prior to V10 GPU200, when a Guardium system becomes unavailable, no failover is provided. Data that was being sent to a Guardium system is lost until the
system becomes available or the configuration is changed.
Attention: Prior to V10 GPU300, if the S-TAP configuration file defines more than one Guardium system, a thread can be created for each Guardium system. This feature is
activated only when participate_in_load_balancing parameter is set to 4.
Encrypted and unencrypted A-TAP traffic cannot be sent to the same Guardium system. This is similar to the situation when participate_in_load_balancing is set to 1

Parent topic: Linux and UNIX systems: S-TAP operation and performance

Kerberos is a network authentication protocol that eliminates the transmission of unencrypted passwords across the network. Learn how it functions in Guardium .
It works in a mutual authentication mode, verifying both the identity of the user that is requesting authentication as well as the server providing the requested
authentication. The Kerberos authentication mechanism issues tickets for accessing network services. These tickets contain encrypted data, including an encrypted
password, that confirms the user's identity to the requested service.
For auditing and alerting, itâ€™s important to know which database user performed an action. When login is done with a Kerberos ticket, determining the database user is
not always straightforward.
Guardium S-TAP only sees network traffic and passes it on to the sniffer on the Guardium appliance. When a Kerberos ticket is used for login, S-TAP passes that Kerberos
ticket along to the sniffer. For some database server types, the sniffer can determine the database user from the Kerberos login traffic and no additional information is
required. For other database server types, the sniffer needs some assistance. That function is performed by the S-TAP Kerberos plugin.
The S-TAP Kerberos plugin is not enabled by default; it requires additional configuration.
If you use Kerberos at all, configure the plugin. There is no performance implication or other downside to configuring the plugin, just in case you need it.
The data flow between the database, the Guardium sniffer and the Guardium audit data is:
1. S-TAP captures the Kerberized database login packet (along with other activity) and sends it to the Guardium appliance.
2. If the sniffer can determine the user name from the Kerberos ticket, it parses it.
3. If the sniffer cannot determine the user name from the Kerberos ticket, it sends the Kerberos ticket, along with a request for the database user, to the S-TAP. S-TAP
checks to see if there is a Kerberos plugin configured. If there is a Kerberos plugin configured, S-TAP gives the ticket to the plugin and the plugin attempts to figure

out DB_USER from the ticket. It returns the database user name to S-TAP. (If not, then the database user name is not supplied and you do not see database user
names in your reports.)
4. The sniffer can now populate the database user for that ticket, and correlate it with the rest of the database activity for that user in the Audit.
Linux and UNIX systems: Kerberos authentication supported databases

View the list of database servers that are supported for Kerberos authentication, and whether they require the Kerberos plugin.
Linux and UNIX systems: Enabling the Kerberos plugin
Linux and UNIX systems: Configuring the Kerberos plugin
To monitor database traffic on a server that uses Kerberos authentication, including identifying the DB_USER, you must configure the guardtap.ini and
guardkerbplugin.conf files appropriately.
Linux and UNIX systems: Finding the Kerberos configuration parameters for Oracle
For Oracle Kerberos, locate the Kerberos keytab and configuration file locations in sqlnet.ora.
Linux and UNIX systems: Finding the Kerberos configuration parameters for Sybase
Use the Sybase environment variables to get the Kerberos information.
Linux and UNIX systems: Kerberos authentication supported databases

View the list of database servers that are supported for Kerberos authentication, and whether they require the Kerberos plugin.
Database Kerberos plugin required?
DB2 No
Oracle Yes
Cassandra Yes
Sybase ASE Yes
HBase Yes
MongoDB No
HDFS No
Big SQL No
Hive Yes
Impala No
Parent topic: Linux and UNIX systems: Kerberos-authenticated database traffic
Linux and UNIX systems: Enabling the Kerberos plugin

About this task
To enable the plugin, edit the guard_tap.ini configuration file and change the kerberos_plugin_dir entry to point to the directory where the plugin itself
(libguardkerbplugin.so) and the configuration file (guardkerbplugin.conf) are located.
Procedure
1. For a default shell install: kerberos_plugin_dir=/usr/local/guardium/guard_stap
2. For a default GIM install: (exact path varies with software release in use) kerberos_plugin_dir=/usr/local/IBM/modules/STAP/10.1.3_r101299_1-
1495145548
3. Default (plugin is disabled): kerberos_plugin_dir=NULL
Linux and UNIX systems: Configuring the Kerberos plugin

To monitor database traffic on a server that uses Kerberos authentication, including identifying the DB_USER, you must configure the guardtap.ini and
guardkerbplugin.conf files appropriately.
About this task

All customization settings for the Kerberos plugin are located in the file guardkerbplugin.conf. The default contents of this file are:
# Kerberos values
KRB5RCACHETYPE=none
KRB5_KTNAME=/path/to/kerberos/krb5.keytab
KRB5_CONFIG=/path/to/kerberos/krb5.conf
# Plugin values
KRB5_PLUGIN_CCACHE=/path/to/kerberos/krb5cc_*
KRB5_PLUGIN_GSSAPI_LIBRARY=/path/to/lib/libgssapi_krb5.so
#KRB5_PLUGIN_DEBUG=0
Lines beginning with a #, as well as blank lines, are treated as comments and ignored. Invalid entries cause errors and prevent the Kerberos plugin from running.
When any configuration entry is changed, the S-TAP must be restarted for the updated values to take effect.
Configuration entries are:
KRB5RCACHETYPE

KRB5RCACHETYPE=none
KRB5_KTNAME
This is the path to the keytab file; this can either be a keytab file already in use by the system, or one generated by Kerberos utilities specifically for use by the
plugin. In general this file will have the name krb5.keytab. for example:
KRB5_KTNAME=/home/oracle11/krb5/keytabKRB5_KTNAME=/home/sybase15/kerberos/keytab
KRB5_CONFIG
This is the path to the Kerberos configuration file in use by the system. In general this file is named krb5.conf. for
example:KRB5_CONFIG=/home/oracle11/krb5/krb5.conf KRB5_CONFIG=/home/sybase15/kerberos/krb5.conf
KRB5_PLUGIN_CCACHE
This is a wildcard path to where the Kerberos system cache files are located. For example: KRB5_PLUGIN_CCACHE=/tmp/krb5cc*
The value can also be a name if it is on the standard lib path, for example: KRB5_PLUGIN_CCACHE=<library name>.so
V10.1.4 and higher: Multiple paths can be specified, separated by a semicolon (';'), for example:
KRB5_PLUGIN_CCACHE=/home/sybase16/krb5cc*;/tmp/krb5cc*
Note: Specifying more files than needed (for instance, specifying /tmp/*) impacts performance.
KRB5_PLUGIN_GSSAPI_LIBRARY
This is the location of the Kerberos GSSAPI dynamic library. On most systems this is named libgssapi_krb5.so.
The location can be specified by a full path, for example:
KRB5_PLUGIN_GSSAPI_LIBRARY=/usr/lib64/libgssapi_krb5.so KRB5_PLUGIN_GSSAPI_LIBRARY=/opt/freeware/lib64/libgssapi_krb5.so
Alternately, if the library is located on the standard library search path for the system, you can specify only the file name, for example:
KRB5_PLUGIN_GSSAPI_LIBRARY=libgssapi_krb5.so
Note: Any libraries that are needed by the GSSAPI library (typically libkrb5.so, libk5crypto.so, libkrbsupport.so) must also be on the system.
Important: If the Kerberos libraries are NOT in the standard library paths, you need to use the parameter KRB5_PLUGIN_GSSAPI_LIBRARY. Uncomment it and
update its value with full path of libgssapi_krb5.so.
KRB5_PLUGIN_DEBUG
This parameter is used for debugging the plugin only. For normal operation this line must be commented out, or plugin performance is impacted.
Procedure
1. In the guard_tap.ini file, change the value of kerberos_plugin_dir parameter to the full path to the Guardium S-TAP since that is where the plugin is located.
GIM installation: kerberos_plugin_dir=<guardium_base>/modules/STAP/current
S-TAP shell installation: kerberos_plugin_dir=<guardium_base>/guard_stap
2. Configure these in the guardkerbplugin.conf file that is also located in S-TAP installation directory:
KRB5_KTNAME=<full path to kerberos krb5.keytab file>
KRB5_CONFIG=<full path to kerberos krb5.conf file>
Optional parameters as described above. This configuration parameter for ticket cache might be required if the Kerberos plugin does not recognize the user.
This parameter accepts wild cards as there is usually more than one cache file. V10.1.4 and higher: You can specify multiple paths, separated by colons.
KRB5_PLUGIN_CCACHE=<full path to kerberos krb5cc_* files:additional full path to kerberos krb5cc_* files:etc>
Note: In Guardium releases previous to V. 10.1.2, the parameters allow_weak_crypto = 1 and clockskew = 600 were required. In most cases these parameters are
no longer required
Linux and UNIX systems: Finding the Kerberos configuration parameters for Oracle
For Oracle Kerberos, locate the Kerberos keytab and configuration file locations in sqlnet.ora.
About this task
Procedure
1. Enter: grep â€“i KERBEROS $ORACLE_HOME/network/admin/sqlnet.ora
Output is similar to:
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF = /home/oracle11/krb5/krb5.conf
SQLNET.KERBEROS5_REALMS = /home/oracle11/krb5/krb.realms
SQLNET.AUTHENTICATION_SERVICES= (BEQ,KERBEROS5)
SQLNET.KERBEROS5_CLOCKSKEW = 600
SQLNET.KERBEROS5_KEYTAB = /home/oracle11/krb5/keytab
SQLNET.KERBEROS5_CONF_MIT = TRUE
2. To find the Kerberos cache parameter, enter: oklist|grep -i cache
Ticket cache: /tmp/krb5cc_500
Linux and UNIX systems: Finding the Kerberos configuration parameters for Sybase
Use the Sybase environment variables to get the Kerberos information.
Procedure
1. Enter: klist -k

env|grep -i KRB
KRB5_KTNAME=/home/sybase15/kerberos/keytab
KRB5_CONFIG=/home/sybase15/kerberos/krb5.conf
2. To find the Kerberos cache parameter, enter: klist -c
Ticket cache: FILE:/tmp/krb5cc_533
Linux and UNIX systems: A-TAP management

A-TAP is an application-level tap. A-TAP sits in the application layer to support monitoring of encrypted database traffic, which cannot be done in the kernel by K-TAP.
The A-TAP mechanism monitors communication between internal components of the database server. The data is unencrypted in the application layer, where A-TAP picks
it up and sends to K-TAP. K-TAP is a proxy to pass data to S-TAP, and from there it is then sent to the Guardium collector.
This figure shows where A-TAP fits in with the overall architecture on the database server.
A-TAP is included in every S-TAP but must be specifically configured for each database that requires it.
When to use A-TAP
A-TAP is required when DBMS encryption in motion is used, but there may be other internal database implementation details such as shared memory that require it.
Informix and DB2 on Linux integrate with Guardium more closely using exits, and thus are the recommended method for shared memory support when applicable.
Restrictions: A-TAP is not supported in an environment where a 32-bit database is located on a 64-bit server.
Monitoring restrictions: A-TAP does not support redaction. Blocking is supported for Linux kernels at 2.6.36 or later releases.
Linux and UNIX systems: Preparing for A-TAP configuration and maintenance
Configuring and maintaining A-TAP requires coordination with both the database and system administrators.
Linux and UNIX systems: A-TAP configuration and activation
Configure and activate each A-TAP.
Linux and UNIX systems: A-TAP activate, deactivate and DB stop, restart guidelines
Understand when to activate and deactivate A-TAP, and stop or restart the DB.
The guardctl utility is the A-TAP management tool. Understand these commands before starting to work with A-TAPs.
Linux and UNIX systems: guardctl return codes
The guardctl error codes clarify error conditions that occur, in particular, when you are call the guardctl script to manage ATAP instances via another script.
Each database type has specific guardctl requirements.
Linux and UNIX systems: Deactivating A-TAP
You must deactivate A-TAP before upgrading the database OS. You also need to deactivate the ATAPs before upgrading or uninstalling STAP (whether or not it's
installed via GIM, RPM, or shell installer).
Linux and UNIX systems: Configuring and Activating A-TAP in Special Environments
Zones, WPARs, Teradata, and Oracle require additional configuration.
Linux and UNIX systems: Troubleshooting A-TAP configuration issues
This section summarizes common mistakes made during A-TAP configurations, their symptoms, and how to avoid them.
Linux and UNIX systems: Preparing for A-TAP configuration and maintenance
Configuring and maintaining A-TAP requires coordination with both the database and system administrators.
To configure and activate A-TAP, the following authorities are needed:
Root access on the database server

Authority to stop and restart the database
In addition, you must work with the DBA to get the required parameters to input into the utility. Details of the needed parameters are in Linux and UNIX systems:
Database-specific guardctl parameters. For ongoing maintenance, your organization must have documented procedures in place to handle the activation and deactivation
of A-TAP during OS and database upgrades. See Linux and UNIX systems: A-TAP activate, deactivate and DB stop, restart guidelines. For clustered environments, you need
to configure and activate A-TAP on all nodes.

In most cases, use the Guardium guardctl utililty to activate, upgrade, or deactivate A-TAP. You can also implement a wrapper script to use guardctl as a utility interface to
ATAP, which provides its own user experience. See Linux and UNIX systems: guardctl utility commands for A-TAP for details on the syntax and options of the guardctl
utility.
Before you begin:
Make sure that the S-TAP is installed and K-TAP is enabled.

Ensure that you have the root privileges on the database server.
Consult Linux and UNIX systems: Database-specific guardctl parameters for your database to ensure you have the parameters you need to run the utility.
Parent topic: Linux and UNIX systems: A-TAP management
Linux and UNIX systems: A-TAP configuration and activation

Configure and activate each A-TAP.
About this task

Prerequisite:
S-TAP is installed.
If the software is installed with GIM, verify that GIM_ROOT_DIR is the absolute path to the modules, for example /usr/local/guardium/modules.
Procedure
1. Verify ktap_installed=1 in the guard_tap.ini file.
2. Log off from all active database sessions and stop the database. It is very important that all processes with database admin user are stopped. For example, on
oracle, issue ps -ef | grep oracle
3. As root user, authorize the database administrative user to log traffic using the guardctl utility with the authorize-user command as follows:
<guardium_base>/xxx/guardctl authorize-user <user-name>
shell installer with postgres authorize user

/usr/local/guardium/guard_stap/guardctl authorize-user postgres Authorizing user 'postgres' to log traffic
shell installer with postgres verify authorization
/usr/local/guardium/guard_stap/guardctl is_user_authorized postgres User 'postgres' is authorized.
GIM installation with postgres authorize user
/usr/local/guardium/modules/ATAP/current/files/bin/guardctl authorize_user postgres Authorizing user 'postgres' to log
traffic
shell installer example with Greenplum authorize user
/usr/local/guardium/guard_stap/guardctl authorize-user <gpadmin> Authorizing user '<gpadmin>' to log traffic
4. Once S-TAP is installed, add the Oracle OS user to the Guardium group (created by the S-TAP install script). This group is created by the S-TAP installer and users
can be added by the system administrator using the usermod utility. Some platforms require the user to be completely logged off in order for this change to take
effect. For example, where Oracle is the user ID of the OS user for the Oracle database and db2inst1 is the user ID of the OS user for DB2 database:
usermod -a guardium oracle

usermod -a guardium db2inst1
On Solaris, the user has to be completely logged off from the system.
No process should be running in the system under this user id.
In order to verify this, use the following command (assuming the user is Oracle):
ps -efU oracle
If the output is empty, use the following command to add the user to the group:
usermod -G dba,guardium oracle
If the user belongs to groups other than dba, they should be listed as well. The latter can be verified using the following command:
id -a oracle
Once the user is added to the Guardium group, the encrypted traffic should be logged for this user.
5. Store the configuration parameters:
a. See Linux and UNIX systems: Database-specific guardctl parameters to determine the parameters needed for your database type and platform.
b. Store configuration for the database instance using the store-conf command of the guardctl utility as follows. As root user:
<guardium_base>/xxx/guardctl db_instance=<instance> [<name>=<value> ...] store-conf
shell installer Oracle on Linux store-conf

/usr/local/guardium/guard_stap/guardctl --db-user=oracle11 --db-type=oracle --db-instance=on12rh60 --db-
home=/home/oracle11/product/11.1.0/db_1 --db-version=11.2 store-conf
GIM installation Oracle on Linux store-conf
/usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle
db_user=oracle12 db_version=12 store-conf
shell installer Greenplum on Linux store-conf
/usr/local/guardium/guard_stap/guardctl --db-user=<gpadmin> --db-type=greenplum â€“db-home=<db_user home directory> --
db-instance=<greenplum> --db-base==<db_user home directory> store-conf
Note: In Guardium V10.1 and higher, instrumentation is done automatically during activate; there is no explicit instrumentation.
6. Activate A-TAP.
a. As root user: Enter <guardium_base>/xxx/guardctl db_instance=<instance> activate
shell installer Oracle on Linux activate

/usr/local/guardium/guard_stap/guardctl --db-instance=onrh60x activate
GIM installation Oracle on Linux activate
/usr/local/guardium/modules/ATAP/current/files/bin/guardctl --db-instance=onrh60x activate

shell installer Greenplum on Linux activate
/opt/guardium/guard_stap/guardctl --db-type=greenplum --db-home=/usr/local/greenplum-db-4.3.4.0 --db-user=gpadmin
--db-instance=greenplum --db-base=<db_user home directory> activate
Note: Optionally, you can activate A-TAP by using the Encryption checkbox of the inspection engine configuration in the Guardium GUI, though there are no
advantages to activating it in the GUI. This option is not available for Linux platforms.
b. Confirm that the instances are activated using the list-active command of the guardctl utility: <guardium_base>/xxx/guardctl list-active
Example: <guardium_base>/xxx/guardctl list-active oracle
7. Restart the database server.
Linux and UNIX systems: A-TAP activate, deactivate and DB stop, restart guidelines
Understand when to activate and deactivate A-TAP, and stop or restart the DB.
Restart/load/activated requirements for A-TAP.
Scenario Instructions
After installation of UNIX A-TAP in Oracle cluster environment All database instances as well as all inter-cluster processes must be restarted
Before activating A-TAP Stop database
After activating A-TAP Restart database
Before deactivating A-TAP Stop database
Before upgrading database (for example applying Fixpack) Deactivate A-TAP
Before upgrading S-TAP Deactivate A-TAP


The guardctl utility is the A-TAP management tool. Understand these commands before starting to work with A-TAPs.
guardctl utility
To use the guardctl utility, you must log in as root, since it requires superuser privileges. The guardctl utility is installed under <guardium_base>/guard_stap directory
where <guardium_base> is the directory where Guardium software is installed. In the case of a GIM installation guardctl it is installed under
<guardium_base>/modules/ATAP/current/files/bin.
Syntax
<guardium_base>/xxx/guardctl [<parameter>=value>] [<parameter>=<value> ...] <command> [-q | -v | -qv]
See parameters in Linux and UNIX systems: Database-specific guardctl parameters.
-q, -v, -qv flags

Guardium V10.1.3 and higher: Use these flags to manage the output:
-q (quiet): suppress all output except name/value pairs

-v (value pairs): add name/value pairs related to each command
-qv: outputs name/value pairs only
The output depends on the type of command.
Commands that take action across all configured instances

Print all name/value pairs for each instance except overall_rv and overall_msg
Print overall_rv name/value pair at end where value is
0 (success) if and only if all report success
1 (failure) if any report any failure
Print overall_msg name/value pair at end
Returns the value reported in the â€œoverall_rvâ€ name/value pair
Commands that take action on a single instance
Print all name/value pairs except overall_rv and overall_msg
Returns the value reported in the â€œrvâ€ name/value pair
Commands that store parameters, print parameters, or check status
Does not print name/value pairs
Name/Value pairs output looks like:
db_instance: ${db_instance}
db_user: ${db_user}
db_base: ${db_base}
db_home: ${db_base}
db_version: ${db_version}
db_type: ${db_type}
is_active: ${is_active} (â€œyesâ€ or â€œnoâ€ )
is_instrumented: ${is_db_instrumented} (â€œyesâ€ or â€œnoâ€ )
msg: some string
rv: ${retval}

overall_rv: ${retval}
overall_msg: (string)
commands
Command Description
activate Activates A-TAP for the specified database instance using the stored parameters. v10.1.3 and higher: Outputs Name/Value pairs if -v or -qv
specified.
v10.1.3, activating an instance that's already active (whether DB is running or not) does not generate an error.
authorize-user Adds the user to 'guardium' authorization group.
deactivate Deactivates the A-TAP for the specified, single database instance. v10.1.3 and higher: Outputs Name/Value pairs if -v or -qv specified.
From Guardium V10.1.3, deactivating an instance that's already inactive (whether DB is running or not) does not generate an error.
deactivate-all Deactivates A-TAP for a specified list of database instances. If no database instances are specified, all active A-TAPs are deactivated.
v10.1.3 and higher: Outputs Name/Value pairs for each instance, if -v or -qv specified. You can optionally specify the db-type to deactivate a
group (e.g. all Oracle). For additional name/value pair, specify â€œoverall_rv={0,1}â€ at end. Returns success (0) if rv=0 for every instance.
Returns failure (1) if at least one instance reports rv != 0.
deinstrument Removes instrumentation for the specified Oracle DB. Not required from v10.1 and higher. If deinstrumentation is required, it is done
automatically during deactivate. V10.1.3 and higher: Outputs Name/Value pairs if -v or -qv specified.
v10.1.3 and higher, deinstrumenting an instance that is not instrumented does not generate an error, even if the is DB running, regardless of
activation status.
dump-params Dumps current values of parameters
get-statistics Get A-TAP statistics. Statistics includes information about which ATAPs are active, which are inactive, and which are in an incorrect in-
between state (this shouldn't happen, it usually occurs when someone updates the DB while ATAP is active).
help Default command, prints the list of supported commands, parameters and their default values.
instrument Explicitly creates relinked instrumented Oracle. If instrumentation is required, it is usually done automatically during activate. Manual
instrumentation is only required for Oracle versions <= 10 on AIX.
Instrumenting an already instrumented instance returns an error. v10.1.3 and higher: Outputs Name/Value pairs if -v or -qv specified.
is-active Returns 1 if there is at least one A-TAP activated instance. Otherwise, returns 0.
is-user-authorized Checks whether the db-user (running A-TAP) is authorized to the guardium group, and can log database traffic to K-TAP/S-TAP.
list-active Lists database instance user names of all active A-TAP database instances.v10.1.3 and higher: Outputs Name/Value pairs if -v or -qv
specified.
list-configured Lists database instances with configured but inactive A-TAPs. v10.1.3 and higher: Outputs Name/Value pairs if -v or -qv specified.
oracle-relink Calls the utility provided by oracle to relink the DB binary.
prepare-libs Prepares libraries for use in Zone/WPAR installation
repair Run this command if the DB is (accidentally) upgraded while the A-TAP is active. It renames the -guard-original and -guard-instrumented
files. Returns success on successful repair or if repair is not necessary. Does not touch the current DB executable. V10.1.3 and higher:
Outputs Name/Value pairs if -v or -qv specified. From v10.1.4, it is called automatically on activate and deactivate.
restore-active-ataps Restores the active state of the A-TAPs previously saved via save-active-ataps. If an instance fails to activate (due to DB running or some
other error), then the remaining instances still attempt to activate. This command can be run multiple times without problem, since
activating an already active instance is not an error. Introduced in v10.1.4.
save-active-ataps Saves the configurations for the currently active A-TAPs in a single file so that they can be restored later to an active state. Useful prior to
deactivate-all when preparing to upgrade DBs. Introduced in v10.1.4.
store-conf Stores the configuration for a particular database instance
store-system-conf Stores the system configuration parameters

Linux and UNIX systems: guardctl return codes

The guardctl error codes clarify error conditions that occur, in particular, when you are call the guardctl script to manage ATAP instances via another script.
Code Description Usage
0 success Returned by every command.
When returned in response to deactivate, all instances are deactivated
When returned in response to is-active, there are no active instances
1 bad parameter Returned by every command when a parameter is invalid or missing
2 is-active called on unrecognized instance Returned by is-active when a db-instance specified is not known to guardctl and as such cannot
be determined to be active or not
20 attempted to activate instance while database was Returned by activate to indicate that the DB instance is running, so activation could not take
running, but not yet active place
21 attempted to deactivate instance while database was Returned by deactivate to indicate that the DB instance is running, so deactivation could not
running, but not yet inactive take place
22 user is not authorized Returned by instrument and activate to indicate that the db-user specified is not authorized as
a member of the 'guardium' group. Run authorize-user to correct.

Code Description Usage
23 db-home parameter doesn't match db_install_dir Returned by store-conf and activate to indicate that the current guard_tap.ini doesn't have an
parameter in guard_tap.ini IE configured with a db_home that matches the db_install_dir ATAP parameter. One of those
needs to be adjusted to the correct value or STAP may not run.
24 attempt to deactivate an instance where the executable is Returned by deactivate. This instance looks like it should be activated, but the binary isn't what
neither an ATAP executor or the instrumented binary it should be if it is. DB executable could have been updated while ATAP was active. Run the
repair command to fix the issue and activate again.
25 attempt to activate atap when encryption=1 set in Returned by activate when the encryption parameter is set to 1 in the IE. Do not activate with
guard_tap.ini guardctl and use the encryption parameter in the ini.
26 db executable file not found Returned by activate, deactivate, instrument, deinstrument, store-conf, prepare-libs, and repair.
The DB executable is missing (e.g. the oracle binary itself is not in the path specified). Check the
path parameters used when configuring the instance.
27 instrumentation required but not done Returned by activate and store-conf when instrumentation is required, but has not already been
done. Oracle instrumentation is now automatically done in most cases, but still needs to be
manually specified for AIX and Oracle versions <= 10.
28 is-active reports instance is not active Returned by is-active. Informational only. The db-instance specified is not active or if no
instances were specified, no instances are active.
29 deactivate-all not complete success Returned by deactivate-all when at least one active instance could not be deactivated.
30 is-instrumented reports instance is not instrumented Not exported via command.
40 internal instrumentation error Returned by instrument when instrumentation couldn't be completed.
43 instrumentation error, cannot save original binary Returned by instrument when the -guard-original file already exists. Either A-TAP is currently
active with instrumentation, or A-TAP is inactive but the instrumentation is still active.
Deactivate and deinstrument before subsequent instrument and activate.
44 attempt to instrument while instance running and not Returned by instrument when DB instance is currently running. Stop DB instance before
already instrumented attempting to instrument again.
45 attempt to instrument while A-TAP is active and not Returned by instrument when A-TAP is already active, but instrumentation is not active. This
already instrumented can happen when switching from an Oracle configuration that doesn't require instrumentation
to one that does. Deactivate A-TAP before attempting to instrument again.
46 attempt to instrument and already instrumented instance Returned by instrument while instance is already instrumented. If instrumentation needs to be
redone, deinstrument first.
93 unspecified error due to DB running not when activating,

deactivating, or instrumenting (e.g. when running repair
command)
94 no atap library supporting this db Returned by instrument, deinstrument, prepare-libs, activate, deactivate, repair, list-active, and
list-configured. Usually indicates that an unknown error occurred.
95 system error, cannot find group Returned by activate. The guardium group doesn't appear to be known to this system.
96 system error, cannot create group Returned by authorize-user. The guardium group did not exist and an attempt to create the
group failed.
97 filesystem error, cannot create directory or file, or

insufficient space detected
98 platform unsupported Returned by instrument, deinstrument, prepare-libs, activate, deactivate, repair, list-active, list-
configured, store-conf. The DB you're trying to use with ATAP is not supported on this platform
(e.g. DB2, Informix, teradata, or mongo on anything but Linux, etc).
99 other unspecified error


Each database type has specific guardctl requirements.
Linux and UNIX systems: Oracle-specific guardctl parameters

Use these guardctl parameters when configuring A-TAP for a Oracle database.
Linux and UNIX systems: Sybase-specific guardctl parameters
Use these guardctl parameters when configuring A-TAP for a Sybase database.
Linux and UNIX systems: DB2-specific guardctl parameters
Use these guardctl parameters when configuring A-TAP for a DB2 database, Linux only.
Linux and UNIX systems: Informix-specific guardctl parameters
Use these guardctl parameters when configuring A-TAP for a Informix database.
Linux and UNIX systems: Postgres-specific guardctl parameters
Use these guardctl parameters when configuring A-TAP for a Postgres database.
Linux and UNIX systems: Oracle-specific guardctl parameters

Use these guardctl parameters when configuring A-TAP for a Oracle database.
Example:
/usr/local/guardium/guard_stap/guardctl --db-user=oracle11 --db-type=oracle --db-instance=on12rh60 --db-home=/home/oracle11/product/11.1.0/db_1 --db-

version=11.2 store-conf
Oracle required parameters
Required Value How to determine

Parameter
db-user Oracle user name Use the database instance user name.
db_instance Oracle instance name Use the value from $ORACLE_SID
db_type Oracle
db_home Where the database executable is

installed .
db_base Database instance user home The value for db_base must match the correct path for $ORACLE_BASE or the database instance user home
directory directory. It cannot be ~DB_USER.
db_version The database version Run SQL > SELECT * FROM V$VERSION
Oracle optional parameters
Optional Val How to determine When is it required

Parameter ue
db_relink No/ A-TAP activation method deprecated

yes
db_use_inst No/ A-TAP activation uses relinked version of Oracle previously For S-TAPs at v10.1 and higher, instrumentation is done automatically with the
rumented yes created with the instrument command of guardctl. â€œactivateâ€ command or through the Guardium UI.
Instrumentation is required for:
Oracle 12 SSL all non-Windows platforms

Oracle 11.2 SSL on AIX
Oracle ASO and SSL on AIX prior to 11.2
For S-TAPs at 10.0, instrumentation is performed manually.
db_bits 32 DB instance architecture (32 for 32-bit, 64 for 64-bit) Required only if A-TAP is not able to recognize the architecture.
or
64
Parent topic: Linux and UNIX systems: Database-specific guardctl parameters
Linux and UNIX systems: Sybase-specific guardctl parameters

Use these guardctl parameters when configuring A-TAP for a Sybase database.
Sybase required parameters

Example:
/usr/local/guardium/guard_stap/guardctl --db-user=sybase15 --db-type=sybase --db-instance=sn57rh7x --db-version=15 store-conf
Required Parameter Value How to determine
db_user Sybase user name Use the database instance user name.
db_instance Sybase instance name Sybase Server instance name. This parameter is used to name the ATAP instance within guardctl.
db_type sybase
db_version The database version As Sybase user:
> select @@version
> go
Sybase optional parameters
Option Value How to determine When is it required

al
Param
eter
db_ho Points to Same as db_base The basis for how we look for the DB binary. It can usually use the value of
me where the db_base, though it's immediately apparent when activating if it's wrong
database is (guardctl complains about not finding the DB binary)
installed

Option Value How to determine When is it required
al
Param
eter
db_ba Database DB instance user home directory. this needs to match If you aren't specifying db_home separately, use the value for db_base as the
se instance user db_install_dir in some IE in the guard_tap.ini. Do not use the value for db_home.
home directory ~DB_USER shortcut, use the full path instead.
db_bit 32 or 64 DB instance architecture (32 for 32-bit, 64 for 64-bit) Required only if A-TAP is not able to recognize the architecture.
s
db- 0 to any Low end of TCP port range to intercept Specify if you want real IPs reported for encrypted sessions. There are
tcp- integer potentially performance impacts in this mode as well as the added
min- complication to the ATAP setup by specifying the port range.
port Leave blank to use the non-specific IP mode.
db- 0 to any High end of TCP port range to intercept Specify if you want real IPs reported for encrypted sessions. There are
tcp- integer potentially performance impacts in this mode as well as the added
max- complication to the ATAP setup by specifying the port range.
port Leave blank to use the non-specific IP mode.
Linux and UNIX systems: DB2-specific guardctl parameters

Use these guardctl parameters when configuring A-TAP for a DB2 database, Linux only.
DB2 (Linux only) required parameters

Example:
/usr/local/guardium/guard_stap/guardctl --db-user=db2inst1 --db-type=db2 --db-instance=dn0rh7x6 --db-version=10.5 store-conf
db_user DB2 username Points to the DB instance user name
db_instance DB2 instance name $ db2 LIST DATABASE DIRECTORY
db_type db2
db_version The database version As DB2 user: $ db2level
DB2 (Linux only) optional parameters
Optional Value How to determine When is it required

Parameter
db_home Path where the DB version Same as db_base

is installed
db_base Database instance user Value for db_base must match the correct path DB instance user home Where db_base is not same as db_home
home directory directory. It cannot be ~DB_USER.
db_bits 32 or 64 DB instance architecture (32 for 32-bit, 64 for 64-bit) Required only if A-TAP is not able to
recognize the architecture.
db2-shmsize 131072 DB2 shared memory size When the value is different than the default
db2-c2soffset 61440 DB2 shared memory client area offset When the value is different than the default
db2-header- 20 DB2 shared memory header offset When the value is different than the default
offset
Linux and UNIX systems: Informix-specific guardctl parameters

Use these guardctl parameters when configuring A-TAP for a Informix database.
Informix required parameters

Example:
/usr/local/guardium/guard_stap/guardctl --db-user=informix --db-type=informix --db-instance=in17rh7x --db-version=11.70 store-conf
db_user Informix username Points to the DB instance user name
db_instance Informix instance name Informix Server instance name
db_type informix
db_version The database version As Informix user: dbaccess -V

Informix optional parameters

Parameter
db_home Path where the DB Same as db_base

version is installed
db_base Home directory of DB instance user home directory. Value for db_base must match the correct path DB instance Where db_base is not same
db_user user home directory. It cannot be ~DB_USER. as db_home
db_bits 32 or 64 DB instance architecture (32 for 32-bit, 64 for 64-bit)

Linux and UNIX systems: Postgres-specific guardctl parameters

Use these guardctl parameters when configuring A-TAP for a Postgres database.
Postgres required parameters

Example:
/usr/local/guardium/guard_stap/guardctl --db-user=postgres --db-type=postgres --db-instance=guardium_qa --db-version=9.4 --db-base=/home/postgres94 store-conf
db-user Postgres username Points to the DB instance user name
db_instance Postgres instance name Postgres Server instance name
db_type postgres
db_version The database version As Postgres user:
pg_ctl --version
Postgres optional parameters

Parameter
db_home Points to where the DB Same as db_base

version is installed
db_base Home directory of db_user DB instance user home directory. Value for db_base must match the correct path DB instance Where db-base is not
user home directory. It cannot be ~DB_USER. same as db-home
db_bits 32 or 64 DB instance architecture (32 for 32-bit, 64 for 64-bit)
db-tcp-min- 0 to any integer Low end of TCP port range to intercept Using Real IPs
port
db-tcp-max- 0 to any integer High end of TCP port range to intercept Using Real IPs
port
Linux and UNIX systems: Deactivating A-TAP

You must deactivate A-TAP before upgrading the database OS. You also need to deactivate the ATAPs before upgrading or uninstalling STAP (whether or not it's installed
via GIM, RPM, or shell installer).
Procedure
1. Make sure the database is stopped. Log off from all active database sessions.
2. Deactivate A-TAP for the database:
general example
<guardium_base>/xxx/guardctl â€“db-instance=<instance-name> deactivate
Greenplum example
/opt/guardium/guard_stap/guardctl --db-type=greenplum --db-home=/usr/local/greenplum-db-4.3.4.0 --db-user=gpadmin --db-
instance=greenplum --db-base=/usr/local/greenplum-db-4.3.4.0 deactivate
3. Alternately, deactivate all active instances by running:

<guardium_base>/xxx/guardctl deactivate-all
Linux and UNIX systems: Configuring and Activating A-TAP in Special Environments
Zones, WPARs, Teradata, and Oracle require additional configuration.
Linux and UNIX systems: Installing and activating A-TAP in Zones and WPARs environment
Linux and UNIX systems: Deactivate and uninstall A-TAP in Zones and WPARs environment

Linux and UNIX systems: Upgrading A-TAP in Zones and WPARs environment
Linux and UNIX systems: Configure and activate A-TAP steps for Teradata database
Linux and UNIX systems: Oracle configuration for A-TAP
Linux and UNIX systems: Installing and activating A-TAP in Zones and WPARs environment
About this task
Procedure
1. Install STAP/KTAP on the master/global Zone/WPAR by the normal method.
2. For Solaris Zones, for each sub-zone where Oracle is installed, make sure the Guardium device is mapped:
zoneadm -z <zonename> halt
zonecfg -z <zonename>
<zonename>> add device
<zonename>device> set match=/dev/ktap_xxx (for Solaris 10) (katp_xxx is the filename )
<zonename>device> set match=/dev/guard_ktap (for Solaris 11)
<zonename>device> end
<zonename>> verify
<zonename>> exit
zoneadm -z <zonename> boot
3. With multiple KTAP devices, repeat the steps for each KTAP device by using the name, ktap_xxxx (Solaris 10) or guard_ktap_x (Solaris 11).
4. Copy the entire A-TAP installation directory to a sub-Zone/sub-WPAR. Assuming Guardium software is installed on the master Zone/WPAR under
/usr/local/guardium, and there exists a writable directory /usr/local with enough free space on the sub-Zone/sub-WPAR: On the master/global Zone/WPAR: cd
/usr/local; tar -cvf - guardium | ssh root@subzonehost 'cd /usr/local && tar -xvf -'
5. Copy the A-TAP libraries to each sub-Zone/sub-WPAR, and activate it.
If an A-TAP is to be activated on the master Zone/WPAR, activate it normally using guardctl.
Note: Activation must be done using guardctl; it cannot be done through enabling encryption box in the inspection engine section in GUI interface or by
setting encryption=1 in the guard_tap.ini file.
If A-TAP will not be used on the master Zone/WPAR, use guardctl to prepare the libraries for use. On the master Zone/WPAR:
/usr/local/guardium/bin/guardctl --db_instance=<instance-name> --db_type=<database-type> --db_version=<database-
version> prepare-libs
Note: After A-TAP activation, if the database indicates that libguard-xxx.so cannot be found, re-check this step.
6. Install and activate A-TAP for database instances using 1 through 5 on each desired sub-Zone/sub-WPAR.
Note: A-TAP (guardctl) activation may complain and issue warnings about the following:
errors installing libraries under /usr/lib (since that directory belongs to the global/master zone)
not being able to change the guard_tap.ini to monitor oracle-guard instead of oracle (since the file is on the global zone)
not being able to restart S-TAP (since it is running only on the master zone)
7. Adjust the guard_tap.ini file in the master/global Zone/WPAR by manually editing the guard_tap.ini file..
Change the appropriate db_exec_path line:
For Oracle on Solaris: set db_exec_path to oracle-guard-original instead of oracle
For Oracle on AIX: set db_exec_path to oracle-guard-instrumented instead of oracle
Change the files and directories referenced in the IE definitions ( db_install_dir and db_exec_file) so they are relative to the root directory of the WPAR and
not the global partition. (IE order, tap_identifier string, etc, should be identical in all the guard_tap.ini files.)
8. Restart S-TAP.
9. For Solaris, verify the guard_ktap link and permissions on each sub-Zone. This must be performed as root from the global/master Zone.
a. cd to the sub-zone device directory, for example: cd /export/home2/zones/iris3/dev
b. Verify that the KTAP device exists (if it does not, there was a problem with the installation in 2): ls -l ktap_*
c. Verify that the guard_ktap symbolic link exists: ls -l guard_ktap
d. If it does not exist, create it. (Note: ktap_xxxxx is the device just listed): ln -fs ktap_xxxx guard_ktap
For Example:
-bash-3.00# ln -fs ktap_83164_0 guard_ktap

-bash-3.00# ln -fs ktap_83164_1 guard_ktap1
e. Make sure that guard_ktap and ktap_xxxxx are usable by everyone:
chmod 0666 ktap_xxxxx_0

chmod 0666 guard_ktap
chmod 0666 guard_ktap1
Note: ATAP, WPAR and encrypted traffic: with a WPAR/Zone, encrypted traffic and decrypted traffic have different IPs when this traffic goes to the analyzer. Thus
the db_user in WPAR/Zones is meaningless.
Parent topic: Linux and UNIX systems: Configuring and Activating A-TAP in Special Environments
Linux and UNIX systems: Deactivate and uninstall A-TAP in Zones and WPARs environment
About this task
Procedure
1. On every sub-Zone/sub-WPAR with A-TAP installed/active:
a. Deactivate (and deinstrument if necessary, for Oracle on AIX) all A-TAPs using guardctl following the steps in Linux and UNIX systems: Deactivating A-TAP.
b. Manually remove (rm -rf) the installation directory
c. Manually remove the ATAP libraries: find /usr/lib -type f -name 'libguard-*.so' | xargs rm -f
Note: Removing the libraries may give errors; these can be ignored.
2. Uninstall STAP/KTAP using the normal method
a. Remove the libraries: find /usr/lib -type f -name 'libguard-*.so' | xargs rm -f o
b. On Solaris, remove the ktap device from each zoneâ€™s configuration:
zoneadm â€“z <zonename> halt

zonecfg â€“z <zonename>
<zonename>> info
If a ktap device is found, remove it :
/<zonename> remove device match=/dev/ktap_xxxx (FOR SOLARIS 10)

/<zonename> remove device match=/dev/guard_ktap (FOR SOLARIS 11)
<zonename>> verify
<zonename>> exit
c. Remove the ktap device file and link from each sub-Zone/sub-WPAR device directory, for example:
/export/home2/zones/iris3/dev cd /export/home2/zones/iris3/dev
rm -f ktap_xxxx guard_ktap
d. With multiple KTAP devices, repeat the steps for each KTAP device by using the name ktap_xxxx (Solaris 10) or guard_ktap_x (Solaris 11).
Linux and UNIX systems: Upgrading A-TAP in Zones and WPARs environment
Procedure
1. For Solaris Zone:
a. On the master/global-zone, remove the previously installed K-TAP device.

<zonename>> info
b. If a K-TAP device is found, remove it.
/<zonename> remove device match=/dev/ktap_xxxx (for Solaris 10)

/<zonename> remove device match=/dev/guard_ktap (for Solaris 11)
<zonename>> verify
<zonename>> exit
c. For Solaris sub-zones, remove the previous K-TAP device file and link from sub-zone device directory. Go to the sub-zone device directory, for example
/export/home2/zones/iris3/dev.
cd /export/home2/zones/iris3/dev
rm -f ktap_xxxx guard_ktap
2. For Solaris Zone:

a. On the master/global-zone, add the new K-TAP device to the zone configuration:

<zonename>> add device
<zonename>device> set match=/dev/ktap_xxxx (for Solaris 10)

<zonename>device> set match=/dev/ktap_xxxx (for Solaris 11)
<zonename>device> end
<zonename>> verify
<zonename>> exit
b. Add the guard_ktap link and change permission. Go to the sub-zone device directory, for example: sub-zone device
directory=/export/home2/zones/iris3/dev
cd /export/home2/zones/iris3/dev
ln -fs ktap_xxxx guard_ktap
chmod 0666 ktap_xxxx
c. Since there are multiple ktap devices, repeat steps for each K-TAP device by using the name ktap_xxxx_x(solaris 10) or guard_ktap_x (solaris 11)
3. For AIX WPARs: on WPARs, change permission on K-TAP devices. Go to the WPARs device directory, for example: wpars device directory=/wpars/odin3/dev
ln -fs ktap_xxxx guard_ktap

chmod 0666 ktap_xxxx

Linux and UNIX systems: Configure and activate A-TAP steps for Teradata database
Step 1: Determine the user running gtwgateway and the path
For Example:
su11u1x64-tera:~ # ps -ef | grep gtwgateway
teradata 5000 4608 0 Jan03 ? 00:00:05 /usr/tgtw/bin/gtwgateway
root 20128 20063 0 12:35 pts/0 00:00:00 grep gtwgateway
gtwgateway runs as user teradata
Set parameter --db-user=teradata to guardctl
Path to gtwgateway is /usr/tgtw/bin/gtwgateway. This is the default value for the parameter tdc_gtwgateway and as such does not need to be specified.
Otherwise, the parameter should be --tdc_gtwgateway=/usr/tgtw/bin/gtwgateway
Step 2: Determine the path to pdemain
Typically, this will be /usr/pde/bin/pdemain
For Example:
su11u1x64-tera:~ # ps -ef | grep pdemain
root 4608 1 0 Jan03 ? 00:00:25 pdemain â€“debug
su11u1x64-tera:~ # ls -l /proc/4608/exe
lrwxrwxrwx 1 root tdtrusted 0 2015-01-03 01:20 /proc/4608root 20620 20063
0 12:40 pts/0 00:00:00 grep pdemain/exe ->
/opt/teradata/tdat/pde/15h.00.00.07/bin/pdemain
Checking the inodes for this file and /usr/pde/bin/pdemain, we see that they are the same.
su11u1x64-tera:~ # ls -li /opt/teradata/tdat/pde/15h.00.00.07/bin/pdemain
1638875 -r-xr-xr-x 1 teradata tdtrusted 1294666 2014-01-22 01:40
/opt/teradata/tdat/pde/15h.00.00.07/bin/pdemain
su11u1x64-tera:~ # ls -li /usr/pde/bin/pdemain
1638875 -r-xr-xr-x 1 teradata tdtrusted 1294666 2014-01-22 01:40
/usr/pde/bin/pdemain
Since the inodes are the same and the default value for --db-home=/usr/pde, the parameter in this case does not need to be specified. Otherwise, you can specify --
db-home=/opt/teradata/tdat/pde/15h.00.00.07 or --db-home=/usr/pde since bin/pdemain in both paths is the same file hardlinked in this case.
Step 3: Stop the Teradata instance
For Example:
su11u1x64-tera:~ # /etc/init.d/tgtw stop
tgtw Shutdown complete
su11u1x64-tera:~ # /etc/init.d/tpa stop
PDE stopped for TPA shutdown
Step 4: Authorize the DB user to the Guardium group
For Example:
/usr/local/guardium/guard_stap/guardctl --db-instance=teradata authorize-user
Step 5: Store the configuration for A-TAP using the parameters determined in steps 1 and 2.
For Example:
/usr/local/guardium/guard_stap/guardctl --db-instance=teradata
--tdc_gtwgateway=/usr/tgtw/bin/gtwgateway --db-type=teradata
--db-home=/opt/teradata/tdat/pde/15h.00.00.07 --db-user=teradata store-conf
Step 6: Activate A-TAP
For Example:

/usr/local/guardium/guard_stap/guardctl --db-instance=teradata activate
Step 7: Restart the Teradata instance
For Example:
su11u1x64-tera:~ # /etc/init.d/tpa start
Teradata Database Initiator service is starting...
Teradata Database Initiator service started successfully.
su11u1x64-tera:~ # /etc/init.d/tgtw start
tgtw Startup complete
Linux and UNIX systems: Oracle configuration for A-TAP

A-TAP Procedure when working with Oracle Patch Installations
Oracle patches may invoke relink and will replace the Oracle executable, causing the A-TAP to stop functioning.
The correct procedure is:
1. Make sure all A-TAP instances are deactivated

2. Apply Oracle patch(es).
3. Activate A-TAP
However, in case A-TAP was not properly deactivated prior to Oracle patch installation, DO NOT try to deactivate it after patch installation. Instead follow these steps:
1. Check if A-TAP IS OK.
grep guardium $ORACLE_HOME/bin/oracle >& /dev/null && echo "ATAP IS OK"
a. If ATAP IS OK is displayed, the A-TAP is still active and there is no need to do anything.
b. If ATAP IS OK is NOT displayed, remove $ORACLE_HOME/bin/oracle-guard and activate the A-TAP.
In case everything else fails:
Remove $ORACLE_HOME/bin/oracle-guard
Run relink all
A-TAP Problems And Solutions associated with Oracle Permissions

Several problem may occur that have to do with user and group permissions.
In 'BEQUEATH' access from the user other than the one that installed the database the permissions have to be set manually:
add user running sqlplus to group 'guardium'
open the read permissions 'chmod a+rx' on the following two directories:
/usr/local/guardium/xxx/etc/guard
/usr/local/guardium/xxx/etc/guard/executor
make sure that the SUID and SGID bits are on ${ORACLE_HOME}/bin/oracle.
If not, run the command chmod ug+s ${ORACLE_HOME}/bin/oracle')
If the UID or EUID are not members of OWNER group GID, the reason for permission denied is that the user matching UID or EUID does not belong to group
matching OWNER GID.
To make it easier, not having to handle different OS syntaxes for adding users and groups, while disabling the automatic addition to group Guardium, two commands
are available within guardctl which can be used irrespective of the method you use to activate ATAP (i.e. guardctl or guard_tap.ini):
#/path/to/guardium/bin/guardctl is-user-authorized
#/path/to/guardium/bin/guardctl authorize-user ...
Note: Group Guardium can be removed on most OS's with groupdel guardium. However, after removal, only the guard_ktap_loader parameter can correctly re-create it
and change the K-TAP device permissions.
Linux and UNIX systems: Troubleshooting A-TAP configuration issues

This section summarizes common mistakes made during A-TAP configurations, their symptoms, and how to avoid them.
Table 1. Oracle Common Mistakes

Symptoms Mistake Platform Error Message(s) How to Avoid
Activation command fails. Wrong db_home parameter All Â Always specify the value of
$ORACLE_HOME as db_home
name.
Activation command fails. OS user logged in All Â Always make sure the OS user is
not logged in. Use w command
to see which users are logged
in.

Database does not start. Wrong instance name All Failed to execute Always specify the value of
oracleon1jumbo-guard: No such $ORACLE_SID as db_instance
file or directory: No such file or name.
directory ERROR: ORA-12547:
TNS:lost contact
Traffic is not logged. Wrong or missing db_version AIX Â Always specify numeric version
(for example, 10.2 or 9.2 ). The
version number can have only
one digit after the decimal point.
Fails to activate. Missing Oracle-guard- AIX Missing Oracle-guard- Instrument command must be
instrumented instrumented. run first to create a re-linked
instrumented Oracle executable
Error during ATAP activation Insufficient disk space, install Â Matching module found - oracle Clean oracle files and retry.
exits is supported by Change db_space=8 to
/ngs/lpp/guardium/modules/AT db_space=1
AP/current/files/lib/libguard-
atap-oraclesta tic-any Testing
for disk space... cp : 0653-447
Requested a write of 131072
bytes, but wrote only 126976.
Insufficient disk space - please
delete some files and try again.
guard_stap log shows that GIM_ROOT_DIR not set to Â Â When activating A-TAP through
guard-atap-ctl failed absolute path to the modules, the guard_tap.ini file,
for example encryption=1 silently fails. This
/usr/local/guardium/modules is especially important when
running guard_stap manually -
be sure you have defined this
environment variable when
running guard_stap.
Table 2. DB2 Common Mistakes
Traffic is not logged. Wrong or missing db2_* Linux Â See how to determine DB2
parameter parameters in Linux and UNIX
systems: Inspection engine
parameters
Table 3. Informix Common Mistakes
Traffic is not logged properly. Wrong or missing db_version Linux Â Always specify numeric version
(e.g. 7 or 11 ).
Linux and UNIX systems: Using Exit libraries

Exit libraries embed a Guardium library into the database, using the exit mechanism. The exit library, or module, communicates directly with the Guardium S-TAP to
forward database traffic.
Linux and UNIX systems: DB2 Exit integration with S-TAP

The DB2 exit mechanism enables Guardium to pick up all DB2 traffic, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.
Linux and UNIX systems: Informix Exit integration with UNIX S-TAP
The Informix Exit ifxguard utility (Informix 12.10 and higher) monitors connections to your Informix databases.
Linux and UNIX systems: Teradata Exit integration
The Teradata exit module enables Guardium to pick up Teradata traffic, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.
Linux and UNIX systems: DB2 Exit integration with S-TAP

The DB2 exit mechanism enables Guardium to pick up all DB2 traffic, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.
About this task

DB2 exit embeds a Guardium library into DB2 via the DB2_Exit mechanism. The DB2_Exit communicates directly with the Guardium S-TAP to forward all DB2 traffic,
whether encrypted or not, and both local and remote. DB2 exit captures TCP as well as SHM traffic. Enabling UID chain with DB2 consumes much less CPU resource than
KTAP and UID chain.
The DB2 exit library is a dynamic linked library. The DB2 database loads during database starts.
DB2 exit supports firewall (from STAP 10.1.2, also requires DB2 version 10.1 or later), terminate, and UID chain.
If there is no other Inspection Engine (IE) on the S-TAP that requires K-TAP, then you don't need to load K-TAP: set ktap_installed=0 in guard_tap.ini, or with GIM set
ktap_enabled to no, in the GIM dialog for that STAP. You can upgrade the Linux OS and the STAP without being concerned about K-TAP module compatibility. However, if
there is another IE in the S-TAP that requires the K-TAP module, you must ensure that a compatible K-TAP module is available when you upgrade your Linux version.

Limitations:
DB2 Exit does not support Guardium data masking (scrub/redact)

The Guardium firewall (V10.1.2 and later) requires DB2 version 10.1 or later
Stored Procedures: DB2 Exit monitors stored procedures. Since Guardium does not know what is in the stored procedure, SQL from inside the procedure is not
captured.
When upgrading STAP and DB2
1. Stop the DB2.

2. Upgrade STAP.
3. Copy latest db2 exit lib to DB2 commexit directory.
4. Start the DB2.
When patching STAP
1. Stop the DB2.

2. Patch the DB2 Database
3. In case the DB2 configuration was overwritten you need to re-enable using db2 UPDATE DBM CFG USING COMM_EXIT_LIST libguard_db2_exit_64
4. Start the DB2.
The Guardium installer has two versions of the DB2 EXIT library: 32- and 64-bit. Use the one that matches your installed DB2. Both versions are in the Guardium
installation directory in the lib sub-directory. On Linux servers, the 64-bit version is in lib64.
DB2 versions V101FP4 and V105FP3 support UID chain.
Library names
libguard_db2_exit_32.so
libguard_db2_exit_64.so
Procedure
1. Determine the DB2's bitwise. Log in as root and run db2level. The output is similar to
DB21085I Instance db2inst1 uses 64 bits and DB2 code release SQL09070, with level identifier 08010107
2. Locate the communication buffer exit library location (DB2PATH)
a. Log in as DB2 user trip
b. In the DB2 clp, run db2 get database manager configuration
c. In the output, look for default database path: Default database path
(DFTDBPATH) = /DB2/trip
DFTDBPATH is the value you need for the environment parameter DB2PATH.
3. Set up the DB2 Exit library.
a. Log in as user root
b. Set the environment parameter: # export DB2PATH=/DB2/trip
c. Create the directory by entering one of these commands. (This is done only the first time the library is installed, as the directory does not exist)
mkdir $DB2_PATH/sqllib/security/plugin/commexit
mkdir $DB2_PATH/sqllib/security64/plugin/commexit
d. Change permission: # chown ${DB2 user}:${DB2 group} $DB2PATH/security64/plugin/commexit
e. Copy Guardium's libguard file to commexit by entering one of:
# cp /opt/IBM/guardium/module/modules/STAP/libguard_db2_exit_64.so $DB2PATH/security64/plugin/commexit
# cp /opt/IBM/guardium/module/modules/STAP/libguard_db2_exit_64.so $DB2PATH/security/plugin/commexit
where $DB2_PATH is the db2 installation directory.
If the copy fails with the error ....: Text file busy, remove the file from the target directory, make a copy and repeat.
f. Change permission by entering one of:
# chown ${DB2 user}:${DB2 group} $DB2PATH/security64/plugin/commexit/libguard_db2_exit_64.so

# chown ${DB2 user}:${DB2 group} $DB2PATH/security/plugin/commexit/libguard_db2_exit_64.so
4. Add the DB2 instance to the Guardium group. The Guardium group is created during S-TAP installation. This requirement increases the security of shared memory
regions that are created by the S-TAP.
a. If DB2 user is 'trip', verify if 'trip' has been authorized already. Use guardctl under the ATAP folder.
# /opt/IBM/guardium/module/modules/ATAP/10.1.0_r88469_1-1468880597/files/bin/guardctl is-user-authorized trip

User 'trip' is authorized.
b. If the user trip is not authorized, authorize it now:
# /opt/IBM/guardium/module/modules/STAP/10.1.0_r88469_1-1468880597/guardctl authorize-user trip

guardctl authorize-user guardium
User 'guardium' is already authorized.
5. Enable db2 exit in DB2 (so it will send the SQL traffic to the S-TAP).
a. Log in as db2 user and use the db2 clp commands to enable:
db2 UPDATE DBM CFG USING COMM_EXIT_LIST libguard_db2_exit_64
b. Once enabled, db2 sends SQL traffic to the STAP. Verify if db2 exit is successfully enabled by entering
db2 get database manager configuration
The output should include
Communication buffer exit library list (COMM_EXIT_LIST) = libguard_db2_exit_64
6. Restart DB2.

a. Login as db2 user and enter:
# db2stop force; ipclean; db2start
b. Verify the response includes:
The DB2START command completed successfully
c. If the restart was unsuccessful, stop db2 exit to clear any warnings in DB2 by entering:
db2 UPDATE DBM CFG USING COMM_EXIT_LIST NULL
then restart by entering
db2 restart
d. If not, check the log file for clues: ~/sqllib/db2dump/db2diag.log

7. If A-TAP is not activated: Configure STAP for DB2_EXIT. (If A-TAP is activated, continue with 8)
a. Configure the IE for DB2 as usual either in the guard_tap.ini or via GIM. For ease of identification, set db_type=db2.
b. Unix-type platforms only: Verify that the parameter db_install_dir for DB2_EXIT IE is set to the value of $DB2_HOME or $HOME of DB2 environment variable.
c. Windows only: Add the instance_name=Service_name. Determine the service name by using the db2tap utility in the S-TAP installation folder, or from the
control panel. Set the instance name to the portion of the service name that follows the second dash ( - ) delimiter. For example, if the service name in the
control panel is DB2 - DB2COPY1 - DB2-01-0, set INSTANCE_NAME to DB2-01-0
d. Restart S-TAP with new configuration.
8. If A-TAP was activated when you started.
a. Stop the DB2 by entering
# db2stop force; ipclean
b. Deactivate the A-TAP by entering
# /opt/IBM/guardium/module/modules/ATAP/10.1.0_r88469_1-1468880597/files/bin/guardctl db_instance=<db_instance> [--
force-action=yes ] deactivate
c. Configure the IE for DB2 as usual either in the guard_tap.ini or via GIM . For ease of identification, set db_type=db2.
d. Unix-type platforms only: Verify that the parameter db_install_dir for DB2_EXIT IE is set to the value of $DB2_HOME or $HOME of DB2 environment variable.
e. Windows only: Add the instance_name=Service_name. Determine the service name by using the db2tap utility in the S-TAP installation folder, or from the
control panel. Set the instance name to the portion of the service name that follows the second dash ( - ) delimiter. For example, if the service name in the
control panel is DB2 - DB2COPY1 - DB2-01-0, set INSTANCE_NAME to DB2-01-0
f. Restart S-TAP with new configuration.
9. Set up Zones/WPARs.
a. Copy the S-TAP to the Zones/WPARs.
i. On the master/global Zone/WPAR: (assuming Guardium software is installed on the master Zone/WPAR under /usr/local/guardium, and there exists a
writable directory /usr/local with enough free space on the sub-Zone/sub-WPAR), enter:
cd /usr/local
tar -cvf - guardium | ssh root@subzonehost 'cd /usr/local && tar -xvf -'
ii. On Zone/WPARs, add DB2_EXIT IE in the guard_tap.ini with:

-- ktap_installed = 0
-- tap_run_as_root = 1
-- tap_ip = zones/WPAR local IP address
No other IEs should be specified in order to start S-TAP on the zone.
b. Create /var/guard directory.
c. Start the S-TAP.
on WPARs, manually copy/add the utap server entry in inittab file
On Solaris zone use the command svcadm -v enable guard_utap
d. If relevant, configure the tap_debug_output_level.
Note: Impact of debug logging on the database server: The logging is done by the DB2 Exit module. This module is loaded by DB2 and the diagnostics are
piped to the log files. Since the database server is performing the actual logging, there is some impact, depending on how much logging is done. Remember
that S-TAP logging is meant to be used as part of troubleshooting and not a standard feature, so the impact is only when logging is turned on.
When S-TAP log level = 10, debug info is logged into both S-TAP log and db2_exit log (db2diag.log)
When S-TAP log level = 11, debug info is only logged into db2_exit log (db2diag.log)
Note: In a WPAR environment when running discovery, if the instance name is the same on both slave zone and master zone, then only one Inspection Engine entry
is added that belongs to the master zone.
Note: When changing tap_identifier in the inspection engine, in order for the change to take effect with Informix exit or DB2 exit, the database must be restarted.
With ATAP enabled, the database has to be stopped, ATAP deactivated, reactivated, and finally the database started again. For Informix exit, stop ifxguard, then
restart the database, then start ifxguard.
Parent topic: Linux and UNIX systems: Using Exit libraries
Linux and UNIX systems: Informix Exit integration with UNIX S-TAP
The Informix Exit ifxguard utility (Informix 12.10 and higher) monitors connections to your Informix databases.
About this task

With Informix Exit, Guardium v.10 and higher can audit all protocols of Informix SQL activities. This includes TCP, Shared Memory and Named Pipe protocols. It supports
all Guardium features (S-gate, UID chain, Redaction, query-rewrite, etc). On Linux platforms, you can use Informix Exit instead of ATAP to capture shared memory traffic.
Informix exit captures encrypted traffic.
A shared library, Informix Exit, is part of the Guardium Unix S-TAP installation. S-TAP includes 32bit and 64bit.so. They are located under
<guardium_installation_directory>/guard_stap, for example:
/usr/local/guardium/guard_stap /usr/local/guardium/guard_stap/libguard_informix_exit_32.so
/usr/local/guardium/guard_stap/libguard_informix_exit_64.so.

Note: When changing tap_identifier in the inspection engine, in order for the change to take effect with Informix exit or DB2 exit, the database must be restarted. With
ATAP enabled, the database has to be stopped, ATAP deactivated, reactivated, and finally the database started again. To make tap_identifier work for DB2 exit and
Informix exit, make sure db_install_dir is exactly the same with $HOME value in the database. Also, the database needs to restart to pick up the tap_identifier value. For
Informix exit, stop ifxguard, then restart the database, then start ifxguard.
Procedure
1. Login as user informix to the database and locate its instance name (INFORMIXSERVER) and its installation directory (INFORMIXDIR) by running these Unix
commands:
$ echo $INFORMIXSERVER
INFORMIXSERVER=test117
$ echo $INFORMIXDIR
INFORMIXDIR=/home/informix
2. Install and start up the S-TAP in the db host. See Linux and UNIX systems: Install the S-TAP agent.
3. As user root, make sure the user informix is in the guardium group, for example,
/usr/local/guardium/bin/guardctl authorize-user informix
or with unix
# chgroup users=informix guardium (AIX only).
4. Login as user informix and enter:
$ iduid=501(informix) gid=205(informix) groups=215(guardium)
5. As user informix, copy the correct informix exit library from the guard_stap directory to the informix user's lib directory, for example,
cp /usr/local/guardium/guard_stap/libguard_informix_exit_64.so
$INFORMIXDIR/lib/libguard_informix.so
6. Set up ifxguard. Create a config file under $INFORMIXDIR/etc/ifxguard.$INFORMIXSERVER with these lines:
NAME ol_informix1210
WORKERS 2
LIBPATH /home/informix/12.10.FC6/lib/libguard_informix.so
DEBUG 1
LOGFILE /home/informix/12.10.FC6/etc/ifxguard.msg.txtg.txt
Note: INFORMIXDIR=/home/informix/12.10.FC6
7. Bring up ifxguard as user informix
a. Make sure Informix database server is online (onstat -).
$ id
uid=501(informix) gid=205(informix) groups=215(guardium) $ onstat -
IBM Informix Dynamic Server Version 12.10.FC6 -- On-Line -- Up 6 days 00:22:25 -- 253104 Kbytes
b. If the ifxguard config file is setup as described above, bring up ifxguard with:
$ ifxguard
15:20:17 ifxguard set instance name ol_informix1210
Starting ifxguard ol_informix1210 ...
check log file: /home/informix/12.10.FC6/etc/ifxguard.msg.txt
You should not see any errors. In case of error, check the file indicated in LOGFILE.
c. If the ifxguard config file is not under $INFORMIXDIR/etc, specify the file's full path with -c option, - for example
$ ifxguard -c /mnt/conf/ifxguard.ol_informix1210
d. If ifxguard config file is not set up at all, you can still bring up the agent but must specify the .so library using full-path with -p option and message log file
with -l option, for example
$ ifxguard -p /home/informix/12.10.FC6/lib/libguard_informix.so -l home/informix/12.10.FC6/etc/ifxguard.msg.txt
e. If there are errors, check the log file indicated in LOGFILE.

8. Make sure ifxguard and S-TAP is up running using ps -ef:
$ ps -ef|grep guard
root 15401210 1 1 15:14:11 - 0:00
/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
informix 22609968 1 0 15:20:17 - 0:00 ifxguard
You should see the following msg in /home/informix/12.10.FC6/etc/ifxguard.msg.txt.
Wed Feb 3 15:20:17 2016

15:20:17 INFORMIX-ESQL Version 12.10.FC6
15:20:17 Build Number: N253
15:20:17 Build Host: cxp01007
15:20:17 Build OS: AIX 6.1
15:20:17 Build Date: Wed Nov 4 21:55:13 CST 2015
15:20:17 GLS Version: glslib-6.00.FC7
15:20:17
15:20:17 Starting ifxguard ol_informix1210 ...
15:20:17 DEBUG[TID1]:Password File /home/informix/12.10.FC6/etc/ passwd_file failed error:No
such file or directory [2] [onguard_main.c:onguard_pw_init:518]
15:20:17 DEBUG[TID1]:ifxguard ol_informix1210 connect to trusted host, Password Manager is i
gnored. [onguard_main.c:onguard_run:2391]
15:20:17 pcbms = 110023688, spt_fn=ffffffffffff300
15:20:17 CBMS: cbms_initialize()

15:20:17 Attached /.guard_writer0 shmem[0] 8001000a0000de8
15:20:17 Attached /.guard_writer1 shmem[1] 8001000a0000eb8
15:20:17 Attached /.guard_writer2 shmem[2] 8001000a0000f88
15:20:17 Attached /.guard_writer3 shmem[3] 8001000a0001058
15:20:17 Attached /.guard_writer5 shmem[5] 8001000a00011f8
15:20:17 Attached /.guard_writer6 shmem[6] 8001000a00012c8

15:20:17 Attached to /.guard_reader
15:20:17 guard_conf_message=70000000149b000: my_ip=96eb8b7, intercept_type=1c, debug_level=0
, ignore_response_db_list=NONE
15:20:17 comm exit shm initialization successful
15:20:17 DEBUG[TID1]:new daemon pid is 22609968 [onguard_main.c:onguard_daemonize:2350]
15:20:17 ifxguard ol_informix1210 started
15:20:17 The connection attempt from ifxguard ol_informix1210 to server ol_informix1210 suc
ceeded. Process id: 22609968:258
15:20:17 Attached to /.guard_reader
15:20:17 The connection attempt from ifxguard ol_informix1210 to server ol_informix1210 succeeded. Process id: 22609968:515
You can ignore the password file error. It's a debug message. You can define one password file and run 'onpassword' to encrypt it. Ifxguard reads user informix's
password from the encrypted file and connects to Informix Dynamic Server (IDS). If the password file is not defined, then ifxguard connects to IDS as trusted host
connection (no password).
9. Add the INFX_EXIT inspection engine either via GRDAPI (create_stap_inspection_engine) or the GUI (Manage > Activity Monitoring > S-TAP Control) with these
specific Informix values:
Parameter in GUI Parameter in GRDAPI Value
Protocol protocol Informix Exit
DB Install Dir dbInstallDir /home/informix
Process Name procName /INFORMIXTMP/.inf.sqlexec
Intercept Types interceptTypes <blank or null>
Identifier ieIdentifier <blank or null>
Â informixVersion Informix version

10. Restart the S-TAP.
11. To disable libguard, run: ifxguard -kill $INFORMIXSERVER
Linux and UNIX systems: Teradata Exit integration

The Teradata exit module enables Guardium to pick up Teradata traffic, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.
About this task

Introduced in v10.1.3. S-TAP on Teradata 16.10 and higher requires this configuration.
Teradata exit embeds a Guardium library into DB2 via the exit module. The exit module communicates directly with the Guardium S-TAP to forward all Teradata traffic.
Teradata exit supports terminate and firewall. It does not support UID chain or redaction.
The location of libguard_teradata_exit_64.so and other Guardium files varies depending on the installation method and directory chosen.
Procedure
1. Stop the Teradata service:
/etc/init.d/tpa stop
/etc/init.d/tgtw stop
2. On your Guardium, configure a Teradata Exit Inspection Engine, similar to:
[DB_0]
connect_to_ip=127.0.0.1
db_exec_file=/opt/teradata/tdat/tgtw/16.00.00.05sks/bin/gtwgateway
db_install_dir=/root
db_type=trd_exit
intercept_types=NULL
tap_identifier=NULL
networks=0.0.0.0/0.0.0.0
exclude_networks=
3. On the DB, create directory "site" as follows: mkdir /opt/teradata/tdat/tgtw/site

4. On the DB, create a symbolic link: ln -s /usr/local/guardium/modules/STAP/current/files/lib/libguard_teradata_exit_64.so
/opt/teradata/tdat/tgtw/site/libtgtwmonitoring.so
5. On the DB, authorize users to the guardium group to capture traffic. As root, enter:
/usr/local/guardium/guard_stap/guardctl --db-user=tdatuser authorize-user

/usr/local/guardium/guard_stap/guardctl --db-user=teradata authorize-user
/usr/local/guardium/guard_stap/guardctl --db-user=root authorize-user
6. On the DB, load the Exit library into the Teradata database: /usr/tgtw/bin/gtwcontrol --monitorlib load=yes
7. Start the Teradata service:
/etc/init.d/tpa start
/etc/init.d/tgtw start
Linux and UNIX systems: Editing the S-TAP configuration parameters

You can modify the S-TAP configuration after it is installed using GIM, the GUI, or for advanced users, in the configuration file on the database.

Note: Parameters in the GUI may be safely changed. Parameters that are not in the GUI are advanced, and rarely need changing. They are normally be left unmodified;
they are for use by Guardium support or advanced users.
CAUTION:
You can some modify parameters in the GUI. See Linux and UNIX systems: Configure S-TAP from the GUI.
GIM is an easy method for modifying parameters, if the S-TAP bundle was installed with GIM. See the instructions for v10.1.4 and higher: Set up by Client; and for v10.1-
10.1.3: GIM user interfaces.
If it is necessary to modify the configuration file from the database server, follow the procedure described in this section. The guard_tap.ini file contains comments that
explain many of the parameters.
The S-TAP needs restarting after you modify the guard_tap.ini. If you're using GIM, it restarts the S-TAP automatically.
CAUTION:
Parameters must be added to their relevant section: [TAP], [SQLGuard], [DB_<name>].

2. Stop the S-TAP.
3. Make a backup copy of the configuration file: guard_tap.ini. The default file locations is /usr/local/guardium/guard_stap/guard_tap.ini
4. Open the configuration file in a text editor.
5. Edit the file as necessary.
6. Save the file.
7. Restart the S-TAP and verify that your change has been incorporated.

These parameters define basic properties of the S-TAP running on a DB server and the server on which it is installed, and do not fall into any of the other categories.
These parameters affect the behavior of the inspection engine that the S-TAP uses to monitor a data repository on a DB server.
Linux and UNIX systems: Firewall parameters
Linux and UNIX systems: Query rewrite parameters
Linux and UNIX systems: Server-side masking (SSM) parameters
The server-side masking parameters affect the behavior of the S-TAP with respect to discovery.
Linux and UNIX systems: Discovery parameters
These parameters affect the behavior of the S-TAP when an application user name needs to be bounded with database activities.
Linux and UNIX systems: Hadoop parameters
Guardium supports integration Hortonworks distributions using Apache Ranger. Understand the S-TAP parameters required for the connection between S-TAPs and
Ranger agents.
Linux and UNIX systems: Debug parameters
These parameters affect the behavior of the K-TAP.


value
Pool Â connection_pool_size 0 The number of connections to open between the S-TAP and the sniffer process on a Guardium host.
size Increasing the value provides additional throughput that may be required when enabling encryption such
as TLS. The maximum number of pooled connections is 50. The total is the sum of (connection_pool_size
x num_main_threads) in all of the [SQLGuard_n] sections in the guard_tap.ini.
Valid values:Â Â
0: disable pooling
1-10 (for each defined host)
Default = 0
Main Â num_main_threads 1 The number of threads used between the S-TAP and one or more Guardium hosts.
threa
ds Valid values: 1-510 (maximum total of 510 for all defined Guardium hosts) (Until V10.1.3 maximum was
5.)
Default = 1
Note: Enterprise load balancing does not support using multiple threads for a single managed unit. When
using enterprise load balancing, set this parameter to 1.

value
Â primary Â Indicates the primary Guardium system for this S-TAP. In guard_tap.ini: 1=Primary, 2=Seconday,
(chec 3=tertiary, and so on
kmark
indica
tes
the
prima
ry
host)
Â Â sqlguard_port 16016 Read only. Port used for S-TAP to connect to Guardium system.
Guard STAP_ sqlguard_ip NULL IP address or hostname of the Guardium system that acts as the host for the S-TAP. You can define
ium SQLG multiple hosts by adding [SQLGuard_1], [SQLGuard_2], and so on.
Host UARD
_IP
Parent topic: Linux and UNIX systems: Editing the S-TAP configuration parameters

These parameters define basic properties of the S-TAP running on a DB server and the server on which it is installed, and do not fall into any of the other categories.
Table 1. S-TAP configuration parameters in the [TAP] section
Default
GUI GIM guard_tap.ini value Description
Â Â tap_type Â The type of installed S-TAP agent:
stap=UNIX
ztap=Z/OS
Versi Â tap_version Â Read only. The S-TAP version that is installed on the DB server, added to the file during
on installation or upgrade only.
S- STAP tap_ip Â Read only. IP address or hostname for the database server system on which S-TAP is
TAP _TAP installed
Host _IP
Devic STAP devices none Which interfaces to listen on. Use ifconfig to find the correct interface.
es _DEV
ICES
All STAP all_can_control 0 0=S-TAP can be controlled only from the primary Guardium system. 1=S-TAP can be
can _ALL controlled from any Guardium system.
contr _CAN
ol _CON
TROL
Load STAP participate_in_load_balancing 0 Controls load balancing to Guardium systems:

balan _PAR
cing TICIP 0: No load balancing.
ATE_ 1: Load balancing. Traffic is balanced between the primary and secondary servers,
IN_L defined in the SQLGuard section.
OAD_ 2: Redundancy. Fully mirrored S-TAP sends all traffic to all primary and secondary
BALA servers, defined in the SQLGuard section.
NCIN 3: Hardware load balancing. Guardium uses a load balancer such as F5 or Cisco. S-
G TAP sends the traffic to the load balancer, which forwards it to one of the collectors
in the pool.
4: Multiple KTAP buffer and S-TAP threads are used to split the traffic.
Use the primary parameter in the SQLGUARD section to specify primary, secondary, etc.
servers. If this parameter is set to 0, and you have more than one Guardium system
monitoring traffic, then the non-primary Guardium systems are available for failover.
Note: Guardium does not support failover with a v10.x S-TAP and a v9.x collector.
Â Â connection_timeout_sec 10 Number of seconds after which the S-TAP considers a Guardium server to be unavailable.
It can have any integer value.
TLS STAP use_tls 0 1=use SSL to encrypt traffic between the agent and the Guardium system.
Use _USE
_TLS 0=do not encrypt.
Warning: The traffic between the agent and Guardium system is in clear text.
Guardium recommends encrypting network traffic between the S-TAP and the collector
whenever possible, only in cases where the performance is a higher priority than security
should this be disabled.
Decrypting login packets isn't supported when TLS is enabled. This means that DB_USER
is not populated and failed logins are not associated with an access.

Default
TLS STAP failover_tls 0

Failov _FAIL 1= If ssl connection is not possible for any reason, fail over to using non-secure
er OVER connection.
_TLS 0=use only secure connections.
Â STAP wait_for_db_exec -1 Specifies how the S-TAP starts monitoring its databases after a restart.
_WAI
T_FO 1 and greater: When S-TAP restarts, either from a system reboot or user initiated S-TAP
R_DB stop / start commands, S-TAP polls all databases that have been configured to be
_EXE monitored and begins monitoring them when available. Any configuration anomalies
C (either on the database side or the S-TAP side) that limits S-TAP ability to monitor a
database does not limit S-TAP from monitoring other databases with valid configurations.
Instead, S-TAP starts successfully, monitors all valid configurations, and continues to poll
other databases until they become available and then starts monitoring them as well. It is
recommended to use existing alerts and reports to monitor and report on any failed S-TAP
status.
For example, after relinking Oracle, Oracle BEQ traffic is not logged for 15 minutes, this is
the time it takes for S-TAP to run periodically and check if an Oracle device node has been
changed.
0 and less: S-TAP exits with error message if it cannot access the db_install_dir. If the
STAP has multiple IEs, it exits at the first occurrence of not reaching a DB.
Â STAP tap_run_as_root TAPUSER To allow S-TAP to run as regular user. 0 = runs as guardium user, 1= runs as root
_RUN
_AS_ In some cases you need to run the S-TAP as guardium (and not root). This can cause
ROOT other issues and should only be used when necessary. Running S-TAP as the guardium
user can cause a database or protocol to stop working because of permission levels.
Verify that the database path or exec file gives the Guardium user read permission.
Depending on your environment, typical limitations are:
wait_for_db_exec might not work. For cluster, check the database path or exec file
for Guardium user read permission.
Database on AIXÂ® WPAR and Solaris Zones may not work, check the permission to
access the install path or exec file
For Oracle BEQ, restart S-TAP after starting or restarting the database.
For InformixÂ® shared memory, restart S-TAP after starting or restarting the
database.
For DB2 shared memory, if shmctl failed because of permission issue, then in most
cases S-TAPÂ® should be changed to run as root.
If shared memory segment has read permission by group, then make sure
the DB2 instance has been added to user (Guardium) group. But still on
each server, only one set of configuration of DB2Â® can be supported.
If shared memory segment has read permission by db2 user only, then S-
TAP has to run as root. (open a DB2 shared memory session, run command
ipcs -ma, check MODE on the output)
Â Â tap_buf_dir NULL Location of S-TAP buffer file. Default location is $inidir/buffers
Â Â tap_log_dir NULL Location of S-TAP log files: guard_stap.stdout.tx, guard_stap.stderr.txt,

guard_stap.fam.txt. By default log files are written in /tmp.
Alter STAP alternate_ips NULL Comma-separated list of alternate or virtual IP addresses used to connect to this
nate _ALT database server. This is used only when your server has multiple network cards with
ips ERNA multiple IPs, or virtual IPs. S-TAP only monitors traffic when the destination IP matches
TE_I either the S-TAP Host IP defined for this S-TAP, or one of the alternate IPs listed here, so
PS it's recommend that you list all virtual IPs here.
Â TEE_ tee_installed 0 1=Tee is in use. 0=Tee is not used.

ENAB
LED
Â tee_msg_buf_len 128 Size of the buffer for Tee in MB. It can take any integer value.
Â STAP buffer_file_size 50 Advanced. Size in MB of the buffer allocated for the packets queue. If the buffer size is set
_BUF too large, the S-TAP might not be able to start. Files larger than 2560 MB are known to
FER_ cause this problem.
FILE_
SIZE
Â buffer_mmap_file 0 1=memory mapped file option. 0=virtual memory allocation
Trace tracefiles_dir Â The Directory in which access tracer files will be stored. The default is INSTALLDIR.
files
dir

Default
Com STAP compression_level 0 Advanced. Compression level. 1-9.

pres. _COM
Level PRES 0: no compression
SION 1: best speed
_LEV 9: best compression
EL 0: no compression
-1: default compression
Â min_bytes_to_compress 500 Advanced. Minimum size of message to compress.
Â Â tap_min_heartbeat_interval 180 Number of seconds after which the S-TAP should fail over.
Â msg_aggregate_timeout 100 time in milliseconds at which K-TAP sends the packets accumulated in its buffer to the S-
TAP. Can be any integer value.
Â msg_count_watermark 64 Number of packets at which K-TAP sends the packets accumulated in its buffer to S-TAP.
Can be any integer value.
Â log_program_name 0 To boost performance you may consider disabling getting the sourceprogram name, in
doing so you won't be able to tell which program name was using the connection (but all
other connection information like user and client address will be available). 0 = don't send
source_program name to Guardium system, 1=send source_program name to Guardium
system.
Â max_server_write_size 16384 The maximum number of bytes that the S-TAP sends to the Guardium system at once.
Can be any integer value.
Â guardium_ca_path NULL Location of the Certificate Authority certificate.
Â sqlguard_cert_cn NULL The common name to expect from the Sqlguard certificate.
Â guardium_crl_path NULL The path to the Certificate Revocation list file or directory.
Â tap_failover_session_size 1024 The maximum number of failover sessions in the list per Guardium system. 0=failover
feature is disabled. Can be any integer value.
Â tap_failover_session_quiesce 60 The number of minutes after S-TAP failover, when unused sessions in the failover list from
the previous active servers are removed from the current active server. This includes
cleaning the session's policy and removing the session from the firewalled and scrubbed
lists.
Â STAP kerberos_plugin_dir NULL Location of Kerberos files

_KER
BERO
S_PL
UGIN
_DIR
Â STAP db_ignore_response NULL Comma-separated list of db types to be response-ignored. If it is set to none, no response
_DB_ is ignored; if it is set to all, the responses from all DBs are ignored. Note: If using
IGNO db_ignore_response=all to set the Oracle database response to be ignored (not captured
RE_R to reduce traffic load), then be aware that more than just database server responses are
ESPO involved. Database server responses can also contain important database protocol
NSE metadata information used by the application for following database requests
interpretation.
Â STAP stap_statistic 0 Interval at which S-TAP sends statistic information about S-TAP/K-TAP to sniffer ; 0=do
_STA not send. Specify a positive integer for hours or a negative integer for minutes.
TISTI
C
Â stap_statistic_version 1 STAP statistics are version specific to the collector
1: Guardium V10 and higher
0 - Guardium V9
Â STAP upload_feature 1 If=1, when a new K-TAP is built, upload it automatically to the Guardium system to which
_UPL this S-TAP reports.
OAD_
FEAT
URE
Â STAP upload_snapshots 1 Upload snapshots using file upload mechanism

_UPL
OAD_
SNAP
SHOT
S
Â add_to_verification schedule 0 Add the Inspection Engines defined in guard_tap.ini to S-TAP Verification schedule. STAP
Verification will test traffic capture. 0=OFF, 1=ON, default is 0.

Default
Â STAP db_ignore_response_bypass_bytes 4096 Integer of bytes size of the result set, that when a result set is greater than the size to
_DB_ ignore the response.
IGNO
RE_B
YPAS
S_BY
TES
Â STAP db_ignore_response_resets_per_request 0 The db_ignore_response_bypass_bytes is reset on each request.

_DB_
IGNO 0=no; 1=yes
RE_R
ESET
S_PE
R_RE
QUES
T
Â STAP db_ignore_response_filter 0.0.0.0/0.0. Comma separated list of IP/MASKs to be response-ignored, by default it filters all traffic
_DB_ 0.0
IGNO Any DB responses of the type specified by DB_IGNORE_RESPONSE to the specified
RE_R IP/MASKs are ignored.
ESPO
0=no filtering of responses occurs
NSE_
FILTE 0.0.0.0/0.0.0.0=all IPs are filtered
R
Â STAP db_ignore_response_local 1 Filtering of local db responses. TCP traffic is not considered local traffic for this
_DB_ parameter.
IGNO
RE_R 0=no
ESPO
1=yes
NSE_
LOCA
L
Â debug_snapshot 0 Advanced. Collects a debug dump from a STAP. Should be triggered from the GUI (S-TAP
Control > S-TAP commands). After triggering a dump from the GUI, the parameter reverts
to its default of 0.
Â debug_snapshot_level 1 Advanced. The value of tap_debug_output_level that is run for the debug dump:
1: basic debug
4: verbose debug
Â debug_snapshot_time 60 Advanced. The time interval, in seconds, for which the diagnostic runs. The value can be
any integer value.
Â force_log_limited 0 Controls sending certain types of information to the collector. Useful when you are
concerned about the possibility of storing private data on the Guardium collector.
0=unrestricted. Default
1=restricted logs. Private data is removed.
Â hunter_trace 0 Enable UID_CHAIN
0: Disable.
1: Enable. For local TCP/IP connections including Solaris zones and AIX WPARS; or
remote TCP/IP connection when appserver_installed = 1
Load STAP load_balancer_ip Â IP address of the load balancer unit. If not defined, S-TAP does not use Enterprise Load
Balan _LOA Balancing.
cer D_BA
IP LANC
ER_I
P
Mana STAP load_balancer_num_mus 1 Number of managed units to request from load balancer
ged _LOA
Units D_BA
LANC
ER_N
UM_
MUS
Â merge_with_template 0 Specifies whether or not the configuration from the collector is merged with the template
config file when it is pushed to STAP.
0=no
1=yes

Default
Â shmid_blacklist NULL Comma separated list of shared memory IDs that KTAP filters.
Â shmid_blacklist_wait 0 Wait to activate interception until shmid_blacklist items are discovered 0: no, 1: yes (0)
Â blacklist_shmem_ops_by_proc NULL ktap uses blacklist_shmem_ops_by_proc to filter the shmem interception for the
specified processes (comma separated list)
Â STAP fam_enable See Global enable/disable for FAM monitor (crawler).

_FAM description
_ENA for defaults 0: disabled
BLED 1: enabled
In GIM installations from v10.1.4, the default is disabled, and in earlier versions it is
enabled by default. In shell installations, the default is enabled in all 10.0 and 10.1
version.
Inclu STAP uid_chain_sshd_ip 0 Introduced in v10.1.4. Encode the client IP into the UID chain when ssh is identified as
de _UID one of the processes in the chain.
client _CHA
IP in IN_T 0=disabled, 1=enabled
UID RACE
chain
for
SSH
daem
on

These parameters affect the behavior of the inspection engine that the S-TAP uses to monitor a data repository on a DB server.
These parameters are stored in the individual [DB_<name>] inspection engine section of the S-TAP properties file, with the name of a data repository. There can be
multiple sections in a properties file, each describing one inspection engine used by this S-TAP.
Protoc db_type Â The type of data repository being monitored.

ol
Port port_range_start Â Starting port range specific to the database instance. Together with port_range_end defines the
range range of ports monitored for this database instance. There is usually only a single port in the range.
For a Kerberos inspection engine, set the start and end values to 88-88. If a range is used, do not
include extra ports in the range, as this could result in excessive resource consumption while the S-
TAP attempts to analyze unwanted traffic.
Port port_range_end Â Ending port range specific to the database instance.

range
KTAP real_db_port 4100 Used only when the K-TAP monitoring mechanism is used. Identifies the database port to be
DB monitored by the K-TAP mechanism.
Real
Port
Client networks Â Identifies the clients to be monitored, using a list of addresses in IP address/mask format:
Ip/Ma n.n.n.n/m.m.m.m. If an improper IP address/mask is entered, the S-TAP does not start. Valid values:
sk
null=select all clients
127.0.0.1/255.255.255.255=local traffic only
Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot be specified
simultaneously.
If the IP address is the same as the IP address for the database server, and a mask of
255.255.255.255 is used, only local traffic will be monitored. An address/mask value of
1.1.1.1/0.0.0.0 monitors all clients.
Exclu exclude_networks Â A list of client IP addresses and corresponding masks that are excluded from monitoring. This option
de allows you to configure the S-TAP to monitor all clients, except for a certain client or subnet (or a
Client collection of these). Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks)
Ip/Ma cannot be specified simultaneously.
sk
TEE tee_listen_port 12344 Deprecated. Replaced by the parameter real_db_port when the K-TAP monitoring mechanism is
Listen used.
Port-
Real Was required when the TEE monitoring mechanism. The Listen Port is the port on which S-TAP listens
Port for and accepts local database traffic. The Real Port is the port to which S-TAP forwards traffic.
Conne connect_to_ip 127.0.0.1 IP address for S-TAP to use to connect to the database. Some databases accept local connection
ct To only on the real IP address of the machine, and not on the default (127.0.0.1). When K-TAP is
Ip enabled, this parameter is used for Solaris zones and AIX WPARs and it should be the zone IP
address in order to capture traffic.

DB db_install_dir NULL DB2, Informix, or Oracle: Enter the full path name for the database installation directory. For
Install example: /home/oracle10. All other database types enter: NULL. For DB2 exit and Informix exit,
Dir db_install_dir must be exactly the same as the $HOME value in the database (or $DB2_HOME for
DB2 Exit); otherwise tap_identifier does not function properly.
Proce db_exec_file NULL For a DB2, Oracle, or Informix database, enter the full path name for the database executable. For
ss example:
Name
Oracle: there is no standard path, it depends on the directory where the database is installed.
Informix: /INFORMIXTMP/.inf.sqlexec. Applies to all Informix platforms but Linux.
Informix with Linux, example: /home/informix11/bin/oninit
MYSQL: mysql
All other database types: NULL
Encry encryption 0 Activate ASO or SSL encrypted traffic for Oracle (versions 11 and 12) and Sybase on Solaris, HPUX
ption and AIX.
For Oracle, specify db_version in the ini file (e.g. db_version=12)
For Oracle12 SSL, instrument on all platforms. For Oracle11 SSL, instrument on AIX.
For any Oracle requiring instrumentation, if you are using encryption=1 in the guard_tap.ini (which is
not supported on Linux), you must instrument prior to setting that parameter.
Some DBs require restart after enabling encryption.
Â load_balanced 1 1=database traffic participates in load balancing. 0=database traffic does not participate in load
balancing.
Interc intercept_types NULL Protocol types that are intercepted by the IE. Valid values:
ept
Types NULL: auto intercepts all protocols the Database supports
Comma separated list: IE intercepts these protocol types only.
Identi tap_identifier NULL Optional. Used to distinguish inspection engines from one another. If you do not provide a value for
fier this field, Guardium auto-populates the field with a unique name using the database type and GUI
display sequence number.
DB db_version 9 The database version.

Versio
n
Unix unix_domain_socket_marker Null Specifies UNIX domain sockets marker for Oracle, MySQL and Postgres. Usually the default value is
Socke correct, but when the named pipe or UNIX domain socket traffic does not work then you need to
t make sure this value is set correctly. For example, for Oracle, unix_domain_socket_marker should be
Marke set to the KEY of IPC defined in tnsnames.ora. If it is NULL or not set, the S-TAP uses defined default
r markers identified as: * MySQL - "mysql.sock" * Oracle - "/.oracle/" * Postgres - ".s.PGSQL.5432"
These additional parameters are used with IBM DB2 databases.
Table 1. Additional S-TAP configuration parameters for a DB2 inspection engine

DB2 Shared db2_fix_pack_adjustment 20 Required when DB2 is selected as the database type, and shared memory connections are
Mem. Adjust. monitored. The offset to the server's portion of the shared memory area. Offset to the beginning
of the DB2 shared memory packet, depends on the DB2 version: 32 in pre-8.2.1, and 80 in 8.2.1
and higher.
DB2 Sh. Mem. db2_shmem_client_position 61440 The offset to the client's portion of the shared memory area. Required when DB2 is selected as
Client Pos. the database type, and shared memory connections are monitored. The client offset can be
calculated by taking the value of the DB2 parameter ASLHEAPSZ and multiplying by 4096 to get
the appropriate offset. The default for this parameter is 61440 decimal. This parameter is
calculated by taking the DB2 database configuration value of ASLHEAPSZ and multiplying by
4096. To get the value for ASLHEAPSZ, execute the following DB2 command: db2 get dbm cfg
and look for the value of ASLHEAPSZ. This value is typically 15 which yields the 61440 default. If
it's not 15, take the value and multiply by 4096 to get the appropriate client offset.
db2bp_path Null Only used when using ATAP on DB2. If the program 'db2bp' (part of DB2) is in the standard
location, this does not need to be set. If it is non-standard, then this parameter points to its
location. The value of this parameter should be the full path of the relevant db2bp as seen from
the global zone/wpar. For example, if the file is /data/db2inst1/sqllib/bin/db2bp and the zone is
installed in /data/zones/oracle2nd/root/ then the full path to db2bp that should be set in the
db2bp_path parameter is /data/zones/oracle2nd/root/data/db2inst1/sqllib/bin/db2bp
DB2 Shared db2_shmem_size 131072 DB2 shared memory segment size. Required when DB2 is selected as the database type, and
Mem. Size shared memory connections are monitored.
Linux and UNIX systems: Firewall parameters


CAUTION:
G
I
S firewall_installed 0 Firewall feature enabled. 1=yes, 0=no.

T
A
P
_
F
I
R
E
W
A
L
L
_
I
N
S
T
A
L
L
E
D
S firewall_timeout 10 Time, in seconds to, wait for a verdict from the Guardium system if the firewall timed out. Look at
T firewall_fail_close value to know whether to block or allow the connection. The value can be any integer
A value.
P
_
F
I
R
E
W
A
L
L
_
T
I
M
E
O
U
T
S firewall_fail_close 0 If the verdict does not come back from the Guardium system and the firewall_timeout expires: if
T firewall_close = 0 the connection goes through; if firewall_close=1 the connection is blocked.
A
P
_
F
I
R
E
W
A
L
L
_
F
A
I
L
_
C
L
O
S
E

G
I
S firewall_default_state 0 0: An event triggers traffic in a session to be watched and checked for firewall policy violations.
T 1: All traffic is watched by default for firewall policy violations
A
P
_
F
I
R
E
W
A
L
L
_
D
E
F
A
U
L
T
_
S
T
A
T
E
S firewall_force_watch NULL When the firewall feature is enabled and firewall_default_state is 0, the session is watched automatically
T when its client IP matches one of this list of IP/MASK values. The list itself is separated with commas, for
A example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2
P
_
F
I
R
E
W
A
L
L
_
F
O
R
C
E
_
W
A
T
C
H

G
I
S firewall_force_unwatch NULL When the firewall feature is enabled and firewall_default_state is 1, the session is unwatched
T automatically when its client IP matches one of this list of IP/MASK values. The list itself is separated with
A commas, for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2,
P
_
F
I
R
E
W
A
L
L
_
F
O
R
C
E
_
U
N
W
A
T
C
H
Linux and UNIX systems: Query rewrite parameters

CAUTION:
GIM guard_tap.ini Default Description
Value
STAP_QRW_INSTALLED qrw_installed 0 Enable / disable the Dynamic Data Masking for Databases feature. When set to 0, all other
parameters in this group are ignored.
0=No
1=Yes
STAP_QRW_DEFAULT_S qrw_default_state 0 Sets the query rewrite activation trigger. Must be 0 if firewall_default_state=1.
TATE
0=QRW activated per session when triggered by a rule in the installed policy
1=QRW activated for every session regardless of the installed policy
STAP_QRW_FORCE_WA qrw_force_watch NULL Comma separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to watch
TCH automatically. Valid when qrw_default_state is 0. Cannot be configured to the same range as
firewall_force_watch.
STAP_QRW_FORCE_UN qrw_force_unwatch NULL Comma separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to exclude
WATCH from watching. Valid when firewall_default_state is 1. Cannot be configured to the same range as
firewall_force_unwatch.
Linux and UNIX systems: Server-side masking (SSM) parameters

The server-side masking parameters affect the behavior of the S-TAP with respect to discovery.
CAUTION:
Parameter Default value Description
server_side_masking_installed 0 Enables the server-side masking feature.
0=No
1=Yes

Parameter Default value Description
server_side_masking_default_state 0 Sets the server-side masking activation trigger.
0=SSM activated per session when triggered by a rule in the installed policy
1=SSM activated for every session regardless of the installed policy
server_side_masking_force_watch NULL Comma separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are
watched automatically. Valid when server_side_masking_installed=1 and qrw_default_state=0.
Cannot be configured to the same range as firewall_force_watch.
server_side_masking_force_unwatc NULL Comma separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are
h not watched. Valid when server_side_masking_installed is 1 and firewall_default_state is 1.
Cannot be configured to the same range as firewall_force_unwatch.

Linux and UNIX systems: Discovery parameters

CAUTION:
GIM guard_tap.ini Default value Description
STAP_DISCOVE discovery_interval 24 The time interval, in hours, at which auto-discovery runs. Set to 0 to disable.
RY_INTERVAL
DISCOVERY_DB discovery_dbs oracle:db2:inform Colon (':') separated list of database types to discover.
S ix:mysql:postgres
:sybase:hadoop:t
eradata:netezza:
memsql
DISCOVERY_DE discovery_debug 0 Discovery debug level

BUG
0 = errors only
1 = errors and debug statements
DISCOVERY_OR discovery_ora_alt_locations Alternate locations to look for listener.ora files

A_ALT_LOCATIO
NS
STAP_DISCOVE discovery_port 8443 The Guardium port the S-TAP Discovery uses to connect to the Guardium system.
RY_PORT

These parameters affect the behavior of the S-TAP when an application user name needs to be bounded with database activities.
These parameters are in the [TAP] section on the guard_tap.ini file.
Default
Â STAP appserver_installed 0 0 is default, S-TAP acts as normal. 1=S-TAP is set in 'client mode', switches S2C and C2S packets to
_AP reflect S-TAP being installed on client, not db server. Also, if 1, checks to see if the other appserver_*
PSE parameters are filled in, and if so, examines http packets on the supplied port to grab session
RVE information about the end-user of the java-application that resides on the client system.
R_IN
STAL
LED
Ports STAP appserver_ports 8080 Comma-separated list of ports, or hyphens for inclusive ranges of ports, on which the Java
_AP application is accessed via web browser.
PSE
RVE
R_P
ORT
S

Default
Login STAP appserver_login_pattern Â Comma-separated list of strings specifying the login pattern passed to the application. This is the
pattern _AP pattern that the Java application is passed to identify a user login.
PSE
RVE
R_L
OGI
N_P
ATTE
RN
Username STAP appserver_username_prefix Â Comma-separated list of strings specifying the prefix to the username for a given session. This is the
prefix _AP pattern the Java application uses to indicate the username of the given session.
PSE
RVE
R_U
SER
NAM
E_P
REFI
X
Username STAP appserver_username_postfix Â Comma-separated list of strings specifying the postfix to the username for a given session. This is
postfix _AP the pattern (or character) used by the Java application to indicate the end of the value for the given
PSE variable that indicates the username.
RVE
R_U
SER
NAM
E_P
OST
FIX
Session STAP appserver_session_pattern Â Comma-separated list of strings specify the start of an end-user session, using a particular database
pattern _AP session. This is the pattern specifying [change of] end-user session for a given database connection.
PSE
RVE
R_S
ESSI
ON_
PATT
ERN
Session STAP appserver_session_prefix Â Comma-separated list of strings specifying the session identifier
prefix _AP
PSE
RVE
R_S
ESSI
ON_
PRE
FIX
Session STAP appserver_session_postfix Â Comma-separated list of strings specifying where the session id ends.
postfix _AP
PSE
RVE
R_S
ESSI
ON_
POS
TFIX
Session ID STAP appserver_usersess_pattern Â Comma-separated list of strings specifying the identifier for marking which end-session a given
pattern _AP connection is continuing with.
PSE
RVE
R_U
SER
SESS
_PAT
TER
N

Default
Session ID STAP appserver_usersess_prefix Â Comma-separated list of strings specifying what identifies/precedes the session_id in a given
prefix _AP usersess indicator packet.
PSE
RVE
R_U
SER
SESS
_PR
EFIX
Session ID STAP appserver_usersess_postfix Â Comma-separated list of strings specifying where the session id ends.
postfix _AP
PSE
RVE
R_U
SER
SESS
_PO
STFI
X
Linux and UNIX systems: Hadoop parameters

Guardium supports integration Hortonworks distributions using Apache Ranger. Understand the S-TAP parameters required for the connection between S-TAPs and
Ranger agents.
guard_tap.ini parameters for Hortonworks with Apache Ranger

Note: Some parameters are configurable through the Guardium user interface or through the Guardium Installation Manager. All parameters are configurable using the
Guardium API.
CAUTION:
Table 1. guard_tap.ini parameters for Hortonworks with Apache Ranger integration
Parameter Values Description
log4j_reader_enabled 0 or 1 Enable log4j listening mode for Ranger traffic.
0 is disabled (default).
1 is enabled.
log4j_port Integer. The port where the Guardium S-TAP will listen for
Ranger audits.
Default = 5555.
log4j_listen_address IP address Ranger plugins will connect to this address.
0.0.0.0 indicates any IP address of the system The default value of 0.0.0.0 is recommended, as this
(default). enables the S-TAP to receive traffic from any host.
localhost indicates the loopback address of the Use localhost if configuring the system for high
system. availability.
If you choose to restrict access to a specific address,

be sure you are not excluding any necessary traffic for
monitoring.
log4j_num_connections Integer The number of concurrent connections to expect from

the service or services defined for this S-TAP.
Default value is 20.
ranger_dynamic_policy_port integer Port that Ranger plugins connect to. S-TAP listens here
for the Ranger dynamic policy.
Default = 5556
ranger_dynamic_policy_listen_address IP address Ranger dynamic policy plugins connect to this address.
Use localhost for HA.
0.0.0.0 indicates any IP address of the system
(default)
ranger_dynamic_policy_num_connections Integer Maximum number of connections to support from the
dynamic policy plugin.
Default = 20
ranger_dynamic_policy_timeout Integer Number of seconds to wait for a verdict before sending
the default verdict result.
Default = 10

ranger_dynamic_policy_default_verdict 0 or 1 Behavior when Guardium is unreachable or the verdict

times out.
1 = match, 0 = no match
Default = 1
ranger_dynamic_policy_reader_enabled 0 or 1 Enable Hortonworks dynamic policy logging.
1 is enabled.
guard_tap.ini parameters for Cloudera Navigator using Kafka messaging

Guardium supports Cloudera Navigator for collecting audit data using the Kafka messaging system.
Note: Some parameters are configurable through the Guardium user interface or through the Guardium Installation Manager. All parameters are configurable using the
Guardium API.
CAUTION:
Table 2. guard_tap.ini parameters for Cloudera Navigator using Kafka messaging integration
kafka_reader_enabled 0 or 1 Enable Cloudera Navigator integration using Kafka

publish and consume.
1 is enabled.
kafka_bootstrap_servers A comma separated list of host name:port pairs.

The host name:port list is used for establishing the
initial connection to the Kafka cluster. After the initial
Format: host:port,host:port connection is established, all servers in the cluster are
used. You may want to specify more than one
Example:
hostnameofbroker1:9092,hostnameofbroker2:9 bootstrap in case one is down.
092
kafka_use_tls 0 or 1 Indicate whether the Kafka cluster uses TLS.
1 is enabled.
kafka_topic_name String The topic name used by Cloudera Navigator to publish

its audit events to Kafka.
Default value is NavigatorAuditEvents.
kafka_principal String The Kerberos principal name for the S-TAP, which is
used when the Kafka cluster requires Kerberos
Default value is NULL. authentication.
kafka_keytab NULL The path to the Kerberos keytab file on the S-TAP
server.

Task checkpoint cas_task_checkpoint task_checkpoint Internal handle program machine state in case of host failure.
Client checkpoint cas_client_checkpoint client_checkpoint File used to restart processing. A series of files is created. Each version of the file ends
with a unique number. The default is task_checkpoint and client_checkpoint
Checkpoint period cas_checkpoint_period 60 Interval time, in seconds, for the check.
Fail over file cas_fail_over_file fail_over_file Name of the outgoing messages buffer. The database writes to this file when the
Guardium system cannot be reached. During this time, the file can grow to the
maximum size specified. When the limit is reached, a second file is created, using the
same name with the digit 2 appended to the end of the name. (This is the point at which
CAS begins trying to connect to a secondary server.) If that file also reaches the
maximum size, the first file is overwritten. If the first file fills again, the second file is
overwritten. Thus, following an extended outage, you may lose data, but you will have
an amount of data up to twice the size of the Failover File Size Limit.
Fail over file size limit cas_fail_over_file_size_limit 50000 Failover file maximum size, in KB. There are two of these files, so the disk space
requirement is twice what you specify here. If you specify -1, there is no limit on the file
size, but it's recommend that the file size is capped.

Max rec. attempts cas_max_reconnect_attem 5000 Number of reconnect attempts when connection is lost. After losing a connection to the
pts Guardium system, the maximum number of times CAS attempts to reconnect. Set this
value to -1 to remove any maximum (CAS attempts to reconnect indefinitely). The
default cas_max_reconnect_attempts and cas_reconnect_interval define an interval of
about 3.5 days. After the maximum has been met, CAS continues to run, writing to the
failover files, but it does not attempt to reconnect with a Guardium host.
Reconnect interval cas_reconnect_interval 60 Wait time, in seconds, between reconnect attempts.
Raw data limit cas_raw_data_limit 1000 Maximum number of kilobytes written for an item when the Keep data checkbox is
marked in the item template. If you specify -1, there is no limit.
Md5 data limit cas_md5_size_limit 1000 Maximum size of a data item, kilobytes, on which the MD5 checksum calculation is
performed. If you specify -1, there is no limit.
Â cas_command_wait 300 Wait time in seconds before killing a long-running data collection process
Â cas_server_failover_delay 60 Wait time in minutes before trying to connect to another Guardium system
Table 1. CAS
deprecated
parameters
guard_tap.ini
cas_task_baseline
cas_client_baseline
Linux and UNIX systems: Debug parameters

CAUTION:
These parameters are in the [TAP] section on the guard_tap.ini file.
Table 1. S-TAP configuration parameters for debugging
Messages Syslog STAP_SYSLOG_MESSA syslog_messages 1 1= send messages to syslog. 0=do not send messages.
GES
Â Â tap_debug_output_lev 0 S-TAP logs level. Logs are stderr.txt, guard_stap.fam.txt,

el guard_stap.stdout.txt located in the directory specified in tap_log_dir
parameter (by default: /tmp/guard_stap). S-TAP Log Levels:
0: disable
1: basic debug
4: verbose debug
6: Appserver debug
10: Exit engine debug. Debug info is logged into both S-TAP log and
db2_exit log (db2diag.log).
11: exit engine debug. Debug info is only logged into db2_exit log
(db2diag.log).
Messages Remote STAP_REMOTE_MESSA remote_messages 1 Send messages to the active Guardium host.
GES
0=Do not send messages
1=Send messages to the active Guardium system.

These parameters affect the behavior of the K-TAP.
These parameters are located in the [TAP] section of the S-TAP properties.
CAUTION:
Table 1. K-TAP configuration parameters
Default
ktap_installed 1 Is Kernel Monitor module installed: 0=NO, 1=YES. ktap_installed and tee_installed are mutually exclusive; only
one can be set to on.
ktap_request_timeout 5 The timeout, in seconds, for waiting for K-TAP reply. K-TAP sends ioctl to S-TAP to ask for some information, and
waits for the reply from S-TAP. It can have any value.
ktap_dbgev_ev_list 0 It is used to enable K-TAP trace log either through GUI or through guard_tap.ini file: 0=disable, 1=enable ktap
trace log located under /var/tmp directory

Default
ktap_dbgev_func_name all List of functions to log in K-TAP trace log. all= all the functions or we can specify specific function such as accept
so we log in the log file only the accept functions. If you specify a function that is not relevant to the K-TAP trace
log it won't log anything to the log.
ktap_fast_tcp_verdict 1 For TCP connections.

0: "slow" verdict.Â Â KTAP sends information about the session to STAP to ask whether or not the traffic should
beÂ Â intercepted.
1: "fast" verdict.Â Â KTAP decides on its own.
In both cases, the network/exclude network parameters are checked against the incoming IP.
From 10.1.4, the value is 1 after upgrade.
ktap_fast_file_verdict 1 For TLI connection, K-TAP sends ioctl to S-TAP to confirm that session is the database connection configured in
our IE by checking ports and Ips, when ktap_fast_file_verdict is set to 1, then K-TAP does not send the request to
S-TAP as long as session's ports are in the range. it can have either 1 or 0 values (1).
ktap_buffer_size 4194304 Advanced. The size of theK-TAP buffer in Bytes. The range of values is between 1 MB and 16 MB
ktap_buffer_flush 0 Advanced. The way to send messages from K-TAP to S-TAP. If = 1 the S-TAP reads the entire K-TAP buffer and
process all the packets in the buffer. If ktap_flush_buffer=0 , the S-TAP reads a fixed amount rather than the entire
buffer.
ktap_local_tcp 0 1=only intercept local connections (although previously intercepted connections will still be captured) (this
parameter is used for TCP connections)
khash_table_length 24593 Number of sessions that can be stored in the Khash table. It is an integer and can have any value.
khash_max_entries 8192 Length of the table that contains all the information for the specific session. It is an integer and can have any value.
ktap_fast_shmem 1 For db2 shared memory connection
0=KTAP sends ioctl to the STAP to confirm that the session is the database connection configured in the IE
by checking the process ID
1= K-TAP does not send the request to S-TAP as long as session's db2_shmem_size matches the attached
shared memory segment.
ktap_fsmon_buffer_size 4194304 FAM buffer size

Table 2. A-TAP and PCAP configuration parameters
Default
Parameter value Description
atap_exec_location /var/guard Location of the executable that is used when activating A-TAP by enabling the encryption box in the inspection
engine section
pcap_read_timeout 0 only PCAP traffic (non-K-TAP): how long should S-TAP wait between PCAP sampling. Do not change this value
without consulting with Technical Support, after examining the problem and determining the losses (not
capturing all the traffic) are caused due to PCAP/S-TAP related bottleneck.
pcap_dispatch_count 16 Optimization of PCAP capturing; number of packets to bundle (group) before reporting back to S-TAP. Grouping
the packets together can reduce the PCAP-to-S-TAP communication, and boost performance. Do not change this
value without consulting with Technical Support, after examining the problem and determining the losses (not
capturing all the traffic) are caused due to PCAP/S-TAP related bottleneck.
pcap_buffer_size -1 Size of PCAP socket buffer. This parameter is used for LINUX only. This integer's default value is -1, means to get
the maximal buffer possible. Any other case, this is buffer size in kilobytes. 0 is not legal - if it is 0, it means 60
other than that it can be any value up to 65535. Larger buffer mean that it's likely to have losses when there are
busts of high volume traffic. The scenario; Burst of high traffic, PCAP captures everything, but the S-TAP (or
PCAP-to-S-TAP flow) is not fast enough and cannot keep up with the traffic. To avoid losses, the yet-to-be-
processed packets are buffered. The larger the buffer is, the more resilient against higher and longer bursts of
high traffic. Do not change this value without consulting with Technical Support, after examining the problem and
determining the losses (not capturing all the traffic) are caused due to PCAP/S-TAP related bottleneck.
pcap_backup_ktap 1 When this parameter is enabled, always start PCAP regardless if ktap_installed is enabled or not, as long as there
is DB2 defined in IE.
Add parameter to control use of custom KTAP modules distribution via GIM GUI
GIM users - Compile a custom built KTAP into a custom bundle and use it on other database servers.
Non-GIM users - No custom bundles needed, custom KTAP could be compiled and copied between databases server manually.
Parameter Name: GIM_ALLOW_CUSTOM_BUNDLES
Valid values: '1' - allow custom bundles installations . '0' - Reject custom bundle installations
Default value: 1
During GIM scratch installation (DB server) - User can specify a new optional installation parameter, --install_custom_bundles.
If specified, custom bundles installations (for example, custom bundle STAP) will be allowed (GIM_ALLOW_CUSTOMED_BUNDLES will be set to '1') on that DB server.
Otherwise won't be allowed (GIM_ALLOW_CUSTOMED_BUNDLES will be set to '0').
During GIM upgrade (via GIM GUI) from a GIM version that did NOT have this parameter - Default value will be '1' (in order not to disable this functionality for customers
that might have been using this feature until now).

This parameter can be set to either '1' or '0' when using the configurator utility on the DB server.
This parameter cannot be set to '1' from the GUI if the previous value is '0'.
Note: This functionality will be checked during installation time (on the DB server) and NOT while you are assigning or scheduling a bundle installation or a parameter
update (like all the other params are validated).
Affected features: BUNDLE-GIM, configurator.sh, consolidated installer
GuardAPI commands and custom KTAP bundle
In v10
1. STAP_UPLOAD_FEATURE indicator by default is turned on (1) so custom KTAPs when compiled automatically uploaded to appliance
2. In order to compile custom GIM bundle to include new custom KTAP, user need to run grdapi make_bundle_with_uploaded_kernel_module command (need to
have exact syntax of the command)
3. In order to use already compiled CUSTOM BUNDLE on any server customer need to turn on GIM_ALLOW_CUSTOM_BUNDLES indicator to 1 (for security reasons
this have to be done manually on each DB server). Turning GIM_ALLOW_CUSTOM_BUNDLES indicator back to off could be done from appliance.
Linux and UNIX systems: S-TAP operation and performance

Linux and UNIX systems: Stop S-TAP using GIM
Learn how to stop an S-TAP using GIM.
Linux and UNIX systems: Restart S-TAP using GIM
Use GIM to restart the S-TAP without ever having to log into the database server.
Linux and UNIX systems: Stop S-TAP without GIM
Use this procedure for an S-TAP that was installed by script or rpm.
Linux and UNIX systems: Restart S-TAP without GIM
Linux and UNIX systems: S-TAP logs
The UNIX S-TAP has a few log files.
Linux and UNIX systems: How S-TAP/GIM processes are initialized by different OS types/versions
Linux and UNIX systems: Determine the S-TAP version
Linux and UNIX systems: Increasing S-TAP throughput
Linux and UNIX systems: Monitoring S-TAP in the GUI
Linux and UNIX systems: S-TAP statistics
The S-TAP statistics are stored in the database table STAP_STASTICS on the collector. This table stores the statistics sent by the S-TAP to the sniffer. There is no
pre-defined report for this table.
Linux and UNIX systems: S-TAP Monitor (guard_monitor)
The S-TAP Watchdog (guard_monitor) monitors S-TAP performance and responsiveness. You can configure specific actions that are triggered when the S-TAP
exceeds certain thresholds.
Linux and UNIX systems: Troubleshooting S-TAP problems
You can use the S-TAP Status monitor tab of the SystemÂ View to begin investigating any problems. Sometimes you might need to use other tools, particularly if you
are monitoring databases for which the inspection engines cannot be verified.
Linux and UNIX systems: Stop S-TAP using GIM

Learn how to stop an S-TAP using GIM.
About this task

On the database host itself, you can stop S-TAP (and all other GIM modules except GIM itself) by stopping GIM's supervisor service with the command: stop gsvr_<release
number>. Use initctl list to get the list of services statuses.
You can use GIM to stop S-TAP without ever having to log into the database server. Complete the following steps to change the STAP_ENABLED parameter and schedule
the change on the database server.
Procedure
1. Click Manage > Module installation > Set up by Client (v10.1.4: Legacy) to open the Client Search Criteria.
2. Perform a filtered search of registered clients or click Search to view all of the registered clients.
3. Select the clients are the target for the action (stopping S-TAP). If there are more than 20 clients, then the list of clients spreads onto additional pages.
Note: Clicking Select All selects only the clients on the current page being viewed.
5. Select the Module for S-TAP.
6. Click Next button to open the Module Parameters panel.
7. Select the client that is the target for the action (stopping S-TAP).
8. Change the STAP_ENABLED parameter to 0 (zero).
10. Click Install/Update to schedule the update to the targeted clients. This update can be scheduled for NOW or some time in the future.

Linux and UNIX systems: Restart S-TAP using GIM
Use GIM to restart the S-TAP without ever having to log into the database server.
About this task

Complete the following steps to change the STAP_ENABLED parameter and schedule the change on the database server.
Procedure
1. Click Manage > Module installation > Set up by Client (v10.1.4: Legacy) to open the Client Search Criteria
2. Perform a filtered search of registered clients or click Search to perform an unfiltered search of all registered clients.
3. Select the clients that are the target for the action (starting S-TAP). If there are more than 20 clients, then the list of clients spreads onto additional pages.
Note: Clicking Select All selects only the clients on the current page being viewed.
5. Select the Module for S-TAP.
7. Select the client that is the target for the action (starting S-TAP).
8. Change the STAP_ENABLED parameter to 1 (one).
10. Click Install/Update to schedule the update to the targeted clients. This update can be scheduled for NOW or some time in the future.
Linux and UNIX systems: Stop S-TAP without GIM

Procedure
1. Log on to the database server system by using the root account.
2. For Red Hat
a. Find the S-TAP process ID by using ps -fe | grep guard_stap | grep -v grep
b. Kill that process using the command kill
3. For Solaris:
-bash-3.00# svcadm -v disable guard_utap

svc:/site/guard_utap:default disabled.
-bash-3.00# ps -eaf | grep stap
root 2375 1930 0 14:25:36 pts/2 0:00 grep stap
4. From the Guardium system to which this S-TAPÂ® reports, verify that the Status light in the S-TAP control panel is red.
Linux and UNIX systems: Restart S-TAP without GIM

Procedure
1. Log on to the database server system by using the root account.
2. For all non-Red Hat Enterprise Linux
a. Open the /etc/inittab file for editing.
b. Un-comment the following two statements by deleting the comment character (: for AIXÂ®, # for all others) at the start of each line:
#utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
c. Optional. If you are using the TEE monitoring mechanism, un-comment the following two statements by deleting the comment character (: for AIX, # for all
others) at the start of each line.
Note: These processes are not used in the default configuration and must not be started if you are using the K-Tap monitoring mechanism.
#utee:2345:respawn:/usr/local/guardium/guard_stap/guard_tee /usr/local/guardium/guard_stap/guard_tap.ini
#hsof:2345:respawn:/usr/local/guardium/guard_stap/guard_hnt
d. Run the init q command to restart the S-TAPÂ® processes.

3. For Red Hat Enterprise Linux
a. List the currently running agents by using the operating system command initctl list. The output shows the agents that are listed as in the following example:
gim_33264 start/running, process 910

gsvr_33264 start/running, process 2552
b. Start each of the agents by using the start <agent> command where agent would be the first entry in the list from a. See the following example.
start gim_33264
start gsvr_33264
start guard_utap
4. To restart using Solaris services:
bash-3.00# svcadm -v enable guard_utap

svc:/site/guard_utap:default enabled.
-bash-3.00# ps -eaf | grep stap

root 2379 1 0 14:25:57 ? 0:00
/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_
root 2396 1930 0 14:26:00 pts/2 0:00 grep stap
-bash-3.00# svcs guard_utap
STATE STIME FMRI
online 14:25:56 svc:/site/guard_utap:default
-bash-3.00#
5. Run ps -ef | grep stap to verify that S-TAP is running.

6. From the administrator portal of the Guardium system to which this S-TAP reports, verify that the Status light in the S-TAP control panel is green.
Linux and UNIX systems: S-TAP logs

The UNIX S-TAP has a few log files.
guard_stap* logs, located in the filepath specified by tap_log_dir parameter.

guard_stap.stderr.txt: is all the output (and the extra debugging output) of STAP
guard_stap.fam.txt: Exists only if FAM is enabled; it contains all the output (and extra debug) of FAM monitoring.
guard_stap.stdout.txt. Since v10.1.4, it is present in the system, but not used.
UNIX system log (/var/adm/syslog, /var/log/messages, name and location as relevant on the particular system): contains K-TAP module output messages (along
with output messages from all other kernel tasks).
Linux and UNIX systems: How S-TAP/GIM processes are initialized by different OS
types/versions
OS Version Â Initialization method
AIX 6.1 PowerPC inittab
HP-UX 11.11 pa9000 inittab
HP-UX 11.23 IA-64 inittab
HP-UX 11.31 IA-64 inittab
RHEL 4 i686 inittab
RHEL 4 IA-64 inittab
RHEL 4 x86_64 inittab
RHEL 5 i686 inittab
RHEL 5 IA-64 inittab
RHEL 5 ppc64 inittab
RHEL 5 s390x inittab
RHEL 6 i686 inittab
RHEL 6 ppc64 inittab
RHEL 6 s390x inittab
RHEL 7 ppc64le systemd
RHEL 7 ppc64 systemd
RHEL 7 s390x systemd
RHEL 7 x86_64 systemd
SUSE 11 i686 inittab
SUSE 11 ppc64 inittab
SUSE 11 s390x inittab
SUSE 11 x86_64 inittab
SUSE 12 ppc64le systemd
SUSE 12 s390x systemd
SUSE 12 x86_64 systemd
Ubuntu 10.04 x86_64 inittab

OS Version Â Initialization method
Ubuntu 12.04 x86_64 upstart
Ubuntu 14.04 x86_64 upstart
Ubuntu 16.04 x86_64 systemd
Solaris 5.10 i386 service
Solaris 5.10 i386_64 service
Solaris 5.10 SPARC service
Solaris 5.11 i386_64 service
Solaris 5.11 SPARC service
Upstart servers
When using Upstart servers, the following are the start and stop commands on the Database server:
To stop S-TAP process:
stop utap
To start S-TAP process:
start utap
To stop GIM and supervisor processes:
stop gim_revision#
stop gsvr_revision#
Example, stop gim_46743
To start GIM and supervisor processes:
start gim_revision#
start gsvr_revision#
Example: start gim_46743
To verify status of Guardium product on the system:
initctl list
status utap
Systemd servers
When using systemd servers, the following are the commands on the Database server:
systemctl stop guard_utap.service
systemctl start guard_utap.service
systemctl stop guard_gim.service
systemctl stop guard_gsvr.service
systemctl start guard_gim.service
systemctl start guard_gsvr.service
To verify status of Guardium product on the system:
systemctl -t service -a|grep guard
Services servers
When using services servers, the following are the commands on the Database server:
svcadm -v disable guard_utap
svcadm â€“v enable guard_utap

svcadm â€“v disable guard_gim
svcadm â€“v disable guard_gsvr
svcadm â€“v enable guard_gim
svcadm â€“v enable guard_gsvr
To verify status of Guardium product on the server:
svcs | grep guard
Linux and UNIX systems: Determine the S-TAP version

Procedure
1. From the GUI, the S-TAPÂ® version number is displayed in Manage > System View > S-TAP Status Monitor
2. Alternatively, you can display the S-TAP version number from the UNIX command line of the database server, by running the guard_stap binary with the -version or
--version argument For example, assuming the S-TAP is installed in the default installation directory, enter one of these commands:
-bash-3.2# <guardium_base>/modules/STAP/current/guard_stap --version
-bash-3.2# <guardium_base>/guard_stap/guard_stap --version

STAP-doberman_r20511_1-20100728_0514
Linux and UNIX systems: Increasing S-TAPÂ® throughput

You can configure any S-TAP to create multiple threads to increase the throughput of data. If the S-TAP configuration file defines more than one Guardium system, a
thread can be created for each Guardium system. S-TAP creates extra threads, matching the number of Guardium systems, in v10.1.4 and higher up to 10 threads. When
participate_in_load_balancing parameter is set to 4, the K-TAP creates a similar number of buffers matching the number of Guardium systems up to 5 threads. The K-TAP
alternates between the buffers, placing entire packets in each buffer. Each S-TAP thread reads from a different K-TAP buffer, and sends traffic data to a single Guardium
system.
In this configuration, no one Guardium receives all the data from the S-TAP. The distribution is similar to that used when participate_in_load_balancing is set to 1.
Attention: Prior to V10 GPU200, when a Guardium system becomes unavailable, no failover is provided. Data that was being sent to a Guardium system is lost until the
system becomes available or the configuration is changed.
Attention: Prior to V10 GPU300, if the S-TAP configuration file defines more than one Guardium system, a thread can be created for each Guardium system. This feature is
activated only when participate_in_load_balancing parameter is set to 4.
Encrypted and unencrypted A-TAP traffic cannot be sent to the same Guardium system. This is similar to the situation when participate_in_load_balancing is set to 1


You can define new queries or reports on the Rogue Connections domain, and you can create alerts that are based on exceptions that are created by S-TAPs, but other
domains that are used by S-TAP reports are system-private and cannot be accessed by users. Â
System View
S-TAP Status Monitor in the System Monitor window: For each S-TAP reporting to this Guardium system, this report identifies the S-TAP Host, S-TAP Version, DB Server
Type, Status (active or inactive), Last Response Received (date and time), Instance Name, Primary Host Name, and true/false indicators for: KTAP, TEE, MS SQL Server
Shared Memory, DB2Â® Shared Memory, Win TCP, Local TCP monitoring, Named Pipes Usage, Encryption, Firewall, DB install Dir, DB port Min and DB Port Max.
S-TAP Status Monitor: For each S-TAP reporting to this Guardium system, this report identifies the S-TAP Host, DB Server Type, S-TAP Version, Status (active or inactive),
Inspection Engine status, Last Response Received (date and time), Primary Host Name, and true/false indicators for: Firewall and Encrypted. Click the S-TAP Status and
the Inspection Engine status to see the Verification status on all Inspection Engines.
S-TAP Events: For each S-TAP reporting to this Guardium system, this report identifies the S-TAP Host, Timestamp, Event type (Success, Error Type, and so on), and Tap
Message.
If no messages display in the S-TAP Events panel, the production of event messages may have been disabled in the configuration file for that S-TAPÂ®. If this is the case,
you may be able to locate S-TAP event messages on the host system in the syslog file.
Tap Monitor
Rogue Connections: This report is available only when the Hunter option is enabled. The Hunter option is only used when the Tee monitoring method is used. This report
lists all local processes that have circumvented S-TAP to connect to the database.

S-TAP Configuration Change History: This report is displayed only when an inspection engine is added or changed. Lists S-TAP configuration changes â€“ each
inspection engine change is displayed on a separate row. Each row lists the S-TAP Host, DB Server Type, DB Port From, DB Port To, DB Client IP, DB Client Mask, and
Timestamp for the change.
Primary GuardiumÂ® Host Change Log: Log of primary host changes for S-TAPs. The primary host is the Guardium system to which the S-TAP sends data. Each line of the
report lists the S-TAP Host, Guardium Host Name, Period Start, and Period End.
S-TAP Status: Displays status information about each inspection engine that is defined on each S-TAP Host. This report does not have From and To date parameters, since
it is reporting current status. Each row of the report lists the S-TAP Host, DB Server Type, Status, Last Response, Primary Host Name, Yes/No indicators for the following
attributes: K-TAP Installed, TEE Installed, Shared Memory Driver Installed, DB2 Shared Memory Driver Installed, Named Pipes Driver Installed, and App Server Installed.
In addition, it lists the Hunter DBS.
Inactive S-TAPs Since: Lists all inactive S-TAPs that are defined on the system. It has a single runtime parameter: QUERY_FROM_DATE, which is set to now -1 hour by
default. Use this parameter to control how you want to define inactive. This report contains the same columns of data as the S-TAP Status report, with the addition of a
count for each row of the report.
Linux and UNIX systems: S-TAP statistics

The S-TAP statistics are stored in the database table STAP_STASTICS on the collector. This table stores the statistics sent by the S-TAP to the sniffer. There is no pre-
defined report for this table.
To access, use the GUI. You can create alerts based on results.
The time interval is in hours (example, 5 is every 5 hours). Use - (minus) for a time interval less than 1 hour.
Fields in Table
TIMESTAMP
SOFTWARE_TAP_HOST
TOTAL_BYTES_SO_FAR
TOTAL_BYTES_DROPPED_SO_FAR
TOTAL_BYTES_IGNORED
TOTAL_BUFFER_INIT
IOCTL_REQUESTS
TOTAL_RESPONSE_BYTES_IGNORED
System CPU%
System Idle%
STAP CPU%
Buffer recycled

The S-TAP Watchdog (guard_monitor) monitors S-TAP performance and responsiveness. You can configure specific actions that are triggered when the S-TAP exceeds
certain thresholds.
Note: On HP-UX 11.11, the information about the process command is limited to 64-characters. This means that if the full path to the guard_stap binary is longer than 64-
characters, the Guardium monitor cannot recognize it.
Monitoring covers:
CPU utilization: checked with the ps command or using cpu time from procfs
CPU responsiveness to polling: checked by sending the S-TAP process a console request and waiting for a response.
If S-TAP CPU utilization exceeds the configured threshold, or if S-TAP does not respond to the console request, the following actions can be taken:
Automatically run guard_diag.

Automatically kill the S-TAP process.
Automatically core dump and kill the S-TAP process.
Automatically trace S-TAP process.
Guard Monitor installs automatically at the end of the S-TAP installation. There are no user prompts and no install progress is shown. During S-TAP uninstall, Guard
Monitor is automatically uninstalled. The user no longer has the option to reboot in the installer and is instead just notified that a reboot is necessary to complete the
uninstall. This reboot is not critical but it is necessary if the user intends to install S-TAP again on the system. If the user uninstalls, does not reboot, and then tries to
reinstall there will be an popup blocking the installation notifying the user that S-TAP is partially installed and the server needs to be rebooted.
The guard_monitor runs with its configuration file, guard_monitor.ini as its argument. The monitor is controlled by using the guard_monitor.ini file. For Shell installations,
you can make all configuration changes directly on the configuration file. For GIM, use the interface in the GUI to make any changes.
Guard_monitor is not enabled by default. In shell installations, enable it from inittab by uncommenting the â€œumonâ€ line, or by using the services control facility for
the particular Operating Systems (initctl for RedHat 6, systemctl for RedHat 7, SMF for Solaris 10 and up). For GIM installations, guard_monitor is enabled by setting
STAP-UTILS_START_MONITOR=y.
Note: guard_monitor requires administrative privileges (root).
The default location for the S-TAP Monitor output is /var/tmp/monitor. This location can be configured from guard_monitor.ini (configuration file). See the example of the
guard_monitor.ini file at end of this topic.
After enabling guard_monitor, make sure the process is running on the database server.

Examples of settings
Default thresholds are provided for each function. For example, you might want to monitor CPU usage, and set one threshold (75%) for gathering diagnostic
information and a higher threshold (85%) at which the S-TAP is killed. You would set auto_diag=1 to enable gathering of diagnostic information, and
diag_high_cpu_level=7500 to gather diagnostic information when CPU usage reaches 75%. Then set auto_kill_on_cpu_enable=1 to enable automatic killing of the
S-TAP process, and set auto_kill_on_cpu_level=8500 to kill the process when CPU usage reaches 85%.
But you may not want to keep killing the S-TAP process repeatedly, so you can set a limit on that as well. You can limit how many times the process can be killed
within one hour by setting kill_num_in_hour=5. Then specify what should happen when the limit is reached: code final_action=1 to disable the S-TAP, or
final_action=2 to allow it to continue running.
Guard_monitor CPU polling parameters

guard_monitor.ini GIM Description Default
poll_cpu_interval STAP-UTILS_MONITOR_POLL_CPU_INTERVAL Interval, in seconds, at which guard_monitor 10

checks S-TAP CPU utilization.
When checking CPU utilization, guard_monitor

measures the average CPU utilization over the life
of the guard_stap process using ps. This means
that S-TAP has to run above the CPU threshold
for some time before guard_monitor detects a
problem.
cpu_measurement_timeslice Â Interval over which CPU consumption is 5

measured, in seconds. When set to 0,
consumption is measured across the life of the
process.
poll_stap_interval STAP-UTILS_MONITOR_POLL_STAP_INTERVAL Interval at which guard_monitor sends a console 10

S-TAP request, in seconds.
cpu_measurement_mode NA Method for calculating CPU consumption: 0
Introduced in v10.1.4 0: measure CPU consumption relative to one core
1: measure CPU consumption out of total CPU

capacity of Guardium system.
nonresponsive_action NULL Action taken when S-TAP does not respond to

polls.
diags
trace
NULL
Auto-Diag action
If S-TAP CPU utilization exceeds the configured threshold, the most basic action guard_monitor takes is an automatic guard_diag.
By default, the output from the guard_diag is placed in /var/tmp. The file name is derived from the machine name, and the time/date run; it always starts with
diag.ustap.
auto_diag STAP-UTILS_MONITOR_AUTO_DIAG Enables automatic guard_diag. 0=no, 1=yes. 1
diag_high_cpu_level STAP-UTILS_MONITOR_DIAG_HIGH_CPU_LEVEL The S-TAP CPU threshold at which guard_monitor 7500

initiates a guard_diag. Enter (%CPU threshold*100).
v10.1.4 and higher: When
cpu_measurement_mode=1, the % can be higher than
100.
diag_num STAP-UTILS_MONITOR_DIAG_NUM Enables creation of more than one guard_diag output. 2

Integer.
Auto-Kill action
Use these parameters to configure the S-TAP auto-kill.
auto_kill_on_cpu_enable STAP-UTILS_MONITOR_AUTO_KILL_ON_CPU_ENABLE Enable automatic S-TAP kill. 0=no, 1=yes.
auto_kill_on_cpu_level STAP-UTILS_MONITOR_AUTO_KILL_ON_CPU_LEVEL The S-TAP CPU threshold at which guard_monitor kills 8500
S-TAP. Enter (%CPU threshold*100). v10.1.4 and
higher: When cpu_measurement_mode=1, the % can
be higher than 100.
kill_num_in_hour STAP-UTILS_MONITOR_KILL_NUM_IN_HOUR The maximum number of times guard_monitor is killed 5

in an hour. Integer value.
final_action STAP-UTILS_MONITOR_FINAL_ACTION Action taken when max kills per hour is reached.
1 = Disable S-TAP.
2 = Stop killing S-TAP and let it continue.

Core dump S-TAP before kill
Some S-TAP issues, such as when S-TAP gets stuck in a loop, require more information than provided in the guard_diag output.
The guard_monitor performs automatic core dumping of the S-TAP process. The guard_monitor core dumps S-TAP before killing the process (if S-TAP auto kill is
enabled).
Location of core dumps created by guard_monitor: /var/tmp/monitor/coredumps
These parameters configure auto core dumps:
guard_monitor.ini Description Default
force_core_before_kill The type of core dump to generate:
sigsegv: This is the most portable of the options, but requires the SA to configure
ulimit to enable core dumping.
gcore: The most useful, but requires gcore to be installed on the system. Linux
platforms only.
pstack: Least useful of the options, but may be the only utility available on certain
systems. Linux platforms only.
NULL: disabled
force_core_when When to collect a core dump: always
Introduced in v10.1.4 limitsexceeded: collect core when S-TAP is killed due to exceeding a resource limit
nonresponsive: collect core when S-TAP is killed due to it being nonresponsive
always: always collect core
kill_oldcore_saved Integer. Specifies whether generated core dumps are saved. When set to non-zero,
guard_diag keeps all core dumps generated. Otherwise, it deletes the old core
dumps each time a new one is generated.
Example of guard_monitor.ini
The following section header is required for GIM to recognize this .ini file.
; otherwise, it serves no purpose
[TAP]
; output dir for monitor logs, diags, traces, etc.
monitor_output_dir=/var/tmp
; location of guardium installation (need not be where monitor is installed, for example, /usr/local)
stap_dir=/usr/local
; ip to connect to for downloading configuration file and uploading diags and trace output
; this is parsed out of the guard_tap.ini, but backup value here is kept in sync
sqlguard_ip=NULL
; polling interval to verify that server end is still alive (secs)
poll_server_interval=20
; polling interval to check CPU level (secs)
poll_cpu_interval=10
; polling interval to communicate with STAP (secs)
poll_stap_interval=10
; maximum file size of monitor log file (KB)
monitor_log_rotate_size=1024
; number of rotated monitor logs to keep
monitor_log_rotate_num_kept=5
; maximum file size of log files (KB)
log_rotate_size=4096
; number of rotated logs to keep
log_rotate_num_kept=5
; logs to rotate
logs_to_rotate=/tmp/guard_stap.stderr.txt,/tmp/guard_stap.stdout.txt,/usr/local/guardium/guard_stap/ktap/ktap_install.log,/us
r/local/guardium/guard_stap/guard_discovery.stderr.log
; maximum number of STAP kills per hour (doesn't count kills resulting from auto_kill_on_intercept)
kill_num_in_hour=5
; disable STAP when kills per hour limit hit or disable kills and let STAP continue
; disable STAP: 1; disable kill: 2
final_action=2
; automatic kill STAP on CPU level on/off (1/0)
auto_kill_on_cpu_enable=0
; CPU level for kill (% * 100)
auto_kill_on_cpu_level=8500
; snif timeout for kill (secs, 0 disabled)
auto_kill_on_snif_timeout=0
; KTAP timeout for kill (secs, 0 disabled)
auto_kill_on_ktap_timeout=0
; PCAP timeout for kill (secs, 0 disabled)
auto_kill_on_pcap_timeout=0
; TEE timeout for kill (secs, 0 disabled)
auto_kill_on_tee_timeout=0
; SHMEM timeout for kill (secs, 0 disabled)
auto_kill_on_shmem_timeout=0
; automatic diags on/off (1/0)
auto_diag=1
; number of diags runs
diag_num=2
; time between diags runs (mins)
diag_interval=2

; keep old diag files or not yes/no (1/0)
diag_oldrun_saved=0
; kill STAP process after diags yes/no (1/0)
diag_auto_kill=0
; CPU level to trigger diags (% * 100)
diag_high_cpu_level=7500
; snif timeout to trigger diags (secs, 0 disabled)
diag_snif_timeout=0
; KTAP timeout to trigger diags (secs, 0 disabled)
diag_ktap_timeout=0
; PCAP timeout to trigger diags (secs, 0 disabled)
diag_pcap_timeout=0
; TEE timeout to trigger diags (secs, 0 disabled)
diag_tee_timeout=0
; SHMEM timeout to trigger diags (secs, 0 disabled)
diag_shmem_timeout=0
; automatic trace on/off (1/0)
auto_trace=0
; max time to run trace (secs)
trace_max_time=30
; max log file size for trace (MB)
trace_max_log_size=10
; keep old trace log files yes/no (1/0)
trace_oldlog_saved=0
; kill STAP when trace runs to completion yes/no (1/0)
; (e.g. is not cancelled due to low CPU)
trace_kill_on_complete=0
; CPU level to trigger trace (% * 100)
trace_high_cpu_level=6000
; low CPU level to cancel trace (% * 100)
trace_low_cpu_level=3500
; timeout for snif communication trigger (secs, 0 disabled)
trace_snif_timeout=0
; timeout for KTAP communication trigger (secs, 0 disabled)
trace_ktap_timeout=0
; PCAP timeout to trigger trace (secs, 0 disabled)
trace_pcap_timeout=0
; TEE timeout to trigger trace (secs, 0 disabled)
trace_tee_timeout=0
; SHMEM timeout to trigger trace (secs, 0 disabled)
trace_shmem_timeout=0
; auto-kill STAP when we're not intercepting databases that are configured yes/no(1/0)
; feature is also disabled when guard_tap.ini shows that STAP is running as root
auto_kill_on_intercept=0
; minimum time between STAP requested kills (mins)
intercept_min_time_interval=15
; maximum number of intercept kills per hour
intercept_max_num_in_hour=0
; number of seconds across which CPU consumption is measured (secs, 0 disabled)
; when disabled, CPU consumption is measured across the life of the process
cpu_measurement_timeslice=0
; method for calculating CPU consumption (0 or 1)
; 0: measure CPU consumption relative to one core
; 1: measure CPU consumption taking number of cores into account
cpu_measurement_mode=0
; when to collect a core dump (always, limitsexceeded, nonresponsive)
; limitsexceeded: collect core when STAP is killed due to exceeding a resource limit
; nonresponsive: collect core when STAP is killed due to it being nonresponsive
; always: always collect core
force_core_when=always
; STAP nonresponsive action

; run diags before killing STAP : diags
; collect trace before killing STAP: trace
; no collection, just kill STAP : NULL
nonresponsive_action=diags
Linux and UNIX systems: Troubleshooting S-TAP problems

You can use the S-TAP Status monitor tab of the SystemÂ View to begin investigating any problems. Sometimes you might need to use other tools, particularly if you are
monitoring databases for which the inspection engines cannot be verified.
If an S-TAP is not connected to your Guardium system

Check whether the IBM Security Guardium S-TAP service is running on the database server:
On the database server, from the command line, run the command ps -ef | grep stap to verify that the S-TAPÂ® process is running. In the process list, look for
/guardium/guard_stap.
How can I find the S-TAP version?
From the GUI, the S-TAP version number is displayed in Manage > System View > S-TAP Status Monitor
Alternatively, you can display the S-TAP version number from the command line of the database server.
Run debug from the command line to quickly identify configuration issues
Use the syntax <stap_program> <parameter_file> <debug_level>, where 4 is the level for normal debug. (Other values do different things, not all of them debug).
For example: /usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini 4
Verify the connection between the database server and the Guardium system
Verify that you can ping the Guardium system at sqlguard_ip from the database server.
If the ping is successful, verify that you can telnet to the following ports on the Guardium system: 16016/16018

If there is a firewall between the database server and the Guardium system
Verify that the following ports are open for traffic between these two systems: TCP Port 16016 or TLS Port 16018 for encrypted connections.
Note: Use the following command to check the port availability: nmap -p port guardium_hostname_or_ip
Verify that the sqlguard_ip parameter is set to the correct guardium_hostname_or_ip for the Guardium system that you are connecting to.
2. Locate the S-TAP Host for the IP address that corresponds to your database server.
3. Expand the Guardium Hosts subsection, and verify that the active Guardium Host is correctly configured.
4. If necessary, click Modify to update the Guardium Hosts.
Verify that the S-TAP process is not repeatedly restarting

On the database server, run the command ps -eaf | grep stap to verify that the process for S-TAP is not changing.
Verify that S-TAP Approval is not turned on
If S-TAP Approval is turned on, any new S-TAP that connects to the Guardium system is refused.
1. Click Manage > Activity Monitoring > S-TAP Certification to open S-TAP Certification.
2. Look at the S-TAP Approval Needed check box. If this box is checked, new S-TAPs can connect to this Guardium system only after they have been added to
the list of approved S-TAPs.
3. If S-TAP Approval is turned on, select Daily Monitor > Approved Tap Clients to view a list of approved S-TAPs. If the S-TAP that you are investigating is not on
this list, return to the S-TAP Certification pane, enter the IP address of the S-TAP in the Client Host field, and click Add.
If the S-TAP shows green status but no data is being processed

Check the status of the A-TAP.
S-TAP verification issues
communicated to the Guardium system. Your S-TAP could be configured in a way that prevents the inspection engine message from reaching the Guardium system
from which the request was made.
These configuration details include:
Load balancing: if the S-TAP is configured to return responses to more than one Guardium system, the error message could be sent to a different Guardium
system.
Failover: If secondary Guardium systems are configured for the S-TAP, the error message could be sent to a secondary Guardium system if the primary
Guardium system is too busy.
Db_ignore_response: if the S-TAP is configured to ignore all responses from the database, it does not send error messages to the Guardium system.
Client IP/mask: if any mask is defined that is not 0.0.0.0, it could prevent the error message from being sent.
Exclude IP/mask: if any mask is defined that is not 0.0.0.0, it could prevent the error message from being sent.
Related topics:

DB2 for IBM i S-TAP

You can use the Guardium DB2 for i S-TAP to monitor and report on any database access on IBM i. This includes any programs, such as RPG, that use native database I/O
operations or SQL access.
You can use information gathered by the Guardium DB2 for i S-TAP to create activity reports, help you meet auditing requirements, and generate alerts of unauthorized
activity. Detailed auditing information includes:
Session start and end times

TCP/IP address and port
Object names (for example, tables or views)
Users
SQLSTATEs
Job and Job numbers
SQL statements and variables
Client special register values
Interface information, such as ODBC, ToolboxJDBC, Native JDBC, .NET, and so on
The S-TAP receives data from two sources:
SQL Performance Monitor (otherwise known as database monitor) data for SQL applications
Audit entries from the QSYS/QAUDJRN audit journal for applications using non-SQL interfaces
Data from these sources includes:
Any SQL access whether it is initiated on the IBM i server or from a client
Any native access that is captured in the audit journal
The S-TAP sends this data to the Guardium system in real time.
For more information about the DB2 for i S-TAP and related topics, refer to these sources:
Using IBM Security Guardium for monitoring and auditing IBM DB2 for i database activity: this developerWorks article introduces IBM Guardium, the DB2 for i S-
TAP, and key related details.
IBM i on IBM Knowledge Center: look here for information about IBM i, audit journaling, and other related topics.
i S-TAP for encryption, load balancing, and failover

The IBM i S-TAP supports TLS encryption and S-TAP session load balancing/failover.
Note: i S-TAP TLS support and load balancing is supported only for IBM i 7.1 and 7.2.
Similar to UNIX S-TAPs, i S-TAP configuration parameters are saved in a guard_tap.ini file in the /usr/local/guardium directory on the IBM i server.
Administrators configure the S-TAP is done using the same APIs and UI (S-TAP Control) as other UNIX S-TAPS. When the GUI or API is used to make a change to the S-
TAP configuration, the Guardium sniffer sends a message to the S-TAP, which backs up the old .ini file, saves the configuration to the new .ini file and then restarts itself.
Administrators can set up encrypted communication between the S-TAP and the appliance using the S-TAP configuration controls as well as set up various load balancing
options.
Using S-TAP failover and load balancing
The failover and load balancing options for the i S-TAP are similar to what exists for UNIX S-TAPs. Use the participate_in_load_balancing parameter to determine
whether to use failover or load balancing behavior, and use the SQLGuard sections of your S-TAP to set up primary, secondary, and tertiary Guardium hosts.
One difference is that there is no need for participate_in_load_balancing=3; because of the way the I S-TAP communication is architected, complete session
information is available on each message. This means that even before the enhancements delivered in this patch, you could have used hardware balancing (such as
F5) with participate_in_load_balancing=1 and a virtual IP address in the primary SQLGuard section of the configuration file.
In a failover configuration, the S-TAP is configured to register with multiple collectors, but only send traffic to one collector at a time
(participate_in_load_balancing=0). The S-TAP in this configuration sends all its traffic to one collector unless it encounters connectivity issues to that collector that
triggers a failover to a secondary collector.
How to use AppEvent from IMS

The data holding user information of an APP_EVENT DLI call needs to have similar syntax as GuardAppEvent api.
The first two bytes represent ccsid of the encoding of the following bytes. For example, 0x04B8 stands for ccsid 1208. The following bytes need to have the syntax as
below:
SELECT
â€˜GuardAppEvent:Startâ€™,
â€˜GuardAppEventType:typeâ€™,
â€˜GuardAppEventUserName:nameâ€™,
â€˜GuardAppEventStrValue:stringâ€™,
â€˜GuardAppEventNumValue:numberâ€™,
â€˜GuardAppEventDateValue:dateâ€™
FROM DUAL
For further reference for type, name, string, number, date, check GuardAppEvent API.
Currently, only UTF8 encoding is supported.
Monitoring strategy
Make your monitoring and auditing effective and efficient by developing a strategy that recognizes and fulfills your regulatory and other requirements.
Installing the S-TAP for IBM i
Follow these steps to install or uninstall the S-TAP.
Defining the S-TAP for IBM i
After you install the S-TAP, ensure that it can communicate with the Guardium system.
Monitoring strategy
Make your monitoring and auditing effective and efficient by developing a strategy that recognizes and fulfills your regulatory and other requirements.
After you know what data you need, develop a strategy for collecting it with as little extraneous data as possible. Monitoring and logging data that you do not need uses up
disk space and processing power, and generates extra network traffic. There are several areas where you can implement your strategy:
Database monitoring
The global SQL monitor captures SQL information and puts it into a queue for the S-TAP. You can use the filtering capabilities of the monitor to control which types
of users and objects are queued. By default, these types of entries are not forwarded from the S-TAP to the Guardium system:
SQL Abbreviation Meaning
AD ALLOCATE DESCRIPTOR
CL CLOSE
DA DEALLOCATE DESCRIPTOR
DE DESCRIBE
EX EXECUTE (the SQL statement executed is audited)
FE FETCH
FL FREE LOCATOR
GD GET DIAGNOSTICS
GS GET DESCRIPTOR

HL HOLD LOCATOR
PR PREPARE (except authorization errors are captured)
RE RELEASE
RG RESIGNAL
SC SET CONNECTION
SD SET DESCRIPTOR
SG SIGNAL
Audit journal
You can configure the system audit journal to capture only those entries that concern objects of interest or users of interest. By default, entries of these types are
sent from the S-TAP to the Guardium system:
SQL Abbreviation Meaning
ZR Read object
ZC Change object
CA Authority change
AD Auditing change
AF Authority failure
CO Create object
DO Delete object
SV System Value change
GR General purpose audit record
OM Object moved or renamed
PG Primary group change
PW Invalid password or user ID
OW Change owner
OR Object restored
RA Restore authority change
RO Restore owner change
RZ Restore primary group change

Only those entries that relate to database objects are forwarded:
*FILE (a table, view, index, logical file, alias, or device file)

*SQLUDT (an SQL user-defined type)
*SQLPKG (an SQL package)
*PGM (a procedure, function, or program)
*SRVPGM (a procedure, function, global variable, or service program)
*DTAARA (an SQL sequence)
On the Guardium system

You can define policies that control which information that is received from the S-TAP is ignored, and what actions to take based on other items.
Ignoring data after it has been sent over the network is inefficient. Wherever possible, filter out information that you do not need before it is queued for the S-TAP.
Parent topic: DB2 for IBM i S-TAP
Installing the S-TAP for IBM i

Follow these steps to install or uninstall the S-TAP.
Before you begin

The DB2 for i S-TAP requires Portable Application Solutions Environment (PASE), which is automatically started and stopped as needed when a user starts and stops the
DB2 for i S-TAP from the IBM Guardium user interface.
You must know the IP address of the Guardium system to which this S-TAP will connect.
When you download the S-TAP, be sure to filter for the IBM i platform, to ensure that you download the correct package.
About this task

The Guardium Installation Manager (GIM) is not supported on IBM i.
You can use 5250 emulator software to connect to the IBM i system remotely.
Procedure
1. On the IBM i server, enter this command to open the PASE shell: call qp2term.
2. In the PASE shell environment, create a temporary directory to hold the S-TAP installation script, such as /tmp.
3. Use FTP to move the following S-TAP installation shell script to that temporary directory: guard-itap-9.0.0_rnnnnn-aix-5.3-aix-powerpc.sh
4. In the same directory, run this command:

guard-itap-9.0.0_rnnnnn-aix-5.3-aix-powerpc.sh guardium_host_IP
where guardium_host_IP is the IP address of the Guardium system.
Results
The S-TAP is installed in /usr/local/guardium. After the installation is complete, the S-TAP attempts to start the processes that enable activity monitoring and to connect to
the Guardium system by using the IP address that was specified with the installation command.
What to do next
To validate the successful installation and start of the audit process, log in to the IBM Guardium web console as an administrator, navigate to the System View tab, and
check the status of the S-TAP.
Uninstalling the S-TAP
Procedure
To stop and uninstall the S-TAP, issue these commands:
RUNSQL SQL('call SYSPROC/SYSAUDIT_End') COMMIT(*NONE)

RMVDIR DIR('/usr/local/guardium') SUBTREE(*ALL)
Defining the S-TAP for IBM i

After you install the S-TAP, ensure that it can communicate with the Guardium system.
Before you begin

You must know the log-in credentials for the IBM i system.
About this task

The high-level steps to configure the S-TAP are:
1. Define DB2 for i as a recognized data source to IBM Guardium and test the connection.
2. Populate the Guardium system with information from the configuration file on IBM i that was created when you installed the DB2 for i S-TAP, using the Custom
Table Builder process.
3. Create a DB2 for i configuration report. It is from this report interface that you can invoke the Guardium APIs that enable you to start and stop the monitoring
process, get status information, and update configuration parameters, including filtering values.
Procedure
1. Click Setup > Tools and Views > Datasource Definitions to open the Datasource Builder. Select Custom Domain from the Application Selection box. Click Next.
2. In the Datasource Finder, click New, which opens the Datasource Builder.
3. Select DB2 for i as the Database Type and then add the appropriate information for the host, service name, and credentials. Click Apply.
4. Click Test Connection to ensure that the configuration succeeded.
5. Click Tools > Report Building.
6. Click Custom Table Builder. Select DB2 for i S-TAP Configuration and then click Upload Data. The Datasource Finder displays a list of DB2 for i S-TAPs.
7. Select your DB2 for i data source from the list/ Click Add.
8. On the Import Data screen, ensure the DB2 for i data source appears. Click Apply and then click Run Once Now. You should see a message that the operation ended
successfully with one row inserted.
9. Click Customize in the Guardium title bar. Then click Add Pane.
10. Give the pane a new name, such as My New Reports, and then click Apply.
11. My New Reports appears in the Customize pane. Click the icon next to the name. In the Layout dropdown list, choose Menu Pane. Click Save. Your new pane
appears as a tab.
12. Click Report Building in the navigation pane.
13. From the query dropdown list, click DB2 for i S-TAP configuration, then click Search.
14. Select the DB2 for i S-TAP configuration and then click Add to My New Reports (or the name that you specified in step 10).
15. Open the My New Reports tab, which now displays the IBM i report row. Double-click a row in the report and select Invoke. A list of IBM Guardium APIs that you
can select is displayed.
16. Select update_istap_config.
17. When you select a Guardium API, the parameters for that API are displayed. You can change any values that you need to. Change the value of the start_monitor
parameter to 1. Click Invoke Now.
Results
Using the data that you have entered, the update_istap_config API performs these tasks:
Creates the message queue that will be used to send entries from the S-TAP to the Guardium system and starts a global database monitor using a view with an
INSTEAD OF trigger, which sends the entries to the message queue.
Starts PASE and the S-TAP.
Receives journal entries from QAUDJRN and adds them to the message queue.

You can use the GuardiumÂ® Installation manager (GIM) to install and maintain Guardium components on managed servers.
The GIM component includes a GIM server, which is installed as part of the Guardium system, and a GIM client, which must be installed on servers that host databases or
file systems that you want to monitor. The GIM client is a set of Perl scripts that run on each managed server. After you install the GIM client, it works with the GIM server
to perform these tasks:
Check for updates to installed software

Transfer and install new software
Uninstall software
Update software parameters
Monitor and stop processes that run on the database server
For example, you can use GIM to install your S-TAP modules and keep them up-to-date.
The GIM client uses port 8444 to communicate with the GIM server.
You can use the GIM server through the Guardium user interface or through the command-line interface (CLI).
The software modules that you can deploy by using GIM are packaged as GIM bundles. A bundle is a file of type gim that contains software that can be deployed by using
GIM.
If your environment includes a Guardium system that is configured as a central manager, you must decide which Guardium systems you want to use as GIM servers. You
can either manage all of your GIM clients, up to 4000, from a single Guardium system, such as the central manager, or you can manage them in groups from the different
Guardium systems. If you manage all of your GIM clients from a single Guardium system, then you can view the status of all the GIM clients and perform related tasks
from that one UI. If you choose to manage your GIM clients in groups from separate Guardium systems, then you can use each UI to work with the GIM clients that it
manages; no overall view is available.
If you upgrade to Version 10.0 from V9.0 GPU patch 50 or later, there is no change in how you can view information about GIM clients. If you upgrade from an older
version, these restrictions apply: After you upgrade your Central Manager, you can still view information about GIM clients that are assigned to other Guardium systems,
but you can no longer do provisioning to those GIM clients from the Central Manager. After you upgrade all your Guardium systems, you can view each GIM client only from
the Guardium system that is its GIM server.
To manage large numbers of GIM installations, you can create groups of GIM clients. Then, you can use the groups to install, update, and manage software bundles.
The GIM client monitors the processes that you install by using GIM. It checks the heartbeat of each process once each minute, and passes status changes for the
processes to the GIM server. The status of each process is displayed on the Process Monitoring panel. Changes are reflected within three minutes. Changes to the status
of the GIM client itself are reflected according to the interval at which the client polls the server and delivers its "alive message".
Note: When performing a system backup and restore from one server, which has GIM defined, to another server, then the user must configure a GIM failover to the restore
server. This GIM configuration applies to a Backup Central Manager or a System backup and restore.

Managing software with GIM
GIM Server Allocation
Remotely connect to a pre-installed and inactive (not connected to any collector) GIM agent and make it connect to some collector without the need to access the
database server.
Installing the GIM client on a Windows server
Learn how to install the GIM client for Windows using either an interactive installer or a silent installation. Instructions are also provided for uninstalling the GIM
client.
Installing the GIM client on a UNIX server
Use this command to install the GIM client on each database server.
Uninstalling GIM and its modules on a UNIX database
You can uninstall GIM and its modules either from the GUI, or on the database server itself.
Upgrading the GIM client
You can use GIM to upgrade the GIM client to a newer version.
Using groups with GIM
You can use groups to make some GIM tasks easier.
If you build a custom K-TAP module for a Linux database server, you can use GIM to copy that module to other Linux database servers.
GIM dynamic updating
GIM clients check for updates from the GIM server at regular intervals. The GIM server can calculate the best polling interval to use based on system conditions.
When you upgrade your database server operating system
When you upgrade the operating system on your database server, you can allow the GIM client to make the required changes in itself and your GIM-installed
modules.
Distributing GIM bundles to managed units
You can distribute GIM bundles to managed units in order to deploy them on the GIM clients managed by those managed units.
Removing unused GIM bundles
You can remove GIM bundles from your GIM server if they are no longer used on any database server.
Running GIM diagnostics
You can run diagnostics on GIM clients to verify that the GIM server has accurate data about each client.
Debugging GIM operations
You might need to turn on debugging in order to troubleshoot a problem.
Restarting the supervisor for Solaris with SMF support
Use a set of CLI commands to restart the supervisor on Solaris servers with SMF support.

The deploy monitoring agents tool simplifies the process of establishing a Guardium deployment. Building on existing Guardium installation manager (GIM) infrastructure,
the deploy monitoring agents tools helps you quickly find database servers, install monitoring agents (S-TAPs), and configure inspection engines for your databases. In

addition, the tool provides a centralized view for tracking and reviewing deployment status.
Prerequisites for deploying monitoring agents

Review prerequisites and restrictions before you being deploying monitoring agents.
Learn how to quickly deploy S-TAPs and configure inspection engines.
Parent topic: Guardium Installation Manager
Prerequisites for deploying monitoring agents

Review prerequisites and restrictions before you being deploying monitoring agents.
Before using the deploy monitoring agents tool to install S-TAPs and configure inspection engines on your database servers, verify the following prerequisites.
The target S-TAP installation directory must be empty or not exist. You cannot install an S-TAP into a directory that already contains any files.
Install GIM clients in listener mode
Install GIM clients in listener mode on one or more database servers in your environment. To install the GIM client in listener mode on Windows systems, omit the -
-host parameter. To install the GIM client in listener mode on systems such as AIX and Linux, omit the --sqlguardip parameter. For more information about GIM
listener mode, see GIM Server Allocation.
Important: You may need to open a port between the GIM client on the database server and the Guardium system where you will run the deploy monitoring agents
tool. The default port 8445 is used unless you specify a different port when installing the GIM client.
Upload GIM S-TAP modules to the Guardium system
Run the deploy monitoring agents tool as an administrative user from any Guardium system that is not configured as an aggregator. Before you begin, use the
following procedure to upload GIM S-TAP modules to the Guardium system.
1. Navigate to Manage > Module Installation > Upload Modules.

2. Click Choose file and select the module you want to install.
3. Click Upload to upload the module to the Guardium system. After uploading, the module will be listed in the Import uploaded modules table.
4. In the Import uploaded modules table, click the check box next to the module you want to install. The module will be imported and made available for
installation. After the module is imported, the Upload Modules page will reload and the module will no longer appear in the Import uploaded modules table.
For information about S-TAP offerings and supported platforms, see System requirements and supported platforms for IBM Security Guardium.
Verify that all discoverable database servers are running
Inspection engines can be automatically configured for some databases, including the following:
DB2 for Linux, UNIX, and Windows

Informix
Microsoft SQL Server
MySQL
Oracle
Postgre SQL
Sybase
Teradata
To allow the auto-configuration of inspection engines, verify that databases servers are running before deploying monitoring agents.
For more information about automatically discovering database instances, see Discover database instances.
Parent topic: Quick start for deploying monitoring agents

Learn how to quickly deploy S-TAPs and configure inspection engines.
Before you begin

Run the deploy monitoring agents tool as an administrative user from any Guardium system that is not configured as an aggregator. Verify the following before you begin:
GIM clients are installed in listener mode.

GIM S-TAP modules are imported to the Guardium system.
Discoverable database servers are running.
For more information, see Prerequisites for deploying monitoring agents.
About this task

The following procedure describes how to use the deploy monitoring agents tool to quickly install S-TAPs and configure inspections engines for monitoring database
traffic.
Procedure
1. Open the deploy monitoring agents tool by navigating to Setup > Quick Start > Deploy Monitoring Agents.
2. In the Identify database servers section, use the IP addresses field to specify a range of IP address to search for GIM clients in listener mode. Use the icon to
specify additional IP addresses. Include wildcard (*) or range (-) characters to expand the search. For example, 10.0.0-5.*. Use commas to separate complete
IP addresses or ranges. For example, 9.70.145.165,9.70.145-148.165,9.70.145.*.
Important: Scanning a large number of IP addresses is time intensive and may time-out before the scan completes. Use the IP addresses fields to define a narrow
range of IP addresses where you expect to find GIM clients in listener mode.

3. Click Discover to begin scanning for GIM clients in listener mode.
Tip: By default, the discovery of GIM clients and the deployment of monitoring agents (S-TAPs) is completed in two separate steps: discovery, then deployment.
This allows you to manually select the database servers where you want to install S-TAPs, as described in the following steps.
However, it is possible to streamline the process by automatically installing S-TAPs on all compatible GIM clients that are discovered while scanning IP addresses.
To enable the automated mode, click to open the Customize settings dialog and select Automatically deploy agents on discovered database servers. When
using the automated mode, after specifying the IP addresses to scan, simply click the Discover and Deploy button.
4. In the Database server status section, select the database servers where you would like to deploy monitoring agents and click Deploy Agents to open the Configure
monitoring agents dialog.
5. From the Configure monitoring agents dialog, review and adjust the installation parameters. Click Deploy to begin installing monitoring agents.
The default parameters should work well for most new deployments. However, you may want to adjust the following settings for your specific environment.
Windows installation directory
Specify an installation directory for S-TAPs deployed on Windows database servers. The parameter is ignored and default installation paths are used when
deploying on other platforms. For more information about S-TAP installation parameters, see S-TAP command line and GIM installation parameters and S-
TAP install script parameters.
Assign a Guardium collector
Select Use enterprise load balancing to automatically assign S-TAPs based on the relative load or availability of Guardium collectors in a centrally-managed
environment. For more information, see Enterprise load balancing.
Select Specify collector to assign S-TAPs to a specific Guardium collector.
6. In the Database server status section, use the S-TAP installation status column to monitor the progress of module installation. A status of Installed indicates
successful and complete installation.
What to do next
If the S-TAP installation status of a database server is marked Failed, click the icon to learn more about the problem. If a database server disappears from the
Database server status after attempting to deploy monitoring agents, click Error log to learn more about the problem.
Tip: The Error log captures issues related to the Deploy monitoring agents tool. For example, if Deploy monitoring agents cannot find a module required for installation, a
message is added to the Error log. Other errors are recorded in component-specific logs and made available for investigation by clicking the icon in the S-TAP
installation status column.
After successfully deploying monitoring agents, you are ready to monitor traffic on your database servers and begin meeting security compliance requirements. To
configure compliance monitoring, navigate to Setup > Quick Start > Compliance monitoring and see Quick start for compliance monitoring for more information.
Parent topic: Quick start for deploying monitoring agents
Managing software with GIM

Set up by Client
Quickly deploy S-TAPs and other software packages using the Guardium Installation Manager (GIM) Set up by Client tool.
GIM user interfaces
The purpose of GIM is to provide automatic installation capability for modules, taking advantage of a GIM client and GIM server residing on each database server
and Guardium system respectively.
GIM command line interface
You can use the CLI in order to install or upgrade modules on the database server.
Set up by Client
Quickly deploy S-TAPs and other software packages using the Guardium Installation Manager (GIM) Set up by Client tool.
Before you begin

Before using the Set up by Client tool, verify the following:
GIM clients are installed on database servers and connected to the Guardium system.
Compatible GIM bundles are uploaded and imported to the Guardium system.
Procedure
1. Navigate to Manage > Module Installation > Set up by Client.
2. In the Choose clients section, select the database servers where you want to install or update software using GIM. Select individual clients using check boxes in the
table, or use the Select client group menu to select a group of clients. Click Next to continue.
Attention:
If you add new clients while using the Set up by Client tool, refresh the browser to see the new clients.
When creating or updating a group and editing the Client Name or Client IP address of GIM clients, the name and address must reflect valid values for a GIM
client connected to the Guardium system. If an invalid name or address is specified, the edited client will no longer appear as a member of the group.
3. In the Choose bundle section, use the Select a bundle menu to identify the software you want to install or update. Click Next to continue. After selecting a software
bundle, the Selected bundle action column indicates the action that will be performed for each client:
Install
The selected bundle will be installed on the client. This action indicates a first-time installation of the software on the client.

Upgrade
The bundle will be upgraded on the client. This action indicates that an earlier version of the software is currently installed on the client.
Update parameters
The bundle parameters will be updated on the client. This action indicates that the selected software and the currently-installed software are the same
version.
Downgrade
The selected bundle will be installed on the client. This action indicates that the selected software is older than the software currently installed on the client.
None (bundle not found)
No actions will be performed, indicating that there are no compatible actions on the client for the selected bundle.
Tip:
Clear the Show only latest versions check box to view and work with earlier versions of a bundle.
Clear the Show only bundles check box to identify individual modules within a bundle.
Select the Show only compatible clients check box to hide clients that are not compatible with the selected bundle.
Attention:
By default, the Select a bundle menu shows only the latest uploaded bundle version regardless of platform or compatibility with selected clients. To install a
different bundle version for a specific platform or client, clear the Show only latest versions check box and select the required bundle.
If you upload and import new bundles while using the Set up by Client tool, refresh the browser to see the new bundles.
If you already have a bundle scheduled for installation, installing a new bundle removes the existing schedule.
4. In the Choose parameters section, specify values for required and optional parameters. Use the or icons to add or remove optional parameters. Use the
icon to search for parameters by name or description. Click Next to continue.
Important: Unless identified as a client-specific parameter, values provided in the Choose parameters section are applied to all clients where the software will be
installed, upgraded, or updated. For client-specific parameters, the value field is disabled and values are defined per-client in the Configure clients section.
5. In the Configure clients section, use the table to review and edit parameter values for each client. Editable parameters show a icon next to the parameter value.
Click the icon to edit the value.

6. Click Install to begin the software installation. Use the icon to schedule the installation, then click OK to continue.
What to do next
Use the Choose bundle section to monitor the software installation. Installation status is shown in the Status column. Use the icon to refresh the installation status.
Parent topic: Managing software with GIM
GIM user interfaces

The purpose of GIM is to provide automatic installation capability for modules, taking advantage of a GIM client and GIM server residing on each database server and
Guardium system respectively.
Users may also interact with GIM through the CLI. See GIM command line interface for information on installing and upgrading modules with GIM using CLI.
You can use the GUI of the Guardium Installation Manager (GIM) for these tasks:
Process Monitoring
Upload Module Package
Configure, Install, or Update Modules (by client)
Configure, Install, or Update Modules (by module)
Rollback Mechanism
Note: If A-TAP is being used, A-TAP must first be disabled on the database server before performing a GIM-based S-TAPÂ® upgrade or uninstall.
Note: GIM does not support the installation of native S-TAP installers (rpm, dept, bff, etc.)
Note: Installation of modules on a specific client for the FIRST TIME using the GIM utility must be in the form of a BUNDLE. Future upgrades of specific modules which are
part of the installed bundle can be either as single modules or bundles.
Process Monitoring
Displays the status for GIM processes on servers.
Supervisor
The GIM Supervisor is a process with the main purpose of supervising and monitoring GuardiumÂ® processes. Specifically, it is responsible for starting, stopping, and
making sure all of Guardium processes are running at all times and restarting them if they fail.
Note: For Guardium V9.0, on Solaris 5.10/5.11, GIM and SUPERVISOR are now SMF services. They are not inittab entries anymore.
To start/stop gim/supervisor use:
svcadm -v enable guard_gim
svcadm -v enable guard_gsvr
svcadm -v disable guard_gim
svcadm -v disable guard_gsvr
GIM
The GIM process is the GIM client process, which is responsible for such duties as registering to the GIM server, initiate a request to check for software updates, installing
the new software, updating module parameters, and uninstalling modules.
Upload Module Package

Loads the modules package file (a .gim file containing module(s) sub-packages) to the database.
1. Click Manage > Install Management > Upload to open Upload.

2. Click Browse to browse where your package (.gim file) is on disk.
3. Click Upload to upload your package.
4. Click the Import icon of the uploaded package located under Import Uploaded modules to load the package.
Configure, Install, or Update Modules (by client)

Tip: For information about the latest GIM software management tool, see Set up by Client.
You can use this option to configure/install a module for any number of clients from packages already loaded.
The simplest, safest, and quickest way to install or uninstall modules is by using bundles. Using bundles guarantees automatic dependency and order resolution.
If you have already created groups of clients, you can use a group to specify the clients to be the target for the specified action. Otherwise use these steps to select a list
of clients.
1. Click Manage > Install Management > Set up by Client (Legacy) to open the Client Search Criteria.
2. Click the Search button to perform filtered search and display the Clients panel.
3. Select the clients that will be the target for the specified action.
If there are more than 20 clients then the list of clients will be split onto additional pages
Note: Clicking the Select All button will only select the clients on the current page being viewed
4. From the Clients panel, two actions can be taken:
Configure/install common parameters
Configure/install module
Reset Clients - By clicking Reset Clients, you can disassociate modules from selected clients and remove the client definition from the Guardium system
database. Note: Resetting a client does NOT trigger module removal on the database server.
View installation state of this client - By clicking on the information icon you can open up the Installation Status panel and view the installation status of a
client. This panel displays all modules on the client which are installed or scheduled for update or uninstall. From this panel, you can use the Edit this module
icon to configure parameters for each module individually.
Configure, install, or update modules (by module)

Starting from modules, enables users to configure and install a module for any number of clients. Any required packages should have been loaded beforehand.
1. Click Manage > Module Installation > Set up by Module to open the Modules Search Criteria.
2. Click Search to perform filtered search and display the Modules panel showing all the available modules and bundles.
3. Select one or more modules and click Next to open the Clients panel.
4. Select the clients that are the target for the specified action.
Note: If there are more than 20 clients then the list of clients splits onto additional pages Clicking the Select All button only selects the clients on the current page
being viewed
5. From the Clients panel, these actions can be taken:
Install/update modules: Select one or more target clients and click Next, then click Install/Update
Modify module parameter configuration: Select one or more target clients and click Next, modify parameter values, select the target clients and click Apply to
Clients
Click Reset Clients to disassociate modules from selected clients and remove the client definition from the Guardium system database. Note: Resetting a
client does NOT trigger module removal on the database server.
View installation state of this client by clicking the icon to open the Installation Status panel and view the installation status of a client. This panel
displays all modules on the client which are installed or scheduled for update. From this panel, the Edit this module icon can be used to configure parameters
for each module individually.
Click Run Diagnostics: the diagnostic report is run the next time the clients sends an alive message, and is recorded in the GIM Events List.
Configure/install common parameters

1. Click Setup > Tools and Views > Parameter Configuration.
2. Select the clients in the Client Module Parameters section that you would like to modify parameters for
3. Modify any of the listed module parameters within the Client Module Parameters section
Note: parameters may be entered in the Common Module Parameter section to, by clicking Apply to Selected, populate the selected clients in the Client Module
Parameters section.
4. Click Apply to Clients, after entering values for all required parameters on all selected clients, to save the configuration to the database. Before the save, a
validation is performed to make sure all required fields have values or their values are in pre-defined range.
5. After Saving configurations, click Install/Update to schedule the module for installation on the selected clients. In addition, from the Module Parameters panel you
may uninstall, cancel install/update, cancel uninstall, and revert current changes. Note that the schedule date and time corresponds to the date and time on the
selected clients.
Note: The Generate Grdapi button at the front of the client line under the Client Module Parameter section enables you to view the list of grdapi commands that
reflect the changes tat you have made to the module such as assigning, installing, uninstalling, scheduling, and updating of the module. These grdapi commands
are provided so you can take the set of commands and apply them to other clients in a script if you would like to reproduce the changes .
Note: The open Property content button appears in front of every writable properties and opens up a window that simplifies the editing of a long field.
Note: The View installation state of this client button, also at the front of the client line under the Client Module Parameter section provides a view into the current
installation status for the module.
Note: When installing KTAP as part of BUNDLE-STAP, KTAP status will set to INSTALLED even if the actual KTAP module was missing for this specific platform.
However a message will be shown on the GIM-EVENTS report indicating KTAP module was missing.
Note: You should check the GIM-EVENTS report after installing bundles on the DB servers.
6. Click Back to go back to the Clients panel.
Windows S-TAP Parameters in GIM

During S-TAP installation, or to update the S-TAP configuration, you can use the WINSTAP_CMD_LINE field in the Setup by Client page.

[TAP] parameters, or CLI parameters (Windows: S-TAP command line installation parameters) with the syntax -param value, and it is added or updated in the
guard_tap.ini.
CAUTION:
For example, the following command line options skip the installation of CAS and Named Pipes support.
CAS=0 NamedPipes=0
If you are installing an S-TAP and you do not want it to automatically discover MSSQL databases, type START=0 in the WINSTAP_CMD_LINE column to prevent the S-TAP
from starting when it is installed. You can also specify this parameter for a single database server by using the GIM API:
grdapi gim_update_client_params clientIP=xx.xx.xx.xx paramName=WINSTAP_CMD_LINE paramValue="START=0"
Additional guard_tap.ini parameters may also be set at installation. An example is paramValue="START=1 !client_timeout_sec=120&use_tls=1!"
Note: When using GuardAPI commands, the WINSTAP_CMD_LINE paramValue should be quoted and each parameter separated by spaces, such as
paramValue="START=1 CAS=0" as in the prior example. A lack of spaces can cause the subsequent installation to not complete as anticipated.
Configure/install module
1. If configuring, installing, or updating:
a. by client
i. Click Next to display the Common Modules panel where a list of all available common modules and bundles that can be installed on the selected
clients.
ii. Select a module or bundle to configure/install for the selected clients.
Note: The status of a module or bundle will be displayed only if its version matches either an installed version or a scheduled version.
iii. Click Next after selecting a module or bundle from the list.
b. by module
i. Click Next after selecting the clients from the list
2. Depending on the module or bundle selected, and possible dependencies, you will then see options based on the selection types:
Bundle
Clicking Next for a bundle will take you to the Module Parameters panel that will display all the parameters for all modules of the bundle. Modify any of the
listed module parameters within the Client Module Parameters section.
Note: A bundle is treated as a regular module.
module with no mandatory dependencies
Clicking Next for modules with no mandatory dependencies will take you to the Module Parameters panel that will display the module's parameters. Modify
any of the listed module parameters within the Client Module Parameters section.
module with dependencies

Clicking Next for a module with dependencies displays that module and all dependencies modules in the Dependent Modules screen. Click the Edit icon for
any of the modules to configure its parameters for all selected clients; taking you to the Module Parameters panel that will display the module's parameters.
Change any parameters there and click the Accept button to come back to the Dependent Modules screen.
Note: The configuration for module and all of its dependencies can be saved to the database only at once. Also, they can only be installed as a bundle. This
means that they cannot be individually saved or scheduled for installation. For example, if, in middle of scheduling installation, the process fails for one of
modules on one of the clients, it will roll back all installations before that failure.
Note: parameters may be entered in the Common Module Parameter section to, by clicking the Apply to Selected, populate the selected clients in the Client
Module Parameters section.
3. Click Apply to Clients, after entering values for all required parameters on all selected clients, to save the configuration to the database. Before the save, a
validation is performed to make sure all required fields have values or their values are in pre-defined range.
4. After Saving configurations, click Install/Update to schedule the module and its dependencies for installation on the selected clients. In addition, from the
Dependent Module Parameters panel you may uninstall, cancel install/update, cancel uninstall, and revert current changes. Note that the schedule date and time
corresponds to the date and time on the selected clients.
Note: The Generate Grdapi button at the front of the client line under the Client Module Parameter section allows the user to view the list of grdapi commands that
reflect the changes the user has made to the module such as assigning, installing, uninstalling, scheduling, and updating of the module. These grdapi commands
are provided to the user so they can take the set of commands and apply them to other clients in a script if they would like to reproduce.
Note: The open Property content button appears in front of every writable properties and opens up a window that simplifies the editing of a long field.
Note: The View installation state of this client button, also at the front of the client line under the Client Module Parameter section provides a view into the current
installation status for the module.
Note: When installing K-TAP as part of BUNDLE-STAP, K-TAP status will set to INSTALLED even if the actual K-TAP module was missing for this specific platform.
However a message will be shown on the GIM-EVENTS report indicating K-TAP module was missing.
Note: Always check the GIM-EVENTS report after installing bundles on the DB servers
Note: When uninstalling modules, GIM will only uninstall the selected module and not uninstall dependencies
Rollback Mechanism
GIM's rollback mechanism purpose is to handle errors during installation and recover modules to their prior state. The Rollback mechanism supports the following
recovery scenarios:
1. Live Upgrade Recovery

For Bundles
When bundles are installed, recovery will rollback the modules that have an install failure within the bundle.
Modules that are marked as NO_ROLLBACK (in the form of a read-only parameter <MODULE>_NO_ROLLBACK=1) will not be rolled back in the event of a
failure. S-TAP/KTAP are two such modules that once successfully installed will not be rolled back in the event of a failure of another module.
For non-Bundles
Rollback entails the removal of the standalone module in the case of a scratch install or reverting back to the previous version in case of an upgrade.
2. Boot Time Installation Recovery
If installation failure occurs during a system reboot, a second system reboot will be needed in order to complete the recovery. Users will still see the status IP-PR
after reboot, and a GIM_EVENT entry that indicates a second reboot is needed to complete the recovery process. The module/bundle state will then indicate a
â€œFAILEDâ€ status after the second reboot.

Note: When the status is 'IP-PR' booting the DB-server is different per OS (Any other way of rebooting the system will keep the pending modules in a pending state):
Linux : shutdown -r
SuSe : reboot
HP : shutdown -r
Solaris : shutdown -i [6|0] (Note : '0' can be used only if shutdown is done from the terminal server)
AIX : reboot
Tru64 : reboot
Note: In addition, prior to reboot, A-TAP instances must be disabled/deactivated.
Changing the GIM server for a GIM client

You can change the GIM server that manages one or more GIM clients. You might want to make this change in order to balance the load among your GIM servers, or to
make it easier to distribute GIM packages. To reassign a group of GIM clients to a different GIM server, follow these steps:
1. Click Manage > Install Management > Set up by Module to change the GIM server for a GIM client.
2. Select a GIM bundle that is installed on the clients that you want to reassign. Click Next.
3. Select the clients to be changed. You can click Select All or select clients individually. Click Next.
4. Click Select All.
5. For the GIM_URL parameter, enter the hostname or IP address of the GIM server (Guardium system) to which you want to reassign the selected GIM clients. Click
Apply to Selected.
6. On the same panel click Apply to Clients, then click Install/Update and schedule the update.
After the update has been processed, the GIM client will be managed by the new GIM server.
GIM command line interface

You can use the CLI in order to install or upgrade modules on the database server.
The following examples are presented only to cover some of the more common scenarios. For more information and a complete list of all supported CLI commands refer
to GuardAPI GIM Functions.
Loading module packages

Upgrade or Scratch install using bundles
Uninstall a module/bundle
Installation Status
Querying modules state
Loading module packages

Before modules can be installed on DB server, they must be loaded onto the Central Manager GIM database. If a Central Manager is not part of the architecture, packages
must be loaded onto each Guardium system. Use the Load package option in the GIM UI in order to get the packages loaded to the database.
Upgrade or Scratch install using bundles

Note: Scratch install refers also to a case where old (pre-GIM) S-TAPÂ® is installed on the database server.
A bundle is a list of modules grouped together to allow easier installation process. Always use bundles to install or upgrade modules.
1. Get the list of registered clients (i.e. database servers installed with GIM client that have registered with GIM server):
grdapi gim_list_registered_clients
ID=0
####### ENTRY 0 #######
CLIENT_ID: 1
IP: 192.168.2.204
OS: HP-UX
OS_RELEASE: B.11.00
OS_VENDOR: hp
OS_VENDOR_VERSION: B.11.00
OS_BITS: 64
PROCESSOR 9000
####### ENTRY 1 #######
CLIENT_ID: 2
IP: 192.168.2.210
OS: Linux
OS_RELEASE: 2.6.16.54-0.2.5-smp
OS_VENDOR: suse
OS_VENDOR_VERSION: 10.1
OS_BITS: 64
PROCESSOR x86_64
2. Assign (i.e. prepare to install; NOT a request to actually install it on the client) the latest bundle available for a specific client
grdapi gim_assign_latest_bundle_or_module_to_client clientIP=198.168.2.210 moduleName=BUNDLE-STAP
Note: In order to assign a specific bundle or module to a client, step 2 should be replaced with the following sequence:
gim_get_available_modules clientIP=â€ client ipâ€

gim_assign_bundle_or_module_to_client_by_version clientIP=â€ client ipâ€ modulesName=â€ Bundle/Module nameâ€
moduleVersion=â€ Bundle/Module versionâ€
3. Schedule the installation.
grdapi gim_schedule_install clientIP=192.168.2.210 date=now

Note: For multiple client installation repeat steps 2-3.
Note: For flexible GIM scheduling, use now + [1-9][0-9]* minute | hour | day | week | month. Example: now + 1 day, now + 3 minutes
GIM scheduling
All time is relative to Guardium system time. Now means right now as specified by the Guardium system. Now +30 minute is the current Guardium system time + 30
minutes. This can be seen when looking at the installation status by clicking on the small "i" next to a client, for example in Manage > Module Installation > Set up by
Client (Legacy). If the time on the database server has passed the time on the Guardium system specified for install, then the install begins.
Example one, set up three clients (a) set for Guardium system time - 1 hour, (b) set for Guardium system time, and (c) set for Guardium system time + 1 hour.
Set up an S-TAP installation via GIM for "now +30 minute".
Guardium system (a), which is already 30 minutes ahead of the time set for installation, will install immediately.
Guardium system (b) will install in 30 minutes.
Guardium system (c) will take another hour after (b) to install.
Example two - Same setup as example one but this time specify "now".
Installation status changes to IP immediately on all clients.
Uninstalling a module/bundle
grdapi gim_uninstall_module clientIP=192.168.2.210 module=BUNDLE-STAP date=now
You can specify date=now or use the format of YYYY-MM-DD HH:mm. The uninstallation will take place the next time GIM client checks for updates (GIM_INTERVAL).
Installation Status
Additional information about the latest status the client has sent can be retrieved by running the following command (The status message will appear as an entry in
GIM_EVENTS table from which a report can be generated):
The general status message can be obtained by running the following CLI command:
grdapi gim_get_client_last_event clientIP="client ip"

grdapi gim_get_client_last_event clientIP=winx64
grdapi gim_get_client_last_event clientIP=9.70.144.73
Here is an example of the output from this command:
ID=0
OK
BUNDLE-STAP-8.0_r2609_1 INSTALLED
STAP-UTILS-8.0_r2609_1 INSTALLED
COMPONENTS-8.0_r2609_1 INSTALLED
KTAP-8.0_r2609_1 INSTALLED
STAP-8.0_r2609_1 INSTALLED
TEE-8.0_r2609_1 INSTALLED
ATAP-8.0_r2609_1 INSTALLED
Querying modules state

In order to query the installed module's state per client the following CLI command needs to be executed.
grdapi gim_list_client_modules clientIP=â€ client ipâ€
The following states are possible:
INSTALLED
Module is installed.
PENDING-INSTALL
Module is pending to be scheduled for installation.
PENDING-UNINSTALL
Module is pending to be scheduled for uninstallation.
PENDING-UPDATE
Module is pending to be scheduled for update.
IP
Module installation is in progress.
FAILED
Module's last operation failed.
IP-PR
Module requires client reboot in order to complete the installation process. Prior to rebooting, deactivate all A-TAP instances. Rebooting the database server is
different per OS (Any other way of rebooting the system will keep the pending modules in a pending state).
Â AIX: reboot
Linux Â Â : shutdown -r
SuSe: reboot
HP-UX: shutdown -r
Solaris: shutdown -i [6|0] Â (Note : '0' can be used only if shutdown is done Â from the terminal server)
Tru64: reboot
Output example

ID=0
####### ENTRY 0 #######
MODULE_ID: 11
NAME: INIT
INSTALLED_VERSION 8.0_r3852_1
SCHEDULED_VERSION 8.0_r3852_1
STATE: INSTALLED
IS_SCHEDULED: N
####### ENTRY 1 #######
MODULE_ID: -1
NAME: COMMON
STATE: INSTALLED
IS_SCHEDULED: N
####### ENTRY 2 #######
MODULE_ID: 12
NAME: UTILS
STATE: INSTALLED
IS_SCHEDULED: N
####### ENTRY 3 #######
MODULE_ID: 13
NAME: SUPERVISOR
STATE: INSTALLED
IS_SCHEDULED: N
####### ENTRY 4 #######
MODULE_ID: 14
NAME: GIM
STATE: INSTALLED
IS_SCHEDULED: N
####### ENTRY 5 #######
MODULE_ID: 15
NAME: BUNDLE-GIM
STATE: INSTALLED
IS_SCHEDULED: N
GIM Server Allocation

Remotely connect to a pre-installed and inactive (not connected to any collector) GIM agent and make it connect to some collector without the need to access the
database server.
Overview
The following process (also called GIM Auto-Discovery) allows you to remotely connect to a pre-installed and inactive GIM agent and make it connect to a collector
without accessing the database server.
1. An inactive GIM client runs in listener mode and waits for a connection from any collector.
2. From the collector's graphic user interface (GUI) or the GuardAPI, you can send the IP address of any collector to the inactive GIM client.
3. The inactive GIM client accepts the collector's IP address and connects to it.
If GIM is installed without specifying a collector's IP address (--sqlguardip) it will run in server mode. When the GIM agent is running in server mode, it accepts messages
only from verified collectors over SSL that have certificate authentication and shared secret verification. If there are 30 or more consecutive authentication failures, the
GIM agent stops listening for requests and runs in server mode. This action prevents denial of service (DoS) attacks.
You can define your own certificates, shared secret, and port number. To use other certificates, specify the certificate/key full path name in the installation parameters: --
key_file and --cert_file. Load the certificates to the collector key store with the GuardAPI command store certificate gim.
To set a shared secret other than the default one, use the GuardAPI command grdapi gim_set_global_param paramName=gim_listener_default_shared_secret
paramValue=<password>. The format should be a string. The shared secret must be identical on the database server and collector.
Note: Do not specify the unencrypted shared secret in the command line.
To use a port other than the default one, specify the port in the installation parameter --listener_port. Set the GIM global parameter gim_listener_default_port with the
new port in the GIM Global Parameters.
Note: The default or user defined port must be enabled in the firewall.
Parameters
The following list describes the GIM installation parameters:
--sqlguardip - Sets the collector IP address/hostname that the GIM client is connecting to. If it is not specified, the GIM client will work in â€œListener mode".
--ca_file - Full file name path to the Certificate Authority PEM file.
--key_file - Full file name path to the private key PEM file.
--cert_file - Full file name path to the certificate PEM file.
--shared_secret - specify a shared secret to verify collectors.
--listener_port - specify a port number that is different than the default.
--no_listener - disables GIM from running in "Listener mode" even if --sqlguardip is not specified.

Any attempt to:
update parameters
install modules
uninstall GIM directly on the database server
causes the GIM agent to exit server mode and process the request. If the GIM client cannot connect to the designated collector, it returns to server mode. After the GIM
agent is assigned to a valid collector's IP address or host name, you cannot set the GIM server to run in server mode again. All new GIM agent server mode parameters
appear as READ-ONLY.
Note: The following parameters must exist in the file system or the installation fails:
ca_file
key_file
cert_file
Additional command line parameter
GIM and Consolidated Installers for GIM have an additional command line parameter:
--allow_ip_hostname_combo <0|1>
param name : GIM_ALLOW_IP_HOST_COMBO
param values : 1 - Enabled, 0 - Disabled
Param default value : 0
param description : If Enabled, and the GIM_CLIENT_IP is different than the db server's hostname, GIM_CLIENTS.GIM_CLIENT_NAME will be set with a value that
is the combination of `hostname`_<GIM_CLIENT_IP>.
If GIM_CLIENT_IP is set with an IP address and the GIM_ALLOW_IP_HOST_COMBO is enabled, GIM's hostname will be a combination of the
<hostname>_<GIM_CLIENT_IP> This will allow GIM clients uniqueness across database servers with "common" hostname.
LIMITATION: You can NOT set GIM_CLIENT_IP with a "common" hostname. This will be considered as an attempt to register with a duplicate identifier.
Setting GIM in Server Mode Global Parameters

You can set up the server mode GIM parameters by using the following GuardAPI command:
grdapi gim_set_global_param
paramName=gim_listener_default_shared_secret
paramValue=<password>
This value is encrypted and stored in the database. The value must be identical to the unencrypted value as the shared secret if you install the GIM agent on the database
server.
To set up a new default server mode GIM port, use the following GuardAPI command:
grdapi gim_set_global_param paramName=gim_listener_default_port paramValue=<port number>
This value must be identical to the unencrypted value of the shared secret if you install the GIM agent on the database server.
Note: If you use a different port or shared secret, you must specify the shared secret or port every time you connect the collector IP/hostname to the server mode GIM
agent.
GIM Remote Activation

Remotely connect to a pre-installed GIM agent and connect it to a collector without accessing the database server with GIM Remote Activation.
1. Click Manage > Module Installation > GIM Remote Activation.

2. Type in the IP address or host name where GIM is running in listener mode in the IP / hostname field. Otherwise, select a server group from the following list.
3. Type in a numerical value in the GIM Listener Port if it is different from the GIM Global setting. The default value is 8445.
4. Enter the shared secret in the GIM Listener Password field if it is different from the GIM Global setting.
5. Click Submit to process the information or Reset to clear the information.
Note: You must enter an IP address / host name or select a server group, but the GIM listener port and GIM listener password are optional. When you install the GIM client
in listener mode, the settings of the shared secret and certificates cannot be changed unless you reinstall the GIM client.
Note: If the "Collector IP" field in GIM Remote Activation is blank, the hostname of the collector is sent to the server. If IP is specified, this is sent instead.
Create a GIM Auto-discovery Process

Create a GIM auto-discovery process to identify and associate GIM clients that have been installed in listener mode. It is also possible to activate GIM clients that have
been installed in listener mode using Quick start for deploying monitoring agents.
1. Navigate to Discover > Database Discovery > GIM Auto-discovery Configuration.
2. Create a new GIM auto-discovery process by clicking the icon.

3. Name the process using the Process name field and then clicking Apply.
4. Define hosts to scan for GIM clients that were installed in listener mode using the Add hosts and ports to process section.
a. Identify a host or subnet to scan using the Host(s) field. Wildcard characters are enabled. For example, to select all addresses beginning with 192.168.2, use
192.168.2.*.
b. Add the host or subnet to the GIM auto-discovery process by clicking Add scan.
c. Repeat the previous steps to define multiple hosts or subnets to include in the GIM auto-discovery process.
Note:
If you have a dual stack configuration, define scans for both the IPV4 and the IPV6 addresses.
Modify existing host or subnet scans by typing over the existing value and clicking Apply to save the changes.

Remove scans by clicking the icon. If a task has scan results dependent upon it, the scan cannot be deleted.
5. Run the GIM auto-discovery process by clicking Run Once Now or define a schedule for running the process by clicking Modify Schedule. See Scheduling for
information about defining a schedule.
6. After the process has completed, click View Results to see a list of discovered GIM clients and associate those clients with Guardium systems.
a. Select the GIM clients to associate.
b. Click Associate to assign the clients to the current Guardium system or click Assign Collector to assign the clients to another Guardium system in your
environment.
c. Use the Results dialog to review the status of client association. After successfully association, GIM clients are no longer in listener mode and are not shown
in the GIM auto-discovery results window.
d. Click Close to close the results window.
GIM Global Parameters

Define your own shared secret or GIM listener port through the user interface.
1. To open the GIM Global Parameters, click Manage > Module Installation > GIM Global Parameters.
2. Select gim_listener_default_shared_secret to set the shared secret or gim_listener_default_port to set the port.
3. Click the icon to edit the selected parameter.

4. Change the value and click Save to change the parameter or Close to return to the page.
Installing the GIM client on a Windows server

Learn how to install the GIM client for Windows using either an interactive installer or a silent installation. Instructions are also provided for uninstalling the GIM client.
About this task

There are currently two types of installers for the GIM client based on your GIM client version. Version 10.1.2 and earlier use build numbers through r89755, while version
10.1.3 and beyond uses build numbers starting from 10.2.30.5. Please pay attention to your GIM client version and build numbers as you go through these instructions.
Installing the GIM client using an interactive installer: GIM client version 10.1.2 or older
A wizard is provided to help you install the GIM client on each database server.
Procedure
1. Place the GIM client installer on the database server, in any folder.
2. Run the setup.exe file to start the wizard that installs the GIM client. The setup.exe file is located in the Windows_GimClient folder.
3. Follow and answer the questions in the installation wizard.
What to do next
You can view the results of the installation in the log file at c:\guardiumstaplog.txt.
Installing the GIM client using an interactive installer: GIM client version 10.1.3 and newer
A wizard is provided to help you install the GIM client on each database server.
Procedure
2. Run the setup.exe file to start the wizard that installs the GIM client. The setup.exe file is located in the GIM-Installer-10.2* folder.
3. Follow and answer the questions in the installation wizard.
What to do next
You can view the results of the installation in the log file at C:\IBM Windows GIM.ctl..
Installing the GIM client using silent installation: GIM client version 10.1.2 or older
If you prefer, you can install the GIM client from the command line instead of using the wizard.
About this task
Procedure
2. Open a command prompt and navigate to the Windows_GimClient folder under the folder where you placed the installer.
3. Enter this command, with no linebreak. setup.exe /s /z" --host=g10.guardium.com --path=c:\\program files (x86)\\guardium\\GIM --
perl=c:\\perl\\bin --localip=192.168.1.100" Include all the spaces and quotes exactly as in this example. Removing or adding spaces causes the
installer to fail. The --perl= parameter indicates where Perl is installed on this computer. This parameter is optional. If you do not specify it, the installer installs a
Perl instance.
Attention:
Omit the --host parameter to install the client in GIM listener mode. Listener mode makes the GIM client available for remote registration from a Guardium
system. Example of how to install as listener: setup.exe /s /z"--path=c:\program files (x86)\guardium\GIM --host=GIM_HOST" For more information, see
GIM Remote Activation and Create a GIM Auto-discovery Process.

When cloning database servers and establishing large deployments, use --auto_assign_ip=1 to allocate a random IP address from one of the valid IP
addresses of a database server. Do not specify both auto_assign_ip and localip when installing the GIM client. When updating the
GIM_AUTO_SET_CLIENT_IP parameter using Manage > Module Installation > Set up by Client or Set up by Module, you must restart the GIM client service
for the new setting to take effect.
What to do next
You can view the results of the installation in the log file at c:\guardiumstaplog.txt.
Installing the GIM client using silent installation: GIM client version 10.1.3 or newer
If you prefer, you can install the GIM client from the command line instead of using the wizard.
Procedure
2. Open a command prompt and navigate to the GIM_Installer* folder under the folder where you placed the installer.
3. Enter this command, with no linebreak. setup.exe -UNATTENDED -INSTALLPATH "c:\Program Files(x86)\Guardium Installation Manager" -
LOCALIP 10.9.876.543
Attention:
The UNATTENDED and LOCALIP parameters are required. APPLIANCE is optional and if not supplied, will trigger Listener Mode. If using parameter
AUTO_ASSIGN_IP, LOCALIP is not required.
Omit the -APPLIANCE parameter to install the client in GIM listener mode. Listener mode makes the GIM client available for remote registration from
a Guardium system. Example of how to install as listener: setup.exe -UNATTENDED -INSTALLPATH C:\program files (x86)\guardium\GIM -LOCALIP
10.9.876.543. For more information, see GIM Remote Activation and Create a GIM Auto-discovery Process.
When cloning database servers and establishing large deployments, use --auto_assign_ip=1 to allocate a random IP address from one of the valid IP
addresses of a database server. Do not specify both auto_assign_ip and localip when installing the GIM client. When updating the
GIM_AUTO_SET_CLIENT_IP parameter using Manage > Module Installation > Set up by Client or Set up by Module, you must restart the GIM client
service for the new setting to take effect.
Windows GIM command line installation reference
Parameters applicable to all .NET installers
-UNATTENDED Install silently. A value is not required
-UNINSTALL Uninstall. A value is not required.
-INSTALLPATH This is the install directory. Default install path is "C:\Program Files (x86)\Guardium\Guardium Installation Manager"
-CUSTOMER To change customer name
-COMPANY To change company name
-SERVICEUSER To specify a user to run the service under
-SERVICEPASSWORD The password for the user

Parameters specific to GIM .NET installers
-APPLIANCE To set the appliance address that GIM connects to. Absence of this parameter will result in GIM installation using Listener Mode.
-LOCALIP This is the IP of the server where GIM is being installed.
-KEY_FILE To set the key file to non-default file
-CERT_FILE To set the certificate file to non-default file
-CA_FILE To set the CA file to non-default file
-SHARED_SECRET To set shared secret for registration with appliance if not specified using -APPLIANCE parameter
-LISTENER_PORT Set listener port for registration with appliance if not using the -APPLIANCE parameter. Default value is 8445.
-AUTO_ASSIGN_IP When value set to 1, a local IP is automatically assigned and should NOT be specified using -LOCALIP. Default value is 0.
What to do next
You can view the results of the installation in the log file at C:\IBM Windows GIM.ctl.
Uninstalling the GIM client: GIM client version 10.1.2 or older
Procedure
1. Open a command prompt and navigate to the Windows_GimClient* folder under the folder where you installed the client.
2. Enter this command: For Installshield, use
setup.exe /s /z"--host=g10.guardium.com --remove=true"
The --host= parameter is optional.
Uninstalling the GIM client: GIM client version 10.1.3 and newer
Procedure
1. Open a command prompt and navigate to the GIM_Installer* folder under the folder where you installed the client.
2. Enter this command:

setup.exe -UNINSTALL
Installing the GIM client on a UNIX server

Use this command to install the GIM client on each database server.
About this task

You can install and use the GIM client in a Solaris slave zone or an AIX workload partition (WPAR). This enables you to use the GIM client to install an S-TAP in a slave zone
or WPAR. When you install an S-TAP in a slave zone or WPAR, the K-TAP is disabled, regardless of the setting of the ktap_enabled parameter. You can also use the GIM
client to install the Configuration Auditing System (CAS) agent in a slave zone or WPAR. You cannot install the discovery bundle in a slave zone or WPAR; the discovery
agent running on the global zone can collect information from other zones. The process for installing the GIM client in a Solaris slave zone or an AIX workload partition is
the same as the process for installing in the master zone. The installation can take a few seconds longer than installing in the master zone. If you install the GIM client on a
Solaris system with master and slave zones, you must install the client in the same location on the master and slave zones. This location cannot be a shared directory.
On Solaris, the GIM client and supervisor in each slave zone are controlled by the GIM supervisor process that runs in the master zone. If the supervisor process on the
master zone is shut down, all GIM processes on the slave zones are shut down as well.
Note: GIM requires 300 MB minimum of disk space, and 700 MB if FAM module is also being installed.
Procedure
1. Place the GIM client installer on the database server in any folder.
2. Run the installer: ./<installer_name> [-- --dir <install_dir> <--sqlguardip> <g-machine ip> --tapip <db server ip address> --perl
<perl dir> -q] The installer name has the syntax: guard-bundle-GIM-<release build>-<DB>-<OS>_<bit>.gim.sh, for example:
guard-bundle-GIM-10.5.0_r103224_v10_5_1-rhel-6-linux-x86_64.gim.sh
Attention:
Omit the --sqlguardip parameter to install the client in GIM listener mode. Listener mode makes the GIM client available for remote registration from a
Guardium system. For more information, see GIM Remote Activation and Create a GIM Auto-discovery Process.
When cloning database servers and establishing large deployments, use --auto_set_gim_tapip to allocate a random IP address from one of the valid IP
addresses of a database server. Do not specify both auto_set_gim_tapip and tapip when installing the GIM client. Update the GIM_AUTO_SET_CLIENT_IP
parameter after GIM client installation by using Manage > Module Installation > Set up by Client or Set up by Module.
3. On Red Hat Linux, version 6 or later, run these commands to verify that the files have been added:
ls -la /etc/init/gim*
ls -la /etc/gsvr*
On Solaris, version 10 or later, run this command:
ls /lib/svc/method/guard_g*
On all other platforms, run these commands to verify that the following new entries were added to /etc/inittab:
gim:2345:respawn:<perl dir>/perl <modules install dir>/GIM/<ver>/gim_client.pl

gsvr:2345:respawn:<modules install dir>/perl <modules install dir>/SUPERVISOR/<ver>/guard_supervisor
Where modules install dir is the directory where all GIM modules are installed, for example, /usr/local/guardium/modules.
4. Enter this command to verify that the GIM client, SUPERVISOR process, and modules are running:
ps -afe | grep modules
5. Log in to the Guardium system and check the Process Monitoring status.
Uninstalling GIM and its modules on a UNIX database

You can uninstall GIM and its modules either from the GUI, or on the database server itself.
Procedure
1. To uninstall using the Guardium GUI.
a. Schedule an uninstall of the S-TAP bundle (Setup by Client).
b. Schedule an uninstall of the GIM bundle (Setup by Client).
c. Reboot the database server to remove K-TAP from the drivers.
2. Alternatively, uninstall on the DB server itself:
a. Uninstall both the GIM bundle and the S-TAP bundle by executing as root: /full/path/modules/GIM/current/uninstall.pl
b. Reboot the database server to remove K-TAP from the drivers.
Upgrading the GIM client

You can use GIM to upgrade the GIM client to a newer version.
Procedure
1. Upload the latest available BUNDLE-GIM.gim file to the Guardium system.
2. Use the GIM GUI to schedule the installation of the new BUNDLE-GIM.gim file.

3. Monitor the installation process by clicking on the i icon and pressing Refresh. When the installation has successfully completed the INSTALLED status will be
displayed.
Using groups with GIM

You can use groups to make some GIM tasks easier.
Before you begin
About this task

You can create group of GIM clients and use it to roll out updates to those managed servers.
Procedure
1. Click Setup > Tools and Views > Group Builder. In the Group Builder, create a new group. For the Group Type Description choose Client Hostname. The new group is
added to the list of existing groups.
2. Choose the new group in the Modify Existing Groups list and add members to the group. You can add them manually or populate the list from a query. To populate
the list from a query, click Populate from Query and note these requirements:
a. For Query select a report name that begins with GIM.
b. For Fetch Member from Column, select GIM Client Name.
c. In each Enter (Like) field, enter a value to be matched, or % if this field is not used to identify clients.
d. Save the group and run or schedule the query.
Results
You can use the group in the Manage > Module Installation > Set up by Client screen to work with this set of clients as a group rather than individually.

If you build a custom K-TAP module for a Linux database server, you can use GIM to copy that module to other Linux database servers.
Before you begin

The custom K-TAP module is built when you install an S-TAP on a Linux server for which there is no pre-built K-TAPfor the current kernel. The custom K-TAP module is
built only if the kernel-devel package is installed. When you install the S-TAP bundle, use the GIM UI to set the value of the GIM parameter STAP_UPLOAD_FEATURE to 1.
This tells the GIM client to upload the custom K-TAP module to the Guardium system after it is built and then automatically create a custom S-TAP bundle.
Procedure
1. Use GIM to install the S-TAP on the Linux database server. The installer determines that a custom K-TAP module is required and builds it.
2. The custom K-TAP module, along with its sha256sum value, is uploaded automatically to the Guardium system for which the S-TAP is configured. Note that this
might not be the same Guardium system that you use as a GIM server.
3. On the Guardium system to which the K-TAP is uploaded, run this CLI command: grdapi make_bundle_with_uploaded_kernel_module, This adds the newly built K-
TAP module to the corresponding S-TAP bundle. There must be at least one S-TAP bundle whose build number and operating system attributes match those of the
uploaded K-TAP module. Loaded bundles are stored in /var/gim_dist_packages. The script creates a new S-TAP bundle with _8XX appended to the build number.
The new bundle is located in /var/dump. After running the GuardAPI command, grdpi make_bundle_with_uploaded_kernel_module, there is a need to load the new
GIM bundle. Otherwise it will not be visible in GIM GUI. If the GuardAPI command, grdpi make_bundle_with_uploaded_kernel_module, is successful, the following
example of a message containing the name of the new STAP bundle will be printed: Created guard-bundle-STAP-9.0.0_r71327_v90_800-suse-11-linux-
x86_64.gim with kernel ktap-71327-suse-11-linux-x86_64-xCUSTOMxeagle910-3.0.101-303.gefb7031-default-x86_64-SMP. Then run the GuardAPI command,
grdapi gim_load_package, and supply the name of the new bundle printed in the previous step.
4. If the new bundle is on a Guardium system that is not your GIM server, copy the new bundle to the GIM server.
5. Use the GIM GUI or CLI to distribute the new bundle to other database servers that are running the same Linux distribution as the server where the custom K-TAP
was built. There are hundreds of Linux distributions available, and the list is growing. This means that there might not be a K-TAP already available for your Linux
distribution. If the correct K-TAP is not available, the S-TAP installation process can build it for you. When you build a new K-TAP module for a Linux database
server, you can copy that module to other database servers that run the same Linux distribution.

Copying a new K-TAP module to other systems
GIM dynamic updating

GIM clients check for updates from the GIM server at regular intervals. The GIM server can calculate the best polling interval to use based on system conditions.
Each GIM client sends an "alive" message to its GIM server regularly, to check whether any updates are ready to be processed. This polling interval is calculated and
updated based on conditions at the GIM server. The interval is calculated regularly, and the new value is passed to the GIM client in response to its "alive" message. This
feature is enabled by default, but you can turn it off if you prefer a fixed interval.
In the event that a GIM client fails to connect to its GIM sever after five consecutive attempts, the GIM client automatically connects to a failover server if one is specified.
The GIM client resumes connecting to its original GIM server when that server becomes available. The GIM server and failover server are configured using the GIM_URL
and GIM_FAILOVER_URL parameters, respectively.
Dynamic updating is controlled by the Guardium API command gim_set_global_param, with these parameters.
dynamic_alive_enabled

Dynamic alive feature control. 1 â€“ enabled, 0 â€“ disabled. Default =1
dynamic_alive_check_interval
The interval, in minutes, at which the polling interval is recalculated. Default = 5
For example:
grdapi gim_set_global_param dynamic_alive_enabled=0
When each GIM client sends its alive message to the server, the server responds with the new polling interval as well as any other updates that have been scheduled for
that client.
These parameters were valid in 10.0, and removed from 10.1 and higher:
dynamic_alive_default_load_factor
dynamic_alive_cpu_level1_threshold
dynamic_alive_cpu_level2_threshold
dynamic_alive_db_conn_level1_threshold
dynamic_alive_db_conn_level2_threshold
dynamic_alive_cpu_load_sample_time
When you upgrade your database server operating system

When you upgrade the operating system on your database server, you can allow the GIM client to make the required changes in itself and your GIM-installed modules.
Before you begin

Review the information at http://www-01.ibm.com/support/docview.wss?uid=swg21679002 to see the options that are available based on the level of your GIM client.
About this task

It is best to update all your GIM-installed modules as soon as possible after the upgrade, whether manually or automatically. By default, the option to update these
modules automatically is disabled. If you want to use automatic updating, you must configure the Guardium system that acts as your GIM server to support this option,
and you must make the required bundles available on this server.
Procedure
1. For each module that you have installed on your database server, locate the GIM bundle containing the latest version of this module that supports the new
operating-system version. The build number of each bundle must be the same or greater than the bundle that is currently installed. Load each bundle onto the GIM
server.
2. Use the gim_set_global_param command to set the value of the global parameter auto_install_on_db_server_os_upgrade to 1. This enables the automatic update
option on the GIM server.
grdapi gim_set_global_param paramName="auto_install_on_db_server_os_upgrade" paramValue="1"
By default this parameter is set to 0, which means the option is disabled.

3. After completing all your other preparations, upgrade the operating system on your database server.
Results
At first boot after OS upgrade, the GIM client recognizes that the operating system has been upgraded and because the automatic update option is enabled, the client
takes these steps:
1. Changes the configuration files for all GIM-installed modules to support the new operating system attributes.
2. Re-registers all the modules to the GIM server with the updated attributes.
3. Records an alert in the GIM_EVENTS report saying that an OS upgrade has occurred and listing actions that should be taken.
When the modules are re-registered, the GIM server looks first for a bundle that has the same build number as the previously installed bundle, but is compatible with the
upgraded OS. If it does not find such a bundle, it looks for the latest bundles that support the new OS attributes. If the server cannot find appropriate bundles, it issues an
error message. If the server finds appropriate bundles, it schedules them for upgrade and runs the upgrade process immediately.
What to do next
Review the messages in the GIM_EVENTS report. If the GIM server reports that the modules have been upgraded successfully, verify the proper operation of the modules
as you would do after any update.
If error messages have been written to the GIM_EVENTS report, indicating that the upgrade was not successful, review the error messages for guidance.
After completing your planned OS upgrade, disable the automatic update option on the GIM server. This prevents a GIM client from erroneously starting an update
process.
grdapi gim_set_global_param paramName="auto_install_on_db_server_os_upgrade" paramValue="0"
You can re-enable the automatic update option when you perform another OS upgrade.
Distributing GIM bundles to managed units

You can distribute GIM bundles to managed units in order to deploy them on the GIM clients managed by those managed units.

Before you begin
About this task

If you manage all your GIM clients from your Central Manager, you can deploy bundles to all your GIM clients directly from the Central Manager. If you manage groups of
clients from several managed units, you can distribute GIM bundles from your central manager to those managed units.
The time required for distribution depends on the size of the bundles and network conditions. In a network with substantial latency, transfers can take several hours.
Procedure
1. Copy the bundles that you want to distribute into the /var/gim/dist_packages directory on your Central Manager. All files in this directory will be distributed; you
cannot select which bundles you want to distribute.
2. Choose the managed units to which you want to distribute the bundles.
3. Click Distribute GIM bundles. The bundles are copied to the selected managed units.
Results
You can install the bundles from each managed unit to the GIM clients that it manages.
Removing unused GIM bundles

You can remove GIM bundles from your GIM server if they are no longer used on any database server.
About this task

This function enables you to maintain your inventory of GIM bundles and prevent it from using disk space unnecessarily.
You can use two new Guardium API commands to identify and remove unused GIM bundles. Perform this procedure on each Guardium system that acts as a GIM server.
Procedure
1. Run the gim_list_unused_bundles command to identify unused bundles for FAM install. Use the includeLatest parameter to indicate whether you want the list that
is returned by the command to include the latest version of each GIM bundle. You might have some bundles that you have not yet distributed, or you might want to
keep one older version so that you can reinstall it if needed. Set includeLatest to 0 to exclude the latest unused version of each bundle from the command results.
Set it to 1 to include all unused versions. This parameter is required and no default value is provided. For example:
gim_list_unused_bundles includelatest=0
The command returns a list of GIM bundles that are found on the GIM server but are not installed on any database server whose GIM client works with this GIM
server.
2. If step 1 identifies some unused bundles, use the gim_remove_bundle command to remove each unwanted bundle. This command takes a single parameter,
bundlePackageName, which identifies the bundle to be removed. This parameter is required and no default value is provided. Use names that are returned by the
gim_list_unused_bundles command.
The named bundle is removed only if:
The name specified in bundlePackageName matches the name of one and only one specific GIM bundle.
There is no GIM bundle whose name matches bundlePackageName installed on any database server whose GIM client works with this GIM server.
For example:
gim_remove_bundle bundlePackageName=name
where name is a bundle name that was returned by the gim_list_unused_bundles command.
Results
GIM bundles that are not needed are removed from your GIM server.
Running GIM diagnostics

You can run diagnostics on GIM clients to verify that the GIM server has accurate data about each client.
About this task

If you experience trouble with a GIM client, your first step should be to verify that the GIM server has accurate data about that client. Running GIM diagnostics verifies that
the modules listed for that client on the GIM server match the modules installed on that client, and that the parameters stored on the GIM client match those stored on
the GIM server.
You can run GIM diagnostics either from the Guardium user interface or from the command line. To run from the command line, use this command:
grdapi gim_run_diagnostics clientIP=xx.xx.xx.xx
The value of clientIP can be either an IP address or a hostname. You must run the command on the Guardium system that is the GIM server for this client.
To run GIM diagnostics from the GUI, use this procedure:
Procedure
1. Use the check boxes next to each client to choose the clients for which you want to run GIM diagnostics.

2. Click Run diagnostics. The next time that each client polls the GIM server for updates, it will receive the diagnostic command and run it immediately.
Results
You can review the results in the GIM_EVENTS report.
Debugging GIM operations

You might need to turn on debugging in order to troubleshoot a problem.
About this task

Use these steps to turn on GIM debugging on the GIM server (Guardium system). Modifying gimserver.log4j.properties requires root login on Guardium appliance. Contact
Guardium technical Support if required.
Procedure
1. Edit the GIM properties file: /opt/IBM/Guardium/tomcat/gimserver/ROOT/WEB-INF/conf/gimserver.log4j.properties.
2. Change the value ERROR to DEBUG.
3. Save the file.
Results
Debugging will be turned on in a few seconds and debug messages will be written to the daily debug log file in /var/log/guard/debug-logs/.
What to do next
When you have finished debugging, edit the file again and change DEBUG back to ERROR.
Enabling GIM client debugging
About this task
To enable debugging on the GIM client, change the parameter module_DEBUG to 1, where module is the name of the installed module whose operation you want to
debug. You can modify the parameter by using the CLI or the user interface. Set the value to 0 when you complete your debugging.
Restarting the supervisor for Solaris with SMF support

Use a set of CLI commands to restart the supervisor on Solaris servers with SMF support.
About this task

To restart the supervisor, complete the following procedure. Only use this procedure on Solaris servers with SMF support.
Procedure
1. Stop the supervisor by running the command svcadm -v disable guard_gsvr.
2. Run the command svccfg delete -f guard_gsvr.
3. Restart the supervisor with the command svccfg import <gim install dir>/SUPERVISOR/current/guard_gsvr.xml where <gim install dir> is the file path to the GIM
installation directory.
Results
The supervisor is restarted for Solaris with SMF support.
Installing your Guardium system

This document details the steps necessary to install and configure your IBM Security Guardium system.
This document also provides information on how to customize the partitioning on the appliance and how to install on a remote drive (SAN).
The steps are:
1. Assemble configuration information and the hardware required before you begin.
2. Set up the physical appliance or the virtual appliance.
3. Install the GuardiumÂ® image.
4. Set up initial and basic configurations.
5. Verify successful installation.
The IBM Security Guardium solution is available as:
Hardware offering â€“ a fully configured software solution delivered on physical appliances provided by IBMÂ®.
Software offering â€“ the solution delivered as software images to be deployed by the customers on their own hardware either directly or as virtual appliances.

The requirements listed in this document apply to the installation of both the physical appliance and the virtual appliance unless specified otherwise.
Operating modes
You can deploy a Guardium system in any of several operating modes.
License keys
Establishing a functional Guardium system requires both a base license and one or more append licenses.
Hardware Requirements
Detailed hardware requirements and sizing recommendations are available on the IBM Support Portal.
Guardium port requirements
Each Guardium system must have ports available for several types of communication. This table lists these connections and the default port numbers that are
assigned to them.
Step 1. Assemble the following before you begin
To prepare for the deployment of the Guardium system, the network administrator needs to supply the following information.
Step 2. Set up the physical or virtual appliance
The setup instructions in this section are different when installing to a physical appliance or a virtual appliance.
Step 3. Install the Guardium image
This section explains how to install the image and partition the disk.
Step 4. Set up initial and basic configuration
The initial step should be the network configuration, which must be done locally through the Command Line Interface (CLI) accessible through the serial port or the
system console.
Step 5. What to do next
This section details the steps of verifying the installation, installing license keys, and installing any available maintenance patches.
Creating the Virtual Image
Use this section to install the virtual image.
Custom Partitioning
If you customize the partitioning of the hard drive, you must make several choices.
How to partition with an encrypted LVM
If you want to use an encrypted disk, follow these steps to create an encrypted LVM volume that contains the / and /var logical volumes.
Example of SAN Configuration
This appendix details the steps involved in moving to a command prompt in order to pre-partition a hard drive (as is needed for SAN installation).
Operating modes
You can deploy a Guardium system in any of several operating modes.
As you plan your Guardium environment, you might deploy systems in any or all of these operating modes:
Collector
A collector receives data about database activities or file activities from agents that are deployed on database servers and file servers. The collector processes this
data and responds according to policies that are installed on the collector. A collector can export data to an aggregator.
Aggregator
An aggregator collects data from several collectors, to provide an aggregated view of the data. The aggregator is not connected directly to database servers and file
servers. You can allocate collectors to aggregators according to location or function. For example, you might want to connect the collectors that monitor your
human resources database servers to a single aggregator, so that you can view data that is related to all those servers in one location. If you want, you can
implement a second tier of aggregation by deploying an aggregator that collects data from all your other aggregators, rather than from collectors.
Note: If you plan to use the appliance as a central manager you MUST select Aggregator option.
Central manager
There is only one central manager in a Guardium environment, although you can designate another Guardium system as a backup central manager. You can use the
central manager to define policies and distribute them to all collectors, to perform other configuration tasks that affect all your Guardium systems, and to perform
various other administrative tasks from a single console. Your central manager can also function as an aggregator, collecting data from collectors or from other
aggregators. This model provides an enterprise-wide view of activities and enables you to view reports that are based on data that is aggregated from all your
Guardium systems.
The number of monitored database servers and file servers that you assign to an collector depends on the amount of data that flows from the servers to the collector. For
information about how many collectors and aggregators your environment requires, and how to locate your Guardium systems for best results, refer to the Deployment
Guide for IBM Guardium.
If you are using the Guardium Vulnerability Assessment component, you must decide where to run assessment tests. Some customers dedicate a separate Guardium
system for this function. You can also run tests from any Guardium system that is deployed as a collector, an aggregator, or a central manager.
Parent topic: Installing your Guardium system
License keys
Establishing a functional Guardium system requires both a base license and one or more append licenses.
Base and append licenses are described as follows:
Base license keys (also known as reset keys) reflect the machine type of the system. For example, establishing collector system requires a collector base license.
Append license keys enable specific sets of features. For example, typical data activity monitoring features require a DAM Standard append license. Multiple
append licenses can be installed in combination to enable expanded Guardium functionality.
When applying a base license, the machine type is checked to verify compatibility. There are two types of base licenses:
Table 1. Base license types
Base License Type License Description
Collector Collector base licenses are valid for establishing a standalone system or a collector.
Aggregator Aggregator base licenses are valid when establishing an aggegator or a central manager
system.

The features available on your Guardium system depend on the append license(s) you have installed. The following append licenses are available and can be used in
combination:
Table 2. Append license types
Append License Type License Description
DAM Express Predefined functionality for data activity monitoring.
DAM Standard Core functionality for data activity monitoring.
DAM Advanced DAM Standard functionality plus fine-grained access control, masking, quarantine, and blocking (activity terminate).
FAM Standard Core functionality for file activity monitoring.
FAM Advanced FAM Standard functionality plus blocking.
VA Standard Vulnerability assessment plus database protection service (DPS), change audit system (CAS), and database entitlement
reporting.
For information about installing Guardium licenses, see Install license keys.

Related tasks:
Install license keys
Hardware Requirements
Detailed hardware requirements and sizing recommendations are available on the IBM Support Portal.
For detailed hardware specifications and sizing recommendations, refer to the following: IBM Guardium V10.1 Software Appliance Technical Requirements.
Guardium port requirements

Each Guardium system must have ports available for several types of communication. This table lists these connections and the default port numbers that are assigned to
them.
Open ports
Ports used in/by the Guardium system.
DB Server â€“ Collector
TCP 8443 - open from DB server to collector
TCP 16016 â€“ Unix STAP, both directions, registration, heartbeat, and data (including IBM i S-TAP running in PASE)
TCP 16017 â€“ Windows/Unix CAS, both directions, templates and data
TCP 16018 â€“ Unix STAP (TLS), both directions, registration, heartbeat, and data
TCP 16019 â€“ Windows/Unix CAS (TLS), both directions, templates and data
TCP 16020 - From STAP agent Clear UNIX STAP connection pooling
TLS 16021 - From STAP agent Encrypted UNIX STAP connection pooling
TCP 8081 â€“ Guardium Installation Manager, both directions, database server to collector/Central Manager
TCP 9500 â€“ Windows STAP, both directions, DB Server to Collector, STAP registration and data
TCP 9501 â€“ Windows STAP (TLS), both directions, DB Server to Collector, STAP registration and data
Collector â€“ Aggregator (Secure Shell â€“ SSL)
TCP 22 â€“ collector to aggregator, SCP data exports, both directions
Central Manager â€“ Managed Devices
TCP 22 â€“ SSH/SCP data transfers, both directions
TCP 8443 â€“ SSL, both directions
TCP 8444 â€“ SSL, STAP to GIM file upload
TCP 3306 â€“ MySQL, opened to specific sources (for instance, the Central Manager is open to all managed units; a managed unit is open to the Central Manager)
TLS 8447 - Used for remote messaging service infrastructure (and profile distribution infrastructure) for communication between Guardium systems in the federated
environment / centrally-managed environment. Configuration profiles allow the definition of configuration and scheduling settings from a Central Manager and
conveniently distribute those settings to managed unit groups without altering the configuration of the Central Manager itself.
File Activity Monitoring (FAM)
TCP/TLS 16022/16023 - Universal Feed. 16022 (FAM monitoring, unencrypted) and 16023 (FAM monitoring, encrypted) both need to be open bidirectionally. The sniffer
needs the block from 16016 to 16023 open bidirectionally.

18087 - Listener port for FAM on IBM Content Classification (ICM) server located on the same machine where FAM is installed.
(serverSettings.icmURL=http://localhost:18087) Open bidirectionally.
Guardium Installation Manager (GIM)
8445 - GIM client listener, both directions. The GIM client is doing the listening. Any GIM server on either the Central Manager or the collector can reach out to it (the GIM
client).
8446 - GIM authenticated TLS, both directions. Use between the GIM client and the GIM server (on the Central Manager or collector). If GIM_USE_SSL is NOT disabled,
then the gim_client will attempt to communicate its certificate via port 8446. IF port 8446 is NOT open, then it defaults to 8444, BUT no certificate is passed (for example,
TLS without verification).
8081 - TLS - To use 8081 for the GIM client to connect to the GIM server, there is a need to disable the GIM_USE_SSL parameter - it is ON by default. This parameter is
part of the GIM common parameters in the GUI. If GIM_USE_SSL is NOT disabled, then the gim_client will attempt to communicate its certificate via port 8446. IF port
8446 is NOT open, then it defaults to 8444, BUT no certificate is passed (for example, TLS without verification).
Enterprise load balancer
TLS 8443 - S-TAP load balancer - This is needed for UNIX/Linux S-TAPs to communicate instances to the collector. However this port is also used for the Central Manager
load balancer. The S-TAP initiates a request to Central Manager (load balancer) on 8443 sending HTTPS message, if installation indicates to use Enterprise load balancer.
Between the database server and Central Manager, there will be the capability to use a proxy server, if customer doesn't want an open port directly from database to
Central Manager.
Quick Search for Enterprise
TCP 8983 - SOLR - Incoming, SSL
TCP 9983 - SOLR - Incoming, SSL
User Interface â€“ Guardium System (standalone, aggregator, Central Manager)
TCP 22 â€“ user to system, CLI connectivity, both directions
TCP 8443 â€“ user to system, GUI connectivity (configurable), both directions
System â€“ SMTP server
TCP 25 â€“ system to SMTP server, email alerts
System â€“ SNMP server
UDP 161 - SNMP client to system â€“ SNMP Polling
UDP 162 - system to SNMP server, SNMP traps
System â€“ SYSLOG server
UDP/TCP 514 â€“ remote syslog message from/to other systems, typically SIEMNote: The local port is 514, but the remote port must be entered into the configuration. If
encryption is used, the protocol must be TCP, not UDP.
System â€“ NTP server
TCP/UDP 123 â€“ system to Network Time Protocol Server
System â€“ DNS server
TCP/UDP 53 â€“ system to Domain Name Server
System â€“ EMC Centera (backups)
TCP 3218 â€“ system to EMC Centera
System â€“ Tivoli LDAP
UDP 389 â€“ system to/from Tivoli LDAP
System â€“ Mainframe
TCP 16022 â€“ connects S-TAP to DB2 z/OS, S-TAP IMS, S-TAP VSAM (S-TAP Data Set)
TCP 16023 - TLS connections, specifically IBMâ€˜s Application Transparent Transport Layer Security (AT-TLS)
Ports for connections to Windows database servers
Protoc
Port ol Purpose
8075 UDP Windows S-TAP heartbeat signal (two-way traffic). Note: The UNIX S-TAP agent does not use UDP for heartbeat signals, so there is no corresponding
UNIX port for this function.
9500 TCP Clear Windows S-TAP
9501 TLS Encrypted Windows S-TAP (optional)
1601 TCP Clear Windows CAS

7
1601 TLS Encrypted Windows CAS (optional)

9

Default Ports Used for Guardium Application Access
Por Protoc
t ol Purpose
844 TCP Web browser access (https) to the Guardium user interface. Note: This port can be changed by the Guardium administrator, and is also used to register a
3 managed unit to the Central Manager.
22 TCP SSH access from clients to manage the Guardium appliance
330 TCP Communication between central manager and managed units

6
Ports for connections to z/OS database servers
Port Protocol Purpose
16022 TCP Connects to S-TAP for DB2 z/OS, S-TAP for IMS, S-TAP for Data Sets
16023 TCP TLS connections, specifically IBM's Application Transport Layer Security (AT-TLS)
41500 TCP Default starting port for internal message logging communications â€“ LOG_PORT_SCAN_START
39987 TCP Default agent-specific communications port between the agent and the agent secondary address spaces â€“ ADS_LISTENER_PORT
Default ports used for other features
Pr
ot
o
Por c
t ol Purpose
20, T FTP Server for backups/archiving (optional)

21 C
P
22 T SCP for backups/archiving, patch distributions, and file-transfers

C
P
25 T SMTP (email server) for alerts and other notification

C
P
53 T DNS Servers
C
P
123 T NTP (Time Server) for time synchronization

C
P,
U
D
P
161 T SNMP Polling (optional)

C
P,
U
D
P
162 T SNMP Traps (optional)

C
P,
U
D
P
389 T LDAP, for example, Active Directory or Sun One Directory

C
P
514 T Syslog Server (optional)

C
P
636 T LDAP, for example, Active Directory or Sun One Directory over SSL (optional)
C
P
150 T Tivoli Storage Manager backup hosts (optional)

0 C
P
321 T EMC Centera backup hosts (optional)

8 C
P,
U
D
P
use T Database Server listener ports, for example, 1521 for Oracle or 1433 for MS-SQL, for Guardium datasource access (optional). Use this port for S-TAP
r- C verification and Discovery.
defi P
ned
160 T Universal Feed - File Activity Monitoring (FAM0

22/ C
160 P/
23 T
L
S
180 Â FAM using IBM Content Classification locally (serverSettings.icmURL=http://localhost:18087)

27
844 Â GIM client listener, both directions

5
The GIM client is doing the listening. Any GIM server on either the Central Manager or the collector can reach out to it (the GIM client).
844 T GIM authenticated TLS, both directions
6 L
S Use between the GIM client and the GIM server (on the Central Manager or collector).
If GIM_USE_SSL is NOT disabled, then the gim_client will attempt to communicate its certificate via port 8446. IF port 8446 is NOT open, then it defaults to
8444 BUT no certificate is passed (for example, TLS without verification).
844 T Used for remote messaging service infrastructure (and profile distribution infrastructure) for communication between Guardium systems in the federated
7 L environment / centrally-managed environment. Configuration profiles allow the definition of configuration and scheduling settings from a Central Manager and
S conveniently distribute those settings to managed unit groups without altering the configuration of the Central Manager itself.
844 T Enterprise load balancer

3 L
S This is needed for UNIX/Linux S-TAPs to communicate instances to the collector.
However this port is also used for the Central Manager load balancer. If the installation wants to use Enterprise load balancer, then the S-TAP initiates a request
to the Central Manager on port 8443 by sending an HTTPS message.
So between database server and Central Manager, there will be the capability to use a proxy server, if customer doesn't want an open port directly from
database to Central Manager.
808 T To use 8081 for the GIM client to connect to the GIM server - need to disable the GIM_USE_SSL parameter - it is ON by default. This parameter is part of the
1 L GIM common parameters in the GUI. If GIM_USE_SSL is NOT disabled, then the gim_client will attempt to communicate its certificate via port 8446. IF port
S 8446 is NOT open, then it defaults to 8444 BUT no certificate is passed (for example, TLS without verification).
898 T SOLR, incoming, SSL (Quick Search for Enterprise)

3 C
P
998 T SOLR, incoming, SSL (Quick Search for Enterprise)

3 C
P
Step 1. Assemble the following before you begin

To prepare for the deployment of the Guardium system, the network administrator needs to supply the following information.
IP address for the interface card (eth0)

Subnet mask for primary IP address
Default router IP address.
Hostname and domain name to assign to system
DNS server IP addresses (up to three addresses), and add the new Guardium system to your DNS domain
(optional) IP address for secondary management interface
(optional) Mask for secondary IP management interface
(optional) Gateway for secondary IP management interface
(optional) NTP server hostname
(optional) SMTP configuration information (for email alerts): IP address, port, and if authentication is used, an SMTP user name and password
(optional) SNMP configuration information (for SNMP alerts) the IP address of the SNMP server and the trap community name to use.
SAN storage devices

If the installation is to be deployed on a Storage Area Network (SAN), all configuration information needed by the SAN, must be prepared before deployment. Also,
there are additional installation steps required to partition the SAN storage device and install the Guardium OS.
SAN storage devices

If the installation is to be deployed on a Storage Area Network (SAN), all configuration information needed by the SAN, must be prepared before deployment. Also, there
are additional installation steps required to partition the SAN storage device and install the Guardium OS.

Note: Installation on a SAN is supported, installation on a NAS is not supported.
Parent topic: Step 1. Assemble the following before you begin
Step 2. Set up the physical or virtual appliance

The setup instructions in this section are different when installing to a physical appliance or a virtual appliance.
Physical Appliance
After the appliance has been loaded into the customer's rack, connect the appliance to the network in the following manner:
How to identify eth0 and other network ports
Use the following CLI commands to map the network ports.
Default passwords for physical appliances
Default passwords are supplied for predefined users.
Virtual appliance
The IBM Security Guardium Virtual Machine (VM) is a software-only solution licensed and installed on a guest virtual machine such as VMware ESX Server.
Physical Appliance
After the appliance has been loaded into the customer's rack, connect the appliance to the network in the following manner:
1. Find the power connections. Plug the appropriate power cord(s) into these connections.
2. Connect the network cable to the eth0 network port. Connect any optional secondary network cables.
3. Connect a Keyboard, Video and Mouse directly or through a KVM connection (either serial or through the USB port) to the system.
4. Power up the system.
Parent topic: Step 2. Set up the physical or virtual appliance

Lenovo System x3550 M5 Installation and Service Guide
Technical Requirements document
Changes in eth0 management port
How to identify eth0 and other network ports

Use the following CLI commands to map the network ports.

Use this CLI command to display the port names and MAC addresses of all installed network interfaces.

eth0 00:13:72:50:CF:40
eth1 00:13:72:50:CF:41
eth2 00:04:23:CB:11:84
eth3 00:04:23:CB:11:85
eth4 00:04:23:CB:11:96
eth5 00:04:23:CB:11:97
show network interface port

Use this CLI command to locate a physical connector on the back of the appliance. After using the show network interface inventory command to display all port names,
use this command to blink the light on the physical port specified by n (the digit following eth - eth0, eth1, eth2, eth3, etc.), 20 times.
show network interface port 1
The light on port eth1 will now blink 20 times.
Install the software directly on dedicated computer

When installing the Guardium software directly to disk on a dedicated computer, use the Physical appliance instructions.
Default passwords for physical appliances

Default passwords are supplied for predefined users.
When you receive a physical appliance from IBM, use these passwords for your initial configuration.
Note: Be sure to change all default passwords when you complete the installation.
Table 1. Default passwords for
predefined users
User Default password
accessmgr guard1accessmgr
admin guard1admin
cli guard1cli

Virtual appliance
The IBM Security Guardium Virtual Machine (VM) is a software-only solution licensed and installed on a guest virtual machine such as VMware ESX Server.
To install the Guardium VM, follow the steps in Creating the Virtual Image. The steps are:
Verify system compatibility

Install VMware ESX Server
Connect network cables
Configure the VM Management Portal
Create a new Virtual Machine
Install the IBM Security Guardium virtual appliance
After installing the VM, return to Step 4, Setup Initial and Basic Configuration, for further instructions on how to configure your Guardium system.
Step 3. Install the GuardiumÂ® image

This section explains how to install the image and partition the disk.
1. Make sure your UEFI/BIOS â€œboot sequenceâ€ settings are set to attempt startup from the removable media (the CD/DVD drive) before using the hard drive.
Note: Installation can take place from DVD. If needed, get the UEFI/BIOS password from Technical Support.
2. Load the Guardium image from the installation DVD.
3. The following two options appear:
Standard Installation: this is the default. Use this choice in most cases when partitioning the disk.
Custom Partition Installation: allows more customization of all partitions (locally or on a SAN disk). See Custom partitioning for further information on how to
implement this option.
Note:
The Standard Installation wipes the disk, repartitions and reformats the disk, and installs a new operating system.
On the first boot after installation, the user is asked to accept a Licensing Agreement. They can use PgDn to read through the agreement or Q to skip to the
end. To accept the terms of the agreement, enter q to exit and then type yes. The user must enter yes to the agreement or the machine will not boot up.
4. The system boots up from DVD. It takes about 12 minutes for this installation.
(d) The installation process will now ask you to choose a collector or aggregator (will be set to â€œCollectorâ€ automatically after 10 seconds if no input is
provided). See the Product Overview for an explanation of Collector and Aggregator. If you wanted to choose aggregator and you did not choose it within 10
seconds, you must reinstall in order to get back to this point where you have a choice of aggregator.
Note: If you plan to use the appliance as a central manager you MUST select Aggregator option.
5. The system automatically reboots at this point to complete the installation. The first login after a reboot requires a changing of passwords.
Step 4. Set up initial and basic configuration

The initial step should be the network configuration, which must be done locally through the Command Line Interface (CLI) accessible through the serial port or the
system console.
Enter the temporary cli password that you supplied previously.
In the following steps, you will supply various network parameters to integrate the Guardium system into your environment, using CLI commands.
In the CLI syntax, variables are indicated by angled brackets, for example: <ip_address>
Replace each variable with the appropriate value for your network and installation. Do not include the brackets.
Set the primary system IP address

The primary IP address is for the eth0 connection, and is defined by using the following two commands:
Set the Default Router IP Address
Use the following CLI command:
Set DNS Server IP Address
Set the IP address of one or more DNS servers to be used by the appliance to resolve host names and IP addresses. The first resolver is required, the others are
optional.
SMTP Server
An SMTP server is required to send system alerts. Enter the following commands to set your SMTP server IP address, set a return address for messages, and enable
SMTP alerts on startup.
Set Host and Domain Names
Configure the hostname and domain name of the appliance. This name should match the hostname registered for the appliance in the DNS server.
Set the Time Zone, Date and Time
There are options for setting the date and time for the appliance.
Set the Initial Unit Type
An appliance can be a standalone unit, a manager or a managed unit; In addition, an appliance can be set to capture database activity via network inspection or S-
TAP or both. The standard configuration would be for a standalone appliance (for all appliances), and the most common setting would use S-TAP capturing (only for
collectors).
Reset Root Password
Reset your root password on the appliance using your own private passkey by executing the following CLI command (requires access key: "t0Tach"):
Validate All Settings
Before logging out of CLI and progressing to the next configuration step, review and validate the configured settings using the following commands:

Reboot the System
If the system is not in its final location, now is a good time to shut down the system, place it in its final network location, and start it up again.
Set the primary system IP address

The primary IP address is for the eth0 connection, and is defined by using the following two commands:
store network interface ip <ip_address>

store network interface mask <subnet_mask>
The default network interface mask is 255.255.255.0. If this value is the correct mask for your network, you can skip the second command.
To assign a secondary IP address, use the CLI command, store network interface secondary [on <interface> <ip> <mask> <gw> | off], that can be used to enable/disable
the secondary interface.
Next you must restart the network by using the CLI command, restart network. Assigning a secondary IP address cannot be done by using the GUI, only through the CLI.
The remaining network interface cards on the appliance can be used to monitor database traffic, and do not have an assigned IP address.
Parent topic: Step 4. Set up initial and basic configuration
Set the Default Router IP Address

Use the following CLI command:
store network routes defaultroute <default_router_ip>
Set DNS Server IP Address

Set the IP address of one or more DNS servers to be used by the appliance to resolve host names and IP addresses. The first resolver is required, the others are optional.
store network resolver 1 <resolver_1_ip>

SMTP Server
An SMTP server is required to send system alerts. Enter the following commands to set your SMTP server IP address, set a return address for messages, and enable SMTP
alerts on startup.
store alerter smtp relay <smtp_server_ip>

store alerter smtp returnaddr <first.last@company.com>
store alerter state startup on
Note: You can also configure the SMTP server by using the user interface. ClickSetup > Alerter.
Set Host and Domain Names

Configure the hostname and domain name of the appliance. This name should match the hostname registered for the appliance in the DNS server.
store system hostname <host_name>

store system domain <domain_name>
Set the Time Zone, Date and Time

There are options for setting the date and time for the appliance.
Timezone, date, time and ntp
1. Set timezone
2. Set date and time - Option 1 - set ntp. Option 2 - store system clock datetime
Date/Time Option 1: Network Time Protocol
Provide the details of an accessible NTP server and enable its use.

Date/Time Option 2: Set the time zone, date and time
Use the following command to display a list of valid time zones:
store system clock timezone list

Choose the appropriate time zone from the list and use the same command to set it.
store system clock timezone <selected time zone>
Note: When setting up a new timezone, internal services will restart and data monitoring will be disabled for a few minutes during this restart.
Store the date and time, in the format: YYYY-mm-dd hh:mm:ss
store system clock datetime <date_time>
Note: Do not change the hostname and the time zone in the same CLI session.
Set the Initial Unit Type

An appliance can be a standalone unit, a manager or a managed unit; In addition, an appliance can be set to capture database activity via network inspection or S-TAP or
both. The standard configuration would be for a standalone appliance (for all appliances), and the most common setting would use S-TAP capturing (only for collectors).
store unit type standalone - use this command for all appliances.
store unit type stap - use this command for collectors.
Unit type standalone and unit type stap are set by default. Unit type manager (if needed) must be specified.
Note: Unit type settings can be done at a later stage, when the appliance is fully operational.
Reset Root Password

Reset your root password on the appliance using your own private passkey by executing the following CLI command (requires access key: "t0Tach"):
support reset-password root <random>
Save the passkey used in your documentation to allow future Technical Support root accessibility. To see the current pass key use the following CLI command:
support show passkey root
Questions - How secure is the Guardium system root password? Who has access to it?
Guardium appliances are "black box" environments with the end user only having access to limited access Operating System accounts, such as:
cli; guardcli1; guardcli2; guardcli3; guardcli4; and, guardcli5.
The Graphical User Interface user accounts (for example admin and accessmgr) are not defined by the Guardium system's operating system, but are application IDs
defined and managed via an application interface (accessmgr).
Being a secured server, root access is not readily available to anyone, but, is often required by Guardium support to gain access to the Guardium apoliances to
troubleshoot and resolve issues. Guardium support does not use sudo, or any other userid other than root, to gain access to Guardium appliances.
The root password is secured using a "joint password" mechanism. The customer holds the keys to the appliance in the form of a eight-digit numeric passkey. IBM
holds the passkey decoder. Without having both, the passkey and passkey decoder, neither IBM nor the customer can access the appliance as root.
The passkey is managed by the customer via the CLI interface. The customer can change the passkey at any time, without notifying IBM, by using the following CLI
command:
support reset-password root
Anyone with CLI access can retrieve the passkey for root by using the following CLI command:
support show passkey root
When involving Guardium support, on a remote desktop sharing session, the support analyst will request the root passkey for the Guardium appliance in question.
Once the passkey has been decoded, Guardium support will use the root password to gain access to the appliance as root. After the remote desktop sharing session
terminates, the customer can change the passkey using the above CLI command, thereby ensuring IBM no longer has the root password for this appliance.
Being an eight-digit numeric key, the passkey has a range of 10000000 to 99999999. This range provides 89,999,999 possible passwords. All encoded passwords
are hardened. They do not contain any common passwords, any dictionary words, their length varies and they contain national, special, alphabetic (upper and lower
case) and/or numeric characters.
Access to the passkey decoder is restricted to a select few IBM Guardium employees, such as Guardium R&D, Guardium QA and Guardium support staff members.
It is not available to IBM staff.
The CLI userids mentioned above (cli, guardcli1, guardcli2, guardcli3, guardcli4, guardcli5) do not use the passkey mechanism and their passwords are 100%
governed by the customer with IBM having no access to their passwords. For this reason, IBM recommends keeping the root passkey in a password vault to ensure
the appliance is accessible even if the CLI account passwords have been forgotten or misplaced.
Validate All Settings

Before logging out of CLI and progressing to the next configuration step, review and validate the configured settings using the following commands:
show network interface all

show network routes defaultroute
show network resolver all
show system hostname

show system domain
show system clock timezone
show system clock datetime
show system ntp all
show unit type
Reboot the System

If the system is not in its final location, now is a good time to shut down the system, place it in its final network location, and start it up again.
Remove the installation DVD before you reboot the system.
To stop the system, enter the following command in the CLI:
stop system
The system shuts down. Move the system to its final location, re-cable the system, and power the system back on. After the system is powered on, it is accessible (using
the CLI and GUI) through the network, using the provided IP address or host name.
Step 5. What to do next

This section details the steps of verifying the installation, installing license keys, and installing any available maintenance patches.
Verify Successful Installation

Verify the installation by following the following steps:
Set Unit Type
To set up a federated environment, configure one of the appliances as the central manager and set all the other appliances to be managed by the central manager.
This topic guides you through the procedure of installing and accepting Guardium license keys.
Install maintenance patches (if available)
You can install patches by using the CLI or through the GUI.
Additional Steps (optional)
The following sections discuss changing the baseline English to another language, installing S-TAPÂ® agents, defining Inspection Engines and installing CAS agents.
Verify Successful Installation

Verify the installation by following the following steps:
1. Login to CLI - ssh cli@<ip of appliance>

2. Login to GUI - https://<hostname of appliance>.<full domain>:8443 (use admin userid)
The first login after a reboot will require a changing of passwords.
Login to the Guardium web-based interface and go to the embedded online help for more information on any of the following tasks.
Parent topic: Step 5. What to do next
Set Unit Type

To set up a federated environment, configure one of the appliances as the central manager and set all the other appliances to be managed by the central manager.
Use the CLI command store unit type to set the type of each Guardium system.

This topic guides you through the procedure of installing and accepting Guardium license keys.
Before you begin

Download your license keys from Passport Advantage
Install or upgrade your Guardium system
Verify that the machine type is correctly set for your system
About this task

Installing a Guardium license key is a two-step process: you need to install the license key and then read and accept the terms of the license agreement. After installing a
Guardium license key, the user interface will reload to reflect the functionality enabled by the new license.
Establishing a functional Guardium system requires installing both a base and at least one append licenses. The base license must be installed and accepted before
installing and accepting any append licenses.
For more information about Guardium license keys, see License keys.

Attention:
When upgrading a Guardium system, you will not need to apply licenses. License keys will be automatically generated based on your preexisting installation, but you will
need to review and accept the license agreements before you can begin using your Guardium system. To review and accept licenses on an upgraded system, navigate to
Setup > Tools and Views > License and click the Read and accept license link.
Procedure
1. Log in to your Guardium system as the admin user.
2. Verify that the Machine Type displayed in the Guardium banner is correct for the system you are licensing. The machine type will be one of the following:
Standalone
Central Manager
Aggregator
Attention: If you are setting up a central manager and the Machine Type indicates an aggregator, convert the system from an aggregator to a central manager using
the following CLI command: store unit type manager.
3. Install a base license.
a. Navigate to Setup > Tools and Views > License.
b. On the License page, enter the base key for your system in the License key field and click Apply to continue.
Attention: Depending on the system you are setting up, you will need to apply either a base collector key or a base aggregator key. A base aggregator key is
required when setting up a central manager system.
c. From the License Agreement dialog, review the license agreement associated with the base key and click Accept when you are ready to accept the terms.
The Guardium interface will automatically refresh after accepting the agreement, but there will be no change in available functionality after installing a base
license key.
4. Install one or more append licenses. Repeat the following steps for each append licence you have purchased and want to install.
b. On the License page, enter an append key in the License key field and click Apply to continue.
c. From the License Agreement dialog, review the license agreement associated with the append key and click Accept when you are ready to accept the terms.
The Guardium interface will automatically refresh after accepting the agreement, and any new functionality associated with the append license will become
available.
d. Repeat the steps in this section for each append license you want to install.
What to do next
In an environment with a central manager, you can distribute the new licenses by navigating to the Manage > Central Management > Central Management page and
clicking the icon to distribute licenses from the central manager to managed units.
In an environment with a central manager, the central manager and its managed units must use the same shared secret. Set the shared secret from the Setup > Tools and
Views > System page or by using the CLI command store system shared secret.

Related concepts:
License keys
Install maintenance patches (if available)

You can install patches by using the CLI or through the GUI.
Note: In federated environments, maintenance patches can be applied to all of the appliances from the Central Manager.
There may not be any maintenance patches included with the installation materials. If any are included, follow these steps to apply them:
1. Log in to the GuardiumÂ® console, as the cli user, using the temporary cli password you defined in the previous installation procedure. You can do this by using an
ssh client.
If installing from a network location, enter the following command (selecting either ftp or scp):
store system patch install [ftp | scp]
And respond to the following prompts (be sure to supply the full path name to the patch file):
User on <hostname>
Full path to patch, including name:
Password:
If installing using the fileserver function, enter the following command:
store system install patch sys
You will be prompted to select the patch to apply. Use wildcards in the pathname to get multiple patches. Also separate patch names by commas.
3. To install additional patches, repeat step 2.

4. To see if patches have been installed successfully, use the CLI command:
show system patch installed
Patches are installed by a background process that may take a few minutes to complete.

Additional Steps (optional)
The following sections discuss changing the baseline English to another language, installing S-TAPÂ® agents, defining Inspection Engines and installing CAS agents.
Change the language

Installation of IBM Guardium is always in English. Use the CLI command store language to change from the baseline English and convert the database to the preferred
language. A Guardium system can be changed only to Japanese or Chinese (Traditional or Simplified) after an installation. The store language command is considered a
setup of the Guardium system and is intended to be run during the initial setup of the system. Running this CLI command after deployment of the appliance in a specific
language can change the information already captured, stored, customized, archived or exported. For example, the psmls (the panes and portlets you have created) will be
deleted, since they need to be re-created in the new language.
Note: To avoid the Guardium UI from displaying a mixture of languages, set the Central Manager and managed units to the same language.
Install S-TAP agents

Install S-TAP agents on the database servers and define their inspection engines. S-TAP is a lightweight software agent installed on the database server, which monitors
local and network database traffic and sends the relevant information to a Guardium system (the collector) for further analysis, reporting and alerting. To install an S-TAP,
refer to the S-TAP section of this information center. To verify that the S-TAP have been installed and are connected to the Guardium system:
1. Log in to the administrator portal.

Navigate to the Manage > System View, and click S-TAP Status Monitor from the menu. All active S-TAPs display with a green background. A red background indicates that
the S-TAP is not active.
Navigate to Manage > Activity Monitoring > S-TAP Control, and confirm that there is a green status light for this S-TAP.
Define Inspection Engines

Define Inspection Engines for network-based activity monitoring.
Install CAS agents

Install Configuration Auditing System (CAS) agents on the database server.
Creating the Virtual Image

Use this section to install the virtual image.
VMware Infrastructure Overview

While you can install a Guardium VM on any VMware product, the VMware ESX server is the recommended platform for a virtual solution and is presented here.
VM Installation Overview
To install the IBM Security Guardium VM, follow the steps that are described here. After you install the VM, return to earlier Step 3, Install the IBM Security
Guardium image, and earlier Step 4, Initial Setup and Basic Configuration.
Creating a Hyper-V Virtual Machine
VMware Infrastructure Overview

While you can install a Guardium VM on any VMware product, the VMware ESX server is the recommended platform for a virtual solution and is presented here.
The VMware ESX Server on which you can install the Guardium VM is one component of the VMware infrastructure. Although not all VMware Infrastructure components
are required to support the Guardium VM, you should be familiar with all components that are in use at your installation.
ESX Server: This component is used to configure and control VMware virtual machines on a physical host referred to as the ESX Server host. To install an Guardium VM,
you first define a virtual machine on an ESX Server host, and then install and configure the Guardium VM image on that virtual machine. You can create multiple Guardium
VMs on a single ESX Server.
VI Client (Virtual Infrastructure Client): This component is used to connect to a standalone ESX Server, or to a VirtualCenter Server. In the latter case, you can
administer multiple virtual machines created over multiple ESX Server hosts.
Web Browser: Use a Web browser to download and use the VI Client software from an ESX Server host or the VirtualCenter server.
VirtualCenter Management Server (Optional): This component runs on a remote Windows machine, and can be used to manage multiple virtual machines on multiple
ESX Server hosts. It offers a single point of control over all the ESX Server hosts.
Database (Optional): The VirtualCenter Server uses a database to store configuration information for the infrastructure. The database is not needed if the VirtualCenter
Server is not used.
License Server (Optional): Stores and manages the licenses needed to maintain a VMware Infrastructure.
For more information, go to www.vmware.com and search for â€œESX Quick Startâ€
Parent topic: Creating the Virtual Image
VM Installation Overview

To install the IBM Security Guardium VM, follow the steps that are described here. After you install the VM, return to earlier Step 3, Install the IBM Security Guardium
image, and earlier Step 4, Initial Setup and Basic Configuration.
If you are installing multiple Guardium VM systems in a VMware VirtualCenter Management Server environment, you can create a template system from the first Guardium
VM that you create, and then clone that template as necessary. Then, all you need to do is set the IP address on each cloned system. For more information, see the note
following Step 7.
Step 1: Verify system compatibility

1. Verify that the host is compatible with VMware's ESX Server (ESX 4.0 Update 4 and higher is the bare minimum to run a Guardium system). See the VMware
document entitled Systems Compatibility Guide for ESX Server, which is available online in PDF format.
2. Verify that a virtual machine installed on the host will be able to provide the minimum recommended resources for a Guardium system, whether you plan to use it
as a collector, central manager, or aggregator. See the Minimum/Recommended Resources in the Hardware Requirements section of this document.
3. When you create a 64-bit VM for the first time or upgrade a 32-bit VM to 64-bit, ensure that the virtual hardware is correctly configured for 64-bit operation. In
some cases, you might need to perform an Upgrade Virtual Hardware operation. For information, refer to your VMware documentation.
Step 2: Install VMware ESX Server

If it is not already installed, install VMware ESX Server. VMware provides installation instructions on their website to help with installing and configuring the VMware
Infrastructure and ESX server.
Note: The ESX server is only supported on a specific set of hardware devices. For more information, see the VMware Virtual Infrastructure documentation.
Step 3: Connect network cables

Before you define any virtual switches that will be used for the Guardium VM, you must connect the appropriate NICs to the network. You cannot assign NICs to virtual
networks or switches until the NICs are physically connected.
The following table describes how the Guardium VM uses network interfaces. Refer to this table to make the appropriate connections before you configure the virtual
switches for use by the Guardium VM.
Table 1. IBM Security Guardium VM Network Interface Use

Interface Description
Proxy interface (eth0) This interface is the main gateway to the appliance, and is used for these purposes:
Graphical web-based User Interface (GUI) to manage, configure, and use the solution
Command Line Interface (CLI) for initial setup and basic configuration
Connections with external systems such backup systems, database servers, and LDAP server
Communication with other Guardium components such as other appliances (aggregator, central manager) and agents that are installed
on database or file servers such as S-TAP or CAS clients
Application server This interface is required if you configure your Guardium system as a transparent proxy. It connects to the application servers whose content
interface (eth1) your Guardium system is configured to mask.
Step 4: Configure the Guardium VM management portal

The default configuration for a new VMware ESX Server installation creates a single port group for use by the VMware service console and all virtual machines. For the
Guardium VM, we strongly recommend that you do not share ports with the VMware console or any other virtual machine. Follow these instructions to create one or more
virtual switches to be used by a Guardium VM.
1. Open the VMware VI Client, and log on to either a VirtualCenter Server, or the ESX Server host on which you want to create a new virtual machine.
2. If you are logged in to a VirtualCenter Server, click Inventory in the navigation bar, and expand the inventory as needed to display the managed host or cluster on
which you plan to install a Guardium VM.
3. In the inventory display, click the host or cluster on which you plan to install a Guardium VM.
4. Click Configuration tab, click Networking in the Hardware box, and then click Add Networking.
This opens the Add Network Wizard, which is used for various purposes.
Use the Add Network Wizard to define a new virtual switch for the Guardium VM network interface. This is the connection over which you will access the Guardium
VM management console, and over which the Guardium VM will communicate with other Guardium components (S-TAPs, for example, which are software agents
that you will install later on one or more database servers).
5. In the Connection Types box, click Virtual Machine and click Next.

6. In the Network Access panel, click Create a virtual switch, and mark the unclaimed network adapter that you will use for the Guardium VM network interface:
7. Optionally mark a second unclaimed network adapter if want to use the VMware IP teaming capability to provide a secondary (failover) network interface. Later, you
will designate this second adapter as a Standby Adapter (and of course, you must cable both NICs appropriately).
8. Click Next to continue to the Connection Settings page of the Add Network Wizard.
9. In the Network Label box, enter a name for the virtual machine port group, for example: GuardETH0, and click Next.
10. In the Summary page, click Finish. The new virtual switch is displayed in the Configuration tab.
11. Optional. If you have defined a second adapter for failover purposes: (a) Click Properties link for the virtual switch just created to open the virtual switch Properties
panel. (b) Click Ports tab and select the virtual port group just created (GuardETH0 in the example), and click Edit. (c) In the virtual port group Properties panel,
click NIC Teaming tab, mark the Override vSwitch Failover box, and then move the second adapter to the Standby Adapters list. (d) Click OK to close the virtual port
group Properties box, and click Close to close the virtual switch Properties box.
Step 5: Create a new virtual machine

If you have not already done so, create a new virtual machine on which to install a Guardium VM.
Perform this task by using the VMware VI Client.
2. If you are logged in to a VirtualCenter Server, click Inventory in the navigation bar, expand the inventory as needed, and select the managed host or cluster to which
you want to add the new virtual machine.
3. From the File menu, click New â€“ Virtual Machine to open the configuration Type panel of the New Virtual Machine wizard.
4. Click Typical as the configuration type, and click Next to continue with the Name and Folder panel.
5. On the Name and Folder panel:
Enter a name for the new virtual machine in the Virtual Machine Name field. This name appears in the VI Client inventory and is also used as the name of the virtual
machines files.
To set the inventory location for the new virtual machine, select a folder or the root location of a datacenter from the list under Virtual Machine Inventory Location.
Click Next.
6. If your host or cluster contains resource pools, the Resource Pool panel is displayed, and you must select the resource (host, cluster, or resource pool) in which you
want to run the virtual machine. Click Next.
7. On the Datastore panel, optionally select a datastore in which to store the new virtual machine files, and click Next.
8. In the Choose the Guest Operating System panel, choose the operating system that corresponds to the Guardium image that you are installing. Click Linux > RedHat
Enterprise Linux 6, 64-bit from the Version box, and click Next. .
The operating system is not installed now, but the OS type is needed to set appropriate default values for the virtual machine.
For VM minimum resources, refer to the Hardware Requirements in the Before you begin section.
9. On the Virtual CPUs panel, select the number of CPUs recommended for the type of Guardium VM being installed, and click Next.
10. On the Memory panel, select the amount of memory recommended for the type of Guardium VM being installed, and click Next. Important: the initial value must be
at least 16 GB. If customers want to work outside the required range, consult with Technical Support.
11. On the Network panel, click 1 as the number of ports that are required, and click Next.
12. For the selected port, use the Network pull-down menu to choose a port group configured for virtual network use. (You should have defined this port group in the
previous procedure.)
13. For the selected port group, mark the Connect at Power On check box (it should be marked by default), and click Next.
14. On the Virtual Disk Capacity panel, enter the amount of disk space to reserve for the new virtual machine in the Disk Size field.
15. On the Ready to Complete panel, verify your settings and click Finish.
This completes the definition of the new virtual machine. The operating system has not yet been installed, so if you attempt to start the virtual machine, that activity will
fail.
Step 6: Install the Guardium system

Perform this task using the VMware Virtual Infrastructure Client.

2. If logged into a VirtualCenter Server, click Inventory in the navigation bar, expand the inventory as needed, and select the virtual machine on which you want to
install the Guardium VM.
3. On the Summary tab, click Edit Settings.
4. Click CD/DVD Drive 1.
5. Select one of the following options to determine from where the virtual CD-ROM/DVD device will read the GuardiumÂ® Installation program. We strongly
recommend the first option:
Datastore ISO File â€“ Connect to the Guardium Installation ISO file on a datastore. If you have not already done so, copy the Guardium ISO files to a datastore
accessible from the ESX Server host on which the virtual machine is installed. Click Browse to select the file.
Caution: For the remaining options, you will place the Guardium Installation CD/DVD in a CD-ROM/DVD drive. If you reboot any system with an Guardium
Installation CD/DVD in its CD-ROM/DVD drive, you will install Guardium on that system, wiping out the host operating system and files.
Client Device â€“ Connect to a CD-ROM/DVD device on the system on which you are running the VI Client. If you select this option, insert the Guardium CD/DVD in
the CD-ROM/DVD drive of the system on which the VI Client is running.
Host Device â€“ Connect to a CD-ROM/DVD device on the ESX Server host machine on which the virtual machine is installed. If you select this option, choose the
device from a drop-down menu, and insert the Guardium CD/DVD in the CD-ROM/DVD drive of the ESX Server host machine.
6. Click OK.
7. Click Power On to start the virtual machine.
8. If you selected Client Device as your CD/DVD Drive option, click Virtual CD-ROM (ide0:0) in the toolbar, and select the local CD-ROM device to connect to.
9. Click Console tab to display the virtual machine console. You will need to respond to several prompts during the installation process.
10. Skip this step if you are using theGuardium DVD.
When prompted for the second CD, depending on option you use in step 5 you need to either put the second CD in its drive or select the second CD ISO image.
Continue by pressing Enter. When prompted for the cli password, enter a temporary password for use when logging in to the Guardium CLI, which you will need to
do to set the IP configuration parameters for the appliance.
11. When you are prompted for the GUI admin password, enter a temporary password for use when logging in to the Guardium user interface as the admin user.
12. When asked if building a collector or aggregator, choose the appropriate type.
13. Click No to the Master Passkey prompt.
Caution: If a CD-ROM/DVD drive was used, the CD/DVD ejects when the installation completes. Be sure to remove the installation CD/DVD from that drive. If the ISO
file was used, be sure to remove the ISO CD ROM by changing the virtual CD/DVD back to a Client or Host Device. Otherwise, the next time it is rebooted, you will
install Guardium on the host machine, wiping out the host machine operating system and all files.
The machine will reboot automatically, and you will be prompted to log in as the CLI user.
14. At this point, return to Step 4, Set up Initial and Basic Configurations for complete instructions on configuration of the Guardium system.
Step 7: Install Multiple VMs

(Optional) To install multiple GuardiumVMs, you can repeat the procedures for each appliance, or you can minimize your work by cloning the first Guardium VM that you
created, and following these steps:
1. Use the VMware virtual infrastructure server product to clone the first Guardium VM that you configured to a template.
2. From the template, create a clone for each additional Guardium VM to be configured.
3. For each clone, log in to the Guardium VM console as the cli user by using the temporary cli password and reset any of the IP configuration parameters that you set
in the previous procedure. Mandatory tasks: reset the IP address, reset the GLOBAL_ID (GID), and reset the host name. The UNIQUE_ID (UID) is set automatically
and does not require manual configuration. Be sure to review all of the IP configuration settings entered in the previous procedure.
store network interface ip <ip_address>

store network interface mask <subnet_mask>
store product gid <n>
store system hostname <host_name>
When you are done, enter the restart network command.
restart network
Note: The unique ID (UID) of the appliance is recalculated every time the hostname changes in order to avoid having multiple appliances with the same unique ID.
Note: The global ID (GID) can be any number so long as it is unique and less than 9223372036854775808. During the cloning process this unique number is
necessary. Please obtain the global IDs from your other appliances and use a number that is unique for this clone.
Creating a Hyper-V Virtual Machine

Before you begin
Hyper-V is a virtualization solution from Microsoft. It is assumed that the Guardium user using Hyper-V has pre-experience with Hyper-V. Most installations of
Hyper-V are straight forward. The instructions listed in this Guardium help topic may be more complex than needed.
Verify system requirements for the version of Guardium being installed.
Reserve an IP address for the virtual machine.
About this task
Procedure
1. Log into the Hyper-V server as an administrator.
2. Start the Hyper-V manager at Start menu > Administrative Tools > Hyper-V Manager.
3. Right-click on the Hyper-V server and select New > Virtual Machine.

a. Enter the host name in Name field, use the default Store location, then click Next.
b. Enter desired memory in the RAM field, then click Next. Verify that the specified RAM meets the minimum system requirements for your Guardium version.
a. Select connection Trunk > Virtual Network, then click Next.
b. Specify the desired disk size on the Virtual Disk dialog, then click Next. Verify that the specified virtual disk size meets the minimum system requirements for
your Guardium version.
c. Accept the default settings under Installation Options, then click Next.
d. Click Finish to create your new virtual machine.
4. Right-click on your new virtual machine in the Virtual Machines list and select Connect to open the console.
5. Power on the virtual machine to reserve a MAC address by clicking the green button or selecting Action > Start.
6. At the boot failure prompt, power off the virtual machine by clicking the gray button or selecting Action > Turn Off.
7. Select File > Settings to continue configuring your virtual machine.
a. Specify the desired number of logical processors under Hardware > Processor > Logical Processors. Verify that the specified number of processors meets the
minimum system requirements for your Guardium version.
b. Record the MAC address assigned under Hardware > Network Adapter. You will need this information later in the installation process.
c. Select the network adapter and click Remove.
d. Select Hardware > Add Hardware > Legacy Network Adapter, then click Add. The selection is automatically moved to Legacy Network Adapter.
e. Select Trunk > Virtual Network.
f. Select MAC Address > Static and enter the previously-recorded MAC address.
g. Select the Enable Virtual LAN Identification check box.
h. Enter a VLAN Designation of 3xxx. For example, 3156.
i. Select Hardware > BIOS, raise the Legacy Network Adapter, then click OK.
8. Add the virtual machine's MAC address to your IP reservation.
9. Add the virtual machine's IP address, host name, and MAC address to gmachine_list.txt.
10. Start the virtual machine. The Dev-IT managed OS Boot dialog should appear, stop at BOOT: until timeout, and then return to the Boot Failure prompt.
11. Run your PXE command, then use CTRL-ALT-DEL macro button to reboot the virtual machine. Allow the machine to build.
12. Use TOUCH and SU - CLI to assign the proper IP address, route, and DNS settings. The host and domain settings are typically are auto-configured.
13. Use SU - CLI > STOP SYSTEM to shut down the system.
14. Right-cick the virtual machine and select Settings.
a. Replace Legacy Network Adapter with the default network adapter selection.
b. Select Trunk > Virtual Network.
c. Select MAC Address > Static and enter the previously-recorded MAC address.
d. Enter a VLAN Designation of 3xxx. For example, 3156.
15. Boot the virtual machine.
What to do next
Verify that the virtual machine is functioning by pinging OTIS from the virtual machine and by logging into the virtual machine over SSH from a remote host.
Some common problems include:
Not replacing the default network adapter with the legacy adapter will not allow PXE.
Not replacing the legacy network adapter with the default network adapter leave the Guardium system without network connectivity.
Starting the machine before changing the MAC address after replacing the legacy network adapter generates a new MAC address and virtual adapter on the virtual
machine. This must be remedied for the system to work. Change the MAC address to your previously-recorded MAC address and use the normal method to clean up
the ifcfg-eth0 and 70-persistent-nework.rules.
Custom Partitioning
If you customize the partitioning of the hard drive, you must make several choices.
1. Choose Custom Partitioning Installation from the boot screen.

Choose Create custom layout and use the recommended partitioning scheme listed here.
Note: The boot loader, a special program that loads the operating system into memory, is part of any custom partitioning installation.
2. Create custom layout. In this case, there are existing partitions on the disk. Do not delete any partitions. Choose the custom layout selection to add whatever
partitions you want to what is already on the disk.The following table specifies recommended values for custom layout.
Table 1. Recommended
values for custom layout
Partitions Values
/ 25 GB
Swap portion half of RAM

size
/boot 5 GB
/var All the rest
All the available drives are also displayed on this screen. Choose the drive for the partitioning and then installation.
After the partitioning is finished, the GuardiumÂ® system software is installed automatically.
If values are created that exceed the space available on the disk, an error message appears.
Click OK to reboot the system and return to the beginning of Custom Partitioning.
See the Red Hat Enterprise Linux documentation for more information about how the Red Hat distribution handles partitioning.
Note: Non-default partitioned systems - Custom partitioned systems cannot be upgraded using an upgrade patch. Instead, you must use the backup, rebuild, and restore
method. If there is uncertainty regarding the partitioning of systems, download and install Health Check p9997. The resulting patch log contains information regarding

system partitioning.
How to partition with an encrypted LVM

If you want to use an encrypted disk, follow these steps to create an encrypted LVM volume that contains the / and /var logical volumes.
For the encrypted LVM installation, you are asked to enter an encryption key. Then, on EVERY reboot, the user is required to enter this key to unlock the LVM volume (This
means that the user must have console access to the appliance, either physical or remote access).
Important â€“ The encryption key must be safeguarded and retained, as it is impossible to replace if lost.
Note: The boot loader, a special program that loads the operating system into memory, is part of a custom partitioning installation. An example of the password entry
screen is shown near the end of this topic.
1. Insert the IBM Guardium DVD and boot the machine.

2. Choose Custom Partition Installation from the boot screen.
3. Press Enter.
4. Click Remove all partitions and create default layout from the first RedHat Enterprise Linux screen. Also, select the check boxes Encrypt system and Review and
modify partitioning layout.
5. Click Next.
6. A warning notice appears on the following screen, asking if you really want to remove all partitions. Click Yes.
7. Click LogVol00 in the next screen and click Edit to bring up the Edit LVM Volume Group dialog.
8. Click LogVol00 from the list in the previous screen and click Edit.
9. On the next screen, change the size to 10240 and click OK.
10. Click LogVol01 from the list on the next screen and click Edit.
11. Allocate a swap partition that is half as large as the memory that is installed on the system. Specify the size of the swap partition and click OK.
12. Click Add. The Make Logical Volume dialog is displayed.
13. Specify /var as the mount point, and let the system pick the remaining size.
14. Review the sizes of your partitions. Then, click OK.
15. Then click OK from the Edit LVM Volume Group: VolGroup00 dialog.
16. Click Next in the next screen, which will take you to the passphrase dialog.
17. Enter the passphrase of your choice into the Enter passphrase field and enter the identical passphrase into the Confirm passphrase field. Click OK.
Note: The passphrase must be entered each time that the system is booted. There is no way to recover a lost LVM passphrase.
The Bootloader configuration dialog is displayed. When a computer with Red Hat Enterprise Linux is turned on, the operating system is loaded into memory by a
special program that is called a boot loader. A boot loader usually exists on the system's primary hard disk (or other media device) and has the sole responsibility of
loading the Linux kernel with its required files or (in some cases) other operating systems into memory.
In most cases, the default options are acceptable, but depending on the situation, changing the defaults options may be necessary.
18. At this screen, click Next. This starts the encrypted installation.
During the installation and further re-boots, you are asked to enter the LUKS (Linux Unified Key Setup) passphrase for the LVM during boot. After you enter the LUKS
passphrase, the system completes the boot process.
Example of SAN Configuration

This appendix details the steps involved in moving to a command prompt in order to pre-partition a hard drive (as is needed for SAN installation).
First partition space on the SAN storage device, and then install the IBM Security Guardium OS. Choose one hard disk for this installation.
Note: Depending on what SAN hardware is used, specific instructions may be different. Installation on a SAN is supported; installation on a NAS is not supported.
Summary of steps
1. Enter system setup (press F1 on IBMÂ® servers during initial boot) and modify the Start Options to select the appropriate PCI slot to boot from (where the QLogic
Card is).
2. Modify the BIOS for the QLogic card by pressing Ctrl-Q, when the QLogic BIOS is loading, to enable it to be a boot device. Then select the LUN (logical unit number)
of the boot device.
3. Boot from the RedHat 5.8 DVD and enter Rescue mode in order to run fdisk and create partitions on the SAN device using the specifications listed here:
Table 1. Partitions on SAN device
Partitions Space
1 500 MB for /boot
2 Amount of system memory + 4

GB
3 25 GB for /
4 All remaining space for /var

Note: While the RedHat installation process would allow you to create the partitions and load the OS, the system does not boot properly after the installation unless
the partitions are pre-created with fdisk.
4. Proceed with the OS installation utilizing the previously defined partitions (use only the /dev/sda device).
5. Reboot and finish the remaining installation steps (hostname, IP configuration, and so on).
Note:
In the SAN environment, the single LUN is presented to RedHat 5.8 as multiple devices due to redundant paths within the network switch(es) on the SAN. (The SDD
storage was eight devices.)

This is a function of the SAN storage brand/type and how it is configured at each site.
It is very important to only edit the existing partitions that the IBM Guardium installation sees by adding the mount point and setting the file system (ext4 or swap,) and
not changing other settings (such as size) and to unselect all devices other than /dev/sda when selecting which device to load the OS on.
Instructions for running fdisk

Follow these instructions for running fdisk to pre-partition the SAN storage from RedHat rescue mode:
1. Assuming SAN is the only storage attached to the server, type fdisk /dev/sda. Type y if a warning appears regarding working on the whole device.
2. Type n for a new partition.
3. Type pfor a primary partition.
4. Type 1for partition #1.
5. Press Enter to accept the default start location.
6. Type +512M to make partition 1 500MB in size (this will be the /boot partition).
8. Type p for a primary partition.
9. Type 2 for partition #2.
11. Type +12288M to make partition 2 12GB in size (this assumes 8GB of physical RAM). The recommended size is physical RAM + 4GB (this will be the swap partition).
13. Type p for a primary partition.
14. Type 3 for partition #3.
16. Type +10240M to make partition 3 10 GB in size (this will be the / partition).
18. Type p for a primary partition (will default to partition #4).
20. Press Enter to fill to maximum size (this will be the /var partition).
21. Type w to write the partition table to the SAN.
22. Type exit to exit rescue mode and reboot to begin the Custom Partition Installation (Step 3, Install the IBM Security Guardium image).
Examples of screenshots for QLogic setup

The Q-Logic screens used here are representative of the steps needed. Other Fiber Channel cards can be used.
1. Modify the BIOS for the QLogic card by pressing CTRL-D. This is the first screen presented after pressing Ctrl-Q when prompted to enter the Configuration Setup
Utility. This is a two-port card; select the appropriate port and press Enter.
2. Press Enter to change Configuration Settings.
3. Press Enter to change Adapter Settings.
4. Use your arrow keys to select Host Adapter BIOS and press Enter to toggle to Enabled.

5. Press Esc to back up to the previous screen and use the down-arrow to select Selectable Boot Settings and press Enter.
6. Press Enter to change Selectable Boot to Enabled.
7. Select the first Boot Port Name, LUN and press Enter to display a list of LUNs. If you are configuring the proper card/port, the LUN number(s) appear here. Select the
first one in the list.
8. Press Esc until you have backed out to the screen that says Reboot and select it to reboot the system. You are now ready to proceed with the IBM Security
Guardium installation.
Upgrading your Guardium System

Use this information to upgrade your IBM Security Guardium system to the latest V10 offering.
Before beginning an upgrade, review the Planning an upgrade, Choosing an upgrade method, and Mixed-version environments during an upgrade sections.
In addition, the following resource are available to support your upgrade experience::
IBM Security Guardium high-level upgrade roadmap: contains an overview of the supported upgrade paths from various releases of Guardium.
IBM Guardium V10.1 Software Appliance Technical Requirements: describes the hardware requirements for both physical and virtual machine installations.
Hints and tips on upgrading to V10: provides videos with information about upgrade planning, execution, and troubleshooting.
Planning an upgrade
Learn about different upgrade scenarios and identify the correct approach for upgrading your Guardium systems with minimal downtime.
Common upgrade tasks
Tasks such as purging system data, monitoring installations, and cleaning up after an upgrade are common to all Guardium upgrade scenarios.
Upgrading a 32-bit environment
Upgrade your 32-bit Guardium environment without using a backup central manager.

Upgrading your 64-bit Guardium environment without using a backup central manager.
Upgrading a 32-bit environment with a backup central manager
Upgrade your 32-bit Guardium environment using a backup central manager.
Upgrading your 64-bit Guardium environment using a backup central manager.
Planning an upgrade
Learn about different upgrade scenarios and identify the correct approach for upgrading your Guardium systems with minimal downtime.
Choosing an upgrade method

The best approach for upgrading Guardium depends on multiple factors, including the version you are upgrading from, the hardware of your system, and any special
partitioning requirements you may have.
Mixed-version environments during an upgrade
During an upgrade, your Guardium environment will enter a mixed-version state with restricted functionality.
Upgrading with central managers and aggregators
Minimize disruptions to your Guardium environment by following a top-down upgrade approach.
Parent topic: Upgrading your Guardium System
Choosing an upgrade method

The best approach for upgrading Guardium depends on multiple factors, including the version you are upgrading from, the hardware of your system, and any special
partitioning requirements you may have.
Determine your current Guardium version and patch level by clicking the icon in the main user interface and selecting About Guardium.
Upgrade to the latest version of Guardium using one of the following methods:
Upgrade patch
Use an upgrade patch to upgrade all systems in a managed environment. The upgrade patch preserves all data and configurations with the exception of UI
customizations due to a new UI architecture. Using an upgrade patch without defining a backup central manager is recommended for 64-bit environments with
default partitioning.
Backup, rebuild, restore
Use a backup, rebuild, and restore method. This requires taking a full system backup, rebuilding the system from the latest ISO, and restoring system data and
configuration from the backup. Using the backup, rebuild, and restore method with a backup central manager is recommended for 32-bit environments or systems
with custom partitioning.
Important: Custom partitioned systems cannot be upgraded to V10 using an upgrade patch. Instead, you must use the backup, rebuild, and restore method. If there is
uncertainty regarding the partitioning of systems, download and install Health Check p9997. The resulting patch log contains information regarding system partitioning.
Use the following tables to identify the best approach for upgrading your systems to the latest version of Guardium.
Table 1. Determine an upgrade method

Guardium system Upgrade methods for V10
Backup V9, rebuild system to latest V10, restore from V9 backup Apply latest V10 upgrade patch
V9 patch 600 (64-bit) or later Yes Yes
V9 patch 600 (32-bit) or later Yes No
V9.0 below patch 600 Yes No
V8.2 or earlier No No
Table 2. Overview of V10 upgrade paths
Guardium level on current system Upgrade path to the latest V10
V8.2 You cannot upgrade V8.2 systems directly to V10 systems. You must rebuild your appliances with the latest V9 (64-bit)
ISO and then install the latest V9 to V10 upgrade patch.
1. Create V8.2 system backup.

2. Rebuild appliance with the latest V9 (64-bit) ISO.
3. Install V9 patch 600 or later (64-bit) GPU.
4. Restore the system backup from original V8.2 system.
Note: For collectors, upgrade all corresponding S-TAPs to latest V9 before proceeding to the next step.
5. Install Health Check p9997.
6. Create a V9 (64-bit) system backup.
7. Install the latest V9 to V10 upgrade patch.
V9 (32-bit) 1. Create a V9 (32-bit) system backup.

2. Rebuild the appliance with latest V10 (64-bit) ISO.
3. Apply V10 patch 100 or later GPU.
4. Restore the system backup from the original V9 (32-bit) system.

Guardium level on current system Upgrade path to the latest V10
V9 below patch 600 (64-bit) 1. Create a V9 (64-bit) system backup.

2. Install V9 patch 600 or later (64-bit) GPU.
3. Create a V9 (64-bit) system backup.
4. Install Health Check p9997.
V9 patch 600 (64-bit) or later 1. Install Health Check p9997.

2. Create V9 (64-bit) system backup.
V10 1. Apply latest V10 GPU.
Parent topic: Planning an upgrade

Related concepts:
Mixed-version environments during an upgrade

During an upgrade, your Guardium environment will enter a mixed-version state with restricted functionality.
Since the upgrade process cannot be completed on all systems (central managers, aggregators, and collectors) and all S-TAPs simultaneously, your Guardium
environment will enter a mixed-version state during upgrade. For example, after upgrading a central manager to the latest V10, managed units will continue operating at
V9 GPU 600. Although mixed-version environments are supported, several limitations must be considered as part of any upgrade plan. For example, data collection, data
assessment, and policies (with some restrictions) will continue to work while in a mixed state, but functions with new or enhanced capabilities will not work in a mixed
environment.
Important: Upgrade your entire environment to the latest patch level of V10 as soon as possible. Be aware of the following while operating in a mixed-version environment
during upgrade:
Complete Guardium functionality will not be available until the entire environment has been upgraded to the latest V10.
Do not make configuration changes while operating in a mixed-version environment.
Guardium V10 does not support mixed environments with managed units below V9 GPU 600.
Distributing configurations and settings

Configuration distribution is not supported between a V10 central manager and V9 patch 600 or later managed units. This restriction includes the following:
Policies cannot be distributed from a V10 central manager to V9 patch 600 managed units. Policies already installed on the managed units prior to the
upgrade remain unchanged.
Patch backup settings cannot be distributed from a V10 central manager to V9 patch 600 or later managed units. Patch backup settings defined before the
upgrade remain unchanged.
UI layout customization and distribution is not supported on a V10 central manager with V9 (patch 600 or later) managed units.
Managed units
You cannot register additional V9 patch 600 or later managed units after upgrading the central manager to V10. Units registered before the upgrade remain
registered after the upgrade.
Quick search
Quick search for enterprise works in a mixed environment that consists of a V10 central manager and V9 patch 530 or later managed units. The user interface must
be restarted in order to reinitialize quick search for enterprise. Managed units prior to GPU 500 are unable to take advantage of enterprise search, although local
quick search is still available.
If a central manager is upgraded from V9 to the latest V10 and the managed units remain on V9, quick search is disabled on the V9 managed units until the
managed units are upgraded to V10.
Reports
Some reports will result in SQL errors or may not display data correctly when viewed on V9 patch 600 or later managed units, including the following:
Connections Quarantined
Installed Patches
Inactive Inspection Engines
S-TAP Verification
Connection Profiling List
Replay Statistics
Replay Summary
With the exception of Enterprise Buffer Usage Monitor data, data from V9 patch 600 or later managed units is not accessible in the following reports on a V10 central
manager:
Enterprise S-TAP Verification

Enterprise Load Balancing Events
Upgrading with central managers and aggregators

Minimize disruptions to your Guardium environment by following a top-down upgrade approach.

This means first upgrading one high-level system and then upgrading the systems or agents that report to it, then upgrading the next high-level system and the systems or
agents that report to it, and so on. This approach minimizes the impact of operating a mixed-version Guardium environment.
A top-down approach is necessary because an upgraded aggregator can aggregate data from older releases, but an older aggregator cannot aggregate data from newer
releases. Similarly, an upgraded central manager can manage units running older releases, but the managed units will not enjoy full functionality until they are upgraded to
match the central manager.
To avoid these issues, upgrade a central manager before upgrading any of its managed units. If you have multiple central managers, first upgrade one central manager and
then upgrade its managed units before going on to upgrade the next central manager and its managed units.
Similarly, upgrade an aggregator before upgrading any units that export data to it. If you have several aggregators, first upgrade one aggregator and then upgrade the
collectors that report to it before going on to upgrade the next aggregator and its collectors.
Finally, upgrade a collector before upgrading the S-TAPs registered to it. Upgrade one collector and all the S-TAPs registered to it before going on to upgrade the next
collector and its S-TAPs.
This approach provides compatible systems--from central managers to aggregators, collectors, and S-TAPs--in each branch of your environment more quickly than
upgrading all your central managers or aggregators before upgrading any collectors.
Common upgrade tasks

Tasks such as purging system data, monitoring installations, and cleaning up after an upgrade are common to all Guardium upgrade scenarios.
Purge system data

Purging unnecessary data from the Guardium system can significantly speed up the upgrade process.
Patch installation, distribution, and monitoring
Before you begin an upgrade, it is helpful to familiarize yourself with how to upload and install patches, monitor patch installations, and verify that installations are
successful.
Track installation progress with diag
Use the diag command to access the upgrade log and track the progress of an upgrade.
Verify and cleanup after the upgrade
Verify that the upgrade completed successfully and perform post-upgrade maintenance.
Purge system data

Purging unnecessary data from the Guardium system can significantly speed up the upgrade process.
About this task

For best performance and to minimize risks associated with upgrading large amounts of data, try to achieve less than 20% internal database utilization by purging
unnecessary system data.
Procedure
1. Open Manage > Data Management > Data Archive.
2. Click the Purge check box to define a purge operation.
Important: Changes made to the Data Archive purge configuration will also be applied to the Data Export purge configuration.
3. Define a Purge data older than time period. All data older than the specified period of days, weeks, or months will be purged from the system.
4. Click the Allow purge without archiving or exporting check box.
5. Click Save to save the configuration changes.
6. Click Run Once Now to execute the purge operation and purge old system data.
What to do next
Open Manage > Reports > Activity Monitoring > Scheduled Jobs to monitor the status of the data archive job.
Parent topic: Common upgrade tasks
Patch installation, distribution, and monitoring

Before you begin an upgrade, it is helpful to familiarize yourself with how to upload and install patches, monitor patch installations, and verify that installations are
successful.
Install a patch using scp

When upgrading your Guardium environment, there are several ways to upload and install patches on central managers and managed units.
Important: Patches downloaded in ZIP format must be unzipped outside the Guardium system before uploading and installing. Observe the following restrictions for any
patch with database structure changes:
Perform or schedule the patch installation during quiet time on the Guardium system to avoid conflicts with long-running processes such as heavy reports, audit
processes, backups, and imports.
To upload and install a patch using scp, issue the following CLI command: store system patch install scp

When the upload completes, you are automatically prompted to continue with the patch installation.
Install a patch using fileserver

To upload and install a patch using the Guardium fileserver:
1. Initialize the fileserver using the following CLI command: fileserver [ip_address] where [ip_address] is the system being used to connect to the Guardium
system.
2. From a web browser, connect to the Guardium system.
a. Click Upload Patch.
b. Browse to select the patch file and then click Upload.
3. Issue the following CLI command to install the patch: store system patch install system.
Distribute a patch
To distribute a patch from a central manager to managed units, one of the following must have taken place:
The patch is installed on the central manager

The patch has been made available on the central manager by running the following CLI command: store system patch available
Distribute the patch to managed units using the Central Management page on the central manager. Navigate to Manage > Central Management > Central Management and
click Patch Distribution.
Monitor and verify patch installation

You can monitor and verify the installation of patches in the following ways:
Issue the following CLI command: show system patch install.

Use the Central Management page on the CM: Manage > Central Management > Central Management > Patch Installation Status.
Important: V9 patches will not available after the Guardium system is upgraded to V10.
Track installation progress with diag

Use the diag command to access the upgrade log and track the progress of an upgrade.
Procedure
1. Log in to the Guardium system CLI.
2. Issue the diag command.
3. From the diag command menu:
a. Select 1 Output management and click OK.
b. Select 3 Export recorded files and click OK.
c. Choose the log files you need and click OK.
d. Select 1 FTP or 2 SCP and click OK.
e. Input the host name that you want to upload to and click OK.
f. Input the user name and click OK.
g. Input the password and click OK.
Note: If 2 SCP is chosen, the destination path is asked for before the password.
h. Input the destination path and click OK.
i. Check the information and click OK. The file uploads to the target system.
j. Select OK to exit.
k. Select 3 Exit and click OK.
Note: Return to 3a if you need to upload another file; otherwise, proceed to the next step.
l. Select 5 Exit to CLI and click OK.
Verify and cleanup after the upgrade

Verify that the upgrade completed successfully and perform post-upgrade maintenance.
Procedure
1. If you upgraded using an upgrade patch, log in as the CLI user and issue the following command: show upgrade-status. The command will output detailed
status information from the upgrade process, and the last line of output should indicate INFO:Migration Complete.
2. If you upgraded a central manager, verify that managed units are listed on the Manage > Central Management > Central Management page.
3. Verify that custom reports created in previous versions of Guardium are available at Reports > My Custom Reports.
My Custom Reports should contain any new reports that you created as well as any predefined reports that you modified in a previous version of Guardium.
4. Refresh all managed units on the Central Management page so you can distribute the licenses down to the upgraded MUs.
5. You may need to update the Guardium DPS file after upgrade or restore procedures. Download the latest DPS file, then use the Harden > Vulnerability Assessment >
Customer Uploads tool to upload and import the new DPS file.
6. Company logos uploaded before upgrade or restore procedures may need to be reloaded. To reload a customer logo, follow these steps:
a. Log in as an admin user.
b. Navigate to Setup > Tools and Views > Global Profile.
c. Browse for the company logo file.
d. Upload the logo file.

7. Verify the status of the Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) services using the CLI commands show gui csrf_status and show gui
xss_status.

Upgrade your 32-bit Guardium environment without using a backup central manager.
Before upgrading your 32-bit Guardium environment via the ISO without using a backup central manager, review the following checklist and complete each item before
attempting the upgrade.
Important: Before performing restore db on a V10 system, apply the latest maintenance patches after your system has been built to V10. If you are using a 32-bit
collector-based central manager, you must rebuild it to a 64-bit collector-based central manager before upgrading to V10.
Upgrade checklist
Download latest health check patch (p9997) from Fix Central. For more information, see: Guardium health check patch release notes.
Current systems must be at Guardium V9 and have 32-bit architecture.
Download the latest Guardium V9 release or get it later from Fix Central [optional].
Download the latest Guardium V10 ISO from Passport Advantage
Download all base and append licenses from Passport Advantage
Download the latest V10 GPU from Fix Central, if one is available
Record all network configuration parameters returned by the following Guardium CLI commands:

show network route defaultroute
show network resolver 1
show system domain
1. Upgrading a 32-bit central manager

When upgrading your 32-bit Guardium environment, follow these steps to run the health check patch and upgrade a central manager using a backup, rebuild, and
restore procedure.
2. Upgrade 32-bit managed units
Upgrade 32-bit managed units using a backup, rebuild, and restore procedure.

Related concepts:
Planning an upgrade
Upgrading a 32-bit central manager

When upgrading your 32-bit Guardium environment, follow these steps to run the health check patch and upgrade a central manager using a backup, rebuild, and restore
procedure.
Before you begin

Complete the upgrade checklist in Upgrading a 32-bit environment.
Procedure
1. Upgrade the system to V9 patch 600 or later.
2. Set the time to the local time zone and synchronize time across all Guardium systems using an NTP server.
3. Download and install the latest health check patch (p9997) and verify that the installation was successful. See Patch installation, distribution, and monitoring for
instructions.
4. Take a system backup of the central manager and verify that it was successful.
a. Navigate to Manage > Data Management > System Backup.
b. Configure the protocol based on your preferences and fill in all fields.
c. Back up both configuration and data.
Important: Create at least one valid backup before beginning the upgrade procedure.
5. Mount the latest Guardium V10 ISO.
a. Select a system type within the first five seconds of entering the Guardium installer. The default selection is Standard Installation (non CM) with a unit type of
standalone collector. When upgrading a central manager or an aggregator, select Aggregator.
b. Allow the installation to complete and the system to reboot.
6. Configure network parameters. Log into the Guardium CLI and issue the following commands:
store network interface ip

store network route defaultroute
store network resolver 1
store system hostname
store system domain
7. Log into the Guardium user interface and validate the default components.
Note: If logging in for the first time, the default password is guardium.
a. Verify that only the Welcome and Setup navigation items are visible.
b. Navigate to Setup > Tools and Views > License or click the icon to verify that no licenses are installed on the system.
8. Install licenses.
a. Navigate to the license page by following the notification link or selecting Setup > Tools and Views > License.
b. Apply all relevant base and append licenses, and accept the license agreements.

c. If necessary, change the system unit type by logging into the CLI and issuing the following CLI command: store unit type <type> where <type> is
manager, standalone, netinsp, mainframe, sink, or stap.
9. Install the latest V10 GPU (if newer than the latest V10 ISO) and the latest maintenance patches on the central manager, and verify that they have installed
successfully.
10. Restore data and configurations on the central manager.
a. Issue the following Guardium CLI command to import the backup files: import file.
b. Import the data and configuration files separately.
c. Perform the data and configuration restore by issuing the following CLI command: restore db-from-prev-version.
Tip: The restore db log can be accessed by running the diag CLI command. See Track installation progress with diag for more information.
11. After restoring data and configurations to the central manager, verify that all relevant managed units information is displayed on the Central Management page.
12. Validate that the managed environment is functioning as expected.
a. Verify that custom reports were restored
b. Verify that managed units appear online and are accessible from the Central Management page
Attention: Be aware of expected limitations when operating in a mixed environment. For more information, see Mixed-version environments during an upgrade.
What to do next
After successfully upgrading your 32-bit Guardium central manager, Upgrade 32-bit managed units.
Parent topic: Upgrading a 32-bit environment
Next topic: Upgrade 32-bit managed units
Upgrade 32-bit managed units

Before you begin

Before upgrading 32-bit managed units, review and complete the following tasks:

Important: You must upgrade your environment to V9 patch 600 or later before upgrading to the latest V10.
Procedure
1. Distribute the latest health check patch (p9997) to managed units and verify that it installed successfully. See Patch installation, distribution, and monitoring for
more information.
2. Take system backups of all managed units.
3. Rebuild the managed units using the following procedure:
a. Mount the latest Guardium V10 ISO image.
b. Select a system type within five seconds of entering the Guardium installer. Use the default selection of Standard Installation (non CM) with a unit type of
standalone collector, or allow for an automatic boot.
c. Allow the installation to complete and the system to reboot.

store system domain
5. Log into the Guardium user interface and verify that no licenses are installed on the system.
Tip:
If logging in for the first time, the default password is guardium.
If you are working with a standalone system that will eventually become a managed unit, there is no need to install licenses.
a. On the main Guardium navigation, verify that only the Welcome and Setup navigation items are available.
6. Restore data and configuration on the managed units.
Note: When restoring a managed unit from a backup, any custom layouts for that managed unit will be lost if the central manager is down at the time of the restore.
7. Once all managed units have been successfully upgraded, distribute licenses from the central manager to the managed units.
a. Log into the user interface of the central manager.
b. Navigate to Central Management > Manage > Central Management and verify that the managed units are listed.
c. Click the Select all check box to select all managed units.
d. Click the Refresh button to distribute licenses to the managed units.
e. Wait until the refresh process completes.
f. Log into the user interface of the managed units and navigate to Setup > Tools and Views > License to verify that the correct licenses have been installed.
When the correct licenses have been installed:
The expected navigation menu options will now be available on the managed units.
Reports on the managed units will be functional.
Reports will be accessible via remote data sources from the central manager.
8. If the latest Guardium V10 GPU (if newer than the latest V10 ISO) and maintenance patches were installed on the central manager, distribute the GPU and
maintenance patches to the managed units.
9. If you use VMware Tools, you must reinstall them after completing the upgrade. To reinstall VMware Tools, log into the Guardium CLI, issue the following command,
and follow the prompts: setup vmware_tools install.

Results
You have successfully completed an upgrade of your 32-bit Guardium environment to the latest V10. Please verify the stability of your Guardium environment.
Previous topic: Upgrading a 32-bit central manager

Upgrading your 64-bit Guardium environment without using a backup central manager.
Before upgrading your 64-bit Guardium environment via the ISO without using a backup central manager, you review the following checklist below and complete each
item before attempting the upgrade.
collector-based central manager, the upgrade patch will handle the upgrade and convert the system from a collector-based central manager to an aggregator-based
central manager.
Upgrade checklist
Current systems must be at V9 patch 600 or above and have 64-bit architecture
Download upgrade patch p10000
Download the latest maintenance patches from Fix Central
For contingency planning, download the following:
All required base and append licenses.

The latest V10 ISO from Passport Advantage.
1. Upgrading a 64-bit central manager

When upgrading your 64-bit Guardium environment, follow these steps to run the health check patch and upgrade a central manager.
Upgrade 64-bit managed units using an upgrade patch.

Related concepts:
Planning an upgrade

When upgrading your 64-bit Guardium environment, follow these steps to run the health check patch and upgrade a central manager.
Before you begin

Complete the upgrade checklist in Upgrading a 64-bit environment.
Procedure
instructions.
4. Take a system backup of the central manager and verify that it was successful.
c. Back up both configuration and data.
5. Install p10000 on the central manager and monitor its installation.
Important: After the patch installation completes, the upgrade process automatically begins and the system is rebooted. Do not reboot the system manually.
6. Allow the operating system installation to complete.
Installation time depends on the amount of data involved as well as system specifications and configuration
Once the operating system installation has completed, the system reboots into the latest Guardium V10 for the first time.
Attention: After you successfully install the latest V10, the first boot into your system is followed by:
Network configuration, database data migration, database start up.
License upgrade, PSML upgrade, language setting.
Database restart, certificate and key migration, password migration, and file clean-up.
7. Confirm that the central manager has been successfully upgraded:
a. Log in to the Guardium CLI. If the CLI enters recovery mode, the upgrade is still in progress.
b. Issue the following CLI command: show upgrade-status The command can also be issued from the CLI recovery mode.
c. Verify that the last line in the output reads: 5.0:INFO:Migration Complete
d. If you are still in the CLI recovery mode, exit the CLI and log back in to enter the normal Guardium CLI mode.
e. Issue the following CLI command:show system patch install
f. Verify that p10000 status is the following:Phase 5: Migration completed
8. Log into the Guardium user interface and accept license agreements to enable product features.
b. Accept the base license agreement.
c. Accept all applicable append license agreements.
Note: Skipping this step prevents Guardium features from being enabled.

9. Validate that the managed environment is functioning as expected by verifying that the managed units appear online and are accessible from the Central
Management page.
Attention: Be aware of expected limitations when operating in a mixed environment. For more information, see Mixed-version environments during an upgrade.
10. Install the latest maintenance patches on the central manager and verify that they have installed successfully.
What to do next
After successfully upgrading your 32-bit Guardium central manager, Upgrade 64-bit managed units.

Before you begin

Before upgrading 64-bit managed units using an upgrade patch, review and complete the following tasks:

Procedure
more information.
3. Distribute the p10000 upgrade patch to all managed units and monitor the patch installation. Read Patch installation, distribution, and monitoring for more
information.
Attention: After the patch installation completes, the upgrade process automatically begins and the system is rebooted. Do not reboot the system manually.
The time required for upgrade depends on the amount of data involved as well as system specifications and configuration. When the upgrade is complete and the
system reboots, the first boot of the upgraded system is followed by:
During this process, you will be unable to log in to upgraded managed units until the database migration completes.
4. Verify that the upgrade process has completed successfully on each managed unit.
a. Log in to the Guardium CLI of the system being upgraded. If the CLI enters recovery mode, the upgrade is still in process.
b. Issue the following CLI command: show upgrade-status. This command can also be issued from the CLI in recovery mode.
c. Verify that the last line of output reads: 5.0:INFO:Migration Complete.
d. If you are in CLI recovery mode, exit the CLI and log back in to enter the CLI mode.
e. Issue the following CLI command: show system patch install.
Attention: show system patch install will not return results until the upgrade completes after the first reboot.
f. Verify that the upgrade patch installation status read: Phase 5: Migration completed.
6. If the latest V10 GPU and maintenance patches were installed on the central manager, distribute the GPU and maintenance patches to the managed units.
Results
You have successfully completed an upgrade of your 64-bit Guardium environment to the latest V10. Please verify the stability of your Guardium environment.
Previous topic: Upgrading a 64-bit central manager

Upgrade your 32-bit Guardium environment using a backup central manager.
Before upgrading your 32-bit Guardium environment using a backup central manager, review the following checklist and complete each item before attempting the
upgrade.
collector-based central manager, you must rebuild it to a 64-bit collector-based central manager before upgrading to V10.
Upgrade checklist

Identify and record all managed units defined in the current environment.
Current systems must be at Guardium V9 and have 32-bit architecture.
Download the latest Guardium V10 ISO from Passport Advantage
Download all base and append licenses from Passport Advantage
Download the latest V10 GPU from Fix Central, if one is available
Record all network configuration parameters returned by the following Guardium CLI commands:

show network route defaultroute
show network resolver 1
show system domain
1. Upgrading a 32-bit backup central manager

When upgrading your 32-bit Guardium environment, follow these steps to run the health check patch and upgrade a backup central manager using a backup,
rebuild, and restore procedure.
2. Upgrade old 32-bit primary central manager
When working with a backup central manager, follow these procedures to upgrade your old 32-bit primary central manager using a backup, rebuild, and restore
procedure.

Related concepts:
Planning an upgrade
Upgrading a 32-bit backup central manager

When upgrading your 32-bit Guardium environment, follow these steps to run the health check patch and upgrade a backup central manager using a backup, rebuild, and
restore procedure.
Before you begin

Complete the upgrade checklist in Upgrading a 32-bit environment with a backup central manager.
Procedure
instructions.
Important: You will need to install the latest health check patch (p9997) on both the primary central manager and backup central manager candidate before
designating a backup central manager.
4. Define a backup central manager.
a. Navigate to the Central Management page on the primary central manager.
b. Select a managed aggregator.
c. Verify that the primary central manager and the backup central manager candidate have the same patches installed.
d. Designate the aggregator as a backup central manager.
e. Verify that the cm_sync_file.tgz file has been created by checking the Aggregation/Archive Log on the primary central manager.
5. Take a system backup of the backup central manager and verify that it was successful.
c. Be sure to backup both configuration and data.
6. Rebuild the backup central manager using the latest V10 ISO.
a. Mount the latest V10 ISO.
b. Select a system type within the first five seconds of entering the Guardium installer. The default selection is Standard Installation (non CM) with a unit type of
standalone collector.
7. Allow the installation to complete and the system to reboot.

store system domain
9. Log into the Guardium user interface and validate the default components.
Note: If logging in for the first time, the default password is guardium.
a. Verify that only the Welcome and Setup navigation items are visible.
10. Install the license.
a. Navigate to the license page by either following the link in the notification or selecting Setup > Tools and Views > License.
b. Apply all relevant base and append licenses, and accept the license agreements.
11. Install the latest V10 GPU (if newer than the latest V10 ISO) and the latest maintenance patches on the central manager, and verify that they have installed
successfully.
12. Set the shared secret on the backup central manager by using either the CLI command store system shared secret or by navigating to Setup > Tools and
Views > System.
13. Restore data and configurations on the central manager.

Tip: The restore db log can be accessed by running the diag CLI command. See Track installation progress with diag for more information.
14. From the primary central manager, verify that the V10 backup central manager is available and online. Identify and record the number of managed units reporting to
the primary central manager (this information is used after transitioning to the backup central manager).
Important: The backup central manager (now running the latest Guardium V10) may show a red status light. This happens when the central manager sends a V9
signal to a V10 system and fails, and you can still promote the server as long as the backup central manager sync file is present on your backup central manager. Do
not attempt a refresh.
15. Verify that the cm_sync_file.tgz file has completed at least two successful transfers from the primary central manager to the backup central manager by checking
the Aggregation/Archive Log on the primary central manager. The transfers should occur at 30-minute intervals.
16. Make the backup central manager the primary central manager. You may encounter the following message after logging into the backup central manager:
The central manager version is lower than the version of this managed unit. Functionality is limited until the version
mismatch is corrected.
a. Navigate to Setup > Central Management.

b. Click Make Primary CM. If you do not see this option, verify that the cm_sync_file was transferred successfully.
c. Answer Yes to the message: Are you sure you want to make this unit the primary CM?
d. Click Close on the pop-up-message: The change will take a few minutes and would require a GUI restart. You will be logged off when the GUI restart is
performed. The progress icon is displayed on the user interface page.
Note: During the conversion process, the Guardium user interface is temporarily unavailable. After the process completes, the login screen returns to normal.
17. Transition the managed units to the new primary central manager. This might take some time to complete. Using an SSH client, connect to the new primary central
manager to view the results log.
a. Initialize the fileserver using the following command: fileserver [ip_address] [duration]
b. From a web browser, connect to the new primary central manager.
c. View the load_secondary_cm_sync_file.log file to see the progress. The file is located in the gim-snif-guard-logs directory.
d. When you see the final line Import CM sync info done, the process has finished successfully.
e. At this point, the user interface refreshes and you will see the login page.
f. Wait until the top of the hour for the process to complete as the managed units begin transitioning to the new primary central manager.
18. Log into the Guardium user interface and complete the following steps:.
a. Verify that managed units are now managed by the new primary central manager.
b. Verify that all managed units have been transitioned except for the old primary central manager.
What to do next
After successfully upgrading your backup central manager and transitioning managed units, Upgrade old 32-bit primary central manager.
Parent topic: Upgrading a 32-bit environment with a backup central manager
Next topic: Upgrade old 32-bit primary central manager
Upgrade old 32-bit primary central manager

When working with a backup central manager, follow these procedures to upgrade your old 32-bit primary central manager using a backup, rebuild, and restore procedure.
Before you begin

Once your backup central manager has become your new primary central manager, you can upgrade your old primary central manager to the latest Guardium V10. Before
upgrading your old primary central manager, review and complete the following tasks:

Procedure
1. Reconfigure the old primary central manager by issuing the following CLI command: delete unit type manager. Before continuing, verify that the old primary
central manager is now a standalone aggregator.
2. Take a system backup from the old primary central manager. Include both data and configuration in the backup.
3. Rebuild the old primary central manager using the following procedure:
b. Select a system type within five seconds of entering the Guardium installer. When working with an old primary central manager, select Aggregator.

store system domain
Tip:
6. If the latest V10 GPU (if newer than the latest V10 ISO) and maintenance patches were installed on the old backup central manager prior to converting it to a
primary central manager, install the same GPU and maintenance patches on the old primary central manager.
7. Restore data and configuration on the old primary central manager.

8. Set the shared secret on the old primary central manager by navigating to Setup > Tools and Views > System.
9. Register the old primary central manager (the system you have just upgraded) to the new primary central manager.
10. Define a new backup central manager.
a. Navigate to Manage > Central Management > Central Management on the new primary central manager.
b. Select the old primary central manager.
c. Designate the old primary central manager as the new backup central manager.
d. Wait for at least one backup synchronization to complete. The first backup synchronization should take place within one hour.
e. Verify that the cm_sync_file.tgz file has been created by checking the Aggregation/Arcive log on the new primary central manager.
11. Optionally revert to the original managed environment configuration by redefining the new backup central manager as the primary central manager.
a. Answer Yes to the message: Are you sure you want to make this unit the primary CM?
b. Click Close on the Information pop-up message. The progress icon is displayed on the user interface page.
Attention: The user interface will be temporarily unavailable during the conversion process. When the process completes, the login screen will return to
normal.
12. Transition the managed units to the new primary central manager. This process may take some time to complete. Using an SSH client, connect to the new primary
central manager to view the results log.
f. Wait five minutes for the process to complete as the managed units begin transitioning to the new primary central manager.
13. Navigate to Manage > Central Management > Central Management and verify that all managed units are green and are now managed by the original primary central
manager. The original backup central should not appear in the list of managed units unless it has been reconfigured as a backup central manager.
What to do next
Now that you have upgraded your central manager and backup central manager, Upgrade 32-bit managed units.
Previous topic: Upgrading a 32-bit backup central manager

Before you begin

Before upgrading 32-bit managed units, review and complete the following tasks:

Procedure
more information.
3. Rebuild the managed units using the following procedure:
b. Select a system type within five seconds of entering the Guardium installer. Use the default selection of Standard Installation (non CM) with a unit type of
standalone collector, or allow for an automatic boot.

store system domain
Tip:
6. Restore data and configuration on the managed units.
Note: When restoring a managed unit from a backup, any custom layouts for that managed unit will be lost if the central manager is down at the time of the restore.

Results
You have successfully completed an upgrade of your 32-bit Guardium environment to the latest V10 using a backup central manager. Please verify the stability of your
Guardium environment.
Previous topic: Upgrade old 32-bit primary central manager

Upgrading your 64-bit Guardium environment using a backup central manager.
Before upgrading your 64-bit Guardium environment using a backup central manager, review the following checklist and complete each item before attempting the
upgrade.
collector-based central manager, the upgrade patch will handle the upgrade and convert the system from a collector-based central manager to an aggregator-based
central manager.
Upgrade checklist
Identify and record all managed units defined in the current environment.
Current systems must be at V9 patch 600 or above and have 64-bit architecture
Download upgrade patch p10000
Download the latest maintenance patches from Fix Central
1. Upgrading a 64-bit backup central manager

When upgrading your 64-bit Guardium environment, follow these steps to run the health check patch and upgrade a backup central manager using a backup,
rebuild, and restore procedure.
2. Upgrade old 64-bit primary central manager
When working with a backup central manager, follow these procedures to upgrade your old 64-bit primary central manager using an upgrade patch.

Related concepts:
Planning an upgrade

When upgrading your 64-bit Guardium environment, follow these steps to run the health check patch and upgrade a backup central manager using a backup, rebuild, and
restore procedure.
Before you begin

Complete the upgrade checklist in Upgrading a 64-bit environment with a backup central manager.
Procedure
instructions.
Important: You will need to install the latest health check patch (p9997) on both the primary central manager and backup central manager candidate before
designating a backup central manager.
4. Define a backup central manager.
a. Navigate to the Central Management page on the primary central manager.
b. Select a managed aggregator.
c. Verify that the primary central manager and the backup central manager candidate have the same patches installed.
d. Designate the aggregator as a backup central manager.
e. Verify that the cm_sync_file.tgz file has been created by checking the Aggregation/Archive Log on the primary central manager.
5. Take a system backup of the backup central manager and verify that it was successful.
c. Be sure to backup both configuration and data.
6. Install p10000 on the central manager and monitor its installation.

Important: After the patch installation completes, the upgrade process automatically begins and the system is rebooted. Do not reboot the system manually.
7. Allow the operating system installation to complete.
Installation time depends on the amount of data involved as well as system specifications and configuration
Once the operating system installation has completed, the system reboots into the latest Guardium V10 for the first time.
Attention: After you successfully install the latest V10, the first boot into your system is followed by:
8. Confirm that the backup CM upgrade has completed successfully using the following steps
a. Log in to the CLI.
b. Issue the following CLI command: show upgrade-status
c. Verify that the last line in the output reads: 5.0:INFO:Migration Complete
d. Issue the following CLI command:show system patch install
e. Verify that p10000 status is the following:Phase 5: Migration completed
9. Install the latest maintenance patches on the central manager and verify that they have installed successfully.
10. Verify that the primary central manager still sees the upgraded backup central manager.
Important: The backup central manager (now running the latest Guardium V10) may show a red status light. This happens when the central manager sends a V9
signal to a V10 system and fails, and you can still promote the server as long as the backup central manager sync file is present on your backup central manager. Do
not attempt a refresh.
11. Verify that the cm_sync_file.tgz file has completed at least two successful transfers from the primary central manager to the backup central manager by checking
the Aggregation/Archive Log on the primary central manager. The transfers should occur at 30-minute intervals.
12. Make the backup central manager the primary central manager. You may encounter the following message after logging into the backup central manager:
The central manager version is lower than the version of this managed unit. Functionality is limited until the version
mismatch is corrected.
a. Navigate to Setup > Central Management.

b. Click Make Primary CM. If you do not see this option, verify that the cm_sync_file was transferred successfully.
c. Answer Yes to the message: Are you sure you want to make this unit the primary CM?
d. Click Close on the pop-up-message: The change will take a few minutes and would require a GUI restart. You will be logged off when the GUI restart is
performed. The progress icon is displayed on the user interface page.
Note: During the conversion process, the Guardium user interface is temporarily unavailable. After the process completes, the login screen returns to normal.
13. Transition the managed units to the new primary central manager. This might take some time to complete. Using an SSH client, connect to the new primary central
manager to view the results log.
f. Wait until the top of the hour for the process to complete as the managed units begin transitioning to the new primary central manager.
14. Log into the Guardium user interface and accept license agreements to enable product features.
b. Accept the base license agreement.
c. Accept all applicable append license agreements.
Note: Skipping this step prevents Guardium features from being enabled.
15. Navigate to the Central Management page and ensure that managed units are now managed by the new primary central manager. The old primary central manager
should not appear in the list of managed units.
What to do next
After successfully upgrading your backup central manager and transitioning managed units, Upgrade old 64-bit primary central manager.
Next topic: Upgrade old 64-bit primary central manager

When working with a backup central manager, follow these procedures to upgrade your old 64-bit primary central manager using an upgrade patch.
Before you begin

Once your backup central manager has become your new primary central manager, you can migrate your old primary central manager to the latest Guardium V10. Before
upgrading your old primary central manager, review and complete the following tasks:

Procedure
1. Reconfigure the old primary central manager by issuing the following CLI command: delete unit type manager. Before continuing, verify that the old primary
central manager is now a standalone aggregator.
2. Take a system backup from the old primary central manager. Include both data and configuration in the backup.
3. Upgrade the old primary central manager using the p10000 upgrade patch and monitor the patch installation. Read Patch installation, distribution, and monitoring
for more information.

4. Verify that the upgrade process has completed successfully on the old primary central manager.
5. If the latest V10 GPU (if newer than the latest V10 ISO) and maintenance patches were installed on the old backup central manager prior to converting it to a
primary central manager, install the same GPU and maintenance patches on the old primary central manager.
6. Set the shared secret on the old primary central manager by navigating to Setup > Tools and Views > System.
7. Register the old primary central manager (the system you have just upgraded) to the new primary central manager.
8. Define a new backup central manager.
a. Navigate to Manage > Central Management > Central Management on the new primary central manager.
b. Select the old primary central manager.
c. Designate the old primary central manager as the new backup central manager.
d. Wait for at least one backup synchronization to complete. The first backup synchronization should take place within one hour.
e. Verify that the cm_sync_file.tgz file has been created by checking the Aggregation/Arcive log on the new primary central manager.
9. Optionally revert to the original managed environment configuration by redefining the new backup central manager as the primary central manager.
a. Answer Yes to the message: Are you sure you want to make this unit the primary CM?
b. Click Close on the Information pop-up message. The progress icon is displayed on the user interface page.
Attention: The user interface will be temporarily unavailable during the conversion process. When the process completes, the login screen will return to
normal.
10. Transition the managed units to the new primary central manager. This process may take some time to complete. Using an SSH client, connect to the new primary
central manager to view the results log.
f. Wait five minutes for the process to complete as the managed units begin transitioning to the new primary central manager.
11. Navigate to Manage > Central Management > Central Management and verify that all managed units are green and are now managed by the original primary central
manager. The original backup central should not appear in the list of managed units unless it has been reconfigured as a backup central manager.
What to do next
Now that you have upgraded your central manager and backup central manager, Upgrade 64-bit managed units.
Previous topic: Upgrading a 64-bit backup central manager

Before you begin

Before upgrading 64-bit managed units using an upgrade patch, review and complete the following tasks:

Procedure
more information.
3. Transfer the p10000 upgrade patch to the central manager and make it available to the managed units.
a. Transfer the upgrade patch to the central manager. Read Patch installation, distribution, and monitoring for more information.
b. Make the upgrade patch available to the managed units by issuing the following CLI command from the central manager: show system patch available.
4. Distribute the p10000 upgrade patch to all managed units and monitor the patch installation. Read Patch installation, distribution, and monitoring for more
information.
5. Verify that the upgrade process has completed successfully on each managed unit.

Results
You have successfully completed an upgrade of your 64-bit Guardium environment to the latest V10 using a backup central manager. Please verify the stability of your
Guardium environment.
Previous topic: Upgrade old 64-bit primary central manager
CLI and API

The GuardiumÂ® command line interface (CLI) is an administrative tool that allows for configuration, troubleshooting, and management of the Guardium system. The
Guardium application programming interface (API) provides access to many Guardium functions from the command line.
CLI Overview
The Guardium command line interface (CLI) is an administrative tool that allows for configuration, troubleshooting, and management of the Guardium system.
GuardAPI Reference
GuardAPI provides access to Guardium functionality from the command line.
CLI Overview
The GuardiumÂ® command line interface (CLI) is an administrative tool that allows for configuration, troubleshooting, and management of the Guardium system.
Documentation Conventions
All CLI command examples are written in courier text (for example, show system clock).
To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command arguments are mandatory, and in what
context. Each syntax description shows the dependencies between the command arguments by using special characters:
The < and > symbols denote a required argument.

The [ and ] symbols denote an optional argument.
The | (vertical bar) symbol separates alternative choices when only one can be selected. Â For example:
store full-bypass <ON | OFF>
CLI Command Usage

Commands and keywords can be abbreviated by entering enough characters so the commands are not ambiguous. For example, show can be abbreviated sho.
Most Guardium CLI commands consist of a command word followed by one or more arguments. The argument may be a keyword or a keyword followed by a
variable value (for example an IP address, subnet mask, date, etc.
Commands and keywords are not case sensitive, but element names are.
To display command syntax and usage options, enter a question mark (?) as an argument following the command word.
Use quotation marks around words or phrases to precisely define search terms.
Accessing the CLI

An administrator can access the CLI though:
A physically connected PC console or serial terminal OR

A network connection using an SSH client
Physical Console Access

Interactive access to the Guardium appliance is through the serial port or the system console.
PC keyboard and monitor â€“ A PC video monitor can be attached to either the front panel video connector or the video connector on the back of the appliance.
A PC keyboard with a PS/2 style connector can be attached to the PS/2 connector on the back of the appliance. Alternatively, a USB keyboard can be connected to the USB
connectors located at the front or back of the appliance.
Serial port access â€“ Using a NULL modem cable, connect a terminal or another computer to the 9-pin serial port at the back of the appliance. The terminal or a terminal
emulator on the attached computer should be set to communicate as 19200-N-1 (19200 baud, no parity, 1 stop bit).

A login prompt displays once the terminal is connected to the serial port, or the keyboard and monitor are connected to the console. Enter cli as the user name, and
continue with CLI Login.
Network SSH Access

Remote access to the CLI is available on the management IP address or domain name, using an SSH client. SSH clients are freely or commercially available for most
desktop and server platforms. A Unix SSH connect command to log in as the cli user might look like this:
ssh â€“l cli 192.168.2.16
The SSH client may ask you to accept the cryptographic fingerprint of the Guardium appliance. Accept the fingerprint to proceed to the password prompt.
Note: If, after the first connection, you are asked again for a fingerprint, someone may be trying to induce you to log into the wrong machine.
CLI Login
Access to the CLI is either through the admin CLI account cli or one of the five CLI accounts (guardcli1,...,guardcli5). The five CLI accounts (guardcli1,...,guardcli5) exist to
aid in the separation of administrative duties.
Access to the GuardAPI, which is a set of CLI commands to aid in the automation of repetitive tasks, requires the creation of a user (GUI username/guiuser) by access
manager and giving those accounts either the admin or cli role. Proper login to the CLI for the purpose of using GuardAPI requires the login with one of the five CLI
accounts (guardcli1,...,guardcli5) and an additional login with guiuser by issuing the 'set guiuser' command. See GuardAPI Reference Overview or Â Set guiuser
Authentication for additional information.
Password Hardening
In order to meet various auditing and compliancy requirements the following password enforcements will be in effect for CLI accounts:
For the account cli either use the cli password supplied or be sure to set a strong password to protect this account. If you have just rebuilt the system from an
installation DVD, the Guardium cli user has a default password of guardium. You should change that password immediately.
Enforcement of an expiration period for the CLI and five CLI accounts where the default is 90 days. When a password expires a required change of password will be
invoked during the login process.
Passwords must be a minimum of eight characters in length.
Passwords must contain at least one character from three of the following four classes
Any upper-case letter
Any lower-case letter
Any numeric (0,1,2,...)
Any non-alphanumeric (special) character
Once access is granted through the use of a separate GUI username (guiuser) the CLI audit trail will show the CLI_USER+GUI_USER pair used for login.
CLI users cannot be authenticated through LDAP as these are considered administrative accounts and should be able to login regardless of connectivity to an LDAP
server
Limited CLI commands during maintenance of internal database

CLI has three sets of commands - general commands, specialized support commands, and recovery commands. Support commands are to used by Technical Support to
analyze the system. Recovery commands are to recover the system when the database is down.
The initial CLI login is:
Welcome to CLI - your last login was <date>
The welcome message will add further information if the internal database is down due to maintenance or during an upgrade.
If this is the case, the number of CLI commands available will be limited.
The internal database on the appliance is currently down and CLI will be working
in "recovery mode"; only a limited set of commands will be available.
The CLI commands that available for use during recovery mode are as follows:

restart mysql
restart stopped_services
restart system
restore pre-patch-backup
restore system
Aggregator CLI Commands

This section list Aggregator CLI commands.
Alerter CLI Commands
This section list Alerter CLI commands.
Certificate CLI Commands
Use the certificate commands to create a certificate signing request (CSR), and to install server, CA (certificate authority), or trusted path certificates on the
Guardium system.
Configuration and Control CLI Commands
Use the following CLI commands for configuration and control.
diag CLI command
Use these CLI command to access troubleshooting and maintenance utilities through diag.
File Handling CLI Commands
Use these commands to backup and restore system information. Many of these tasks can be performed from Guardium user interface.
Inspection Engine CLI Commands
Use these CLI commands to configure the inspection engines.
Use these CLI commands to configure the Investigation Dashboard .

Network Configuration CLI Commands
Use the network configuration CLI commands to set IP addresses, handle bonding/failover, handle secondary functionality, and reset networking.
Support CLI Commands
The following CLI commands are to be used only with the direction of Technical Support.
System CLI Commands
Use these CLI commands to configure system settings.
User Account, Password and Authentication CLI Commands
Use these CLI commands to configure user accounts, passwords and authentication.
Parent topic: CLI and API

Aggregator CLI Commands

This section list Aggregator CLI commands.
aggregator backup keys file

Use this command to back up the shared secret keys file to the specified location.
Syntax
aggregator backup keys file <user@host:/path/filename>
Parameters
user@host:/path/filename For the file transfer operation, specifies a user, host, and full path name for the backup keys file. The user you specify must have the authority to
write to the specified directory.
Note: For more information about the shared secret use, see System Shared Secret.
aggregator clean shared-secret

Sets the system shared secret value to null. All files archived or exported from a unit with a null shared secret can be restored or imported only on systems where the
shared secret is null.
Syntax
aggregator clean shared-secret
aggregator debug
Starts or stops writing debugging information relating to aggregation activities. Use these commands only when directed to do so by GuardiumÂ® Support, and be sure to
issue the stop command after you have gathered enough information.
Note: Debug mode will automatically expire after 7 days.
Syntax
aggregator debug <start | stop>
aggregator list failed imports

When an import operation fails because of a shared secret mismatch, the offending file is moved from the /var/importdir directory to the /var/dump directory, and it is
renamed using the original file name plus the suffix .decrypt_failed. Use this command to list all such files
Syntax
aggregator list failed imports
aggregator recover failed import

Use this command to move and rename failed import files, prior to re-attempting an import or restore operation. Failed import files are stored in the /var/dump directory,
with the suffix .decrypt_failed. Before re-attempting an import or restore operation, those files must be renamed (by removing the .decrypt_failed suffix) and moved to the
/var/importdir directory.
Syntax
aggregator recover failed import <all | filename>
Parameters
Use the all option to move all files from the /var/dump directory ending with the suffix .decrypt_failed, or use the filename option to identify a single file to be moved.
Note: After moving the failed files, but before a restore or import operation runs, be sure that the system shared secret matches the shared secret used to encrypt the
exported or archived file.
aggregator restore keys file

Use this command to restore the shared secret keys file from the specified location.

Syntax
aggregator restore keys file <user@host:/path/filename>
Parameters
user@host:/path/filename For the file transfer operation, specifies a user, host, and full path name for the backup keys file.
store aggregator drop_ad_hoc_audit_db

Audit Process reports on Aggregator â€“ creates ad-hoc databases for each of its tasks that will include only the relevant days for that task. These ad-hoc databases can
be kept for 14 days (for analysis) or deleted immediately after use. The CLI command defines the ad-hoc databases purging policy. Choices are 0 or 1(0 - keep for 14-days
or 1 - delete after use).
Syntax
store aggregator drop_ad_hoc_audit_db [1|0]
Drop ad-hoc merge databases? 0
show aggregator drop_ad_hoc_audit_db
store aggregator orphan_cleanup_flag

Use this CLI command to regularly run static orphans cleanup on an aggregator.
Use this CLI command to clean orphans on aggregators that will be scheduled to run on data older then 3 days and will run at the end of a purge.
This process will be started by the user with this CLI command, so in case of large database, the user will be aware of the time length of the process.
It will cover the whole data on the aggregator, but will run it all on a separate temporary database.
Note: On a collector, orphans cleanup is not changed - it runs with the small cleanup tactics and is invoked before export/archive.
show aggregator orphan_cleanup_flag Displays small, large or analyze.
store aggregator orphan_cleanup_flag
store aggregator orphan_cleanup_flag <flag>, where flag is one of the words < small large analyze >
These commands are applicable on aggregator only.
If set to one of small, large or analyze - orphans cleanup script is invoked after each run of merge process.
The orphans cleanup on an aggregator does not remove orphan records of the last 3 days - it does remove all orphans older then 3 days.
If small is specified, the process does not interfere with audit processes that can start after the merge is completed.
If large is specified, the process would run faster where there is a large number of orphans but it's run might interfere with audit processes - if large is specified, audit
processes will not start until orphans cleanup is complete.
If analyze is specified, the process first evaluates the number of orphans and uses the large tactics if there are more than 20% orphans - if analyze is specified, audit
processes will not start until orphans cleanup is complete.
Syntax
store aggregator orphan_cleanup_flag [ small | large | analyze]
Show command
show aggregator orphan_cleanup_flag
store archive_static_table
Use this CLI command to turn off/ turn on the archive static table
USAGE: store archive_static_table <state>,
where state is on/off.
Show command
show archive_static_table
store next_export_static
The aggregation software makes a distinction between two types of tables:
static tables - grow slowly over time, data in these tables is not time dependent Â (GDM_OBJECT, GDM_FIELD, GDM_SENTENCE, GDM_CONSTRUCT, etc.).
dynamic tables- grow quickly with time, data is time dependent (GDM_CONSTRUCT_INSTANCE, GDM_SESSION, GDM_CONSTRUCT_TEXT etc.).
As stated previously, the data of static tables is not time dependant. The data of dynamic tables that is time dependant is linked to static data. As static tables can grow to
be very large, the export/archive process does not archive the full static data every day - it archives the full static data the first time it runs, and then at the first day of each
month, on any day besides the first of the month, it only archives static data that changed during that day. For this reason when restoring data of any day, it is also required
that the first of the month be restored - this ensures that full static data is present and references are not broken.

Use the CLI command, store next_export_static, to set a flag so that the next export contains the full static data.
Syntax
store next_export_static [ON | OFF]
Show command
show next_export_static
store last_used
Use this CLI command during purging and aggregation.
Syntax
store last_used [size | interval | logging]
Show command
show last_used [size | interval | logging]
LAST_USED SIZE - Integer, Default is 50
LAST_USED INTERVAL - Integer, default is 60 (minutes)
LAST_USED LOGGING - Integer
All Tables - 1
Only GDM_Object - 2
None - 0 (Default)
store aggregator static_data

store aggregator static_data [TIMESTAMP | LAST_USED_FOR_OBJECT_ONLY | LAST_USED ]
Note: Set the CLI command, last_used logging, prior to using this command.
When the LAST_USED column is updated by the Sniffer in Static tables, this column can be referenced when purging data from these tables or when archiving and
exporting data from these tables.
The value of this column can also be updated when importing data to an aggregator.
There are three options:
1. By default, the system behaves like it did in previous versions - the LAST_USED column is not considered in purge, archive and export and is not updated on import,
archive and export are done by TIMESTAMP.
2. LAST_USED_FOR_OBJECT_ONLY is considered only for GDM_OBJECT table.
3. LAST_USED is considered for GDM_CONSTRUCT, GDM_SENTENCE, GDM_OBJECT, GDM_FIELD, GDM_JOIN, GDM_JOIN_OBJECT
Note: Options 2 and 3 are only enabled when the sniffer is configured to collect and update this data.
Note: Validations performed only on a collector - If ADMINCONSOLE_PARAMETER.LAST_USED_LOGGING=0, then only TIMESTAMP is allowed. If
ADMINCONSOLE_PARAMETER.LAST_USED_LOGGING=1 then all parameters are allowed. If ADMINCONSOLE_PARAMETER.LAST_USED_LOGGING=2, then TIMESTAMP
and LAST_USED_FOR_OBJECT_ONLY are allowed. On an aggregator, all parameters are allowed.
Syntax
store aggregator static_data <type>
where <type> is <TIMESTAMP | LAST_USED | LAST_USED_FOR_OBJECT_ONLY>depends on the last_used logging flag.
Use show/store last_used logging commands.
Show command
show aggregator static_data
store archive_table_by_date
Use the CLI command, store archive_table_by_date, only on Aggregators. Use this CLI command to archive all static tables on a daily basis or archive static tables data at
the first time of running and every first day of the month. In default, archive data on an aggregator will run with full static tables on a daily basis. If this CLI command is set
to ENABLE, static tables will be archived only on the first day of month or the first time archive data is running.
store run_cleanup_orphans_daily
Use this CLI command to clean all the old construct records that are no longer in use. This CLI command is relevant for collectors and aggregators and by default is
enabled.
store run_cleanup_orphans_daily
USAGE: store run_cleanup_orphans_daily [on|off]
Show command
show run_cleanup_orphans_daily

store max_number_collector
Set the maximum number of collectors managed by aggregator. Default is 10.
Show command
show max_number_collector
store purge_age_period
Set the period of purge age.
Show command
show purge_age_period
Parent topic: CLI Overview
Alerter CLI Commands

This section list Alerter CLI commands.
The Alerter subsystem transmits messages that have been queued by other components - correlation alerts that have been queued by the Anomaly Detection subsystem,
or run-time alerts that have been generated by security policies, for example. The Alerter subsystem can be configured to send messages to both SMTP and SNMP servers.
Alerts can also be sent to syslog or custom alerting classes, but no special configuration is required for those two options, beyond starting the Alerter. There are four types
of Alerter commands. Use the links in the lists, or browse the commands, which are listed in alphabetical sequence following the lists.
Alerter Start-up and Polling Commands
stop alerter
restart alerter
store alerter state operational
store alerter state startup
store alerter poll
store anomaly-detection poll
store anomaly-detection state
SMTP Configuration Commands
store alerter smtp authentication password

store alerter smtp authentication type
store alerter smtp authentication username
store alerter smtp port
store alerter smtp relay
store alerter smtp returnaddr
SNMP Configuration Commands
store alerter snmp community

store alerter snmp traphost
restart alerter
Restarts the Alerter. You can perform the same function using the store alerter state operational command to stop and then start the alerter:
store alerter state operational off
store alerter state operational on
Syntax
restart alerter
stop alerter
Stops the Alerter.
You can perform the same function using the store alerter state operational command:
store alerter state operational off
Syntax
stop alerter
store alerter poll

Starts (on) or stops (off) the Alerter. The default state at installation time is off. You can also use the restart alerter or stop alerter commands to restart or stop the Alerter
subsystem.
Syntax
store alerter state operational <on | off>

Show Command
show alerter state operational
store alerter state operational

Sets the number of seconds, n, that the Alerter waits before checking its outgoing message queue to send SNMP traps or transmit email using SMTP. The default is 30.
Syntax
store alerter poll <n>
Show Command
show alerter poll
store alerter state startup

Enables or disables the automatic start-up of the Alerter on system start-up. The default state at installation time is off.
Syntax
store alerter state startup <on | off>
Show Command
show alerter state startup
store anomaly-detection poll

Sets the Anomaly Detection polling interval, in minutes (n). This controls the frequency with which GuardiumÂ® checks log data for anomalies.
Syntax
store anomaly-detection poll <n>
Show Command
show anomaly-detection poll
store anomaly-detection state

Enables or disables the Anomaly Detection subsystem, which executes all active statistical alerts, checks the logs for anomalies, and queues alerts as necessary for the
Alerter subsystem.
Syntax
store anomaly-detection state <on | off>
Show Command
show anomaly-detection state

Sets the alerter SMTP authentication password to the specified value. There is no corresponding show command.
Syntax
store alerter smtp authentication <value>
store alerter smtp authentication type

Sets the authentication type required by the SMTP server to the one of the following values:
none: Send without authentication.
auth: Username/password authentication. When used, set the user account and password using the following commands:
Syntax
store alerter smtp authentication type <none | auth>
Show Command
show alerter smtp authentication type

Sets the alerter SMTP email authentication username to the specified name.
Syntax

store alerter smtp authentication username <name>
Show Command
show alerter smtp authentication username
store alerter smtp port

Sets the port number on which the SMTP server listens, to the value specified by n. The default is 25 (the standard SMTP port).
Syntax
store alerter smtp port <n>
Show Command
show alerter smtp port
store alerter smtp relay

Sets the ip address of the SMTP server to be used by the Guardium appliance.
Syntax
store alerter smtp relay <ip address>
Show Command
show alerter smtp relay
store alerter smtp returnaddr

Sets the return email address for email alerts. Any bounced messages or email failures will be returned to this address.
Syntax
store alerter smtp returnaddr <email address>
Show Command
show alerter smtp returnaddr
store alerter snmp community

Sets the SNMP trap community used by the Alerter, to the name specified. There is no corresponding show command.
Syntax
store alerter snmp community <name>
store alerter smtp traphost

Sets the Alerter SNMP trap server to receive alerts, to the specified IP address or DNS host name.
Syntax
store alerter snmp traphost <snmp host>
Show Command
show alerter snmp traphost
store syslog-trap
Usage: store syslog-trap ON | OFF
Certificate CLI Commands

Use the certificate commands to create a certificate signing request (CSR), and to install server, CA (certificate authority), or trusted path certificates on the GuardiumÂ®
system.
Note: Guardium does not provide certificate authority (CA) services and does not ship systems with different certificates than the one installed by default. A customer that
wants their own certificate must contact a third-party CA (such as VeriSign or Entrust).
Certification Expiration
Expired certificates will result in a loss of function. Run the show certificate warn_expire command periodically to check for expired certificates. The command displays
certificates that will expire within six months and certificates that have already expired. The user interface will also inform you of certificates that will expire. To see a
summary of all certificates, run the command show certificate summary.
New Certificates

To obtain a new certificate, generate a certificate signed request (CSR) and contact a third-party certificate authority (CA) such as VeriSign or Entrust. Guardium does not
provide CA services and will not ship systems with different certificates than the ones that are installed by default. The certificate format must be in PEM and include
BEGIN and END delimiters. The certificate can either be pasted from the console or imported through one of the standard import protocols.
Note: Do not perform this action until after the system network configuration parameters have been set.
create csr
Creates a Certificate Signed Request (CSR) for the Guardium system. Do not perform this action until after the system network configuration parameters are set. Within the
generated CSR, the common name (CN) is created automatically from the host and domain names assigned.
create csr alias creates a certificate request with an alias.
create csr gim creates a certificate request for gim (GIM Listener).
create csr gui creates a certificate request for the tomcat.
create csr sniffer creates a certificate request for the sniffer.
Syntax
create csr <alias | gimi | gui | sniffer>
restore certificate gim

Restores the certificate gim to the last certificate gim on record or the default certificate gim that was originally provided.
restore certificate gim backup restores the gim certificate to the last saved sniffer gim certificate.
restore certificate gim default restores the gim certificate to the default gim certificate that was supplied with the system.
Syntax
restore certificate gim <backup | default>
restore certificate keystore

Restores the certificate keystore to the last certificate keystore on record or the default certificate keystore that was originally provided.
restore certificate keystore backup restores the certificate keystore to the last saved certificate keystore.
restore certificate keystore default restores the certificate keystore to the default value that was supplied with the system.
Syntax
restore certificate keystore <backup | default>
restore certificate mysql

Restores the client certificate to the last certificate on record.
restore certificate mysql backup restores the last saved mysql certificate.
Syntax
restore certificate mysql <backup>
restore certificate mysql backup client

Restores the client certificate to the last certificate on record.
restore certificate mysql backup client ca restores the last saved client certificate authority (CA) certificate.
restore certificate mysql backup client cert restores the last saved client certificate.
Syntax
restore certificate mysql backup client <ca | cert>
restore certificate mysql backup server

Restores the server certificate to the last certificate on record.
restore certificate mysql backup server ca restores the last saved server certificate authority (CA) certificate.
restore certificate mysql backup server cert restores the last saved server certificate.
Syntax
restore certificate mysql backup server <ca | cert>
restore certificate mysql default client

Restores the mysql client certificate to the default version that was supplied with the system.
restore certificate mysql default client ca restores the mysql client ca certificate to the default version that was supplied with the system.

restore certificate mysql default client cert restores the mysql client certificate to the default version that was supplied with the system.
Syntax
restore certificate mysql default client <ca | cert>
restore certificate mysql default server

Restores the mysql server certificate to the default version that was supplied with the system.
restore certificate mysql default server ca restores the mysql server ca certificate to the default version that was supplied with the system.
restore certificate mysql default server cert restores the mysql server certificate to the default version that was supplied with the system.
Syntax
restore certificate mysql default server <ca | cert>
restore certificate sniffer

Restores the certificate to the last certificate on record.
restore certificate sniffer backup restores the sniffer certificate to the last saved sniffer certificate.
restore certificate sniffer default restores the sniffer certificate to the default sniffer certificate.
Syntax
restore certificate sniffer <backup | default>
restore cert_key mysql backup

Restores the mysql client or server certificate key to the last saved value.
restore cert_key mysql backup client restores the last saved mysql client cert key.
restore cert_key mysql backup server restores the last saved mysql server cert key.
Syntax
restore cert_key mysql backup <client | server>
restore cert_key mysql default

Restores the mysql client or server certificate key to the default version that was supplied with the system.
restore cert_key mysql default client restores the default mysql client cert key that was supplied with the system.
restore cert_key mysql default server restores the default mysql server cert key that was supplied with the system.
Syntax
restore cert_key mysql default <client | server>
show certificate
Displays the summary of all certificates, certificate information, alias list, certificates in the keystore, and expired or soon-to-expire certificates.
This certificate authenticity can be verified by a Guardium CA public key (contained in the CA certificate that is distributed with the client software). This certificate has
either a customer company-unique CN (Common Name - for example, acme.com, or a machine-specific CN (for example x4.acme.com). This permits any client to
establish that not only does the Guardium system have a valid certification (it is a real Guardium system), but also that it is a specific Guardium system (or a set of
Guardium systems) that the client is supposed to connect to.
show certificate all displays a summary of all certificates.
show certificate alias displays an alias list.
show certificate gim displays all GIM certificate information (GIM Listener).
show certificate gui displays all tomcat certificate information.
show certificate keystore displays all certificates in the keystore and an alias list for you to select which certificate to show.
show certificate mysql displays client and server mysql certificate information.
show certificate sniffer displays all sniffer certificate information.
show certificate stap displays all S-TAP certificate information in the keystore.
show certificate summary displays a summary of all certification information.
show certificate trusted displays all trusted certificate information.
show certificate warn_expired displays all expired certificates or certificates that expire in 6 months.
Syntax

show certificate <alias | all | gim | gui | keystore | mysql | sniffer | stap | summary | trusted | warn_expired >
show certificate keystore

Displays certificate information in the keystore.
show certificate keystore all displays all certificates in the keystore.
show certificate keystore alias displays an alias list for you to select which certificate to show.
Syntax
show certificate keystore <all | alias>
show certificate mysql

Displays mysql certificate information.
Parameters
show certificate mysql client shows client mysql information.
show certificate mysql server shows server mysql information.
Syntax
show certificate mysql <client | server>
store certificate
Stores a certificate. Paste your certificate in PEM format and include the BEGIN and END lines.
Parameter
store certificate alias stores a certificate in the keystore after a CSR has been generated. This CLI command supports the CLI command, create csr alias, which allows the
user to create an intermediate trusted certificate from scratch. Use both of these commands to create intermediate trusted certificates. These intermediate trusted
certificates can then be used to sign other certificates, if required.
store certificate gim will allow the custom gim certificate to be stored in keystore by prompting for certificate, key (optional) and CA certificate (GIM Listener).
store certificate gui stores the tomcat certificate in the keystore after a CSR has been generated.
store certificate keystore asks for a one-word alias to uniquely identify the trusted certificate and store it in the keystore.
store certificate mysql stores mysql client and server certificates.
store certificate sniffer stores sniffer certificates.
store certificate stap stores S-TAP certificates.
Syntax
store certificate <gim | gui | keystore | mysql | sniffer | stap >
store certificate mysql client

Stores a mysql client certificate.
store certificate mysql client ca stores client certificate authority (CA) certificates.
store certificate mysql client cert stores client certificates.
Syntax
store certificate mysql client <ca | cert>
store certificate mysql server

Stores a mysql server certificate.
store certificate mysql server ca stores server certificate authority (CA) certificates.
store certificate mysql server cert stores server certificates.
Syntax
store certificate mysql server <ca | cert>
store cert_key
Stores the system certificate key and the certificate key of a mysql client and server.
store cert_key mysql stores the certificate key of a mysql client and server.
store cert_key sniffer stores the sniffer certificate key.
Syntax

store cert_key <mysql | sniffer>
store cert_key mysql

Stores the certificate key of a mysql client or server.
store cert_key myself client stores the certificate key of a mysql client.
store cert_key myself server stores the certificate key of a mysql server.
Syntax
store cert_key mysql <client | server>
store cert_key sniffer

Stores the system certificate key. This command enables a user to set the system certificate that is used by the Guardium system (in communication with S-TAPÂ®). The
certificate can either be pasted from the console or imported via one of the standard import protocols. The certificate format should be PEM and should include the BEGIN
and END delimiters. This certificate needs to be signed by a CA whose self-signed certificate is available to S-TAP software through the guardium_ca_path.
store cert_key sniffer console stores the sniffer certificate key by pasting the key into the console.
store cert_key sniffer import stores the sniffer certificate key by importing the key file.
Syntax
store cert_key sniffer <console | import>
Backup and Default Options

You can choose to restore certificates and certificate keys with the backup or default parameter. Use the backup parameter to restore a certificate to the last saved
certificate. Use the default parameter to restore a certificate to the original certificate that Guardium supplied.
Certificate Expiration Dates and Summary Commands

Run the show certificate warn_expire command periodically. This command warns you of certificates that will expire in six months and displays a list of expired
certificates. For more information, see the show certificate CLI command. To show a summary of all certificates, run the CLI command show certificate summary. Run the
commands periodically to review certificate expiration dates.
Configuration and Control CLI Commands

Use the following CLI commands for configuration and control.
? (question mark)
When entering a command, enter a question mark at any point to display the arguments.
Syntax
<partial_command> ?
Example
CLI> show account strike ?
USAGE: Â show account strike <arg>, where arg is:
?, count, interval, max
ok
CLI>
delete unit type

Use this command to clear one or more unit type attributes. Note that not all unit type attributes can be cleared using this command. See the table, located after the store
unit type command, for more information.
Syntax
delete unit type [manager | standalone] [aggregated] [netinsp] [network routes static] [stap] [mainframe]
commands
Displays an alphabetical listing of all CLI commands.
Syntax
commands
debug

Enable/disable debug mode. Without an argument, it toggles the debug state. Optionally, a state argument can be passed.
Syntax
debug <on | off>
eject
This command dismounts and ejects the CD ROM, which is useful after upgrading or re-installing the system, or installing patches that were distributed via CD ROM.
Syntax
eject
delete scheduled-patch
See the CLI command, store system patch install for further information on patch installation.
forward support email

When the support-state option is enabled (which it is by default), this command sets the email address to receive system alerts.
Syntax
forward support email to <email address>
Show Command
show support-email
iptraf
IPTraf is a network statistics utility distributed with the underlying operating system. It gathers a variety of information such as TCP connection packet and byte counts,
interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. Â The IPTraf User Manual is available on the internet at
the following location (it may be available at other locations if this link does not work):
http://iptraf.seul.org/2.7/manual.html
Syntax
iptraf
license check
Indicates if the installed license if valid. Use this command after installing a new product key.
Syntax
license check
ping
Sends ICMP ping packets to a remote host. This command is useful for checking network connectivity. The value of host can be an IP address or host name.
Syntax
ping <host>
quit
Exits the command line interface.
Syntax
quit
recover failed
Command to restore failed CSV/CEF/PDF transfer files, placing the files back into the export folder for another export attempt.
Syntax
recover failed [csv|cef|pdf]
register management
Registers the Guardium system for management by the specified Central Manager. The pre-registration configuration of this Guardium system is saved, and that
configuration will be restored later if the unit is unregistered.
Syntax
register management Â <manager ip> <port>

Parameters
manager ip is the IP address of the Central Manager.
port is the port number used by the Central Manager (usually 8443).
restart gui
Restarts the IBMÂ® GuardiumÂ® Web interface. To optionally schedule a restart of the GUI once a day or once a week, use additional parameters. HH is hours 01-24. MM is
minutes 01-60. W is the day of the week, 0-6, Sunday is 0. If HHMM is listed twice, only the last entry is used. The parameter clear deletes the scheduled time.
In order to restart the Classifier and Security Assessments processes, run the restart gui command from the CLI (not from the GUI).
Running restart GUI from the GUI only restarts the web services. It is necessary to run the restart GUI command from the CLI to fully restart all processes, including
Classifier and Security Assessments processes. It is necessary to run the restart GUI command from the CLI for each managed unit to restart the Classifier listener.
Syntax
restart gui [HHMM|HHMMW|clear]
Use this CLI command to restart services previously stopped with the store auto_stop_services_when_full CLI command.
Syntax
restart system
Reboots the Guardium system. The system will completely shut down and restart, which means that the cli session will be terminated.
Syntax
restart system
show buffer
This command displays a report of buffer use for the inspection engine process. If you are experiencing load problems, IBM Technical Support may ask you to run this
command.
Syntax
show buffer <log | snif>
show buffer log

Use this CLI command to display the buffer usage of the inspection engine process.
show buffer snif

Use this CLI command to display the buffer usage of the sniffer.
show build
Displays build information for the installed software (build, release, snif version).
Syntax
show build
show defrag
Identify fragmented packets and attempt to reconstruct the packets before they get to the network sniffing process. The defrag is relevant only for network sniffing
through SPAM or a TAP device.
Syntax
show defrag
Parameters
Packet size- The packet size in bytes, up to a maximum of 217 (131072)
Time interval - The time interval
Trigger level - The trigger level
Release level - The release level specified as a number of seconds, up to a maximum of the 31st power of two (2147483648).
show network routes static

Permit the user to have only one IP address per appliance (through eth0) and direct traffic through different routers using static routing tables. List the current static
routes, with IDs.

Syntax
Delete command
delete network routes static
show password
This CLI command displays password functions. Password disable [0|1] removes the use of a password by storing the value 1. Password Expiration [CLI|GUI] [Number of
days] displays the number of days between required password changes. Default is 90 days. Password Validation [ON|OFF] determines how strong the password is. Â
Syntax
show password disable [0|1]
show password expiration [CLI|GUI] 90
show password validation [ON|OFF]
show security policies

Displays the list of security policies.
Syntax
show security policies
show system patch available

Displays the already installed patches and patches scheduled to be installed--showing date/time and the install status.
Syntax

Displays the already installed patches and patches scheduled to be installed--showing date/time and the install status.
Syntax
show system public key

Displays the public key for cli or tomcat. If none exists, this command creates one.
Note: See show system key, store system key in Certificate CLI commands.
Syntax
show system public key <cli | tomcat | grdapi>
stop gui
Stops the Web user interface.
Syntax
stop gui
stop system
Stops and powers down the appliance.
Syntax
stop system
store apply_user_hierarchy
Use this CLI command to apply user hierarchy to audit receiver.
If ON, the non-audit group receiver (the receiver other than the audit group receiver (normal or role) will only see audit results with a group IP beneath the receiver's
hierarchy, including the receiver. Â
Syntax
store apply_user_hierarchy [ON | OFF]
Show command
show apply_user_hierarchy

store allow_simulation
Enables (on) or disables (off) the ability to run the Policy Simulation on the appliance.
In order to run the simulation, Â the original traffic must be replayed through the rules engine (with the policy needing to be tested). This requires some of the original SQL
on the appliance to be saved with their values. The enable/disable of allow_simulation instructs IBM Guardium to save/NOT save any SQL or values whatsoever.
Syntax
store allow_simulation [on|off]
Show command
show allow_simulation
store alp_throttle
Use this CLI to regulate the amount of data that will be logged.
Usage: store alp_throttle <num>
where <num> is the number in range of -2147483647 and 2147483647.
Default is 0.
0 - do not log into GDM_FLAT_LOG and do not create tapks files
>0 - log into GDM_FLAT_LOG and do not create tapks files
<0 - log into GDM_FLAT_LOG and create tapks files
99999 - do not log into GDM_FLAT_LOG, but create tapks files.
Example
10 - log into GDM_FLAT_LOG 10% of statements.
10 - log into GDM_FLAT_LOG 10% of statements and create tapks files
store analyzer
Ignore session: The current request and the remainder of the session will be ignored. This action does log a policy violation, but it stops the logging of constructs and will
not test for policy violations of any type for the remainder of the session. This action might be useful if, for example, the database includes a test region, and there is no
need to apply policy rules against that region of the database.
This command sets the value of the timeout of the ignore session and sets the duration of the ignore session.
Syntax
store analyzer [ignore_sess_timeout | max_open_sess]
Show command
show analyzer
store auto_stop_services_when_full
When ON, will stop internal services if database exceeds the 90% full threshold.
Inspection Engine, Classification and other Collection-related services will stop. Also, Aggregation import/restore will not process any new files.
To remediate, use the various Support commands (support clean audit_task, support clean log_files, support clean DAM_data, support show large_files) to analyze and
manually purge large tables.
Syntax
store auto_stop_services_when_full [ON | OFF]
Show command
show auto_stop_services_when_full
store connect oracle_parser

Use this command to connect and disconnect the Oracle parser from the DB2 parser. The default is OFF (disconnect).
Syntax
store connect oracle_parser [ON | OFF]
Usage: store connect_oracle_parser [state], where state is ON/OFF. ON is connect and OFF is disconnect.
Show command
show connect oracle_parser
store csv_fetch_size

CSV_FETCH_SIZE and CSV_MAX_SIZE are GLOBAL_PROFILE parameters that can only be modified via CLI
Guardium reports can be downloaded in CSV file format.
CSV_MAX_SIZE is used to control the size of the CSV download that are retrieved when clicking Download all records, from the report export menu.
CSV_FETCH_SIZE is used by report REST service to control total number of records.
Note: csv_max_size requires a restart of the GUI for changes to take effect. csv_fetch_size does not requires a restart of the GUI for changes to take effect.
Show command
CLI> show csv_fetch_size
Usage
CLI> store csv_fetch_size
USAGE: store csv_fetch_size <number>
where number is greater than 0
store csv_max_size
CSV_FETCH_SIZE and CSV_MAX_SIZE are GLOBAL_PROFILE parameters that can only be modified via CLI
Guardium reports can be downloaded in CSV file format.
CSV_MAX_SIZE is used to control the size of the CSV download that are retrieved when clicking Download all records, from the report export menu.
CSV_FETCH_SIZE is used by report REST service to control total number of records.
Note: csv_max_size requires a restart of the GUI for changes to take effect. csv_fetch_size does not requires a restart of the GUI for changes to take effect.
Show command
CLI> show csv_max_size
Usage
CLI> store csv_max_size
USAGE: store csv_max_size <number>
where number is greater than 0
store default_queue_size
Use this CLI command to control the configuration parameter ADMINCONSOLE_PARAMETER.DEFAULT_QUEUE_SIZE. The default is 25. The range is 25-300.
The sniffer must be restarted after a change in value.
Syntax
store default_queue_size <N>, where N is the number in range of 25 to 300
Show command
show default_queue_size 25
store defrag
Use this command to restore defragmentation defaults, or to set the defragmentation size. After entering this command, you must issue the restart inspection-core
command for the changes to take effect. The defrag is relevant only for network sniffing through SPAM or a TAP device.
Syntax
store defrag [default | size <s> interval <i> trigger <t> release <r>]
Show command
show defrag
Parameters
default - Restore the default size.
s - The packet size Â in bytes, up to a maximum of 217 (131072)
i - The time interval
t -The trigger level
r - The release level specified as a number of seconds, up to a maximum of the 31st power of two (2147483648).
store delayed_firewall_correlation
Use this CLI command to hold a user connection until the decryption correlation has taken place.

Syntax
store delayed_firewall_collection [on | off]
Show command
show delayed_firewall_correlation
store full-bypass
This command is intended for emergency use only, when traffic is being unexpectedly blocked by the Guardium system. When on, all network traffic passes directly
through the system, and is not seen by the Guardium system.
When using this command, you will be prompted for the admin user password.
Syntax
store full-bypass <on | off>
store gdm_analyzer_rule
Analyzer rules - Certain rules can be applied at the analyzer level. Examples of analyzer rules are: user-defined character sets, source program changes, and firewall watch
or firewall unwatch modes. In previous releases, policies and rules were applied at the end of request processing on the logging state. In some cases, this meant a delay in
decisions based on these rules. Rules applied at the analyzer level means decisions can be made at an earlier stage.
Note: When applying analyzer rules on source program changes, if the source program is not matching the exact pattern, add a .* at the end of the pattern to deal with the
possibility that the source program has a trailing space (unseen by user).
Syntax
store gdm_analyzer_rule [active_flag | new ]
store gdm_analyzer_rule active_flag
Usage: store gdm_analyzer_rule active_flag <id> <on|off>
where <id> is the rule ID.
Use the CLI command, show gdm_analyzer_rule, to see a list of GDM analyzer rules.
store gdm_analyzer_rule new
Enter rule description (optional):
Enter rule type (required):
Show command
show gdm_analyzer_rule
store gdm_analyzer_rule new
Use the Guardium CLI to add an analyzer rule for a direct regular expression to Mask UID Chain pattern.
CLI> store gdm_analyzer_rule new
Please enter rule description: new rule 4
Rule type:
1. Change source program
2. Set alternate character set
3. Send verdict
4. HADOOP exclude
5. Define protocol and port
6. Ignore session after packets
7. Set empty Oracle DB user when login information is missed
8. Force MS SQL login
9. Transform string
Please select rule type (required): 9
Please enter pattern (required, regex string): (.*)(-ppassword)(.*)
Please enter format (required, regex string): \\\\1-p****\\\\3
Do you want to activate the rule now? (Yes/No)
ok

store gdm_http_session_template
Use this CLI command to set the template for the HTTP session.
Usage
store gdm_http_session_template [activate] [add] [deactivate] [remove]
Show command
show gdm_http_session_template
Attempting to retrieve the template information. It may take time. Please wait.
Table 1. store gdm_http_session_template

Active Logout_Session_ Logout_URL_R
ID# URL Regex Session Regex Username Regex Login_Session Regex Comment ID egex
1 1 Cookie.*PHPSESSID=([[:a .*user_name= Set-Cookie:.*PHPSESSID= example of HTTP session Â Â

([[:alnum:] deleted
2 1 Cookie.*PSJSESSIONID= .*SignOnDefault=([[:aln Â example of HTTP session cmd=logout Â

([
3 1 Cookie.*JSESSIONID= .*username=([[:alnum:]] Set-Cookie:.*JSESSIONID example of HTTP session Â Logout.jsp

([0-
store log external

Use this command to set file size, flush period, gdm error and state of the log external.
This rule will be displayed ONLY if the following CLI command is executed:
store log external state on
Then log external shows up as a policy action
CLI command to check the state:
show log external state
CLI command to enable and disable this action:
store log external state on/off
Usage
store log external [file_size] [flush_period] [gdm_error] [state]
Usage: store log external gdm_error <state>
where state is on/off. 'on' is to enable and 'off' is to disable.
Usage: store log external file_size <num>
where <num> is the size of the file.
Default is 4096 bytes.
Usage: store log external flush_period <num>
where <num> is the flush period.
Default is 60 seconds.
Usage: store log external state <state>
where state is on/off. 'on' is to enable and 'off' is to disable.
Show command
show log external [file_size] [flush_period] [gdm_error] [state]
store monitor gdm_statistics

Use this CLI command to get information about the Unit Utilization. Default is 1 (run the script every hour).
Syntax
CLI> store monitor gdm_statistics

USAGE: store monitor gdm_statistics <hour>, where hour is value from 0 to 24.
Default value is 1, means to run the script every hour.
Value 0, means not to run the script.
Show command
CLI> show monitor gdm_statistics
Disable gdm_statistics monitor

store gui
store gui [port | session_timeout | csrf_status]
Sets the TCP/IP port number on which the IBM Guardium appliance management interface accepts connections. The default is 8443. n must be a value in the range of
1024 to 65535. Be sure to avoid the use of any port that is required or in use for another purpose.
Set timeout of session - Sets the length of time (in seconds) with no activity before timeout. After the no-activity-timeout has been reached, it is necessary to log on again
to IBM Guardium. The default length is 900 seconds (15-minutes).
Set Cross-site Report Forgery (CSRF) (ON | OFF) - See the section CSRF and 403 Permission Errors in the Getting Started with GUI help topic. The default value is
enabled on an upgraded system. Trying to use certain web browser functions (for example, F5/CTRL-R/Refresh/Reload, Back/Forward) will result in a 403 Permission
Error message.
The new session timeout value will take effect only after the next GUI restart.
Syntax
store gui port <n>
store gui session_timeout <n>
store gui csrf_status [on | off]
Show command
Displays the GUI port number, state, session timeout (in seconds) and/or CSRF status.
Syntax
show gui [port | state | all | session_timeout | csrf_status ]
store gui cache

Use this CLI command to turn web browser caching ON or OFF (Enable or Disable).
The response is
The parameter has been changed.
Restarting gui
Changing to port 8443
Stopping.......
Safekeeping xregs
ok
The default setting for browser caching is enabled.
The act of changing the cache setting will automatically restart the Guardium web server.
For Firefox, in order for the setting to take affect, the cache on the respective browsers has to be cleared.
Syntax
store gui cache [ON | OFF]
Show command
show gui cache
store gui session_timeout

Sets the length of time (in seconds) with no activity before timeout. After the no activity timeout has been reached, it is necessary to log on again to IBM Guardium. The
default length is 900 seconds (15-minutes).
Syntax
store gui session_timeout
Show command
show gui session_timeout
store gui csrf_status

Use this CLI command to enable or disable the Cross-site Request Forgery (CSRF) status.
Syntax
store gui scrf_status [ on | off ]
Show command
show gui scrf_status

store gui xss_status
Use this CLI command to enable or disable the Cross-Site Scripting (XSS) status. This option is enabled by default on upgraded systems.
Syntax
store gui xss_status [ on | off ]
Show command
show gui xss_status
store gui hsts_status

Use this CLI command to enable or disable the HSTS (HTTP Strict Transport Security Filter). This option is disabled by default on upgraded systems and is recommended
to be turned on after valid certificates are installed. See the topic, How to install an appliance certificate to avoid a browser SSL certificate challenge, for further reference.
Syntax
store gui hsts_status [ on | off ]
Show command
show gui hsts_status
store installed security policy

Sets the security policy named policy-name as the installed security policy.
Syntax
store installed security policy <policy-name>
Show Command
show installed security policy
store keep_psmls
Use this CLI command to retain the current layouts/profiles/portlets created the users of the Guardium application. Set this CLI command to ON before an upgrade, and
the psmls from the previous version will be retained.
Syntax
store keep_psmls [ON | OFF]
show keep_psmls
store ldap-mapping
Store LDAP mapping parameters - allow a custom mapping for the LDAP server schema. This command permits customized mapping to the LDAP server schema for email,
firstname and lastname attributes. The paging parameter is used to facilitate transfer between any LDAP server type (Active Directory, Novell Directory, Open LDAP, Sun
One Directory, TivoliÂ® Directory). If the paging parameter is set to on, but paging is not supported by the server, the search is performed without paging.
Example for paging. If the CLI command, ldap-mapping paging is set to ON, then Microsoft Active Directory will download the maximum number users defined under the
limit value on the LDAP Import configuration screen. If CLI command, ldap-mapping paging is set to OFF, then Active Directory will download up to only 1000 users not
matter what the limit value is set to. All other LDAP server configurations must use the CLI command, ldap-mapping paging off in order to download users up to the set
limit value.
Note: Each time you change the CLI ldap-mapping attributes you also need to select Override Existing Changes on the LDAP Import configuration screen in IBM Guardium
GUI before updating. This action must occur each time you change the CLI ldap-mapping email, firstname or lastname attributes and import LDAP users.
Show commands
show ldap-mapping [email] [firstname][lastname] <name>
show ldap-mapping paging ON|OFF
A GUI restart of the CLI is required for new parameters to take effect.
Examples
Some examples are shown.
store ldap-mapping firstname name
store ldap-mapping lastname sn
store ldap-mapping email mail
store ldap-mapping paging on
Â
If the attributes are written as follows, the mapping process will use the first attribute it finds. If this is not what you want, use one of the examples to map to specific
attributes.

Values for firstname attribute: Â gn,givenName,name
Values for lastname: attribute: Â sn,surname,name
Values for email attribute: userPrincipalName,mail,email,emailAddress,pkcs9email,rfc822Mailbox
Values for paging: on, off
store license
This command applies a new license key to the appliance.
A license key may be of one of two kinds: override type or append type; an override type replaces the currently installed license while the append type license will be
appended to the currently installed license. Append-type licenses can only add functionality; new functions may be enabled and when relevant - expiration dates be
updated, remaining number of scans and datasources will be increased, and a certain numeric fields in the license, such as number of managed Â units will be replaced.
Syntax
store license
Show Command
show license
Example
When using the store license command, you will be prompted to paste the new product key:
CLI> store license
Paste the string received from IBM Guardium and then press Enter.
Copy and paste the new product key at the cursor location, and then press Enter. The product key contains no line breaks or white space characters, and it always ends
with (and includes) a trailing equal sign. A series of messages will display, ending with:
We recommend that the machine be rebooted at the earliest opportunity in order to complete the license updating process.
ok
CLI>
Run the restart gui command at this time.
store log classifier level

Sets the debugging level for the classifier, to one of the values shown.
Syntax
store log classifier level DEBUG|INFO|WARN|ERROR|FATAL
Show command
show log classifier level
store log sql parser_errors

Sets the logging of syntactically wrong SQL commands.
Syntax
store log sql parser_errors [on|off]
Note: A restart of the inspection engine is required after the store command is issued to apply change.
Show command
show log sql parser_errors
store log object_join_info

Sets the logging of object_join.
A join table is a way of implementing many-to-many relationships. Use join entity to join tables in a SELECT SQL statement.
Syntax
store log object_join_info [ on | off]
Show command
show log object_join_info
store log session_info

Sniffer-related

Syntax
store log session_info [ on | off]
Show command
show log session_info
store log exception sql

When on, logs the entire SQL command when logging exceptions.
Syntax
store log exception sql <on | off>
Show command
show log exception sql
store logging granularity

Sets the logging granularity to the specified number of minutes. You must use one of the minute values shown in the syntax. The default is 60.
Syntax
store logging granularity <1, 2, 5, 10, 15, 30 or 60>
Show command
show logging granularity
store max_audit_reporting
Displays the audit report threshold. The default is 32. When defining reports in Audit Process, the number of days of the report (defined by the FROM-TO fields) should not
exceed a certain threshold (one month by default). See the Workflow Process, Central Management and Aggregation section of the Compliance Workflow Automation help
topic for further information on this using this CLI command.
Syntax
store max_audit_reporting
Show command
show max_audit_reporting
store max_result_set_size
Store the max_result_set_size, default value is 100 (size is between 1 and 65535) and aids in tuning the inspection engine when observing returned data. This command
sets the limitation for total result set size. This parameter works for any type of database. If the value is beyond the defined threshold, the analyzer will not retrieve data to
calculate records affected value.
Syntax
store max_result_set_size <size>
Show command
show max_result_set_size
store max_result_set_packet_size
Store the max_result_set_packet_size, default value is 32 (size is between 1 and 65535) and aids in tuning the inspection engine when observing returned data. This
command sets the limitation for packet size in response. This parameter works for any type of database. If the value is beyond the defined threshold, the analyzer will not
retrieve data to calculate records affected value.
Syntax
store max_result_set_packet_size <size>
Show command
show max_result_set_packet_size
store max_tds_response_packets
Store the max_tds_response_packets, default value is 5 (size is between 1 and 65535) and aids in tuning the inspection engine when observing returned data. This
command sets the limitation for number of packets in response. This parameter works for MS SQL only. If the value is beyond the defined threshold, the analyzer will not
retrieve data to calculate records affected value.
Syntax
store max_tds_response_packets <size>
Note: max_tds_response_packets (Tabular Data Stream) is only applicable for MS SQL Server and Sybase.

Show command
show max_tds_response_packets
store maximum query duration

Sets the maximum number of seconds for a query to the value specified by n. The default is 180. We recommend that you do not set this value greater than the default,
because doing so increases the chances of overloading the system with query processing. This value can also be set from the Running Status Monitor panel on the
administrator portal.
Syntax
store maximum query duration <n>
Show Command
show maximum query duration
store monitor [ buffer | custom_db_usage | gdm_statistics ]

Use the CLI command, store monitor buffer to set the interval of how often the script must run that retrieves the information shown in the Buffer Usage Monitor report of
the IBM Guardium Monitor tab.
Syntax: store monitor buffer
Use the CLI command, store monitor custom_db_usage to set the state to on and to specify a time to run this job.
Syntax
CLI> store monitor custom_db_usage

USAGE: store monitor custom_db_usage <state> <hour>
where state is on/off.
If state is on, specify the hour to run.
Valid value is number from 0 to 23
Use the CLI command, store monitor gdm_statistics to get information about the Unit Utilization. Default is 1 (run the script every hour).
Syntax
CLI> store monitor gdm_statistics

USAGE: store monitor gdm_statistics <hour>, where hour is value from 0 to 24.
Default value is 1, means to run the script every hour.
Value 0, means not to run the script.
Show Commands
show monitor buffer
show monitor custom_db_usage
show monitor gdm_statistics
store mysql_utf8mb4
Enable support for 4-byte UTF-8 encoding (utf8mb4).
This command modifies Guardium sniffer processes and internal databases to correctly capture and store 4-byte UTF-8 characters. Enabling utf8mb4 may be useful if
datasources in your environment contain 4-byte characters, for example as used for Chinese, Japanese, and Korean ideographs.
Observe the following when using this command:
The additional processing required to capture and store 4-byte characters will negatively impact the performance of your Guardium system. For this reason, do not
enable utf8mb4 unless you require 4-byte character support in your environment.
If support for 4-byte UTF-8 encoding is required in an aggregated or centrally managed environment, utf8mb4 should be enabled on all Guardium systems in the
environment. Enabling utf8mb4 on only some systems in the environment may create problems, such as failed aggregation or incorrectly displayed reports.
Data collected or aggregated before enabling utf8mb4 will still be available and function correctly after enabling utf8mb4.
CAUTION:
Once 4-byte UTF-8 support has been enabled using the store mysql_utf8mb4 command, the change cannot be undone or reversed. After enabling utf8mb on a Guardium
system, the only way to remove support for 4-byte UTF-8 characters is to completely rebuild the system.
Syntax
store mysql_utf8mb4
Show Command
show mysql_utf8mb4
Example
> show mysql_utf8mb4

mysql configuration NOT set with UTF8MB4.
ok
> store mysql_utf8mb4

Attempting to change the mysql config file. It may take time. Please wait.

Start to modify mysql config file
Restarting mysql
Mysql has been restarted. Please exit CLI and log back on.
The parameter IS_UTF8MB4 has been changed to 1.
> show mysql_utf8mb4

mysql configuration set with UTF8MB4.
ok
store packet max-size

Limit the maximum size of packets from the sniffer.
Syntax
store packet max-size 1536
Show Command
show packet max-size
store pdf-config
Use this command to change the pdf font size and pdf orientation of the PDF image body content (excluding header/footer).
Size unit ranges from 1 (smallest) to 10 (largest) with default value of 6.
Orientation unit is 1 (for landscape orientation) or 2 (for portrait). The default value is 1.
The change takes effect immediately after typing the CLI command and pressing the Enter key.
Syntax
store pdf-config [ orientation | size ]
Show Command
show pdf-config [ orientation | size ]
store pdf-config multilanguage_support

There are different static pdf generator config files for English (Used on English version) and language C/J (Used on Chinese/Japanese). Use this CLI command to define
the fonts in the PDF generator. Default is English. Multi-language is language C/J.
Syntax
CLI> store pdf-config multilanguage_support

Current setting is Default
1 Default
2 Multi-language
Please select the option (1,2, or q to quit)
Show command
show pdf-config multilanguage_support
store populate_from_query_maxrecs
Sets the maximum number of records that can be used to populate groups and aliases from a query.
Use caution when setting a maximum records value via this CLI command. Setting it too high may result in incomplete populate group from query processes. The
maximum threshold is dynamic and dependent on the system load and memory utilization. This CLI command is limited to a high value of 200000.
Syntax
store populate_from_query_maxrecs 100000
Show command
show populate_from_query_maxrecs
store product gid

Sets the stored unique product <n> GID value.
Syntax
store product gid <n>
Show Command
show product gid
store purge object

Sets the age (in days) at which non-essential objects will be purged. Use the show purge objects age command to display a table showing the index, object name, and age
for each object type for which a purge age is maintained. Then use the appropriate index from that table in the command to set the purge age.
Note: The value of number of days will be set to the default (90 days) when the unit type changes between managed unit/Manager/standalone unit.
Syntax
store purge object age <index> <days>
Show Command
show purge object age
Example
Assume you want to keep an Event Log for 30 days. First issue the show purge objects age command to determine the index (do not use the table; your list may be
different). Then enter the store purge object command.
CLI>show purge objects age
Index Name, Age
1. Â Â Â Â Central Management Persistent Operations, 7
2. Â Â Â Â S-TAP Event Log, 14
4. Â Â Â Â Assessment Tests, 7
5. Â Â Â Â Central Management Temporary Policies, 7
6. Â Â Â Â S-TAP Change History, 14
7. Â Â Â Â Kerberos Authentication Information, 1
8. Â Â Â Â Comment History, 60
9. Â Â Â Â Comment Local History. 60
10. Â Â Â Call Graph History, 90
...
ok
CLI> store purge object age 2 30
ok
store quartz_thread_run
This CLI command is for use by Technical Support.
The Javaâ„¢ Virtual Machine allows the application to have multiple threads. Thread is a piece of the program execution.
Use the store quartz_thread_num CLI command to set the number of threads that can run at the same time.
Use this command to ease conflict between too many threads running at the same time.
The show quartz_thread_num CLI command displays the number of Quartz scheduler threads that run at the same time.
Syntax
store quartz_thread_run <number>
USAGE: store quartz_thread_num <number>, where number is in range 3 to 15 with default value = 5.
Show command
show quartz_thread_num
org.quartz.threadPoll.threadCount= 5
store remotelog
Controls the use of remote logging. In addition to system messages, statistical alerts and policy rule violation messages can be written to syslog (optionally). For each
facility.priority combination, messages can be directed to a specific host. This command can also control the use of remote logging through an optional port number and
can designate a mandatory protocol (UDP or TCP). This command works with any syslog implementation that supports TCP.
If you enable remote logging, be sure that the receiving host has enabled this capability (see the note).
Syntax
store remotelog [help|add|clear] facility.priority host [optional port number:mandatory protocol (UDP or TCP)]
Table 2. Store remotelog parameters

help Displays supported facilities and priorities.

add Adds the specified facility.priority combination to the list of messages to be sent to the specified remote host.
clear Clears the specified facility.priority combination from the list of messages being sent to the specified host.
facility Use daemon. The majority of messages issued by the IBM Guardium appliance will be from the daemon facility.
priority May be one of the following: alert, all, crit, debug, emerg, err, info, notice, warning.
The standard IBM Guardium severity codes for alerts and violations map as follows:
Guardium severity / Syslog priority
INFO / info
LOW / warning
MED / err
HIGH / alert
host Identifies the host to receive this facility.priority combination.
optional port Â
number
mandatory protocol UDP or TCP
format store remotelog format
Some SIEM products may process the IETF RFC 5424 style syslog messages better than the default. This command changes the format. If the
format is changed 'restart rsyslog' must be run for this to take effect.
USAGE: store remotelog format <default|rfc5424>
default - rsyslog traditional format
rfc5424 - rsyslog RFC 5424 format

Note: syslog receiver must be configured to accept RFC5424 format. Otherwise, it would receive in the traditional format.
Note:
To configure the receiving system to accept remote logging, edit /etc/sysconfig/syslog on that system to include the -r option. For example:
SYSLOGD_OPTIONS=-r -m 0
Then restart the syslog daemon:
/etc/init.d/syslog Â restart
The standard syslog file in Linux is named:
/var/log/messages
Common criteria requires that all communications from the Guardium system to a remote syslog server be encrypted. Communications to the remote syslog server can
not be in clear text.
CLI commands
show remotelog
store remotelog ?
store remotelog add ?
store remotelog add encrypted
USAGE: store remotelog add encrypted <facility.priority> <host[:port]> <tcp|udp>
Possible facilities: all auth authpriv cron daemon ftp kern local0 local1 local2 local3 local4 local5 local6 local7 lpr mail mark news security syslog user uucp
Possible priorities: alert all crit debug emerg err info notice warning
Note:
If you want to send the encrypted remote log message to the server, the rsyslog configuration in the server needs to accept encrypted message.
Encrypted setting on client and server only works in TCP mode.
Switching from one mode to other on the same remote server: it needs to modify the configuration file to sync with the designated mode and the remote service
needs to restart.
Example
store remotelog add non_encrypted

store remotelog clear
g32.guard.swg.usma.ibm.com> show remotelog
*.* @9.70.148.175:10514
Use the example to store the certificate as ca.pem in /etc/pki/rsyslog/. This will open a new window and asks the user to paste the certificate.
store remote add encrypted all.all <IP address>:<port number> tcp

Encrypting syslog
Alerts and other messages can be forwarded to a remote syslog receiver, such as a SIEM system. This message traffic can be encrypted from the collector or
aggregator to the remote syslog receiver.
Note: Encryption only works in TCP mode. By default, syslog forwarding uses UDP, so if encryption is required, specify TCP for the CLI command, store remotelog.
Before you begin:
The procedure documented here must be repeated on every collector or aggregator that is sending traffic to the encrypted host.
The certificate used by the remote syslog receiver is needed. Store that certificate on the Guardium system.
1. Have available the public certificate from the CA (Certificate Authority) from Verisign, Thwate, Geotrust, GoDaddy, Comodo, in-house, etc.
2. Log into the CLI on the individual Guardium system from which to send the encrypted syslog. Before executing the command, obtain the appropriate
certificate (in PEM format) from the CA, and copy the certificate, including the Begin and End lines, to your clipboard.
3. Enter the following CLI command:store remotelog add encrypted daemon.all <IP address of encrypted remote host>:<port number of remote host> tcp
Note: This example uses daemon because Guardium sends its application events using daemon.
4. The following instructions will be displayed:
Please paste your CA certificate, in PEM format. Include the BEGIN and END lines, and then press CTRL-D.
Paste the PEM-format certificate to the command line, then press CRTL-D. Guardium will take this input and store it as /etc/pki/rsyslog/ca.pem
There will follow a message informing of the success or failure of the store operation.
When successful, Guardium can send encrypted traffic to the remote system with the correct key.
5. Repeat the procedure for each collector and aggregator that is sending syslog traffic to the encrypted host.
store s2c
Sets several configurable parameters for ADMINCONSOLE. These parameters are used for throttling server-to-client (S2C) traffic.
Note: Use this CLI command only when directed by IBM Guardium Technical Services.
Minimum and maximum values:
ANALYZER_S2C_IGNORE = {0,1,2,3}
MAX_S2C_VELOCITY (K bytes/sec) - number >=0 and <= 2147483647
MAX_S2C_INTERVAL (sec) - number >=1 and <= 2147483647
See also the CLI command Store Throttle.
Â
Syntax
store s2c
USAGE: store s2c ignore I maxrate M maxinterval T
where 0<=I<=3 (level), Â 0<=M<=2147483647 (K/sec), and 1<=T<=2147483647 (seconds) OR store throttle default
Â Â Â Â Â Â Â Â
store s2c ignore 3 maxrate 300 maxinterval 5007
Â
The new configuration will be effective once the CLI command, restart inspection-core, command is executed.
Show command
show s2c
Throttle S2C parameters (defaults):
Â Â Â Â Â Â Â Â Â Ignore: Â Â Â Â Â Â Â Â 0
Â Â Â Â Â Â Â Â Â Max rate: Â Â Â Â Â 999999
Â Â Â Â Â Â Â Â Â Max interval: Â 30
-------------------
ANALYZER_S2C_IGNORE (0,1,2,3) - Switch s2c throttling mechanisms on/off based on scenarios. This flag is based on bits. 0 = the s2c throttling mechanism is OFF. 1 =
turns on the function described in scenario 1, 2 = turns on the function described by scenario 2. 3 = turns both on.
MAX_S2C_VELOCITY - maximal rate (K bytes/sec). If this rate is exceeded, then analyzer should send CLI commands, ignore session, or ignore session reply, request to S-
TAPÂ® or sniffer.
MAX_S2C_INTERVAL - time interval in seconds (default 30 sec.) between possible CLI commands, ignore session, or ignore session reply, requests.
Â
Scenario 1

The sniffer starts to receive traffic from S-TAP or network in the middle of large query. Since all incoming packets are DB server responses, no new session will be created
by the analyzer and therefore no information will be sent to logger and rules engine. This type of traffic is useless for the sniffer. From the other side, this type of traffic can
create additional S-TAP and sniffer load. A throttling mechanism helps to decrease S-TAP and network sniffer load by sending a ignore session message from the analyzer,
if the S2C velocity is greater than MAX_S2C_VELOCITY. If for some reason S-TAP or network sniffer were not affected, then analyzer will send ignore session request again
after MAX_S2C_INTERVAL seconds. In order to switch this throttling mechanism on, set ANALYZER_S2C_IGNORE flag to 1.
Scenario 2
If the incoming traffic has a high S2C rate (>MAX_S2C_VELOCITY), then a throttling mechanism sends a ignore session reply request to S-TAP for local database
connections in the case when S2C velocity is greater than MAX_S2C_VELOCITY. If from some reason S-TAP was not affected, then analyzer will send ignore session reply
request again after MAX_S2C_INTERVAL seconds. In order to switch this throttling mechanism on, set ANALYZER_S2C_IGNORE flag to 2.
store sender_encoding
Use this CLI command to encode outgoing messages (email and SNMP traps) in different encoding schemes, where previously everything is encoded in UTF8.
For example, a Guardium customer wanted to encode all of the outgoing SNMP messages in SJIS - an alternative Japanese encoding.
Note: If the conversion fails, for either reason (a) the encoding scheme specified is invalid, or (b) the characters to be encoded can not be represented in the requested
encoding scheme, then the message will be sent using UTF8, which is the default encoding scheme.
Syntax
store sender_encoding <str>,
where str is the encoding with maximum length 16
Show command
show sender_encoding
store stap approval

Use this function to block unauthorized STAPs from connecting to the Guardium appliance.
If ON, then STAPs can not connect until they are specifically approved.
If an unapproved STAP connects, it is immediately disconnected until the specific authorization of the IP Address of that STAP.
There is a pre-defined report for approved clients, Approved TAP clients, it is available on the Daily Monitor tab.
Note:
A valid IP address is required, not the host name.
The CLI command, store stap approval, does not work within an environment where there is an IP load balancer.
Within a Central Managed environment, after adding the IPs to approved STAPs, there is a wait time associated with synchronization that might take up to an hour. After
synchronization is complete the approved STAPs status will appear green in GUI.
Syntax
store stap approval ON | OFF
Show command
show stap approval
GuardAPI command
grdapi store_stap_approval
The new configuration will be effective after running the CLI command, restart inspection-core.
store stap certificate

Stores a certificate from the S-TAP host (usually a database server), on the IBM Guardium appliance. This command functions exactly like the store certificate console
command, described later.
Syntax
store stap certificate
You will be prompted as follows:
Please paste your new server certificate, in PEM format.
Include the BEGIN and END lines, then press CTRL-D.
If you have not done so already, copy the server certificate to your clipboard. Paste the PEM-format certificate to the command line, then press CRTL-D. You will be
informed of the success or failure of the store operation.
When you are done, use the restart gui command to restart the IBM Guardium GUI.
store stap network_latency

S-TAP verification is a feature by which customers can verify if a S-TAP is monitoring database traffic or not. The verification feature is affected by the customer's network
traffic/latency. Since latency is different for each customer, there is a need for a way to list and change the default value that the verification feature uses.
Syntax
store stap network_latency
USAGE: store stap network_latency <N>
where N is the number greater than 0 seconds.
The default value is 5 seconds.
If the number goes higher the S-TAP verification process will become slower.
Show command
show stap network_latency
store set_partitions_for_queries
Use this CLI command to enable/disable partition selection on queries.
Usage:
store set_partitions_for_queries <on|off>
store storage-system
store storage-system
Adds or deletes a storage system type for archiving or system backup.
Syntax
store storage-system <Centera | TSM> Â Â <backup | archive> <on | off>
Show Command
show storage-system
Example
Assume you are currently using Centera for system backups, but want to switch to a TSM system. You must turn off the Centera backup option (unless you want to leave
that as another option), and turn on the TSM backup option. The commands to do this are highlighted in the example. The show commands are not necessary, but are for
illustration only.
CLI> show storage-system
NETWORK :
CENTERA : backing-up
TSM Â Â Â Â :
SCP Â Â Â Â : archiving and backing-up
FTP Â Â Â Â : archiving and backing-up
ok
CLI>store storage centera backup off
ok
CLI> store storage tsm backup on
ok
CLI> show storage-system
NETWORK :
CENTERA :
TSM Â Â Â Â : backing-up
SCP Â Â Â Â : archiving and backing-up
FTP Â Â Â Â : archiving and backing-up
ok
CLI>
store support state

Enables (on) or disables (off) the sending of email alerts to the support email address, which can be configured using the forward support email command. By default,
the support state is enabled (on), and the default support email address is support@guardium.com.

Syntax
store support state <on | off>
Show Command
show support state
store throttle
This CLI command stores the throttle parameters. After entering this command, you must issue the CLI command, restart inspection-core for the changes to take effect.
This command is used to filter out (ignore) large packets. Throttling has two modes: Thresholds, per session - ignore sessions when identifying a long enough burst
(duration configurable) of large packets (size configurable) and stop ignoring the session when traffic goes under a certain threshold (also configurable); and, Overall -
ignore all packets larger than a certain size (configurable) in all sessions. This throttling mode completely ignores long and excessive non-database packets smaller than a
predefined size (useful for VNC clients and other types of white-noise traffic). Use for network traffic through SPAM port or hardware TAP. For S-TAP traffic, only network
TCP traffic picked up by PCAP. See also the CLI command, store s2c.
Syntax
store throttle [default | size <s> interval <i> trigger <t> release <r>]
USAGE: Â Â store throttle size S interval I trigger T release R
Â Â Â Â Â Â Â Â Â where 0<=S<=2^17 (bytes), 1<=I,T,R,<=2^31 (seconds)
Â Â Â Â Â Â Â Â Â OR store throttle default
Show Command
show throttle
Throttle parameters:
Packet size: Â Â 228000
Time interval: 604800
Trigger level: 10000000
Release level: 10000000
Parameters
default - Enter the keyword default to restore the system defaults (no other parameters are used). The default throttling parameters are never throttle.
s - The packet size in bytes, up to a maximum of 217 (131072).
The remaining parameters are in seconds, up to a maximum of 231 (2147483648):
i - The time interval
t - The trigger level
r- The release level
Note: To restore the throttle defaults, use the CLI command, store throttle default.
store timeout
Sets the timeout value of a CLI session and/or fileserver session. The default value is 600 seconds. A timeout will also close the CLI session.
If the fileserver is stopped because of a timeout, a message will appear, Warning : Fileserver stopped because of timeout. The file upload may not be
complete. Stopping the process.
Use the CLI commands, show timeout db_connection, to show the socketTimeout value in the conf file, and store timeout db_connection <value>, to set the value of the
timeout. The value should be greater than 0. The default value is 25000 seconds. These CLI commands are used in managing the communications between the Central
Manager and the managed unit when DNS is not configured.
Syntax
store timeout cli_session <n>
store timeout fileserver_session <n>
store timeout db_connection <n>
Show command
show timeout cli_session 600
show timeout fileserver_session 600
show timeout db_connection 25000
store transfer-method

Sets the file transfer method used for CSV/CEF export. For export file, need to use CLI command, store transfer-method csv, to set the method of transfer. For
backup/archive, use the CLI command, store transfer-method backup, to set the method of transfer.
Syntax
store transfer-method <FTP | SCP>
Show Command
show transfer-method
Note: Files sent from one IBM Guardium appliance to another (from a collector to an aggregator, for example) are always sent using SCP.
store uid_chain_polling_interval
Set the interval for UID Chain polling with this CLI command. UID chain is a mechanism which allows S-TAP (by way of K-Tap) to track the chain of users that occurred
prior to a database connection.
Set the interval to 0 to turn off the UID Chain processing, in order to improve database performance. If the UID Chain processing is turned off, then calculating the UID
Chain and updating children sessions are skipped.
Note: When using any database, the UID chain is not logged for all sessions if the session is very short.
Syntax
store uid_chain_polling_interval <N>
where N is time in minutes (>= 1 minute; default is 2 minutes)
set N = 0, to turn off the UID Chain processing
Show command
show uid_chain_polling_interval
store upd_session_end
This CLI command adds an option to skip the update for the session_end time.
Syntax
store upd_session_end [enable | disable]
Show command
show upd_session_end
store unit type

Use this CLI command to set unit type attributes for the Guardium appliance. See the Unit Type Attributes table for a description of all unit type attributes that can be
displayed by this command.
Syntax
store unit type [manager | standalone] [netinsp] [stap] [mainframe] [sink]
Use store unit type sink to switch collected DRDA traffic timestamp granularity from 1 millisecond to 1 microsecond.
Show Command
show unit type
Note: Some attributes listed are set using the store unit type command, and cleared using the delete unit type command. The aggregator attribute can only be set during
installation of the IBM Guardium software, and cannot be modified except by re-installing the IBM Guardium software.
Unit Type Attributes

The Guardium system unit type attributes that can be displayed by the show unit type command are described in the table. Except where noted, these attributes can be
set using the store unit type command, and cleared using the delete unit type command.
Table 3. Unit Type Attributes
mainframe The unit is a mainframe (z/OSÂ®) network inspection appliance.
manager Central manager functions are enabled for this unit.
netinsp Inspection of network traffic is enabled.
network route static Removes one line off the static routing table
standalone Local management (independent of a central manager)
stap The unit can receive data from and manage S-TAP and CAS agents.
unregister management

The unregister command restores the configuration that was saved when the appliance was registered for central management. If that happened under a previous release
of the IBM Guardium software, restoring that configuration without first applying a patch to bring the saved configuration to the current software release level will disable
the appliance, potentially causing the loss of all data stored there. Accordingly, do not unregister a unit until you have verified that the pre-registration configuration is at
the current software release level. If you are unsure about how to verify this, contact Technical Support before unregistering the unit.
Syntax
unregister management
Notes:
This command is intended for emergency use only, when the Central Manager is not available.
After unregistering using this command, you should also unregister from the Central Manager (from the Administration Console), since that is the only way the
count of managed units will be reduced. The count of managed units is authorized by the product key.

diag CLI command

Use these CLI command to access troubleshooting and maintenance utilities through diag.
Use the diag command as directed by Technical Support.
There are no functions that you would perform with this command on a regular basis. Each main menu entry is described in a separate topic (see Main Menu Commands).
Troubleshooting and Maintenance Utilities through DIAG:
Aggregator Fix Schema â€“ brings all imported tables that have older schema than that of the aggregator to the schema of the latest patch level of the aggregator
(runs in the background and may take several hours to complete). Note: There may be scenarios in which (a) the aggregator will not have the latest patch level or (b)
some of the imported tables are of the latest patch levelâ€”resulting in not all imported tables having the latest patch level.
Aggregator Maintenance â€“ full analysis and recovery of the Aggregator. This utility will collect AGG related logs and place it in the diag export folder, calls the
Aggregator Fix Schema to sync the schema of all databases, clean AGG workspace and restart the merge process to ensure full analysis of all imported tables (runs
in the background and may take several hours to complete).
Clean Static Orphans on an Aggregator â€“ This option should be used only by Technical Support and only in those cases where static tables grow too much and
needed to be cleaned. This utility cleans all the old construct records that are no longer in use.
Opening the Diagnostics Main Menu

To use the diag command, follow the procedure outlined:
1. At the command line prompt, log into the GuardiumÂ® appliance with CLI.
The Guardium user attempting to use the diag command must have an assigned CLI or admin role. The only user who has a CLI role by default is admin. The user
with a CLI or admin role is permitted to enter the diag command, use the unlock admin and unlock accessmgr CLI commands, and use the export audit-data CLI
command without restrictions. The user with a CLI role does not have to enter user name and password required of a GUI login and does not go through any further
role check.
If the Guardium user attempting to use CLI does not have a CLI or admin role, CLI will not start. The accessmgr assigns CLI and admin roles.
2. After starting CLI, enter the diag command (with no arguments) at the command line prompt.
3. The Guardium user attempting to use the diag command must have an assigned diag role on the Guardium system. By default, only admin has this assigned role.
Access to diag is allowed or disallowed based on the role assignment of this user (access to diag is permitted only if this user has the diag role). The accessmgr
assigns diag roles.
4. You are presented with the main command menu. Do one of the following to move the option selection cursor (which is selecting the first item in the example):
Type the desired entry number (the selection cursor moves to the selected entry).
Use the Up or Down arrow key to select the desired entry.
5. Press the Spacebar, the Left arrow key, or the Right arrow key to move the command selection cursor in the display (which is selecting the OK command in the
example).
6. Perform an action by selecting the appropriate option in the display area and then doing one of the following:
Select the appropriate command with the command selection cursor, then press the Enter key
Click on the appropriate action command.
About the diag Output

The diag command creates output in two directories:
.../guard/diag/current
.../guard/diag/depot
This output is accessed through the fileserver CLI command. See fileserver for further information.
Each directory is described in the following subsections.
.../guard/diag/current Directory
Most output from the diag commands is written in text format to the current directory. For most commands, this directory contains a separate output file. Each time you
run the same command, output is appended to the single file for that command. For a smaller number of commands, a separate file is created for each execution, usually
incorporating a date and time stamp in the filename.

We recommend that you â€œclean upâ€ after each session, so in subsequent sessions you are not looking at old information. When you pack files to a single
compressed file for exporting (see the following topic), all files in the current directory are deleted. Alternatively, you can use the Delete recordings command of the
Output Management menu to delete individual files.
The files in the current directory are easy to identify since the names are created from menu and command names. For example, after you use the File Summary command
from the System Interactive Queries menu, a file named interactive_filesummary.txt is created in the current directory. Â
If you look at the current directory while in the process of using a command, you may see a hidden temporary file with the same name as the one that will contain the
output for that command. The temporary file will be removed when the output is appended to the command output file.
.../guard/diag/depot Directory
When you pack the diag output files in the current directory to a compressed file (to send to Guardium Technical Support, for example), it is stored in the depot directory.
The filename isÂ Â in the format diag_session_<dd_mm_hhmm>.tgz, where the variable portion of the name indicates when the file was created. For example, a file
created at 12:15 PM on May 20th would be named as follows: diag_session_20_5_1215.tgz.
After exporting files (see the Export recorded files topic), you can remove them from the depot directory using the Delete recordings command of the Output Management
menu.
1 Output Management
The Output Management commands control what is done with the output produced by the diag command. Each Output Management command is described separately.
1.1 End and pack current session

Use this command to pack all diagnostic files in the current directory into a single compressed file, and remove those files from the current directory. When you enter this
command, there is no feedback to indicate that the command has completed. You can verify that the command has finished by displaying the directory of the depot
directory. When the command completes, there is a file named in the following format: diag_session_<mm_dd_hhmm>.tgz, where the variable portion of the name is a
date and time stamp, as described previously. Use the Export recorded files command of the Output Management menu to send the file to another system.
1.2 Delete recordings

Use this command to delete files in the depot or current directory. (To delete only the current session files, use the Delete current session files command.) When you enter
this command, the depot directory structure displays:
You can navigate the directories using the Up and Down arrow keys and pressing Enter. For example, selecting ../ and pressing Enter moves the selection up one level in
the directory structure.
You could then select the current directory and press enter, to navigate down to that folder and delete individual command output files. Note that you can navigate to
other directories, but you cannot delete files except from the current and depot directories.
When you have selected the file you want to delete, press Enter.
Caution: You will not be prompted to confirm the delete action
1.3 Export recorded files

Use this command to send a file from the depot directory to another site. To export a file:
1. Select Export recorded files from the Output Management menu. The depot directory displays.
2. Select the file to be sent or use the ../ and ./ entries to navigate up or down in the directory structure. (However, keep in mind that you can only export files from the
depot directory.)
3. With the file to be transmitted selected, press Enter.
4. You are prompted to select FTP or exit. Select FTP and press Enter.
5. You are prompted to supply a host name. Enter the host name of the receiving system (or its IP address), and press Enter.
6. You are prompted for a user name. Enter a user account name for the receiving system, and press Enter.
7. You are prompted for a password. Enter the password for the user on the receiving system.
8. You are prompted to identify a directory to receive the sent file on the receiving system. Enter the path relative to the ftp root of the directory to contain the file on
the receiving system and press Enter.
9. You are prompted to confirm the details of the transfer (the file to be sent and its destination). Press Enter to perform the transfer, or select Cancel and press Enter
to start over.
10. You are informed of the success (or failure) of the operation.
1.4 Delete current session files

Use this command to delete files created during the current session.
1.5 Exit
Use the Exit command to return to the main menu.
2 System Static Reports

Use the System Static Reports command of the Main Menu to produce an extensive set of reports.
1. Select System Static Reports from the Main Menu. You are informed that the process is running.
2. After the report has been created, it displays in the viewing area. Note that his report is lengthy and may be easier to view using a text editor, after exporting it to a
desktop computer).
Use the Up and Down arrow keys to scroll up or down in the report. When you are done viewing the report, press Enter to return to the Main Menu.

System Static Reports Overview
The following subtopics provide an outline of the major components of the System Static Reports output. The fragments of output shown are intended to illustrate the type
and level of information contained in the report, rather than provide a detailed description of the actual contents (that is beyond the scope of this document).
System Configuration Information

The System Static Reports output describes the build version, the patches applied, the current system up time, and name server information:
Build version: 34e1eb12eb68ba76cb49028251c9a0d6Â Â /opt/IBM/guardium/etc/cvstag

Patches:
2009/02/22 16:16:50: START Installation of 'Update 5.0'
2009/02/22 16:18:04: Installation Done - Successfully Installed
< lines deletedâ€¦ >
Current uptime:
Â Â 09:03:43Â Â up 6 days, 17:34,Â Â 1 user,Â Â load average: 0.44, 0.50, 0.41
System nameservers:
192.168.3.20
DB nameservers:
192.168.3.20
Gateway: 192.168.3.1 (system) 192.168.3.1 (def)
Next, the file system information displays (shown partially):
FilesystemÂ Â Â Â Â Â Â Â Â Â Â Â SizeÂ Â Used Avail Use% Mounted on

/dev/hdc3Â Â Â Â Â Â Â Â Â Â Â Â Â 2.0GÂ Â 1.1GÂ Â 813MÂ Â 58% /
/dev/hdc1Â Â Â Â Â Â Â Â Â Â Â Â Â Â 97MÂ Â 9.2MÂ Â Â 83MÂ Â 10% /boot
noneÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 504MÂ Â Â Â Â 0Â Â 504MÂ Â Â 0% /dev/shm
/dev/hdc2Â Â Â Â Â Â Â Â Â Â Â Â Â Â 71GÂ Â 1.2GÂ Â Â 66GÂ Â Â 2% /var
Â Â Â Â Â Â Â Â total:Â Â Â Â used:Â Â Â Â free:Â Â shared: buffers:Â Â cached:
Mem:Â Â 1055199232 1041711104 13488128Â Â Â Â Â Â Â Â 0 63275008 186220544
Swap: 536698880 295432192 241266688
MemTotal:Â Â Â Â Â Â 1030468 kB
MemFree:Â Â Â Â Â Â Â Â Â 13172 kB
This is followed by information about the mail and SNMP servers configured:
SMTP server: 192.168.1.7 on port 25 : REACHABLE

SMTP user: undef
SMTP password: undef
SMTP auth: NONE
SNMP trapsink: undef UNREACHABLE
SNMP trap community: undef
SNMP read community: undef
The final section of the system configuration section describes the network configuration for the unit: IP address, host and domain names, etc:
eth0:Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 192.168.3.101Â Â (system) 192.168.3.101 (def)

hostname:Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â (system)Â Â g1 (def)
domain:Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â (system)Â Â guardium.com (def)
mac address:Â Â Â Â Â Â 00:04:23:A7:77:F2Â Â (MAC1)Â Â 00:04:23:A7:77:F2 (MAC2)
unit type:Â Â Â Â Â Â Â Â Â Â Â 548 Standalone STAP
Internal Database Information

The next major section of the System Static Reports output contains information about the internal database status and threads (only the first few threads are shown):
uptime 77097 seconds.

27 threads.
78545028 queries.
+------+------------+-----------------------------+---------+---------+------+-----------
| Id | User | Host | db | Command | Time | State | +-----------------------------------------
----------------------------------------------
| 1137 | enchantedg | localhost | TURBINE | Sleep | 26 |
| 1257 | enchantedg | localhost.localdomain:33587 | TURBINE | Sleep | 0 |
The list of threads is followed by an analysis of table status.
Web Servlet Container Information

The next several sections of the System Static Reports output contain information about the Web servlet container environment (Tomcat):
============================================================================
Currently defined Tomcat port is 8443.
The TOMCAT daemon is running and listening on port(s): 8005 8443.
Currently OPEN ports
java run by tomcat on port *:8443

============================================================================
These are the nanny latest actions:

May 19 14:13:09 guard nanny:[5528]: Also checking tomcat.
May 19 14:13:09 guard nanny:[5528]: Going for my initial nap.

This is the TOMCAT command line:

463 sh -c ps -o pid,cmd -e | grep Dcatalina.base
21917 grep Dcatalina.base.
Inspection Engine Information

The next major section of the System Static Reports output contains information about the inspection engine:
============================================================================
This is the SNIF (pid: 13036) command line: 13036 /opt/IBM/guardium/bin/snif.
This is the SNIF status:
Name: snif
State: R (running)
Tgid: 13036

============================================================================
Current timestamp is 2009-05-20 11:56:41

This is the last timestamp at GDM_CONSTRUCT_INSTANCE: 2009-05-20 11:56:41
This is the last timestamp at GDM_EXCEPTION: 2009-05-20 11:56:41
This is the last timestamp at GDM_POLICY_VIOLATIONS_LOG: 2009-05-20 11:56:41
============================================================================
Snif buf usage at Fri May 20 11:56:44 2009:

100 204800 buffers out of 204800
126 connection used, 32642 unused, 0 dropped (sniffer), 9 ignored (analyzer)
0 bytes lost, 60 connections ended, 601752099 bytes sent, 579063 request sent
Dropped Packets: 0 buffer full, 0 too short , 451 ignored
time now is 1116604603
Analyzer/Parser buffers size: 6 (66533) 0 (62902)
ms-tsql-logger 0 (11331)
syb-tsql-logger 0 (70)
ora-tsql-logger 79 (67803)
db2-sql-logger 0 (20544)
IP Tables Information
The next major section contains information about the IP tables:
===========================================================================
IPTABLES:
-------------
Â Â Â Â Â Â Â tcpÂ Â --Â Â 192.168.2.0/24Â Â Â Â Â Â Â 192.168.1.0/24Â Â Â Â Â Â tcp spts:1521:60000Â Â set 0x23
Â Â Â Â Â Â Â tcpÂ Â --Â Â 192.168.1.0/24Â Â Â Â Â Â Â 192.168.2.0/24Â Â Â Â Â Â tcp dpts:1521:60000Â Â set 0x22
S-TAP Information
The next major section contains S-TAPÂ® information:
============================================================================
STAP:
----
Â Â Â Â 0Â Â Â Â Â 0 ACCEPTÂ Â Â Â Â tcpÂ Â --Â Â *Â Â Â Â Â Â *Â Â 0.0.0.0/0Â Â Â Â Â Â 0.0.0.0/0Â Â Â Â Â Â Â Â Â Â tcp spt:9500
Â Â Â Â 0Â Â Â Â Â 0 ACCEPTÂ Â Â Â Â tcpÂ Â --Â Â *Â Â Â Â Â Â *Â Â 0.0.0.0/0Â Â Â Â Â Â 0.0.0.0/0Â Â Â Â Â Â Â Â Â Â tcp dpt:9500
Â 2696Â Â 148K ACCEPTÂ Â Â Â Â tcpÂ Â --Â Â *Â Â Â Â Â Â *Â Â 0.0.0.0/0Â Â Â Â Â Â 0.0.0.0/0Â Â Â Â Â Â Â Â Â Â tcp spt:16016
Â 2835Â Â 175K ACCEPTÂ Â Â Â Â tcpÂ Â --Â Â *Â Â Â Â Â Â *Â Â 0.0.0.0/0Â Â Â Â Â Â 0.0.0.0/0Â Â Â Â Â Â Â Â Â Â tcp dpt:16016
IP Traffic Information
The next major section contains IP traffic information:
IP traffic statistics.
OUTPUT OF ETH0
Fri May 20 11:57:04 2012; ******** Detailed interface statistics started ********
*** Detailed statistics for interface eth0, generated Fri May 20 11:58:04 2009
OUTPUT OF ETH1
Fri May 20 11:57:04 2012; ******** Detailed interface statistics started ********
*** Detailed statistics for interface eth1, generated Fri May 20 11:58:04 2009
Total: Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 82440 packets, 53892382 bytes

Â Â Â Â Â Â Â Â (incoming: 82440 packets, 53892382 bytes; outgoing: 0 packets, 0 bytes)
IP: Â Â Â 82440 packets, 52632747 bytes
Â Â Â Â Â Â Â Â (incoming: 82440 packets, 52632747 bytes; outgoing: 0 packets, 0 bytes)
Information Engine STDERR and STDOUT Information

The next section contains the last messages output by the sniffer:
SnifÂ Â STDERR:
Snif STDOUT:
Fri_20-May-2009_04:04:35 : Guardium Engine Monitor starting
Import Directory Information

The next section lists the import directory contents:
These are the contents of the importdir directory:

total 0
Aggregator Activity Information

This section lists aggregator activities (there are none in the example):
============================================================================
This is the aggregator last activities:
Audit Report
This section lists the following summary information (see example):
============================================================================
Range of time in logs: 01/14/10 13:12:26.348 - 01/18/10 12:48:01.073
Selected time for report: 01/14/10 13:12:26 - 01/18/10 12:48:01.073
Number of changes in configuration: 4 Â Â - changes to the audit configuration
Number of changes to accounts, groups, or roles: 0
Number of logins: 22 Â Â Â - logins into the machine - ssh and console
Number of failed logins: 114
Number of authentications: 22 - "su", etc.
Number of failed authentications: 5
Number of users: 2
Number of terminals: 18
Number of host names: 9
Number of executables: 7
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 3
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 9173
Number of events: 98669
============================================================================
Anomaly Report
This section lists the following (see example):
============================================================================
# Date Time Type Exe Term Host AUID Event
============================================================================
1. 01/14/10 13:16:02 ANOM_PROMISCUOUS /usr/sbin/brctl (none) ? -1 8 - Â this is expected
to appear - it means the bridge is listening to all traffic
Authentication Report
============================================================================
============================================================================
1. 01/14/10 13:13:22 tomcat ? console /bin/su yes 4
6. 01/14/10 13:22:29 tomcat ? ? /bin/su yes 155
7. 01/14/10 13:28:10 ? ? tty1 /bin/login no 252
8. 01/14/10 13:28:20 ? ? tty1 /bin/login no 254
Login Report
============================================================================
============================================================================
1. 01/14/10 13:22:15 root 192.168.2.9 sshd /usr/sbin/sshd no 142

3 Interactive Queries
Select System Interactive Queries from the main menu to open the Interactive Queries menu. (Use the Down arrow key to scroll past the tenth item to see all items on this
menu.)
In addition to displaying the requested information, each interactive query command creates output in a separate text file in the current directory. See the Overview topic
for more information about the files created.
Each command is described in the following sections.
3.1 Files Changed

Use the Files Changed command to display a list of files changed either before or after a specified number of days.
1. Select Files Changed from the Interactive Queries menu. You are prompted to enter a number days. Type a number and press Enter.
2. You are asked if you are interested in the files changed before or after that number of days. Select 1 or 2 and press Enter.
3. The full directory path for each changed file is displayed. Note that if not all data fits in the display area, use the Up and Down arrow keys to scroll through the data.
The current position in the file is indicated by the number in the display. The white bars in the display area indicate the presence of more data with a plus sign.
3.2 List Folder

Use this command to list the contents of various directories.
1. Select List Folder from the Interactive Queries menu.

2. You are prompted to select a directory. Select a directory and press Enter. The selected directory is displayed. Remember that if multiple commands of the same
type are issued, the data for each execution of the command is appended to the single text file maintained for that command.
3. Press Enter or click Exit when you are done.
3.3 Summarize Folder

Use the Summarize Folder command to display the output of the du (Disk Usage) command:
1. Select Summarize Folder from the Interactive Queries menu. There are no prompts. You are presented with a display of disk use for various directories.
2. Use the Up and Down arrow keys to scroll through the directories.
3. Press Enter or click Exit when you are done.
3.4 File Summary and Export

Use this command to list all or some portion of a log file.
1. Select File Summary from the Interactive Queries menu.

2. You are prompted to select a file. Use the Up and Down arrow keys to scroll the selection cursor to the file you want to view.
3. Press Enter or click OK.
4. You are prompted to select the number of lines to display. Make your selection and press Enter.
5. You are prompted to enter an optional search string. Use this box if you are searching for a particular log message (you can enter a regular expression). Otherwise
leave the box empty and press Enter.
6. Following the prompt, press Enter to answer yes, meaning that only unique messages will be displayed. Otherwise select No and press Enter (all messages will be
displayed).
Be aware that when the Summary Style is used, variables are replaced by the pound sign character (#). For some log data containing variables such as IP addresses
or dates, the replacements can be extensive.
3.5 Test Email

Use this command to send a test email using the configured SMTP server.
1. Select Test Email from the Interactive Queries menu.

2. You are prompted to select a recipient. Select Custom and press Enter.
3. You are prompted to supply an email address. Type an email address and press Enter. You will be informed of the output of the operation. Â Note that on the
Administration Console, the Test Connection link in the SMTP pane of the Alerter configuration panel only tests that an SMTP port is configured, not that mail can
actually be delivered via that server. You can use this command to test email delivery without having to configure and trigger a statistical or real-time alert, or an
audit process notification.
3.6 Test SNMP

Use this command to send a test SNMP trap to the configured SNMP server.
1. Select Test SNMP from the Interactive Queries menu.

2. You are informed of the activity and the results. Note that on the Alerter Configuration panel, the Test Connection link in the SNMP pane only tests that an SNMP
port is configured, not that a trap can actually be delivered via that server. You can use this command to test trap delivery without having to configure (and trigger) a
statistical or real-time alert, or an audit process notification.
3.7 Report Query Data

Use this command to display the actual select statement used for a report query. This might be useful if a user-written report is producing unexpected output.
1. Select Report Query Data from the Interactive Queries menu.

2. You are prompted to make a selection from a list of report titles. Use the Up and Down arrow keys to select an entry and press the Enter key. Each entry in this list is
a Report entity. All pre-defined reports are listed first. These are numbered in the range 100-225 (for version 3.6.1 â€“ the numbers will most likely grow
incrementally with each release, as more pre-defined reports are created).
User written reports are listed following the pre-defined reports, beginning with number 20001 (for version 3.6.1).
The selected report select statement will be displayed.
3.8 GDM Queries

Use this command to display a count of observed SQL calls during a 100 second interval.
1. Select GDM Queries from the Interactive Queries menu.

2. A message displays requesting your patience. Select yes to continue. The CMD_CT column on the display lists the number of observed SQL calls from the specified
clients to the specified servers.
3. Press Enter when you are done viewing the report.
3.9 Generate TCP Dump

Use this command to create a TCP dump. For this command, output is written to a command file only and not to the screen. Unlike most other commands, a separate file is
created in the current directory for each execution of this command. The file name is in the format: tcpdump_<mmyyyy-hhmmss>, where the variable portion is a date and
time stamp: mmyyyy is the month and year, and hhmmss is the hours, minutes, and seconds.
1. Select Generate TCP dump from the Interactive Queries menu.

2. You are prompted to select an interface. Select a port and press Enter.
3. You are prompted for an optional filter IP address. If you are interested in traffic from only a specific address, enter that IP address and press Enter. Otherwise, just
press Enter.
4. You are prompted for an optional port number. If you are interested in traffic from only a specific port, enter that port number and press Enter. Otherwise, just press
Enter.
5. You are prompted to select how many seconds of traffic to capture. Select a number of seconds and press Enter.
6. You are prompted to press Enter to start collecting data. Press Enter. You are returned to the menu after (approximately) the specified number of seconds.
7. To view the TCP dump data, select the Read TCP dumps command or export the file (see Export Reported Files on the Output Management menu, described
previously).
3.10 Read TCP Dumps

Use this command to display a TCP dump file created previously.
1. Select Read TCP dumps from the Interactive Queries menu.

2. You are prompted to select file. The TCP dump files are listed from oldest to newest. The file name is in the format: tcpdump_<mmddyy-hhmmss>, where the
variable portion is a date and time stamp: mmddyy is the month, day, and year; and hhmmss is the hours, minutes, and seconds. Select the file you want to view
and press Enter.
3. The selected file displays. Use the Up and Down arrow keys to scroll through the display and press Enter when you are done.
3.11 Watch Buffer

Use this command to watch activity in the Guardium buffers:
1. Select Watch Buffer from the Interactive Queries menu. Â The display is updated every second.
2. Press Ctrl-C to close the display.
3.12 SLON Utility

Use this command to run the slon utility, which tracks packets. Typically, you would only run this command as directed by Technical Support. For this command, output is
not written to the screen. Output is written to one of two command files in the current directory, for each execution of the command: apks.txt.<day_dd-mmm-
yyyy_hh.mm.ss.ttt> OR requests.txt.<day_dd-mmm-yyyy_hh.mm.ss.ttt>
The variable portions or the file names are date and time stamps. For example, apks.txt.Fri_20-May-2011_08.52.00.789.
1. Select Slon Utility from the Interactive Queries menu.

2. Select the action to be performed and click OK. The choices are:
(a) Â to dump Analyzer rules info
(f) Â to filter Analyzer packets based on IP and/or mask
(p) Â to dump packets to apks.txt
(l) Â to dump logger requests to requests.txt
(m) Â to dump STAP packets (Select how long to run. Wait for completion and then check the msg-dump file under /var/log/guard/diag/current/tap/ )
(r) Â to record IPQ traffic
(s) Â to dump State machine info
(t) Â to configure throttle parameters
3. Regardless of your selection, you will be prompted to select the time period for the activity. Select a time period and press Enter.
4. You are notified that the program will run for the specified time and prompted to press Enter. Press Enter and wait.
5. When processing completes, a message will be displayed. You can use the File Summary command to display the output of this command. Because this command
can produce a large amount of data, you will probably want to export the file to another system, where you can view the contents using a text editor. (Pack the
current session data, and export the recordings as described earlier in this section.)

3.13 Show Indexes
Use this command to show indexes for various internal tables:
1. Select Show Indexes from the Interactive Queries menu.

2. You are prompted to select a table. Select a table and press Enter to display the indexes for that table.
3. Use the Up and Down arrow keys to scroll through the display. Press Enter when you are done.
3.14 S-TAP Check

Use this command to display S-TAP definitions and traffic information:
1. Select S-TAP Check from the Interactive Queries menu.

2. The systemâ€™s unit type displays in numeric format. Press Enter.
3. You are prompted to select the number of seconds to monitor the S-TAP traffic. Use the Up and Down arrow keys to make a selection and press Enter.
4. You are informed of approximately how long to wait for output, and prompted to press Enter. Press Enter.
5. The S-TAP Definitions and Server Traffic reports display. Press Enter when you are done viewing the report.
3.15 Interface Link Status

Use this command to display interface link status.
1. Select Interface link status from the Interactive Queries menu.

2. The status of all interfaces displays. Use the Up and Down arrows to scroll through the display.
3. Press Enter when you are done. Note that this command displays the link status only. To display interface configuration information, use the show network interface
all CLI command.
3.16 Show Throttle Data

Use this command to display throttle data.
1. Select Show Throttle data from the Interactive Queries menu.

2. Press Enter and wait 3 seconds for throttle statistics.
3. Use the Up and Down arrows to scroll through the display, and press Exit when you are done.
3.17 Generate TCP dump and slon

Use this command to Â create a TCP dump and run the slon utility, which tracks packets. Typically, you would only run this command as directed by Technical Support. See
the individual topics, Generate TCP dump, and Slon Utility.
3.18 Generate SSL dump

Use this command to create a SSL dump..
1. Select Generate SSL dump from the Interactive Queries menu.

2. Select an interface and press OK. Enter filter IP address and press OK. Enter filter port number and press OK.
3. Select how long to run and press OK. Press OK and wait the specified time in order to gather TCP dumps.
4. If you wish to view SSL dumps, press OK.
5. Press Exit when you are done.
3.19 View bash history

Use this command to display bash history.
1. Select View Bash History from the Interactive Queries menu.

2. Press OK.
3.20 Generate GDM_Error dump

Use this command to create GDM_ERROR dumps.
1. Select Show Generate GDM_ERROR dump from the Interactive Queries menu.
2. Press OK and then enter password. Press Enter.
3.21 Prepare Tomcat Memory dump

When Tomcat has a first outOfMemory error, it will do a memory dump to /var/tmp/tomcat/tomcat.dmp. Use this command to compress, encrypt and move this file to
/var/log/guard/diag/tomcat/ for fileserv to retrieve.
1. Select Prepare Tomcat Memory dump from the Interactive Queries menu.
2. Press OK.
3.22 Extended Network Information

Click on Extended Network Information option under System interactive query to display the network diagnostics information.
Example

SQLGuard Diagnostics
Network Parameters from ADMINCONSOLE_PARAMETER:
SYSTEM_NETMASK1: 255.255.255.0
SYSTEM_DOMAIN:
SYSTEM_DEFAULT_ROUTE:
SYSTEM_DNS1:
SYSTEM_DNS2:
SYSTEM_DNS3:
TOMCAT_IP:
MANAGER_IP:
HOST_MAC_ADDRESS:
SECOND_DEVICE:
3.23 Generate TCP dump in rotation

This selection is different from other diag selections in the section called Generate TCP and Generate TCP and slon.
For Generate TCP dump in rotation, enter Filter IP address (enter blank for all IPs). Enter Filter Port number. For the question, How long to run? if the TCP dump in rotation
is already running, choose the option â€œRotation OFFâ€ or â€œRotationâ€ (ON). If Rotation is selected, add file size.
The TCP dump will be output to /var/log/guard/tcp.bin1 and /var/log/guard.bin2 in rotation.
Select TCP dump in rotation again to stop the process loop_tcpdump.sh.
4 Perform Maintenance Actions

Select the Perform Maintenance Actions option from the Main Menu to open the Maintenance menu. Use these commands only under the direction of Technical Support.
These do not need to be run on a regular basis.
4.1 TURBINE analysis (update index cardinality)

Use this command to optimize index cardinality on Guardiumâ€™s internal database. A progress bar displays while the operation is running. When the operation
completes, you are returned to the Maintenance menu.
4.2 TURBINE optimize (rebuild indexes, takes longer)

Use this command to analyze and re-index Guardiumâ€™s internal database.
1. Select TURBINE optimize ( index cardinality ) from the Maintenance menu. A progress bar displays while the operation is running. When the operation completes,
you are returned to the Maintenance menu.
4.3 Clean disk space

Use this command to clean unused disk space. You are returned to the Maintenance menu when the procedure completes.
1. Select Clean disk space from the Maintenance menu. You will be prompted to select a directory.
2. Select the directory from which you want to remove files. The contents of the directory will be listed, and you will be prompted to confirm that you want to remove
all files.
3. When the operation completes, you are returned to the Maintenance menu.
4.4 RAID maintenance

Use this command only under the direction of Technical Support. This command provides access to the Management Menu of the RAID controller utility program, which
can be used to display the status of the RAID drives. If your system does not have a RAID controller, an error message displays if you select this command. You must be
extremely careful when using the RAID controller utility program, since several of the functions provided will erase all information on the disk.
4.5 Application Debugging Utility

Use this command to turn debugging on or off. You are prompted to enable or disable logging, or to reset the system defaults.
4.6 Modify TURBINE watchdog threshold

Use this option to change the timeout limit for long queries.
4.7 Force unrecoverable MySQL to start

Use this option only when directed to do so by Technical Support.
4.8 Transfer backups and system recovery

Use this command to restore a backed up version of the internal database. You will be prompted to confirm the operation.

4.9 Tomcat Logging Level
Use this command to select the component debug level. Choose one of the following options:
Classifier, Data Level Security, Workflow, or Other.
Choose Classifier to select debug level options: ERROR, WARN, INFO, DEBUG, ALL.
Choose DLS (data level security), Workflow, or Other (text input) to select debug level options: ERROR, WARN, INFO, DEBUG, ALL.
If Other is chosen (text input separated by ',') , enter valid components (dls, workflow, audit, customtable, gui, other, job).
4.10 Aggregator Maintenance

Full analysis and recovery of the Aggregator. This utility will collect AGG related logs and place it in the diag export folder, calls the Aggregator Fix Schema to sync the
schema of all databases, clean AGG workspace, and restart the merge process to ensure full analysis of all imported tables (runs in the background and may take several
hours to complete).
4.11 Aggregator Fix Schema

Brings all imported tables to the schema of the latest patch level Â (runs in the background and may take several hours to complete).
4.12 Clean Static Orphans

This option should be used only by Technical Support and only in those cases where static tables grow too much and needed to be cleaned. This utility cleans all the old
construct records that donâ€™t have any Instances associated with them. A progress message will display during the Clean Static Orphans (for use on collector or
aggregator).
5 Exit to CLI
Select Exit to CLI on the Main Menu. Press Enter to close the diag command and return to the command line interface.
File Handling CLI Commands

Use these commands to backup and restore system information. Many of these tasks can be performed from GuardiumÂ® user interface.
About Archived Data File Names

When Guardium data is archived (or exported to an aggregator), there is a separate file for each day of data. Depending on how your export/purge or archive/purge
operation is configured, you may have multiple copies of data exported for the same day. Archive and export data file names have the same format:
<daysequence>-<hostname.domain>-w<run_datestamp>-d<data_date>.dbdump.enc
daysequence is a number representing the date of the archived data, expressed as the number of days since year 0. The same date appears in yyyy-mm-dd format in the
data_date portion of the name.
hostname.domain is the host name of the Guardium appliance on which the archive was created, followed by a dot character and the domain name.
run_datestamp is the date that the data was archived or exported, in yyyymmdd.hhmmss format.
data_date is the date of the archived data, in Â yyyy-mm-dd format.
For example: 732423-g1.guardium.com-w20050425.040042-d2005-04-22.dbdump.enc
backup config
These commands back up and restore configuration information from the internal administration tables. The backup config command stores data in the /media/backup
directory. The backup config command removes license and other machine-specific information. The backup system command provides a more comprehensive backup of
the configuration and the entire system.
Syntax
backup config
restore config
backup system
This topic applies to backup and restore operations for the Guardium internal database. You can back up or restore either configuration information only, or the entire
system (data plus configuration information, except for the shared secret key files, which are backed up and restored separately, see the aggregator backup keys file and
aggregator restore keys file commands). These commands stop all inspection engines and web services and restart them after the operation completes.
Before restoring a file, be sure that the appliance has the system shared secret of the system that created that file (otherwise, it will not be able to decrypt the
information). See About the System Shared Secret in the Guardium Administrator Guide.
Note: System restore must be done to the same patch level Â of the system backup. For example, if a customer backed up the appliance when it was on Version 7.0, Patch
7 and then wishes to restore this backup into a newly-built appliance, then there is a need to first install Version 7.0, Patches 1 to 7 on the appliance and only then to
restore the file.
There are two commands involved in the restore process:
import file, which returns an archived backup file to the system

restore system, which restores the system from a backup file previously returned by an import file operation.
For all backup, import and restore commands, you will receive a series of prompts to supply some combination of the following items, depending on which storage
systems are configured, and the type of restore operation. Respond to each prompt as appropriate for your operation. The following table describes the information for
which you may be prompted.
Note:
One copy of the SCP/FTP/TSM/Centera file transfer is saved, regardless if the transfer was successful or failed. As certain files may take hours to regenerate (for example,
system backup), having a readily available copy (in particular if the file transfer failed) is of value to the user. Only one copy of each type of file is retained (archive/system
backup/configuration backup/etc.)
Backup system will copy the current license, metering and number of datasources, and then backup the data. Restore system will restore the data and then restore the
license, metering and number of datasources. This sequence applies to the regular restore system. Restore from a previous system will require re-configuring license,
metering and number of datasources.
When configuring backups, value of zero '0' for the port number indicates that the default port is being used for that protocol and no need to change.
Table 1. backup system

Item Description
SCP, FTP, TSM, Centera, Snapshot Select the method to use to transfer the file. TSM and Centera will be displayed only if those storage methods that
have been enabled (see the store storage-method command)
Data or Configuration Select Configuration to back up definitions and configuration information only, or select Data to back up data in
addition to configuration information.
restore from archive or restore from backup Select restore from archive to restore archived data, or select restore from backup to restore configuration
information.
normal or upgrade If restoring from the same software version of Guardium, select normal. If restoring configuration information
following software Â upgrade of the Guardium appliance, select upgrade.
host The remote host for the backup file.
remote directory The directory for the backup file. For FTP, the directory is relative to the FTP root directory for the FTP user account
used. For SSH, the directory path is a full directory path. For Windows SSH servers, use Unix-style path names with
forward slashes, rather than Windows-style backslashes.
username The user account name to use for the operation (for backup operations, this user must have write/execute permission
for the directory specified).
Note: For Windows, a domain user is accepted with the format of domain\user
password The password for the username.
file name The file name for the archive or backup file. See Archived Data Names.
A user can select multiple files by using the wildcard character * in the file name. Support of the wildcard character * is
permitted when using transfer methods FTP, SCP and Snapshot. Support of the wildcard character * is not permitted
on transfer methods TSM or Centera.
Centera server Enter the Centera server name. If using PEA files, use the following Â format: Â <Host name/IP>? <full PEA file name>,
for example:
128.221.200.56?/var/centera/us_profile_rwqe.pea.txt
Centera clipID For a Centera restore operation, the Content Address returned from the backup operation. For example:
6M4B15U4JM4LBeDGKCPF9VQO3UA
After you have supplied all of the information required for the backup or restore operation, a series of messages will be displayed informing you of the results of the
operation. For example, for a restore system operation the messages should look something like this (depending on the type of restore and storage method used):
gpg: Signature made Thu Feb 22 11:38:01 2009 EST using DSA key ID 2348FF9E gpg: Good signature from "Backup Signer
<support@guardium.com>" Proceeding to shutdown services Proceeding to startup services Safekeeping admin.xreg Safekeeping
client.xreg Safekeeping controllers.xreg Safekeeping controls.xreg Safekeeping guardium-portlets.xreg Safekeeping local-
portlets.xreg Safekeeping local-security.xreg Safekeeping local-skins.xreg Safekeeping media.xreg Safekeeping portlets.xreg
Safekeeping security.xreg Safekeeping skins.xreg guard_sniffer.pl -reorder Recovery procedure was successful. ok
Prevent backup/archive scripts from filling up /var

The backup process will check for room in /var before running and fail. This process will also warn the user if there is insufficient space for backup.
The archive process will check the size of the static tables and make sure there is room in /var to create the archive.
An error is now logged in the logfile and GUI if the backup is over 50%
Example:
ERROR: /var backup space is at 60% used. Insufficient disk space for backup. CLI> backup system 1. DATA 2. CONFIGURATION
Please enter the number of your choice: (q to quit) 1 1. SCP 2. CONFIGURED DESTINATION Enter the number of your choice:
(q to quit) 2 Make sure destination is configured in the GUI under the System Backup option Please wait, this may take some time.
backup profile
Use this command to maintain the backup profile data (patch mechanism).
The backup file will be copied to the destination according to the backup profile. Â If the parameter indicating whether to keep the backup file is â€œ1â€ AND there is
enough disk space the backup file will be kept within the system, otherwise removed.

All four fields must be filled in - backup destination host, backup destination directory, backup destination user, and backup destination password.
Syntax
show backup profile
Example
patch backup flag is 1 patch backup automatic recovery flag is 1 patch backup dest host is patch backup dest dir is
patch backup dest user is patch backup dest pass is ok
Syntax
store backup profile
Example
Do you want to set up for automatic recovery? (y/n) Enter the patch backup destination host: Enter the patch backup
destination directory: Enter the patch backup destination user: Enter the patch backup destination password:
export audit-data
Exports audit data from the specified date (yyyy-mm-dd) from various internal Guardium tables to a compressed archive file. The data from a specified date will be stored
in a compressed archive file, in the /var/dump directory. The file created will be identified in the messages produced by the system. See the example. Use this command
only under the direction of Guardium Support.
Note: Only users with admin role may run this command .
Syntax
export audit-data <yyyy-mm-dd>
Example
If you enter the audit-data command for the date 2005-09-16, a set of messages similar to the following will be created: CLI>
export audit-data 2005-09-16 2005-09-16 Extracting Â GDM_ACCESS Â Data ... Extracting Â GDM_CONSTRUCT Â Data ... Extracting
Â GDM_SENTENCE Â Data ... Extracting Â GDM_OBJECT Â Data ... Extracting Â GDM_FIELD Â Data ... Extracting Â GDM_CONSTRUCT_TEXT
Â Data ... Extracting Â GDM_SESSION Â Data ... Extracting Â GDM_EXCEPTION Â Data ... Extracting Â GDM_POLICY_VIOLATIONS_LOG Â Data
... Extracting Â GDM_CONSTRUCT_INSTANCE Â Data ... Generating tar file ... /var/csvGenerationTmp ~ GDM_ACCESS.txt
GDM_CONSTRUCT.txt GDM_CONSTRUCT_INSTANCE.txt GDM_CONSTRUCT_TEXT.txt GDM_EXCEPTION.txt GDM_FIELD.txt GDM_OBJECT.txt
GDM_POLICY_VIOLATIONS_LOG.txt GDM_SENTENCE.txt GDM_SESSION.txt ~ Generation completed, CSV Files saved to /var/dump/732570-
supp2.guardium.com-w20050919110317-d2005-09-16.exp.tgz ok
The data from each of the named internal database tables is written to a text file, in CSV format. The name of the archive file ends with exp.tgz and the remainder of the
name is formed as described in About Archived Data File Names.
You can use the export file command to transfer this file to another system.
delete audit-data
Use this command only under the direction of Guardium Support. This command is used to remove compressed audit data files. You will be prompted to enter an index
number to identify the file to be removed. See Archived Data File Names, for information about how archived data file names are formed.
You will be prompted to identify the file to be removed.
Syntax
delete audit-data
show audit-data
Use this command to display any files that were created by executing the CLI command, export audit-data. For more information about audit data files, see export audit-
data.
Syntax
show audit-data <yyyy-mm-dd>
export file
This command exports a single file named filename from the /var/IBM/Guardium/data/dump, /var/log or /var/IBM/Guardium/data/importdir directory.
Use this command only under the direction of Guardium Support. To export Guardium data to an aggregator or to archive data, use the appropriate menu commands on
the Administration Console panel.
Syntax
export file </local_path/filename> <user@host:/path/filename>
local_path must be one of the following: /var/IBM/Guardium/data/dump, /var/log or /var/IBM/Guardium/data/importdir
fileserver
Use this command to start an HTTPS-based file server running on the Guardium appliance. This facility is intended to ease the task of uploading patches to the unit or
downloading debugging information from the unit. Each time this facility starts, it deletes any files in the directory to which it uploads patches.
Note: Any operation that generates a file that the fileserver will access should finish before the fileserver is started (so that the file is available for the fileserver).

Syntax
fileserver [https://ip address:8445] [duration]
ip address is an optional parameter that allows access to the fileserver from the indicated IP address. By default (without the parameter), access is restricted to the IP
address of the SSH client that started the fileserver.
duration is an optional parameter that specifies the number of seconds that the fileserver is active. After the specified number of seconds, the fileserver shuts down
automatically. The duration can be any number of seconds from 60 to 3600.
In case of a security setup where browser sessions are redirected through a proxy server, the IP address of the fileserver client will not be the same as SSH client that
started the fileserver. Instead, the fileserver client will have the IP address of the proxy server, and this address must be passing the optional ip address parameter. To
find the proxy IP address, check your browser settings or the client IP addresses shown in the Logins to Guardium report in the Guardium Monitor interface.
Example
To start the file, enter the fileserver command:
CLI> fileserver <ip address> <duration>
Starting the file server. You can find it at https://(name of appliance):8445
Press ENTER to stop the file server.
Open the fileserver in a browser window, and do one of the following:
To upload a patch, click Upload a patch and follow the directions.

To download log data, click Sqlguard logs, navigate to the file you want and download as you would any other file.
When you are done, return to the CLI session and press Enter to terminate the session.
How to access the VA and Entitlement scripts using fileserver
Instructions
From the CLI, run "fileserver <your desktop IP> 3600"
Vulnerability Assessment:
Open a browser and go to: https://<appliance ip>/log/debug-logs/gdmmonitor_scripts/
Choose the file matching your database type
Entitlements:
Open a browser and go to: https://<appliance ip>/log/debug-logs/entitlemnts_monitor_role/
Choose the file matching your database type
import file
See backup config and restore config.
In import file CLI command, user can use wildcard * for the file name in method scp, ftp and snapshot.
Syntax
import file
import tsm config

Uploads a TSM client configuration file to the Guardium appliance. You must do this before performing any archiving or backup operations using TSM. You will always need
to upload a dsm.sys file, and if that file includes multiple servername sections, you will also need to upload a dsm.opt file. For information about how to create these files,
check with your companyâ€™s TSM administrator.
You will be prompted for a password for the user account on the specified host.
Syntax
import tsm config <user@host:/path/[ dsm.sys | dsm.opt ]>
Parameters
user@host - User account to access the file on the specified host.
/path/[ dsm.sys | dsm.opt ] - Full path filename of the file to import.
Note: In setting up TSM on each collector, if the initial configuration fails, a notification error results which says the test file could not be sent. Logging into the collector as
root, and then running a dsmc archive command to the TSM server, the TSM file, with the same credentials, now succeeds. Returning to the GUI, and configuring with the
same options used before, the configuration now succeeds as well. Â
If tsm config has passwordaccess=generate, the password stored in a local file, is sought. The root user needs to run the dsmc command once to create this local
password file.
After uploading the tsm config file, if tsm config has a passwordaccess generate prompt, passwordaccess is set to be generated.
Would you like to run a dsmc command now to ensure password is set locally (y/n)? If the answer is y, run a "dsmc query
options>>/dev/null" command, which will prompt user for password.

import tsm property
Use this CLI command to upload a file to /opt/tivoli/tsm/client/ba/bin/guard_tsm.properties.
The file size should be 1K.
Syntax
import tsm property user@host:file
This command will upload the input file to /opt/tivoli/tsm/client/ba/bin/guard_tsm.properties
restore config
These commands back up and restore configuration information from the internal administration tables. The backup config command stores data in the /media/backup
directory. The backup config command removes license and other machine-specific information. The backup system command provides a more comprehensive backup of
the configuration and the entire system.
When restoring a configuration, you must restore a backup that is of the same version and patch level as the original appliance where the backup was created.
Syntax
backup config
restore config
restore db-from-prev-version
This command takes a backup from the immediate past system (backup data must be provided, configuration backup is optional) and performs a restore on a newer
system. It includes upgrading the data, portlets, etc.
Perform a full system backup prior to upgrading your Guardium system. If for some reason the upgrade fails and leaves the machine in a way that can not be used, instead
of trying to fix and re-run the upgrade, rebuild the machine as the latest system, setting up this latest system with only the basic network information (IP, resolver, route,
system hostname and domain).
The result will be the latest system with the data and customization (if configuration file is provided) from the previous system.
First, try a regular upgrade from the previous system to the latest system. If this is not successful, then use the backup as an alternative way to upgrade from the previous
system to the latest system.
Note: Older data being restored to an aggregator (not to investigation center), and outside the merge period, will not be visible until the merge period is changed and the
merge process rerun.
To run this command, back up the current server for both data and configuration. Once the backup is complete, install the latest release onto the same server. Next, import
both the data and configuration file from CLI via the import file command. Then after the two backup files are imported, run, again from CLI, the command restore db-
from-prev-version. This restores the backup files (data and configuration) from the older version to the newly installed server.
Note: If you are using Guardium in a non-English language, the restore CLI command sets some strings, including report headers, to English. To view these strings in the
non-English language, run the store language CLI command after you run the restore CLI command.
The optional parameter "override" is applicable only to a restore of a Central Manager appliance from backup.
By default, when a user executes the "restore db-from-prev-version" command on a Central Manager appliance, we preserve the existing configuration information on this
Central Manager that links to the Managed Units that it manages.
When the user adds "override" to the restore command, the existing Central Manager /Managed Units configuration is overridden by the Central Manager /Managed Units
configuration from the backup data.
Syntax
restore db-from-prev-version [override]
Examples
restore db-from-prev-version override
Note: Managed units and S-TAP associations in "Associate S-TAPs and Managed Units" are not restored when using this CLI command. The user will have to define
associations again.
Syntax
This procedure will restore and upgrade a previous backup on a newly-installed latest system. If the older files are currently
located on a remote system, use the "import file" cli command to transfer them locally prior to running this procedure. The
imported files will be put in the /var/dump/ directory. Continue (y/n)?
Note:
Answering Y (yes) to the following questions during the execution of the CLI command, restore db-from-prev-version, will result in all non-canned/customized reports and
panes to compress into one pane with the name of v.x.0 Custom Reports.
Answering N (no) to the same questions will result in all panes being restored to what they were in previous version.
Update portal layout (panes and menus structure) to the new v8 default (current instances of custom reports will be copied to the
new layout, as well as parameter changes on predefined reports) for the user admin? (y/n) n Update portal layout (panes and menus
structure) to the new v8 default (current instances of custom reports will be copied to the new layout, as well as parameter
changes on predefined reports) for all other users? (y/n)

restore keystore
Use this command only under direction from Technical Support.
Use this command to restore certifications and private keys used by the Web servlet container environment (Tomcat).
Syntax
restore keystore
restore pre-patch-backup
Use this command only under direction from Technical Support.
Use this command to recover the pre-patch-backup when the appliance database is up or down.
Syntax
restore pre-patchbackup Please enter the information to retrieve the file: Is the file in the local system? (y/n) n Start to
recover with the backup profile parameters. Please check the recovery status in the log
/var/log/guard/diag/depot/patch_installer.log ok -------------------------------------- If answer 'n', abort the operation. If
answer 'y', need to enter the file name.
restore system
This topic applies to backup and restore operations for the Guardium internal database. You can back up or restore either configuration information only, or the entire
system (data plus configuration information, except for the shared secret key files, which are backed up and restored separately, see the aggregator backup keys file and
aggregator restore keys file commands). These commands stop all inspection engines and web services and restart them after the operation completes.
Before restoring a file, be sure that the appliance has the system shared secret of the system that created that file (otherwise, it will not be able to decrypt the
information). See About the System Shared Secret in the Guardium Administrator Guide.
Note: System restore must be done to the same patch level Â of the system backup.
There are two commands involved in the restore process:
import file, which returns an archived backup file to the system

restore system, which restores the system from a backup file previously returned by an import file operation.
For all backup, import and restore commands, you will receive a series of prompts to supply some combination of the following items, depending on which storage
systems are configured, and the type of restore operation. Respond to each prompt as appropriate for your operation. The following table describes the information for
which you may be prompted.
Note:
One copy of the SCP/FTP/TSM/Centera file transfer is saved, regardless if the transfer was successful or failed. As certain files may take hours to regenerate (for example,
system backup), having a readily available copy (in particular if the file transfer failed) is of value to the user. Only one copy of each type of file is retained (archive/system
backup/configuration backup/etc.)
Backup system will copy the current license, metering and number of datasources, and then backup the data. Restore system will restore the data and then restore the
license, metering and number of datasources. This sequence applies to the regular restore system. Restore from a previous system will require re-configuring license,
metering and number of datasources.
Table 2. restore system

Item Description
SCP, FTP, TSM, Centera, Snapshot Select the method to use to transfer the file. TSM and Centera will be displayed only if those storage methods that have
been enabled (see the store storage-method command)
Data or Configuration Select Configuration to back up definitions and configuration information only, or select Data to back up data in addition to
configuration information.
restore from archive or restore from Select restore from archive to restore archived data, or select restore from backup to restore configuration information.
backup
normal or upgrade If restoring from the same software version of Guardium, select normal. If restoring configuration information following
software Â upgrade of the Guardium appliance, select upgrade.
host The remote host for the backup file.
remote directory The directory for the backup file. For FTP, the directory is relative to the FTP root directory for the FTP user account used.
For SSH, the directory path is a full directory path. For Windows SSH servers, use Unix-style path names with forward
slashes, rather than Windows-style backslashes.
username The user account name to use for the operation (for backup operations, this user must have write/execute permission for
the directory specified).
Note: For Windows, a domain user is accepted with the format of domain\user
password The password for the username.
file name The file name for the archive or backup file. See Archived Data files names.
A user can select multiple files by using the wildcard character * in the file name. Support of the wildcard character * is
permitted when using transfer methods FTP, SCP and Snapshot. Support of the wildcard character * is not permitted on
transfer methods TSM or Centera.

Item Description
Centera server Enter the Centera server name. If using PEA files, use the following Â format: Â <Host name/IP>? <full PEA file name>, for
example:
128.221.200.56?/var/centera/us_profile_rwqe.pea.txt
Note the ? between the server IPs and Pea file name.
This IP address and the .PEA file comes from EMC Centera. The question mark is required when configuring the path. The
.../var/centera/... path name is important as the backup may fail if the path name is not followed. The .PEA file gives
permissions, username and password authentication per Centera backup request.
Centera clipID For a Centera restore operation, the Content Address returned from the backup operation. For example:
6M4B15U4JM4LBeDGKCPF9VQO3UA
After you have supplied all of the information required for the backup or restore operation, a series of messages will be displayed informing you of the results of the
operation. For example, for a restore system operation the messages should look something like this (depending on the type of restore and storage method used):
gpg: Signature made Thu Feb 22 11:38:01 2009 EST using DSA key ID 2348FF9E gpg: Good signature from "Backup Signer
<support@guardium.com>" Proceeding to shutdown services Proceeding to startup services Safekeeping admin.xreg Safekeeping
client.xreg Safekeeping controllers.xreg Safekeeping controls.xreg Safekeeping guardium-portlets.xreg Safekeeping local-
portlets.xreg Safekeeping local-security.xreg Safekeeping local-skins.xreg Safekeeping media.xreg Safekeeping portlets.xreg
Safekeeping security.xreg Safekeeping skins.xreg guard_sniffer.pl -reorder Recovery procedure was successful. ok
set up help (secondary disk for backup)

Install a secondary disk or for backup on R610 R710 appliances. Place it slot number 2 and proceed with set up snapshotdisk to configure the partition, format the drive,
and mount it. The two CLI choices are set up help and set up snapshotdisk.
Syntax
setup [help | snapshotdisk | vmware_tools]
store tsm authorization

When backupinitiationroot is set to ON in TSM servers, then only root and authorized users can perform backup/archive. When backupinitiationroot is set on and password
access in DSM.SYS is set to â€œgenerateâ€ , Guardium backup and archive to TSM will fail with the error message:
ANS1708E Backup operation failed. Only a root user can do this operation
Non-root users must be authorized to perform backup and archive.
This authorization is enabled by executing the CLI command
Store tsm authorization backupinitiationroot on
This authorization is disabled by executing the CLI command:
Store tsm authorization backupinitiationroot off
Syntax
store tsm authorization backupinitationiroot <on/off>
Show command
show tsm authorization backupinitationiroot <on/off>
This CLI command displays on, if non-root Guardium users are authorized to perform backup and archive when backupinitiationroot is set to ON in TSM servers.
Otherwise, it displays off.
store language
Use this CLI command to change from the baseline English and convert the database to the desired language. Installation of Guardium is always in English. A Guardium
system can be changed to Japanese, Chinese (Traditional or Simplified), French,, Spanish, German or Portuguese after an installation.
The CLI command, store language, is considered a setup of the appliance and is intended to be run during the initial setup of the appliance.
Running this CLI command, after deployment of the appliance in a specific language, can change the information already captured, stored, customized, archived or
exported.
Note: After switching from English to a desired language, it is not possible to revert back to English, using this CLI command. The Guardium system must be reinstalled in
English.
Syntax
CLI> store language [English | Japanese | SimplifiedChinese | TraditionalChinese | French | German | Spanish | Portuguese]
Show command
show language
set up vmware tools

Use this CLI command to install VMware that runs on the ESX infrastructure.

Syntax
setup vmware_tools [ install | uninstall ]
Step 1: Open the VM client/console and select the VM instance that contains the IBM Guardium appliance. Right-click the instance, select (from the popup menu) Guest
=> Install/upgrade VMware tools. This enables the instance to access the VMware tools via a mount point.
Step 2: Run the CLI command (from within the VM client/console), setup vmware_tools install, to install VM tools.
Vmware kernel panic after a reboot

VMware ESX 4.1 Virtual machine running Guardium might get a kernel panic after a reboot.
To correct this situation, VMware recommends: Install update 2 on ESX4.1 or Set CPU/MMU virtualization to Use software only instruction set and MMU Virtualization. This
option is found under Settings/ Options/ CPU/MMU Use software for instruction set and MMU Virtualization.
Inspection Engine CLI Commands

Use these CLI commands to configure the inspection engines.
An inspection engine monitors the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol (Oracle or Sybase, for
example). The inspection engine extracts SQL from network packets; compiles parse trees that identify sentences, requests, commands, objects, and fields; and logs
detailed information about that traffic to an internal database.
add inspection-engines
Adds an inspection engine configuration to the end of the inspection engine list. The parameters are described. You can re-order your list of inspection engines after
adding a new one by using the reorder inspection-engines command. Adding an inspection engine does not start it running; to start it running, use the start inspection-
engines command.
Syntax
add inspection-engines <name> <protocol> Â Â Â Â
<fromIP/mask> <port> <toIP/mask> Â Â Â Â
<exclude client list> <active on startup>
Parameters
name - The new inspection engine name; must be unique on the unit.
protocol - The protocol monitored, which must be one of the following: Aster, Cassandra, CouchDB, DB2, DB2 Exit, exclude IE, FTP, GreenPlumDB, Hadoop, HIVE, HTTP,
HUE, IBM ISERIES, IMPALA, Informix, iNFORMIX Exit, KERBEROS, Maria,DB, MongoDB, MS SQL, Mysql, Named Pipes, Netezza, Oracle, PostgreSQL, SAP Hana, Sybase,
Teradata, WebHDFS or Windows File Share.
fromIP/mask - A list of clients, identified by IP addresses and subnet masks. Separate each IP address from its mask with a slash, and multiple entries by commas. An
address and mask of all zeroes is a wild card. If the exclude client list option is Y, the inspection engine monitors traffic from all clients except for those in this list. If the
exclude client list option is N, the inspection engine monitors traffic from only the clients in this list.
port - The port or range of ports over which traffic between the specified clients and database servers will be monitored. To specify a range, separate the two numbers
with a hyphen.
toIP/mask - The list of database servers, identified by IP addresses and subnet masks, whose traffic will be monitored. Separate each IP address from its mask with a
slash, and multiple entries by commas. An address and mask of all zeroes is a wildcard.
exclude client list - A Y/N value; defaults to N. If Y, the inspection engine monitors traffic from all clients except for those identified in the client list. If N, the inspection
engine monitors traffic from only the clients listed in the client list.
active on startup - A Y/N value; defaults to N. If Y, the inspection engine is activated on system startup.
delete inspection-engines
Removes the single inspection engine identified by its name. The name can include only letters, numbers and blanks. If the inspection engine name contains any special
characters, use the administrator portal GUI to remove it.
Syntax
delete inspection-engines <name>
reorder inspection-engines
Specifies a new order for the inspection engines, using index values from the list produced by the list inspection-engines command.
Syntax
reorder inspection-engines <index>, <index>...
Example
If the displayed indices are 1, 2, 3, and 4, the following command will reverse order of the engines:
reorder inspection-engines 4,3,2,1

restart inspection-core
Restarts the inspection-engine core, but not the inspection engines. The collection of database traffic stops when this command is issued.
Syntax
restart inspection-core
Note: To restart the collection of traffic for one or more specific inspection engines, follow this command with one or more start inspection engine commands.
Alternatively, to restart the collection of traffic for all inspection engines, use the restart inspection-engines command.
restart inspection-engines
Restarts the database inspection engine core and all inspection engines. The collection of database traffic stops temporarily while this occurs and restarts only when
database connections re-initiate.
Syntax
restart inspection-engines
show inspection-engines
Displays inspection engine configuration information, as follows:
all - All inspection engines.
configuration <index> - Only the inspection engine identified by the specified index, which is from the list inspection-engines command.
type <db_type> -Displays configurations of a specific database type, which must be one of the supported monitored protocol types: Aster, Cassandra, CouchDB, DB2, DB2
Exit, exclude IE, FTP, GreenPlumDB, Hadoop, HIVE, HTTP, HUE, IBM ISERIES, IMPALA, Informix, iNFORMIX Exit, KERBEROS, Maria,DB, MongoDB, MS SQL, Mysql, Named
Pipes, Netezza, Oracle, PostgreSQL, SAP Hana, Sybase, Teradata, WebHDFS or Windows File Share.
Syntax
show inspection-engines <all | configuration <index> | log sqlstrings | type <type> >
Note: Use the CLI command, show inspection-engines all, to display non-STAP Inspection Engines like SPAN ports. The CLI command, list_inspection_engines, will
display inspection engines created by STAP.
start inspection-core
Starts the inspection-engine core.
Syntax
start inspection-core
start inspection-engines
Starts one or more inspection engines identified using index values from the list produced by the list inspection-engines command.
Syntax
start inspection-engines <all | id>
start inspection-engines all

Starts all the inspection engines.
Syntax
start inspection-engine all
start inspection-engines id
Usage: start inspection-engines id <n>, where n is a numeric sniffer id.
Syntax
start inspection-engines id <n>
stop inspection-engines id
Usage: stop inspection-engines id <n>, where n is a numeric sniffer id.
Stops the inspection-engine core.
Syntax
stop inspection-engines

Stops one or more inspection engines identified using index values from the list produced by the list inspection-engines command. It can also stop all inspection-engines.
Syntax
stop inspection-engine <all | id>
stop inspection-engines all

Stops all the inspection engines.
Syntax
stop inspection-engines all
stop inspection-engines id
Stops one or more inspection engines identified using index values from the list produced by the list inspection-engines command.
Syntax
stop inspection-engine <n>, where <n> is numeric sniffer id
store ignored port list

Sets the complete set of port numbers to be ignored by all inspection engines. The list you specify completely replaces the existing list. Each number is separated from the
next by a comma, and no blanks or other white-space characters are allowed in the list. Use a hyphen to specify an inclusive range of numbers.
Syntax
store ignored port list <n>
Example
store ignored port list 33,60-70
Show Command
show ignored port list

Use these CLI commands to configure the Investigation Dashboard .
show solr connection_timeout

Use this command to show the current connection_timeout value.
show solr connection_timeout
show solr so_timeout

Use this command to show the current so_timeout value.
show solr so_timeout
show solr time_allowed

Use this command to show the current time_allowed value.
show solr time_allowed
store solr connection_timeout

Use this command to set the connection timeout. If the Investigation Dashboard cannot connect to the collector within the specified timeout period, no results from that
collector will be returned.
store solr connection_timeout [value]
Parameter Value Description
connection_timeout integer The timeout is expressed as a value of 0 to 2147483647 milliseconds.
The default value is 100000 milliseconds.
store solr so_timeout

Use this command to set the socket timeout.
store solr so_timeout [value]

so_timeout integer The timeout is expressed as a value of 0 to 2147483647 milliseconds.
store solr time_allowed

Use this command to set the socket timeout.
store solr time_allowed [value]
time_allowed integer The timeout is expressed as a value of 0 to 2147483647 milliseconds.
Note: Deep search uses 10x (ten times) the time_allowed value.
Network Configuration CLI Commands

Use the network configuration CLI commands to set IP addresses, handle bonding/failover, handle secondary functionality, and reset networking.
Use the network configuration CLI commands to:
Identify a connector on the back of the machine (show network interface port)
Reset networking after installing or moving a network card (store network interface inventory)
Set IP addresses (store network interface ip, store network interface mask, store network resolver, store network routes defaultroute)
Enable or disable high-availability (store network interface high-availability)
Configure the network card if the switch it attaches to will not auto-negotiate the settings (store network interface auto-negotiation, store network interface speed,
store network interface duplex)
restart network
Restarts just the network configuration. For example, change the IP address, then run this CLI command.
Syntax
restart network

This command shows settings for the network interface used to connect the GuardiumÂ® appliance to the desktop LAN. The IP address, mask, state (enabled or disabled)
and high availability status will be displayed. If IP high-availability is enabled, the system will display two interfaces (ETH0 and ETH3). Otherwise, only ETH0 will be
displayed.
Syntax
show network routes operational

Display the IP routing configuration in use.
Syntax
show network routes operational
Example
CLI> show net rout ope
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 nic1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 nic2
0.0.0.0 192.168.3.1 0.0.0.0 UG 0 0 0 nic1
ok
CLI>
show network verify

Display the current network configuaration.
Syntax
show network verify

CLI> show network verify
Current Network Configuration

--------------------------------------------------------------------------------
Hostname =
--------------------------------------------------------------------------------
Device | Address | Netmask | Gateway | Member of
--------------------------------------------------------------------------------
eth0 |
--------------------------------------------------------------------------------
Ethtool Options
--------------------------------------------------------------------------------
Device | Options (speed,autoneg,duplex)
--------------------------------------------------------------------------------
eth0 |
--------------------------------------------------------------------------------
DNS Servers
--------------------------------------------------------------------------------
Index | DNS Server
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
Static Routes
--------------------------------------------------------------------------------
Device | Index | Address | Netmask | Gateway
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Basic Network Settings Verified
store network interface auto-negotiation

If auto-negotiation is available on the switch to which a Guardium port is connected, auto-negotiation will be used, and only the restart option of this command will have
any effect. Use this command to enable, disable, or restart auto-negotiation for the network interface named ethN. Use the show network interface inventory command to
display all port names.
Syntax
store network interface auto-negotiation <ethN> <on | off | restart>
Show Command
show network interface auto-negotiation
store network interface duplex

Use this command only when auto-negotiation is not available on the switch to which the Guardium port is connected. This command configures duplex mode for the port
named ethn. Use the show network interface inventory command to display all port names.
Syntax
store network interface duplex <ethn> <half | full>
Show Command
show network interface duplex <ethn>
store network interface high-availability

Enables or disables IP Teaming (also known as bonding), which provides a fail-over capability for the Guardium system primary IP address.
The two ports used (ETH0 and a second interface) must be connected to the same network. There is a slight delay, caused by the switch re-learning the port configuration.
The default setting is off.
The port used for the primary IP address is always ETH0. When the high-availability option is enabled, the Guardium system automatically fails over, as needed, to the
specified second interface, in effect transferring the primary IP address to the second interface.
Note: IP Teaming and Secondary Interface can not done at the same time.
Syntax:
store network interface high-availability [on <NIC> | off ]
There is no show network interface high-availability command.
store network interface inventory

Resets the network interface MAC addresses stored in the Guardium internal tables. This command should only be used after replacing or moving a network card.
Note: The store network interface inventory command will detect on-board NIC cards within the Guardium appliance and assign these cards as eth0 and eth1. This
command should only be run if specifically instructed to by Guardium Support as it can rearrange the NIC cards.
Syntax
CLI> > store network interface inventory

WARNING: Running this function will reorder your NICS and may make the machine unreachable.
WARNING: It is suggested to run this from the console or equivalent.
Are you SURE you want to continue? (y/n)
Use the show command to display the port names and MAC addresses of all installed network interfaces.

Syntax
Example
CLI> show network interface inventory
Current network card configuration:
Device| Mac Address| Member of
eth0| 00:50:56:3b:c3:73|
eth1| 00:50:56:8a:0d:fa|
eth2| 00:50:56:8a:0d:fb|
eth3| 00:50:56:8a:00:c1|
Note: The â€œMember ofâ€ will show which NICs are in the bond pair, if a bonding exists).

Sets the primary IP address for the Guardium appliance. When changing the network interface IP address, you may also need to change its subnet mask. See store
network interface mask. See store network interface secondary to create and manage a secondary IP address. Bonding/failover is managed from the CLI command, store
network interface high-availability.
Syntax
store network interface ip <ip address>
Show Command
show network interface ip
store network interface ip6

Sets the primary IP V6 address for the Guardium appliance. When changing the network interface IP address, you may also need to change its subnet mask. See store
network interface mask. See store network interface secondary to create and manage a secondary IP address. Bonding/failover is managed from the CLI command, store
network interface high-availability.
Syntax
store network interface ip6 <ip address>
Show Command
show network interface ip6
store network interface map

Maps the Ethernet port identified by ethn to the MAC address mac.
Syntax
store network interface map <ethn> <mac>
store network interface mask

Sets the subnet mask for the primary IP address. When changing the network interface mask, you may also need to change its IP address. See store network interface ip.
Note that the subnet mask for a secondary IP address can be assigned only from Setup > Tools and Views > System.
Syntax
store network interface mask <ip mask>
store network interface mtu

Use this CLI command to set the MTU (Maximum Transfer Unit).
CLI> store network interface mtu

Usage: store network interface mtu <interface> <mtu>]
where <interface> is the interface name,
that is one of ( eth0 )
and <mtu> is number between 1000 and 9000.
Show command
show network interface mtu
eth0 1500
show network interface port

Use this command to locate a physical connector on the back of the appliance. After using the show network interface inventory command to display all port names, use
this command to blink the light on the physical port specified by n (the digit following eth - eth0, eth1, eth2, eth3, etc.) 20 times.
Syntax
show network interface port <n>
Example
CLI> show network interface port 1
The orange light on port eth1 will now blink 20 times.
store network interface remap

Use this CLI command to remap the NIC.
Syntax
store network interface remap
store network interface reset

Use this CLI command to wipe the existing OS network configuration and reapply the stored Guardium network settings.
Syntax
CLI> store network interface reset

WARNING: This command will reset the network configuration to the stored Guardium network settings.
Are you SURE you want to continue? (y/n)
store network interface secondary

Use this command to configure a port on the Guardium system as a secondary management interface with a different IP address, network mask, and gateway from the
primary.
Note: IP Teaming and Secondary Interface can not done at the same time.
Syntax:
store network interface secondary [on <NIC> <ip> <mask> <gateway> | off ]
Show command
show network interface secondary
store network interface speed

Use this command only when auto-negotiation is not available on the switch to which the Guardium port is connected. This command configures the speed setting for the
port named ethn. Use the show network interface inventory command to display all port names.
Syntax
store network interface speed <ethn> <10 | 100 | 1000>
Show Command
show network interface speed <ethn>
show network arp-table

Displays the address resolution protocol (ARP) table, which is an operational system value. This command is provided for support purposes only.
Syntax
show network arp-table
Example
CLI> sho net arp
IP address HW type Flags HW address Mask Device
192.168.3.1 0x1 0x2 00:0E:D7:98:07:7F * nic1
192.168.3.20 0x1 0x2 00:C0:9F:40:33:30 * nic1
ok
CLI>
show network macs

Displays a list of MAC addresses (like the show network interface inventory command).
Syntax
show network macs

Example
Network card configuration:
Device| Mac Address| Member of
eth0| 00:50:56:3b:c3:73|
eth1| 00:50:56:8a:0d:fa|
eth2| 00:50:56:8a:0d:fb|
eth3| 00:50:56:8a:00:c1|
Note: The â€œMember ofâ€ will show which NICs are in the bond pair, if a bonding exists).
ok
store network interface ip6

Usage: store network interface ip <ip>, where IP is a valid IP6 address.
store network resolver

Sets the IP address for the first, second, or third DNS server to be used by the Guardium appliance. Each resolver address must be unique. To remove a DNS server, enter
null instead of an IP address.
Syntax
store network resolver <1 | 2 | 3> <ip address | null>
Show Command
show network resolver <1 | 2 | 3>
store network routes defaultroute

Sets the IP address for the default router to the specified value.
Syntax
store network routes defaultroute <ip address>
Show Commands
show network routes defaultroute
store network routes static

Permit the user to have only one IP address per appliance (through eth0) and direct traffic through different routers using static routing tables. Add line to static routing
table.
Syntax
store network routes static
Show Command
List the current static routes, with IDs - Device, Index, Address, Netmask, Gateway
Delete command
delete network routes static
store system domain

Sets the system domain name to the specified value.
Syntax
store system domain <value>
Show Command
show system domain

Sets the system's host name to the specified value.
Syntax
store system hostname <value>
Show Command

Support CLI Commands

The following CLI commands are to be used only with the direction of Technical Support.
These commands are to assist Technical Support in analyzing the status of the machine, troubleshooting common issues and correct some common problems. There are
no functions that you would perform with these commands on a regular basis.
support clean audit_results
A way to manually purge audit results, this command should be used only when absolutely necessary to deal with audit tasks that produce a high number of records
and take up too much disk space.
It is strongly advised to consult with Technical Support before running this command.
A Warning message is presented and a confirmation step is needed when running this command.
This command will list the audit processes and tasks information.
It will present the number of rows, ordered from the largest result set to the smallest. The number of report results is greater or equal to the input value.
Next, after the report is presented, the user can select a line number to purge the results of the audit process corresponding to that line number. Selection of this
line number will delete the audit data for the selected process name.
Syntax
support clean audit_results <rows>
Input parameters
rows Â - an integer, number of rows to show. Â Default 10.
Note: On a system with a great many audit tasks, the completion of this command can take some time.
support clean log_files
This CLI command will delete the specified file after user confirms to delete. If it can not find the file, it will list files larger than 10MB in /var/log and the user delete
a large file from the list. A warning message is presented and a confirmation step is included.
Syntax
support clean log_file <filename> Â Â Â >> add filename
support clean DAM_data
A way to manually purge database activity monitoring data, this command should be used only when absolutely necessary.
It is strongly advised to consult with Technical Support before running this command.
A Warning message and a confirmation step are included in the command.
Syntax
support clean DAM_data <purge_type> <start_date> <end_date>
Input parameters
purge_type options: agg, exceptions, full_details, msgs, constructs, access, policy_violations, parser_errors, flat_log
start_date: YYYY-mm-dd
end_date: YYYY-mm-dd
support clean centera_files
Guardium archives/backups stored within Centera have a deletion date marker attached to them by Guardium, however there is no subsequent facility to invoke the
deletion. Centera does not have a GUI to allow maintenance of its own files, it relies on API invocations from client applications.
Use the CLI command, support clean centera_files, to delete marked files within Centera.
support clean InnoDB-dumps
Use this CLI command to purge InnoDB tables
This is a password protected command (for Technical Support only)
support clean hosts
Â USAGE: support clean hosts <IP address> <fully qualified domain name>
support clean servlets
Deletes *jsp*.java and *jsp*.class files and restarts GUI.
Use this CLI command to delete generated Javaâ„¢ servlets and their classes.

support execute
This utility is designed to provide Guardium Advanced Support with the ability to assist with remote diagnostics and support when direct remote access it not
available or permitted.
Support Execute is not a replacement for direct remote connections, but will allow Guardium Support at least some level of root access in a secure way without
direct access.
The commands provided by Guardium Advanced Support can be SQL statements, O/S Commands, Shell Scripts or SQL scripts. These will then be provided to the
customer along with a Secure Key to allow the command to run via CLI. The Secure key is tied to the system that Guardium Support is working with the customer
on, and is not valid for any other system. The command can only be run a number of times permitted by Guardium Support and is only valid for seven days from the
agreed date.
The feature is disabled by default. Enable via CLI command in both normal and recovery mode:
support execute [enable | disable]
In order to permit the Guardium Advanced Support team to generate a Secure Key, the MAC address of the system in question must be provided for eth0. Here is an
example of the interfaces and MAC addresses:
Customer usage / Logged in as CLI
support execute <CMD String> <PMR #> <KEY>
# main execute command provided by Guardium Advanced Support
support execute showlog [<Secure Key>|main|files]
# Show usage logs
#'<Secure Key>' for full details of single entry
# 'main' to display the main execute log
# 'files' to display log directory list
support execute mac
# Eth0 MAC address required by support to generate secure key
support execute info
# Show eth0 MAC address, root passkey & other system information
support execute version
# Display the "Support Execute" internal binary code version
support execute help
# Help details and purpose of utility information
Example of command provided by Guardium Advanced Support:
support execute "select * from GDM_ACCESS%5CG" 11111,111,111 6254130c0f0c3c504b33687c57f41363e4c00
support reset-password accessmgr
This command will reset the accessmgr account password.
Syntax
support reset-password accessmgr 10000000-99999999|random
Parameters
8-digit key number used to generate new password. Keep this key number to provide to Technical Support to receive new accessmgr account password. The
selection Random will generate a 8-digit random number.
Note: System will attempt to send notification to the accessmgr account email, if it is setup.
Â
This command will reset root password on the IBMÂ® GuardiumÂ® appliance.
Syntax
support reset-password root 10000000-99999999|random
Parameters
8-digit key number used to generate new password. Keep this key number to provide to Technical Support. The choice Random will generate a 8-digit random
number.
This command also requires that the user provide a secret keyword in order to change the root password. Contact Technical Support if there is a need to change the
root password.
Note: Do not reset root password unless absolutely required by business rules.

Â
support schedule find_crashed_tables

Use this CLI command, support schedule find_crashed_tables [ON/OFF], to enable/disable the daily cron job of find_crashed_tables.sh script.
USAGE: support schedule find_crash_tables on ALL|db
support schedule find_crash_tables off
This command enables or disables daily schedule of find_crashed_tables script.
Note: Pay particular attention to the database entered. Users can enter "ALL" in order to process all five valid databases for crashed tables or just one of the five
valid databases "TURBINE", "GDMS", "CUSTOM", "DATAMART or "DIST_INT".
support show db-processlist
This command will list all the db processes sorted by running time.
Syntax
support show db-processlist all
support show db-processlist locked
support show db-processlist running
support show db-process full
Parameters:
support show db-processlist [ ]
Where
running is option to see all running sql statements
all is option to include also sleeping processes
locked is to display all locked and one oldest processes
full [optional] displays sql queries in expended format
Â
support show db-struct-check
This command will display all the structure differences found during aggregation process.
Syntax
support show db-struct-check
Â
support show db-top-tables
This command will list 20 biggest database tables sorted by size and list of tables sorted by used free table space in percents for those tables which use more than
80% free space. It will allow filtering by table name. All table sizes displayed in Mbytes, free space usage in percents.
Syntax
support show db-top-tables all
support show db-top-tables like
Parameters
support show db-top-tables all
will list biggest size tables out of entire DB sorted
support show db-top-tables like
will list biggest tables matching criteria, where could be any portion of the table name
Â
support show db-status
This command will show database usage.
Selections are free, used, megabytes, percentage.
Syntax
support show db-status free %
support show db-status used %
support show db-status free m
support show db-status used m
Â

support show hardware-info
This command uses a script to collect hardware information and place this collected information in a directory for retrieval.
After running this CLI command, the following message will appear:
Collected HW Info as /var/log/guard/Gather_hw_info-2012-06-25-17-43.tgz
Then run the CLI command, fileserver, to retrieve this .tar file from the server.
support show iptables
This command will display the output of system iptables command.
Syntax
support show iptables diff
support show iptables list
Parameters
[diff | list] parameter controlling normal iptables output presentation versus displaying only differences/delta
[accept | full] parameter will filter output by accept row versus not filtered list
Â
support show large_files
This command will list all the files larger than MB and older than days in the /var /tmp /root folders.
Usage Â
This command will list all the files larger than MB and older than days in the /var /tmp /root folders
Input parameters:
Â Â Â * size Â Â - integer > Â 10 (in MB)
Â Â Â * age Â Â Â - integer >= 0 (in days)
Syntax:
support show large_files <size> <age>
Parameters
where <size> is the minimum size files to display (default 100M)
where <age> is the number of days since the last modification.
Â
support show netstat
This command will display the output of system netstat command. It will allow filtering of the output by content using grep parameter.
Syntax
support show netstat all
support show netstat grep
Parameters
support show netstat grep
where is alphanumeric string to search
support show netstat all
Â
support show port open
This command is similar to using telnet to detect an open TCP port locally or on a remote host.
If we are able to connect successfully you will see a message like: Connection to 127.0.0.1 8443 port [tcp/*] succeeded!
If you are unable to connect you will see a message like: connect to 127.0.0.1 port 1 (tcp) failed: Connection refused
Syntax: support show port open
IP port - IP must be a valid IPv4 address like 127.0.0.1.
Port must be an integer with a value in 1-65535.

support show top
This command will display the output of system top command sorted by cpu, memory or running time. It has configurable number of iterations (default 1) and
number of displayed rows (default 10).
Syntax
support show top [ cpu | memory | time ]
Parameters
support show top cpu
where N is number of iterations in range 1 to 10 Â and R is number of rows to display - min 10
support show top memory
where N is number of iterations in range 1 to 10 and R is number of rows to display - min 10
support show top time
where N is number of iterations in range 1 to 10 Â and R is number of rows to display - min 10
Â
support check tables [DB name] [table name}
Invokes mysqlcheck â€“c command on tables (checks tables for errors).
Without any parameter this command checks all tables in TURBINE database with 3 minutes timeout for each check. Checks are running in parallel, overall time will
vary. Command will show progress in percents.If any check runs more than 3 minutes it will be terminated. All tables, whose checks were terminated by timeout,
will be listed on the screen after command completion. Any errors occurred during command's operation will be reported to the log file
/var/log/guard/<dbname>_check_tables/errors.<date>.log, where <date> is current date and <dbname> is the name of database.
Errors found for each table check operation will be reported in /var/log/guard/<dbname>_check_tables/check_table_child.<tablename>.<date>.log files, where
<date> is current date, <dbname> is a name of database and <tablename> is the name of table checked. Files for healthy tables are not created. </p><p>With
dbname specified as the 1st parameter the command will check all tables in the specified DB with the same timeout (3 minutes). With no parameters specified it
will check all TURBINE's tables.
With dbname and tablename specified as the parameters the command will check specified table in specified DB without timeout, until the check operation is
complete. This is to allow manual checking the tables whose checks didn't finish in 3 minutes. You can use masks in tablename parameter using percent sign (%).
Â
support shrink innodb-size
Use this CLI command to reduce size of ibdata1 file.
It performs the following steps:
dumps all InnoDB tables
stops mysql
deletes ibdata1, ib_logfile0, ib_logfile1 files
starts mysql
restores dumped tables
This is a password protected command (for Technical Support only)
Â
support show innodb-status
Use this CLI command to troubleshoot MySQL issues. Use this CLI command to check what is happening at runtime with MySQL tables. Use this CLI command to
determine if long check times with MySQL tables are due to record lock or table lock.
support show innodb-status
0 queries inside InnoDB, 0 queries in queue
0 read views open inside InnoDB
Main thread process no. 7959, id 139923805550336, state: sleeping Number of rows inserted 6894, updated 6934, deleted 93, read 24787 0.33 inserts/s, 0.00
updates/s, 0.00 deletes/s, 0.67 reads/s
----------------------------
END OF INNODB MONITOR OUTPUT
support analyze static-table
Use this CLI command to analyze content of static tables by sorting them based on the largest group per value length and value occurrence.
support must_gather commands
There are some simple must_gather commands that can be run by user CLI that generate specific information about the state of any Guardium system. This
information can be uploaded from the appliance and sent to Guardium Technical Support whenever a PMR (Problem Management Record) is logged.

In order to run these commands, you will need to have the appropriate must_gather patch installed.
Once the correct patch is installed, the must_gather commands can be run at any time by user CLI as follows.
1. Open a Putty session (or similar) to the Guardium system of concern.
2. Log in as user CLI.
3. Depending on the type of issue you are facing, paste the relevant must_gather commands into the CLI prompt. More than one must_gather command may
be needed in order to diagnose the problem.
support must_gather purge_issues
support must_gather audit_issues
support must_gather agg_issues
support must_gather cm_issues
support must_gather alert_issues
support must_gather patch_install_issues
Â
The following may take a few minutes to run to completion.
support must_gather miss_dbuser_prog_issues
support must_gather sniffer_issues
Â
For the following commands, you will be prompted for a time in minutes for how long you want the debugger running while you reproduce the problem.
support must_gather backup_issues
support must_gather scheduler_issues
Â
Output is written to the must_gather directory with filename(s) along the lines of this example, must_gather/system_logs/.tgz
4. Send the resulting output to IBM Support.
By using fileserver, you can upload the tgz files and send to Support.
Send via email or upload to ECUREP using - for example - the standard data upload specifying the PMR number and file to upload.
Guardium for z/OS traffic diagnostics commands
support store zdiag on [N]
Where optional N is number of minutes to run diagnostics, from 10 to 600, 60 by default
Turns on Guardium for z/OS traffic diagnostics. This includes collection of TCPDUMP and SLON, collections will stop once corresponding files reach 2 GB size. Once
completed, results files tcpdump.tar.gz and slon_all.tar.gz can be found via fileserver command. The /var partition must have at least 15GB of free space.
support store zdiag off
Turns off Guardium for z/OS traffic diagnostics. Results files tcpdump.tar.gz and slon_all.tar.gz can be downloaded using the CLI command, fileserver.
support show zdiag
Shows Guardium for z/OS traffic diagnostics status.
SLON Collection Commands
support store slon on [parameter]
Turns on SLON utility that captures packets got by sniffer for debug. Results files slon_packets.tar.gz, slon_messages.tar.gz or slon_all.tar.gz can be found via
fileserver. The /var partition must have at least 15GB of free space.
Where optional parameter is:
packets, dump analyzer packets (default)
snifsql, log sniffer SQL activities and dump analyzer packets
secparams, log secure parameters info and dump analyzer packets
sgate, log S-GATE debugging info and dump analyzer packets
messages, tap message data dump
support store slon off [parameter]
Turns off SLON utility. Results files slon_packets.tar.gz, slon_messages.tar.gz or slon_all.tar.gz can be found via fileserver.

Where optional parameter is:
packets, stop dumping packets, logging secure parameters, S-GATE debug info and sniffer SQL activities (default)
messages, stop tapping message data dump
all, stop all activities
support show slon
Shows SLON utility status.
TCPDUMP Collection Command
support store snif_memory_max

Usage: support snif_memory_max <num>, where num is a number of | 33 | 50 | 75 |
This command only applies to 64-bit system.
Show command
support show snif_memory_max
support store tcpdump on <type> <period> <loglimit> [interface] [IP] [port] [protocol]
support store tcpdump on <type> <period> <loglimit> [interface] [IP] [port] [protocol]
Turns on TCPDUMP utility. After period ends, results file tcpdump.tar.gz can be found via fileserver. The /var partition must have at least 15GB of free space.
Where:
<type> - dump type, 'headers' (only headers captured) or 'raw' (whole packets captured)
<period> - dump period, NUMBER[SUFFIX], where optional SUFFIX may be 's' for seconds, 'm' for minutes (default)
<loglimit> - dump logfile limit, from 1 to 6 gigabytes
Optional filter arguments:
[interface] - network interface name (default eth0)
[IP] - IP address
[port] - port
[protocol] - protocol, 'tcp', 'udp', 'ip', 'ip6', 'arp', 'rarp', 'icmp' or
'icmp6'
Example
support store tcpdump on headers 10m 1
This command will run TCPDUMP saving packets headers for 10 minutes and 1GB log file size limit.
support show tcpdump
Shows TCPDUMP utility status.
support store tcpdump off
Turns off TCPDUMP utility. After stop, results file tcpdump.tar.gz can be found via fileserver.
support must_gather datamining_issues
Collects necessary diagnostic information for Outliers, Quick search and Datamart functionality. Information includes dumps of corresponding internal tables,
necessary logs, state of corresponding processes and standard must_gather diagnostics (general system and internal DB info).
support must_gather network_issues [--host=<HOST>], where optional parameter <HOST> is hostname or IP address.
The command gathers all network information from the appliance and polls hosts that Guardium interacts with by using ping, traceroute, corresponding port
probing and other measures. If the optional parameter is specified, then it polls only the host that was specified (if Guardium is configured to do any activity on this
host).
store antlr3_max
Use this CLI command to help control data flow between Parser and Logger The CLI command, store antlr3_max is an advanced parameter geared towards expert
users and Customer Support to help control the data flow between Parser and Logger component of the Sniffer for Oracle, DB2, MySql, and MSSql.
This value (default 20,000) will change the number of concurrent parsed SQL statements that the Logger is able to hold in queue.
The issues that this could potentially help remedy are Sniffer running out of memory and restarting, or Sniffer not utilizing enough memory.
If you notice the sniffer is running out of memory and restarting, lowering the context cap may help to alleviate this. Alternatively, if the Sniffer isn't using enough of
the available system memory, raising the context cap can allow it to use more.
store active_parser_engine
This CLI command is used to control which parser engine should be used by sniffer. This CLI command is only applicable to database types supported by ANTLR3
parsers (Oracle, DB2, MS SQL, MySQL
USAGE: store active_parser_engine <num>
where <num> is
1: ANTLR3 parser errors reparsed by ANTLR2 (default)

2: ANTLR2 only
3: ANTLR3 only
Show command
show active_parser_engine
System CLI Commands

Use these CLI commands to configure system settings.
start ecosystem
Use this command to restart the entire set of ecosystem processes. This is necessary after patching, upgrades and some other operations.
Syntax
start ecosystem
stop ecosystem
Use this command to temporarily and gracefully stop the entire set of ecosystem processes. This is necessary for patching, upgrades and some other operations.
Syntax
stop ecosystem
store system apc

Use this command to configure automatic powering down options when a UPS is attached. Note that the UPS must be attached to a USB connector (serial connections for
a UPS are not supported).
Sets the minimum charge percent (0-100) before powering down, or the number of seconds to run on battery power before powering down. The defaults are 25 and zero,
respectively.
There are also commands to start and stop the apc process. The apc process is disabled by default.
Syntax
store system apc [battery-level <percent> | timeout <seconds>]
store system apc start
store system apc stop
Show Command
show system apc [battery-level | timeout ]
store system auditlog-passthrough

Use this command to enable or disable the passing-through of system audit log data from the auditd service to the local syslog. Because the system audit log is verbose,
the auditlog-passthrough feature is best used in conjunction with remote logging. See Configuration and Control CLI Commands for more information about remote
logging.
The auditlog-passthrough feature is disabled by default.
Syntax: store system auditlog-passthrough [on | off]
Example:
> store sys aud on

Restarting auditd service to pick up the change.
Reloading configuration: [ OK ]
Auditd to syslog passthrough is enabled.
ok
Show command: show system auditlog-passthrough
store system banner

store system banner [message | clear]
To create a banner (warning about unauthorized access, etc. or a welcome message) at the CLI login, use the CLI command, store system banner [message | clear].
Syntax
store system banner clear - use this CLI command to remove an existing banner message.
store system banner message - use this CLI command to create a banner message. Enter the banner message and then press CTRL-D.
Show command
show system banner - use this CLI command to view an existing banner message.

store system clock datetime
Sets the system clock's date and time to the specified value, where YYYY is the year, mm is the month, dd is the day, hh is the hour (in 24-hour format), mm is the
minutes, and ss is the seconds. The seconds portion is required, but will always be set to 00.
Syntax
store system clock datetime <YYYY-mm-dd hh:mm:ss>
Show Command
show system clock <all |datetime |timezone>
Example
store system clock datetime 2008-10-03 12:24:00
store system clock timezone

Lists the allowable time zone value (list option), or sets the time zone for this system to the specified timezone. Use the list option first to display all time zones, and then
enter the appropriate timezone from the list.
IBMÂ® GuardiumÂ® also logs the local timezone in the standard audit trail, to address cases where data is used in (or aggregated with) data collected in another time
zones.
Note: The timezone setting is not updated automatically when Daylight Saving time occurs. In order to update the machine, the user will need to reset the timezone. Reset
the timezone means to set a new timezone, different from what currently is, and then resetting to the correct timezone. Just resetting the timezone to the same one will
not work and give the message, No change for the timezone.
Syntax
store system clock timezone <list | timezone>
Show Command
show system clock <all | timezone | datetime>
Example
Use the command first with the list option to display all time zones. Then enter the command a second time with the appropriate zone.
CLI> store system clock timezone list
Timezone: Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Description:
--------- Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â -----------
Africa/Abidjan:
Africa/Accra:
Africa/Addis_Ababa:
...
...output deleted
...
CLI> store system clock timezone America/New_York
store system conntrack

Sets the current status of connection tracking subsystem of the Linux kernel. Status can be ON|OFF.
Syntax
store system conntrack ON|OFF
Show command
show system conntrack
store system cpu profile

Allow configuration of CPU scaling from a CLI command on hardware that supports CPU scaling.
Use this CLI command to set the appropriate CPU scaling policy for your needs:
conservative = less power usage, conservative scaling

balanced = medium power usage, fast scale up
performance = runs the CPU(s) at maximum clock speed
Guardium software sets the scaling policy to Performance upon installation.
Syntax

store system cpu profile [min|perf|max]
Show command
show system cpu profile
store system custom_db_size

Use this CLI command to set the maximum size of the custom database table (in MB). The Default value is 4000 MB.
Syntax
CLI> store system custom_db_max_size

USAGE: store system custom_db_max_size <N>
where N is number larger than 4000.
Show command
show system custom_db_size
store system domain

Sets the system domain name to the specified value.
Syntax
store system domain <value>
Show Command
show system domain

Sets the system's host name to the specified value.
Syntax
store system hostname <value>
Show Command
store system issue

store system issue [message | clear]
The CLI command, store system issue message, will receive input from the console until Ctrl-d and write it to /etc/motd after removing from the input any $,\, \followed by
single letter, and ` characters. This is a way to enter messages that make this system compliant with the security policies of customers.
The CLI command, store system issue clear, will restore /etc/motd to the default version.
The version comes from /etc/guardium-release. For example, SG70 -> 7.0, SG80 -> 8.0. If the SG is not found in the /etc/guard-release, the default version is an empty
string.
store system netfilter-buffer-size

Set the size of the netfilter buffer.
Syntax
store system netfilter-buffer-size
Show command
Displays the S-TAPÂ® netfilter buffer size. 65536 by default.
show system netfilter-buffer-size
show system ntp diagnostics

Use this CLI command to run ntpq -p and ntptime and send the output directly to the screen. The Guardium system queries ntpd from localhost via udp.
Syntax
show system ntp diagnostics
Example
CLI> show system ntp diagnostics

Output from ntpq -p :
localhost.localdomain:
-------------------------------------------------------------------
Output from ntptime :
(Note that if you have just started the ntp server, it may report an 'ERROR' until it has synchronized.)
-------------------------------------------------------------------

ntp_gettime() returns code 5 (ERROR)
time d3443c21.47a46000 Thu, Apr 26 2012 17:26:57.279, (.279852),
maximum error 16384000 us, estimated error 16384000 us
ntp_adjtime() returns code 5 (ERROR)
modes 0x0 (),
offset 0.000 us, frequency 0.000 ppm, interval 1 s,
maximum error 16384000 us, estimated error 16384000 us,
status 0x40 (UNSYNC),
time constant 2, precision 1.000 us, tolerance 512 ppm,
store system ntp [all | server | state]

Sets the host name of up to three NTP (Network Time Protocol) servers. Note that to enable the use of an NTP server, you must use the store system ntp state on
command. To define a single NTP server, enter its host name or IP address. To define multiple NTP servers, enter the command with no arguments, an you will be
prompted to supply the NTP server host names.
Syntax
USAGE: store system ntp server
For each server enter either ip or hostname
Enter up to 3 NTP servers to store:
Show Command
show system ntp <all |server>
Delete command
delete ntp-server
store system ntp state
Enables or disables use of an NTP (Network Time Protocol) server.
Syntax
store system ntp state <on | off>
Show Command
show system ntp <all |state>
store system patch install

Installs a single Â patch or multiple patches as a background process. The ftp and scp options copy a compressed patch file from a network location to the IBM Guardium
appliance. Note that a compressed patch file may contain multiple patches, but only one patch can be installed at a time. To install more than one patch, choose all the
patches that need to be installed, separated by commas. Internally the CLI will submit requests for each patch on the list (in the order specified by the user) with the first
patch taking the request time provided by the user and each subsequent patch three minutes after the previous one. In addition, CLI will check to see if the specified
patch(es) are already requested and will not allow duplicate requests.
The last option (sys) is for use when installing a second or subsequent patch from a compressed file that has been copied to the IBM Guardium appliance using this
command previously.
To display a complete list of applied patches, see the Installed Patches report on either Manage > Reports > Install Management > Installed Patches, Manage >
Maintenance > General > Installed Patches, or Reports > Guardium Operational Reports > Installed Patches.
In store system patch install CLI command, user can choose multiple patches from the list.
Syntax
store system patch install <type> <date> <time>
<type> is the installation type, cd | ftp | scp | sys
<date> and <time> are the patch installation request time, date is formatted as YYYY-mm-dd, and time is formatted as hh:mm:ss
If no date and time is entered or if NOW is entered, the installation request time is NOW.
Parameters
Regardless of the option selected, you will be prompted to select a patch to apply:
Please choose one patch to apply (1-n,q to quit):
cd - To install a patch from a CD, insert the CD into the IBM Guardium CD ROM drive before executing this command. A list of patches contained on the CD will be
displayed.
tp or scp - To install a patch from a compressed patch file located somewhere on the network, use the ftp or scp option, and respond to the prompts shown. Be sure to
supply the full path name for the patch, including the filename:
User on hostname:

Full path to the patch, including name:
Password:
In store system patch install scp CLI command, user can use wildcard * for the patch file name.
The compressed patch file will be copied to the IBM Guardium appliance, and a list of patches contained on file will be displayed.
sys - Use this option to apply a second or subsequent patch from a patch file that has been copied to the IBM Guardium appliance by a previous store system patch
execution.
The store system patch install command will not delete the patch file from the IBM Guardium appliance after the install. While there is no real need to remove the patch
file, as same patches can be reinstalled over existing patches and keeping patch files around can aid in analyze various problems, a user may remove patch files by hand or
use the CLI command diag (Note, the CLI command diag is restricted to certain users and roles.)
store system public key reset

After generating SSH public keys using CLI commands, show system public key tomcat or show system public key cli, the CLI command, store system public key reset, will
delete the SSH keys. If the SSH keys were never generated, this CLI command does nothing. This command asks for confirmation before deletion.
Syntax
store system public key reset
store system remote-root-login

Enable/disable SSH (root access). Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
Syntax
store system remote-root-login Â ON|OFF
Show command
show system remote-root-login
store system serialtty

In some environments, the serial TTY is not available so it can not ever be started successfully. Potentially this can appear in the system log and be forwarded to SIEM.
This is enabled by default to permit connectivity, but can be disabled later if it is determined that serial consoles are unavailable to the system.
Syntax
store system serialtty <on, off>
Show command
show system serialtty
Reports whether or not serial TTYs are enabled on the system.
Reports either:
Serial TTY consoles are enabled on this system.
Serial TTY consoles are disabled on this system.
store system scheduler

Scheduling is managed by a timing mechanism within the IBM Guardium application. If the timing function is disrupted, it will restart after the restart interval designated
by this CLI command.
Use store system scheduler restart_interval [5 to 1440 or -1] to restart the timing function after 5 minutes to 1440 minutes. The default is -1 which means the timing
restart mechanism is not installed.
Use store system scheduler wait_for_shutdown [ON | OFF] to restart the scheduler after all jobs currently running finish. The parameters are ON or OFF.
Syntax
store system scheduler restart_interval [5 to 1440 or -1]
store system scheduler wait_for_shutdown [ON | OFF]
Show command
show system scheduler
store system shared secret

Sets the system's shared secret value to the specified value. This key must be the same for a Central Manager and all of the appliances it will manage; or an Aggregator,
and all of the appliances from which it aggregates data. After an appliance has registered for management by a Central Manager, the shared secret on that unit is no longer
used. (You cannot unregister a unit from Central Management by changing this value.)
Dynamic password for aggregator OS user

The aggregator password will be <the current password> concatenated with the shared secret, meaning: password=<current passwd><share secret>
Users will need to make sure the collectors' shared secret and the aggregator's shared secret is exactly the same, otherwise the SCP transfer will fail from the collector to
the aggregator (This is a requirement for managed units and aggregators, collectors and aggregators, and export setup screen). The shared secret can be set both from CLI
and from the System pane in the Admin Console tab.
Syntax
store system shared secret <key>
store system snif-alerts-facility

This parameter allows the user to configure the facility for snif generated alerts. Previously alerts directly generated by snif would use the user facility while indirect alerts
would use the daemon facility (via the guard_sender utility).
Syntax
store system snif-alerts-facility <facility>
USAGE: store snif-alerts-facility <facility>
facility is one of: daemon ftp local0 local1 local2 local3 local4 local5 local6 local7 lpr user
The default facility is daemon.
Show command
show system snif-alerts-facility
store system snif-buffers-reclaim

Use this CLI command only when directed by IBM Guardium Technical Services.
The new configuration will be effective once the CLI command, restart inspection-core, is executed.
Syntax
store system snif-buffers-reclaim [ON | OFF]
Show command
show system snif-buffers-reclaim
store system snif-thread-number

Use this CLI command to specify how many threads are running.
The new configuration will be effective once the CLI command, restart inspection-core, is executed.
Syntax
store system snif-thread-number [new | default]
Show command
show system snif-thread-number
Snif is running with 6 threads on the 32-bit system
store system snmp contact

Stores the email address for the snmp contact (syscontact) for the IBM Guardium appliance. By default it is info@guardium.com.
Syntax
store system snmp contact <email-address>
Show Command
show system snmp contact
store system snmp location

Stores the snmp system location (syslocation) for the IBM Guardium appliance. By default it is Unknown.
Syntax
store system snmp location <string>
Show Command
show system snmp location
store system snmp query community

Stores the snmp system query community for the IBM Guardium appliance. By default it is guardiumsnmp.

Syntax
store system snmp query community <string>
Show Command
show system snmp query community
User Account, Password and Authentication CLI Commands

Use these CLI commands to configure user accounts, passwords and authentication.
Set guiuser Authentication

When logging on via CLI with one of the default CLI accounts (guardcli1, ...guardcli5), it is required to run the CLI command, set guiuser, before any GuardAPI commands
will work. This authentication is required to prevent users with limited roles in the GUI from gaining unauthorized access to GuardAPI commands.
The use of the guardcli1 ... guardcli5 accounts requires the setting of a local password. Use the CLI command, set guisuer, command to reset the guardcli1 ... guardcli5
accounts and then add a local password, as shown in the Syntax.
Certain CLI commands are dependent on the role of the guiuser. For example, the role of the guiuser (marked when creating a new user from accessmgr view) must be
accessmgr in order to access grdapi create_user, grdapi set_user_roles, and grdapi update_user
Syntax
set guiuser <gui_user> password <password>
Example
$ ssh guardcli1@a1.corp.com
IBM Security Guardium , Command Line Interface (CLI)
guardcli1@a1.corp.com's password:
Last login: Thu Nov Â 4 14:56:34 2012 from 123.a1.corp.com
================================================================
IBM Security Guardium
Unauthorized access is prohibited
================================================================
a1.corp.com> set guiuser johny_smith password 3wel9s887s
ok
a1.corp.com>
create_user
Examples
>grdapi create_user firstName=john lastName=smith
password=pASSW0rd confirmPassword=pASSW0rd email=jsmith@us.ibm.com
userName=john disabled=0
ID=20000
>grdapi set_user_roles userName="john"
roles="dba,diag,cas,user"
ID=20000
Added role (dba).
Failed to add role (diag). Diag must have one of these roles: cli or admin.
Added role (cas).
Added role (user).
> grdapi set_user_roles userName="john"
roles="dba,diag,cas,user,cli"
ID=20000
Added role (dba).
Added role (diag).

Added role (cas).
Added role (user).
Added role (cli).
> grdapi update_user userName="john"
email="john.smith@gmail.com"
ID=20000
> grdapi list_users
ID=0
####### User 3 #######
Username: accessmgr
First Name: accessmgr
Last Name: accessmgr
Email:
Disabled: false
####### User 1 #######
Username: admin
First Name: admin
Last Name: admin
Email:
Disabled: false
####### User 33 #######
Username: anon
First Name: anon
Last Name: anon
Email:
Disabled: false
####### User 20000 #######
Username: john
First Name: john
Last Name: smith
Email: john.smith@gmail.com
Disabled: false
####### User 2 #######
Username: bill
First Name: bill
Last Name: green
Email:
Disabled: true
set_user_roles
set_user_roles
Each time that you execute a set_user_roles, you reset the roles of a user. You don't append to the roles. You reset.
When you create a user using GrdAPI, it will create the user with user role. Whenyou set the role, you have to specify all of its roles This is done to enable deletion of
existing roles and addition of new roles.
Even in GUI, it displays all roles, in which you can either check or uncheck a role and when you save it, it will save everything that you checked.
What GrdAPI does, is to give user kevin only role INV, where any user must have one of these roles: user, cli, admin, or accessmgr
The correct way to call this GrdAPI is:

grdapi set_user_roles userName="kevin" roles="user,inv"
Example
> set guiuser accessmgr password ASDFasdf
ok
> grdapi create_user firstName=kevin
lastName=smith password=pASSW0rd confirmPassword=pASSW0rd
email=ksmith@company.com userName=kevin disabled=0
ID=20000
ok
> grdapi set_user_roles userName="kevin" roles="inv"
set_user_roles:
ERR=3700
User must have one of these roles: user, cli, admin, or accessmgr.
Error executing the command
ok
> grdapi set_user_roles userName="kevin"
roles="user,inv"
ID=20000
Added role (user).
Failed to add role (inv). Sorry, before assigning the inv role the user's Last Name must be set to the name of one of the three investigation databases -
INV_1, INV_2, or INV_3 (case-sensitive)
ok
> grdapi set_user_roles userName="kevin"
roles="dba,diag,cas,user"
ID=20000
Added role (dba).
Failed to add role (diag). Diag must have one of these roles: cli or admin.
Added role (cas).
Added role (user).
ok
>
show guiuser
This displays the user (by role) of GUI.
Show command
show guiuser
Password Control Commands

Use the following commands to control user passwords, as follows:
store password disable - Set the number of days after which an inactive account will be disabled.
store password expiration - Set the number of days after which a password will expire.
store password validation - Enable or disable the hardened password validation rules.
Account Lockout Commands

Use the account lockout commands to disable a GuardiumÂ® user account after one or more failed login attempts. Use these commands to:
Enable or disable the feature. See store account lockout.

Set the maximum number of login failures allowed an account within a given time interval. See store account strike count and store account strike interval.
Set the maximum number of failures allowed an account for the life of the Guardium appliance. See store account strike max.
To unlock the admin user account in the event it becomes locked, see the unlock admin command description.
After a Guardium user account has been disabled, it can be enabled from the Guardium portal, and only by users with the accessmgr role, or the admin user.
Example

Enable account lockout, lock an account after 5 login failures within 10 minutes, and set the maximum number of failures allowed to 999.
store account lockout on
store account strike count 5
store account strike interval 10
store account strike max 999
Note:
If the admin user account is locked, use the unlock admin command to unlock it.
If account lockout is enabled, setting the strike count or strike max to zero does NOT disable that type of check. On the contrary, it means that after just one failure the
user account will be disabled!
store account lockout

Enables (on) or disables (off) the automatic account lockout feature, which disables a user account after a specified number of login failures.
Syntax
store account lockout <on | off>
Show Command
show account lockout
store account strike count

Sets the number of failed login attempts (n) in the configured strike interval before disabling the account.
Syntax
store account strike count <n>
Show Command
show account strike count
store account strike interval

Sets the number of seconds (n) during which the configured number of failed login attempts must occur in order to disable the account.
Syntax
store account strike interval <n>
Show Command
show account strike interval
store account strike max

Sets the maximum number (n) of failed login attempts to be allowed for an account over the life of the server, before the account is disabled.
Syntax
store account strike max <n>
Show Command
show account strike max
store password disable

Sets the number of days of inactivity, after which user accounts will be disabled. When set to 0 (zero), no accounts will be disabled by inactivity. At installation, the default
value is zero. You must restart the GUI after changing this setting (see restart gui).
Syntax
store password disable <days>
Show Command
show password disable
store password expiration

Sets the age (in days) for user password expiration. When set to -1, the password never expires. For GUI users, when set to 0 (zero), the password never expires. For any
other value, the account user must reset the password the first time they log in after the current password has expired. The default value is 90. You must restart the GUI
after changing this setting.
Syntax

store password expiration cli <days>
store password expiration gui <days>
Show Command
show password expiration
store password validation

Turns password validation on or off. The default value is on. Running this command restarts the GUI to apply this setting.
When password validation is enabled, the password must be eight or more characters in length, and must include at least one uppercase alphabetic character (A-Z), one
lowercase alphabetic character (a-z), one digit (0-9), and one special character from the table. When disabled (not recommended), any length or combination of
characters is allowed.
Syntax
store password validation <on | off>
Show Command s
show password validation
Table 1. Special Characters for Guardium Passwords

Character Description
@ Commercial at sign
# Number sign
$ Dollar sign
% Percent sign
^ Circumflex accent (carat)
& Ampersand
. Full stop (Period)
; Semicolon
! Exclamation mark
- Hyphen (minus)
+ Plus sign
= Equals sign
_ Low line (underscore)
store user password

Use this command to reset the cli user password. To simplify the support process, we suggest that you keep the cli user password assigned initially by Guardium. There is
no way to retrieve the cli user password once it is set. If you lose this password, contact Guardium Support to have it reset.
Syntax
store user password
You will be prompted to enter the current password, and then the new password (twice). None of the password values you enter on the keyboard will display on the
screen.
The cli user password requirements differ from the requirements for user passwords. The cli user password must be at least six characters in length, and must contain at
least one each of the following types of characters:
Digits (0-9)
Lowercase alphabetic characters (a-z)
Uppercase alphabetic characters (A-Z)
Running this CLI command will also update the change-time record in the password expiration file.
unlock accessmgr
Use this command to enable the Guardium accessmgr user account after it has been disabled. This command does not reset the accessmgr user account password.
Note: Only users with admin role are allowed to run this CLI command.
Syntax
unlock accessmgr
restart gui
unlock admin
Use this command to enable the Guardium admin user account after it has been disabled. This command does not reset the admin user account password.

Note: Only users with admin role are allowed to run this CLI command.
Syntax
unlock admin
restart gui
Authentication commands
The following commands display or control the type of authentication used.
store auth
Use this command to reset the type of authentication used for login to the Guardium appliance, to SQL_GUARD (i.e. Local Guardium authentication, the default).
Optional authentication methods (LDAP or Radius, for example) can be configured and enabled from the administrator portal, but not from the CLI. See Configure
Authentication for more information.
Syntax
store auth SQL_GUARD
Show Command
show auth
GuardAPI Reference
GuardAPI provides access to GuardiumÂ® functionality from the command line.
This allows for the automation of repetitive tasks, which is especially valuable in larger implementations. Calling these GuardAPI functions enables a user to quickly
perform operations such as create datasources, maintain user hierarchies, or maintain the Guardium features such as S-TAPÂ® just to name a few.
Proper login to the CLI for the purpose of using GuardAPI requires the login with one of the five CLI accounts (guardcli1,...,guardcli5) and an additional login (issuing the
'set guiuser' command) with a user (GUI username/guiuser) that has been created by access manager and given either the admin or cli role. See Set guiuser
Authentication for more information.
GuardAPI is a set of CLI commands, all of which begin with the keyword grdapi.
To list all GuardAPI commands available, enter the grdapi command with no arguments or use the 'grdapi commands' command with no search argument. For
example:
CLI> grdapi
or
CLI> grdapi commands
To display the parameters for a particular command, enter the command followed by '--help=true'. For example:
CLI> grdapi list_entry_location --help=true

ID=0
fileName
hostName - required
path - required
ok
To search for GuardAPI commands given a search string use the CLI command, grdapi commands <search-string>. For example:
CLI> grdapi commands user

ID=0
Matching API Function list :
execute_appUserTranslation
list_user_hierarchy_by_parent_user
update_user_db
To display a values list for a parameter, enter the command followed by '--get_param_values=<parameter>;'. For example:
CLI> grdapi create_group --get_param_values=appid

Value for parameter 'appid' of function 'create_group' must be one of:
Public
Audit Process Builder
Classifier
DB2 zOS Groups
Express Security
IMS zOS Groups
Policy Builder
Security Assessment Builder

ID=0
ok
Table 1. APIs that support the â€“get_param_values command structure

API Function Parameter
create_datasource application, type, severity, shared
create_group appid, type
Case Sensitivity
Both the keyword and value components of parameters are case sensitive.
Parameter Values with Spaces

If a parameter value contains one or more spaces, it must be enclosed in double quote characters.
For example:
grdapi create_datasource type ="MS SQL SERVER" ...
NULL Values and Empty Strings

In general, when calling a GuardAPI function and a value for a non-required parameter is not specified or is set to an empty string ("""") GuardAPI will convert that
parameter to a NULL value when calling the GuardAPI function. This translates into GuardAPI ignoring the parameter just as if it were not specified.
If, for example, you wanted to clear out a group from a policy rule you instead would set that group to space ("" "") and not an empty string (""""). Using an empty string
("""") would signal GuardAPI to ignore that group and not change that group selection.
Example for clearing out a group from a policy value

grdapi update_rule fromPolicy=V8 ruleDesc="LogFull Details" dbUserGroup=" " dbUser=" " objectGroup=" " commandsGroup=" "
Return Codes
Regardless of the outcome of the GuardAPI command, a return code is always returned in the first line of output, in the following format:
Table 2. Return Codes

Return Code Description
ID=identifier Successful. The identifier is the ID of the object operated upon; for example, the ID of a group that has just been
defined.
ERR=error_code Error. The error_code identifies the error, and one or more additional lines provide a text description of the error.
There is a table of common errors in the Overview and a complete listing of error codes in GuardAPI Error Codes.
For example, if we use the create_group command to successfully define an objects group named agroup, the ID of that group is returned:
CLI> grdapi create_group desc=agroup type=objects appid=Public

ID=20001
ok
CLI>
We could use that ID in the list_group_by_id command to display the group definition
CLI> grdapi list_group_by_id id=20001

ID=20001
Group GroupId=20001
Group GroupTypeId=3
Group ApplicationId=0
Group GroupDescription=agroup
Group GroupSubtype=null
Group CategoryName=null
Group ClassificationName=null
Group Timestamp=2008-05-10 07:34:11.0
Group type = OBJECTS
Application Type = Public
Touple Group
ok
For an unsuccessful execution, an error code is returned. For example, if we enter the list_group_by_id command again with an invalid ID, we receive the following
message:
a1.corp.com> grdapi list_group_by_id id=20123

ERR=140
Could not retrieve Group - check Id.
ok
Common Error Codes

Error codes with a value less than 100 are for common error conditions. Error codes greater than 100 apply to specific functions, and those are described following each
function.
To see a complete list of GuardAPI error codes, type grdapi-errors, at the CLI command prompt.

Table 3. Common Error Codes
Error Description
0 Missing parameters or unknown errors such as unexpected exceptions.
1 An Exception has occurred, please contact Guardium's support
2 Could not retrieve requested function - check function name. To list all functions, type either the CLI command, grdapi, or grdapi commands, with no
arguments.
To search, by function name, given a search string, use the CLI command, grdapi commands <search-string>
3 Too many arguments. To get the list of parameters for this function call the function --help=true
4 Missing required parameter. To get the list of parameters for this function call the function with --help=true
5 Could not decrypt parameter, check if encrypted with the correct shared secret.
6 Wrong parameter format, specify a function name followed by a list of parameters using <name=value> format.
7 Wrong parameter value for parameter type.
8 Wrong parameter name, please note, parameters are case sensitive.
9 User has insufficient privileges for the requested API function
10 Parameter Encryption not enabled - shared secret not set.
11 Failed sending API call request to targetHost
12 Error Validating Parameter
13 Target host must be the ip address of the central manager
14 Target host is not managed by this manager
15 Target host is not online
16 Target host cannot be specified on a standalone unit
17 User is not allowed to operate on the specified object
18 Target host cannot be specified
19 Missing end quote
20 User is not allowed to run grdapi commands
21 --username and --source-host are grdapi reserved words and cannot be passed on the command line.
22 A parameter name cannot be specified more than once, please check the command line for duplicate parameters.
23 Value not in constant list.
24 Not a valid encrypted value.
25 Not a valid parameter format - parameters should be specified as <name=value>, spaces are not allowed.
GuardAPI Activity Log

The Guardium Activity Log records all grdapi commands that are executed on the system. To view the commands from the administrator portal, navigate to the User
Activity Audit Trail report on the Guardium Monitor tab.
All grdapi activity will be attributed to the cli user. Double-click on the cli row in that report, and select the Detailed Guardium User Activity drill-down report. Every
command entered will be listed, along with any and all changes made. In addition, the IP address from which the command was issued is listed.
Encrypted Parameter
GuardAPI is intended to be invoked by scripts, which may contain sensitive information, such as passwords for datasources. To ensure that sensitive information is kept
encrypted at all times, the grdapi command supports passing of one encrypted parameter to an API Function. This encryption is done using the System Shared Secret
which is set by the administrator and can be shared by many systems, and between all units of a central management and/or aggregation cluster; enabling scripts with
encrypted parameters to run on machines that have the same shared secret.
Note: Trying to run an API call with encrypted parameter on a system where shared secret was not set results in an error message of
Parameter Encryption not enabled - shared secret not set
For Guard API scripts generated through the GUI, if encryption is required it is done using the shared secret of the system where script generation is performed.
The optional parameter encryptedParam is available on every grdapi call. This parameter can be used to pass an encrypted value for another parameter.
The procedure for manual encryption is as follows:
1. Use the Parameter Encryption API
The encrypt_value API accepts a value to encrypt and the target system's shared secret (key) and then prints out the encrypted value. If the key is not the system's
shared secret it will print out a warning.
a1.corp.com> grdapi encrypt_value --help=true

ID=0
key - required
valueToEncrypt - required
api_target_host
ok

Table 4. Encrypted Parameter
key The target system's shared secret
valueToEncrypt The value to be encrypted
api_target_host In a central management configuration only, allows the user to specify a target host where the API will execute. On a Central
Manager (CM) the value is the host name or IP of any managed units. On a managed unit it is the host name or IP of the CM.
Example
a1.corp.com> grdapi encrypt_value valueToEncrypt="some value" key=guard

ID=0
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (GNU/Linux)
jA0EAgMCTEIUShudn0tgyTB9GL7wR79UL9X9DCAa6RkUQRbegG52olA4gwOzmpHF
0qEhsd6Uz7l8rUsheUyX9v4=
=c1Cq
-----END PGP MESSAGE-----
2. Copy the generated content and embed within your cli script.
example of cli.gsh code :

set guiuser johny_smith password 3wel9s887s
grdapi create_datasource type=oracle name=myOra host=somehost application=AuditTask owner=admin user=sa serviceName=ora
encryptedParam=password
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (GNU/Linux)
jA0EAgMCTEIUShudn0tgyTB9GL7wR79UL9X9DCAa6RkUQRbegG52olA4gwOzmpHF
0qEhsd6Uz7l8rUsheUyX9v4=
=c1Cq
-----END PGP MESSAGE-----
3. Run the script to invoke GrdApi:
user> ssh cli@a1.corp.comuser> ssh cli@a1.corp.com
Central Management Caution

When using GuardAPI in a Central Management environment, be sure that you understand what components are defined on the Central Manager, and what components
are defined on managed units. For information on this topic, see Central Management.
Display attributes for certain users in Query Builder

The admin user can see all query attributes in Query Builder and non-admin users can see query attributes in Query Builder, except those that are designed as admin only
(IDs, for example).
There are some entities (like FULL SQL) that have large numbers of attributes in them.
By default, all attributes will show up for all users (admin and non-admin).
Two GuardAPI commands have been added to display or not display certain attributes for certain users.
These GuardAPI commands will enable disable/enable ONLY specific groups of attributes in Full SQL: VSAM, ISAM, MApReduce, APEX, Hive and BigInsight.
Two New GuardAPIs named: grdapi enable_special_attributes and grdapi disable_special_attributes
Both receive only one parameter: attributesGroup.
The valid values for this parameter are: VSAM, IMS, MapReduce, APEX, Hive, BI (BigInsights), IMS/VSAM, DB2 i, F5 (Not case sensitive).
Each Grdapi will enable (disable) all the correspondent attributes for the group, for example VSAM will enable (disable) the following attributes:
VSAM records
VSAM records delected
VSAM records inserted
VSAM records retrieved
VSAM records updated
VSAM User Group ID
Hive will enable (disable) the following attributes:
Hive command
Hive database
Hive error
Hive parsed SQL
Hive table name
Hive user
Note: The attributes will still be displayed if the user has the admin role; enabling or disabling these attributes applies ONLY to non-admin users (with no admin role).
Note: The GUI does not have to be restarted for the change to take effect. With this exception: If a report with the attributes of group F5 has been created and added it to
My New Reports, even though the attributes have been enabled, the no admin-user does not have the privilege to view the report. The GUI needs to be restarted to see
the report fields.
GuardAPI Archive and Restore Functions

GuardAPI Assessment Functions
Use these CLI commands to add, delete and update Assessment Functions.

GuardAPI Auto-discovery Functions
Use these CLI commands to create, modify, list and run Auto-discovery Functions.
GuardAPI Catalog Entry Functions
Use these GuardAPI commands to create, list, delete, and update Catalog Entry Functions.
GuardAPI Classification Functions
Use the following GuardAPI commands for Classification policy configuration, for test automation and, for scripting of prerequisite data preparation.
GuardAPI Cloud Datasource Functions
Use this command to define a cloud datasource.
GuardAPI Database User Functions
Use these GuardAPI commands to maintain database user mapping, non-credential scan and set debug level.
Use these GuardAPI commands to create, list, delete, and update Datasource Functions.
GuardAPI Datasource Reference Functions
Use these GuardAPI commands to create, list, and delete Datasource Reference Functions.
GuardAPI Data User Security Functions
Use these GuardAPI commands to create, list, delete, and update Data User Security Functions.
Use these GuardAPI commands to view and set load balancing parameters, view the current load map, and manage S-TAP and managed unit group associations.
GuardAPI Entitlement Optimization Functions
Use these GuardAPI commands to enable and configure the Entitlement Optimization datasources and reporting.
GuardAPI External Feed Functions
Use these GuardAPI functions to create mappings for external feeds.
Use the following GuardAPI commands to enable and disable the file activity monitor, configure the file Investigation Dashboard activity and entitlement extractions
schedule, and get information on the file activity monitor.
GuardAPI GIM Functions
Use these CLI commands to list, update, assign, remove and cancel GIM Functions.
GuardAPI Group Functions
Use these GuardAPI commands to create, list, and delete Datasource Group Functions.
GuardAPI Input Generation
GuardAPI Input Generation allows the user to take the output of one Guardium report and feed it as the input for another Guardium entity; allowing users to used
prepared calls to quickly call API functionality.
Use these GuardAPI commands to enable, disable, or configure Investigation Dashboard features and parameters.
GuardAPI Native Audit Functions
Use these GuardAPI commands to enable, disable, DB Audit (native audit) on a cloud database; add and remove objects from the Object Audit (audit trail); get
configuration, collectors and objects.
Use the following GuardAPI commands to enable, disable, and configure the Outliers Detection function.
GuardAPI Process Control Functions
Use these GuardAPI commands to execute, copy, upload, list, and delete Process Control Functions.
GuardAPI Query Rewrite Functions
Automate testing or create definitions for certain complex queries that cannot be done from the user interface by using Guardium APIs at the command-line
interface.
GuardAPI Role Functions
Use these GuardAPI commands to grant, list and revoke Role Functions.
GuardAPI S-TAP functions
Use these CLI commands to create, list, delete, restart, and set S-TAP functions.
Parent topic: CLI and API
GuardAPI Archive and Restore Functions

list_expiration_dates_for_restored_days
List the expiration dates for all restored days.
Parameter Value type Description
newExpDate string Required. The new expiration date for the day restored.
restoredDay string Required. Identifies the restore day for data.
api_target_host string Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the
unit on which command is executed. Valid values:

Guardium V10.1 and 10.1.2: In a central management configuration only, specifies a target host where the API
will execute. On a Central Manager (CM) the value is the host name or IP of any managed units. On a managed
unit it is the host name or IP of the CM.
Example
grdapi list_expiration_dates_for_restored_days

get_expiration_date_for_restored_day
Get the expiration date associated with a given restored day.
newExpDate string Required. The new expiration date for the day restored.
restoredDay string Required. Identifies the restore day for data.
api_target_host string Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the

Example:
grdapi get_expiration_date_for_restored_day restoredDay=restoredDay
where restoredDay can be of the format of a real day yyyy-mm-dd hh:mi:ss or relative day such as NOW -10 day.
set_expiration_date_for_restored_day
Set the expiration date for a given restored day.
V
a
l
u
e
t
y
p
Parameter e Description
newExpDate s Required. The new expiration date for the day restored.
t
r
i
n
g
restoredDay s Required. Identifies the restore day for data.

t
r
i
n
g
api_target_host s Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which command
t is executed. Valid values:
r
i all_managed: for all managed units
n all: all managed units and CM
g group:<group name>: where group name is a group of managed units
Example:
grdapi set_expiration_date_for_restored_day newExpDate=newExpDate restoredDay=restoredDay
where newExpDate and restoredDay can be of the format of a real day yyyy-mm-dd hh:mi:ss or relative day such as NOW -10 day.
set_import
Start or stop import of Aggregation data.

V
a
l
u
e
t
y
p
state s Required. START or STOP

t
r
i
n
g
r
Example
grdapi set_import [START]
configure_export
Configure the export of Aggregation data.
V
a
l
u
e
t
y
p
aggHost S Required. Host name of Aggregator.

t
r
i
n
g
aggSecHost S Â
t
r
i
n
g
exportOlderThan i Required. Detail what data to export by time.

n
t
e
g
e
r
exportValues i Required. 0, 1
n
t
e
g
e
r

V
a
l
u
e
t
y
p
ignoreOlderThan i Required. Detail what data to ignore by time.

n
t
e
g
e
r
r
Example
grdapi configure_export [aggHost] [aggSecHost] [exportOlderThan] [exportValues] [ignoreOlderThan]
configure_archive
Configure the archive of Aggregation data.
V
a
l
u
e
t
y
p
accessKey s Shared secret key of Aggregator.

t
r
i
n
g
archiveOlderThan i Required. Detail what data to archive by time.

n
t
e
g
e
r
archiveValues i Required. 0 or 1
n
t
e
g
e
r
bucketName s Â
t
r
i
n
g

V
a
l
u
e
t
y
p
destHost s Host name of archive destination.

t
r
i
n
g
ignoreOlderThan i Required. Detail what data to ignore by time.

n
t
e
g
e
r
passwd s Password
t
r
i
n
g
passwdRetype s Retype Password

t
r
i
n
g
port i Port number

n
t
e
g
e
r
protocol s Required. SCP, FTP, or AMAZON

t
r
i
n
g
retention i How long to retain.

n
t
e
g
e
r
secretKey s Â
t
r
i
n
g
targetDir s Â
t
r
i
n
g
userName s User name.

t
r
i
n
g

V
a
l
u
e
t
y
p
r
i
n
g

Example
grdapi configure_archive [accessKey] [archiveOlderThan] [archiveValues][bucketName][destHost][ignoreOlderThan][passwd]

[passwdRetype] [port] [protocol] [retention] [secretKey] [targetDir] [userName]
GuardAPI Assessment Functions

Use these CLI commands to add, delete and update Assessment Functions.
Use the following GuardAPI commands to:
Add, delete, update the Security Assessment definition

Add, delete a datasource from an existing Security Assessment
Add, delete tests from an existing Security Assessment
create_assessment
Use this GuardAPI command to add a security assessment.
Table 1. create_assessment
V
a
l
u
e
t
y
p
assessmentDescription s Required. Free text â€“ unique - must ensure there is no previous assessment with the same description. If there is one, then ERROR.
t
r
i
n
g
fromDate Â Valid date or relative date. Not mandatory. Default: NOW -1 DAY


V
a
l
u
e
t
y
p
toDate Â Valid date or relative date. Not mandatory. Default: NOW

FilterClientIP Â Valid IP address. Not mandatory. Default null.

FilterServerIP Â Valid IP address. Not mandatory. Default null.

Action: If all parameters are validated created a new record in SECURITY_ASSESSMENT table (MODIFIED_FLAG leave default â€“ 0)
Example
grdapi create_assessment assessmentDescription=Assess1
add_assessment_datasource
Use this GuardAPI command to add a datasource to a security assessment.
Table 2. add_assessment_datasource
V
a
l
u
e
t
y
p
assessmentDescription s Required. Free text. Unique - must ensure there is no previous assessment with the same description. If there is one, then ERROR.
t
r
i
n
g
datasourceName s Required. Free Text: Must be the Name of an existing datasource, if such datasource not present, then ERROR
t
r
i
n
g
Action: If all parameters are validated then it adds a record to: ASSESSMENT_DATASOURCE using the ASSESSMENT ID and DATASOURCE ID for the assessment and
datasource with the names provided.
Example
grdapi add_assessment_datasource assessmentDescription=Assess1 datasourceName=DS1
add_assessment_test
Use this GuardAPI command to add a test to an existing security assessment.
V
a
l
u
e
t
y
p
assessmentDescription s Required - Free text â€“ unique - must ensure there is no previous assessment with the same description, if there is one, then ERROR
t
r
i
n
g

V
a
l
u
e
t
y
p
testDescription s Required - Free Text: Must match the TEST_DESC of an existing test in AVAILABLE_TEST , if such test not present, then ERROR
t
r
i
n
g
severity s Validates against SEVERITY_DESC table (using DESCRIPTION) â€“ Not mandatory. The default value is INFO.
t
r
i
n
g
thresholdValue Â If Threshold value required from available test = 0, then IGNORE this parameter.

Else (THRESHOLD) value required in available_test = 1, then parameter must be an integer
If the parameter is not provided, then use DEFAULT_THRESHOLD_VALUE from AVAILABLE_TEST.
exceptionsGroup Â Check the value CAN_HAVE_EXCEPTIONS_GROUP in AVAILABLE_TEST.

The parameter is NOT mandatory.
If 0 then (exceptions group not supported for this test): If the parameter is provided, then ERROR (can not provide exception group for
this test); If the parameter is NOT provided, then use -1 to populate.
Else Â (Exception group supported for the test): If the parameter is NOT provided then use -1 to populate; IF the parameter is provided
validate the group and use the group ID.
To validate the group select from GROUP_DESC where GROUP_DESCRIPTION = the description provided, and check whether the
record exist and the GROUP_TYPE_ID
If there is not such group ERROR, then exception group does not exists.
If there is such group and the GROUP_TYPE_ID != 55, then ERROR: Exception group must be of the type â€œVA Exceptionsâ€
If the group is present and the type = 55, then use the GROUP_ID.
Additional Validation: Check whether there is already a record in ASSESSMENT_TEST for the ASSESSMENT_ID and TEST_ID, if there is such record: ERROR, this test is
already present in the assessment can not add it again.
Action: If all parameters validated then add a record to ASSESSMENT_TEST (note SEVERITY must be populated with the DESCRIPTION)
Example
grdapi add_assessment_test assessmentDescription=Assess1 testDescription="The first test"
delete_assessment
Use this GuardAPI command to delete a security assessment.
V
a
l
u
e
t
y
p
assessmentDescription s Required. Free text. Unique. Must ensure there is no previous assessment with the same description, if there is one, then ERROR
t
r
i
n
g
Additional Validation: Must ensure there are no results for the assessment to be deleted by:
Select count (*) from ASSESSSMENT_RESULT_HEADER where ASSESSMENT_ID = TheIdToRemve
IF the select returns > 0 then do not remove, ERROR

Action: If the parameter is validated (identifies the security assessment record, and there are no results for the assessment) delete the SECURITY_ASSESSMENT records,
THE ASSESSMENT_TEST records and the ASSESSMENT_DATASOURCE records (all three deletes using the ASSESSMENT_ID)
Example
grdapi delete_asssessment assessmentDescription=Assess1
delete_assessment_datasource
Use this GuardAPI command to delete a datasource from a security assessment.
V
a
l
u
e
t
y
p
assessmentDescription s Required. Free text â€“ unique - must ensure there is no previous assessment with the same description. If there is one, then ERROR.
t
r
i
n
g
datasourceName s Required. Free Text: Must be the Name of an existing data-source, if such datasource not present, then ERROR
t
r
i
n
g
Action: If all parameters validated, then check whether there is a record in ASSESSMENT_DATASOURCE for the assessment and datasource provided. If no such record
Error, otherwise delete the record.
Example
grdapi delete_asssessment_datasource assessmentDescription=Assess1 datasourceName=DS1
delete_assessment_test
Use this GuardAPI command to delete a test from an existing security assessment
V
a
l
u
e
t
y
p
assessmentDescription s Required. Free text â€“ unique - must ensure there is no previous assessment with the same description, if there is one then ERROR
t
r
i
n
g
testDescription s Free Text: Must match the TEST_DESC of an existing test in AVAILABLE_TEST , if such test not present, then ERROR
t
r
i
n
g
Additional Validation: Check whether there is a record in ASSESSMENT_TES for the ASSESSMENT_ID and TEST_ID, if there is no such record: ERROR, this test is not
present in the assessment
Action: If all parameters validated then delete the record from ASSESSMENT_TEST.
Example
grdapi delete_asssessment_test assessmentDescription=Assess1
list_assessments
Use this GuardAPI command to list the security assessments.

V
a
l
u
e
t
y
p
assessmentDescription s Required. Free text â€“ unique - must ensure there is no previous assessment with the same description, if there is one then ERROR
t
r
i
n
g
Example
grdapi list_assessments
list_assessment_tests
Use this GuardAPI command to show the list of tests for the security assessment.
The output of list_available_tests is in the following format: TEST=[<test description>], DS_TYPE=[<datasource type>] (The actual values are encapsulated within the
brackets)
The output of list_assessment_tests is in the following format: TEST_DESC=[<available test description>], DS_TYPE=[<datasourcetype>]
The parameters of list_assessment_tests API command are non-mandatory and support filtering.
V
a
l
u
e
t
y
p
Parameter e Validation
assessmentDescription Â The API will:

Validate the description is ONE valid assessment description and will retrieve the ID of the assessment. (if there is no
assessment, then error)
Show the list of tests for the assessment (and the datasource type).
Select AVAILABLE_TEST.TEST_DESC, DATASOURCE_TYPE.NAME from ASSESSMENT_TEST, DATASOURCE_TYPE, AVAILABLE_TEST,

SECURITY_ASSESSMENTÂ Â where AVAILABLE_TEST.DATASOURCE_TYPE_ID = DATASOURCE_TYPE.DATASOURCE_TYPE_IDÂ Â and
ASSESSMENT_TEST.ASSESSMENT_ID = SECURITY_ASSESSMENT.ASSESSMENT_IDÂ Â and
SECURITY_ASSESSMENT.ASSESSMENT_DESC like â€œYour Paramâ€
Example
grdapi list_assessment_tests
update_assessment
Use this GuardAPI command to update the record of the security assessment.
V
a
l
u
e
t
y
p
assessmentDescription s Must match an existing record in SECURITY_ASSESSMENT

t
r
i
n
g

V
a
l
u
e
t
y
p
newAssessmentDescription s Free Text â€“ IF empty, means do not update the description, use the value from the previous parameter, otherwise: unique must
t ensure there is no previous assessment with the same description, if there is one then ERROR.
r
i
n
g
fromDate s Valid date or relative date

t
r
i
n
g
toDate s Valid date or relative date

t
r
i
n
g
filterContentIP s Valid IP address

t
r
i
n
g
filterServerIP s Valid IP address

t
r
i
n
g
Action: If all parameters validated (and there it identified a SECURITY_ASSESSMENT record with the description provided, then update the record with the values
provided)
Example
grdapi update_assessment assessmentDescription=Assess1 filterClientIP=192.168.1.1.
GuardAPI Auto-discovery Functions

Use these CLI commands to create, modify, list and run Auto-discovery Functions.
add_autodetect_task
This command adds a task to the specified process.
V
a
l
u
e
t
y
p
process_name s Required. Name of process

t
r
i
n
g

V
a
l
u
e
t
y
p
hosts_list s Required. Lists of hosts. Space separated list of IPs or IP ranges and wild cards such as 192.168.0.1 192.168.1.*
t
r
i
n
g
ports_list s Required. List of ports. Comma separated list of ports or port ranges such as 22,23,1400-1600
t
r
i
n
g
r
Example
grdapi add_autodetect_task process_name=myProcess hosts_list="192.168.1.1 192.168.1.3" ports_list="22,23"
create_autodetect_process
This command creates an autodetect process.
V
a
l
u
e
t
y
p
check_ICMP_echo Â Required. PE parameter to nmap (*) . Values are 'true' or 'false'

host_timeout s Required. Parameter to nmap (*) . Timeout value.

t
r
i
n
g

t
r
i
n
g
run_probe_after_scan Â Required. Values are 'true' or false'.

use_dns Â Required. Parameter to nmap1. Values are 'R' or 'true' for always, 'n' or 'false' for never.


V
a
l
u
e
t
y
p
r
Note: * nmap options are accessible from API only and not from GUI. For details of nmap parameters and their impact on scan performance see man nmap.
Example
grdapi create_autodetect_process process_name=myProcess
modify_autodetect_process
This command modifies an autodetect process.
V
a
l
u
e
t
y
p
check_ICMP_echo Â Required. PE parameter to nmap (*) . Values are 'true' or 'false'

host_timeout s Required. Parameter to nmap (*) . Timeout value.

t
r
i
n
g

t
r
i
n
g
run_probe_after_scan Â Required. Values are 'true' or false'.

use_dns Â Required. Parameter to nmap1. Values are 'R' or 'true' for always, 'n' or 'false' for never.


V
a
l
u
e
t
y
p
r
Note: * nmap options are accessible from API only and not from GUI. For details of nmap parameters and their impact on scan performance see man nmap.
Example
grdapi modify_autodetect_process process_name=myProcess
delete_autodetect_scans_for_process
This command remove all the tasks for a process, but cannot run if a process is running, scheduled or has results.
V
a
l
u
e
t
y
p

t
r
i
n
g
r
Example
grdapi delete_autodetect_scans_for_process process_name=myProcess
list_autodetect_processes
This command lists all processes.
V
a
l
u
e
t
y
p

V
a
l
u
e
t
y
p
r
Example
grdapiÂ list_autodetect_processes
list_autodetect_tasks_for_process
This command lists all tasks of a specified process.
V
a
l
u
e
t
y
p

t
r
i
n
g
r
Example
grdapi list_autodetect_tasks_for_process process_name=myProcess
execute_autodetect_process
This command runs the specified process, but it cannot run if no tasks are defined for the process or if the process is currently running.
V
a
l
u
e
t
y
p

t
r
i
n
g

V
a
l
u
e
t
y
p
r
i
n
g

Example
grdapi execute_autodetect_process process_name=myProcess
show_autodetect_process_status
This command shows process status and progress summary.
V
a
l
u
e
t
y
p

t
r
i
n
g
r
Example
grdapi show_autodetect_process_status process_name=myProcess
stop_autodetect_process
This command stops the run of a specific process.

V
a
l
u
e
t
y
p

t
r
i
n
g
r
Example
grdapi stop_autodetect_process process_name=myProcess
GuardAPI Catalog Entry Functions

Use these GuardAPI commands to create, list, delete, and update Catalog Entry Functions.
create_entry_location
Adds a new archive entry to the internal catalog location table.
V
a
l
u
e
t
y
p
entryType s Required. Must be one of the following:

t
r CollectorDataArchive
i AggDataArchive
n AggResultArchive
g
processDesc s Used and required only when the entryType is AggResultArchive.

t
r
i
n
g
fileName s Required. Identifies the file.

t
r
i
n
g
hostName s Required. Identifies the host.

t
r
i
n
g

V
a
l
u
e
t
y
p
path s Required. For FTP: specify the directory relative to the FTP account home directory; for SCP: Specify the directory as an
t absolute path.
r
i
n
g
user s Required. User account to access the host.

t
r
i
n
g
password s Required. Password for user.

t
r
i
n
g
retention i Optional. The number of days this entry is to be kept in the catalog (the default is 365).
n
t
e
g
e
r
storageSystem s Required. Must be one of the following: EMC CENTERA, FTP, SCP, TSM.
t
r
i
n
g
api_target_host s Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which
t command is executed. Valid values:
r
Guardium V10.1 and 10.1.2: In a central management configuration only, specifies a target host where the API will execute. On
a Central Manager (CM) the value is the host name or IP of any managed units. On a managed unit it is the host name or IP of
the CM.
Example
grdapi Â create_entry_location entryType=CollectorDataArchive Â fileName=733392-a1.corp.com-w20071223.133546-d2007-12-

27.dbdump.enc password=somePassword user=someUser path=/var/dump/ hostName=192.168.1.241 Â storageSystem=scp
list_entry_location
Lists one archive location if a fileName is specified, or lists multiple archive locations when the fileName is omitted.
Â
fileName s Optional. Identifies the single file location to be listed. If omitted, all file locations on the specified hostName and path will be
t listed.
r
i
n
g

t
r
i
n
g

Â
t absolute path.
r
i
n
g
r
the CM.
Example
grdapi list_entry_location Â Â path=/mnt/nfs/ogazit/archive_results/ hostName=192.168.1.33
delete_entry_location
Updates one archive location if a fileName is specified, or removes multiple archive locations when the fileName is omitted.
V
a
l
u
e
t
y
p
fileName s Optional. Identifies the single file location to be removed. If omitted, all file locations on the specified hostName and path will
t be removed.
r
i
n
g

t
r
i
n
g
t absolute path.
r
i
n
g
r
the CM.
Example
grdapi delete_entry_location Â path=/var/dump/mojgan hostName=192.168.1.18
update_entry_location
Updates one archive locations if a fileName is specified, or updates multiple archive locations when the fileName is omitted.

V
a
l
u
e
t
y
p
fileName s Optional. Identifies the single file location to be updated. If omitted, all file locations on the specified hostName and path will
t be updated.
r
i
n
g

t
r
i
n
g
t absolute path.
r
i
n
g
newHostName s Optional. When used, specifies the new host name.

t
r
i
n
g
newPath s Optional. When used, specifies the new path.

t
r
i
n
g
user s Required. User account to access the host.

t
r
i
n
g
password s Required. Password for user.

t
r
i
n
g
retention i Optional. The number of days this entry is to be kept in the catalog (the default is 365).
n
t
e
g
e
r
storageSystem s Optional. Use one of the following: EMC CENTERA, FTP, SCP, TSM.
t
r
i
n
g

V
a
l
u
e
t
y
p
r
the CM.
Example
grdapi update_entry_location Â fileName=a1.corp.com-1_4_2008-01-10_10:27:24.res.70.tar.gz.enc

path=/mnt/nfs/ogazit/archive_results/ hostName=qaserver Â Â Â storageSystem=SCP newPath=/var/dump/mojgan
Â newHostName=192.168.1.18
GuardAPI Classification Functions

Use the following GuardAPI commands for Classification policy configuration, for test automation and, for scripting of prerequisite data preparation.
For instructions on how to use GuardAPI commands, see GuardAPI Reference Overview help topic.
create_classifier_action
V
a
l
u
e
t
y
p
y
actionName s Required. String

t
r
i
n
g
actualMemberContent s Required. String

t
r
i
n
g

V
a
l
u
e
t
y
p
y
actionType s Required. String

t
r For reference, here is the list of action types with the associated required parameters. Â The required parameters depends on what
i you choose for the action type.
n
add_to_group_objects
g
actionName - String - required
actualMemberContent - String - required
objectGroup - String - required
policyName - String - required
ruleName - String - required
add_to_group_object_fields
objectFieldGroup - String - required
create_access_rule
accessPolicy - String - required
accessRuleAction - String - required
create_privacy_set
privacySet - String - required
log_policy_violation
action_send_alert
receiver - String - required

V
a
l
u
e
t
y
p
y
description s
t
r
i
n
g
objectGroup s Required.
t
r
i
n
g
policyName s Required.
t
r
i
n
g
ruleName s Required.
t
r
i
n
g
replaceGroupContent b Â
o
o
l
e
a
n
objectFieldGroup s Required.
t
r
i
n
g
accessPolicy s Required.
t
r
i
n
g
t
r
i
n
g
accessRuleAction s Required.
t
r
i
n
g
commandsGroup s Â
t
r
i
n
g

V
a
l
u
e
t
y
p
y
includeField b Â
o
o
l
e
a
n
includeServerIP b Â
o
o
l
e
a
n
receiver s Â
t
r
i
n
g
privacySet s Required.
t
r
i
n
g
severity s Â
t
r
i
n
g
notificationType s
t
r
i
n
g
r
Examples
grdapi create_classifier_action actionType=add_to_group_objects policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc
objectGroup="DW All Objects" replaceGroupContent=1 actualMemberContent=%FULLLIKE
grdapi create_classifier_action actionType=add_to_group_object_fields policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc objectFieldGroup="DW All Object-Field" replaceGroupContent=1
grdapi create_classifier_action actionType=create_access_rule policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc
accessPolicy=pci accessRuleAction="alert daily" commandsGroup="Select command" includeField=1 includeServerIP=0
receiver="syslog,snmp,mail=admin,mail=a b c,custm=-b"
grdapi create_classifier_action actionType=create_privacy_set policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc
privacySet=-b
grdapi create_classifier_action actionType=log_policy_violation policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc

severity=MED
grdapi create_classifier_action actionType=send_alert policyName=-policy1 ruleName=-rule1 actionName=-action1 description=desc

notificationType=High receiver="syslog,snmp,mail=admin,mail=a b c,custm=-b"
GuardAPI command values

See the table for a list of GuardAPI command values for the command, grdapi create_classifer_action that are used in the GUI. Use these values when creating
groups.
Table 1. GrdAPI create_classifer_action

GUI values GrdAPI values
%/%.Name %/NAME
%/Full %/FULL
Change/%.Name CHANGE/NAME
Change/Full CHANGE/FULL
Fully Qualified FULLNAME

Name(Schema.Object)
Like %Full %FULLLIKE
Like %Full% %FULLLIKE%
Like %Name %NAMELIKE
Like %Name% %NAMELIKE%
Like Full% FULLLIKE%
Like Name% NAMELIKE%
Object Name Only NAMEONLY
Read/%.Name READ/NAME
Read/Full READ/FULL
Example
grdapi create_classifier_action actionName=classgrpobjectseach1 actionType=ADD_TO_GROUP_OBJECTS

policyName="A Group Object Each Type Policy" ruleName=groupobjects1 commandsGroup=groupofobjects
objectGroup="Classifier Group of Each Objects" actualMemberContent=NAMEONLY description="object type NAMEONLY"
Examples of group object types
grdapi create_group appid=Classifier type=OBJECTS desc="Classifier Group of Each Objects" owner=admin category=classifier
classification=classifier subtype=classifier
grdapi create_datasource type="Oracle (DataDirect)" user=scott password=tiger host="swan.guard.swg.usma.ibm.com"

name="Swan Oracle Object Each" shared=true owner=admin application=Classifier port=1521 serviceName=on8swan0
grdapi create_classifier_policy policyName="A Group Object Each Type Policy" category="Object Each Process"
classification="Object Each Process"
grdapi create_classifier_rule policyName="A Group Object Each Type Policy" category="Object Each Process"
classification="Object Each Process" ruleName=groupobjects1 ruleType=SEARCH_FOR_DATA dataTypes=TEXT continueOnMatch=1
tableNameLike="EMP_INFORMATION"
columnNameLike="PHONE" tableTypeTable=1

objectGroup="Classifier Group of Each Objects" actualMemberContent=NAMEONLY description="object type NAMEONLY"

objectGroup="Classifier Group of Each Objects" actualMemberContent=FULLNAME description="object type FULLNAME"

objectGroup="Classifier Group of Each Objects" actualMemberContent="%NAMELIKE" description="object type %NAMELIKE"

objectGroup="Classifier Group of Each Objects" actualMemberContent="NAMELIKE%" description="object type NAMELIKE%"

objectGroup="Classifier Group of Each Objects" actualMemberContent="%NAMELIKE%" description="object type %NAMELIKE%"

objectGroup="Classifier Group of Each Objects" actualMemberContent="%FULLLIKE" description="object type %FULLLIKE"

objectGroup="Classifier Group of Each Objects" actualMemberContent="FULLLIKE%" description="object type FULLLIKE%"

objectGroup="Classifier Group of Each Objects" actualMemberContent="%FULLLIKE%" description="object type %FULLLIKE%"

objectGroup="Classifier Group of Each Objects" actualMemberContent="Change/Full" description="object type Change/Full"

objectGroup="Classifier Group of Each Objects" actualMemberContent="CHANGE/NAME" description="object type Change/%.name"

objectGroup="Classifier Group of Each Objects" actualMemberContent="Read/Full" description="object type Read/Full"

objectGroup="Classifier Group of Each Objects" actualMemberContent="READ/NAME" description="object type Read/%.name"

objectGroup="Classifier Group of Each Objects" actualMemberContent="%/Full" description="object type %/Full"

objectGroup="Classifier Group of Each Objects" actualMemberContent="%/NAME" description="object type %/%.name"
grdapi create_classifier_process policyName="A Group Object Each Type Policy"

processName="A Group Object Each Type Process" datasourceNames="Swan Oracle Object Each"

objectGroup="Classifier Group of Each Objects" actualMemberContent="FULLNAME" description="Fully Qualified Name(Schema.Object)
create_classifier_policy
V
a
l
u
e
t
y
p
category s Required.
t
r
i
n
g
classification s Required.
t
r
i
n
g
description s Â
t
r
i
n
g
r
Example
grdapi create_classifier_policy policyName=-policy1 classification=class1 description=desc1 category=cat1
create_classifier_process
create_classifier_process
Note: Create a classification policy and datasource before calling this GuardAPI.

V
a
l
u
e
t
y
p
comprehensive b Â
o
o
l
e
a
n
datasourceNames s Required.
t
r
i
n
g
includeInternalTables b The setting is disabled by default.

o
o Enabling includeInternalTables indicates that you want to scan internal system databases and schema used by the database software
l provider. Internal system databases and schema are unlikely to contain sensitive data and are not scanned by default. When including
e internal tables, verify that the classifier datasource user has sufficient privileges to scan the internal databases and schema.
a Insufficient privileges may result in unexpected classification policy errors.
n
To view and edit the databases and schema affected by the includeInternalTables parameter, use the Group Builder to edit one of the
predefined Excluded Classification groups.
t
r
i
n
g
processName s Required.
t
r
i
n
g
sampleSize i
n
t
e
g
e
r
r
Example
grdapi create_classifier_process datasourceNames=sample_cls_0001 policyName=APITEST_Cls_Ply_10001_1

processName=APITEST_Clps_10001_1
create_classifier_rule

V
a
l
u
e
t
y
p
t
r
i
n
g
t
r
i
n
g
ruleType s Required.
t
r For reference, here is the list of valid rule types with the associated required parameters. Â Depending on what the user selects for the
i rule type will determine which parameters are required
n
catalog_search_add
g
search_by_permissions_add
grantTypes - String - required
search_for_data_add
search_for_unstructured_data_add
category s Â
t
r
i
n
g
classification s Â
t
r
i
n
g
continueOnMatch b Â
o
o
l
e
a
n
description s Â
t
r
i
n
g

V
a
l
u
e
t
y
p
columnNameLike s Â
t
r
i
n
g
fireOnlyWithMarker s Â
t
r
i
n
g
tableNameLike s Â
t
r
i
n
g
tableTypeSynonym b Â
o
o
l
e
a
n
tableTypeSystemTable b Â
o
o
l
e
a
n
tableTypeTable b Â
o
o
l
e
a
n
tableTypeView b Â
o
o
l
e
a
n
grantTypes s Â
t
r
i
n
g
role s Â
t
r
i
n
g
roleGroup s Â
t
r
i
n
g

V
a
l
u
e
t
y
p
user s Â
t
r
i
n
g
userGroup s Â
t
r
i
n
g
withAdminOption b Â
o
o
l
e
a
n
compareToValuesInGroup s Â
t
r
i
n
g
compareToValuesInSQL s Â
t
r
i
n
g
dataTypes s Â
t
r
i
n
g
evaluationName s Â
t
r
i
n
g
hitPercentage i Â
n
t
e
g
e
r
maxLength i Â
n
t
e
g
e
r
minLength i Â
n
t
e
g
e
r

V
a
l
u
e
t
y
p
searchExpression s Â
t
r
i
n
g
searchLike s Â
t
r
i
n
g
grantTypes s Â
t
r
i
n
g
showUniqueValues T Â
r
u
e
o
r
F
a
l
s
e
uniqueValueMask s Â
t
r
i
n
g
r
Examples
grdapi create_classifier_rule policyName=-policy1 ruleName=-rule1 category=-cat1 classification=-class1 description=-desc1

ruleType=CATALOG_SEARCH continueOnMatch=1 tableTypeTable=1 tableTypeSynonym=1 tableTypeSystemTable=1 tableTypeView=1
tableNameLike=t1
columnNameLike=c1 fireOnlyWithMarker=m1

ruleType=SEARCH_BY_PERMISSIONS continueOnMatch=1 tableTypeTable=1 tableTypeSynonym=1 tableTypeSystemTable=1 tableTypeView=1
user=user1
userGroup="suspicious users" role=role1 roleGroup=-role1 withAdminOption=1 grantTypes=CONTROL,DELETE,DROP fireOnlyWithMarker=m1

ruleType=SEARCH_FOR_DATA continueOnMatch=1 tableTypeSynonym=1 tableNameLike=tl1 dataTypes=DATE,NUMBER,TEXT columnNameLike=cl1
minLength=11 searchLike=sel1 searchExpression=se1 evaluationName=en1 hitPercentage=44 compareToValuesInSQL=cv1sql
compareToValuesInGroup="dw all objects" fireOnlyWithMarker=m1

ruleType=SEARCH_FOR_UNSTRUCTURED_DATA continueOnMatch=1 searchLike=s1 searchExpression=e1 fireOnlyWithMarker=m1
grdapi create_datasource type="Oracle (DataDirect)" user=scott password=tiger host="swan.guard.swg.usma.ibm.com"

name="Swan Oracle8 all values" shared=true owner=admin application=Classifier port=1521 serviceName=on8swan0
grdapi create_group appid=Classifier type=OBJECTS desc="AA Classifier ALL Values" owner=admin category=classifier
classification=classifier subtype=classifier

grdapi create_member_to_group_by_desc desc="AA Classifier ALL Values" member=ACCOUNTING
grdapi create_member_to_group_by_desc desc="AA Classifier ALL Values" member=ACCOUNTTING
grdapi create_member_to_group_by_desc desc="AA Classifier ALL Values" member=ACCOUNTTING
grdapi create_member_to_group_by_desc desc="AA Classifier ALL Values" member=AG
grdapi create_classifier_policy policyName="Search ALL DATA SEARCH smoke values" category="ALL" classification="ALL"
grdapi create_classifier_rule policyName="Search ALL DATA SEARCH smoke values" category="ALL" classification=ALL
ruleName=ALL1 ruleType=SEARCH_FOR_DATA dataTypes=TEXT,NUMBER continueOnMatch=1 tableNameLike="DEPT14%" minLength=1 maxLength=100
tableTypeSynonym=1 tableTypeSystemTable=1 tableTypeTable=1 tableTypeView=1 fireOnlyWithMarker=ACCT searchLike="A%"
searchExpression="ÂA*" columnNameLike="DNAME" evaluationName="com.guardium.classifier.custom.RichardEvaluation" hitPercentage=10
compareToValuesInGroup="AA Classifier ALL Values" compareToValuesInSQL="select DNAME from SCOTT.DEPT where DNAME like 'A%G'"
showUniqueValues="true" uniqueValueMask="ÂA*"
grdapi create_classifier_process policyName="Search ALL DATA SEARCH smoke values"

processName="Search ALL DATA SEARCH smoke values Process" datasourceNames="Swan Oracle8 all values"
delete_classifier_action
V
a
l
u
e
t
y
p
actionName s Required.
t
r
i
n
g
t
r
i
n
g
Example
grdapi delete_classifier_action policyName=-policy1 ruleName=-rule1 actionName=-action1
delete_classifier_policy
V
a
l
u
e
t
y
p
t
r
i
n
g
r
Example
grdapi delete_classifier_policy policyName=-policy1
delete_classifier_process

V
a
l
u
e
t
y
p
processName s Â
t
r
i
n
g
r
example
grdapi delete_classifier_process processName=APITEST_Clps_10001_1
delete_classifier_rule
V
a
l
u
e
t
y
p
t
r
i
n
g
t
r
i
n
g
r
Example
grdapi delete_classifier_rule policyName=-policy1 ruleName=-rule1
execute_cls_process
Execute (submit) a classification process
Runs a classification process. Â It is equivalent of executing Run Once Now from Classification Process Builder. It submits the job which places the process on the
GuardiumÂ® Job Queue, from which the appliance runs a single job at a time. Administrators can view the job status by selecting Guardium Monitor > Guardium Job
Queue.
Note: Create a classification process before calling this API.

V
a
l
u
e
t
y
p
processName s Name of the classification process

t
r
i
n
g
r
Example
grdapi execute_cls_process processName="classPolicy1" Â
Here is a list of the classifier functions and the parameters for each. Â In the case where the parameter will have a set list of valid entries, the list will be supplied.
list_classifier_policies
V
a
l
u
e
t
y
p
t
r
i
n
g
t
r
i
n
g
r
Example
grdapi list_classifier_policy policyName=-policy1 ruleName=-rule1 actionName=-action1 recursive=1
Note: Executing this function with no arguments will list all policies. Â Passing an argument for the policy will list all rules and actions for the policy. Â Passing a policy and
rule will list all of the actions for the rule.
list_classifier_process

V
a
l
u
e
t
y
p
processName s Â
t
r
i
n
g
r
example:
grdapi list_classifier_process processName=APITEST_CLPS_30001
set_classification_concurrency_limit
The set_classification_concurrency_limit command defines the number of classifier processes that can run concurrently.
Syntax: grdapi set_classification_concurrency_limit limit=[value].
a
l
u
e
t
y
p
e
limit I The limit value defines the number of classifier processes that can run concurrently. The limit value is the lesser of 100 or twice the
n number of CPU cores installed on the Guardium system.
t
e For example, if a system has 8 CPU cores, the maximum limit value is 16. If a system has 64 CPU cores, the maximum limit value is
g 100.
e
The default limit value is 1.
r
:
1
-
1
0
0
,
d
e
p
e
n
d
i
n
g
o
n
t
h
e
h
a
r
d
w

a
l
u
e
t
y
p
e
a
r
e
c
o
n
fi
g
u
r
a
ti
o
n
o
f
t
h
e
G
u
a
r
d
i
u
m
s
y
s
t
e
m
.
T
h
e
d
e
f
a
u
l
t
v
a
l
u
e
i
s
1
.
Example:
grdapi set_classification_concurrency_limit limit=11
Show values: grdapi get_classification_concurrency_limit
update_classifier_action

V
a
l
u
e
t
y
p
actionName s Required.
t
r
i
n
g
actualMemberContent s Required.
t
r
i
n
g
description s Â
t
r
i
n
g
objectGroup s Required.
t
r
i
n
g
t
r
i
n
g
ruleName s Required. String

t
r
i
n
g
replaceGroupContent b Â
o
o
l
e
a
n
objectFieldGroup s Required.
t
r
i
n
g
t
r
i
n
g
accessRuleAction s Required.
t
r
i
n
g

V
a
l
u
e
t
y
p
commandsGroup s Â
t
r
i
n
g
includeField b Â
o
o
l
e
a
n
includeServerIP b Â
o
o
l
e
a
n
receiver s Â
t
r
i
n
g
privacySet s Required.
t
r
i
n
g
severity s Â
t
r
i
n
g
notificationType s Â
t
r
i
n
g
r
Example
grdapi update_classifier_action actionType=add_to_group_objects policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc objectGroup="DW All Objects" replaceGroupContent=1 actualMemberContent=%FULLLIKE
grdapi update_classifier_action actionType=add_to_group_object_fields policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc objectFieldGroup="DW All Object-Field" replaceGroupContent=1
grdapi update_classifier_action actionType=update_access_rule policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc accessPolicy=pci accessRuleAction="alert daily" commandsGroup="Select command" includeField=1 includeServerIP=0
receiver="syslog,snmp,mail=admin,mail=a b c,custm=-b"

grdapi update_classifier_action actionType=update_privacy_set policyName=-policy1 ruleName=-rule1 actionName=-action1
description=desc privacySet=-b
grdapi update_classifier_action actionType=log_policy_violation policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc severity=MED
grdapi update_classifier_action actionType=send_alert policyName=-policy1 ruleName=-rule1 actionName=-action1

description=desc notificationType=High receiver="syslog,snmp,mail=admin,mail=a b c,custm=-b"
update_classifier_policy
V
a
l
u
e
t
y
p
policyName s Required
t
r
i
n
g
category s Required
t
r
i
n
g
classification s Required
t
r
i
n
g
description s Â
t
r
i
n
g
r
Example
grdapi update_classifier_policy policyName=-policy1 classification=class1 description=desc1 category=cat1
update_classifier_process
update_classifier_process
V
a
l
u
e
t
y
p

V
a
l
u
e
t
y
p
comprehensive b Â
o
o
l
e
a
n
datasourceNames s Required.
t
r
i
n
g
includeInternalTables Â The setting is disabled by default.

Enabling includeInternalTables indicates that you want to scan internal system databases and schema used by the database software
provider. Internal system databases and schema are unlikely to contain sensitive data and are not scanned by default. When including
internal tables, verify that the classifier datasource user has sufficient privileges to scan the internal databases and schema.
Insufficient privileges may result in unexpected classification policy errors.
To view and edit the databases and schema affected by the includeInternalTables parameter, use the Group Builder to edit one of the
predefined Excluded Classification groups.
newName s Â
t
r
i
n
g
t
r
i
n
g
processName s Required
t
r
i
n
g
sampleSize i Â
n
t
e
g
e
r
r
Example:
grdapi update_classifier_process datasourceNames=sample_cls_0001,sample_cls_0002 policyName=APITEST_Cls_Ply_10001_1

processName=APITEST_Clps_10001_1 comprehensive=0 sampleSize=3000
update_classifier_rule

V
a
l
u
e
t
y
p
t
r
i
n
g
ruleName s Required
t
r
i
n
g
ruleType s Required. Values:

t
r catalog_search
i search_by_permissions
n search_for_data
g search_for_unstructured_data
category s Â
t
r
i
n
g
classification s Â
t
r
i
n
g
continueOnMatch b Â
o
o
l
e
a
n
description s Â
t
r
i
n
g
columnNameLike s Â
t
r
i
n
g
fireOnlyWithMarker s Â
t
r
i
n
g
tableNameLike s Â
t
r
i
n
g

V
a
l
u
e
t
y
p
tableTypeSynonym b Â
o
o
l
e
a
n
tableTypeSystemTable b Â
o
o
l
e
a
n
tableTypeTable b Â
o
o
l
e
a
n
tableTypeView b Â
o
o
l
e
a
n
grantTypes s Â
t
r
i
n
g
role s Â
t
r
i
n
g
roleGroup s Â
t
r
i
n
g
user s Â
t
r
i
n
g
userGroup s Â
t
r
i
n
g
withAdminOption b Â
o
o
l
e
a
n

V
a
l
u
e
t
y
p
compareToValuesInGroup s Â
t
r
i
n
g
compareToValuesInSQL s Â
t
r
i
n
g
dataTypes s Â
t
r
i
n
g
evaluationName s Â
t
r
i
n
g
hitPercentage i Â
n
t
e
g
e
r
maxLength i Â
n
t
e
g
e
r
minLength i Â
n
t
e
g
e
r
searchExpression s Â
t
r
i
n
g
searchLike s Â
t
r
i
n
g

V
a
l
u
e
t
y
p
r
Examples
grdapi update_classifier_rule policyName=-policy1 ruleName=-rule1 category=-cat1 classification=-class1 description=-desc1

ruleType=CATALOG_SEARCH continueOnMatch=1 tableTypeTable=1 tableTypeSynonym=1 tableTypeSystemTable=1 tableTypeView=1
tableNameLike=t1
columnNameLike=c1 fireOnlyWithMarker=m1

ruleType=SEARCH_BY_PERMISSIONS continueOnMatch=1 tableTypeTable=1 tableTypeSynonym=1 tableTypeSystemTable=1 tableTypeView=1
user=user1
userGroup="suspicious users" role=role1 roleGroup=-role1 withAdminOption=1 grantTypes=CONTROL,DELETE,DROP fireOnlyWithMarker=m1

ruleType=SEARCH_FOR_DATA continueOnMatch=1 tableTypeSynonym=1 tableNameLike=tl1 dataTypes=DATE,NUMBER,TEXT columnNameLike=cl1
minLength=11
maxLength=22 searchLike=sel1 searchExpression=se1 evaluationName=en1 hitPercentage=44 compareToValuesInSQL=cv1sql
compareToValuesInGroup="dw all objects" fireOnlyWithMarker=m1

ruleType=SEARCH_FOR_UNSTRUCTURED_DATA continueOnMatch=1 searchLike=s1 searchExpression=e1 fireOnlyWithMarker=m1
GuardAPI Cloud Datasource Functions

Use this command to define a cloud datasource.
create_cloud_datasource
application String. See description Required. The application for which the datasource is being defined. One of the following:
Access Policy
Application User Translation
Audit Task
Change Audit System
Classifier
Custom Domain
Database Analyzer
Monitor Values
Security Assessment
Stap Verification
cloudTitle string. see Description Required. Name of cloud account already defined in Guardium
compatibilityMode String The mode used when monitoring a table.
conProperty String Optional. Use only if additional connection properties must be included on the JDBC URL to
establish a JDBC connection with this datasource. The required format is property=value,
where each property and value pair is separated from the next by a comma.
customURL String Optional. Connection string to the datasource; otherwise connection is made using host, port,
instance, properties, etc. of the previously entered fields. This is useful, for example, when
creating Oracle Internet Directory (OID) connections.
dbInstanceAccount String Optional. Database Account Login Name that is used by CAS
dbInstanceDirectory String Optional. Directory where database software was installed is used by CAS
dbName String Optional. For a DB2Â® or Oracle datasource, enter the schema name. For others, enter the
database name.
description String Optional. Longer description of the datasource.

host String Required. The host name or the IP address.
importServerSSLcert Boolean Â
KerberosConfigName String Optional. Name of Kerberos configuration already defined in Guardium system
name String Required. A unique name for the datasource in the Guardium system
objectLimit 0, positive integer Required. The maximum number of sensitive objects found in the classification process that are
added automatically to the list of audited objects. Default = 20.
password string Password for user.
port Integer Optional. Port number.
primaryCollector Integer The collector that extracts the audit data from the cloud database.
region value list Required.
savePassword Boolean Saves and encrypts your authentication credentials on the Guardium appliance. Required if you
are defining a datasource with an application that runs as a scheduled task (as opposed to on
demand). When set to yes, login name and password are required.
serviceName String Optional. Required for Oracle, InformixÂ®, DB2, and IBMÂ® ISeries. For a DB2 datasource enter
the database name, for others enter the service name.
severity value list Optional. Severity Classification (or impact level) for the datasource. One of:
LOW
NONE
MED
HIGH
shared value list Optional. Set to True or Share to share with other applications. To share the datasource with
other users, you will have to assign roles from the GUI. Values:
Share
Not Shared
True
False
type value list Required. Identifies the datasource type. Valid values:
Oracle (DataDirect - SID)

Oracle (DataDirect - Service Name)
useKerberos Boolean Optional (boolean). Set to yes to use Kerberos authentication. If yes, KerberosConfigName
must be supplied.
useLDAP Boolean Optional (boolean). Set to yes to use LDAP
user String Optional. User for the datasource. If used, password must also be used.
useSSL Boolean Optional (boolean). Set to yes to use SSL authentication.
list_cloud_datasource_by_name
name string Required. Cloud datasource defined in Guardium.
api_target_host string Optional parameter that specifies the target host(s) to execute the API. When not specified, it
defaults to the unit on which command is executed. Valid values:

from CM only, the host name or IP of any managed unit, for example,
api_target_host=10.0.1.123
restart_cloud_instance
Restarts the specified cloud instance.

type
datasource_na string Required. Cloud datasource defined in Guardium.

me

type
api_target_hos string Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which command is
t executed. Valid values:

update_cloud_datasource
Updates the cloud datasource configuration.
cloudTitle value list Required. Title define by GRDAPI command
conProperty String Optional. Use only if additional connection properties must be included on the JDBC URL to
establish a JDBC connection with this datasource. The required format is property=value,
where each property and value pair is separated from the next by a comma.
customURL String Optional. Connection string to the datasource; otherwise connection is made using host, port,
instance, properties, etc. of the previously entered fields. This is useful, for example, when
creating Oracle Internet Directory (OID) connections.
dbInstanceAccount String Optional. Database Account Login Name that is used by CAS
dbInstanceDirectory String Optional. Directory where database software was installed that will be used by CAS
dbName String Optional. For a DB2Â® or Oracle datasource, enter the schema name. For others, enter the
database name.
description String Optional. Longer description of the datasource.
host String Required. The host name or the IP address.
importServerSSLcert Boolean Â
KerberosConfigName String Name of Kerberos configuration already defined in Guardium system
name String Required. A unique name for the datasource in the Guardium system
newName String Optional. Provides a new name, which must be unique for a datasource on the system.
objectLimit integer: 0 and higher Required. The maximum number of sensitive objects found in the classification process that are
added automatically to the list of audited objects.
password String Password for user
port Integer Cloud datasource defined in Guardium.
primaryCollector Integer Collector that receives data from cloud DB
region value list Required.
savePassword Boolean Saves and encrypts your authentication credentials on the Guardium appliance. Required if you
are defining a datasource with an application that runs as a scheduled task (as opposed to on
demand). When set to yes, login name and password are required.
serviceName String Optional. Required for Oracle, InformixÂ®, DB2, and IBMÂ® ISeries. For a DB2 datasource enter
the database name, for others enter the service name.
severity value list Optional. Severity Classification (or impact level) for the datasource. One of:
LOW
NONE
MED
HIGH
shared value list Optional. Set to True or Share to share with other applications. To share the datasource with
other users, you will have to assign roles from the GUI. Values:
Share
Not Shared
True
False
useKerberos Boolean Optional (boolean). Set to yes to use Kerberos authentication. If yes, KerberosConfigName
must be supplied.
useLDAP Boolean Optional (boolean). Set to yes to use LDAP
user String Optional. User for the datasource. If used, password must also be used.
useSSL Boolean Optional (boolean). Set to yes to use SSL authentication.


GuardAPI Database User Functions
Use these GuardAPI commands to maintain database user mapping, non-credential scan and set debug level.
non_credential_scan
API that allows for submitting jobs that will scan databases within the serversGroup for enabled default users in the usersGroup. Submitted jobs will run under the
Classifier Listener and may be tracked using the Classifier/Assessment Job Queue report. A submitted job may be canceled from the Classifier/Assessment Job Queue
report by double-clicking on the job and choosing Stop Job.
Note: If a server within the serversGroup can not be reached, an exception of type Scheduled Job Exception is added and the serveris not scanned.
V
a
l
u
e
t
y
p
databaseType v Required. Must be one of the following: ORACLE, DB2Â®, SYBASE, MS SQL SERVER, MYSQL, TERADATA, POSTGRESQL,
a NETEZZA, IBM ISERIES, INFORMIX
l
u
e
s
l
i
s
t
serversGroup v Required. Must be a valid group of servers (Server IP/Instance Name/Port) as defined with Group Builder.
a
l
u
e
s
l
i
s
t
usersGroup v Required. Must be a valid group of users (DB User/DB Password) as defined with Group Builder. Default groups exist within
a Group Builder.
l
u
e
s
l
i
s
t
Example
grdapi non_credential_scan databaseType=ORACLE serversGroup=oracleServers usersGroup="ORACLE Default Users"
Maintain Database Mapping

These APIs help maintain the mapping between database users (Invokers of SQL that caused a violation) and email addresses for real time alerts. See Alerting Actions for
more information on Invokers.
Use of wildcards:
In the 'delete' and the 'list' commands, all 4 parameters accept wildcards ('%')
'create' command:
serverIp - wildcard is valid, '%' can be placed instead of the number in the ip_address format
192.168.2.% - valid
192.%.2.% - valid
192.% - invalid
serviceName - wildcards (%) are allowed
dbUserName - no wildcards, '%' is valid, but will be considered as the symbol '%'
emailAddress - no wildcards, '%' is valid, but will be considered as the symbol '%'

V
a
l
u
e
t
y
p
serverIp s Required. Format: IP address as A.B.C.D

t
r
i
n
g
(
I
P
A
d
d
r
e
s
s
)
serviceName s Required. Identifies the service name.

t
r
i
n
g
dbUserName s Required (any string). Identifies the database user name.

t
r
i
n
g
emailAddress s Required (any string and requires an '@' sign). Identifies the email address.
t
r
i
n
g
r
the CM.
Example
grdapi create_db_user_mapping serverIp=192.168.1.104 serviceName=ora1 dbUserName=scott emailAddress=scott@oracle.com
Use of wildcards:
'create' command:
192.168.2.% - valid
192.%.2.% - valid
192.% - invalid

V
a
l
u
e
t
y
p

t
r
i
n
g
(
I
P
A
d
d
r
e
s
s
)

t
r
i
n
g
dbUserName s Required. Identifies the database user name.

t
r
i
n
g
t
r
i
n
g
r
the CM.
Example
Use of wildcards:
'create' command:
192.168.2.% - valid
192.%.2.% - valid
192.% - invalid

V
a
l
u
e
t
y
p

t
r
i
n
g
(
I
P
A
d
d
r
e
s
s
)

t
r
i
n
g
dbUserName s Required (any string). Identifies the database user name.

t
r
i
n
g
t
r
i
n
g
r
the CM.
Example
get debug level

Use this GuardAPI command to view the debug level for IMSâ„¢ output.
set_debug_level
Use this GuardAPI command to control IMS output.
If the IMS debug_level = 1, IMS debug fields like mvs_is_plex, mvs_ipaddr, mvs_dlta_sign, mvs_dlta_val output to internal database tables,
GDM_CONSTRUCT_TEXT.FULL_SQL or GDM_EXCEPTION.FULL_SQL.
If the IMS debug level is 0, then the IMS debug fields are not distributed.

Use these GuardAPI commands to create, list, delete, and update Datasource Functions.
create_datasource
Use this command to define a new datasource.
Note: In a Central Manager environment, datasources are defined on the Central Manager. GuardAPI will allow you to create datasources on a managed unit, but those
datasources cannot be seen or used.
To create Cloud datasources, refer to GuardAPI Cloud Datasource Functions.
V
a
l
u
e
t
y
p
application v Required. Identifies the application for which the datasource is being defined. It must be one of the following:
a
l Access_policy
u
Application User translation
e
li AuditDatabase
s
t AuditTask
ChangeAuditSystem
Classifier
CustomDomain
DatabaseAnalyzer
MonitorValues
SecurityAssessment
Stap_Verification
compatibilityMode Â Compatibility Mode: Choices are Default or MSSQL 2000. The processor is told what compatibility mode to use when
monitoring a table.
conProperty c Optional. Use only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with
o this datasource.
m
m For a Sybase database with a default character set of Roman8, enter the following property: charSet=utf8
a
s
e
p
a
r
a
t
e
d
li
s
t
o
f
p
r
o
p
e
r
t
y
=
v
a
l
u
e
customURL Â Optional. Connection string to the datasource; otherwise connection is made using host, port, instance, properties, etc. of the
previously entered fields. As an example this is useful for creating Oracle Internet Directory (OID) connections.

V
a
l
u
e
t
y
p
dbInstanceAccount s Optional. Database Account Login Name that will be used by CAS
t
r
i
n
g
dbInstanceDirectory s Optional. Directory where database software was installed that will be used by CAS
t
r
i
n
g
dbName s Optional. For a DB2Â® or Oracle datasource, enter the schema name. For others, enter the database name.
t
r
i
n
g
description s Optional. Longer description of the datasource.

t
r
i
n
g
host s Required. Can be the host name or the IP address.

t
r
i
n
g
KerberosConfigName s Optional. Name of Kerberos configuration already defined in Guardium system

t
r
i
n
g
name s Required. Provides a unique name for the datasource on the system.
t
r
i
n
g
password s Optional. Password for user.

t
r
i
n
g
port i Optional. Port number.

n
t
e
g
e
r
savePassword b Saves and encrypts your authentication credentials on the Guardium appliance. Required if you are defining a datasource with
o an application that runs as a scheduled task (as opposed to on demand). When set to yes, login name and password are
o required.
l
e
a
n

V
a
l
u
e
t
y
p
serviceName s Required for Oracle, InformixÂ®, DB2, and IBMÂ® ISeries. For a DB2 datasource enter the database name, for others enter the
t service name.
r
i
n
g
severity Â Optional. Severity Classification (or impact level) for the datasource.

shared b Optional. Set to true to share with other applications. To share the datasource with other users, you will have to assign roles
o from the GUI.
o
l
e
a
n
type v Required. Identifies the datasource type. Valid values:

a
l DB2
u
DB2 for i
e
li DB2 for z/OS
s
t Informix
MS SQL Server
MS SQL Server (DataDirect)
MySQL
NA
Netezza
Oracle (DataDirect)
Oracle (Service Name)
Oracle (SID)
PostgreSQL
Sybase
Sybase IQ
Teradata
The following can be used when the application is CustomDomain or Classifier:
TEXT
TEXT:FTP
TEXT:HTTP
TEXT:HTTPS
TEXT:SAMBA
useKerberos b Optional. Set to yes to use Kerberos authentication. If yes, KerberosConfigName must be supplied.
o
o
l
e
a
n

V
a
l
u
e
t
y
p
useLDAP b Optional. Set to yes to use LDAP

o
o
l
e
a
n
user s Optional. User for the datasource. If used, password must also be used.
t
r
i
n
g
useSSL b Optional. Set to yes to use SSL authentication.

o
o
l
e
a
n
Example
grdapi create_datasource type=DB2 name=chickenDB2 Â password=guardium user=db2inst1 dbName=dn0chick application=Access_policy

shared=true port=50000 host=chicken.corp.com
create_test_exception
Use this command to add records to the Tests Exceptions. This effects the behavior for vulnerability assessments, if a test on a specific datasource fails it will check the
last record of the test exceptions table for that test/datasource such that if the execution date is contained within the from and to dates of the last record the test will be
set to PASS, the recommendation will be set to the explanation (from the exceptions record) and the result text will be set to:
Test passed, based on exception approved by: .... effective from date to date.
Note: The API only adds records to remove an exception a new record should be created with new dates according to the needs.
V
a
l
u
e
t
y
p
datasourceName s Required. Valid name of a defined datasource.

t
r
i
n
g
testDescription s Required. A valid test name within Security Assessments.

t
r
i
n
g
fromDate Â Required. Beginning date for when the exception is valid.

toDate Â Required. Ending date for when the exception is valid.

explanation s Required. A recommendation as to why the test will pass.

t
r
i
n
g

Example
grdapi create_test_exception datasourceName=ORAPROD5 testDescription="CVE-2009-0997" fromDate="2012-07-01 08:00:00" toDate="2012-

07-31 08:00:00" explanation="Currently in testing stage"
list_datasource_by_name
Displays a datasource definition identified by a name.
V
a
l
u
e
t
y
p
name s Required. The datasource name.

t
r
i
n
g
r
the CM.
Example
CLI> grdapi list_datasource_by_name name=chickenDB2

ID=20000
Datasource DatasourceId=20000
Datasource DatasourceTypeId=2
Datasource Name=chickenDB2
Datasource Description=null
Datasource Host=chicken.corp.com
Datasource Port=50000
Datasource ServiceName=
Datasource UserName=db2inst1
Datasource Password=[B@1415de6
Datasource PasswordStored=true
Datasource DbName=dn0chick
Datasource LastConnect=null
Datasource Timestamp=2008-04-18 15:40:58.0
Datasource ApplicationId=2
Datasource Shared=true
Datasource ConProperty=null
Datasource type =DB2
Application Type = Access_policy
ok
list_datasource_by_id
Displays a datasource definition identified by an ID key.
V
a
l
u
e
t
y
p
id i Required. The ID number of the datasource to be listed.

n
t
e
g
e
r

V
a
l
u
e
t
y
p
r
the CM.
Example
grdapi list_datasource_by_id id=2
delete_datasource_by_name
Deletes the specified datasource definition, unless that datasource is being used by an application. This function removes the datasource, regardless of who created it.
V
a
l
u
e
t
y
p
name s Required. The datasource name.

t
r
i
n
g
r
the CM.
Example
grdapi delete_datasource_by_name name=swanSybase
delete_datasource_by_id
Deletes the specified datasource definition, unless that datasource is being used by an application. This function removes the datasource, regardless of who created it.
V
a
l
u
e
t
y
p

V
a
l
u
e
t
y
p
id i Required. The ID number of the datasource to be listed.

n
t
e
g
e
r
r
the CM.
Example
grdapi delete_datasource_by_id id=2
update_datasource_by_name
Updates a datasource definition.
V
a
l
u
e
t
y
p
name s Required. Identifies the datasource to be updated.

t
r
i
n
g
newName s Optional. Provides a new name, which must be unique for a datasource on the system.
t
r
i
n
g

t
r
i
n
g
host s Optional. Can be the host name or the IP address.

t
r
i
n
g

V
a
l
u
e
t
y
p

n
t
e
g
e
r
o required.
l
e
a
n
serviceName s Optional. For an Oracle datasource, enter the service name.

t
r
i
n
g
t
r
i
n
g
password s Optional. Password for user. If used, user must also be used.
t
r
i
n
g
dbName s Optional. For DB2 datasources, enter the database name.

t
r
i
n
g

V
a
l
u
e
t
y
p
conProperty C Optional. Use only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with
o this datasource.
m
m For a Sybase database with a default character set of Roman8, enter the following property: CHARSET=utf8
a
s
e
p
a
r
a
t
e
d
li
s
t
o
f
:
p
r
o
p
e
r
t
y
=
v
a
l
u
e
t
r
i
n
g
t
r
i
n
g
o from the GUI.
o
l
e
a
n
customURL s Optional. Connection string to the datasource; otherwise connection is made using host, port, instance, properties, etc. of the
t previously entered fields. As an example this is useful for creating Oracle Internet Directory (OID) connections.
r
i
n
g


V
a
l
u
e
t
y
p
r
the CM.
o
o
l
e
a
n
useLDAP b Optional). Set to yes to use LDAP

o
o
l
e
a
n

o
o
l
e
a
n
Example
grdapi update_datasource_by_name name=chickenDB2 newName="chicken DB2" user=" " password=" "
update_datasource_by_id
Updates a datasource definition.
V
a
l
u
e
t
y
p
id i Required. Identifies the datasource.

n
t
e
g
e
r
newName s Optional. Provides a new name, which must be unique for a datasource on the system.
t
r
i
n
g

V
a
l
u
e
t
y
p

t
r
i
n
g
host s Optional. Can be the host name or the IP address.

t
r
i
n
g

n
t
e
g
e
r
o required.
l
e
a
n
serviceName s Optional. For an Oracle datasource, enter the service name.

t
r
i
n
g
t
r
i
n
g
password s Optional. Password for user. If used, user must also be used.
t
r
i
n
g
dbName s Optional. For DB2 datasources, enter the database name.

t
r
i
n
g

V
a
l
u
e
t
y
p
conProperty C Optional. Use only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with
o this datasource.
m
m For a Sybase database with a default character set of Roman8, enter the following property: CHARSET=utf8
a
s
e
p
a
r
a
t
e
d
li
s
t
o
f
p
r
o
p
e
r
t
y
=
v
a
l
u
e
t
r
i
n
g
t
r
i
n
g
o from the GUI.
o
l
e
a
n
customURL s Optional. Connection string to the datasource; otherwise connection is made using host, port, instance, properties, etc. of the
t previously entered fields. As an example this is useful for creating Oracle Internet Directory (OID) connections.
r
i
n
g


V
a
l
u
e
t
y
p
r
the CM.
o
o
l
e
a
n
useLDAP b Optional. Set to yes to use LDAP

o
o
l
e
a
n

o
o
l
e
a
n
Example
grdapi update_datasource_by_id id=20000 user=" " password=" " newName="chickenDB2hooo"
list_db_drivers
List only the name of database drivers Oracle (DataDirect) and MS SQL SERVER (DataDirect) are now supported as datasource types.
list_db_drivers_by_details
Lists each database driver in more details (name, class, driver class, URL, and datasource type ID)
GuardAPI Datasource Reference Functions

Use these GuardAPI commands to create, list, and delete Datasource Reference Functions.
create_datasourceRef_by_id
For a specific object of a specific application type (for example, a specific Classification process), creates a reference to a datasource.
V
a
l
u
e
t
y
p

V
a
l
u
e
t
y
p
appId i Required. Identifies the application. Must be from this list:

n
t 8 = SecurityAssessment
e 47 = CustomTables
g 51 = Classifier
e
r
datasourceId i Required. Identifies the datasource (from the datasource definition).

n
t
e
g
e
r
objId i Required. Identifies an instance of the appID type specified. For example, if apID=51, this would be the ID of a classification
n process.
t
e
g
e
r
Example
grdapi create_datasourceRef_by_id appId=51 datasourceId=20000 objId=2
create_datasourceRef_by_name
For a specific object of a specific application type (for example, a specific Classification process), creates a reference to a datasource.
Table 1. create_datasourceRef_by_name
V
a
l
u
e
t
y
p
application s Required. Identifies the application. Must be from this list:

t
r SecurityAssessment
i
CustomTables
n
g Classifier
datasourceName s Required. Identifies the datasource (from the datasource definition).

t
r
i
n
g
objName s Required. Identifies an instance of the application type specified. For example, if the application is Classifier, this would be the
t name of a specific classification process.
r
i
n
g
Example
grdapi create_datasourceRef_by_name application=Classifier datasourceName=swanSybase objName=â€ class process1â€
list_datasourceRef_by_id
For a specific object of a specific application type (for example, a specific Classification process), lists all datasources referenced.

V
a
l
u
e
t
y
p
appID i Required. Identifies the application. Must be from this list:

n
t 8 = SecurityAssessment
e
47 = CustomTables
g
e 51 = Classifier
r
objID s Required. Identifies an instance of the application type specified. For example, if the application is Classifier, this would be the
t ID of a specific classification process.
r
i
n
g
r
the CM.
Example
grdapi list_datasourceRef_by_id appId=13 objId=1
list_datasourceRef_by_name
For a specific object of a specific application type (for example, a specific Classification process), lists all datasources referenced.
V
a
l
u
e
t
y
p
application Â Required. Identifies the application. Must be from this list:

SecurityAssessment
CustomTables
Classifier
r
i
n
g
r
the CM.

Example
grdap list_datasourceRef_by_name application=Classifier objName="class process1"
delete_datasourceRef_by_id
For a specific object of a specific application type (for example, a specific Classification process), removes a datasource reference.
V
a
l
u
e
t
y
p
appId Â Required (integer). Identifies the application. Must be from this list:

8 = SecurityAssessment
47 = CustomTables
51 = Classifier
datasourceId i Required. Identifies the datasource (from the datasource definition).

n
t
e
g
e
r
objId i Required. Identifies an instance of the appID type specified. For example, if apID=51, this would be the ID of a classification
n process.
t
e
g
e
r
r
the CM.
Example
grdapi delete_datasourceRef_by_id appId=51 datasourceId=2 objId=1
delete_datasourceRef_by_name
For a specific object of a specific application type (for example, a specific Classification process), removes a datasource reference.
V
a
l
u
e
t
y
p
application Â Required. Identifies the application. Must be from this list:

SecurityAssessment
CustomTables
Classifier

V
a
l
u
e
t
y
p
datasourceName s Required. Identifies the datasource (from the datasource definition).

t
r
i
n
g
r
i
n
g
r
the CM.
Example
grdapi delete_datasourceRef_by_name application=Classifier datasourceName=swanSybase objName=â€ class process1â€
GuardAPI Data User Security Functions

Use these GuardAPI commands to create, list, delete, and update Data User Security Functions.
Add a relationship between a user and parent in the user data security hierarchy
V
a
l
u
e
t
y
p
userName s Required. The name of the user

t
r
i
n
g
parentUserName s Required. the name of the parent user.

t
r
i
n
g

V
a
l
u
e
t
y
p
r
the CM.
Example
grdapi create_user_hierarchy userName=admin parentUserName=accessmgr
Note: An error will occur if the insert is cyclic (a parent reports to a child)
list_user_hierarchy_by_parent_user
List relationships in the user data security hierarchy
V
a
l
u
e
t
y
p

t
r
i
n
g
create b If set (true or false) will or will not generate create statements for create_user_hierarchy API calls.
o
o Use this parameter to get all the commands necessary to generate a batch file. This batch file can be used to move each parent
l and child pairing to another Guardium system.
e
a
n
r
the CM.
Example

grdapi list_user_hierarchy_by_parent_user userName=admin create=true
Note: Only lists immediate parent-child relationship - will not display "grandchildren"
Deletes a relationship in the user data security hierarchy by entry id
V
a
l
u
e
t
y
p
id i Required. Identifies the entry

n
t
e
g
e
r
r
the CM.
Example
grdapi delete_user_hierarchy_by_entry_id id=1
Note: There is no failure condition if the entry doesn't exist
Deletes a relationship in the user data security hierarchy by user
V
a
l
u
e
t
y
p

t
r
i
n
g
r
the CM.
Example
grdapi delete_user_hierarchy_by_user userName=admin
Note:

There is no failure condition if the user doesn't exist.
Multiple deletes occurs if the user has multiple parents.
create_allowed_db
Create a User-DB association
V
a
l
u
e
t
y
p

t
r
i
n
g
serverIp Â Required. The server IP

instanceName s Required. The instance name

t
r
i
n
g
r
the CM.
Example
grdapi create_allowed_db userName=admin serverIp=192.168.1.1 instanceName=abcd
List User-DB associations by user
V
a
l
u
e
t
y
p

t
r
i
n
g

V
a
l
u
e
t
y
p
r
the CM.
Example
grdapi list_allowed_db_by_user userName=admin
delete_allowed_db_by_entry_id
Delete a User-DB association by entry id
V
a
l
u
e
t
y
p
id i Required. Identifies the entry.

n
t
e
g
e
r
r
the CM.
Example
grdapi delete_allowed_db_by_entry_id id=1
Delete a User-DB association by user
V
a
l
u
e
t
y
p

V
a
l
u
e
t
y
p

t
r
i
n
g
serverIp Â The server IP.

instanceName s The instance name.

t Note: For "blank" instance names, enter instanceName=[blank] (not instanceName=blank)
r
i
n
g
r
the CM.
Example
grdapi delete_allowed_db_by_user userName=scott
update_user_db
Fully apply all recent changes to the active User-DB association map
V
a
l
u
e
t
y
p
r
the CM.
Example
grdapi update_user_db
Note: In a Central Management configuration, this command should be run on a Central Manager.

Use these GuardAPI commands to view and set load balancing parameters, view the current load map, and manage S-TAP and managed unit group associations.

get_load_balancer_load_map
View the current load map.
grdapi get_load_balancer_load_map
get_load_balancer_params
View the current load balancer configuration parameters.
grdapi get_load_balancer_params
set_load_balancer_param
Set load balancer configuration parameters.
grdapi set_load_balancer_param [paramName=value][paramValue=value][paramType=STAP]
See Enterprise load balancing configuration parameters for a list of available parameters and allowed values.
For example, grdapi set_load_balancer_params paramName=LOAD_BALANCER_ENABLED paramValue=0 paramType=STAP
Use this format for correct input
grdapi set_load_balancer_param --help=true
ID=0
function parameters : paramName - String - required
paramType - String - required
paramValue - String - required
To get a Constant values list for a parameter, call the function with --get_param_values
assign_load_balancer_groups
Assign a managed unit group to an application or S-TAP group.
grdapi assign_load_balancer_groups muGroupName=[value] appGroupName=[value]
muGroupName managed unit group name For example, muGroupName=mu_group_NA.
appGroupName application or S-TAP group name For example, appGroupName=app_group_NA.
ifFailoverGroup 1 or 0 For Example, isFailoverGroup=0
unassign_load_balancer_groups
Unassign a managed unit group from an application or S-TAP group.
grdapi unassign_load_balancer_groups muGroupName=[value] appGroupName=[value]
muGroupName managed unit group name For example, muGroupName=mu_group_NA.
appGroupName application or S-TAP group name For example, appGroupName=app_group_NA.

GuardAPI Entitlement Optimization Functions

Use these GuardAPI commands to enable and configure the Entitlement Optimization datasources and reporting.
enable_entitlement_optimization
Enables the entitlement optimization feature on this Collector.
grdapi enable_entitlement_optimization
disable_entitlement_optimization
Disables the entitlement optimization feature on this Collector.
grdapi disable_entitlement_optimization
add_datasource_to_entitlement_optimization
Adds the data from this source to the entitlement optimization data collection, and to individual tabs as specified.
grdapi add_datasource_to_entitlement_optimization

datasource datasourceName Name of datasource
Name
isEnabled one of: true, false Datasource is enabled, or disabled, for entitlement optimization
Default = false
userScope One or more comma separated Guardium Optional. Entitlement recommendations results are filtered by this group of users. Browse Entitlements
user group IDs (groups must contain only results: indicates whether users are included in this scope or not; does not present user activity count of
users) users outside the scope.
default = NULL
objectScop One or more comma separated Guardium Optional. Entitlement recommendations results are filtered by this group of objects.
e object group IDs (groups must contain only
objects) default = NULL
extractActiv one of: true, false Enables, disables extraction of datasource activity.
ity
Must be true for Browse Entitlements and What If.
Default = false
extractEntitl one of: true, false Enables, disables extraction of entitlement data.
ement
Must be true for What's New, Users and Roles, Recommendations, and Browse Entitlements
Default = false
generateRol one of: true, false Enables, disables extraction of behavioral role clustering from the data source, used in the What If tab.
eClusters
Must be true for What If.
Default = false
generateNe one of: true, false Activity from this datasource is included in the What's New? tab.
ws
Default = false
generateRe one of: true, false Activity from this datasource is included in the Recommendations.
commendat
ions Default = false
filterTempO one of: true, false For future use.

bjects
Temporary objects are filtered from the data source's collected data.
Default = true
filterIgnore one of: true, false For future use.

Verbs
Ignore verbs are filtered from the data source's collected data.
Default = true
remove_datasource_from_entitlement_optimization
Removes all data from this source from the entitlement optimization data collection.
remove_datasource_from_entitlement_optimization
set_entitlement_datasource_parameter
Modifies parameters for data source that is already enabled for entitlement optimization. Uses the same parameters as add_datasource_to_entitlement_optimization.
grdapi set_entitlement_datasource_parameter
get_entitlement_datasource_parameter
Displays the parameter settings for each data source on this Collector.
grdapi get_entitlement_datasource_parameter
Example:
Entitlement Optimization is enabled

===================================
Datasource: SCALE-DB16
===================================
isEnabled: true
userScope:
objectScope:
generateNews: true
===================================
Datasource: on12scal
===================================

isEnabled: true
userScope:
objectScope:
generateNews: true
GuardAPI External Feed Functions

Use these GuardAPI functions to create mappings for external feeds.
create_ef_mapping
This function creates a mapping and populates tables based on the name of the report specified by the reportName parameter. Each mapping has a name stored in
EF_MAP_TYPE_HDR.EF_TYPE_DESC, and that name will be identical to the value of reportName. The target table name will also be based on the reportName parameter,
with underscores added between the words. For example, "My Report" becomes MY_REPORT.
V
a
l
u
e
t
y
p
reportName s Name of the report to use for external feed mapping. This parameter also determines the name of the mapping and the target
t table name.
r
i
n
g
modify_ef_mapping
Sometimes the names generated by create_ef_mapping are not suitable for particular database, and modify_ef_mapping can be used to adjust the names to fit database
requirements. Only mappings with ID >= 20000 may be modified in order to protect predefined Guardium mappings.
V
a
l
u
e
t
y
p
reportName s Name of the mapping to modify.

t
r
i
n
g
modifyObj Â Specifies the database object to modify, either table or column. Existing values can be retrieved using the list_ef_mapping
function.
oldName Â Specifies the old table name to remove.

newName s Specifies the new table name to use.

t
r
i
n
g
delete_ef_mapping
This function allows you to delete existing mappings. Only mappings with ID >= 20000 may be deleted in order to protect predefined Guardium mappings.

V
a
l
u
e
t
y
p
reportName s Name of the mapping to delete.

t
r
i
n
g
list_ef_mapping
If run without any parameters, this function returns a list of all customer-created mappings. If run with the reportName parameter, this function returns details of the
specified mapping (such as the table and column names used by the external feed).
Table 1.
V
a
l
u
e
t
y
p
reportName s Optional. Name of the mapping for which to return details.

t
r
i
n
g

Use the following GuardAPI commands to enable and disable the file activity monitor, configure the file Investigation Dashboard activity and entitlement extractions
schedule, and get information on the file activity monitor.
Use the GuardAPI command, grdapi create_policy, to create a FAM policy. After the policy is created, use FAM-specific GuardAPI commands.
For example:
grdapi create_policy ruleSetDesc='TEST'
grdapi create_fam_rule policyName='TEST' ruleName=r-test-sles11 actionName="Log As Violation and Audit" serverHost="9.70.144.98:FAM" filePath="/famtest/*"
For instructions on how to use GuardAPI commands, see GuardAPI Reference.
enable_fam_crawler
Sets the Guardium system to process crawler results and file activity data. The results will be added automatically to quick search index files. Use the parameters to
schedule file quick search activity, entitlement extractions, and remote group population.
Note: The Investigation Dashboard must also be enabled with the command grdapi enable_quick_search schedule_interval=1.
V
a
l
u
e
t
y
p
extraction_start Â Initial date/time from which data is extracted to file quick search. It is limited to 2 days in the past. The default is current time. If the
unit is set to HOUR, then it is rounded to an hour. If it is set to DAY, then it is rounded to a day.
schedule_start Â The default is current time.


V
a
l
u
e
t
y
p
activity_schedule_interval i Required. This parameter sets activity schedule interval. The recommended interval is 2 with the unit set to MINUTE.
n
t
e
g
e
r
activity_schedule_units v Required. This parameter sets the unit of the activity unit. The values are either MINUTE or HOUR. The recommended unit is MINUTE.
a
l
u
e
l
i
s
t
entitlement_schedule_interva i Required. This parameter sets the entitlement schedule interval. The recommended interval is 1 with the unit set to DAY.
l n
t
e
g
e
r
entitlement_schedule_units v Required. This parameter sets the unit of the entitlement schedule. The possible values are MINUTE, HOUR, and DAY. The
a recommended unit is DAY.
l
u
e
l
i
s
t
Example
grdapi enable_fam_crawler extraction_start=< > schedule_start=< >

activity_schedule_interval=2 activity_schedule_units=MINUTE
entitlement_schedule_interval=10 entitlement_schedule_units=MINUTE
disable_fam_crawler
Disables the file activity monitor. The file quick search activity and entitlement extractions scheduler are removed. This function also disables remote group population.
Example
grdapi disable_fam_crawler
get_fam_crawler_info
Shows the status of the file activity monitor. If it is enabled, the command shows the settings for the entitlement extraction and file quick search activity schedule.
FAM Crawler (server side) is disabled.
FAM Crawler (server side) is enabled. Entitlement(1 DAY) Activity(2 MINUTE)
Example
grdapi get_fam_crawler_info
list_policy_fam_rule
Lists all the rules in a FAM policy.
a
l
u
e
t
y
p
e

policyName s Required. Policy name
t
r
i
n
g
ruleName s Optional. If no ruleName is provided, all policy rules with details will be shown. If a ruleName is provided, details will be listed for
t that rule.
r
i
n
g
create_fam_rule
Creates a new FAM rule.
V
a
l
u
e
t
y
p
policyName s Required. Policy name.

t
r
i
n
g
ruleName s Required. Rule name.

t
r
i
n
g
filePath s File path to be monitored. Either filePath or filePathGroup must be specified.

t
r
i
n
g
notfilePath b Must be yes or no. Yes means apply this rule to all files except those in the specified path.
o
o
l
e
a
n
filePathGroup s Group of file paths. Either filePath or filePathGroup must be specified.

t
r
i
n
g
includeSubDirectory b Must be yes or no. Yes means include files in all subdirectories.
o
o
l
e
a
n
removableMedia s Must be yes or no.

t
r
i
n
g
osUser s OS user name.

t
r
i

n
g
osUserGroup s Group of OS users.

t
r
i
n
g
notOSUser s Must be yes or no. Yes means use all users except the specified osUser,
t
r
i
n
g
serverHost s Host name.

t
r
i
n
g
serverHostGroup s Group of hostnames.

t
r
i
n
g
command s The command name to be included in the rule, one of

t
r DELETE
i EXECUTE
n FILEOP
g READ
WRITE
commandGroup s Group of commands.

t
r
i
n
g
notCommand s Must be yes or no. Yes means use all commands except the specified command.
t
r
i
n
g
actionName s Required, The name of the FAM action.

t
r
i
n
g
messageTemplate s Message template name.

t
r
i
n
g
notificationType s Notification type, one of

t
r MAIL
i SNMP
n CUSTOM
g SYSLOG
userLoginName s User login name.

t
r
i
n
g
classDestination s Name of custom class to be invoked.

t
r
i

n
g
policy_fam_rule_delete
Deletes a rule from a FAM policy.
V
a
l
u
e
t
y
p
policyName s Required. Policy name

t
r
i
n
g
ruleName s Required. Name of the rule to be deleted.

t
r
i
n
g
add_action_to_fam_rule
Adds an action to an existing FAM rule.
V
a
l
u
e
t
y
p
actionName s Required. The name of the FAM action.

t
r
i
n
g
alertReceiver s AlertReceiver is any user of the appliance like admin, etc.

t
r
i
n
g
command s The command name to be included in the rule. One of:

t
r DELETE
i EXECUTE
n FILEOP
g READ
WRITE
messageTemplate s String. Message template name.

t
r
i
n
g
notificationType s Notification type, one of:

t
r MAIL
i SNMP
n CUSTOM
g SYSLOG
policyName s Required. Valid policy name.

t

r
i
n
g
ruleName s Required. Name of the rule to be updated.

t
r
i
n
g
GuardAPI GIM Functions

Use these CLI commands to list, update, assign, remove and cancel GIM Functions.
gim_list_registered_clients
Lists all the registered clients.
V
a
l
u
e
t
y
p
r
Example
grdapi gim_list_registered_clients
gim_list_client_params
Lists all the (module) parameters assigned to a specific client.
V
a
l
u
e
t
y
p
clientIP s Required - Client IP Address

t
r
i
n
g
r
Example

grdapi gim_list_client_params clientIP=192.168.12.210
gim_update_client_params
Updates a single module parameters in a specific client.
V
a
l
u
e
t
y
p
clientIP s Required. IP of target client

t
r
i
n
g
paramName s Required. Parameter Name

t
r
i
n
g
paramValue s Required. Parameter Value

t
r
i
n
g
r
Example
grdapi gim_update_client_params clientIP=192.168.1.100 paramName=STAP_TAP_IP paramValue=192.168.1.100
gim_list_client_modules
Lists all the modules assigned to a specific client and their state
V
a
l
u
e
t
y
p

t
r
i
n
g

V
a
l
u
e
t
y
p
r
Example
grdapi gim_list_client_modules clientIP=192.168.2.210
gim_load_package
Loads all the modules within 'filename'.
Note: This command will load a file which resides on local file system, therefore the procedure (cmd='fileserver') of loading a file to the CM/Guardium appliance must
precede this command.
V
a
l
u
e
t
y
p
r
Example
grdapi gim_load_package Â filename=*.gim
Note: The wildcard "*" can be used within filename.
gim_assign_bundle_or_module_to_client_by_version
Assigns a bundle/module to a client.
V
a
l
u
e
t
y
p

t
r
i
n
g

V
a
l
u
e
t
y
p
module s Required - Module

t
r
i
n
g
moduleVersion s Required - Module Version

t
r
i
n
g
r
Example
grdapi gim_assign_bundle_or_module_to_client_by_version clientIP=192.168.1.100 Â module=BUNDLE-STAP

moduleVersion=â€ 8.0_r1234_1â€
gim_schedule_install
Schedules for installation all the modules/bundles that were assigned to a client and haven't been installed yet (for example, PENDING). If the parameter module is
specific, only the requested module will be scheduled.
V
a
l
u
e
t
y
p

t
r
i
n
g
module s Optional - Module. If module is not specified in the command, all the modules for the specified clientIP will be scheduled for install.
t
r
i
n
g
date Â Required - Date; Format: 'now' or 'yyyy-MM-dd HH:mm'

r

Example
grdapi gim_schedule_install clientIP=192.168.1.100 module=BUNDLE-STAP Â date=â€ 2008-07-02 14:50â€
grdapi gim_schedule_install clientIP=192.168.1.100 date=â€ 2008-07-02 14:50â€
Note: Date in the past may be used to run something immediately.
gim_list_client_status
Displays the status of the latest operation executed for a specific client.
V
a
l
u
e
t
y
p

t
r
i
n
g
r
Example
grdapi gim_list_client_status clientIP=192.168.1.100
gim_uninstall_module
Uninstalls a module/bundle on a specific client.
V
a
l
u
e
t
y
p

t
r
i
n
g
module s Required - Module.

t
r
i
n
g


V
a
l
u
e
t
y
p
r
Example
grdapi gim_uninstall_module clientIP=192.168.1.100 module=BUNDLE-STAP
gim_cancel_install
Cancels installation of Â a bundle/module on a specific client. Canceling installation is possible only if a module/bundle is not already in the process of being installed by a
client (STATE=IP or IP-PR)
V
a
l
u
e
t
y
p

t
r
i
n
g
module s Required- Module.

t
r
i
n
g
r
Example
grdapi gim_cancel_install clientIP=192.168.1.100 module=BUNDLE-STAP
gim_list_bundles
Lists all the available bundles. A bundle is a group of modules that can be installed on a client.

V
a
l
u
e
t
y
p
r
Example
grdapi gim_list_bundles
gim_list_mandatory_params
Lists the mandatory parameters for a single module.
V
a
l
u
e
t
y
p
module s The name of the GIM module for which to display the mandatory parameters
t
r
i
n
g
version s The version of the GIM module for which to display the mandatory parameters
t
r
i
n
g
Example
grdapi gim_list_mandatory_params module=name version=number
gim_assign_latest_bundle_or module_to_client
Assigns the latest (i.e. the highest version) available bundle or module for a specific client.
V
a
l
u
e
t
y
p

t
r
i
n
g

V
a
l
u
e
t
y
p

t
r
i
n
g
r
Example
grdapi gim_assign_latest_bundle_or_module_to_client clientIP=192.168.1.100 Â module=BUNDLE_STAP
gim_schedule_uninstall
Schedules uninstallation of all the modules/bundles that were assigned to a client and haven't been uninstalled yet (i.e. â€œPENDINGâ€ ). If the parameter 'module' is
specific, only the requested module will be scheduled.
V
a
l
u
e
t
y
p

t
r
i
n
g
module s Optional - Module. If module is not specified in the command, all the modules for the specified clientIP will be scheduled for install.
t
r
i
n
g

r
Example
grdapi gim_schedule_uninstall clientIP=192.168.1.100 module=BUNDLE-STAP Â date=â€ 2008-07-02 14:50â€ grdapi

gim_schedule_uninstall clientIP=192.168.1.100 date=â€ 2008-07-02 14:50â€
gim_cancel_uninstall

Cancels uninstallation of Â a bundle/module on a specific client. Canceling uninstallation is possible only if a module/bundle is not already in the process of being installed
by a client (STATE=IP or IP-PR)
V
a
l
u
e
t
y
p

t
r
i
n
g

t
r
i
n
g
r
Example
grdapi gim_cancel_uninstall clientIP=192.168.1.100 module=BUNDLE-STAP
gim_remove_bundle
The command will delete bundlePackageName from the database as well as from the file system (from /var/log/guard/gim_packages , and also
from/var/gim_dist_packages if the Guardium system is a central manager).
parameters (required):
bundlePackageName
Parameter value take bundle package name as specified in the output of the gim_list_unused_bundles. The command will be successful only if:
2.1 The value of bundlePackageName refers to a BUNDLE
2.2 The value of bundlePackageName is not assigned to any client
2.3 The value of bundlePackageName exists
2.4 There is one and only one bundle that refers to the value of bundlePackageName
ALL the conditions (2.1 to 2.4) must be true in order to delete a bundle from the database/file system. Otherwise an error will be generated.
Example
grdapi gim_remove_bundle bundlePackageName= bundlePackageName
gim_unassign_client_module
Unassigns a module from a client. Unlike 'gim_remove_module', this command will untie the connection between a module and a specific client on the CM/Guardium
appliance. This command is will NOT uninstall or remove the module on the actual DB-server machine. It is to be used only in cases on synchronization problems between
the DB-server (i.e client) information and the CM/Guardium appliance information regarding the current state of the modules.
V
a
l
u
e
t
y
p

V
a
l
u
e
t
y
p

t
r
i
n
g
module s Optional. Module. If module is not specified in the command, all the modules for the specified clientIP will be scheduled for install.
t
r
i
n
g
date Â Required. Date; Format: 'now' or 'yyyy-MM-dd HH:mm'

r
Example
grdapi gim_unassign_client_module clientIP=192.168.1.100 Â module=STAP
gim_get_purge_list
List old software packages (GIM files) that have previously been uploaded to the GuardiumÂ® appliance or CM.
V
a
l
u
e
t
y
p
olderThan s Required - Number of days. Files older than the number of days specified will be purged. Valid value is any number greater or equal to
t 0.
r
i
n
g
excludeLatest b Optional - true or false (default value is true).

o
o true: Avoid purging the latest version per OS per module.
l
false: Purge the latest version per OS per module.
e
a
n
r

Example
grdapi gim_get_purge_list olderThan=30 excludeLatest=true
gim_purge
Remove old software packages (GIM files) that have previously been uploaded to the Guardium appliance or CM.
V
a
l
u
e
t
y
p
olderThan s Required - Number of days. Files older than the number of days specified will be purged. Valid value is any number greater or equal to
t 0.
r
i
n
g
excludeLatest b Optional - true or false (default value is true).

o
o true: Avoid purging the latest version per OS per module.
l
false: Purge the latest version per OS per module.
e
a
n
filename s Optional - A specific file that is to be removed. If the file specified is a bundle (for example, starts with 'guard-bundle'), the content of
t this bundle will be removed.
r
i
n
g
r
Example
grdapi gim_purge olderThan=30
Note:
Either the 'filename' parameter or (olderThan and/or excludeLatest) can be specified in the command.
GIM purge will not purge files that are currently scheduled for installation.
GIM purge will not allow the removal of any file (for example, parameter filename) that includes '/' character.
gim_get_available_modules
List the available modules / bundles available to install on a specific server.
V
a
l
u
e
t
y
p

t
r
i
n
g

Example
grdapi gim_get_available_modules clientIP=192.168.1.100
gim_get_client_last_event
List the latest operation executed for a specific client.
gim_get_client_last_event is a GrdAPI command with limited functionality. All it does is show the last event occurred during the latest installation attempt. For example, if
during the latest installation of S-TAP there were some errors, it will show up by running that grdapi command. However, if you manually fix the installation problem
directly on the database server, this grdapi command will still show the same original error message (even though S-TAP is now running). This command should not be
used to evaluate S-TAP status after manual fixes on the database server.
V
a
l
u
e
t
y
p

t
r
i
n
g
Example
grdapi gim_get_client_last_event clientIP=winx64
gim_get_modules_running_status
List the modules / bundles currently running on a specific server.
V
a
l
u
e
t
y
p

tr
i
n
g
process s name of process

tr
i
n
g
status O Â
N
o
r
O
F
F
tr is executed. Valid values:
i
n all_managed: for all managed units
g all: all managed units and CM

Example
grdapi gim_get_modules_running_status clientIP=192.168.1.100 process= status=
gim_list_unused_bundles
The command returns a list of unused (not installed on any database server) bundles and individual Windows modules that can be uploaded (for example, Windows CAS,
Windows FAM).
parameters (required):
includeLatest ( valid values 0/1)
If set to value 1, the returned list of unused bundles will include the latest unused bundle.
Example
grdapi gim_list_unused_bundles includeLatest=1
gim_reset_client
Disassociate modules from selected client.
V
a
l
u
e
t
y
p

t
r
i
n
g
r
Example
grdapi gim_reset_client clientIP=192.168.1.100
gim_set_diagnostics
Set diagnostics collection within GIM.
V
a
l
u
e
t
y
p

t
r
i
n
g

V
a
l
u
e
t
y
p
r
Example
grdapi gim_set diagnostics clientIP=192.168.1.100
gim_set_global_param
Set global parameters within GIM.
V
a
l
u
e
t
y
p

t
r
i
n
g
paramName s Required - Name of the parameter within the API function to be mapped
t
r
i
n
g
paramValue s Required - Value of the parameter within the API function to be mapped
t
r
i
n
g
sqlguardip s Optional - IP address /host name of the collector this GIM agent will connect to.
t
r
i
n
g
ca_file s Optional - Full file name path to the certificate authority PEM file.
t
r
i
n
g
key_file s Optional - Full file name path to the private key PEM file.
t
r
i
n
g

V
a
l
u
e
t
y
p
cert_file s Optional - Full file name path to the certificate PEM file.
t
r
i
n
g
gim_listener_default_port s Optional - Set a different port for the GIM agent server mode.
t
r
i
n
g
gim_listener_default_shared_se s Optional - Set a shared secret to verify collectors that are sending requests to the new server mode GIM agent.
cret t
r
i
n
g
no_listener s Optional - Disable the GIM agent in server mode.

t
r
i
n
g
r
Example
grdapi gim_set_global_param clientIP=192.168.1.100 paramName=gim_listener_default_port paramValue=8445
gim_remote_activation
Connects the collector's IP address to a server mode GIM agent or group of GIM agents.
V
a
l
u
e
t
y
p
targetGroup s Optional - The group name of all the database servers that the collector connects to. It cannot be specified with the
t targetHost parameter.
r
i
n
g
sharedSecret s Optional - The shared secret that was configured during installation.
t
r
i
n
g

V
a
l
u
e
t
y
p
targetPort s Optional - The port server mode of the GIM agent.

t
r
i
n
g
r
Guardium V10.1 and 10.1.2: In a central management configuration only, specifies a target host where the API will execute.
On a Central Manager (CM) the value is the host name or IP of any managed units. On a managed unit it is the host name or
IP of the CM.
Example
grdapi gim_remote_activation targetGroup=<someGroup> sharedSecret=<password> targetPort=8445
GuardAPI Group Functions

Use these GuardAPI commands to create, list, and delete Datasource Group Functions.
Note: In a Central Management environment, all groups are defined on the Central Manager and sent to the managed units on a scheduled basis.
Group Functions
create_group
list_group_by_id
list_group_by_desc
delete_group_by_id
delete_group_by_desc
update_group_by_id
update_group_by_desc
flatten_hierarchical_groups
Member Functions
create_member_to_group_by_id
create_member_to_group_by_desc
list_group_members_by_id
list_group_members_by_desc
delete_member_from_group_by_id
delete_member_from_group_by_desc
create_group
create_group
Create a group definition.

V
a
l
u
e
t
y
p
desc s Required. Enter a unique description for the new group.

t
r
i
n
g
type v Required. Must be one of the following:

a
l Application Event Value Number
u
Application Event Value String
e
l Application Event Value Type
i
s Application Item Name
t
Application Module
Application System ID
Application Transaction Code
APPLICATION USER
Audit Task Type
Client Hostname
Client IP
Client IP/DB User
Client IP/Src App./DB User
Clietn IP/Src App./DB User/Server IP/Svc. Name
Client MAC Address
Client OS
COMMANDS
CVE Pre-defind Tests
Database Name
DB Error Codes
DB PROTOCOL
DB PROTOCOL VERSION
DB Role
DB User/Object/Privilege
DB Ver./Patches
EXCEPTION TYPE
FIELDS
Files Permissions
Global ID
GuardiumÂ® Audit Categories
Guardium Role
Guardium Users
Login Succeded Code
NET PROTOCOL
Object/Command
Object/Field

V
a
l
u
e
t
y
p
OBJECTS
Operation Type
OS User
PORT
Qualified Objects
Records Affected
SCHEMA
SENTENCE DEPTH
Server Description
Server Hostname
Server IP
Server IP/DB User
Server IP/Server Port
Server IP/Svc. Name/DB User
Server OS
SERVER TYPE
Service Name
SOURCE PROGRAM
SQL Based pre-defined Tests
TeraData Profile/DB User
TTL
USERS
VA Tests Exception
WEEKDAY
YEAR
appid v Required. Identifies the application for the group. It must be one of the following values:
a
l Public
u
Audit Process Builder
e
l Baseline Builder
i Attention: The Baseline Builder and related functionality is deprecated starting with Guardium V10.1.4.
s
t Classifier
DB2_zOS groups
Express Security
IMS zOS groups
Policy Builder
Security Assessment Builder
Â
subtype s Optional. A sub type is used to collect multiple groups of the same group type, where the membership of each group is exclusive. For
t example, assume that you have database servers located in three datacenters, and that you want to group the servers by location. You
r would define a separate group of database servers for each location, and define all three groups with the same sub type (datacenter,
i for example).
n
g

V
a
l
u
e
t
y
p
category s Optional.Â A category is an optional label that is used to group policy violations and groups for reporting.
t
r
i
n
g
classification s Optional. A classification is another optional label that is used to group policy violations and groups for reporting.
t
r
i
n
g
r
Examples (follow exactly, upper-case and lower-case letters where indicated)
grdapi create_group desc=agroup type=OBJECTS appid=Public owner=admin
grdapi create_group appid=Access_policy owner=admin type="OBJECTS" desc=groupName1
list_group_by_id
Display the properties of a specific group.
V
a
l
u
e
t
y
p
id i Required. Identifies the group.

n
t
e
g
e
r
r
Example
grdapi list_group_by_id id=100003
list_group_by_desc
Display the properties of a specific group.

V
a
l
u
e
t
y
p
desc Â Required. The name of the group to be displayed.

r
Example
grdapi list_group_by_desc desc=agroup
delete_group_by_id
V
a
l
u
e
t
y
p
id i Required. Identifies the group.

n
t
e
g
e
r
r
Example
grdapi delete_group_by_id id=100005
delete_group_by_desc
V
a
l
u
e
t
y
p
desc s Required. The name of the group to be removed.

t
r
i
n
g

V
a
l
u
e
t
y
p
r
i
n
g

Example
grdapi delete_group_by_desc desc=agroup
update_group_by_id
Update properties of the specified group.
V
a
l
u
e
t
y
p
id i Required. Identifies the group to be updated.

n
t
e
g
e
r
newDesc s Optional. Enter a unique description for the new group.

t
r
i
n
g
i for example).
n
g
t
r
i
n
g

V
a
l
u
e
t
y
p
t
r
i
n
g
r
Example
grdapi update_group_by_id id=100002 newDesc=beegroup subtype=bee category=be classification=bea
update_group_by_desc
Update properties of the specified group.
V
a
l
u
e
t
y
p
desc s Required. The name of the group to be updated.

t
r
i
n
g
newDesc s Optional. Enter a unique description for the group.

t
r
i
n
g
i for example).
n
g
t
r
i
n
g
t
r
i
n
g

V
a
l
u
e
t
y
p
r
i
n
g

Example
grdapi update_group_by_desc desc=beegroup newDesc=beegroupee category=bebebe classification=bebebebe
flatten_hierarchical_groups
Update ALL hierarchical groups that exist in Group Builder.
V
a
l
u
e
t
y
p
r
Example
grdapi flatten_hierarchical_groups
create_member_to_group_by_id
Add a member to a group specified by the group ID.

V
a
l
u
e
t
y
p
id i Required. Identifies the group to which the member is to be added.

n
t
e
g
e
r
member s Required. The new member name, which must be unique within the group.
t
r
i
n
g
r
Example
grdapi create_member_to_group_by_id id=100005 member=turkey
create_member_to_group_by_desc
Add a member to the named group.
V
a
l
u
e
t
y
p
desc s Required. The name of the group to which the member is to be added.
t
r
i
n
g
member s Required. The new member name, which must be unique within the group.
t
r
i
n
g
r
Example
grdapi create_member_to_group_by_desc desc=bgroup member=turkey

Use these commands to add members to the group
grdapi create_member_to_group_by_desc desc=groupName1 member=member_1
Additional group GuardAPI commands
create_hierarchical_member_to_group_by_desc
delete_hierarchical_member_from_group_by_desc
desc - String - required
member - String - required
list_group members_by_id
List the members of the specified group.
V
a
l
u
e
t
y
p
id i Required. Identifies the group whose members are to be listed.

n
t
e
g
e
r
r
Example
grdapi list_group_members_by_id id=100001
list_group_members_by_desc
List the members of the specified group.
V
a
l
u
e
t
y
p
desc s Required. The name of the group whose members are to be listed.
t
r
i
n
g

V
a
l
u
e
t
y
p
r
n
g

Example
grdapi list_group_members_by_desc desc=bgroup
delete_member_from_group_by_id
Remove a member from a specified group.
V
a
l
u
e
t
y
p
id i Required. Identifies the group from which the member is to be removed.

n
t
e
g
e
r
member s Required. The name of the member to be removed.

t
r
i
n
g
r
Example
grdapi delete_member_to_group_by_id id=100005 member=turkey
delete_member_from_group_by_desc
Remove a member from a specified group.

V
a
l
u
e
t
y
p
desc s Required. The name of the group from which the member is to be removed.
t
r
i
n
g
member s Required. The name of the member to be removed.

t
r
i
n
g
r
Example
grdapi delete_member_from_group_by_desc desc=bgroup member=boston
GuardAPI Input Generation

GuardAPI Input Generation allows the user to take the output of one GuardiumÂ® report and feed it as the input for another Guardium entity; allowing users to used
prepared calls to quickly call API functionality.
Generate Input for Guard API Calls

The generation of Guard API calls from reports can be invoked in one of two ways, either from a single row within a report or multi-rows that is based on a whole report
(what is seen on the screen). Â See the how-to topic, Generate API Call From Reports, for an example.
When a report is displayed:
For Single Row:
1. Double-clicking on a row for drill-down displays an option to Invoke... Click the Invoke... option to display a list of APIs that are mapped to this report.
For Multi Row
1. Click the Invoke... icon (within the report status line) to display a list of APIs that are mapped to this report.
Continue the steps for both Single and Multi Row
2. Click the API you would like to invoke; bringing up the API Call Form for the Report and Invoked API Function. Invoking an API call from a report for multiple rows
produces an API Call Form that displays and enables the editing of all records that are displayed on the screen (dependent on the fetch size) to a maximum of 20
records.
3. Fill in the Required Parameters and any non-Required Parameters for the selected API call. Many of the parameters are pre-filled from the report but might be
changed to build a unique API call. For specific help in filling out required or non-required parameters, see the individual API function calls within the GuardAPI
Reference guide.
For multi row, use the set of parameters for the API (those with a button for each parameter) to enter a value for a parameter and then click the down arrow button
populate that parameter for all records. Also, use the check boxes for each row to select or deselect a row from being included in the API call.
Note: Parameters with the name of 'password' are masked.
- displays additional information to screen, 2 - puts information into the Guardium application debug logs, 3 - will do both 1 & 2)
a. If Invoke Now is selected, the API call runs immediately and display an API Call Output screen showing the status of the API call.
b. If Generate Script is selected
i. Open the generated script with your favorite editor or optionally save to disk to edit and execute later.
Example Script

# A template script for invoking Sqlguard API function delete_datasource_by_name seven times:
# Usage: ssh cli@a1.corp.com<delete_datasource_by_name_api_call.txt
set guiuser <username> password <password>
grdapi delete_datasource_by_name name=192.168.2.91
grdapi delete_datasource_by_name name=egret-oracle
grdapi delete_datasource_by_name name=egret-oracle3
ii. Modify the script; replacing any of the empty parameter values (denoted by '< >')
Note: Empty parameters might remain in the script as the API call ignores them
Example Modified Script
# A template script for invoking Sqlguard API function delete_datasource_by_name seven times:
# Usage: ssh cli@a1.corp.com<delete_datasource_by_name_api_call.txt
set guiuser <username> password <password>
grdapi delete_datasource_by_name name=egret-oracle3
iii. Execute the CLI function call
Example Call
$ ssh
cli@a1.corp.com<c:/download/delete_datasource_by_name_api_call.txt
Mapping GuardAPI to Report Results

Guardium comes with a battery of predefined reports and many of them have already been mapped to GuardAPI functions to ease configuration. In addition, Guardium
offers users the capability to define additional reports, even their own custom made reports, and map them to GuardAPI functions per report.
1. Go to any predefined report in the Daily Monitor tab, Guardium Monitor tab, or Tap Monitor tab.
2. Click the Invoke ... button.
3. Choose the Add API mapping selection.
4. At the new window, Add API mapping shows the name of the report, for example, Guardium Logins; a search/filter mechanism to find the appropriate GuardAPI
command; and, selection choices for API functions available under the Predefined Report. Choose the API function, and then click Map Report Attributes.
5. At the new window, API-Report Parameter Mapping, map the parameter name to the Report field. Sometimes there might be data that is not supplied with a
Guardium report. For these instances, a constant can be created, added to the report and used within the API parameter mappings.
Note: Save overrides the current mapping.
Note: If the Guardium report, with a constant added, is exported, the constant will not be exported.
To simplify the mapping between the GuardAPI parameters and Guardium attributes, Guardium created the predefined report Query Entities & Attributes that list all the
Guardium attributes; giving users a GUI interface and allowing them to easily drill down from that report and create the linkages quickly.
Existing Guardium attributes or user-defined constants may be mapped to the GuardAPI parameters of Existing Attributes or Constants.
Note: When GuardAPI parameters are mapped to report attributes, if a report has more than one attribute that is mapped to the same GuardAPI parameter, the value
picked for the API call is the first of these attributes according to the order of display in the report.
Existing Attributes
1. Go to the Query Entities & Attributes report to add the API parameter mappings. (Guardium Monitor -> Query Entities & Attributes)
2. The Query Entities & Attributes report is long because it lists all the Guardium attributes. Narrow down the records you are interested in by using the
Customize button.
3. To create the mapping, double-click the attribute row you would like to assign to a parameter name
4. Click the Invoke... option
5. Select the create_api_parameter_mapping API function
6. Fill in the functionName and parameterName in the API Call Form
7. Click the Invoke now button to create the API to Report Parameter Mapping
See how-to topic, Using API Calls From Custom Reports, for a full scenario that maps GuardAPI parameters through the GUI.
Constants
Sometimes there may be data that is not supplied within a Guardium report. For these instances, a constant can be created, added to the report, and then used
within the API parameter mappings.
1. Go to the Query Entities & Attributes report to add the API parameter mappings. (Guardium Monitor -> Query Entities & Attributes)
2. The Query Entities & Attributes report is long because it lists all the Guardium attributes. Narrow down the records you are interested in by using the
Customize button.
3. To create a constant attribute, double-click any row for the entity you would like to create a constant attribute for
5. Select the create_constant_attribute API function

6. Fill in the constant value to use and an attributeLabel you like to name it
7. Click the Invoke now button to create the constant
8. To create the mapping, double-click the newly created attribute row
10. Select the create_api_parameter_mapping API function
11. Fill in the functionName and parameterName in the API Call Form
12. Click the Invoke now button to create the API to Report Parameter Mapping
13. The newly created attribute must be added to the report. Modify the Query through Query Builder and add the field.
See how-to topic, Using Constants within API Calls, for a full scenario that creates and maps a constant attribute through the GUI.
Note: If the Guardium report, with a constant added, is exported, the constant will not be exported.
Note: When using API mapping, table columns in a report appears in the report field as long as the table column is an attribute of an entity. Some of the columns
such as count column will not be displayed in the report field because it cannot be mapped.
Object Security for Certain GuardAPI commands

Role validation implements controls on selected GuardAPI commands to consider the roles of the specific components (and not only the application) and disallow actions
if the roles do not match.
This means a user that has the appropriate roles for Policy Builder is able to execute the GuardAPI command, delete_rule, on any policy, regardless of the roles of this
specific policy.
Role validation exists for the following Policy rules GuardAPI commands: change_rule_order; copy_rule; copy_rules, delete_rule; update_rule.
Role validation exists for the following Group Description GuardAPI commands: create_member_to_group_by_desc; create_member_to_group_by_id;
delete_group_by_desc; delete_group_by_id; delete_member_from_group_by_desc; delete_member_from_group_by_id; update_group_by_id; update_group_by_desc.
Role validation exists for the following Datasource GuardAPI commands: delete_datasource_by_id; delete_datasource_by_name; update_datasource_by_id;
update_datasource_by_name.
Role validation exists for the following Audit Process GuardAPI commands: stop_audit_process.
API to run an audit process from tabular and graphical reports

An GuardAPI can be invoked automatically from any report portlet. When the GuardAPI is invoked, it creates a new audit process report.
If such process for the user exists, then the parameters are updated and the same process is used.
The behavior of the GuardAPI is as follows:
1 - If new process, it creates one receiver per email in the list (if any) with <p>a content type as indicated in the emailContentType parameter. It will also create a user
receiver for the user that is logged in (invoking the API) if the includeUserReceiver parameter is true.
2 - If existing process, Â all email receivers are removed and replaced with the emails from the new list (if any) with the content type as defined in the emailContentType
parameter. If the list is empty, it removes all email address receivers. If there is already a receiver for the user it will NOT be removed even if the includeUserreceiver is
false, however if the parameter is true and there is no such receiver then it is added.
Once the audit process is generated, it is automatically executed (similar to a Run Once Now) and users should expect an item on their to-do list for that audit process.
create_ad_hoc_audit_and_run_once
Parameters:
1 - reportId - The ID on the report to be used for the only task in the Audit process
2 - isForReportRunOnce boolean indicates whether the process should be run once after it is created.
3 - changeParIfExist boolean indicates whether the task parameters should be updated if the process exists
4 - taskParameter All task parameters and the value for each concatenated with the characters ^^ should be like: PAR1=Val1^^PAR2=Val2^^ etc it is valid to leave a
parameter empty, for example if PAR2 should remain empty it looks like: PAR1=VAL1^^PAR2=^^PAR3=VAL3^^...
5 - processNamePar - Name of the process if empty it creates a process with the name.
6 - sendToEmails: A comma-separated list of email addresses
7 - emailContentType 0-PDF or 1-CSV (applies ONLY to email receivers
8 - includeUserReceiver boolean indicates whether to create a receiver for the user that is logged in
An GuardAPI can be invoked automatically from any report portlet. When the GuardAPI is invoked, it creates a new audit process report.
Schedule APIs
modify_schedule parameters jobName jobGroup cronString startTime optional
list schedule
delete_schedule parameters jobName jobGroup deleteJob optional
schedule_job parameters jobType objectName optional cronString startTime optional
Note: Some job types for the grdapi schedule_job function do not require an object name. No validation is performed on the object name parameter and users see the
standard 'OK' prompt when the function is run with anything entered as the objectName parameter for the following jobs types:csvExportJob, systemBackupJob,
dataArchiveJob, dataExportJob, dataImportJob, resultsArchiveJob, AppUserTranslation, IpHostToAlias

grdapi schedule_job --get_param_values=jobType - Value for parameter 'jobType' of function 'schedule_job' must be one of: CustomTableDataUpload;
AutoDetectProbeJob; AppUserTranslation; InstallPolicy: AuditJob; ResultArchive; AutoDetectScanJob; CustomTableDataPurge; CSVExport; DataExport; DataArchive;
DataImport; PopulateGrpFromQry; SystemBackup; PopulateAlias; IpHostToAlias; UnitUtilization
grdapi set_purge_batch_size
Set the batch size that is used during purge, aids in performance of purge and has a default setting of 200,000. A trade-off in performance and disk space usage should be
noted as setting to a larger batch size increases the speed of the purge but consumes more disk space and setting to a low batch size decreases the speed of the purge but
not consume as much disk space.
function parameters: batchSize - required api_target_host Example vx29> grdapi set_purge_batch_size batchSize=200000 ID=0 ok
grdapi get_purge_batch_size
Gets the current setting for the purge batch size
function parameters: api_target_host Example vx29> grdapi get_purge_batch_size ID=0 Purge Batch Size = 200000 ok
grdapi patch_install
function parameters: patch_date patch_number - required
grdapi populate_from_dependencies
function parameters: descOfEndingGroup - required descOfStartingGroup - required flattenNamespace getFunctions getJavaClasses getPackages getProcedures
getSynonyms getTables getTriggers getViews isAppend - required isEndingGroupQualified owner - required reverseIt selectedDataSourceName - required api_target_host
create_computed_attribute
Use in Reports.
V
a
l
u
e
t
y
p
attributeLabel s Required.
t
r
i
n
g
entityLabel s Required. Database user

t
r
i
n
g
expression s Required. Server IP. The user must specify the tableName.field in the expression.
t
r
i
n
g
r
grdapi create_computed_attribute attributeLabel="CustomUserName" entityLabel="App User Name"

expression="SUBSTRING_INDEX(GDM_CONSTRUCT_INSTANCE.APP_USER_NAME,'.',1)"
delete_computed_attribute
Use in Reports.

V
a
l
u
e
t
y
p
t
r
i
n
g
entityLabel s Required.
t
r
i
n
g
expression s Required.
t
r
i
n
g
r
update_computed_attribute
Use in Reports.
V
a
l
u
e
t
y
p
t
r
i
n
g
t
r
i
n
g
expression s Required.
t
r
i
n
g

V
a
l
u
e
t
y
p
r
create_constant_attribute
Use in Reports.
V
a
l
u
e
t
y
p
t
r
i
n
g
t
r
i
n
g
constant s Required.
t
r
i
n
g
r
delete_constant_attribute
Use in Reports.
V
a
l
u
e
t
y
p

V
a
l
u
e
t
y
p
t
r
i
n
g
t
r
i
n
g
t
r
i
n
g
r
update_constant_attribute
Use in Reports.
V
a
l
u
e
t
y
p
t
r
i
n
g
t
r
i
n
g
t
r
i
n
g

V
a
l
u
e
t
y
p
r
create_ad_hoc_audit_and_run_once
Use in Reports.
V
a
l
u
e
t
y
p
chnageParlfExist B Required.
o
o
l
e
a
n
emailContentType i
n
t
e
g
e
r
includeUserReceiver b Â
o
o
l
e
a
n
isForReportRunOnce b Required.
o
o
l
e
a
n
processNamePar s Â
t
r
i
n
g
reportID i Required
n
t
e
g
e
r

V
a
l
u
e
t
y
p
sendToEmails s Â
t
r
i
n
g
taskParameter s Â
t
r
i
n
g
r
REST API
JSON (JavaScript Object Notation) output option supports GuardAPI functions. This is part of REST APIs. REST stands for Representational State Transfer. It relies on a
stateless, client/server, cacheable communications protocol, and in virtually all cases, the HTTP protocol is used. REST is an architecture style for designing networked
applications. The idea is that, rather than using complex mechanisms such as CORBA, RPC, or SOAP to connect between machines, simple HTTP is used to make calls
between machines. RESTful applications use HTTP requests to post data (create and/or update), read data (for example, make queries), and delete data. Thus, REST uses
HTTP for all four Create/Read/Update/Delete operations. REST is a lightweight alternative to mechanisms like RPC (Remote Procedure Calls) and Web Services (SOAP,
WSDL).
Guardiumâ€™s Implementation of REST
1. Register Application (only once) and get Client Secret.
2. Store Client Secret in secure place.
3. Request Access Token for authorization.
4. Store Access Token so grdAPI command is authenticated properly.
5. Use Access Tokens to submit GuardAPI commands.
Example use cases
I want the ability to dynamically get a small amount of audit data for a certain IP address without having to login to the Guardium GUI.
I want to populate an existing group, so I can update my policy to prevent unauthorized access to sensitive information.
I want to get a list of all users within a certain authorized access group.
I want my application development team to help identify what sensitive tables to monitor.
I want to script access to grdAPIâ€™s without using â€œexpectâ€ scripting language, which requires me to code response text from the target system.
HTTP has a vocabulary of operations (request methods)
GET (pass parameters in the URL)
POST (pass parameters in JSON object)
PUT (pass parameters to change as JSON object)
DELETE (pass parameters as JSON object)
Special user for internal REST API requests
For internal REST API requests, there is a special ROLE and USER predefined in the system.
This user cannot be removed or modified through the accessmgr UI and cannot be used to log in the UI.
This user's password will never expire, but is revoked if client ID is revoked.

On OAuth client registration, a new function accepts this user and client ID. It generates a random strong password for the user and store it in the TURBINE_USER
table.
It returns a client secret and the generated password.
The internal (S-TAP, maybe others) client must secure the client secret and password.
Permissions for different functions can be assigned to the role through accessmgr UI.
RestAPI vs. GuardAPI
GET = List
POST = Create
PUT = Update
DELETE = Delete
GuardAPIs
list_datasourcename_by_name (parameters - ?name="MSSQL_1")
-X GET https://10.10.9.239:8443/restAPI/datasource/?name="MSSQL_1"
create_datasource
-X POST https://10.10.9.239:8443/restAPI/datasource
update_datasource_by_name - JSON Object '{password:guardium}â€˜
-X PUT -d '{password:guardium, name:"MSSQL_1}â€˜
delete_datasource_by_id - JSON Object '{"id":20020}â€˜
-X DELETE -d '{"id":20020}â€˜
For further information, go to the Using the IBM Security Guardium REST API article on DeveloperWorks.
http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html
Query and restart internal UnitPinger thread

Use this GuardAPI command to query and restart internal UnitPinger thread.
NOTE: This GuardAPIs command needs to be called with api_target_host=127.0.0.1 parameter.
Example
grdapi get_unit_pinger api_target_host=127.0.0.1
register_oauth_client
Use this GuardAPI command to wrap supported GuardAPI functions in a RESTful API that uses JSON (JavaScript Object Notation) for input and output.
Use the GrdAPI command, grdapi register_oauth_client, to register the client and obtain the necessary access token to call the REST services.
REST stands for Representational State Transfer. It relies on a stateless, client/server, cacheable communications protocol, and in virtually all cases, the HTTP protocol is
used.
REST is an architecture style for designing networked applications. The idea is that, rather than using complex mechanisms such as CORBA, RPC, or SOAP to connect
between machines, simple HTTP is used to make calls between machines.
RESTful applications use HTTP requests to post data (create and/or update), read data (for example, make queries), and delete data. Thus, REST uses HTTP for all four
Create/Read/Update/Delete operations. REST is a lightweight alternative to mechanisms like RPC (Remote Procedure Calls) and Web Services (SOAP, WSDL).
client_id - String - required
grant_types - String - required. The only grant type that is supported is password.
redirect_uris - String - required
scope - String - required.
fetchSize - String- optional (default is 20 recores to retain backward compatibility, maximum value is 30000.
sortColumn - optional - If specified must be the column title of one of the report fields.
sortType - optional - asc or desc
Syntax
grdapi register_oauth_client <client_id> <grant_types> <redirect_uris> <scope>
getOAuthTokenExpirationTime
Use this GuardAPI command to get the expiration time of the REST API token

setOAuthTokenExpirationTime
Use this GuardAPI command to set the expiration time of the REST API token.
expirationTime - Integer - required
Syntax
grdapi setOAuthTokenExpirationTime ExpirationTime=10000

Use these GuardAPI commands to enable, disable, or configure Investigation Dashboard features and parameters.
disable_quick_search
Note that the Investigation Dashboard includes the Quick Search Results Table, in addition to the Activity Chart, and various other pre-defined charts.
Disable Investigation Dashboard functionality.
grdapi disable_quick_search
Paramet
er Value Description
all true or In an environment with a Central Manager, use this parameter to disable search on all managed units. For example, all=true.
false
This parameter is optional.
api_targ hostname or In a central management configuration only, specifies a target host where the API will execute. On a Central Manager (CM) the value is the
et_host IP address host name or IP of any managed units. On a managed unit it is the host name or IP of the CM.
Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to unit on which command is executed.
Valid values:

from CM only, the host name or IP of any managed units, for example, api_target_host=10.0.1.123
enable_quick_search
Enable Investigation Dashboard functionality.
grdapi enable_quick_search schedule_interval=[value] schedule_units=[value]
For example, the following command enables the Investigation Dashboard with a 2-minute data extraction interval: grdapi enable_quick_search
schedule_interval=2 schedule_units=MINUTE.
Paramete
r Value Description
all true or In an environment with a Central Manager, use this parameter to enable search on all managed units. For example, all=true.
false
api_target hostname or In a central management configuration only, specifies a target host where the API will execute. On a Central Manager (CM) the value is the
_host IP address host name or IP of any managed units. On a managed unit it is the host name or IP of the CM.
Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to unit on which command is
executed. Valid values:

extraction date Define the date by which to start the extraction of audit data for search. If this parameter is omitted, extraction starts immediately.
_start
includeVi true or Determine whether to include violations in the search indexes. Omitting violations can help reduce the size of search indexes.
olations false

schedule_ integer Used with the schedule_units parameter to define the interval for extracting audit data. For example, schedule_interval=2
interval schedule_units=MINUTE.
This parameter is required.
schedule_ date Date on which to begin following the extraction interval defined by the schedule_interval and schedule_units parameters.
start
schedule_ HOUR or Used with the schedule_interval parameter to define the interval for extracting audit data. For example, schedule_interval=2
units MINUTE schedule_units=MINUTE.
This parameter is required.
set_enterprise_search_options
Define the search mode for the Investigation Dashboard .
grdapi set_enterprise_search_options distributed_search=[value]
For example, the following command configures the Investigation Dashboard in all_machines mode to allow searching of data across the entire Guardium environment
from any Guardium machine in that environment: grdapi set_enterprise_search_options distributed_search=all_machines.
Paramete
r Value Description
api_target hostname or IP In a central management configuration only, specifies a target host where the API will execute. On a Central Manager (CM) the value is
_host address the host name or IP of any managed units. On a managed unit it is the host name or IP of the CM.
Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to unit on which command is
executed. Valid values:

distribute cm_only, local_only, cm_only

d_search or all_machines Searches submitted from a Central Manager return results from across the Guardium environment, but searches submitted
from managed units only return local results from that managed units
local_only
Searches submitted from individual machines return results from that machine only. There is no ability to search data from
across the Guardium environment.
all_machines
Searches can be submitted from any machine and return results from across the Guardium environment.
This parameter is required, and the default value is cm_only.

GuardAPI Native Audit Functions

Use these GuardAPI commands to enable, disable, DB Audit (native audit) on a cloud database; add and remove objects from the Object Audit (audit trail); get
configuration, collectors and objects.
add_ip_to_sg
Adds the specified Guardium IP to the cloud security group.
add_objects_native_audit parameter=value
datasource_n string. Required. Cloud datasource defined in Guardium

ame
api_target_ho hostname or IP Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which
st address command is executed. Valid values:

add_objects_native_audit
Adds objects to the Object Audit (audit trail) on the specified datasource.
add_objects_native_audit parameter=value

datasource_n string Required. Cloud datasource defined in Guardium

ame
objects string. Comma separated list of objects. View objects with the get_native_audit_objects or in the GUI.

disable_native_audit
Disables DB Audit (native audit) on the specified cloud datasource.
disable_native_audit parameter=value

ame

enable_native_audit
Enable DB Audit (native audit) on the specified datasource.
enable_native_audit parameter=value

ame

get_native_audit_collectors
Returns the name of the collector, in your environment, that is receiving data from the specified host, port, and service name.
get_native_audit_collectors parameter=value
host string Required. AWS host name
port integer Required.
service_nam string Required.

e
api_target_h hostname or IP Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which command
ost address is executed. Valid values:

get_native_audit_configurations

Returns all details on the specified host, port, service name: cloud environment id, cloud environment, provider, datasource id, instance name, database engine, service
name, host, port, Guardium security group, objects limit, objects, collector.
get_native_audit_configurations parameter=value

e

get_native_audit_objects
Returns all objects found by the classification process on the specified host, port, service name.
get_native_audit_objects parameter=value

e

remove_objects_native_audit
Disable the object audit (audit trail) on the specified objects in the specified datasource.
remove_objects_native_audit parameter=value

ame
objects string Comma separated list of objects. View objects with the get_native_audit_objects or in the GUI.


Use the following GuardAPI commands to enable, disable, and configure the Outliers Detection function.
grdapi enable_outliers_detection_agg
grdapi enable_outliers_detection_agg
grdapi disable_outliers_detection_agg
Run on a central manager to enable or disable sending export data from all collectors in the CM environment that send their data to the specified aggregator, except a
collector that is running outliers detection locally. Data is collected hourly and sent to the aggregator for outliers detection processing. A distributed report mechanism is
used to extract and send data to an aggregator.

Table 1. grdapi enable_outliers_detection_agg
V
a
l
u
schedule_interval 1 Mandatory. Must be set to 1
schedule_units h Mandatory. Must be set to hour

o
u
r
aggregator_host_name Â The specific aggregator enabled/disabled for outlier detection.

DAM_FAM D Optional. Specifies the type of outliers. The default is DAM.

A
M
o
r
F
A
M
grdapi enable_outliers_detection
grdapi enable_outliers_detection
grdapi disable_outliers_detection
Run on a collector to enable/disable outliers detection locally on the collector.
V
a
l
u
schedule_interval 1 Mandatory. Must be set to 1
schedule_units h Mandatory. Must be set to hour

o
u
r
DAM_FAM D Optional. Specifies the type of outliers. The default is DAM.

A
M
o
r
F
A
M
grdapi set_outliers_detection_parameter privUsersGroupIds

Add additional user groups to the outlier detection algorithm. Use this command to find a group ID: grdapi list_group_by_desc desc=[group name]
V
a
l
u
privUsersGroupIds s One or more admin user group IDs.

t
r
i
n
g
sensitiveObjectGroupIds s One or more sensitive object group IDs.

t
r
i
n
g
GuardAPI Process Control Functions

Use these GuardAPI commands to execute, copy, upload, list, and delete Process Control Functions.
execute_cls_process
Executes (submits) a classification process. It is equivalent of executing Run Once Now from Classification Process Builder. It submits the job which places the process on
the GuardiumÂ® Job Queue, from which the appliance runs a single job at a time. Administrators can view the job status by selecting Guardium Monitor > Guardium Job
Queue.
Note: Create a classification process before calling this API.

V
a
l
u
processName Â Â s Name of the classification process

t
r
i
n
g
api_target_host h Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which command
o is executed. Valid values:
s
t all_managed: for all managed units
a group:<group name>: where group name is a group of managed units
m from CM only, the host name or IP of any managed unit, for example, api_target_host=10.0.1.123
e from managed unit, the host name or IP of the CM
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_cls_process processName="classPolicy1"
execute_assessment
Executes (submits) a security assessment. It is equivalent of executing Run Once Now from Security Assessment Finder. It submits the job. This places the process on the
Guardium Job Queue, from which the appliance runs a single job at a time. Administrators can view the job status by selecting Guardium Monitor > Guardium Job Queue.
Note: Create a Security Assessment before calling this API.

V
a
l
u
assessmentDesc Â Â Name of the assessment

s
o
r
I
P
a
d
d
r
e
s
s
Example

grdapi execute_assessment assessmentDesc="assessment1"
execute_auditProcess
Executes an Audit process. Runs the specified audit process. It is equivalent of executing Run Once Now from Audit Process Builder.
Note: Create an audit process before calling this API.

Note: If the audit report returns a lot of data, the user should execute the audit process from the GUI, due to CLI command heap size limitation.
V
a
l
u
auditProcess Â Â Name of the audit process

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_auditProcess auditProcess="Appliance Monitoring"
stop_audit_process
The stop_audit_process API can not be used through the GuardAPI command line. This function is only usable as an invocation through a drill down. See the sub-topic,
Stop an audit process, in Compliance Workload Automation help topic.
V
a
l
u
process Â Name of the audit process

run Â The RunID of the audit process

s
o
r
I
P
a
d
d
r
e
s
s
Example
stop_audit_process
execute_populateGroupFromQuery

Executes a populate group from query. It populates the chosen group by executing a configured query. It is the equivalent of executing Run Once Now from Populate
Group From Query Set Up screen. If the group is not configured for import, it displays an error message.
Note: This grdapi can only be used for groups that have already been configured in Populate Group From Query Set Up screen (query should have been chosen and
parameters should have been set)
V
a
l
u
groupDesc Â Â Group name

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_populateGroupFromQuery groupDesc="A test"
grdapi execute_appUserTranslation
Execute an application user translation. Imports the user definitions for all configured applications in Application User Translation Configuration screen. It is equivalent of
executing Run Once Now from Application User Translation Configuration screen.
Note: To run this grdapi, must define at least one Application User Detection in Application User Translation Configuration screen. If not a message will be displayed.
V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_appUserTranslation
execute_flatLogProcess
Merges the flat log information to the internal database. It is equivalent of executing Run Once Now from Flat Log Process screen.
Note: This grdapi can only be executed if Flat Log Process is configured as Process in Flat Log Process screen. If not, an error message will be displayed.

V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_flatLogProcess
execute_incidentGenProcess
Executes a query which is defined for the selected incident generation process, using the processId, against the policy violations log. It generates incidents based on that
query. It is equivalent of executing Run Once Now from Edit Incident Generation Process screen.
Note: Create a Incident Generation Process before calling this API.

V
a
l
u
processID Â Process ID of the incident

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_incidentGenProcess processId=20003
execute_incidentGenProcess_byDetails
Executes a query which is defined for the selected incident generation process, using the query name, against the policy violations log. It generates incidents based on
that query. It is equivalent of executing Run Once Now from Edit Incident Generation Process screen.
Note: Create a Incident Generation Process before calling this API.

V
a
l
u

V
a
l
u
queryName Â Â Query name

categoryName Â Category Name

user Â User

threshold Â Threshold

severity Â Severity level

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_incidentGenProcess_byDetails queryName="Policy Violation Count" user=admin severity=info
upload_custom_data
Executes (submits) a classification process. Uploads data to the custom table specified by tableName. It is the equivalent of executing Upload from Import Data screen of
Custom Table Builder. To run this grdapi, must first configure the specified custom table in Import Table Structure of Custom Table Builder. From the UI, go to Tools/Report
Builder/Custom Table Builder, select a Custom Table, click upload data, and select datasource.
V
a
l
u
tableName Â e Name of custom table

x
i
s
t
i
n
g
c
u
s
t
o
m
t
a
b
l
e

V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi upload_custom_data tableName="TEST_TABLE"
Import LDAP users. It imports Guardium user definitions from an LDAP server configured in LDAP User Import screen. It is equivalent of executing Run Once Now from
LDAP User Import screen. (login in as accessmgr /LDAP Import)
Note: LDAP must be configured. Otherwise, the system will give an error message.
V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi execute_ldap_user_import
policy_install
Install a policy or multiple policies. If multiple policies are to be installed then the policies need to be delimited by a pipe character '|' with policies being in the order you
want to be installed. This needs to be done even if only one policy might have had changes.
Install multiple policies with grdapi policy_install command. Install by position by specifying the policies in the order that you want to install.
Even in UI, when you install a policy after another installed policy, it will reinstall all of them. which is the same as grdapi policy_install command.
V
a
l
u

V
a
l
u
policy Â Policy name

api_target_host Â In a central management configuration only, allows the user to specify a target host where the API will execute. On a Central Manager
(CM) the value is the host name or IP of any managed units. On a managed unit it is the host name or IP of the CM.
Examples
grdapi policy_install policy="Policy 1|Policy 2"
grdapi policy_install policy="policy 20|policy 30|policy 40"
delete_policy
Use the delete_policy command to delete a policy specified by the policyDesc parameter.
V
a
l
u
policyDesc Â Policy name.

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi delete_policy policyDesc="Hadoop Policy"
list_policy
Use the list_policy command to display a list of available policies or to display details about a single policy.
V
a
l
u
policyDesc Â Policy name. If unspecified, the list_policy command returns a list of available policies.

detail Â Accepts values of true or false. The default value is true and returns policy details. Specifying a value of false returns only policy
names.

V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Examples
Display details of a specific policy:
grdapi list_policy policyDesc="Hadoop Policy"
Display a detailed list of available policies:
grdapi list_policy
Display a list of available policy names (no details):
grdapi list_policy detail=false
copy_rule
Copy a rule <ruleDesc> of <fromPolicy> to the end of <toPolicy> rule's list.
Note: It Copies a rule of Â <fromPolicy> to the end of <toPolicy> rule's list. Both <fromPolicy> Â and <toPolicy> must be created, before running this grdapi.
V
a
l
u
ruleDesc Â Rule Description

fromPolicy Â Policy name

toPolicy Â Policy name

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi copy_rule ruleDesc="Rule Description" fromPolicy="policy1" toPolicy=" policy2 "

clone_policy
Use this GuardAPI command to clone a policy.
V
a
l
u
policyDesc Â Policy name

clonedpolicyDesc Â Cloned Policy name

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi clone_policy policyDesc="Hadoop Policy" clonedPolicyDesc="Hadoop Policy cloned1"
update_rule
Update policy rule. Update a rule <ruleDesc> of <fromPolicy> for a rule parameter.
See Policies for additional information on the following policy rule parameters that can be altered with the update_rule API call.
V
a
l
u


newDesc Â New Rule Description

clientIP Â Client IP

clientNetMask Â Client Net Mask

serverIP Â Server IP

serverNetMask Â Server Net Mask

objectName Â Object Name

sourceProgram Â Source Program

dbName Â Database Name

dbUser Â Database User

command Â Command


V
a
l
u
appUserName Â Application User Name

dateTime Â Date and Time

logFlag Â Log Flag

exceptionType Â Exception Type

minCount Â Minimum Count

continueToNext Â Continue to Next

resetInterval Â Reset Interval

serviceName Â Service Name

osUser Â O/S User

dbType Â Database Type

netProtocol Â Net Protocol

clientMac Â Client MAC

fieldName Â Field Name

pattern Â Patter

appEventExists Â Application Event Exists

eventType Â Event Type

appEventStrValue Â Application Event String Value

appEventNumValue Â Application Event Number Value

appEventDate Â Application Event Date

eventUserName Â Event User Name

errorCode Â Error Code

severity Â Severity

category Â Category

classification Â Classification

dataPattern Â Data Pattern

sqlPattern Â SQL Pattern

xmlPattern Â XML Patter

mvcSystem Â MVSâ„¢ System

clientIpNotFlag Â Client IP Not Flag


V
a
l
u
serverIpNotFlag Â Server IP Not Flag

objectNameNotFlag Â Object Name Not Flag

sourceProgramNotFlag Â Source Program Not Flag

dbNameNotFlag Â Database Name Not Flag

dbUserNotFlag Â Database User Not Flag

commandNotFlag Â Command Not Flag

appUserNameNotFlag Â Application User Name Not Flag

exceptionTypeIdNotFlag Â Exception Type ID Not FLag

serviceNameNotFlag Â Service Name Not Flag

osUserNotFlag Â O/S User Not Flag

clientMacNotFlag Â Client MAC Not Flag

fieldNameNotFlag Â Field Name Not Flag

errorCodeNotFlag Â Error Code Not Flag

replacementChar Â Replacement Character

messageTemplate Â Message Template

recordsAffectedThreshold Â Records Affected Threshold

matchedReturnedTreshold Â Matched Returned Treshold

clientIpGroup Â Client IP Group

serverIpGroup Â Server IP Group

objectGroup Â Object Group

objectCommandGroup Â Object Command Group

objectFieldGroup Â Object Field Group

dbUserGroup Â Database User Group

commandsGroup Â Commands Group

dbNameGroup Â Database Name Group

sourceProgramGroup Â Source Program Group

appUserGroup Â Application User Group

serviceNameGroup Â Service Name Group

osUserGroup Â O/S User Group


V
a
l
u
netProtocolGroup Â Net Protocol Group

fieldNameGroup Â Field Name Group

errorGroup Â Error Group

appEventStrGroup Â Application Event String Group

clientProgramUserServerInstance Â Client Program User Server Instance Group

Group
quarantineMinutes Â Quarantine Minutes

clientInfo Â Use for DB2 and DB2_COLLECTION_PROFILE

clientInGroup Â Use for DB2_COLLECTION_PROFILE

api_target_host h Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the unit on which
o command is executed. Valid values:
s
o
r
Central Manager (CM) the value is the host name or IP of any managed units. On a managed unit it is the host name or IP of the
I
CM.
P
a
d
d
r
e
s
s
Example
grdapi update_rule ruleDesc="Rule Description" fromPolicy="policy1" serviceName="ANY"
change_rule_order
Change policy rule order. Change the ordered position of a rule within a policy.
V
a
l
u

order Â New order position for Rule



V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi change_rule_order ruleDesc="Copy of policy1 exception1" fromPolicy="policy1" order=10
list_policy_rules
List the rules for a policy.
V
a
l
u
policy Â Policy name

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi list_policy_rules policy="policy1"
delete_rule
Remove a rule from a policy.
V
a
l
u

toPolicy Â Policy name


V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi delete_rule ruleDesc="Copy (3) of policy1 exception1" fromPolicy="policy1"
uninstall_policy_rule
Use the uninstall_policy_rule command to uninstall the policy rule(s) specified by the policy and ruleName parameters.
V
a
l
u
policy Â Policy name.

ruleName Â Rule name(s). Specify multiple policy rules using the pipe character, for example ruleName="rule1|rule2|rule3.

s
o
r
I
P
a
d
d
r
e
s
s
Examples
Uninstall a single policy rule:
grdapi uninstall_policy_rule policy="Hadoop Policy" ruleName="Low interest Objects: Allow"
Uninstall multiple policy rules:
grdapi uninstall_policy_rule policy="Hadoop Policy" ruleName="Low interest Objects: Allow|Low Interest Commands: Allow"
reinstall_policy_rule
Use the reinstall_policy_rule command to reinstall the policy rule(s) specified by the policy and ruleName parameters.

V
a
l
u
policy Â Policy name.

ruleName Â Rule name(s). Specify multiple policy rules using the pipe character, for example ruleName="rule1|rule2|rule3.

s
o
r
I
P
a
d
d
r
e
s
s
Examples
Reinstall a single policy rule:
grdapi reinstall_policy_rule policy="Hadoop Policy" ruleName="Low interest Objects: Allow"
Reinstall multiple policy rules:
grdapi reinstall_policy_rule policy="Hadoop Policy" ruleName="Low interest Objects: Allow|Low Interest Commands: Allow"
delete_Audit_process_result
Use this command to delete any audit process results.
V
a
l
u
ExecutionDateFrom Â When did audit process begin

ExecutionDateTo Â When did audit process end

ProcessName Â Required. What is name of audit process

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi delete_Audit_process_result ExecutionDateFrom=, ExecutionDateTo=, ProcessName=abab

create_api_parameter_mapping
Map API parameters to Domain entities and attributes so the parameters can be populated by report values on API call generation or API automation.
Note: The Mapping GuardAPI Parameters to Domain Entities and Attributes in GuardAPI Input Process Generation shows the domains, entities and attributes of the
system and has a GUI interface to invoke this API function.
V
a
l
u
functionName Â Name of the API function

parameterName Â Name of the parameter within the API function to be mapped

domain Â Any of the Guardium reporting domains such as Access, Alert, Discovered Instances, Exceptions, Group Tracking, etc.

entityLabel Â Any of the entities for the reporting domain

attributeLabel Â Any of the attributes within the entity

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi create_api_parameter_mapping functionName="create_group" parameterName="desc" domain="Group Tracking" entityLabel="Group"

attributeLabel="Group Description"
list_param_mapping_for_function
List the parameter mappings for an API function.
V
a
l
u


V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi list_param_mapping_for_function functionName="create_group"
delete_api_parameter_mapping
Delete API Parameter Mappings for Domain Entities and Attributes. Remove the parameter mappings for an API function.
V
a
l
u

parameterName Â Name of the parameter within the API function to be mapped

domain Â Any of the Guardium reporting domains such as Access, Alert, Discovered Instances, Exceptions, Group Tracking, etc.

entityLabel Â Any of the entities for the reporting domain

attributeLabel Â Any of the attributes within the entity

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi delete_api_parameter_mapping functionName="create_group" parameterName="desc" domain="Group Tracking" entityLabel="Group"

attributeLabel="Group Description"
close_default_events

Close all the events defined on a specific process/task/execution. Close all the events defined on a specific process/task/execution for tasks of type report. Specially
needed if for example there is a task with a default event that returned a large number of records, such task can not be signed unless all the events are closed.
V
a
l
u
eventStatus Â Required. Event status. Must be a valid status for the default event defined for the audit task and must be a final status.

execDate Â Required. Execution Date and Time

processDesc Â Required. Audit process description.

taskDesc Â Required. Audit task description.

s
o
r
I
P
a
d
d
r
e
s
s
Example
grdapi close_default_events eventStatus=Done execDate="2010-03-01 08:00:00" processDesc="Audit Process" taskDesc="Task

Description"
create_quarantine_allowed_until
Use in Policies.
V
a
l
u
allowedUntil Â Required.

dbUser Â Required. Database user

serverIP Â Required. Server IP

serverName Â Required. Server name

Type Â Required. Value must be one of: normal, DB2z, or IMS.


V
a
l
u
s
o
r
I
P
a
d
d
r
e
s
s
create_quarantine_until
Use in Policies.
V
a
l
u
quarantineUntil Â Required.





s
o
r
I
P
a
d
d
r
e
s
s
delete_quarantine_until
Use in Policies.
V
a
l
u

V
a
l
u





s
o
r
I
P
a
d
d
r
e
s
s
must_gather
Use grdapi must_gather command to collect information on the state of the Guardium system that can be used by Guardium Support. See Basic information for IBM
Support for further information on this topic.
V
a
l
u
commandsList Â String - required

description Â String - required

duration Â Integer - required

emailDestination Â String - required

invokingUser Â String - required

maxLength Â Integer - required

pmrNumber Â String - required

start Â Date - required

timestamp Â Date - required


V
a
l
u
s
o
r
I
P
a
d
d Guardium V10.1 and 10.1.2: In a central management configuration only, specifies a target host where the API will execute. On a
r Central Manager (CM) the value is the host name or IP of any managed units. On a managed unit it is the host name or IP of the CM.
e
s
s
restart_job_queue_listener
Use the restart_job_queue_listener command to restart the job queue listener if the job queue fails to start, does not run waiting jobs, or if a job appears stuck in running
or stopping status for a prolonged period of time. Issuing this command immediately restarts the job queue, and any currently executing jobs will be halted and restarted.
Example:
grdapi restart_job_queue_listener
The restart_job_queue_listener command does not accept any parameters.
update_quarantine_allowed_until
Use in Policies.
V
a
l
u
allowedUntil Â Required.





s
o
r
I
P
a
d
d
r
e
s
s
update_quarantine_until

Use in Policies.
V
a
l
u





s
o
r
I
P
a
d
d
r
e
s
s
GuardAPI Query Rewrite Functions

Automate testing or create definitions for certain complex queries that cannot be done from the user interface by using Guardium APIs at the command-line interface.
Note: If you create query rewrite definitions by using APIs, you can still use the UI to retrieve those definitions for testing with the Query Rewrite Builder.
The GuardAPI functions related to query rewrite include:
assign_qr_condition_to_action
create_qr_action
create_qr_add_where
create_qr_add_where_by_id
create_qr_condition
create_qr_definition
create_qr_replace_element
create_qr_replace_element_byId
list_qr_action
list_qr_add_where
list_qr_add_where_by_id
list_qr_condition
list_qr_condition_to_action
list_qr_definitions
list_qr_replace_element
list_qr_replace_element_byId
remove_all_qr_replace_elements
remove_all_qr_replace_elements_byId

remove_qr_action
remove_qr_add_where_by_id
remove_qr_condition
remove_qr_definition
remove_qr_replace_element_byId
update_qr_action
update_qr_add_where_by_id
update_qr_condition
update_qr_definition
update_qr_replace_element_byId
assign_qr_condition_to_action
Create an association between a query rewrite condition and an associated action.
V
a
l
u
actionName Â Required. The name of the query rewrite action.

conditionName Â Required. The name of the query rewrite condition to be associated with the specified action.

definitionName Â Required. The name of the query rewrite definition that is associated with the specified condition and action.


Example:
grdapi assign_qr_condition_to_action definitionName="case 15" actionName="qr action15_2" conditionName="qr cond15_2"
create_qr_action
Create a query rewrite action for a specified query rewrite definition.
V
a
l
u
actionName Â Required. The unique name of the query rewrite action.

definitionName Â Required. The query rewrite definition that is associated with this action.

description Â An optional description.


Example:

grdapi create_qr_action definitionName="case 15" actionName="qr action15_3"
create_qr_add_where
Associate a query rewrite function to add a WHERE condition to the specified query rewrite action.
V
a
l
u


whereText Â Text to add to a WHERE clause.


Example:
grdapi create_qr_add_where definitionName="qrw_def_Oracle_1" actionName="qrw_act__addwhere_id2" whereText="id=2"
create_qr_add_where_by_id
Associate a query rewrite function to add a WHERE condition to the specified query rewrite action.
V
a
l
u
qrActionId Â Required (integer). The unique ID of query rewrite action.

whereText Â Text to add to a WHERE clause.


Â Â Â

Example:
grdapi create_qr_add_where_by_id qrActionId=10002 whereText="id=2"
create_qr_condition
Create a query rewrite condition.
V
a
l
u
conditionName Â Required. The unique name of this query rewrite condition.


V
a
l
u
definitionName Â Required. The query rewrite definition that is associated with this condition.

depth Â Integer that specifies the depth of the parsed SQL that this condition applies to (1 and higher). The default -1 means that the query
rewrite condition applies to any matching SQL at any depth.
isForAllRuleObjects Â True or false. Use this parameter to associate this condition with objects in a policy access rule. True indicates that the specified
condition applies to all objects in the access ruleâ€™s Object field or Object group for a fired rule. The default is false, which means
the query condition is specified using the objects that are defined in this condition. Neither option impacts any rule triggering behavior.
isForAllRuleVerbs Â True or false. Use this parameter to associate this condition with objects in a policy access rule. True, indicates that the specified
condition applies to all verbs in the access ruleâ€™s Verb field or Verb group for a fired rule. The default is false, which means the
query condition is specified using the verbs that are defined in this condition. Neither option impacts any rule triggering behavior.
isObjectRegex Â True or false. Indicates that the specified object is specified by using a regular expression. Default is false.

isVerbRegex Â True or false. Indicates that the specified verb is specified by using a regular expression. Default is false.

object Â An object (table, view). The default "*" means all objects. This can also be specified as a regular expression, in which case set the
isVerbRegex to True.
order Â Used to specify the order in which to assemble multiple related query rewrite conditions for complex SQL. Default is 1.

verb Â A verb (select, insert, update, delete). The default "*" means all verbs.


Example:
grdapi create_qr_condition definitionName="case 15" conditionName="qr cond15_3" verb=select isForAllRuleObjects=false object=* depth=2 order=3
create_qr_definition
Create a query rewrite definition.
V
a
l
u
dataBaseType Â Required. The type of database this query rewrite definition is associated with. Acceptable values are: ORACLE or DB2.

definitionName Â Required. A unique name for this query rewrite definition condition.


isNegateQrCond Â Indicates whether there is a NOT flag on the set of query rewrite conditions that are associated with this definition.


Example:
grdapi create_qr_definition dataBaseType="ORACLE" definitionName="case 15"

create_qr_replace_element
Create a replacement element, or set of elements, such as an entire SQL sentence or a SELECT list.
V
a
l
u
actionName Â Required. The unique name of the query rewrite action this rewrite function is associated with.


isFromAllRuleElements Â True or false. Indicates that this action applies to all FROM elements. Default is false.

isFromRegex Â True or false. Indicates that the â€˜fromâ€™ element is specified by using a regular expression. Default is false.

isReplaceToFunction Â True or false. Indicates that the "replace to" is the name of a function, such as user-defined function.

replaceFrom Â The incoming string for a matching rule that is to be replaced. Use replaceType to indicate specifically which element of the incoming
query to examine.
replaceTo Â The replacement string for the matching element.

replaceType Â Required. Indicates what is to be replaced.

Must be one of the following:
SELECT
VERB
OBJECT
SENTENCE
SELECTLIST

Example:
grdapi create_qr_replace_element definitionName="case 15" actionName="qr action15_2" replaceType=VERB replaceFrom="select" replaceTo="select++"
create_qr_replace_element_byId
Create a replacement specification for a specified query rewrite action.
V
a
l
u
isFromAllRuleElements Â True or false. Indicates that this action applies to all FROM elements. Default is false.

isFromRegex Â True or false. Indicates that the "from" element is specified by using a regular expression. Default is false.


qrActionId Â Required (integer). The unique ID of query rewrite action.

query to examine.


V
a
l
u
replaceType Â Required. Indicates what is to be replaced.

Must be one of the following:
SELECT
VERB
OBJECT
SENTENCE
SELECTLIST

Example:
grdapi create_qr_replace_element_byId qrActionID="1116" replaceType=OBJECT replaceFrom="employee" replaceTo="employee_2"
list_qr_action
Lists query actions for a specified query definition.
V
a
l
u
actionName Â The name of the query rewrite action.

definitionName Â Required. The query rewrite definition name.

detail Â True or false. The default is true, which lists all the associated attributes of the actions. Only the name is returned for false.


Example:
grdapi list_qr_action definitionName="case 2"
Output:
qrwg1.guard.swg.usma.ibm.com> grdapi list_qr_action definitionName="case 2"

#######################################################################
QR actions of definition 'case 2' - (id = 1 )

#######################################################################
qr action ID: 1
qr action name: qr action2
qr action description: add where by id
ok
Example:
grdapi list_qr_action definitionName="case 2" detail=false
Output:
qrwg1.guard.swg.usma.ibm.com> grdapi list_qr_action definitionName="case 2" detail=false

#################################
QR actions of definition 'case 2' - (id = 1 )
#################################
qr action2
ok
list_qr_add_where
Lists "add where" functions for a specified query action and query definition pair.
V
a
l
u
actionName Â The name of the query rewrite action.

definitionName Â Required. The query rewrite definition name.


Â Â Â

Example:
grdapi list_qr_add_where actionName="qrw_act_addwhere_id2" definitionName="qrw_def_Oracle_1"
list_qr_add_where_by_id
Lists "add where" functions for a specified query action.
V
a
l
u
qrActionId Â Required (integer). The unique identifier for the query rewrite action.


Â Â Â

Â Â Â

Example:
grdapi list_qr_add_where_by_id qrActionId=20023

list_qr_condition
Lists the query rewrite conditions that are associated with a particular query rewrite definition.
V
a
l
u
conditionName Â The name of a query rewrite condition.

definitionName Â Required. A query rewrite definition.

detail Â True or false. The default is true, which lists all the associated attributes of the conditions. Only the name is returned for false.


Example:
grdapi list_qr_condition definitionName="case 2" conditionName="qr cond2"
Output:
qrwg1.guard.swg.usma.ibm.com> grdapi list_qr_condition definitionName="case 2" conditionName="qr cond2"

#######################################################################
QR Condtions of Definition 'case 2' - (id = 1 )
#######################################################################
qr condition id: 1
qr condition name: qr cond2
qr definition ID: 1
qr condition verb: *
qr condition object: *
qr condition dept: -1
is verb regex: false
is object regex: false
is action for all rule verbs: false
is action for all rule objects: false
qr condition order: 1
list_qr_condition_to_action
Lists the associations between a query rewrite condition and a query rewrite action for a particular query definition.
V
a
l
u
actionName Â Required (integer). The unique identifier for the query rewrite action.


Detail Â True or false. The default is true, which lists all the associated attributes of the conditions for the specified action and definition. Only
the name is returned for false.

Example:

grdapi list_qr_condition_to_action actionName="qr action15_2" definitionName="case 15"
Output:
qrwg1.guard.swg.usma.ibm.com> grdapi list_qr_condition_to_action actionName="qr action2" definitionName="case 2"

#######################################################################
QR Condtions of Action 'qr action2' - (id = 1 )
#######################################################################
qr condition id: 1
qr condition name: qr cond2
qr definition ID: 1
qr condition verb: *
qr condition object: *
qr condition dept: -1
is verb regex: false
is object regex: false
is action for all rule verbs: false
is action for all rule objects: false
qr condition order: 1
list_qr_definitions
Lists query rewrite definitions.
V
a
l
u

Detail Â True or false. The default is true, which lists all the associated attributes of the conditions for the specified action and definition. Only
the name is returned for false.

Â Â Â

Example:
grdapi list_qr_definitions
Output:
qrwg1.guard.swg.usma.ibm.com> grdapi list_qr_definitions

#######################################################################
QR Definitions
#######################################################################
qr definition ID: 1
qr definition name: case 2
qr definition description:
is negation set on qr conditions: false
list_qr_replace_element
Lists replacements for a specified query rewrite action and query rewrite definition pair.
V
a
l
u
actionName Â Required. A query rewrite action.


Detail Â True or false. The default is true, which lists all the associated attributes of the replacement elements for the specified action and
definition. Only the names are returned for false.

V
a
l
u
replaceType Â If specified, must be one of the following:

SELECT
VERB
OBJECT
SENTENCE
SELECTLIST

Example:
grdapi list_qr_replace_element actionName="qr action2" definitionName="case 2"
Output:
qrwg1.guard.swg.usma.ibm.com> grdapi list_qr_replace_element actionName="qr action2" definitionName="case 2"

#######################################################################
QR replace elements for action 'qr action2' - (qrActionId = 1 )
#######################################################################
qr replace element ID: 1

qr replace type: object
qr replace from: emp
qr replace to: NEW_EMP
qr is from regex: false
qr is from all rule elements: false
***********************************************************************
qr replace element ID: 2
qr replace type: selectList
qr replace from: Whole select list
qr replace to: EMPNO,SAL
qr is from regex: false
qr is from all rule elements: false
list_qr_replace_element_byId
Lists replacements for a specified query rewrite action.
V
a
l
u
detail Â True or false. The default is true, which lists all the associated attributes of the replacement elements for the specified action and
definition. Only the names are returned for false.
qrActionId Â Required (integer). The unique identifier for the query rewrite action.


V
a
l
u

SELECT
VERB
OBJECT
SENTENCE
SELECTLIST

Example:
grdapi list_qr_replace_element_byId detail=true qrActionId="22222" replaceType="OBJECT"
remove_all_qr_replace_elements
Deletes query replacement specifications from the system.
V
a
l
u

definitionName Â Required (integer). The unique identifier for the query rewrite action.


SELECT
VERB
OBJECT
SENTENCE
SELECTLIST

Example:
grdapi remove_all_qr_replace_elements definitionName="new case 2" actionName="new qr action2â€œ
remove_all_qr_replace_elements_byId
Deletes query replacement specifications from the system.
V
a
l
u
qrActionId Â Required (integer). A query rewrite action identifier.


V
a
l
u


SELECT
VERB
OBJECT
SENTENCE
SELECTLIST
If replaceType is not specified, then all replacements for the specified action and definition is deleted.

Example:
grdapi remove_all_qr_replace_elements actionName="qr action15_2" definitionName="case 15" replaceType="OBJECT"
remove_qr_action
Deletes a specified query rewrite action from the system.
V
a
l
u



Â Â Â

Example:
grdapi remove_qr_action actionName="qr action15_2" definitionName="case 15"
remove_qr_add_where_by_id
Deletes a specified "add where" function from the system.
V
a
l
u
qrAddWhereId Â Required (integer). An "add where" function.


V
a
l
u

Â Â Â

Â Â Â

Example:
grdapi remove_qr_add_where_by_id qrAddWhereId=22666
remove_qr_condition
Deletes a query rewrite condition from the system.
V
a
l
u
conditionName Â Required. A query rewrite condition.



Â Â Â

Example:
grdapi remove_qr_condition conditionName="qr cond15_1" definitionName="case 15"
remove_qr_definition
Deletes a query rewrite definition from the system.
V
a
l
u


V
a
l
u

Â Â Â

Â Â Â

Example:
grdapi remove_qr_definition definitionName="case 15"
remove_qr_replace_element_byId
Deletes a specified query element replacement from the system.
V
a
l
u
qrReplaceElementId Â Required (integer). A replacement definition ID.


Â Â Â

Â Â Â

Example:
grdapi qrReplaceElementId=33333
update_qr_action
Updates an existing query rewrite action with a new name and optional description.
V
a
l
u



newName Â The new name for the query rewrite action.


V
a
l
u

Example:
grdapi update_qr_action definitionName="case 2" actionName="qr action2" newName="new qr action2"
update_qr_add_where_by_id
Allows update of an existing "add where" function with new replacement text.
V
a
l
u
qrAddWhereId Â Required (integer). The unique identifier for the query rewrite "add where" function.

whereText Â The replacement text for the identified where clause.


Â Â Â

Example:
grdapi update_qr_add_where_by_id 22222 whereText="1=2"
update_qr_condition
Update an existing query rewrite condition.
V
a
l
u
conditionName Â Required. The unique name of this query rewrite condition.

definitionName Â Required. The query rewrite definition that is associated with this condition.

depth Â Integer that specifies the depth of the parsed SQL that this condition applies to (1 and higher). The default -1 means that the query
rewrite condition applies to any matching SQL at any depth.
isForAllRuleObjects Â True or false. Indicates that the specified condition applies to all objects for the fired rule. Default is false.

isForAllRuleVerbs Â True or false. Indicates that the specified condition applies to all verbs for the fired rule Default is false.

isObjectRegex Â True or false. Indicates that the specified object is specified by using a regular expression. Default is false.


V
a
l
u
isVerbRegex Â True or false. Indicates that the specified verb is specified by using a regular expression. Default is false.

newName Â The new name for the query rewrite condition.

Object Â An object (table or view). The default "*" means all objects. This can also be specified as a regular expression, in which case set the
isVerbRegex to True.
Order Â Used to specify the order in which to assemble multiple related query rewrite conditions for complex SQL. Default is 1.

Verb Â A verb (select, insert, update, delete). The default "*" means all verbs.


Example:
grdapi update_qr_condition definitionName="case 16" conditionName="qr cond15_3" newName="qr cond16_3" verb=select object=* dept=2 order=3
update_qr_definition
Update an existing query rewrite definition.
V
a
l
u
dataBaseType Â Required. The type of database this query rewrite definition is associated with. Must be either ORACLE or DB2.



isNegateQrCond Â Indicates whether there is whether there is a NOT flag on the set of query rewrite conditions that are associated with this definition.

newName Â Optional. Specify a new unique name.

sampleSql Â Optional. Specify a sample SQL statement. In most cases, you will not use this unless you want to use the inputted sample SQL later in
the UI.

Example:
grdapi update_qr_definition dataBaseType="DB2" definitionName="case 15" sampleSql="select EMPNO from EMP where ENAME = (select
ENAME from EMP where SAL = (select SAL from EMP where HIREDATE = to_date('06/09/1981 00:00:00', 'MM/DD/YYYY HH24:MI:SS')))"
newName="DB2_case 15"
update_qr_replace_element_byId
Update an existing replacement specification for a specified query rewrite action.

V
a
l
u
isFromAllRuleElements Â Required. The type of database this query rewrite definition is associated with. Must be either ORACLE or DB2.

isFromRegex Â True or false. Indicates that the "from" element is specified by using a regular expression. Default is false.


qrReplaceElementId Â Required (integer). The unique ID of query rewrite action.

query to examine.


Example:
grdapi update_qr_replace_element_byId qrReplaceElementId=1 isFromAllRuleElements=false isFromRegex=false isReplaceToFunction=false

replaceFrom=emp replaceTo=NEW_EMP_UPDATED
GuardAPI Role Functions

Use these GuardAPI commands to grant, list and revoke Role Functions.
Note: In a Central Management environment, the object to which you want to add a role may reside on the Central Manager or on a managed unit. See the Overview of the
Aggregation & Central Management help book, for more information.
grant_role_to_object_by_id
Add a role to the specified object - a Classification process, for example. Dependencies are checked before adding the role. For example, before adding a role to a
Classification process, that role must be assigned to all components contained by that Classification process (the classification policy and any datasources referenced).
V
a
l
u

V
a
l
u
objectTypeId Â Required (integer). Identifies the type of object to which the role will be assigned. It must be one of the following integers:

1=Query
2=Report
3=Alert
4=Baseline
5=Policy
6=SecurityAssessment
7=PrivacySet
8=AuditProcess
12=CustomTable
13=Datasource
14=CustomDomain
15=ClassifierPolicy
16=ClassificationProcess
objectId Â Required (integer). Identifies the object to which the role will be assigned.

roleId Â Required (integer). Identifies the role to assign. This can be any existing role ID, or the special value -1, which allows access by all
roles.

Example
grdapi grant_role_to_object_by_id objectTypeId=13 objectId=2 roleId=3
grant_role_to_object_by_Name
Add a role to the specified object - a Classification process, for example. Dependencies are checked before adding the role. For example, before adding a role to a
Classification process, that role must be assigned to all components contained by that Classification process (the classification policy and any datasources referenced).
Parameters
V
a
l
u

V
a
l
u
objectType Â Required. Identifies the type of object to which the role will be assigned. It must be one of the following:

Query
Report
Alert
Baseline
Policy
SecurityAssessment
PrivacySet
AuditProcess
CustomTable
Datasource
CustomDomain
ClassifierPolicy
ClassificationProcess
objectName Â Required. The name of the object (the query or report, for example) to which the role will be assigned.

role Â Required. The name of the role to assign. This can be any existing role, or all_roles to allow access by all roles.


Example
grdapi grant_role_to_object_by_Name objectType=Datasource objectName= â€œswanSybaseâ€ role=admin
list_roles_granted_to_object_by_id
Displays the roles assigned to the specified object - a Classification process, for example.
V
a
l
u

V
a
l
u

1=Query
2=Report
3=Alert
4=Baseline
5=Policy
7=PrivacySet
8=AuditProcess
12=CustomTable
13=Datasource
14=CustomDomain

roles.

Example
grdapi list_roles_granted_to_object_by_id objectTypeId=7 objectId=1
list_roles_granted_to_object_by_Name
Displays the roles assigned to the specified object - a Classification process, for example.
V
a
l
u

V
a
l
u

Query
Report
Alert
Baseline
Policy
SecurityAssessment
PrivacySet
AuditProcess
CustomTable
Datasource
CustomDomain
ClassifierPolicy



Example
grdapi list_roles_granted_to_object_by_Name objectType=PrivacySet objectName="privaceSet 1"
revoke_role_from_object_by_id
Removes a role from the specified object - a Classification process, for example. Dependencies are handled automatically. For example, if the role foo is removed from a
specific query, the role foo will also be removed from any report based on that query.
V
a
l
u

V
a
l
u

1=Query
2=Report
3=Alert
4=Baseline
5=Policy
7=PrivacySet
8=AuditProcess
12=CustomTable
13=Datasource
14=CustomDomain

roles.

Example
grdapi revoke_role_from_object_by_id objectTypeId=13 objectId=5 role=-1
revoke_role_from_object_by_Name
Removes a role from the specified object - a Classification process, for example. Dependencies are handled automatically. For example, if the role foo is removed from a
specific query, the role foo will also be removed from any report that uses that query.
V
a
l
u

V
a
l
u

Query
Report
Alert
Baseline
Policy
SecurityAssessment
PrivacySet
AuditProcess
CustomTable
Datasource
CustomDomain
ClassifierPolicy



Example
grdapi revoke_role_from_object_by_Name objectType=Datasource objectName="swanSybase" role=admin
GuardAPI S-TAPÂ® functions

Use these CLI commands to create, list, delete, restart, and set S-TAP functions.
create_stap_inspection_engine
Add an inspection engine to the specified S-TAP. S-TAP configurations can be modified only from the active GuardiumÂ® host for that S-TAP, and only when the S-TAP is
online.
V
a
l
u
stapHost Â Required. The host name or IP address of the database server on which the S-TAP is installed.


V
a
l
u
protocol Â Required. The database protocol, which must be one of the these values:

DB2Â®
DB2 Exit (DB2 version 10)
FTP
InformixÂ®
Kerberos
Mysql
NetezzaÂ®
Oracle
PostgreSQL
Sybase
Teradata
Teradata Exit (v10.1.3 and up)
Windows File Share
exclude IE
Windows S-TAP hosts can also use the following protocols:
MSSQL
named pipes
portMin Â Required (integer). Starting port number of the range of listening ports that are configured for the database. (Do not use large
inclusive ranges, as this degrades the performance of the S-TAP.)
portMax Â Required (integer). Ending port number of the range of listening ports for the database.

teeListenPort Â Optional (integer). Not used for Windows. Under UNIX, replaced by the KTAP DB Real Port when the K-TAP monitoring mechanism is
used. Required when the TEE monitoring mechanism is used. The Listen Port is the port on which the S-TAP listens for and accepts
teeRealPort local database traffic. The Real Port is the port onto which S-TAP forwards traffic.
connectToIp Â Optional (integer). The IP address for the S-TAP to use to connect to the database. Some databases accept local connection only on
the â€œrealâ€ IP address of the machine, and not on the default (127.0.0.1).
client Â Required. A list of Client IP addresses and corresponding masks to specify which clients to monitor. If the IP address is the same as
the IP address for the database server, and a mask of 255.255.255.255 is used, only local traffic is monitored. A client address/mask
value of 1.1.1.1/0.0.0.0 monitors all clients. (See the example.)
encryption Â Optional. Activate ASO encrypted traffic where encryption=0 (no) or encryption=1 (yes).

excludeClient Â Optional. A list of Client IP addresses and corresponding masks to specify which clients to exclude. This option enables you to
configure the S-TAP to monitor all clients, except for a certain client or subnet (or a collection of these options).
procNames Â For a Windows Server: For Oracle or MS SQL Server only, when named pipes are used. For Oracle, the list usually has two entries:
oracle.exe,tnslsnr.exe. For MS SQL Server, the list is usually just one entry: sqlservr.exe.
namedPipe Â Windows only. Specifies the name of a named pipe. If a named pipe is used, but nothing is specified here, the S-TAP retrieves the
named pipe name from the registry.
ktapDbPort Â Optional (integer). Not used for Windows. Under UNIX, used only when the K-TAP monitoring mechanism is used. Identifies the
database port to be monitored by the K-TAP mechanism.
dbInstallDir Â UNIX only. Enter the full path name for the database installation directory. For example: /home/oracle10

procName Â For a UNIX Server: For a DB2, Oracle, or Informix database, enter the full path name for the database executable. For example:

/home/oracle10/prod/10.2.0/db_1/bin/oracle
procNames Â Optional


V
a
l
u
db2SharedMemAdjustment Â These three parameters are used for a DB2 inspection engine, only under the following conditions:

db2SharedMemClientPosition The DB2 server is running under Linux.
db2SharedMemSize The K-TAP monitoring mechanism is installed.
Clients connect to DB2 using shared memory.
When these parameters are used, grdapi verifies only that the protocol is db2; it does not verify that the conditions have been met.
See the DB2 Linux S-TAP Configuration Parameters topic for a detailed explanation of how to use these parameters.
instanceName Â Optional (string). Used only for MSSQL or Oracle encrypted traffic. Either the MSSQL or ORACLE encryption flag must be turned on
before this parameter can be used.
informixVersion Â Informix Version.

ieIdentifier Â Optional (string).

interceptTypes Â Optional (string).

Â


Example
grdapi create_stap_inspection_engine stapHost=192.168.2.118 protocol=Oracle portMin=1521 portMax=1521 dbInstallDir=/data/oracle10

procName=/data/oracle10/oracle/product/10.2.0/db_1/bin/oracle client=192.168.0.0/255.255.0.0 ktapDbPort=1521
Note:
Sometimes, when adding an inspection engine, a false message of Configuration rejected by S-TAP- see S-TAP event log for details, is displayed even though the
configuration was not rejected and installed correctly.
Client IP/mask is required for UNIX S-TAP, optional for Windows S-TAP.
list_inspection_engines
Display the properties of all S-TAPs on the specified host, optionally for a specific database type only.
V
a
l
u
stapHost Â Required. The host name or IP address of a database server on which S-TAPs are installed (and configured to report to this Guardium
appliance).
type Â Optional. If used, inspection engines for the specified database type only will be listed. Type must be one of the following:

db2
informix
mssql
mssql-np
oracle
sybase

V
a
l
u

Example
a1.corp.com> grdapi list_inspection_engines stapHost=192.168.2.33 type=oracle
ID=20162
Stap Host: 192.168.2.33 - Not Active
oracle Inspection Engines:
Â Â Â Â Â Â Â Â Â name =ORACLE2
Â Â Â Â Â Â Â Â Â type =ORACLE
Â Â Â Â Â Â Â Â Â connect to IP=127.0.0.1
Â Â Â Â Â Â Â Â Â install dir = /home/oracle10
Â Â Â Â Â Â Â Â Â exec file = /home/oracle10/product/10.2.0/db_1/bin/oracle-guard
Â Â Â Â Â Â Â Â Â instance name = MSSQLSERVER
Â Â Â Â Â Â Â Â Â encrypted = no
Â Â Â Â Â Â Â Â Â port range = 1521 - 1521
tee listen port = null, tee rel port = 1521
Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â client = 127.0.0.1/255.255.255.255
Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â client = 192.168.0.0/255.255.0.0
Â Â Â Â Â Â Â Â Â name =ORACLE3
Â Â Â Â Â Â Â Â Â type =ORACLE
Â Â Â Â Â Â Â Â Â connect to IP=127.0.0.1
Â Â Â Â Â Â Â Â Â install dir = /home/oracle9
Â Â Â Â Â Â Â Â Â exec file = /home/oracle9/bin/oracle
Â Â Â Â Â Â Â Â Â instance name = MSSQLSERVER
Â Â Â Â Â Â Â Â Â encrypted = no
Â Â Â Â Â Â Â Â Â port range = 1521 - 1521
ok Â
list_staps
Display the database servers from which S-TAPs report to this Guardium system, optionally listing only the servers that have S-TAPs for which this Guardium system is the
active host (that is, the one to which the S-TAP is sending data and the one from which the S-TAP configuration can be modified).
V
a
l
u
onlyActive Â Optional (Boolean). Enter true, or omit this parameter, to list only those hosts having S-TAPs for which this Guardium system is the
active host. Enter false to list all hosts on which S-TAPs have been configured to use this Guardium system as either a primary or
secondary host.

V
a
l
u

Example
a1.corp.com> grdapi list_staps onlyActive=false
ID=0
staps:
stap host = FALCON
stap host = 192.168.2.33
stap host = 192.168.2.173
stap host = 192.168.2.248
stap host = jumbo
ok Â
delete_stap_inspection_engine
Remove an S-TAP inspection engine. This Guardium system must be the active host for the S-TAP from which the inspection engine will be removed.
V
a
l
u

type Â Required. Identifies the type of inspection to be removed. Type must be one of the following:

Cassandra, CouchDB, DB2, DB2 Exit, FTP, GreenPlumDB, Hadoop, HTTP, iSERIES, Informix, KERBEROS, MongoDB, MS SQL, mssql-np,
Mysql, Named Pipes, Netezza, Oracle, PostgreSQL, SAP Hana, Sybase, Teradata, Teradata Exit (v10.1.3 and up), or Windows File Share
sequence Â Required (integer). The sequence number of the inspection engine to be removed within the set of inspection engines of the specified
type. You can use the grdapi list_inspection_engines command with the type option first, to verify the sequence number of the
inspection engine to be removed.
waitForResponse Â Optional. Specifies whether the API will wait for a response from the S-TAP. Valid values are 0 (do not wait) and 1 (wait for a
response). The default is 1 when stapHost is a single host name or IP address and 0 in all other cases.

Example
grdapi delete_stap_inspection_engine stapHost=192.168.2.118 type=Oracle sequence=1
Note: Sometimes, when deleting an inspection engine, a false message of Cannot remove Inspection Engine - the specified inspection engine is not found, is displayed
even though the removal was successful.
restart_stap
Restart an S-TAP inspection engine.

V
a
l
u


Example
grdapi restart_stap stapHost=192.168.2.118
set_stap_debug
Filter log content by database, protocol, client information, instead of dumping all traffic to the log.
stapDebugInterval - required
stapDebugLevel - required
stapDebugOn - required
stapHost - required
api_target_host
store_stap_approval
Use this function to block unauthorized S-TAPs from connecting to the Guardium system.
If ON, then S-TAPs can not connect until they are specifically approved.
If an unapproved S-TAP connects, it is immediately disconnected until the specific authorization of the IP address of that S-TAP.
There is a pre-defined report for approved clients, Approved TAP clients. It is available on the Daily Monitor tab.
Note:
A valid IP address is required, not the host name.
The store_stap_approval command does not work within an environment where there is an IP load balancer.
Within a Central Managed environment, after adding the IP addresses to approved S-TAPs, there is a wait time associated with synchronization that might take up to an
hour. After synchronization is complete, the status of the approved S-TAP will appear green in the GUI.
Function: store_stap_approval
isNeeded - Boolean - required
Syntax
grdapi store_stap_approval ON | OFF
CLI command
store stap approval and show stap approval
add_approved_stap_client
Use this GuardAPI command to add an approved S-TAP client.
Use of this GuardAPI command does not restart the sniffer and does not affect already connected S-TAPs. This command affects only new S-TAP connections.
Function: add_approved_stap_client
stapHost - String - required

Syntax
grdapi add_approved_stap_client <stapHost>
list_approved_stap_client
Use this GuardAPI command to list approved S-TAP clients.
Syntax
grdapi list_approved_stap_client
list_stap_verification_results
Use this GuardAPI command to list S-TAP verification results.
stapHost - String. The host name or IP address of the database server on which the S-TAP is installed.
Syntax
grdapi list_stap_verification_results <stapHost>
delete_approved_stap_client
Use this GuardAPI command to remove an approved S-TAP client.
Use of this GuardAPI command does not restart the sniffer and does not affect other already connected S-TAPs. This command affects only the specified S-TAP
connections.
stapHost - String - required
Syntax
grdapi delete_approved_stap_client <stapHost - String - required>
set_ktap_debug
ID=0
ktapDebugInterval - required
ktapFunctionNames
stapHost - required
api_target_host
display_stap_config
Display all the properties of all S-TAPs on the specified host.
V
a
l
u
stapHost Â Required. The host name or IP address of a database server on which S-TAPs are installed and configured to report to this Guardium
system, or a comma-separated list of host names or IP addresses. You can also use these values:
all_active
All S-TAPs that are configured to report to this Guardium system
all_windows_active
All S-TAPs that are configured to report to this Guardium system and are running on Windows machines
all_unix_active
All S-TAPs that are configured to report to this Guardium system and are running on UNIX machines

V
a
l
u
Â Â Â

Examples:
grdapi display_stap_config stapHost=myhost1,myhost2

grdapi display_stap_config stapHost=all_active
update_stap_config
Update properties of all S-TAPs on the specified host.
V
a
l
u
stapHost Â Required. The host name or IP address of a database server on which Guardium system, or a comma-separated list of host names or
IP addresses. You can also use these values:
all_active
all_windows_active
all_unix_active
updateValue Â Required. One or more key-value pairs, in this format: section.parameter_name:new_value. section indicates the section of the
guard_tap.ini file in which the parameter is contained, and can be TAP or DB_x, where DB_x is a designation for an inspection engine
that appears as a section header in the file. You can specify new values for multiple parameters by separating the entries with an
ampersand (&) .
waitForResponse Â Optional. Specifies whether the API will wait for a response from the S-TAP. Valid values are 0 (do not wait) and 1 (wait for a
response). The default is 1 when stapHost is a single host name or IP address and 0 in all other cases.
Examples:
grdapi update_stap_config stapHost=all_windows_active updateValue=TAP.XXXX
verify_stap_inspection_engine_with_sequence
Use this command to verify the S-TAP inspection engine.
V
a
l
u
addToSchedule Â String. Constant values list; valid values are Yes and No.

datasourceName Â String. If this parameter is specified, advanced verification is performed against the specified datasource. If this parameter is
omitted, standard verification is performed.
sequence Â Required. Integer. The sequence number of the existing inspection engine for verification. You can use the grdapi
list_inspection_engines command with the type option first, to verify the sequence number of the inspection engine to be verified.
stapHost Â Required. String. The host name or IP address of the database server on which the S-TAP is installed.

protocol Â Required. The database protocol, which must be one of the these values: DB2, DB2 Exit (DB2 version 10), FTP, Informix, Kerberos,
Mysql, Netezza, Oracle, PostgreSQL, Sybase, Teradata, Teradata Exit (v10.1.3 and up), exclude IE. Windows S-TAP hosts can also use
the following protocols: MSSQL, named pipes.
Example:
grdapi verify_stap_inspection_engine_with_sequence stapHost=9.70.144.212

sequence=3
revoke_ignore_stap
This command revokes existing IGNORE S-TAP SESSION (REVOKABLE) policy rule actions that ignore S-TAP session traffic. This command only revokes soft ignore rules
(marked as REVOKABLE) and cannot revoke hard rules (not marked as REVOKABLE).

stapHost Â Required. The host name or IP address of a database server on which S-TAPs are installed and configured to
report to this Guardium system, or a comma-separated list of host names or IP addresses. You can also use
these values:
all_active

all_windows_active
all_unix_active
api_target_host Â Optional parameter that specifies the target host(s) to execute the API. When not specified, it defaults to the

Example
grdapi revoke_ignore_stap stapHost=myhost1
set_ztap_logging_config
This command controls the logging parameters described below.
Syntax: grdapi set_stap_logging_config parameter=[parameter] value=[value].
a
l
u
e

a
l
u
e
log_db2z_target 0 When enabled using log_db2z_target=1, targets in db2z protobuf message are logged to GDM_OBJECT in addition to objects
t from the parser.
o
d
is
a
b
l
e
1
t
o
e
n
a
b
l
e
P
a
r
a
m
e
t
e
r
is
d
is
a
b
l
e
d
b
y
d
e
f
a
u
lt
.

a
l
u
e
log_zkey_to_full_sql 0 When enabled using log_zkey_to_full_sql=1, VSAM or IMS Key values will be logged in the full SQL statement for policies using
t "Log full details."
o
d
is
a
b
l
e
1
t
o
e
n
a
b
l
e
P
a
r
a
m
e
t
e
r
is
d
is
a
b
l
e
d
b
y
d
e
f
a
u
lt
.
Example
grdapi set_ztap_logging_config parameter=log_db2z_target value=1
Show values: grdapi get_ztap_logging_config.

enable_advanced_threat_scanning
Enables the scanner processes to check for specific database attacks such as SQL injection and malicious stored procedures.
a
l
u
e
all Â Optional. In a central management configuration only, enables all threat detection scanners on all managed units. Allowable values:
true, false.
schedule_start Â Optional. Specifies the date and time to start running the processes. The accepted format is yyyy-mm-dd hh:mm:ss (24-hour clock).


a
l
u
e

Example:
grdapi enable_advanced_threat_scanning all=true schedule_start="2016-03-24 12:00:05â€
You will see the following message if threat analytics is enabled when outlier detection is not:
Warning - Enabling advance threat scanning (AKA Eagle Eye) when Analytic anomaly detection is disabled.
Advance threat scanning (AKA Eagle Eye) enabled.
ok
disable_advanced_threat_scanning
Disables threat detection scanners on the collector.
a
l
u
e
all Â In a central management configuration only, disables all threat detection scanners on all managed units.


get_eagle_eye_info
Displays the current settings for threat detection parameters.
a
l
u
e

Â Â Â

Example:
grdapi get_eagle_eye_info
Eagle Eye Parameters Values:
EI_CASES_DISPLAY_LIMIT = 3
EI_CONFIDENCE_PCT_CHANGE_TO_REDISPLAY_CASE = 30
EI_EAGLE_EYE_ENABLED = 1
EI_PROCESSOR_TIMEOUT_SEC = 420

EI_SCANNER_PATCH_DEF = 10
EI_SCANNER_TIMEOUT_SEC = 300ok
set_eagle_eye_parameter
Use under the direction of IBM personnel. Changes configuration parameters for threat detection. These parameters must be set explicitly using parameter_name and
parameter_value as follows:
a
l
u
e
EI_CASES_DISPLAY LIMIT Â The number of cases to be displayed in the to-do list report. Default is 3.

EI_CONFIDENCE_PCT_CHANG Â The percent of â€œconfidenceâ€ change that will cause this case to be redisplayed in the to-do list report, even if it has already
E_TO_REDISPLAY CASE appeared before. This can happen if Guardium detects another symptom or symptoms that raise the confidence by this percentage
value. Default is 30.
EI_PROCESSOR_TIMEOUT_SEC Â Processors that run longer time than this threshold are turned off. Default is 420 seconds.

EI_SCANNER_PATCH_DEF Â To avoid false positives as a result of patch installation, if in a single process run the number of stored procedures created exceeds
this parameter then the process assumes a patch is installed and it stops analyzing symptoms. Default is 10 stored procedure
creations detected in one run.
EI_SCANNER_TIMEOUT_SEC Â Scanners that run longer time than this threshold are turned off. Default is 300 seconds.


get_eagle_eye_scanners_info
Return scanner settings information.
a
l
u
e

Â Â Â

The data returned will contain the following information:
Field Description
ID The scanner ID.
Name The scanner name.
Status The status of the scanner from the last run:
I: in progress
D: done
K: killed
E: done with errors

Field Description
Enabled Indicates if the scanner is enabled.
True: enabled
False: disabled
Permanent disabled If the scanner was disabled 3 times in 24 hours, then it is permanently disabled.
True: disabled
False: enabled
Example:
grdapi get_eagle_eye_scanners_info
ID=0
ID:1, Name:SQLInjectionExceptionsScanner, Status:D, Enabled:true, Permanent disabled:false
ID:2, Name:NumNewConstructScanner, Status:D, Enabled:true, Permanent disabled:false
ID:3, Name:SQLInjectionSuspiciousObjectScanner, Status:D, Enabled:true, Permanent disabled:false
ID:4, Name:SqliQueryScanner, Status:Unknown, Enabled:false, Permanent disabled:true
ID:5, Name:EagleEyeSTPCreateProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:6, Name:EagleEyeSTPCallProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:7, Name:EagleEyeSTPExceptionProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:8, Name:EagleEyePreviousStpUsageProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:9, Name:EagleEyeSTPViolationProcedureScanner, Status:D, Enabled:true, Permanent disabled:false
ID:10, Name:EagleEyeSTPUserOutlierScanner, Status:D, Enabled:true, Permanent disabled:false
ok
set_eagle_eye_scanner_parameter
Use under the direction of IBM personnel. Activate or deactivate a scanner. These parameters must be set explicitly using parameter_name and parameter_value as
follows:
a
l
u
e
scanner_id Â Required. The unique ID of the scanner, which you can get from get_eagle_eye_scanners_info GuardAPI command.

is_active Â Defines if the scanner should run. Used to start a scanner that was stopped automatically because it timed out.

0 : the scanner is stopped
1: the scanner is activated
is_permanent_inactive Â If the scanner was permanently disabled after it was disabled 3 times in 24 hours then it can only be enabled again using this
GuardAPI.
1: the scanner is stopped permanently
0: the scanner is enabled

Example:
The following example reactivates a permanently deactivated scanner.
set_eagle_eye_scanner_parameter scanner_id=2 parameter_name=is_permanent_inactive parameter_value=0
get_eagle_eye_symptom_period_hours
Show the value of the symptom period parameter in hours. The symptom period determines how long back the process is looking and analyzing the collected symptoms
for one case.
a
l
u
e

a
l
u
e


Example:
grdapi get_eagle_eye_symptom_period_hours case_name=STP

The symptoms period for case type: STP is: 168 in hours
ok
set_eagle_eye_symptom_period_hours
Set a value for the symptom period parameter in hours. The symptom period determine how long back the process is looking and analyzing the collected symptoms for a
case.
a
l
u
e

symptom_period_hours Â Required. Integer. The number of hours in the past to analyze symptoms for a case.


Example:
grdapi set_eagle_eye_symptom_period_hours case_name=STP symptom_period_hours=170

The symptoms period for case type: STP was changed. The old value was: 168. The new value is: 170
ok
get_eagle_eye_debug_level
For use by IBM Service personnel. Displays current debug level:
1: on
0: off
a
l
u
e

a
l
u
e

Example:
grdapi get_eagle_eye_debug_level
ID=0
component=EAGLE_EYE level=1
ok
set_eagle_eye_debug_level
For use by IBM Service personnel. Displays current debug level.
a
l
u
e
level Â Integer. Required. Allowable values:

1: on
0: off

Example:
grdapi set_eagle_eye_debug_level level=0

ID=0
ok
S-TAP for z/OS V10.1.3 User's Guide

IBM Security Guardium S-TAP for Db2 on z/OS
These topics describe how to use IBMÂ® Security GuardiumÂ® S-TAPÂ® for DB2Â® on z/OSÂ® V10.1.3 (also referred to as IBM Guardium S-TAP for Db2). The
V10.1.3 S-TAP is optimized for the V10.1 Guardium system. IBM Guardium S-TAP for Db2 collects and correlates data access information from a variety of Db2
resources to produce a comprehensive view of business activity for auditors.
IBM Security Guardium S-TAP for IMS on z/OS
These topics describe how to use IBM Security Guardium S-TAP for IMS on z/OS V10.1.3 (also referred to as IBM Guardium S-TAP for IMS). The V10.1.3 S-TAP is
optimized for the V10.1 Guardium system. IBM Guardium S-TAP for IMS collects and correlates data access information from a variety of IMS resources to produce
a comprehensive view of business activity for auditors.
IBM Security Guardium S-TAP for Data Sets on z/OS
These topics describe how to use IBM Security Guardium S-TAP for Data Sets on z/OS V10.1.3 (also referred to as IBM Guardium S-TAP for Data Sets). The V10.1.3
S-TAP is optimized for the V10.1 Guardium system. IBM Guardium S-TAP for Data Sets collects and correlates data access information from a variety of resources
to produce a comprehensive view of business activity for auditors.
IBM Security Guardium S-TAP for Db2 on z/OS

These topics describe how to use IBM Security Guardium S-TAP for Db2 on z/OS V10.1.3 (also referred to as IBM Guardium S-TAP for Db2). The V10.1.3 S-TAP is
optimized for the V10.1 Guardium system. IBM Guardium S-TAP for Db2 collects and correlates data access information from a variety of Db2 resources to produce a
comprehensive view of business activity for auditors.
About these topics

This information is designed to help database administrators, system programmers, and application programmers perform these tasks:
Plan for the installation of IBM Guardium S-TAP for Db2

Install and operate IBM Guardium S-TAP for Db2
Configure the IBM Guardium S-TAP for Db2 environment
Diagnose and recover from IBM Guardium S-TAP for Db2 problems
A PDF of this User's Guide is also available here.
IBM Security Guardium S-TAP for Db2 on z/OS overview

IBM Security Guardium S-TAP for Db2 on z/OS (also referred to as IBM Guardium S-TAP for Db2) collects and correlates data access information from Db2 to
produce a comprehensive view of business activity for auditors. IBM Guardium S-TAP for Db2 enables you to determine which users updated or read a particular
table, on a specific z/OS Db2 system, within a specific time period.
Configuring IBM Security Guardium S-TAP for Db2 on z/OS
After you install IBM Guardium S-TAP for Db2, you must customize some files for your system. All configuration steps are required in both stand-alone and data
sharing environments.
Data collection
IBM Guardium S-TAP for Db2 collects data from an audited Db2 subsystem, in accordance with the collection policies that you create through the IBM Guardium
system. Use a collection policy to specify filtering criteria that captures relevant data and filters out irrelevant data. The filtering criteria that you specify determines
which data is streamed to your IBM Guardium system.
Reference information
These reference topics are designed to provide you with quick access to information about IBM Guardium S-TAP for Db2 sample library members, parameters, and
variables.
Messages and codes for IBM Security Guardium S-TAP for DB2 on z/OS
Parent topic: S-TAP for z/OS V10.1.3 User's Guide
IBM Security Guardium S-TAP for Db2 on z/OS overview

IBM Security Guardium S-TAP for Db2 on z/OS (also referred to as IBM Guardium S-TAP for Db2) collects and correlates data access information from Db2 to produce a
comprehensive view of business activity for auditors. IBM Guardium S-TAP for Db2 enables you to determine which users updated or read a particular table, on a specific
z/OS Db2 system, within a specific time period.
Use IBM Guardium S-TAP for Db2 to collect and correlate the following types of data to the Guardium system:
Modifications to an object (SQL UPDATE, INSERT, DELETE)

Reads of an object (SQL SELECT)
Explicit GRANT and REVOKE operations to capture events where users might be attempting to modify authorization levels
Assignment or modification of an authorization ID
Authorization attempts that are denied because of inadequate authorization
CREATE, ALTER, and DROP operations against an object (such as a table)
Utility access to an object (IBM utilities only)
Db2 commands entered, including which users are issuing specific commands
IBM Guardium S-TAP for Db2 uses Db2 data sharing to obtain audit information from all members of the data sharing group.
What's new in IBM Security Guardium S-TAP for Db2 on z/OS V10.1.3?
Version 10.1.3 of IBM Guardium S-TAP for Db2 provides speed and monitoring enhancements.
The IBM Security Guardium S-TAP for Db2 on z/OS installation environment
The IBM Guardium S-TAP for Db2 SQL Collector Agent collects data from an audited Db2 subsystem in accordance with the filtering policies you set with the
Guardium system.
Installation and operation requirements
Verify that you have the hardware and software that is required to install and operate IBM Guardium S-TAP for Db2.
Parent topic: IBM Security Guardium S-TAP for Db2 on z/OS
What's new in IBM Security Guardium S-TAP for Db2 on z/OS V10.1.3?
Version 10.1.3 of IBM Guardium S-TAP for Db2 provides speed and monitoring enhancements.
Enhancements to this version of the product include:
New Simulation mode enables you to test policies without sending data to the appliance. Data is collected on z/OS.
Support for the collection of BIND/REBIND events
Support for the collection of CICS Unit of Work ID
Improved memory management
Support for blocking policies pushed-down from the appliance
Improved filtering of events
MODIFY command now collects more diagnostic information
Ability to exclude host variables
Support for initiating an appliance MUST GATHER command from z/OS
Support for S-TAP logging
Support for Internet Protocol version 6 (IPV6) introduced with PH16991
Parent topic: IBM Security Guardium S-TAP for Db2 on z/OS overview
The IBM Security Guardium S-TAP for Db2 on z/OS installation environment

The IBM Guardium S-TAP for Db2 SQL Collector Agent collects data from an audited Db2 subsystem in accordance with the filtering policies you set with the Guardium
system.
The IBM Guardium S-TAP for Db2 collector agent runs as a started task and is responsible for the collection of audit data in an IBM Guardium S-TAP for Db2 environment.
As shown in the following diagram, SQL collector data is filtered and sent to the Guardium system, enabling you to view reports on your workstation.
Figure 1. An overview of the IBM Guardium S-TAP for Db2 environment
Guardium Appliance System

The Guardium system can gather, and report on, information from multiple agents running on multiple z/OS systems. The Guardium system:
Provides the user interface, which processes requests and displays the resulting information.
Enables you to create filtering policies, which specify the types of data to be collected by the agent.
Stores the collected data.
Guardium Appliance System and S-TAP Collector Agent communication

The Guardium system and the IBM Guardium S-TAP for Db2 agent communicate by using a TCP/IP connection. The filtering policies that you create instruct the agent
about the data to collect, such as which jobs and data sets to monitor for data accesses.
The IBM Guardium S-TAP for Db2 agent is responsible for:
Collecting Db2 audit data based on the policy settings.

Enabling activities to be blocked.
Streaming collected event activity to the Guardium system.
For more information about how Guardium system policies are interpreted and enabled by the S-TAP, see Policy pushdown.
With the Guardium system installed, configured, and running in your environment, you can test your connection from the z/OS platform to the Guardium system by
configuring and running the IBM Guardium S-TAP for Db2 sample library member, ADHTCPD. Consult your network security team to review the results and confirm that
connection from the z/OS platform to the Guardium system is available.
Installation and operation requirements

Verify that you have the hardware and software that is required to install and operate IBM Guardium S-TAP for Db2.
FEC common code FMID H25F132 is required, and must be present on the system for the successful installation of this product.

IBM Db2 Data Access Common Collector for z/OS V1.1 (CQC) common code FMID HCQC110 is required, and must be present on the system for the successful installation
of this product.
Hardware requirements
Any hardware that is capable of running Db2 for z/OS (V11 or later, until end of service).
Collector agent requirements

Db2 Version 11 or later, until end of service.
z/OS Version 2 Release 2 or later, until end of service.
The IBM Guardium S-TAP for Db2 collector agent must be run on an operating system version that is equivalent to the operating system version on which the
product SMP/E installation is performed.
Resource Recovery Services (RRS) must be configured and enabled for IBM Guardium S-TAP for Db2 to use the RRSAF attachment facility to connect to Db2.
Compatibility with IBM Db2 Query Monitor for z/OS

IBM Guardium S-TAP for Db2 does not require Db2 Query Monitor to be installed or activated on a Db2 subsystem that IBM Guardium S-TAP for Db2 audits. If you
are running Db2 Query Monitor on your system, be aware that IBM Guardium S-TAP for Db2 can audit a Db2 subsystem that is running Db2 Query Monitor Version
3.2 or later. Certain IBM Guardium S-TAP for Db2 PTFs require Db2 Query Monitor PTFs through SMP/E IFREQ.
Required user ID authorizations
To operate IBM Guardium S-TAP for Db2, the S-TAP collector agent started task must run under the authority of a Time Sharing Option (TSO) user ID with these
authorizations.
Compatibility with IBM Db2 Query Monitor for z/OS

IBM Guardium S-TAP for Db2 does not require Db2 Query Monitor to be installed or activated on a Db2 subsystem that IBM Guardium S-TAP for Db2 audits. If you are
running Db2 Query Monitor on your system, be aware that IBM Guardium S-TAP for Db2 can audit a Db2 subsystem that is running Db2 Query Monitor Version 3.2 or later.
Certain IBM Guardium S-TAP for Db2 PTFs require Db2 Query Monitor PTFs through SMP/E IFREQ.
To implement Db2 Query Monitor, your site must have the appropriate operating system, environment, hardware, software, and network requirements. For information
about installing and operating Db2 Query Monitor, refer to the IBM Db2 Query Monitor for z/OS Knowledge Center.
Compatible releases and maintenance levels

The following product abbreviations are used:
InfoSphereÂ® Guardium S-TAP for Db2: STP

IBM Security Guardium S-TAP for Db2 on z/OS: STP
Db2 Query Monitor: CQM
Table 1. Compatible releases and maintenance

levels
CQM 3.2 CQM 3.3 STP 9.1 STP 10.0 STP V10.1.3
CQM 3.2 --- LPAR Db2 Db2 Db2
CQM 3.3 LPAR --- Db2 Db2 Db2
STP 9.1 Db2 Db2 --- LPAR LPAR
STP 10.0 Db2 Db2 LPAR --- LPAR
STP 10.1.3 Db2 Db2 LPAR LPAR ---
Where:
LPAR
The two products releases can coexist on the same LPAR (provided they use a different MASTER name), but cannot be active on the same Db2 subsystem.
Db2
The two products releases can coexist on the same LPAR and can both be active on the same Db2 subsystem/shared collector.
Parent topic: Installation and operation requirements
Required user ID authorizations

To operate IBM Guardium S-TAP for Db2, the S-TAP collector agent started task must run under the authority of a Time Sharing Option (TSO) user ID with these
authorizations.
The collector agent user ID requires Db2 privileges. Grant the collector agent user ID SYSCTRL authority, and the authority to issue the SELECT statements on these
tables:
SYSIBM.SYSTABLES
SYSIBM.SYSTABLESPACE
SYSIBM.SYSINDEXES
OMVS segment
The collector agent uses UNIX System Services (USS) callable services as the network interface to the appliance. The USS callable services require that an OMVS segment
is defined in the RACFÂ® profile for the user ID under which the collector agent job runs. The OMVS segment that is defined for the user ID must contain the following
minimum requirements:

A numeric user ID that is assigned to the user
A valid path to an existing home directory
A program name, for example: /bin/sh or /bin/echo for non-shell
A numeric group ID that is assigned to the user's DEFAULT group
To verify that the ID has an OMVS segment in its RACF profile, use the following command:
LU user ID OMVS
To add an OMVS segment to the RACF profile of an ID, refer to this sample command:
ALTUSER user ID
OMVS(UID(nnn)HOME('/u/ user ID)
PROGRAM('/bin/sh')
Parent topic: Installation and operation requirements

After you install IBM Guardium S-TAP for Db2, you must customize some files for your system. All configuration steps are required in both stand-alone and data sharing
environments.
Before you begin

Review the collector agent security and system requirements before proceeding with the following steps. A list of sample library members is provided in this User's Guide.
About this task

The following table describes the configuration steps and the corresponding SADHSAMP sample library member that is required for customization.
Table 1. Configuration steps
Step Description of configuration step SADHSAMP sample library member to use
1 APF authorizing the LOAD library data set (Not applicable)
2 Customizing JCL members using the ADHEMAC1 macro ADHEMAC1
3 Binding DBRMs using the JCL bind job ADHBIND
4 Granting required authorizations to USERID and ADHPLAN by using the JCL authorization member ADHGRANT
5 Creating the IBM Guardium S-TAP for Db2 control file ADHSJ000
6 Configuring the IBM Guardium S-TAP for Db2 control file ADHSJ001
7 Configuring the collector agent ADHCFGP and ADHCSSID
8 Authorizing ADHPLCY for policy pushdown Define ADHPLCY to RACF or an equivalent security system
Upgrading from IBM Guardium S-TAP for Db2 V9.0, V9.1, or V10.0
You can upgrade to IBM Guardium S-TAP for Db2 V10.1.3 from IBM Guardium S-TAP for Db2 V9.0, V9.1, or V10.0 by completing these steps.
After installation, configure IBM Guardium S-TAP for Db2 by completing the steps that are described in this section.
Upgrading from IBM Guardium S-TAP for Db2 V9.0, V9.1, or V10.0
You can upgrade to IBM Guardium S-TAP for Db2 V10.1.3 from IBM Guardium S-TAP for Db2 V9.0, V9.1, or V10.0 by completing these steps.
Procedure
1. Complete the SMP/E installation of IBM Guardium S-TAP for Db2 V10.1.3.
2. APF-authorize the V10.1.3 SADHLOAD data set.
3. Customize and run the Db2 bind job in SADHSAMP(ADHBIND).
4. Customize and run the Db2 grant job in SADHSAMP(ADHGRANT).
5. Export and save your collection profiles.
(V8.1 collection profiles, or policies, were administered either with the InfoSphereÂ® Guardium S-TAP for Db2 administration client, or the IBM Guardium system.)
6. Stop the previous version's collector agent and server address spaces.
7. Update the collector started task JCLs (ADHCssid) to:
Remove the previous version of the product SADHLOAD data sets.
Include the new V10.1.3 product SADHLOAD data sets in the STEPLIB DD concatenation members.
Note: ADHSssid and ADHAssid started tasks are not used in IBM Guardium S-TAP for Db2 V10.1.3.
8. Update the V10.1.3 collector configuration member (typically SADHSAMP(ADHCFGP).
9. Install a collection policy on the IBM Guardium system.
If policy pushdown was used for V8.1 collection administration, follow the Guardium Policy Builder instructions for migrating policies for V8.1 to V10.1.3.
If the InfoSphere Guardium S-TAP for Db2 administration client was used for V8.1 collection administration, use the XML exported in Step 4 as a reference
for the Guardium Policy Builder to define collection policies for V10.1.3.
10. Start the collector address space by typing /S ADHCssid at the z/OSÂ® command prompt.
What to do next
Now you can install policies on the z/OS host by using the IBM Guardium system interface. No additional configuration steps are required.
Parent topic: Configuring IBM Security Guardium S-TAP for Db2 on z/OS
Configuring IBM Security Guardium S-TAP for Db2 on z/OSÂ®

After installation, configure IBM Guardium S-TAP for Db2 by completing the steps that are described in this section.
APF authorizing the LOAD library data set

The system programmer must APF authorize the product LOAD library for data collection to work correctly. The system programmer must modify the IEAAPFxx or
PROGxx PARMLIB members to define the IBM Guardium S-TAP for Db2 data set, as specified by ADHEMAC1 macro value #SADHLOAD, as an APF authorized
library.
Enabling the dynamic LPA facility service CSVDYLPA
The user ID that was used to start the Collector Agent PROC must be enabled to use the dynamic LPA facility CSVDYLPA to enable the collector agent to collect
data.
Service class considerations
The collector agent started task must be set at a dispatching priority that is the same as, or higher than, that of Db2.
Customizing JCL members
Use the edit macro ADHEMAC1 to customize the variables in the JCL to be run. Running ADHEMAC1 allows you to modify members without requiring you to
remember plan names, creators, and other variables from one editing session to the next editing session.
Creating the IBM Guardium S-TAP for Db2 control file
IBM Guardium S-TAP for Db2 configuration information is stored in a VSAM data set, which is the product control file.
Configuring the IBM Guardium S-TAP for Db2 control file
IBM Guardium S-TAP for Db2 requires information that identifies target Db2 subsystems, product options, and data set attributes. The product configuration is
saved in the VSAM product control file data set that you created previously.
Configuring the collector agent
To configure the collector agent, complete the steps provided in each of the subsequent sections. The address space dispatching priority for IBM Guardium S-TAP
for Db2 must be the same as, or higher than, that of Db2.
Configuring the collector agent for additional Db2 subsystems
The collector agent must be configured for each Db2 subsystem that is to be audited.
Support Services Address Space overview
IBM Guardium S-TAP for Db2 uses a Support Services Address Space, also referred to as a Master Address Space. Learn about how the Master Address Space
works, as well as the implications for using and stopping it.
Enabling CICS Login User ID reporting
You can capture the CICSÂ® Login User ID for SQL Statements that are run in Db2 for CICS. The capture of CICS transactions is limited to CICS versions TS 4.2 or
later, until end of support.
APF authorizing the LOAD library data set

The system programmer must APF authorize the product LOAD library for data collection to work correctly. The system programmer must modify the IEAAPFxx or PROGxx
PARMLIB members to define the IBM Guardium S-TAP for Db2 data set, as specified by ADHEMAC1 macro value #SADHLOAD, as an APF authorized library.
About this task

The IBM Guardium S-TAP for Db2 agent requires that all data sets accessed in the STEPLIB of the collector job be APF authorized, including:
the LOAD library data set

adhhlq.SADHLOAD
the FEC data set fechlq.SFECLOAD (where adhhlq and fechlq are the data set high level qualifier where S-TAP and FEC products are installed)
the CQC data set cqchlq.SCQCLOAD (where adhhlq and cqchlq are the data set high level qualifier where S-TAP and CQC products are installed)
Other data sets that require APF authorization are:
CEE.SCEERUN
CEE.SCEERUN2
Db2 EXIT data set (i.e. DSN.VAR1.SDNEXIT)
Db2 LOAD library data set (i.e. DSN.VAR1.SDSNLOAD)
SYS1.LINKLIB
Refer to the z/OSÂ® Knowledge Center for more information about how to APF authorize libraries.
Enabling the dynamic LPA facility service CSVDYLPA

The user ID that was used to start the Collector Agent PROC must be enabled to use the dynamic LPA facility CSVDYLPA to enable the collector agent to collect data.
About this task

Determine whether the dynamic LPA facility CSVDYLPA is SAF protected. If the dynamic LPA facility CSVDYLPA is not SAF protected, this step is not required.
Procedure
Provide the user ID with ADD/UPDATE/DELETE authority.
For more information about how to enable the CSVDYLPA resource, see section 5.6.3 of the z/OSÂ® V1R7.0 MVSâ„¢ Planning: Operations Guide (SA22-7601-06), section
Controlling/Adding A Module to LPA after IPL.

The collector agent started task must be set at a dispatching priority that is the same as, or higher than, that of Db2.

Related tasks

Use the edit macro ADHEMAC1 to customize the variables in the JCL to be run. Running ADHEMAC1 allows you to modify members without requiring you to remember
plan names, creators, and other variables from one editing session to the next editing session.
Procedure
1. Copy member ADHEMAC1 from the adhhilvl.SADHSAMP to your site's CLIST library, and then edit the ADHEMAC1 macro with the appropriate variables.
2. After you copy the edit macro to your CLIST library, use it to edit each sample library member individually. You might need to update the macro between edits
depending on the member being edited and the context of the variable to be modified in the sample library.
3. To run the macro, type the ADHEMAC1 command to automatically update the appropriate variables in the member that you are editing.
Related reference
ADHEMAC1 edit macro variables
Creating the IBM Guardium S-TAP for Db2 control file

IBM Guardium S-TAP for Db2 configuration information is stored in a VSAM data set, which is the product control file.
About this task

Using the sample JCL that is included with the product, complete these steps to create the IBM Guardium S-TAP for Db2 control file:
Procedure
1. Edit SADHSAMP member ADHSJ000.
2. Add the appropriate job card to ADHSJ000.
3. In the DELETE instruction, change the data set name.
4. In the DEFINE CLUSTER instruction, change the following text within parentheses:
Data set NAME
VOLUMES
DATA NAME
INDEX NAME
5. In the REPRO instruction, change the name of the OUTDATASET.
6. Run ADHSJ000 to create the control file. The job steps must end with a return code of zero.
Configuring the IBM Guardium S-TAP for Db2 control file

IBM Guardium S-TAP for Db2 requires information that identifies target Db2 subsystems, product options, and data set attributes. The product configuration is saved in
the VSAM product control file data set that you created previously.
About this task

Update the product control file by using the sample JCL that is included with IBM Guardium S-TAP for Db2. Sample library member ADHSJ001 contains the JCL to update
the control file. The following steps list the tasks required to configure the product control file data set.
Important: The Db2 plan names that are specified in the product configuration options must match the product plan names assigned to the product's Db2 plans bind plan
job.
Procedure
1. Edit SADHSAMP member ADHSJ001.
2. Add the appropriate job card to ADHSJ001.
3. Change ADH.V0A00.CONTROL to the name of the VSAM control data set that you created using member ADHSJ000.
4. Change #SADHLOAD to the name of the product LOADLIB used for IBM Guardium S-TAP for Db2.
5. Modify the SYSIN DD statements as instructed in the sample member. For more information, see Required statements for each subsystem.
Important: In a data-sharing environment, specify subsystem names (not group names) in ADHSJ001.
6. Run ADHSJ001.
Ensure that the update job steps of the product control file end with a return code of zero. If a non-zero return code occurs, review the job output for errors, correct
the problem, and resubmit the JCL.
Required statements for each subsystem

The following statements are required for each Db2 subsystem that is added to the control file.

Required statements for each subsystem
The following statements are required for each Db2 subsystem that is added to the control file.
Table 1. Required statements for

each subsystem
Statement Setting
SET DB2 SSID #SSID
UPDATE DB2 ZPARMS #SZPARM
UPDATE DB2 BOOTSTRAP 1 #SBSDS01
UPDATE DB2 LOADLIB 1 #SDSNEXIT
UPDATE DB2 LOADLIB 2 #SDSNLOAD
SET PRODUCT CFG NULL
SET PRODUCT VER NULL
UPDATE ADH PLAN 1 ADHPLAN1
UPDATE ADH CORR ID 1 ADH ID 1
UPDATE ADH CORR ID 2 ADH ID 2
Parent topic: Configuring the IBM Guardium S-TAP for Db2 control file

To configure the collector agent, complete the steps provided in each of the subsequent sections. The address space dispatching priority for IBM Guardium S-TAP for Db2
must be the same as, or higher than, that of Db2.
1. Configuring the JCL for ADHBIND

SADHSAMP(ADHBIND) is a job that binds the packages and plan used by the collector agent.
2. Configuring the JCL for ADHGRANT
SADHSAMP(ADHGRANT) is a job that grants authorizations to the user ID and plan that are used by the collector agent.
3. Configuring the ADHCFGP data set
The ADH#MAIN program uses parameters to define the IBM Guardium S-TAP for Db2 subsystem name, the monitored Db2 subsystem, the Guardium system host
name or network address TCP/IP port, and other parameters that control how the IBM Guardium S-TAP for Db2 collector agent is implemented.
4. Defining the collector agent started task JCL
The collector agent runs as a started task. The sample library member ADHCSSID contains the sample JCL to set up the IBM Guardium S-TAP for Db2 collector
agent started task.
Related reference
Configuring the JCL for ADHBIND

SADHSAMP(ADHBIND) is a job that binds the packages and plan used by the collector agent.
Procedure
1. Customize and submit the JCL according to the instructions in the member.
2. Submit the ADHBIND JCL to bind the collector agent packages and plan on each Db2 subsystem on which you want to use IBM Guardium S-TAP for Db2.
Parent topic: Configuring the collector agent

Next topic: Configuring the JCL for ADHGRANT
Configuring the JCL for ADHGRANT

SADHSAMP(ADHGRANT) is a job that grants authorizations to the user ID and plan that are used by the collector agent.
Procedure
1. Customize and submit the JCL according to the instructions in the member.
2. Submit the ADHGRANT JCL to grant authorizations to the user ID and plan that are used by the collector agent for each Db2 subsystem on which you want to use
IBM Guardium S-TAP for Db2.
Note: The ADHGRANT job contains examples of the GRANTs that meet the minimal authorization requirements for the collector agent. Alternative authorizations
and, subsequently, GRANTs, can be used to meet the minimal authorization requirements for the collector agent.

Previous topic: Configuring the JCL for ADHBIND
Next topic: Configuring the ADHCFGP data set
Configuring the ADHCFGP data set

The ADH#MAIN program uses parameters to define the IBMÂ® GuardiumÂ® S-TAPÂ® for DB2Â® subsystem name, the monitored Db2 subsystem, the Guardium system
host name or network address TCP/IP port, and other parameters that control how the IBM Guardium S-TAP for Db2 collector agent is implemented.

About this task
These parameters are defined in an 80-byte sequential or partitioned data set that you must allocate to the ADHPARMS DD. A sample is available in the SADHSAMP library
member ADHCFGP.
Note: The AUDIT parameter is required. It instructs the collector agent to audit a specific Db2 subsystem. It supports only one Db2 subsystem.
To use the sample ADHCFGP member:
Procedure
1. Copy ADHCFGP to the appropriate location (PARMLIB) on your system.
2. Verify that the parameters are valid for your environment. If necessary, edit the parameter file for your IBM Guardium S-TAP for Db2 objects.
3. Edit the ADHPARMS DD in the started task JCL to point to the ADHCFGP data set that you have customized.
Example
An example of the ADHCFGP member contents is as follows:
BROWSE ADH.SMPE.SAMPLIB(ADHCFGP) - 01 L
Command ===>
SUBSYS(#SSID)
AUDIT(#SSID)
MASTER_PROCNAME(ADHMST31)
APPLIANCE_SERVER(#APPSRVR)

Previous topic: Configuring the JCL for ADHGRANT
Next topic: Defining the collector agent started task JCL
Defining the collector agent started task JCL

The collector agent runs as a started task. The sample library member ADHCSSID contains the sample JCL to set up the IBM Guardium S-TAP for Db2 collector agent
started task.
Before you begin

To run the collector agent as a started task, the JCL must be in a cataloged procedure library. Modify the sample started task JCL in SADHSAMP library member ADHCSSID
for your site, according to the instructions in the member.
About this task

The started task requires:
READ access to the ADHCFGP data set in the RACFÂ® DATASET class
UPDATE access to the DB2PARMS data set in the RACF DATASET class
The ability to connect to the Db2 subsystem that is monitored by the collector agent
The ability to read data from the following Db2 subsystem catalog tables:
SYSTABLES
SYSINDEXES
SYSDBRM
SYSPACKAGE
SYSPACKSTMT
SYSSTMT
Procedure
1. Using the sample library member ADHCSSID as a template, customize the member according to the directions contained in the sample JCL. Any valid member
name can be used for the started task name, but the suggested started task name is ADHCSSID, where SSID is the identifier of the Db2 subsystem that is to be
monitored.
2. Copy the customized JCL to an appropriate SYSPROC data set. The JCL must include definitions for the following data descriptions:
ADHPARMS
ADHPARMS must name the IBM Guardium S-TAP for Db2 collector agent configuration file.
DB2PARMS
DB2PARMS must name the IBM Guardium S-TAP for Db2 product control file (example: ADH.V0A00.CONTROL).
ADHPLCY
ADHPLCY enables policy persistence. For more information, see the Policy Persistence information provided in Policy pushdown.
If ADHPLCY is defined, it must point to a data set that is allocated with a record format of fixed blocked (RECFM=FB) and a record length (LRECL) greater than
or equal to 256.
The ADHPLCY data set should be allocated with a minimum of 50 primary tracks and 10 secondary tracks. The ADHPLCY data set can be sequential, PDS, or
PDS/E. If you use PDS or PDS/E, the space requirements might need to be increased in relation to the number of members that are contained within the data
set.
ADHLOG
ADHLOG is the SYSOUT data set to which IBM Guardium S-TAP for Db2 collector agent log messages will be written.
STEPLIB
STEPLIB must include the IBM Guardium S-TAP for Db2 SADHLOAD data set.
Note: Every data set allocated to STEPLIB must be APF-authorized.
SYSPRINT
SYSPRINT is the SYSOUT data set to which log messages will be written.

Previous topic: Configuring the ADHCFGP data set
Related reference
Sample library members
Configuring the collector agent for additional Db2 subsystems

The collector agent must be configured for each Db2 subsystem that is to be audited.
Before you begin

You must have the following user ID authorities:
READ access to ADHCFGx parameter data sets, Db2 catalogs, and VSAM control data sets
Access to the DSNR resource class in Db2
OMVS segment definition
GRANT authority for SYSCTRL Db2 to communicate with the agent started task user IDs on all Db2 subsystems to be audited
READ authority for the Db2 catalog tables
Authority to use the dynamic LPA facility CSVDYLPA
To define additional Db2 subsystems for auditing, follow these steps:
Procedure
1. For additional stand-alone Db2 subsystems, use the SADHSAMP member ADHBIND to bind IBM Guardium S-TAP for Db2 plans on each Db2 subsystem that is to
be audited.
For data sharing group members, use ADHBIND to bind one member of the data sharing group. The bind will apply to all additional group members.
When configuring the product control file for each member of the data sharing group, the PLAN value that is used in the ADHBIND job can also be used for
the ADHPLAN1 value in the SJ001 JCL job.
For the first member of the data sharing group, PACKAGES and PLANS that are used in the ADHBIND job will work for all members of the data sharing group.
2. For each data sharing group or additional stand-alone Db2 subsystem, grant EXECUTE permission for the agent started task ID to the ADH PLAN 1, as specified in
the PCF file for the Db2 subsystem. Refer to the JCL SADHSAMP member ADHGRANT for additional details on granting EXECUTE permission to the ADH PLAN.
3. Update the control file with the new SSID, or create a new S-TAP control file for each SSID by using the SADHSAMP member ADHSJ001.
4. Configure a new S-TAP agent configuration file.
5. Add the agent started task name to the z/OSÂ® started task table.
6. Start the new S-TAP agent.
Note:
Dispatching priority must be the same as, or higher than, Db2.
After you start the agent, review the agent log and MVSâ„¢ log for any error messages. When an active collection policy is received, the agent starts collecting audit
data.
Support Services Address Space overview

IBM Guardium S-TAP for Db2 uses a Support Services Address Space, also referred to as a Master Address Space. Learn about how the Master Address Space works, as
well as the implications for using and stopping it.
A Support Services Address Space, also referred to as a Master Address Space, starts for each z/OSÂ® image after the first instance of IBM Guardium S-TAP for Db2,
InfoSphereÂ® Optimâ„¢ Query Workload Replay for Db2, or IBM Db2 Query Monitor for z/OS starts with a MASTER_PROCNAME value that is not yet in use on that z/OS
image.
The Master Address Space is a Service Address Space for all instances of IBM Guardium S-TAP for Db2, InfoSphere Optim Query Workload Replay for Db2, or IBM Db2
Query Monitor for z/OS that specify the same MASTER_PROCNAME parameter value that is running on the z/OS image. The Master Address Space acts as a placeholder
for shared collector resources, and is similar to other Master Address Spaces that are used throughout MVSâ„¢. For sample, MVS and Db2 both have Master Address
Spaces.
The Master Address Space:
Never shuts down

Does not run any code except for its initialization routines
Owns resources that are needed by the shared collector
Does not require a formal shutdown and should not be canceled or forced to shut down during the operation of IBM Guardium S-TAP for Db2, InfoSphere Optim
Query Workload Replay for Db2, or IBM Db2 Query Monitor for z/OS.
Forcing the Master Address Space to stop causes the abnormal termination of all IBM Guardium S-TAP for Db2, InfoSphere Optim Query Workload Replay for Db2,
and IBM Db2 Query Monitor for z/OS subsystems on the LPAR.
Important: During installation, do not stop or start the Master Address Space unless required by product maintenance or instructed to do so by IBM Software Support.
Usage considerations for the Master Address Space

The following considerations apply to the use of the Support Services Address Space when you are using IBM Guardium S-TAP for Db2 to monitor the same Db2
subsystem, or multiple Db2 subsystems, on the same LPAR.
Stopping the Master Address Space
Do not stop the Master Address Space unless you are directed to do so by IBM Software Support or by a ++HOLD(ACTION) in a PTF.

Usage considerations for the Master Address Space
The following considerations apply to the use of the Support Services Address Space when you are using IBM Guardium S-TAP for Db2 to monitor the same Db2
subsystem, or multiple Db2 subsystems, on the same LPAR.
Monitoring the same Db2 subsystem

If you use multiple collector products (such as IBM Guardium S-TAP for Db2, InfoSphereÂ® Optimâ„¢ Query Workload Replay for Db2, or IBM Db2 Query Monitor for
z/OSÂ®) to monitor the same Db2 subsystem, each product must specify the same value for the MASTER_PROCNAME parameter.
Monitoring multiple Db2 subsystems that reside on the same LPAR
If you use multiple collector products (such as IBM Guardium S-TAP for Db2, InfoSphere Optim Query Workload Replay for Db2, or IBM Db2 Query Monitor for
z/OS) or multiple instances of the same product to monitor different Db2 subsystems that reside on the same LPAR, each product can have a different value for the
MASTER_PROCNAME parameter.
Note: This rule applies to instances when you are running different maintenance levels of the same product on the same LPAR (for example, if you are testing new
maintenance levels prior to upgrading your production system).
Parent topic: Support Services Address Space overview
Stopping the Master Address Space

Do not stop the Master Address Space unless you are directed to do so by IBM Software Support or by a ++HOLD(ACTION) in a PTF.
To ensure product stability, the Master Address Space should only be stopped by using the sample job that is provided in SADHSAMP, member ADHMSTR. This job verifies
that no IBM Guardium S-TAP for Db2, InfoSphereÂ® Optimâ„¢ Query Workload Replay for Db2, or IBM Db2 Query Monitor for z/OSÂ® subsystems are using the Master
Address Space before it is stopped.
Parent topic: Support Services Address Space overview
Enabling CICS Login User ID reporting

You can capture the CICSÂ® Login User ID for SQL Statements that are run in Db2 for CICS. The capture of CICS transactions is limited to CICS versions TS 4.2 or later,
until end of support.
About this task

Update the CICS Connection definition to capture the CICS Login User ID:
Procedure
1. Set the ATTACHSEC parameter to ATTACHSEC(IDENTIFY) for the user ID to be passed from the Terminal-Owning Region (TOR) to the Application-Owning Region
(AOR).
This makes the user ID available for collection.
2. Ensure that the CICS_USERID collector agent parameter is set to Y to enable reporting of the CICS login user ID. For more information, see Collector agent
parameters.
Results
The CICS Login User ID is reported in Guardium interface DB2 Client Info field for SQL Statements that are run in Db2 for CICS transactions.
Data collection
IBM Guardium S-TAP for Db2 collects data from an audited Db2 subsystem, in accordance with the collection policies that you create through the IBM Guardium system.
Use a collection policy to specify filtering criteria that captures relevant data and filters out irrelevant data. The filtering criteria that you specify determines which data is
streamed to your IBM Guardium system.
You can define and manage data collection and filtering in the Guardium Policy Builder of the IBM Guardium system interface.
Data collection process

During the collection process, IBM Guardium S-TAP for Db2 collects event data and verifies the data against the collection criteria that is defined in the collection
policy.
Filtering
IBM Guardium S-TAP for Db2 V10.1.3 greatly simplifies the filtering process from that which was used in past product versions. All filtering occurs at the point of
collection regardless of the field types that are included in the rules for the active collection policy. Filtering occurs at the point of collection with or without the
specification of object types, which results in efficient CPU usage.
Policy pushdown
At startup, the IBM Guardium S-TAP for Db2 collector agent waits for a policy to be streamed (or pushed down) from the Guardium system before activating a
collection. When the collector agent receives a policy, it inactivates the active collection (if a collection is active), updates the collection profile with the new policy,
and then activates the collection policy.
Streaming audit data to multiple systems
Multistream mode enables S-TAP audit events to be sent to multiple connected appliances. You can enable multistreaming to up to 6 Guardium appliances
(APPLIANCE_SERVER + APPLIANCE_SERVER_n, where n can be 1 - 5).
Starting and stopping the collector agent
After you configure the product and review the data collection information, you can start the collector agent. Use the commands provided to start and stop the
collector agent started task from a cataloged procedure library.
Including or excluding failed accesses and negative SQL code
IBM Guardium S-TAP for Db2 enables you to include or exclude failed accesses and negative SQL code on a per-policy basis.

Quarantining SQL activity
IBM Guardium S-TAP for Db2 enables you to quarantine the SQL activity of specific users for specific periods of time.
SQL Blocking
You can block the SQL activity of Db2 users' (Auth IDs) access to specific tables and databases. SQL statements that are run against accelerated tables are eligible
for blocking if the blocking filtering criteria is met. If a SQL statement matches the blocking criteria, the SQL statement is prevented from running. Use the Guardium
appliance interface to define blocking policies.
Controlling host variable collection
IBM Guardium S-TAP for Db2 enables you to specify, on a per-rule basis, whether host variable information will be sent to the appliance for activity that matches
that rule.
Collecting Command activity by using the Audit SQL Collector
IBM Guardium S-TAP for Db2 enables you to collect Command activity by using the Audit SQL Collector.
Collecting SET CURRENT SQLID events by using the Audit SQL Collector
IBM Guardium S-TAP for Db2 V10.1.3 enables you to collect SET CURRENT SQLID events by using the Audit SQL Collector.
Data collection process

During the collection process, IBM Guardium S-TAP for Db2 collects event data and verifies the data against the collection criteria that is defined in the collection policy.
Collection includes the following:
All reads and all changes (with collector agent based collection)
Host variables up to a maximum of 256 bytes per variable
Dynamic SQL text up to 2 million bytes per statement
Static SQL text up to 4000 bytes
Data collected from Db2 is filtered during the collection process, and non-relevant events are discarded. Specify filtering criteria by defining a collection policy so that only
relevant events are captured. This limits the amount of unnecessary data that is collected and stored by IBM Guardium S-TAP for Db2.
Collection policy
The collection policy is defined by the Guardium policy. It is used to determine which events (SQL, Command, Utilities, etc.) are streamed from the z/OS collector
agent to the Guardium appliance. The following methodology determines how the collection policy determines whether to stream events to the Guardium
appliance.
Collected event types
All event types are collected with the SQL Collection mechanism, which is not dependent on other SQL Trace information such as the Db2 Trace (IFI) or SMF data.
Filtering criteria is defined and managed through the IBM Guardium system interface. This table lists the types of events that can be collected.
Parent topic: Data collection
Collection policy
The collection policy is defined by the Guardium policy. It is used to determine which events (SQL, Command, Utilities, etc.) are streamed from the z/OS collector agent to
the Guardium appliance. The following methodology determines how the collection policy determines whether to stream events to the Guardium appliance.
The collection policy is comprised of one or more rules. Each rule includes a list of filtering criteria (fields), which is used to determine the events that are streamed. An
event is streamed to the appliance if the fields within the event match all of the fields defined within any rules of the collection policy. (Evaluation of the rules within the
collection policy is or.) For example, if a collection policy is composed of three rules (rule 1, rule 2, and rule 3), an event is streamed if it matches rule 1, or rule 2, or rule 3.
Each rule is made up of filter types and values (fields) that are used to determine if an event should be collected. If the fields of the rule are equivalent to the
corresponding fields in the event, the rule evaluates the event to be true, or a match, and the event is captured. A rule is considered true if one of each specified filter type
and value matches that of the event. (Evaluation of the rule is and.) For example:
If a rule is comprised of the filters DBUser=User1 and PLAN=DSNTEP2, an event is collected by the rule if both DBUser=User1 and PLAN=DSNTEP2 are present in
the event. If only one of the filtering criterion is present, or neither of the filtering criteria are present, the event does not meet the conditions of the rule and will not
be collected by the rule.
If a rule is comprised of the filters NET_PROTOCOL=TSO and OS_USER=User1, then only TSO workload events executed by User1 will be collected by the rule
(wherein User1 is Original Auth ID). Non-TSO workloads run by User1 will not be collected by the rule, nor will TSO workloads run by User2.
The following sections further describe how to filter the collector agent.
Parent topic: Data collection process

All event types are collected with the SQL Collection mechanism, which is not dependent on other SQL Trace information such as the DB2Â® Trace (IFI) or SMF data.
Filtering criteria is defined and managed through the IBMÂ® GuardiumÂ® system interface. This table lists the types of events that can be collected.
Table 1. Collected event types

All reads (SQL SELECT)
All changes (SQL UPDATE, INSERT, DELETE)
Authorization
Audit data for Db2 utilities
Grant/Revoke
Access attempts
Binds/Rebinds
Commit/Rollbacks

Db2 commands
Db2 utilities
Failed logins
Create, Alter, Drop table
Create, Alter, Drop all other object types
Static SQL host variables
Static SQL text
Dynamic SQL host variables
Dynamic SQL text
Negative SQL events
SQL events involving Accelerated/IDAA tables
Information collected for CICS events

For events that are collected with Net Prtcl of a type that originates from CICS, the Internet Protocol (IP) address is reported as Terminal ID and the CICS End User is
reported as the DB2 User Name in the IBM Guardium system interface.
Audit data for Db2 Utilities

You can collect table information for Db2 utility operations that are run against tablespaces. The IBM Guardium S-TAP for Db2 collector agent reports the name of
the table associated with the tablespace. Configure audit data for Db2 utilities according to the following rules.
Parent topic: Data collection process
Audit data for Db2 Utilities

You can collect table information for Db2 utility operations that are run against tablespaces. The IBM Guardium S-TAP for Db2 collector agent reports the name of the
table associated with the tablespace. Configure audit data for Db2 utilities according to the following rules.
Set the STAP_UTILITY_TS_TO_TABLE parameter to Y to collect audit data for Db2 utilities. See Collector agent parameters for more information.
Audit data for Db2 utilities is collected according to the following rules:
When a single table is contained in the tablespace, the table information is reported.
When more than one table is contained in the tablespace, the product can be configured to report either:
No tables
The tablespace is reported, but no tables are reported.
All tables in the tablespace
Utility operations are reported against the accessed table.
This option can result in false positives being reported against tables in the tablespace that were not affected by the running of the utility.
Parent topic: Collected event types
Filtering
IBM Guardium S-TAP for Db2 V10.1.3 greatly simplifies the filtering process from that which was used in past product versions. All filtering occurs at the point of
collection regardless of the field types that are included in the rules for the active collection policy. Filtering occurs at the point of collection with or without the
specification of object types, which results in efficient CPU usage.
Filtering occurs when you create a filter that uses one or more of the following filter fields:
Net Prtcl
Specifies the appliance connection type to Db2.
OS User
Specifies the original operator user ID that is used to connect to Db2.
DB User
Specifies the primary AUTHID that is used for authorization within Db2. In most situations, this value is the same as OS User.
App. User (PROG=program)
Specifies a valid DB2 program name, such as DSNTEP2.
App. User (PLAN=plan)
Specifies a valid DB2 plan name, such as DSNTEP2.
Client Info (APPL=transaction name)
Specifies a valid program (or user workstation transaction) name, such as db2.exe.
Client Info (WKSTN=workstation name)
Specifies a valid user workstation name, such as PCsys1.
Client Info (USER=user name)
Specifies a valid user name, such as PCuser1.
Object type (%/SYSIBM.SYSTABLE)
Specifies a table.
These fields can be fully qualified, or partially qualified by using the percent sign wildcard character. For more information about using wildcard characters, see
Filter wildcard support.
The most efficient CPU usage is achieved when you create a filter that eliminates the greatest number of events. To increase filtering efficiency, refine your filtering
criteria by indicating the additional filtering types with specific values that are associated with the data that you want to collect.
Improving filtering efficiency

You can improve the CPU efficiency of filtering by including filter types in the filter. Specifying the plan, auth ID, connection type, operator ID, program, workstation user,
workstation name, or object filter types that are associated with the performed action improves efficiency, as shown in the following example.
Example
To capture access to a table called MY.TABLE, you could create the following filter:
Filter 1
Schema.Table equal to MY.TABLE
This filter causes IBM Guardium S-TAP for Db2 to capture only those events that access MY.TABLE.
To increase efficiency in this example, specify a filter field, such as plan, even if you are sure that plan is the only plan that accesses this table. To capture access to the
table MY.TABLE for an application that runs under a specific plan, such as MYPLAN, the following is an example of a more efficient filter:
Filter 2
Plan equal to MYPLAN
Schema.Table equal to MY.TABLE
Specifying the plan results in only those events with the specified plan and object being streamed to appliance. Fewer events streamed to the appliance results in
improved CPU usage.
Event types and filtering

The following table shows the correlation between the event type and filtering. You can define and manage filtering criteria by setting the Database Type to DB2
Collection Profile in the Guardium Policy Builder of the Guardium appliance interface.
Filtering by database name
IBM Guardium S-TAP for Db2 enables you to filter by database name. You can specify database name filters, on a per-rule basis, to be included in the SQL activity
filters.
Filter wildcard support
When you are creating a filter, value strings can include the percent sign (%) as a wildcard character. The wildcard character (%) enables the collector to match
strings without you having to provide all possible string values for a filter value.
Event types and filtering

The following table shows the correlation between the event type and filtering. You can define and manage filtering criteria by setting the Database Type to DB2 Collection
Profile in the Guardium Policy Builder of the GuardiumÂ® appliance interface.
If you enable collection of SELECT/UPDATE/INSERT/DELETE events, then the event collection is subjected to additional filtering. If you enable collection of event types
other than SELECT/UPDATE/INSERT/DELETE, then the events are collected without being subjected to filtering.
Table 1. Event types and filtering

Event type Subjected to filtering?
SELECT/UPDATE/INSERT/DELETE (SUID) Yes
CREATE/ALTER/DROP No
GRANT/REVOKE No
SET CURRENT SQLID No
DB2Â® COMMANDS No
Db2 UTILITIES No
FAILED LOGINS No
NEGATIVE SQLCODEs No
COMMIT/ROLLBACK No
BINDS/REBINDS No
Enabling the collection of specific event types

The active policy determines which event types are enabled for collection. If the event type is enabled within a rule for the active policy, it is enabled for all rules within the
active policy.
An event that is enabled in Rule 1 is subjected to subsequent rule filters. The following is an example using ASC event type collection:
Rule 1 contains an Object field value of %/%.%.

Rule 1 contains AUTHID filtering for User 1.
SELECT/UPDATE/DELETE/INSERT/SET CURRENT USERID/CREATE/ALTER/DROP events are collected for all tables for both User 1 and User 2.
Tip: This example could be simplified by placing both AUTHIDs into a group within a single rule.
The following is an example using event type collection:
Rule 1 contains the collection of Utility events.

Rule 2 does not contain the collection of Utility events, but it contains AUTHID filtering for User 2.
All Utility events are collected because they are enabled for Rule 1.
This list describes how you can enable the collection of specific event types:
SELECT/UPDATE/INSERT/DELETE (SUID)
Enable collection by including any filter type or non-blank value in the Object field of the rule.

Two target records are reported for nested INSERT/UPDATE/DELETE events: SELECT, and either INSERT, UPDATE, or DELETE. All nested INSERT/UPDATE/DELETE
events are considered Table Change events. If the table filter is set to collect only READ events, then these events are filtered out (not collected).
Wildcarding can be used within the Object field value, for example: %/SYSIBM.SYSTABLES or %/%.%.
CREATE/ALTER/DROP
Collection is automatically enabled by including any filter type or non-blank value in the Object field of the rule.
GRANT/REVOKE
Enable collection through the GRANT/REVOKE command setting.
SET CURRENT SQLID
Collection is automatically enabled by including any filter type or non-blank value in the Object field of the rule.
DB2 COMMANDS
Enable collection through the DB2 Commands command setting.
DB2 UTILITIES
Enable collection through the UTILITES command setting.
FAILED LOGINS
Enable collection through the FAILED AUTHID CHANGES command setting.
NEGATIVE SQLCODES
Enable collection through the presence of a negative SQLCODE list. Only one list is allowed per policy.
SQLCODE collection can be added to an active collection policy. A policy that contains a single rule with only negative SQLCODES results in an inactive policy.
COMMIT/ROLLBACK
Enable collection by adding COMMIT/ROLLBACK to the Guardium appliance policy.
Parent topic: Filtering
Filtering by database name

IBM Guardium S-TAP for Db2 enables you to filter by database name. You can specify database name filters, on a per-rule basis, to be included in the SQL activity filters.
The following operations are supported:
Included operations
The event is audited if any of the objects are in any of the DBNAMEs.
Excluded operations
If all of the objects are not in any of the DBNAMEs, then it is a considered a match.
Example: All of the objects must be in one or more of the DBNAMEs for them to be excluded. If an object is from a DBNAME that is not in the list, then it is
considered a match. If any database that is accessed by the query is not in the EXCLUDE DB list, then the query must be captured.
Wildcarding
Filter values can include the percent sign (%) as a wildcard character.
Filter wildcard support

When you are creating a filter, value strings can include the percent sign (%) as a wildcard character. The wildcard character (%) enables the collector to match strings
without you having to provide all possible string values for a filter value.
Note: The use of wildcards in filters can potentially result in the collection of significant amounts of captured data.
Filtering fields can be fully qualified, or partially qualified, by using the percent sign wildcard character. You can insert the wildcard character (%) anywhere within the
value string. The presence of the wildcard character (%) represents a string of zero of more characters. It can be embedded within a string in the following ways to achieve
the following results:
%
Matches all strings.
%a
Matches all strings that end with the letter a, for example: a, ba, cba.
a%
Matches all strings that start with the letter a, for example: a, ab, abc.
a%a
Matches all strings the begin and end with the letter a, for example a, aba, aca.
Note: The wildcard character (%) cannot be used explicitly as part of the filter value.
Policy pushdown
At startup, the IBM Guardium S-TAP for Db2 collector agent waits for a policy to be streamed (or pushed down) from the Guardium system before activating a collection.
When the collector agent receives a policy, it inactivates the active collection (if a collection is active), updates the collection profile with the new policy, and then activates
the collection policy.
The following processing occurs in the collector agent when a policy is received:
1. The new policy is compared to the currently active policy if the new policy contains one or more rules.
a. If the policies are identical, no further processing is required.
b. If the policies are not identical, the policy is written to DD:ADHPLCY (if defined) and it becomes the active collection policy.
2. If the new policy does not apply to this subsystem, processing continues without any changes. In this case, if there is an active policy, the collection continues to
use it. If no policy is active, none is started.
3. If the new policy is inactive (contains no general audit settings, table or target definitions), the active policy is inactivated.

Policy persistence
For a policy to be pushed down, the z/OS collector agent requires connection to the Guardium appliance. If the z/OS collector agent is unable to connect to the appliance,
the z/OS collector agent will read the policy from the ADHPLCY DD (if it is defined in the started task JCL). The z/OS collector agent will activate collection based on the
policy that is read from the DD until a connection with the appliance is established. When the connection is established, the policy that is pushed down from the appliance
replaces the policy that was read from the DD.
The file contents defined by the ADHPLCY DD contains the policy from the last successful policy pushdown from the appliance.
If ADHPLCY is defined, it must point to a data set that is allocated with a record format of fixed blocked (RECFM=FB) and a record length (LRECL) greater than or equal to
80.
Suggested ADHPLCY DD settings are as follows:
Record format (RECFM): FB

Record length (LRECL): 80
Block size (BLCKSIZE): 3120
Data set name type (DSNTYPE): LIBRARY
Data set organization (DSORG): PO
The ADHPLCY data set should be allocated with a minimum of 50 primary tracks and 10 secondary tracks. The ADHPLCY data set can be sequential, PDS, or PDS/E. If you
use PDS or PDS/E, the space requirements might need to be increased in relation to the number of members that are contained within the data set.
For more information about creating, activating, and inactivating policies from the Guardium system interface, see the how-to topics in the Security Guardium V10.1.3
documentation in the IBM Knowledge Center.
For more information about using data sets, see the z/OS documentation in the IBM Knowledge Center,
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.idad400/toc.htm.

Multistream mode provides a mechanism for distributing a high-volume workload over multiple connected appliances. In multistream mode, a single audit event is only
sent to a single appliance. Multistream mode does not enable mirroring of the same set of audit events to multiple appliances.
IBM Guardium S-TAP for Db2 sends events to a single appliance until a ping occurs, or the number of records that is specified by MEGABUFFER_COUNT is reached.
To enable multistreaming, you must specify MULTI_STREAM when you configure the APPLIANCE_SERVER_LIST parameter. Parameters APPLIANCE_SERVER and
APPLIANCE_SERVER_[1-5] specify the appliances to which you intend to stream events. The appliance that is specified by APPLIANCE_SERVER provides the policy that is
used for event matching.
The APPLIANCE_SERVER parameter specifies the first appliance to which audit events are streamed. The collection policy that is pushed down from the first appliance
determines which events are collected and streamed to all appliances that are enabled for multistreaming.
The IBM Guardium S-TAP for Db2 agent streams events to the first appliance, then sequentially to each subsequent appliance in the multistreaming set. Each appliance in
the multistreaming set then processes (logs and discards) each event in accordance with the locally installed policies.
Starting and stopping the collector agent

After you configure the product and review the data collection information, you can start the collector agent. Use the commands provided to start and stop the collector
agent started task from a cataloged procedure library.
Procedure
1. To start the collector agent, use the START command.
Example: /S ADHCSSID
2. To stop the collector agent, use the STOP command, or the MODIFY command with the STOP parameter.
Example:
/P ADHCSSID
or
/F ADHCSSID,STOP
Including or excluding failed accesses and negative SQL code

IBMÂ® GuardiumÂ® S-TAPÂ® for DB2Â® enables you to include or exclude failed accesses and negative SQL code on a per-policy basis.
In the Guardium appliance interface, create a list of SQL codes to include of exclude during data collection. A policy can contain either all values to be included, or all
values to be excluded. In an include list, any SQL activity that fails within the SQLCODE list will be collected. In an exclude list, any SQL activity that does not fail within the
SQLCODE list will be collected.
Note:

No other filtering criteria will be ANDed with the SQLCODE filter rule when determining the collection status of the event.
Enabling AUDIT TRACE CLASS 1 (collection of failed accesses) is deprecated because negative SQL codes for these failed accesses will be collected.
Failed access events are streamed to the appliance if the negative SQL code is:
Included in the list of negative SQLCODE to be captured
Not based on ALL FAILED AUTHORIZATIONS being included in the COMMANDS filter setting for the policy. ALL FAILED AUTHORIZATIONS can be removed
from the COMMANDS filter setting.
Quarantining SQL activity

IBMÂ® GuardiumÂ® S-TAPÂ® for DB2Â® enables you to quarantine the SQL activity of specific users for specific periods of time.
Quarantining a user of a specific Db2 subsystem means that for the period of time that is specified, the quarantined user will not be able to run SQL statement in the
targeted Db2 subsystem. If a quarantined user attempts access during a restricted time, access will be denied. Use the Guardium appliance interface to quarantine user
activity.
Note: Quarantine does not take effect immediately. The SQL statement that produces the event to trigger the quarantine is completed before the quarantine takes effect.
It is possible for additional SQL statements to be run by the quarantined user before the quarantine takes effect.
SQL Blocking
You can block the SQL activity of DB2Â® users' (Auth IDs) access to specific tables and databases. SQL statements that are run against accelerated tables are eligible for
blocking if the blocking filtering criteria is met. If a SQL statement matches the blocking criteria, the SQL statement is prevented from running. Use the GuardiumÂ®
appliance interface to define blocking policies.
Enabling blocking policy

Blocking policy pushdown maps blocking policies to the S-TAPÂ® blocking mechanism within the collector agent. At startup, the collector agent checks if a blocking policy
was streamed (or pushed down) from the IBMÂ® Guardium system when a collection policy was pushed. When the collector agent receives a blocking policy, it inactivates
any incidence of active blocking, updates the blocking policy, and activates blocking.
When a blocking policy is received, the collector agent completes the following steps:
1. Compares the new blocking policy to the currently active blocking policy, if the new policy contains one or more rules.
If the blocking policies are identical, the collector agent determines that no further processing is required.
If the blocking policies are different, then the new blocking policy replaces the old one.
2. Evaluates the pushed-down list and filters to determine which events to block.
3. Validates the list of supplied objects.
The object must exist at the time of the installation of the blocking policy.
If a table that is included in the blocking policy does not exist when the blocking policy is installed, message ADHP190W is generated to identify the table.
Blocking is not enabled for tables that are reported by a ADHP190W message.
The obid/dbid for the object are checked for performance reasons.
If the object is dropped and then recreated, the policy must be reinstalled.
If the field values of the SQL event match corresponding filter values (blocking rule conditions) in the blocking policy, then the SQL statements are blocked and ended with
a -807 error code.
For more information about creating, activating, and inactivating blocking policies from the IBM Guardium system interface, refer to the Security Guardium documentation
in the IBM Knowledge Center.
Enable or disable blocking on the host

If permitted, you can enable blocking, disable blocking, or report the blocking status (enabled or disabled) by using the following operator commands:
/F <adhstc>,BLOCKING ENABLE
/F <adhstc>,BLOCKING DISABLE
/F <adhstc>,BLOCKING STATUS
These commands override and determine the blocking status whether or not a blocking policy is present. By default, blocking is enabled at startup; but if you use the /F
<adhstc>,BLOCKING DISABLE command and push down blocking rules, the blocking rules will be processed and blocking will be established within the z/OSÂ® agent, but
blocking will not be enabled. If you use the /F <adhstc>,BLOCKING ENABLE command, blocking is not activated until a blocking policy is pushed down.
The ADHPARMS z/OS collector agent parameter, STAP_BLOCKING, controls whether the blocking operator command is permitted and whether blocking is enabled or
disabled. For more information about STAP_BLOCKING, see Collector agent parameters.
Controlling host variable collection

IBMÂ® GuardiumÂ® S-TAPÂ® for DB2Â® enables you to specify, on a per-rule basis, whether host variable information will be sent to the appliance for activity that matches
that rule.
In the Guardium appliance interface, specify whether host variable information should be sent to the appliance for activity that matches a rule. When host variable
collection is enabled, up to 256 bytes per variable of host variable data is sent to the Guardium appliance. For enhanced security of Personally Identifiable Information
(PII), host variables are not collected by default in IBM Guardium S-TAP for Db2 V10.0 and later.
In the Guardium appliance interface, specify whether host variable information should be sent to the appliance for activity that matches a rule.

The Guardium appliance interface can be overridden by the FORCE_LOG_LIMITED parameter. This parameter enables you to restrict the collection of personal data by
controlling whether the active policy controls the collection of host variables.
If FORCE_LOG_LIMITED is set to Y, the policy setting for the collection of host variables is ignored, and host variables are not collected.
If FORCE_LOG_LIMITED is set to N, the collection of host variables is controlled by the host variable settings in the active policy.
For more information, see Collector agent parameters.

Collecting Command activity by using the Audit SQL Collector

IBM Guardium S-TAP for Db2 enables you to collect Command activity by using the Audit SQL Collector.
Command events are not subjected to filtering. All command events are streamed directly to the Guardium appliance for post-collection filtering. All command events are
streamed directly to the Guardium appliance for optional post-collection filtering.
Collecting SET CURRENT SQLID events by using the Audit SQL Collector
IBM Guardium S-TAP for Db2 V10.1.3 enables you to collect SET CURRENT SQLID events by using the Audit SQL Collector.
In IBM Guardium S-TAP for Db2 V10.1.3, IFI TRACE CLASS 7 is no longer enabled, and SET CURRENT SQLID events are automatically collected by using the Audit SQL
Collector. SET CURRENT SQLID events are streamed to the Guardium appliance without being subjected to filtering.
These reference topics are designed to provide you with quick access to information about IBM Guardium S-TAP for Db2 sample library members, parameters, and
variables.
Topics:
Collector agent parameters
Collector agent sample parameter file
Other resources
The following IBM documentation provides more information about configuring and operating this product.
IBM Ported Tools for z/OSÂ®: Open SSH User's Guide

z/OS UNIX System Services Planning
z/OS MVSâ„¢ JCL User's Guide
Db2 Administration Guide
Monitoring and Tuning Db2 Performance

Use the following sample library members that are included with IBM Guardium S-TAP for Db2 for installation and configuration.
MODIFY command
The MODIFY command allows you to issue requests against, and dynamically change, characteristics of an active S-TAP task.
Requesting and viewing S-TAP logging information
Use the S-TAP Logging command to issue a request for logging information from the S-TAP agent collector.
The collector agent parameters are described in this section.
Keeping connections active when HOT_FAILOVER is enabled
When the HOT_FAILOVER feature is enabled by the APPLIANCE_SERVER_LIST parameter, all connection types (POLICY and ASC) for each connected Guardium
appliance are kept active by pings.
The following sample parameter file is the minimum set of parameters required in a collector agent parameter file (ADHCFGP). If you want to use this sample file,
verify that the values on each parameter are appropriate for your environment.
This table shows the ADHEMAC1 edit macro variables, including their default value and instructions for use. An example is also provided.

Use the following sample library members that are included with IBM Guardium S-TAP for Db2 for installation and configuration.
Table 1. Installation and configuration sample library members

Member Type Description
ADHBIND JCL Bind job used to bind DBRMs.
ADHBIND JCL Bind job used to bind packages.
B

ADHCFGP 80-byte sequential or partitioned A listing of required parameters that control how the collector is implemented.
data set
ADHCFGP 80-byte sequential or partitioned A listing of optional parameters that control how the collector is implemented.
E data set
ADHCSSI Procedure IBM Guardium S-TAP for Db2 collector started task procedure. Runs an instance of the IBM Guardium S-TAP for Db2
D collector started task.
ADHGRA JCL Grants required authorizations to USERID and PLAN.
NT
ADHEMA (edit macro) Customizes the variables that appear in the DDL and JCL to be run.
C1
ADHMST JCL Stops the IBM Guardium S-TAP for Db2 master address space.
R
ADHSJ00 JCL Allocates VSAM product control file.
0
ADHSJ00 JCL Sets product configuration options.
1
ADHSJ00 JCL Generates the product control file content report.
3
ADHSTAP JCL Produces an IBM Guardium S-TAP for Db2 diagnostic report.
D
ADHTCPD JCL Produces a TCP/IP diagnostic report to use for troubleshooting network connectivity and throughput issues.
Parent topic: Reference information
Related tasks
Defining the collector agent started task JCL
MODIFY command
The MODIFY command allows you to issue requests against, and dynamically change, characteristics of an active S-TAP task.
The abbreviated version of the MODIFY command is the letter F. The general format of MODIFY is as follows:
>>-+-MODIFY-+--procname--,--parameter--------------------------><
'-F------'
wherein:
procname
The name of the member in a procedure library that was used to start the server or address space.
parameter
Any of the parameters that are valid for the server.
S-TAP supported MODIFY options with descriptions

The following is a sample syntax diagram:
>>-+-MODIFY-+--procname,--+-STAP-+-----------------+
| +-,HELP ----------|
| +-,ALL------------|
| +-,POLICY---------|
| +-,COUNTS---------|
| +-,CONFIG---------|
| +-,HISTORY_QUEUE--|
| +-,HISTORY_FILTER-|
| +-,HISTORY_IO-----|
| +-,BLOCKING-------|
| +-,QUARANTINE-----|
| +-,GET_STATUS-----|
+-BLOCKING--+ ENABLED-----|
| -+ DISABLED----|
| -+ STATUS------|
| +-,MUSTGATHER------|
| +-,TRACE_POLICY,ENABLE----|
| +-,TRACE_POLICY,DISABLE---|
| +-,TRACE_COMPILE,ENABLE---|
| +-,TRACE_COMPILE,DISABLE--|
| +-,TRACE_PROTOBUF,ENABLE--|
| +-,TRACE_PROTOBUF,DISABLE-|
| +-,LOG_EVENTS,ENABLE------|
| +-,LOG_EVENTS,DISABLE-----|
| +-,LOG_LEVEL,F|I|W|E|S----|
| +-,RESET_CONFIG-----------|
Note the space (rather than the comma) before BLOCKING ENABLED, DISABLED, and STATUS.
Options are defined as follows:
HELP
Display all available commands
STAP
Display the current status of the started task
ALL

View all log information
POLICY
View log information about the active policy
COUNTS
View a log of detailed counts
CONFIG
View a log about the current configuration
HISTORY_QUEUE
View log details about the internal events queue
HISTORY_FILTER
View log information about event filter results
HISTORY_IO
View log details about the streaming of events
BLOCKING
View log information about the active blocking policy
QUARANTINE
View log information about the active quarantine policy
GET STATUS
Request the most recent count of events that were received/processed by the appliance
BLOCKING
ENABLED: Enable the blocking feature. Blocking is activated if a blocking rule is pushed.
DISABLED: Disable the blocking feature.
STATUS: Display blocking status.
MUSTGATHER
Send a must-gather request to the appliance
TRACE_POLICY,ENABLE
View information about the policy component
TRACE_POLICY,DISABLE
Hide information about the policy component
TRACE_COMPILE,ENABLE
View information about the filter component
TRACE_COMPILE,DISABLE
Hide information about the filer component
TRACE_PROTOBUF,ENABLE
View information about the streaming component
TRACE_PROTOBUF,DISABLE
Hide information about the streaming component
LOG_EVENTS,ENABLE
Log events that are streamed to the appliance
LOG_EVENTS,DISABLE
Hide events that are streamed to the appliance
LOG_LEVEL,F|I|W|E|S
Control the amount of output log information that is generated by the agent: debugging, informational, warning, error, severe
RESET_CONFIG
Reset agent configurations to the default settings
The following example displays the active S-TAP policy:
F ADHPROC,STAP,POLICY
ADHP110I IBM Security Guardium DB2 S-TAP mode: STREAMING EVENTS

ADHP140I Event Counts:
ADHP141I CONNTYPE_OTHER (0) . . . . . . . . . . 1
ADHP141I CONNTYPE_TSO (1) . . . . . . . . . . . 0
ADHP141I CONNTYPE_CALL_ATTACH (2) . . . . . . . 0
ADHP141I CONNTYPE_DLI_BATCH (3) . . . . . . . 0
ADHP141I CONNTYPE_CICS_ATTACH (4) . . . . . . . 0
ADHP141I CONNTYPE_IMS_ATTACH_BMP (5) . . . . . 0
ADHP141I CONNTYPE_IMS_ATTACH_MPP (6) . . . . . 0
ADHP141I CONNTYPE_DB2_PRIVATE_PROTOCOL (7) . . 0
ADHP141I CONNTYPE_DRDA_PROTOCOL (8) . . . . . . 0
ADHP141I CONNTYPE_IMS_CONTROL_REGION (9) . . . 0
ADHP141I CONNTYPE_IMS_TRANSACTION_BMP (10) . . 0
ADHP141I CONNTYPE_DB2_UTILITIES (11) . . . . . 0
ADHP141I CONNTYPE_RRSAF (12) . . . . . . . . . 0
ADHP142I MISC sent . . . . . . . . . . . . . . 0
ADHP142I UTILITY sent . . . . . . . . . . . . . 0
ADHP142I DB2 COMMAND sent . . . . . . . . . . . 1
ADHP142I SELECT sent . . . . . . . . . . . . . 0
ADHP142I UPDATE sent . . . . . . . . . . . . . 0
ADHP142I DELETE sent . . . . . . . . . . . . . 0
ADHP142I INSERT sent . . . . . . . . . . . . . 0
ADHP142I REVOKE sent . . . . . . . . . . . . . 0
ADHP142I GRANT sent . . . . . . . . . . . . . 0
ADHP142I COMMIT-ROLLBACK sent . . . . . . . . 0
ADHP142I BIND-REBIND sent . . . . . . . . . . 0
ADHP142I FAILED_SQLCODE sent . . . . . . . . 0
ADHP143I ALTER sent . . . . . . . . . . . . . 0
ADHP143I DROP sent . . . . . . . . . . . . . . 0
ADHP143I CREATE sent . . . . . . . . . . . . . 0
ADHP144I Bytes sent . . . . . . . . . . . . . 363
ADHP145I Events Sent . . . . . . . . . . . . . 1
ADHP146I Statements processed . . . . . . . . 0
ADHQ3270I STAP INFO: STAGE1 FILTER IS............... ACTIVE
ADHQ3270I STAP INFO: STAGE2 FILTER IS............... NOTACTIV
ADHQ3270I STAP INFO: TOTAL EXEC SQL CALLS SEEN...... 0000000000000000

ADHQ3270I STAP INFO: STMTS PASSED STAGE1 FILTER.... 0000000000000000
ADHQ3270I STAP INFO: STMTS FAILED STAGE1 FILTER.... 0000000000000000
ADHQ3270I STAP INFO: STMTS PASSED, STAGE1 BYPASSED. 0000000000000000
ADHQ3270I STAP INFO: AUDS BLOCKS QUEUED............. 0000000000000000
ADHQ3270I STAP INFO: AUDS BLOCKS SENT TO APPLIANCE.. 0000000000000001
ADHQ3270I STAP INFO: AUDS BLOCKS NOT SENT TO APPL... 0000000000000000
ADHQ3270I STAP INFO: AUDS BLOCKS FREED ............. 0000000000000000
ADHQ3270I STAP INFO: AUDS BLOCKS FREED LOST ........ 0000000000000000
ADHQ3270I STAP INFO: BYTES SENT..................... 000000000000016B
ADHQ3270I STAP INFO: UTILITY EVENTS QUEUED.......... 0000000000000000
ADHQ3270I STAP INFO: UTILITY EVENTS FREED........... 0000000000000000
ADHQ3270I STAP INFO: UTILITY REQ COUNT.............. 0000000000000000
The following example displays the S-TAP blocking status:
F ADHPROC,STAP,POLICY
ADHQ9899I - BLOCKING STATUS

ADHQ2023I - AUTHID BLOCKING IS ENABLED
ADHQ2034I - BLOCK TABLE 181_9901F000 HASH TABLES 181_99101000 SQLHS 1E8B6000
<policy>
<selectblocking-rule>
<target>
<schema>DBTROS</schema>
<name>TABLE1</name>
</target>
<target>
<schema>DBTROS</schema>
<name>TABLE2</name>
</target>
</selectblocking-rule>
</policy>
The following example displays the results of S_TAP GET_STATUS:
F ADHPROC,STAP,GET STATUS
ADHP170I - Event count reported by the appliance at time: 112
Requesting and viewing S-TAP logging information

Use the S-TAP Logging command to issue a request for logging information from the S-TAP agent collector.
About this task

From the S-TAP control panel of the IBMÂ® GuardiumÂ® system interface:
Procedure
1. Locate the policy component for your S-TAP (for example, RS22:A91A:POLICY) and select the G icon.
2. Select STAP Logging for Command.
3. Select a logging level and click Apply to request S-TAP logging.
S-TAP logging levels provide log information as follows:
Level 0
Logs program levels, event queue statistics, agent configuration, policy, and event counts.
Level 1
Logs agent configuration, policy, and event counts.
Level 2
Logs agent configuration.
Level 3
Logs policy.
Level 4 or higher
Logs event counts.
4. To view the S-TAP logging information, locate the policy component of your S-TAP and click the i icon.

The collector agent parameters are described in this section.
APPLIANCE_CONNECT_RETRY_COUNT
Required: No
Default: 0
Description: The number of consecutive failed connection attempts before terminating. The value of 0 indicates to never stop attempting connections. A value of 1
indicates a stop immediately after connection attempt fails. Range: 0 - 99999.
Syntax:

APPLIANCE_CONNECT_RETRY_COUNT(retry_count)
Example:
APPLIANCE_CONNECT_RETRY_COUNT(1000)
APPLIANCE_NETWORK_REQUEST_TIMEOUT
Default: 0
Range: 0 or 500 - 12000
Description: The value in milliseconds of the period of time to wait for network communication request send or receive to complete. A value of 0 results in no
timeout period.
Syntax:
APPLIANCE_NETWORK_REQUEST_TIMEOUT(timeout)
Example:
APPLIANCE_NETWORK_REQUEST_TIMEOUT(0)
APPLIANCE_PING_RATE
Required: No
Default: 5
Description: Specifies the time interval between accesses to the Guardium system to prevent timeouts (disconnects) during idle periods. The value is in number of
seconds.
Syntax:
APPLIANCE_PING_RATE(ping_interval)
Example:
APPLIANCE_PING_RATE(5)
APPLIANCE_PORT
Required: No
Default: 16022
Valid ports: 16022 or 16023
Description: The IP port number of the Guardium system to which the IBM Guardium S-TAP for Db2 audit data collector should connect. This parameter must be
properly configured to enable collection of audit data and a connection to the IBM Guardium system. If port 16023 is used, encryption support is required for the
connection to the appliance.
Note: Specifying this keyword and parameter designates the port on which the Guardium appliance is listening to the S-TAP. The port is dedicated to the IP address
of the appliance. Port 16022 or 16023 can also be in use on z/OSÂ® by another application.
Syntax:
APPLIANCE_PORT(port_number)
Example:
APPLIANCE_PORT(16022)
APPLIANCE_RETRY_INTERVAL
Required: No
Default: 3
Description: Specifies the time interval between attempts to establish a connection to the IBM Guardium system. The value is in number of seconds.
Syntax:
APPLIANCE_RETRY_INTERVAL(retry_interval)
Example:
APPLIANCE_RETRY_INTERVAL(3)
APPLIANCE_SERVER
Required: Yes
Default: None
Description: The host name or IP address (in dotted-decimal notation, for example: 1.2.3.4) of the IBM Guardium system to which the IBM Guardium S-TAP for
Db2 audit data collector should connect.
Note: This parameter must be properly configured to enable collection of audit data, and a connection to the IBM Guardium system. The value can contain up to
128 characters.
Syntax:
APPLIANCE_SERVER(hostname|ip_address)

Example:
APPLIANCE_SERVER(192.168.2.205)
APPLIANCE_SERVER_FAILOVER_[1-5]
Required: No
Default: None
Description: The host name or IP address (in dotted-decimal notation, for example: 1.2.3.4) of the IBM Guardium system to which the IBM Guardium S-TAP for
Db2 audit data collector should fail over to if APPLIANCE_SERVER is not available.
Note:
1. This parameter must be properly configured to enable collection of audit data and a connection to the IBM Guardium system. The value can contain up to
128 characters.
2. The collector agent attempts to connect to the fail over systems beginning with APPLIANCE_SERVER_FAILOVER_1, and ending with
APPLIANCE_SERVER_FAILOVER_5.
3. Both the APPLIANCE _SERVER_FAILOVER_[1-5] and APPLIANCE_SERVER_[1-5] parameters can be used to designate servers for multistreaming or failover.
Use the APPLIANCE_SERVER_LIST(MULTI_STREAM|FAILOVER) parameter to designate how these parameters are used.
Syntax:
APPLIANCE_SERVER_FAILOVER_1(hostname|ip_address)
Example parameter settings to enable multistream support:
APPLIANCE_SERVER_LIST(MULTI_STREAM)
APPLIANCE_SERVER(guardium1.company.com)
APPLIANCE_SERVER_1(guardium2.company.com)
APPLIANCE_SERVER_2(guardium3.company.com
APPLIANCE_SERVER_LIST(FAILOVER|MULTI_STREAM|HOT_FAILOVER)
Required: No
Default: FAILOVER
Description: If set to MULTI_STREAM, this parameter specifies that a Guardium appliance connection is to be established for each server that is identified by the
APPLIANCE_SERVER_n parameter.
If a connection is lost, S-TAP audit events continue to transmit over the remaining appliance connection.
Lost connections are retried at regular intervals that are determined by multiplying the APPLIANCE_CONNECT_RETRY_COUNT by the
APPLIANCE_PING_RATE.
If set to FAILOVER, this parameter specifies that one Guardium appliance connection is to be active at a time.
If the connection to the primary appliance is lost, a failover action occurs, which results in an attempt to connect to the next available server. The next
available server is identified by the APPLIANCE_SERVER_FAILOVER_n parameter.
After a failover action occurs, the connection to the primary server is retried at regular intervals that are determined by multiplying the
APPLIANCE_CONNECT_RETRY_COUNT by the APPLIANCE_PING_RATE.
With either setting of APPLIANCE_SERVER_LIST, if all connections fail, and a spill file is specified (parameter OUTAGE_SPILLAREA_SIZE), events are buffered to
the spill file until a connection becomes available. If no spill file is specified, and all connections are lost, data loss occurs.
If set to HOT_FAILOVER, this parameter causes all connection types (POLICY and ASC) for each connected Guardium appliance to be kept active by pings. You can
specify the primary Guardium appliance by using the APPLIANCE_SERVER parameter. If the primary Guardium appliance becomes unavailable and failover occurs,
HOT_FAILOVER maintains the activity of the primary appliance policy.
Syntax:
APPLIANCE_SERVER_LIST_FAILOVER
Example:
APPLIANCE_SERVER_LIST_FAILOVER
AUDIT
Required: Yes
Default: None
Description: The Db2 subsystem ID for the Db2 subsystem on which the IBM Guardium S-TAP for Db2 Collector Agent should capture query data.
Note: This parameter must be properly configured to enable collection of capture data. The value can contain up to 4 characters.
Syntax:
AUDIT(ssid)
Example:
AUDIT(DSN1)
AUTHID
Required: No
Default: Defaults to the user ID under which the started task will run.

Description: The AUTHID parameter defines the Db2 AUTHID that IBM Guardium S-TAP for Db2 uses when establishing a connection to Db2 during interval
processing. If you are using RACFÂ® on your Db2 system, this ID must be defined to RACF. The AUTHID specified needs to be authorized through the resident
security package, such as RACF, to perform the functions needed for all processes done by the started task and the Collector Agent monitoring subsystem. Such
processes include connecting to each of the monitored Db2 SSIDs and performing file update activities against the IBM Guardium S-TAP for Db2 VSAM control file.
Notes:
1. The ID specified in the startup parameter AUTHID must be a valid TSO user ID and not a RACF group name.
2. If the AUTHID parameter is defined in the RACF Started Procedures Table (ICHRIN03), it should not be used as a startup parameter. The Started Procedures
Table (ICHRIN03) associates the names of started procedures with specific RACF user IDs and group names. It can also contain a generic entry that assigns
a user ID or group name to any started task that does not have a matching entry in the table. However, it is recommended that you use the STARTED class for
most cases rather than the started procedures table.
Syntax:
AUTHID(db2authid)
Where db2authid is the Db2 AUTHID that IBM Guardium S-TAP for Db2 uses when establishing a connection to Db2 during interval processing.
Example:
AUTHID(DB2USER)
CICS_USERID
Required: No
Default: N
Description: If set to Y, the CICS_USERID parameter enables the capture of CICS Login User ID for SQL statements that are run in Db2 for CICS. For more
information see Enabling CICS Login User ID reporting.
Syntax:
CICS_USERID(YES|NO)
Example:
CICS_USERID(Y)
COLLECT_COMMIT_ROLLBACK
Required: No
Default: N
Description: If set to Y, the COLLECT_COMMIT_ROLLBACK parameter enables the collection of COMMIT and ROLLBACK events.
Syntax:
COLLECT_COMMIT_ROLLBACK(YES|NO)
Example:
COLLECT_COMMIT_ROLLBACK(Y)
DEBUG
Required: No
Default: N
Description: The DEBUG parameter turns on debug mode and produces diagnostic messages for use by IBM Software Support.
Syntax:
DEBUG(YES|NO)
Example:
DEBUG(Y)
FORCE
Required: No
Default: N
Description: The FORCE parameter forces installation of a monitoring agent. If you use this parameter, any return codes from any failure reported in message
ADHQ2002E are overridden.
Note: This parameter should not be specified without instruction by IBM Software Support.
Syntax:
FORCE(YES|NO)
Example:
FORCE(Y)
FORCE_LOG_LIMITED
Required: No

Default: N
Description: This parameter enables you to restrict the collection of sensitive data by controlling whether the active policy controls the collection of host variables.
If this parameter is set to Y:
The policy setting for collection of host variables is ignored and host variables are not collected.
The APPLIANCE_PORT parameter must be set to 16023. Port 16023 is used for AT-TLS-configured encrypted communications. If APPLIANCE_PORT is not
set to 16023, the S-TAP agent will generate a log message indicating the configuration inconsistency, and shut down.
If this parameter is set to N, the collection of host variables is controlled by the host variable settings in the active policy.
Syntax:
FORCE_LOG_LIMITED(YES|NO)
Example:
FORCE_LOG_LIMITED(Y)
HOSTVAR_LIMIT
Required: No
Default: 1500
Description: This parameter designates the number of storage blocks to be allocated for host variable collection per event. The valid range is 1 -- 9999. If this
parameter is not customized, the default value of 1500 is set.
If error message ADHQ1203I is encountered with RC=0008 and RSN=003F, increase the HOSTVAR_LIMIT setting to accommodate the collection of host variables
for the monitored workload.
If IBM Guardium S-TAP for Db2 and IBM Db2 Query Monitor for z/OS are simultaneously monitoring the same Db2 subsystem, both products must have matching
HOSTVAR_LIMIT settings to avoid receiving a mismatch error.
Syntax:
HOSTVAR_LIMIT(n)
where n is an integer between 1 - 9999.

Example:
HOSTVAR_LIMIT(1500)
ISM_CONSTRAINT_AGE
Required: No
Default: 300
Description: This parameter controls how much time must have passed since the last storage constraint occurrence for a given ISM storage space before the
constraint event is considered to have been relieved.
Syntax:
ISM_CONSTRAINT_AGE(n)
where n is an integer between 1 - 60000 specified in .01 seconds. The default value is 300.
Example:
ISM_CONSTRAINT_AGE(16)
ISM_ERROR_DETAIL
Required: No
Default: Y
Description: This parameter controls whether messages ADHQ1203I and ADHQ1204I are issued to provide detailed information for ISM Storage Constraint
situations. The product recommendation is to leave this parameter set to Y. This setting can be overridden at run time with the /f cqmstc,ISMERROR_DETAIL
command.
Syntax:
ISM_ERROR_DETAIL(Y|N)
Example:
ISM_ERROR_DETAIL(Y)
ISM_ERROR_BLOCKS
Required: No
Default: 256
Description: This parameter determines the number of ISM Error Blocks that are allocated when IBM Guardium S-TAP for Db2 initializes.
If this value is too low, message ADHQ1219W might be issued. ISM Error Blocks communicate a storage constraint event from somewhere in the product to the
task that issues storage constraint messages. If you run out of ISM Error Blocks, the storage constraint message will not be issued. However, an abend table entry
will be created to document this event. This is most likely a temporary situation and it does not impact the overall performance of IBM Guardium S-TAP for Db2.

Syntax:
ISM_ERROR_BLOCKS(n)
where n is an integer, 16 - 8192. The default value is 256.

Example:
ISM_ERROR_BLOCKS(256)
ISM_ERROR_MSG_BLOCKS
Required: No
Default: 256
Description: This parameter determines the number of ISM Error Message Blocks that are allocated when IBM Guardium S-TAP for Db2 initializes. If this value is
too low, duplicate ISM error message can be issued for the same space and reason instead of incrementing the occurrence count.
ISM Error Message Blocks are used by the task that issues storage constraint messages to do two things:
1. To consolidate similar storage constraint events to eliminate duplicate messaging for the same condition, and
2. To keep track of storage constraint events so that the Storage Constraint Relieved situation can be detected and messaged.
If you run out of ISM Error Message Blocks, this consolidation will not always occur. This would result in additional, duplicate messages in the log for the similar
storage constraint events.
Syntax:
ISM_ERROR_MSG_BLOCKS(n)
where n is an integer between 16 - 8192. The default value is 256.

Example:
ISM_ERROR_MSG_BLOCKS(256)
MASTER_PROCNAME
Required: Yes
Default: None.
Description: The MASTER_PROCNAME parameter enables users to specify the PROCNAME to be used for the Master Address Space. Specifying this parameter
causes IBM Guardium S-TAP for Db2 to use the Master Address Space with the same name.
The MASTER_PROCNAME for IBM Guardium S-TAP for Db2 and Query Monitor must be the same when each is started at the same time for the same Db2
Subsystem.
If this Master Address Space is already started, it is shared with other IBM Guardium S-TAP for Db2 subsystems that are already using it.
If this Master Address Space has not already been started, it will start automatically.
Syntax:
MASTER_PROCNAME(procname)
where procname is the specified Master Address Space PROCNAME (character, 8 bytes).)
Example:
MASTER_PROCNAME(CQMMASTR)
MAXIMUM_ALLOCATIONS
Required: No
Default: 2048
Description: This parameter determines the maximum amount of global shared memory to be allocated by IBM Guardium S-TAP for Db2 for internal Integrated
Storage Manager spaces.
Syntax:
MAXIMUM_ALLOCATIONS(n)
where n is an integer between 512 - 32768 specified in megabytes; must be smaller than SMEM_SIZE.
Example:
MAXIMUM_ALLOCATIONS(2048)
MESSAGE_LOG_LEVEL
Required: No
Default: I
Description: Controls the amount of output log information that is generated by the agent:
I
Includes all log messages with an informational severity or higher
W
Includes all log messages with a warning severity or higher
E
Includes all log messages with an error severity or higher

S
Includes all log messages with a severe severity or higher
The ADHPARMS file is read when the agent is started. Modifying the log-level setting in the ADHPARMS file does not implement the new setting until you restart the
collector agent.
Note: During installation, it is recommended that you set the MESSAGE_LOG_LEVEL to I.
Syntax:
MESSAGE_LOG_LEVEL(I|W|E|S)
Example:
MESSAGE_LOG_LEVEL(I)
OUTAGE_SPILLAREA_SIZE
Required: No
Default: 0
Description: This parameter determines the maximum amount of memory to be allocated to support the retention of audit data in the event of a Guardium system
connection outage.
Note: A value of 0 disables spillfile support. When enabled, OUTAGE_SPILLAREA_SIZE supersedes SEND_FAIL_EVENT_COUNT for temporary data retention.
Syntax:
OUTAGE_SPILLAREA_SIZE(n)
where n is an integer between 0 - 1024 specified in megabytes.

Example:
OUTAGE_SPILLAREA_SIZE(2)
PREFER_IPV4_STACK
Required: No
Default: N
Description: If set to Y, this parameter causes a request to be issued to the Domain Name Server (DNS) for an IPV4 address for the hostname that is specified in
the APPLIANCE_SERVER parameter:
The DNS lookup request for an IPV4 address is attempted. If an IPV4 address is defined for the hostname, the DNS will respond with the value that will be
used to connect to the Guardium appliance.
If only an IPV6 address is defined at the DNS, then the DNS will respond with the IPV6 address that will be used to connect to the Guardium appliance.
If both IPV4 and IPV6 addresses are defined at the Guardium appliance, the DNS will respond with both addresses, and the IPV4 address will be used to
connect to the appliance.
If this parameter is set to N or omitted from configuration, a request for an IPV6 address is issued to the DNS for the hostname that is specified by the
APPLIANCE_SERVER parameter:
Note: Whether or not this parameter is used, if the address returned from the DNS is not valid for the hostname, it will result in failure to connect to the appliance,
and the IBM Guardium S-TAP for Db2 started task will terminate.
Syntax:
PREFER_IPV4_STACK(Y|N)
Example:
PREFER_IVP4_STACK(Y)
SEND_FAIL_EVENT_COUNT
Required: No
Default: 100
Description: Specifies the maximum number of events to be buffered during a communication outage with the Guardium system. Events are buffered in internal
memory objects and streamed to the appliance at the time of reconnection.
Note: SEND_FAIL_EVENT_COUNT and OUTAGE_SPILLAREA_SIZE are mutually exclusive. When OUTAGE_SPILLAREA_SIZE is specified, spillfile support is enabled,
which supersedes SEND_FAIL_EVENT_COUNT for temporary data retention.
Syntax:
SEND_FAIL_EVENT_COUNT (event_count)
where event_count is an integer between 0 â€“ 1024 that represents the number of events to be buffered.
Example:
SEND_FAIL_EVENT_COUNT(100)
SMEM_SIZE(5|n)
Required: No

Default: 5
Description: This parameter determines the maximum amount global shared memory to be allocated by IBM Guardium S-TAP for Db2 for all purposes.
Syntax:
SMEM_SIZE(n)
where n is an integer between 3 - 32 specified in gigabytes; must be three times larger than MAXIMUM_ALLOCATIONS.
Example:
SMEM_SIZE(5)
STAP_BLOCKING
Required: No
Default: ENABLED
Description: The STAP_BLOCKING parameter controls whether blocking is enabled or disabled and whether the blocking operator command is permitted to enable,
disable, or report status for blocking. This parameter cannot be overwritten by the BLOCKING operator command. STAP_BLOCKING parameter options are as
follows:
STAP_BLOCKING(ENABLED) enables the blocking feature. Blocking is activated if a blocking rule is pushed.
STAP_BLOCKING(DISABLED) disables the blocking feature.
STAP_BLOCKING(OPERATOR) enables the blocking feature and enables the BLOCKING operator command. Blocking is activated if a blocking rule is pushed.
Syntax: STAP_BLOCKING(ENABLED|DISABLED|OPERATOR)
Example: STAP_BLOCKING(ENABLED)
STAP_MEGABUFFER
Required: No
Default: Y
Description: When multiple IBM Guardium S-TAP for Db2 audit events are accumulated in a buffer, it is referred to as a megabuffer. A megabuffer reduces the CPU
usage that is related to TCP/IP activity. To optimize IBM Guardium S-TAP for Db2 performance, STAP_MEGABUFFER must remain set to Y. However,
STAP_MEGABUFFER can be set to N when buffering is not desired.
Setting the STAP_MEGABUFFER parameter to N eliminates buffering, and provides near real-time event streaming to the Guardium appliance. It also increases CPU
usage, due to additional TCP/IP calls.
Syntax:
STAP_MEGABUFFER(Y|N)
Example:
STAP_MEGABUFFER(Y)
STAP_STREAM_EVENTS
Required: No
Default: Y
Description: This parameter specifies whether events will be streamed to the IBM Guardium system. The default value, Y, enables streaming. Specify N to disable
streaming and enable Simulation mode.
Syntax:
STAP_STREAM_EVENTS(Y|N)
Example:
STAP_STREAM_EVENTS(Y)
STAP_TERMINATE_OPTIMIZE
Required: No
Default: N
Description: This parameter can be used to improve the response time for processing STAP_TERMINATE requests from the Guardium appliance. Roundtrip time for
STAP_TERMINATE activity is impacted by the STAP_MEGABUFFER parameter. STAP_TERMINATE policies require near real-time event recording to the IBM
Guardium system to analyze events against the policy and issue the termination requests to IBM Guardium S-TAP for Db2. To enable near real-time event recording
to the Guardium appliance, set the STAP_MEGABUFFER parameter to N.
Syntax:
STAP_TERMINATE_OPTIMIZE(Y|N)
Example:
STAP_TERMINATE_OPTIMIZE(N)
STAP_UTILITY_MULTITABLE
Required: No
Default: N

Description: The STAP_UTILITY_MULTITABLE parameter works in conjunction with the STAP_UTILITY_TS_TO_TABLE parameter. These parameters control how
table information is reported for Db2 Utility access events that involve tablespaces. The STAP_UTILITY_MULTITABLE parameter controls the behavior of the
collector when multiple tables are contained in the tablespace. When STAP_UTILITY_MULTITABLE is set to Y:
The collector will report all tables in the tablespace that are impacted by the utility. This guarantees that tablespace access by a utility execution will result in
an audit event against the table name.
Tables within a tablespace, which were not accessed by the utility, might be reported.
When STAP_UTILITY_MULTITABLE is set to N, no attempt is made to report table information for multi-table tablespaces accessed by a utility. Only the tablespace
name is reported.
Syntax:
STAP_UTILITY_MULTITABLE(Y|N)
Example:
STAP_UTILITY_MULTITABLE(N)
No table names are reported (default).
STAP_UTILITY_MULTITABLE(Y)
All table names are reported.

STAP_UTILITY_TS_TO_TABLE
Required: No
Default: Y
Description: The STAP_UTILITY_TS_TO_TABLE parameter controls how table information is reported for Db2 Utility accesses to tablespaces. When the parameter is
set to Y, the collector queries the Db2 catalog. The collector then determines and reports on which table exists within the tablespace that has been accessed by the
utility execution. If multiple tables are contained in the tablespace, the STAP_UTILITY_MULTITABLE parameter controls whether the collector reports either:
All tables
All table names in the accessed tablespace
No tables
Only the tablespace is reported.
This action is controlled by STAP_UTILITY_MULTITABLE parameter setting.

Syntax:
STAP_UTILITY_TS_TO_TABLE(Y|N)
Example:
STAP_UTILITY_TS_TO_TABLE(Y)
STARTUP_DIAGNOSTICS
Required: No
Default: N
Description: The STARTUP_DIAGNOSTICS parameter causes IBM Guardium S-TAP for Db2 to produce diagnostic information output during startup of the collector
agent. This output might be useful to IBM Support when diagnosing reported problems.
Syntax:
STARTUP_DIAGNOSTICS(Y|N)
Example:
STARTUP_DIAGNOSTICS(Y)
SHUTDOWN_DIAGNOSTICS
Required: No
Default: N
Description: The SHUTDOWN_DIAGNOSTICS parameter causes IBM Guardium S-TAP for Db2 to produce diagnostic information output during shutdown (stop) of
the collector agent. This output might be useful to IBM Support when diagnosing reported problems.
Syntax:
SHUTDOWN_DIAGNOSTICS(Y|N)
Example:
SHUTDOWN_DIAGNOSTICS(Y)
SUBSYS
Required: No
Default: The default value is the Db2 subsystem name.
Description: The SUBSYS parameter defines the SQL Collector subsystem name. The subsystem name does not need to correspond to a Db2 subsystem nor an
MVSâ„¢ operating system name. The name must be 1-4 characters in length.
Syntax:

SUBSYS(ssid)
Where ssid is the 1-4 character SQL Collector subsystem name.

Note: The SQL Collector subsystem ID must be unique across the SYSPLEX. A SQL Collector component subsystem must be running on each LPAR that has a Db2
subsystem to be captured. When choosing a collector agent subsystem ID name, be sure it will not conflict with another on the SYSPLEX. If the specified SUBSYS is
not unique across the SYSPLEX, message ADHQ1003E will be issued.
Example:
SUBSYS(ADH1)
TS_OFFSET(E|W.HH.MM)
Required: No
Default: None (no offset)
Description:
This parameter enables you to adjust the event timestamps that are steamed to the appliance by specifying the amount of time to adjust (offset) based on
timezone.
For example, if running with a clock that is set to UTC 0.0 in a timezone that it is UTC + 9, GMT can be considered 9 hours west of the current time. In
this situation, the parameter should be set as follows: TS_OFFSET(W.09.00). Event timestamps will be adjusted (offset) by subtracting 9 hours from
the original timestamp.
If TS_OFFSET is not supplied, the timestamps that are streamed to the appliance are not adjusted based on timezone.
Syntax:
E|W
East or west offset from GMT
HH
Number of hours
MM
Number of minutes
Example: TS_OFFSET(W.09.00)
ZIIP_FILTER(Y|N)
Required: No
Default: ZIIP_FILTER(N)
Description:
ZIIP_FILTER(Y) indicates that the z/OS image running the collector agent started task has an IBM System zÂ® Integrated Information Processor (zIIP). In this
case, allow collector agent to perform offload profile filtering to a zIIP.
If ZIIP_FILTER(Y) is specified and the collector agent started task is running on a z/OS that has no zIIP, message ADHQ1060I is issued, indicating the WLM
related service has failed. In this case, collector agent continues to run as if ZIIP_FILTER(N) were set.
Syntax:ZIIP_FILTER(Y)
Example:ZIIP_FILTER(Y)
ZIIP_TCP(Y|N)
Required: No
Default:ZIIP_TCP(N)
Description:
ZIIP_TCP(Y) indicates that the z/OS image running the collector agent started task has an IBM System z Integrated Information Processor (zIIP). In this case,
allow collector agent to offload TCP/IP message processing to a zIIP.
If ZIIP_TCP(Y) is specified and the collector agent started task is running on a z/OS that has no zIIP, message ADHQ1060I is issued, indicating the WLM
related service has failed. In this case, collector agent continues to run as if ZIIP_TCP(N) were set.
Note: ZIIP_TCP(Y) requires that zIIP filter support be enabled: ZIIP_FILTER(Y). If ZIIP_FILTER(N) and ZIIP_TCP(Y) are specified together, ZIIP_FILTER will be
automatically set to Y.
Syntax:ZIIP_TCP(Y)
Example:ZIIP_TCP(Y)
/f cqmstc,ISMERROR_DETAIL(Y|N)
Description: This parameter controls whether ISM constraint message detail is on or off. When the parameter is specified, messages ADHQ1203I and ADHQ1204I
are issued for ISM storage constraint situations.

When the HOT_FAILOVER feature is enabled by the APPLIANCE_SERVER_LIST parameter, all connection types (POLICY and ASC) for each connected GuardiumÂ®
appliance are kept active by pings.
If the primary appliance becomes unavailable and failover occurs, the appliance policy that was originally pushed from the primary appliance continues to be active. When
all Guardium appliances are connected, the status of each appliance connection, listed in the Guardium interface, is green.


The following sample parameter file is the minimum set of parameters required in a collector agent parameter file (ADHCFGP). If you want to use this sample file, verify
that the values on each parameter are appropriate for your environment.
- 5655-STP
- (C) COPYRIGHT ROCKET SOFTWARE, INC. 1999 - 2015 ALL RIGHTS RESERVED.
-
- MEMBER: ADHCFGP
-
- DESCRIPTION: THIS IS A SAMPLE MINIMUM ADHCFGP MEMBER
- USED FOR IBM SECURITY GUARDIUM S-TAP for DB2 on z/OS
- COLLECTOR AGENT STARTUP.
- VERIFY THAT THE VALUES ON EACH PARM ARE APPROPRIATE
- FOR YOUR ENVIRONMENT.
-
- NOTE: AFTER USING THE EDIT MACRO, VERIFY THAT NONE OF THE
- STATEMENTS EXCEED COLUMN 72 IN LENGTH.
-
-
SUBSYS(#SSID) -
AUDIT(#SSID) -
MASTER_PROCNAME(ADHMST31) -
APPLIANCE_SERVER(#APPSRVR)

This table shows the ADHEMAC1 edit macro variables, including their default value and instructions for use. An example is also provided.
Table 1. ADHEMAC1 Edit macro variables

Variabl
Default Instructions
e
#SSID MYSSID Change the default to a valid Db2 subsystem ID.
Note: The ADHEMAC1 macro sets the SUBSYS parameter using the #SSID variable. Running the macro sets SUBSYS to the Db2 subsystem ID used
by the collector agent task. Do not change the #SSID variable in the ADHEMAC1 macro to be anything other than the Db2 subsystem ID used by the
collector agent task.
#ADHO &ZUSER Change &ZUSER to the value of #ADHQUALIFIER. #ADHOWNER is used to configure the owner of the plans and packages. It is used as the owner
WNER value of objects created by statements contained within the package or plan.
#ADHQ SYSTOOLS Change the default to the schema name being used with this product.
UALIFI
ER
#ADHU &ZUSER Use as the authorization ID for the collector agent task.
SERID
#SADH ADH.IBMTA Change the default to the data set containing the IBM Guardium S-TAP for Db2 load modules.
LOAD PE.
SADHLOAD
#SADH ADH.IBMTA Change the default to the data set containing the IBM Guardium S-TAP for Db2 DBRMs.
DBRM PE.
SADHDBRM
#SDSN DSN.Vxxx.S Change the default to the data set containing the Db2 load modules.
LOAD DSNLOAD
#SDSN DSN.Vxxx.R Change the default to the data set containing the Db2 DSNTEP2 module.
RUNL UNLIB.LOAD
#DSNT DSNTEP2 Change the default to the DSNTEP2 plan name.
EP2
ADHPL ADHPLAN1 Change the default to a valid plan name. This plan used to collect information about the Db2 System catalog during audit data collection.
AN1
#SZPA MYSSIDPAR Change the default to the Db2 ZPARM member that is associated with the Db2 subsystem.
RM M
#SBSD MYSSID.BS Change the default to the DSN of the bootstrap data set 01.
S01 DS01
#SBSD MYSSID.BS Change the default to the DSN of the bootstrap data set 02.
S02 DS02
#SDSN DSN.Vxxx.S Change the default to the data set containing the Db2 ZPARMs.
EXIT DSNEXIT
#SFEC None Data set name of the required FEC load library.
LOAD
#SCQC None Data set name of the required CQC load library.
LOAD
#ADHC ADH.V0A00. Change the default to an appropriate DSN HLQ for the IBM Guardium S-TAP for Db2 VSAM Control file.
NTRLFI CONTROL
LE
#APPS appliance.co Host name or IP address of the IBM Guardium system.
RVR mpany.com

The following example shows the contents of the ADHEMAC1 member:
ISREDIT MACRO (NP)

ISPEXEC VGET (ZUSER)
ISREDIT CHANGE ALL '#SSID' MYSSID
ISREDIT CHANGE ALL '#ADHOWNER' &ZUSER
ISREDIT CHANGE ALL '#ADHUSERID' &ZUSER
ISREDIT CHANGE ALL '#SADHLOAD' ADH.IBMTAPE.SADHLOAD
ISREDIT CHANGE ALL '#SADHDBRM' ADH.IBMTAPE.SADHDBRM
ISREDIT CHANGE ALL '#SDSNLOAD' DSN.Vxxx.SDSNLOAD
ISREDIT CHANGE ALL '#SDSNRUNL' DSNxxx.RUNLIB.LOAD
ISREDIT CHANGE ALL '#DSNTEP2' DSNTEP2
ISREDIT CHANGE ALL 'ADHPLAN1' ADHPLAN1
ISREDIT CHANGE ALL '#SZPARM' MYSSIDPARM
ISREDIT CHANGE ALL '#SBSDS01' MYSSID.BSDS01
ISREDIT CHANGE ALL '#SBSDS02' MYSSID.BSDS02
ISREDIT CHANGE ALL '#SDSNEXIT' DSN.Vxxx.SDSNEXIT
ISREDIT CHANGE ALL '#SFECLOAD' FEC.IBMTAPE.SFECLOAD
ISREDIT CHANGE ALL '#SCQCLOAD' CQC.IBMTAPE.SCQCLOAD
ISREDIT CHANGE ALL '#ADHCNTRLFILE' ADH.V0A00.CONTROL
ISREDIT CHANGE ALL '#APPSRVR' appliance.company.com
Related tasks
Messages and codes for IBM Security Guardium S-TAP for DB2 on z/OS
These topics document the messages and error codes issued by Security Guardium S-TAP for DB2. Messages are presented in ascending alphabetical and numerical
order.
Error messages
Error messages and codes: ADHAxxx
Error messages and codes: ADHGxxx
Error messages and codes: ADHIxxxx
Error messages and codes: ADHKxxxx
Error messages and codes: ADHPxxxx
Error messages and codes: ADHQxxxx
Error messages
Security Guardium S-TAP for DB2 messages adhere to the following format: ADHnnnx
Where:
ADH
Indicates that the message was issued by Security Guardium S-TAP for DB2.
nnn
Indicates the message identification number.
x
Indicates the severity of the message:
Table 1. Error message severity codes
Severity Code Description
E Indicates that an error occurred, which might or might not require operator intervention.
I Indicates that the message is informational only.
S Indicates that operator intervention is required before processing can continue.
W Indicates that the message is a warning to alert you to a possible error condition.
Parent topic: Messages and codes for IBM Security Guardium S-TAP for DB2 on z/OS
Error messages and codes: ADHAxxx

The following information is about error messages and codes that begin with ADHA.
ADHA507E
Callable service invocation failed with return code = rc and reason code = rs
ADHA507E Callable service invocation failed with return code = rc and reason code = rs
Explanation
A callable service invocation failed with a return code and reason code that are identified in the message.

User response
Refer to the IBM Db2 for z/OSÂ® product documentation for an explanation of this reason and return code.
Common causes of this error include:
Insufficient authorization to ADH PLAN specified in the control file

If either of these issues are indicated by the reason code, verify that SAMPLIB member ADHGRANT was customized and submitted during configuration of the
IBMÂ® GuardiumÂ® S-TAPÂ® for DB2Â® agent.
A DB2 Trace is currently running
Issue the Db2Â® command -DISPLAY TRACE to view info about any audit traces that might still be running. If audit traces are running, stop them by using the Db2
command -STOP TRACE and then restart the agent. If this does not resolve the problem, check for the existence of additional messages.
If the problem is not resolved after attempting all user responses for existing additional messages, contact IBM Software Support.
Parent topic: Error messages and codes: ADHAxxx
Error messages and codes: ADHGxxx

The following information is about error messages and codes that begin with ADHG.
ADHG000I
Attempting connection to server server-address port=server-port
ADHG001I
Establishing ASC connection to server [server-address]
ADHG002I
Connection established to server [server-address]
ADHG003I
Connection re-established to [server-address]
ADHG004W
Connection was lost from server [server-address]
ADHG005S
Unable to establish a connection to a server [server-address]
ADHG006E
Data loss has occurred as the result of a network send failure
ADHG007E
Unable to create a communications interface
ADHG008S
Required parameter was not supplied. Parameter=parameter-name
ADHG009I
TCP/IP streaming disabled due to user setting.
ADHG010I
Disconnecting from server server-name
ADHG011E
Unable to create an output stream
ADHG012E
Unable to set socket timeout value. rc=return-code reason=reason-code
ADHG013I
Connection attempt timed out. Reattempting connection reattempt-number of total-reattempts
ADHG014I
Spillfile support enabled. Spill area size: [size] MB
ADHG015W
Primary server is unavailable
ADHG017W
Data is being temporarily stored in a spillfile until a connection is re-established
ADHG018I
Spillfile contents have been successfully be sent to server [server]
ADHG019S
Spillfile storage has been exhausted. Data loss will occur.
ADHG020I
Registering server [server] as eligible for failover.
ADHG021E
Spillfile is approaching [50% | 85% | 95% |100$] capacity.
ADHG022I
A connection has been established to failover server [server].
ADHG026W
Invalid port specified for APPLIANCE_PORT. Port 16022 will be used instead.
ADHG027I
Registering server server as eligible for multi-stream.
ADHG030I
Security Guardium S-TAP for DB2 Collector Agent is terminating
ADHG031I
Security Guardium S-TAP for DB2 V10.1.3 [component] connection established
ADHG097E
Unexpected error: [error_description]. Return code:[return_code].
ADHG098I
This event will be logged due to an unexpected data condition.
ADHG099E
Unexpected error: error-condition

ADHG210I
A thread termination request was received for thread [thread-token]
ADHG501E
pbSend: Bad host name. code=error-code
ADHG502E
pbSend: Interface not open. code= error-code
ADHG503E
pbSend: Socket I/O problem. code= error-code
ADHG550E
Unable to send message. Connection to server is unavailable.
ADHG510E
pbWrite: No such message. code= error-code
ADHG511E
pbWrite: Nested too deep. code= error-code
ADHG512E
pbWrite: Stack underflow. code= error-code
ADHG513E
pbWrite: Not in message. code= error-code
ADHG514E
pbWrite: No such field in message. code= error-code
ADHG515E
pbWrite: Not a 32-bit integer field. code= error-code
ADHG516E
pbWrite: Not implemented. code= error-code
ADHG517E
pbWrite: Not a message type. code= error-code
ADHG520W
Encoding exception: Event exceeds protocol message size limit. code=error-code
ADHG521W
Total encoding exceptions encountered due to exceeded message size: exception-count
ADHG522E
Write failed length=length rc=returncode rsn=reasoncode
ADHG000I Attempting connection to server server-address port=server-port
Explanation
The S-TAPÂ® collector will attempt to establish a TCP/IP connection to a GuardiumÂ® system at the specified server address and port.
User response
No action is required.
Parent topic: Error messages and codes: ADHGxxx
ADHG001I Establishing ASC connection to server [server-address]

Explanation
The S-TAPÂ® collector is preparing to establish the TCP/IP connection to the specified GuardiumÂ® system.
User response
ADHG002I Connection established to server [server-address]
Explanation
The S-TAPÂ® collector was successful in establishing a TCP/IP connection to the GuardiumÂ® system.
User response
ADHG003I Connection re-established to [server-address]
Explanation
The S-TAPÂ® collector was successful in re-establishing a TCP/IP connection to the GuardiumÂ® system following a disconnect.

User response
ADHG004W Connection was lost from server [server-address]
Explanation
The TCP/IP connection between the S-TAPÂ® collector and the GuardiumÂ® system was lost. The S-TAP collector will automatically attempt to re-establish the connection,
however a potential for data loss does exist if the connection is not re-established. A data loss condition is indicated by message ADHG006E.
User response
Determine the cause of the network interruption and correct the problem so that the connection can be re-established.
ADHG005S Unable to establish a connection to a server [server-address]
Explanation
The S-TAPÂ® collector was unable to establish a TCP/IP connection to the GuardiumÂ® system.
User response
Ensure that the Guardium system is listening for a connection at the server and port specified in message ADHG001I.
Ensure that no firewalls are blocking connections between the collector and Guardium system.
If port 16023 is used, ensure that AT-TLS has been configured properly between the z/OSÂ® LPAR and the appliance.
ADHG006E Data loss has occurred as the result of a network send failure
Explanation
During a disconnected state, the S-TAPÂ® collector exceeded the number of events to retain in memory while waiting for the network connection to the GuardiumÂ®
system to be reestablished.
User response
Determine the cause of the network interruption and correct the problem so that the connection can be reestablished.
If deemed necessary, increase the SEND_FAIL_EVENT_COUNT value in the ASC ADHPARMS parameter file to increase the number of events that can be retained in
memory during short outages.
ADHG007E Unable to create a communications interface
Explanation
An attempt to create an internal communications interface failed.
User response
Contact IBMÂ® Software Support.
ADHG008S Required parameter was not supplied. Parameter=parameter-name
Explanation
A required parameter was not supplied.
User response
Supply a parameter and value for the specified parameter.
ADHG009I TCP/IP streaming disabled due to user setting.
Explanation

A debug setting was specified that has disabled TCP/IP streaming between the S-TAPÂ® collector and the GuardiumÂ® appliance.
User response
ADHG010I Disconnecting from server server-name
Explanation
The S-TAPÂ® collector is disconnecting from the GuardiumÂ® system.
User response
ADHG011E Unable to create an output stream
Explanation
An attempt to create an internal output stream failed.
User response
Contact IBMÂ® Customer Support.
ADHG012E Unable to set socket timeout value. rc=return-code reason=reason-code
Explanation
An attempt to set the timeout threshold in the socket interface failed.
User response
ADHG013I Connection attempt timed out. Reattempting connection reattempt-number of total-

reattempts
Explanation
The S-TAPÂ® collector agent was unable to establish a TCP/IP connection to the GuardiumÂ® system within the timeout period. The connection will be reattempted until
the reattempt-number specified meets the total-reattempts number specified.
User response
Ensure that the Guardium system is listening for a connection at the server and port specified in message ADHG001I.
Ensure that there no firewalls are blocking connections between the collector and Guardium system.
ADHG014I Spillfile support enabled. Spill area size: [size] MB
Explanation
A spillfile area was successfully allocated at the specified size.
User response
ADHG015W Primary server is unavailable
Explanation

A connection to the primary GuardiumÂ® system is not available. Failover systems will be attempted for connection.
User response
Determine the cause of the connection interruption to the primary Guardium system and attempt to restore the connection.
ADHG017W Data is being temporarily stored in a spillfile until a connection is re-established
Explanation
A GuardiumÂ® system connection is unavailable. Collected data is written to the spillfile area until a system connection can be established.
User response
Determine the cause of the system connection outage and attempt to restore the connection.
ADHG018I Spillfile contents have been successfully be sent to server [server]
Explanation
The GuardiumÂ® system connection has been restored. The spillfile data that was collected during a connection outage has been sent to the specified system.
User response
ADHG019S Spillfile storage has been exhausted. Data loss will occur.
Explanation
A GuardiumÂ® system connection is unavailable and the spillfile is out of space. Data collected after this time will be lost.
User response
Determine the cause of the connection outage to the system and attempt to restore the connection. Notify others of the outage as necessary.
ADHG020I Registering server [server] as eligible for failover.
Explanation
The specified server will be added to the list of failover servers to register for the connection. Registration is attempted after all failover servers have been added. A
successful failover registration is indicated by message ADHG012I.
User response
ADHG021E Spillfile is approaching [50% | 85% | 95% |100$] capacity.
Explanation
A GuardiumÂ® system connection is unavailable and the spillfile area is at the specified capacity.
User response
Determine the cause of the connection outage to the system and attempt to restore the connection.
ADHG022I A connection has been established to failover server [server].
Explanation
A connection to the primary GuardiumÂ® system is not available. A connection has successfully been established to one of the specified failover server.
User response

Determine the cause of the connection interruption to the primary system and attempt to restore the connection.
ADHG026W Invalid port specified for APPLIANCE_PORT. Port 16022 will be used instead.
Explanation
The APPLIANCE_PORT parameter currently supports a setting of 16022, but the parameter has been retained for future support. If APPLIANCE_PORT is specified with a
value other than 16022, message ADHG026W is issued, and port 16022 will be used instead.
User response
Change APPLIANCE_PORT parameter setting to 16022 or remove the parameter entirely.
ADHG027I Registering server server as eligible for multi-stream.
Explanation
The specified server will be added to the list of servers that are eligible for multistream support.
User response
ADHG030I Security GuardiumÂ® S-TAPÂ® for DB2Â® Collector Agent is terminating
Explanation
The collector is terminating.
User response
ADHG031I Security GuardiumÂ® S-TAPÂ® for DB2Â® V10.1.3 [component] connection

established
Explanation
The specified component successfully established a TCP/IP connection to the Guardium system.
User response
ADHG097E Unexpected error: [error_description]. Return code:[return_code].
Explanation
An unexpected error was encountered.
User response
ADHG098I This event will be logged due to an unexpected data condition.
Explanation
A collected event contained unexpected or invalid data fields. The event fields are written to DD:ADHLOG for use in diagnosing the problem.
User response
Contact IBMÂ® Software Support with the error log.

ADHG099E Unexpected error: error-condition
Explanation
User response
ADHG210I A thread termination request was received for thread [thread-token]
Explanation
A â€“CANCEL THREAD command was issued by Security GuardiumÂ® S-TAPÂ® for DB2Â® as a result of a request received by the Guardium system. The command ended
successfully. Thread-token represents the cancelled thread token, as would be reported by a â€“DISPLAY THREAD DB2 command.
User response
ADHG501E pbSend: Bad host name. code=error-code
Explanation
While sending a message, the socket interface encountered a bad host name condition.
User response
Verify that the host name value provided for APPLIANCE_SERVER in the ASC ADHPARMS parameter file is valid.
ADHG502E pbSend: Interface not open. code= error-code
Explanation
While sending a message, a problem was encountered with an internal interface.
User response
ADHG503E pbSend: Socket I/O problem. code= error-code
Explanation
While sending a message, the socket interface encountered a socket I/O problem.
User response
ADHG550E Unable to send message. Connection to server is unavailable.
Explanation
An attempt to send a status (non-audit) message to the GuardiumÂ® system failed because a connection was unavailable.
User response
ADHG510E pbWrite: No such message. code= error-code

Explanation
While building a message, a problem was encountered with an internal interface
User response
ADHG511E pbWrite: Nested too deep. code= error-code
Explanation
While building a message, a problem was encountered with an internal interface.
User response
ADHG512E pbWrite: Stack underflow. code= error-code
Explanation
User response
ADHG513E pbWrite: Not in message. code= error-code
Explanation
User response
ADHG514E pbWrite: No such field in message. code= error-code
Explanation
User response
ADHG515E pbWrite: Not a 32-bit integer field. code= error-code
Explanation
User response
ADHG516E pbWrite: Not implemented. code= error-code
Explanation

User response
ADHG517E pbWrite: Not a message type. code= error-code
Explanation
User response
ADHG520W Encoding exception: Event exceeds protocol message size limit. code=error-code
Explanation
The network protocol used to communicate to the GuardiumÂ® system is limited to 64 KB in payload size. If an audited event results in a payload that exceeds this limit,
this message is issued, and a truncated message is built and sent to the system. This message is only issued once per collector instance. At termination, message
ADHG521W reports the total number of events impacted by this exception. The specified error-code value is for use by technical support.
User response
No action is required. If an excessive number of exceptions are observed, or if you are concerned that the exceptions are impacting audit data integrity, use
APPLIANCE_PORT(16022), which uses a communications protocol capable of delivering events with larger payloads.
ADHG521W Total encoding exceptions encountered due to exceeded message size: exception-
count
Explanation
The network protocol used to communicate to the GuardiumÂ® system is limited to 64 KB in payload size. If an audited event results in a payload that exceeds this limit,
message ADHG520W is issued. At termination, this message reports the total number of events that have been impacted by this exception, displayed as exception-count.
User response
No action is required. If an excessive number of exceptions are observed, or if you are concerned that the exceptions are impacting audit data integrity, use
APPLIANCE_PORT(16022), which uses a communications protocol capable of delivering events with larger payloads.
ADHG522E Write failed length=length rc=returncode rsn=reasoncode
Explanation
During an attempted TCP/IP data send of the length specified, the send failed with the specified return and reason code.
User response
Refer to the IBM manual, z/OS UNIX System Services Messages and Codes, for an explanation of the reason code. The last 4 digits of the reason code correspond to the
errors of the send API. Also, review the ADHLOG of the S-TAP Collector Agent for other messages that might indicate problems with the connection between the S-TAP
Collector Agent and the Guardium appliance.
This send failure might be the result of excessive amounts of data being sent to the appliance. Refer to the appliance reporting to determine whether excessive numbers of
events were sent to the appliance prior to the send failure. If you determine the failure to be the result of excessive amounts of data, review and modify the active policy to
decrease the amount of data that is sent to the appliance.
Error messages and codes: ADHIxxxx

The following information is about error messages and codes that begin with ADHI.
ADHI026W
ADHI031I
Security Guardium S-TAP for DB2 V10.1.3 [component] connection established
ADHI530E
DB2 connection failed [function] SQLCODE=[sqlcode] RSN=[reason-code]

ADHI531W
Option STAP_UTILITY_TS_TO_TABLE(Y) is ignored due to a previous error
ADHI612E
Termination requested as the result of a previous error
ADHI613E
SQLCODE -805 encountered for plan name [plan_name]
ADHI697E
Unexpected error: [error_description]. Return code:[return_code]
ADHI699E
Unexpected error: [error-condition]
ADHI026W Invalid port specified for APPLIANCE_PORT. Port 16022 will be used instead.
Explanation
User response
Parent topic: Error messages and codes: ADHIxxxx
ADHI031I Security GuardiumÂ® S-TAPÂ® for DB2Â® V10.1.3 [component] connection

established
Explanation
The specified component successfully established a TCP/IP connection to the Guardium system.
User response
None action is required.
ADHI530E DB2Â® connection failed [function] SQLCODE=[sqlcode] RSN=[reason-code]
Explanation
A DB2 attachment facility error occurred.
User response
An error occurred while performing a DB2 attachment function. See the IBMÂ® DB2 for z/OSÂ® Messages and Codes manual for more information about the return and
reason codes.
ADHI531W Option STAP_UTILITY_TS_TO_TABLE(Y) is ignored due to a previous error
Explanation
The option STAP_UTILITY_TS_TO_TABLE was set to enable collection of expanded utility information. However, an error occurred when attempting to establish the DB2Â®
connection, which is required for this feature. The option is disabled.
User response
Review ADHLOG for occurrences of message ADHG503E to determine the cause of the DB2 connection failure.
ADHI612E Termination requested as the result of a previous error
Explanation
An unrecoverable error condition was encountered. A shutdown request will sent to the collector agent.
User response
Check the ADHLOG for prior errors and attempt to resolve any previous errors.

ADHI613E SQLCODE -805 encountered for plan name [plan_name]
Explanation
A DB2Â® bind error -805 was encountered for the specified plan name.
User response
Run the ADHBIND job located in the SADHSAMP library.
ADHI697E Unexpected error: [error_description]. Return code:[return_code]
Explanation
User response
Contact IBMÂ® Support.
ADHI699E Unexpected error: [error-condition]

Explanation
User response
Error messages and codes: ADHKxxxx

The following information is about error messages and codes that begin with ADHK.
ADHK001I
Scope expression received, len = length of expression text
ADHK002I
Starting Compilation...
ADHK004I
Constant Pool for routine: (at memoryLocation).
ADHK005W
Level level â€˜compilerMessage'.
ADHK101I
Compiling filter. Flags1 Flags; Compile Trace True/False; Runtime Trace RuntimeTraceFlag; RuntimeTrace RuntimeTraceValue; Stage 1 Requested True/False.
ADHK102I
Rule Expression.
ADHK103I
Profile contained no filter information for this agent.
ADHK104I
Filter Compile Failed.
ADHK105I
Variable text
ADHK106I
Compiled filter requires bytes bytes of dynamic save area.
ADHK110I
Rule expression:
ADHK111I
Compiling filter. flags1 flags1 trace=trace runtimeTraceFlag runtimeTraceFlag runtimeTrace runtimeTrace
ADHK203I
Stage one filtering was not enabled.
ADHK204I
Error while creating stage one filter.
ADHK205I
No valid stage one filter criteria found.
ADHK001I Scope expression received, len = length of expression text
Explanation

The filter compiler has received a filter expression of length length and expression text of expression Text. Only the first line of the expression text is output with this
message. Only issued when trace-filter is true.
User response
None required.
Parent topic: Error messages and codes: ADHKxxxx
ADHK002I Starting Compilation...
Explanation
The expression compiler is starting to compile the filter expression. Only issued when trace-filter is true.
User response
ADHK004I Constant Pool for routine: (at memoryLocation).
Explanation
This is a debugging message that shows the memory location of an important data structure for the compiled filter. This line is followed by a hexadecimal printout of the
contents of that memory. Only issued when trace-filter is true.
User response
ADHK005W Level level â€˜compilerMessage'.
Explanation
These are messages generated by the filter compiler if there is anything wrong with the generated filter expression. The compiled filter will not be used. The agent and/or
collector will shut down.
User response
Contact IBMÂ® Software Support. Provide the agent and/or collector logs along with the xml file for the active profile at the time the message was generated.
ADHK101I Compiling filter. Flags1 Flags; Compile Trace True/False; Runtime Trace
RuntimeTraceFlag; RuntimeTrace RuntimeTraceValue; Stage 1 Requested True/False.
Explanation
An informational message is issued whenever a new profile is about to be compiled into a compiled filter.
User response
ADHK102I Rule Expression.
Explanation
The following lines show the filter expression that was generated from the profile.
User response
No response required.
ADHK103I Profile contained no filter information for this agent.
Explanation

The currently active filter had nothing specified to be collected in the current context. For example, in the ASC started task, if the filter has no targets, or if none of the
targets had any events checked, then there is nothing for the ASC started task to collect.
User response
No response is required, in general. However, if you had intended data to be collected, you may wish to review the active profile. If you believe the message is issued in
error, contact IBMÂ® Software Support.
ADHK104I Filter Compile Failed.
Explanation
The expression that was generated from the currently active profile could not be compiled into a filter.
User response
ADHK105I Variable text
Explanation
This message has been issued from the filter compiler
User response
ADHK106I Compiled filter requires bytes bytes of dynamic save area.
Explanation
The compiled filter needs a certain amount of filter working memory to be able to do filtering, and this message only appears if the amount of filter working memory
allocated (8192 bytes) is insufficient. This is unusual, and indicates a very large and complicated profile.
User response
You can consider reducing the size of the profile through the use of wildcards. If that is not possible, contact IBMÂ® Software Support.
ADHK110I Rule expression:
Explanation
his message will be followed by a full, multi-line, display of the filter expression generated from the profile. This message is only printed if trace-filter is true.
User response
ADHK111I Compiling filter. flags1 flags1 trace=trace runtimeTraceFlag runtimeTraceFlag

runtimeTrace runtimeTrace
Explanation
An informational message issued whenever a new profile is about to be compiled into a compiled filter.
User response
ADHK203I Stage one filtering was not enabled.
Explanation

Stage 1 filtering must be enabled.
User response
To enable stage 1 filtering, enter STAGE1_FILTER(Y) in the ADHCPARMS DD.
ADHK204I Error while creating stage one filter.
Explanation
A bug in the filtering code prevented the correct creation of a filter for stage 1. If the stage 2 filter compiled correctly, filtering proceeds successfully at a higher overhead.
User response
Contact IBMÂ® Software Support with XML export of the profile, and the JES output that contained this message.
ADHK205I No valid stage one filter criteria found.
Explanation
Stage 1 filtering is based on a subset of the profile fields. If one or more rules in the profiles do not include at least one of the profile fields, then stage 1 filtering might not
apply.
User response
Review the filtering stages section of the User's Guide and adjust the profile accordingly.
Error messages and codes: ADHPxxxx

The following information is about error messages and codes that begin with ADHP.
ADHP000I
Attempting connection to server server-address port=server-port
ADHP001I
Establishing Policy connection to server [server-address]
ADHP002I
Connection established to server [server-address]
ADHP003I
Connection was re-established to [server name]
ADHP004W
Connection was lost from server [server-address]
ADHP005S
Unable to establish a connection to server [server-address]
ADHP006E
Data loss has occurred as the result of a network send failure
ADHP007E
Unable to create a communications interface
ADHP008S
Required parameter was not supplied. Parameter=parameter-name
ADHP009I
TCP/IP streaming disabled due to user setting.
ADHP010I
Disconnecting from server server-name
ADHP012I
Failover support enabled
ADHP013I
Connection attempt timed out. Reattempting connection reattempt-number of total-reattempts.
ADHP015W
Primary server is unavailable
ADHP017W
Data is being temporarily stored in a spillfile until a connection is re-established
ADHP018I
Spillfile contents have been successfully be sent to server [server]
ADHP019S
Spillfile storage has been exhausted. Dataloss will occur
ADHP020I
Registering server [server] as eligible for failover
ADHP021E
Spillfile is approaching [50% | 85% | 95% |100%] capacity
ADHP022I
A connection has been established to failover server [server]

ADHP023I
A persisted policy from DD:ADHPLCY is being used.
ADHP026W
ADHP028E
Required policy not available at initialization.
ADHP030I
Security Guardium S-TAP for DB2 Policy component is terminating
ADHP031I
Security Guardium S-TAP for DB2 V10.1.3 component connection established
ADHP093E
Policy discarded because all DB2 rules contain errors
ADHP094E
Policy discarded due to error
ADHP095E
error: rule discarded due to error
ADHP096E
rule error: [error]
ADHP097E
Unexpected error: [error_description]. Return code:[return_code]
ADHP099E
Unexpected error: error-condition
ADHP101W
Invalid value for filter. Reason: [reason]. Value: [value]
ADHP102E
Invalid value for sqlcode: [*_sqlcode_*]
ADHP110I
Security Guardium S-TAP for DB2 mode: *****
ADHP111I
STAP command [STAP MODIFY command]
ADHP120I
Installed Policy:
ADHP121I
[policy segment]
ADHP122I
Installed Quarantine:
ADHP123I
[quarantine segment]
ADHP124I
Installed Blocking:
ADHP125I
[blocking segment]
ADHP126I
STAP BLOCKING mode: [ENABLED|DISABLED|OPERATOR]
ADHP130I
Agent configuration:
ADHP131I
[agent configuration segment]
ADHP140I
Event Counts:
ADHP141I
[event type] [total collected]
ADHP142I
ADHP143I
ADHP144I
ADHP145I
ADHP146I
ADHP150I
Program levels:
ADHP151I
[program level segment]
ADHP160I
S-TAP allocation queue history:
ADHP161I
TimeStamp-------Queued------------Freed
ADHP162I
[allocation queue segment]
ADHP163I
S-TAP filter history:
ADHP164I
TimeStamp----Pass Stage 1-- ---Pass Stage2
ADHP165I
[filter queue segment]
ADHP166I
S-TAP IO history:

ADHP167I
TimeStamp--------Sent----------Bytes sent--------Write time
ADHP168I
[filter queue segment]
ADHP170I
Event count reported by the appliance at time: [count]
ADHP179E
Option [option] is invalid for STAP command
ADHP180I
[policy | quarantine | blocking] policy push detected.
ADHP183E
FORCE_LOG_LIMITED is enabled but APPLIANCE_PORT is not compatible.
ADHP182I
SUPPORT_FORCE_LOG_LIMITED is enabled.
ADHP183I
FORCE_LOG_LIMITED is not supported by the appliance.
ADHP184I
A pushed down [policy | blocking | quarantine] is in use.
ADHP185I
A [policy | quarantine | blocking] from DD is in use.
ADHP186I
A [policy | quarantine | blocking] from DD is in use, ignoring any pushed down policy.
ADHP188I
Blocking policy removed.
ADHP189W
There is no table found in database: [database name]
ADHP190W
DB2 object: [object type] with name: [object name] does not exist.
ADHP191W
Blocking is NOT ACTIVE because there is no valid target in the policy.
ADHP192E
SQL statement execution was unsuccessful, SQLCODE is: [sqlcode value] SQLSTATE is: [sqlstate value]
ADHP193I
STAP Logging command pushed down from UI to request STAP logging information.
ADHP200E
Unexpected element in policy definition: <element>
ADHP201E
A policy must contain at least one rule
ADHP203E
Duplicate schema specification: [schema-name]
ADHP204E
Duplicate table specification: [table-name]
ADHP205E
Duplicate First Read event specification.
ADHP206E
Duplicate First Change event specification.
ADHP207E
Expected <policy> specification but found <***>.
ADHP208E
Policy syntax error
ADHP209E
Error in opening data set: [dataset]
ADHP210I
A thread termination request was received for thread [thread ID]
ADHP211W
Policy syntax error [error]
ADHP212W
[policy | quarantine | blocking] not enabled for ddname [ddname] reason: XML error
ADHP213E
Blocking policy syntax error: Invalid network [network]
ADHP214E
Blocking policy syntax error: Invalid netmask [netmask]
ADHP215E
Blocking policy syntax error: Invalid IP address [IP address]
ADHP216W
Blocking policy is ignored due to a previous error.
ADHP217W
Incomplete rule discarded. Rule name: [_rule-name_]
ADHP218W
Only one SQLCODE list is allowed. SQLCODE is discarded: [sqlcode]
ADHP220I
Appliance connect retry count has been reached, appliance ping rate is now increased to [number]
ADHP250E
Unable to send message. Connection to server is unavailable.
ADHP550E
Unable to send message. Connection to server is unavailable

ADHP000I Attempting connection to server server-address port=server-port
Explanation
The S-TAPÂ® policy component will attempt to establish a TCP/IP connection to a GuardiumÂ® system at the specified server address and port.
User response
Parent topic: Error messages and codes: ADHPxxxx
ADHP001I Establishing Policy connection to server [server-address]
Explanation
The Security GuardiumÂ® S-TAPÂ® for DB2Â® policy component is preparing to establish the TCP/IP connection to the specified Guardium system.
User response
ADHP002I Connection established to server [server-address]
Explanation
The S-TAPÂ® policy component was successful in establishing a TCP/IP connection to the GuardiumÂ® system.
User response
ADHP003I Connection was re-established to [server name]
Explanation
The S-TAPÂ® policy component was successful in establishing a TCP/IP connection to the GuardiumÂ® system following a disconnect.
User response
ADHP004W Connection was lost from server [server-address]
Explanation
The TCP/IP connection between the S-TAPÂ® policy component and the GuardiumÂ® system was lost. The S-TAP policy component will automatically attempt to
reestablish the connection, however a potential for data loss exists if the connection is not established. A data loss condition is indicated by message ADHP006E.
User response
Determine the cause of the network interruption and correct the problem so that the connection can be established.
ADHP005S Unable to establish a connection to server [server-address]
Explanation
The S-TAPÂ® Policy component was unable to establish a TCP/IP connection to the GuardiumÂ® system.
User response
Ensure that the Guardium system is listening for a connection at the server and port specified in message ADHP001I. .
Ensure that there are no firewalls blocking connections between the collector and the Guardium system.
ADHP006E Data loss has occurred as the result of a network send failure
Explanation
During a disconnection, the S-TAPÂ® policy component exceeded the number of events that can be retained in memory while waiting for the network connection to the
GuardiumÂ® system to be reestablished.
User response
Determine the cause of the network interruption and correct the problem so that the connection can be established.
If necessary, increase the SEND_FAIL_EVENT_COUNT value in the ASC ADHPARMS parameter file to increase the number of events that can be retained in memory
during short outages.
ADHP007E Unable to create a communications interface
Explanation
An attempt to create an internal communications interface failed.
User response
ADHP008S Required parameter was not supplied. Parameter=parameter-name
Explanation
A required parameter was not supplied.
User response
Supply a parameter and value for the specified parameter.
ADHP009I TCP/IP streaming disabled due to user setting.
Explanation
A debug setting was specified that has disabled TCP/IP streaming between the S-TAPÂ® policy component and the GuardiumÂ® system.
User response
ADHP010I Disconnecting from server server-name
Explanation
The S-TAPÂ® policy component is disconnecting from the GuardiumÂ® system.
User response
ADHP012I Failover support enabled
Explanation
One or more failover servers were successfully registered with the communications interface, enabling failover support.
User response
ADHP013I Connection attempt timed out. Reattempting connection reattempt-number of total-

reattempts.

Explanation
The S-TAPÂ® policy component was unable to establish a TCP/IP connection to the GuardiumÂ® system within the timeout period. An attempt to be made to reestablish
the connection until the reattempt-number reaches the total-reattempts number.
User response
Ensure that the Guardium system is listening for a connection at the server and port specified in message ADHP001I.
Ensure that no firewalls are blocking connections between the collector and Guardium system.
ADHP015W Primary server is unavailable
Explanation
A connection to the primary GuardiumÂ® system is not available. Failover appliances will be attempted for connection.
User response
ADHP017W Data is being temporarily stored in a spillfile until a connection is re-established
Explanation
A GuardiumÂ® system connection is unavailable and collected data is being written to the spillfile area until an system connection can be restored.
User response
ADHP018I Spillfile contents have been successfully be sent to server [server]
Explanation
The spillfile data that was collected during a connection outage has been sent to the specified GuardiumÂ® system upon reconnection.
User response
ADHP019S Spillfile storage has been exhausted. Dataloss will occur
Explanation
A GuardiumÂ® system connection is unavailable and the spillfile is out of space. Data collected after this time will be lost.
User response
Determine the cause of the connection outage to the system and attempt to restore the connection. Notify others of the outage as necessary.
ADHP020I Registering server [server] as eligible for failover
Explanation
The specified server will be added to the list of failover servers to register for the connection. Registration is attempted after all failover servers have been added. A
successful failover registration is indicated by message ADHP012I.
User response
ADHP021E Spillfile is approaching [50% | 85% | 95% |100%] capacity

Explanation
A GuardiumÂ® system connection is unavailable and the spillfile area has reached the specified percentage of capacity.
User response
ADHP022I A connection has been established to failover server [server]
Explanation
A connection to the primary GuardiumÂ® system is not available. A connection has successfully been established to one of the specified failover server.
User response
ADHP023I A persisted policy from DD:ADHPLCY is being used.
Explanation
The S-TAPÂ® policy component was unable to establish a connection to the GuardiumÂ® system. A persisted policy from DD:ADHPLCY is being used.
User response
ADHP026W Invalid port specified for APPLIANCE_PORT. Port 16022 will be used instead.
Explanation
User response
ADHP028E Required policy not available at initialization.
Explanation
At startup, the policy manager did not receive a policy from the Guardium appliance or policy DD.
User response
If APPLIANCE_SERVER_LIST is set to FAILOVER, this problem can be resolved by verifying that either:
the primary server is active and a policy is installed, or

the persistence policy DD is configured and has a valid policy installed from a previous policy.
IF APPLIANCE_SERVER_LIST is set to MULTI_STREAM, verify that the primary server is active during startup.
ADHP030I Security GuardiumÂ® S-TAPÂ® for DB2Â® Policy component is terminating
User response
ADHP031I Security GuardiumÂ® S-TAPÂ® for DB2Â® V10.1.3 component connection

established
Explanation

The S-TAP Policy component successfully established a TCP/IP connection to the Guardium system.
User response
ADHP093E Policy discarded because all DB2Â® rules contain errors
Explanation
All of the DB2 collection profile interception policies that were pushed down from the GuardiumÂ® appliance contain errors. As a result, Security Guardium S-TAPÂ® for
DB2 collection is deactivated.
User response
Review the ADHLOG for messages that were issued prior to this message that indicate why the DB2 rules were discarded. Examples of relevant messages include
ADHP096E and ADHP101W. Use the reason and value that is reported in the message to correct the incorrect value or error in the collection policy.
ADHP094E Policy discarded due to error
Explanation
One or more errors were detected while processing an interception policy that was pushed down from the Guardium appliance. As a result, the entire policy, as well as any
rules that are contained within the policy, are ignored.
User response
Review the ADHLOG for messages that were issued prior to this message (for example, ADHP101W) that indicate why the policy was discarded. Use the reason and value
that is reported in the message to correct the incorrect value or error in the collection policy.
ADHP095E error: rule discarded due to error
Explanation
One or more errors were detected while processing an interception policy rule that was pushed down from the Guardium appliance. As a result, the rule containing these
errors is ignored.
User response
Review the ADHLOG for messages that were issued prior to this message that indicate why the rule was discarded. Examples of relevant messages include ADHP096E and
ADHP101W. Use the reason and value that is reported in the message to correct the incorrect value or error in the collection policy.
ADHP096E rule error: [error]
Explanation
An error was detected while processing an interception policy rule that was pushed down from the Guardium appliance.
User response
Use the error text that is provided in this message to correct the value or error in the collection policy.
ADHP097E Unexpected error: [error_description]. Return code:[return_code]
Explanation
User response
ADHP099E Unexpected error: error-condition

Explanation
User response
ADHP101W Invalid value for filter. Reason: [reason]. Value: [value]
Explanation
An invalid value was detected while processing the collection policy received from the GuardiumÂ® system.
User response
Attempt to correct the invalid value or error in the collection policy by referencing the reason and value reported in the message.
ADHP102E Invalid value for sqlcode: [*_sqlcode_*]
Explanation
A SQL code that was detected while processing the collection policy from the IBMÂ® GuardiumÂ® system is not valid.
User response
Attempt to correct the SQL code in the collection policy by referencing the value that is reported in the message. See SQL error codes in the IBM Knowledge Center for
more information.
ADHP110I Security GuardiumÂ® S-TAPÂ® for DB2Â® mode: *****
Explanation
This message is issued when information about the event streaming mode is requested by issuing the /F STAP command, where ***** is either STREAMING EVENTS or
POLICY SIMULATION.
User response
ADHP111I STAP command [STAP MODIFY command]
Explanation
This message indicates that an S-TAP MODIFY command has been issued.
User response
ADHP120I Installed Policy:
Explanation
The header of the installed policy
User response
ADHP121I [policy segment]
Explanation

A segment of the installed policy
User response
ADHP122I Installed Quarantine:
Explanation
The header of the installed quarantine policy
User response
ADHP123I [quarantine segment]
Explanation
A segment of the installed quarantine policy
User response
ADHP124I Installed Blocking:
Explanation
The header of the installed blocking policy
User response
ADHP125I [blocking segment]
Explanation
A segment of the installed blocking policy
User response
ADHP126I STAP BLOCKING mode: [ENABLED|DISABLED|OPERATOR]
Explanation
This message indicates whether S-TAP blocking is enabled, disabled, or in operator mode.
User response
No action is required. See SQL Blocking for more information.
ADHP130I Agent configuration:
Explanation
The header of the agent configuration
User response

ADHP131I [agent configuration segment]
Explanation
A segment of the agent configuration
User response
Explanation
The header of the event collection statistics
User response
ADHP141I [event type] [total collected]
Explanation
The total count collected for the event
User response
Explanation
User response
Explanation
User response
Explanation
User response

Explanation
User response
Explanation
User response
ADHP150I Program levels:
Explanation
The header of S-TAP program levels
User response
ADHP151I [program level segment]
Explanation
A segment of S-TAP program levels
User response
ADHP160I S-TAP allocation queue history:
Explanation
The header of S-TAP allocation queue history
User response
ADHP161I TimeStamp-------Queued------------Freed
Explanation
The subheader of S-TAP allocation queue history
User response
ADHP162I [allocation queue segment]
Explanation
A segment of the allocation queue history

User response
ADHP163I S-TAP filter history:
Explanation
The header of S-TAP filter history
User response
ADHP164I TimeStamp----Pass Stage 1-- ---Pass Stage2
Explanation
The subheader of the S-TAP filter history
User response
ADHP165I [filter queue segment]
Explanation
A segment of S-TAP filter history
User response
ADHP166I S-TAP IO history:
Explanation
The header of S-TAP IO history
User response
ADHP167I TimeStamp--------Sent----------Bytes sent--------Write time
Explanation
The subheader of S-TAP IO history
User response
ADHP168I [filter queue segment]
Explanation
A segment of S-TAP IO history
User response

ADHP170I Event count reported by the appliance at time: [count]
Explanation
Number of collected events reported by the appliance.
User response
ADHP179E Option [option] is invalid for STAP command
Explanation
An invalid value was detected while processing the S-TAP command.
User response
Check the command and try again.
ADHP180I [policy | quarantine | blocking] policy push detected.

Explanation
A policy pushdown from the Guardium appliance has been detected.
User response
ADHP183E FORCE_LOG_LIMITED is enabled but APPLIANCE_PORT is not compatible.
Explanation
The FORCE_LOG_LIMITED parameter is enabled but APPLIANCE_PORT is not set correctly.
User response
Check the compatible values for FORCE_LOG_LIMITED and APPLIANCE_PORT.
ADHP182I SUPPORT_FORCE_LOG_LIMITED is enabled.
Explanation
The S-TAP has been configured not to collect host variables.
User response
ADHP183I FORCE_LOG_LIMITED is not supported by the appliance.
Explanation
The appliance does not support the FORCE_LOG_LIMITED feature.
User response
Check for the compatible appliance with which to use the FORCE_LOG_LIMITED feature.
ADHP184I A pushed down [policy | blocking | quarantine] is in use.
Explanation

Policy push down is in use.
User response
ADHP185I A [policy | quarantine | blocking] from DD is in use.
Explanation
A policy supplied by DD is in use rather than one from push down.
User response
ADHP186I A [policy | quarantine | blocking] from DD is in use, ignoring any pushed down
policy.
Explanation
A policy supplied by DD is in use. Any pushed down policy will be discarded.
User response
ADHP188I Blocking policy removed.
Explanation
All blocking policies have been uninstalled.
User response
ADHP189W There is no table found in database: [database name]
Explanation
The database [database name] that was specified in the blocking policy is either empty or not defined.
User response
Rebuild the blocking policy with a valid database for blocking to be active for the database.
ADHP190W DB2 object: [object type] with name: [object name] does not exist.
Explanation
The DB2 object [object type] specified in the blocking policy does not exist.
User response
Rebuild the blocking policy with valid blocking targets for blocking to be active for the DB2 object.
ADHP191W Blocking is NOT ACTIVE because there is no valid target in the policy.
Explanation
No valid blocking target has been found in the blocking policy. Blocking will not be activated.

User response
Rebuild the blocking policy with valid blocking targets for blocking to be activated.
ADHP192E SQL statement execution was unsuccessful, SQLCODE is: [sqlcode value] SQLSTATE
is: [sqlstate value]
Explanation
A SQL statement execution was unsuccessful during policy pushdown process.
User response
Determine the cause of the SQLCODE. Correct the installed policy if necessary.
ADHP193I STAP Logging command pushed down from UI to request STAP logging information.
Explanation
S-TAP logging levels provide log information as follows:
Level 0
Logs program levels, event queue statistics, agent configuration, policy, and event counts.
Level 1
Logs agent configuration, policy, and event counts.
Level 2
Logs agent configuration.
Level 3
Logs policy.
Level 4 or higher
Logs event counts.
User response
ADHP200E Unexpected element in policy definition: <element>
Explanation
An unexpected element has been found while parsing policy.
User response
Correct the unexpected element and update the policy.
ADHP201E A policy must contain at least one rule

Explanation
No rule was found in the policy.
User response
Update the policy to contains at least one rule.
ADHP203E Duplicate schema specification: [schema-name]
Explanation
A duplicated schema within one target has been detected.
User response
Update the policy with only one schema per target.

ADHP204E Duplicate table specification: [table-name]
Explanation
A duplicate table within one target has been detected.
User response
Update the policy with only one table per target.
ADHP205E Duplicate First Read event specification.
Explanation
A duplicate First Read event has been detected.
User response
Update the policy with only one First Read event per target.
ADHP206E Duplicate First Change event specification.
Explanation
A duplicate First Change event has been detected.
User response
Update the policy with only one First Change event per target.
ADHP207E Expected <policy> specification but found <***>.
Explanation
The <policy> tag was expected but a different tag (<***>) was found.
User response
Correct the policy.
ADHP208E Policy syntax error
Explanation
A syntax error was found while parsing the policy.
User response
Correct the policy.
ADHP209E Error in opening data set: [dataset]
Explanation
An error occurred while opening a data set for policy parsing.
User response
Make sure the dataset exists and is associated with the appropriate permissions.
ADHP210I A thread termination request was received for thread [thread ID]
Explanation

A termination request was received for thread [thread ID].
User response
ADHP211W Policy syntax error [error]
Explanation
A syntax error was found while parsing the policy.
User response
Correct the policy.
ADHP212W [policy | quarantine | blocking] not enabled for ddname [ddname] reason: XML
error
Explanation
The policy from DD is not enabled because a syntax error was found.
User response
Correct the policy in the DD.
ADHP213E Blocking policy syntax error: Invalid network [network]
Explanation
Network value is not valid in the installed blocking policy.
User response
Correct the network value and reinstall the blocking policy.
ADHP214E Blocking policy syntax error: Invalid netmask [netmask]
Explanation
Netmask value is not valid in the installed blocking policy.
User response
Correct the netmask value and reinstall the blocking policy.
ADHP215E Blocking policy syntax error: Invalid IP address [IP address]
Explanation
IP address value is not valid in the blocking policy.
User response
Correct the IP address value and reinstall the blocking policy.
ADHP216W Blocking policy is ignored due to a previous error.
Explanation
The installed blocking policy contains a syntax error. The blocking policy is discarded.

User response
Resolve the error and reinstall the blocking policy.
ADHP217W Incomplete rule discarded. Rule name: [_rule-name_]
Explanation
An incomplete policy rule is detected.
System action
The rule is discarded.
User response
Use the Guardium Policy Builder of the GuardiumÂ® appliance interface to define and manage data collection and filtering. Correct the specified rule rule-name and add
the necessary filters to make it a complete rule.
ADHP218W Only one SQLCODE list is allowed. SQLCODE is discarded: [sqlcode]
Explanation
More than one SQLCODE list is detected.
System action
The first list is accepted. Additional lists are discarded.
User response
Ensure that there is only one SQLCODE list for each installed policy.
ADHP220I Appliance connect retry count has been reached, appliance ping rate is now
increased to [number]
Explanation
Ping rate has been increased to a larger value after reaching the specified number of APPLIANCE_CONNECT_RETRY_COUNT attempts.
User response
ADHP250E Unable to send message. Connection to server is unavailable.
Explanation
S-TAP was unable to send messages to the appliance.
User response
Make sure the appliance is online and reachable by the S-TAP.
ADHP550E Unable to send message. Connection to server is unavailable
Explanation
An attempt to send a non-audit status message to the GuardiumÂ® system failed because no connection to the appliance is available.
User response

Error messages and codes: ADHQxxxx
The following information is about error messages and codes that begin with ADHQ. These messages are generated from the collector agent.
ADHQ1000E
NOT APF AUTHORIZED
ADHQ1001I
DB2 QUERY COMMON COLLECTOR INITIALIZATION IN PROGRESS FOR SUBSYSTEM
ADHQ1002I
DB2 AUDIT SQL COLLECTOR INITIALIZATION COMPLETE FOR SUBSYSTEM
ADHQ1003E
SUBSYSTEM ssid ALREADY ACTIVE
ADHQ1004I
QUERY COMMOON COLLECTOR TERMINATION IN PROGRESS FOR SUBSYSTEM subsystem
ADHQ1005I
QUERY COMMON COLLECTOR TERMINATION COMPLETE FOR SUBSYSTEM ssid
ADHQ1006E
statement DD STATEMENT MISSING
ADHQ1007E
INVALID USERID SPECIFIED FOR AUTHID
ADHQ1010I
DEBUG MODE ON
ADHQ1011I
DEBUG MODE OFF
ADHQ1016E
INVALID COMMAND SYNTAX
ADHQ1017E
INVALID COMMAND
ADHQ1019I
INTERVAL EXTERNALIZATION MODE OFF
ADHQ1020E
DB2 SUBSYSTEM ssid IS NOT DEFINED
ADHQ1024E
dsn SPECIFICATION INVALID
ADHQ1026E
SHARED MEMORY FAILURE FOR OBJECT object request RC =rc RS=rs
ADHQ1027I
CPU=CPU Type-CPU Model-CPU Manufacturer. OS Name OS Version.OS Release.OS Modification.
ADHQ1028E
Component requires a 64 bit processor and z/OSÂ® 1.5 or higher.
ADHQ1031E
Serious error in master address space address space.
ADHQ1032I
Recreating master address space.
ADHQ1033E
Unable to create master address space address space.
ADHQ1034I
Master address space has started.
ADHQ1035E
Unable to restart master (RS=rc).
ADHQ1055E
CQM1055E DB2 ssid IS EXPERIENCING STORAGE CONSTRAINTS, DATA LOSS MAY OCCUR, REASON=code
ADHQ1060I
ZIIP SUPPORT IS NOT ACTIVE. nnnnnnnn RC=yy RSN=zzzzzzzz nnnnnnnn is the name of the service that failed with a nonzero return code (RC).
ADHQ1061E
MISSING PARAMETER: parameter
ADHQ1062E
COMMUNICATION INTERFACE DISABLED BY CROSS MEMORY FAILURE
ADHQ1062I
ZIIP SUPPORT IS INSTALLED
ADHQ1065E
REQUIRED DATA ACCESS COMMON COLLECTOR MODULE NOT FOUND
ADHQ1066E
Subsystem terminating due to abend while compiling the collection profile. SVCDUMP collected.
ADHQ1070E
Terminating due to XML profile processing error RC (xxxxxxxx)
ADHQ1071E
Terminating due to missing XML profile at start up
ADHQ1080I
POLICY MANAGER STARTED.
ADHQ1081I
POLICY MANAGER STOPPED.
POLICY PUSH DETECTED.
ADHQ1083I
POLICY PUSH SENT.
ADHQ1084I
QUARANTINE ONLY POLICY DETECTED.
ADHQ1085I
CURRENT QUARANTINE POLICY IS REMOVED.

ADHQ1086I
BOTH NEW POLICY AND QUARANTINE POLICY DETECTED.
ADHQ1086E
ADHQ1086E statement DD STATEMENT MISSING
ADHQ1153E
RETURN CODE return_code REASON CODE reason_code WAS ENCOUNTERED DURING TRANSLATION SOURCE CCSID ccsid TARGET CCSID ccsid
ADHQ1202I
STORAGE CONSTRAINT RELIEVED FOR SPACE â€“ space â€“ OCCURRENCES: count
ADHQ1203I
ASID=asid,TCB=tcb,CPID=cpid, MODULE=module,ADDR=addr, RC=rc,RSN=rsn
ADHQ1204I
FUNC=func,SP=subpool,FLG2=flag,FLG3=flag
ADHQ1205E
ISM ERROR OCCURRED, DETAIL FOLLOWS: note
ADHQ1209I
ISM ERROR RC=rc,RSN=rsn,SPACE â€“ space
ADHQ1210E
ISM SPACE IS DISABLED â€“ space
ADHQ1211I
AN ABEND OCCURRED DURING ISM PROCESSING FOR SPACE â€“ space
ADHQ1212E
AN ERROR OCCURRED IN THE EXTENT EXIT ROUTINE FOR SPACE â€“ space
ADHQ1213W
SPACE IS FULL AND NO MORE EXTENTS CAN BE OBTAINED FOR SPACE â€“ space
ADHQ1214W
OWNER LIMIT EXCEEDED FOR SPACE â€“ space
ADHQ1215W
SPACE IS FULL AND NO MORE LARGE EXTENTS CAN BE OBTAINED FOR SPACE â€“ space
ADHQ1216E
EXTENT PROCESSING FAILED (ABEND) FOR SPACE â€“ space
ADHQ1217W
SPACE IS FULL AND NO MORE LARGE EXTENTS CAN BE OBTAINED FOR SPACE â€“ space
ADHQ1218W
MAXIMUM EXTENTS HAS BEEN REACHED FOR SPACE â€“ space
ADHQ1219W
ALL ISMERROR MESSAGE BLOCKS ARE IN USE
ADHQ1500E
ABNORMAL EOT FOR subtask SUBTASK
ADHQ2001E
DB2 SUBSYSTEM ssid ALREADY MONITORED BY SUBSYSTEM ssid
ADHQ2002E
MONITORING AGENT INSTALLATION FAILED FOR SUBSYSTEM ssid
ADHQ2003I
FORCING MONITORING AGENT INSTALLATION FOR ssid
ADHQ2005I
MULTIPLE MONITORING AGENT INSTALLATION FOR SUBSYSTEM ssid
ADHQ2008E
DB2 SYSTEM ssid IS BEING MONITORED BY A 2.2 OR BELOW VERSION CQM SUBSYSTEM AND CANNOT BE AUDITED
ADHQ2009E
DB2 SYSTEM ssid WAS PREVIOUSLY MONITORED BY A 2.2 OR EARLIER CQM SUBSYSTEM qmid WHICH HAS NOT APPLIED APAR PK55535.
ADHQ2010I
CURRENTLY ACTIVE POLICY RESULTS IN DISABLED COLLECTION
ADHQ2013I
CURRENTLY ACTIVE POLICY RESULTS IN GRANT/REVOKE COLLECTION
ADHQ2014I
CURRENTLY ACTIVE POLICY RESULTS NO HOST VARIABLE COLLECTION.
ADHQ2015I
CURRENTLY ACTIVE POLICY RESULTS NEGATIVE SQL CODES COLLECTION.
ADHQ2016I
CURRENTLY ACTIVE POLICY RESULTS DB2 COMMANDS COLLECTION.
ADHQ2017I
CURRENTLY ACTIVE POLICY RESULTS IN DBNAMES OPTIMIZATION.
ADHQ2018I
CURRENTLY ACTIVE POLICY RESULTS IN A QUARANTINE LIST.
ADHQ2019I
CURRENTLY ACTIVE POLICY RESULTS IN DB2 UTILITIES COLLECTION
ADHQ2020I
CURRENTLY ACTIVE POLICY RESULTS IN FAILED LOGIN COLLECTION.
ADHQ2100E
UNRECOGNIZED PARAMETER
ADHQ2101E
PARAMETER ERROR DETECTED FOR parameter
ADHQ2103E
DUPLICATE PARAMETER DETECTED FOR parameter
ADHQ2110E
TERMINATING DUE TO ERRORS IN PARAMETER FILE
ADHQ2111E
ERROR READING PARAMETER DATASET - MEMBER NOT FOUND
ADHQ2402I
DATASPACE MANAGEMENT IN PROGRESS FOR dsmgmt

ADHQ2403I
n DATASPACE PAGES RELEASED FOR ssid
ADHQ2408E
INVALID REPLY. REPLY "U" TO ACCEPT OR "R" TO REJECT
ADHQ2601E
ALLOCATION FAILED FOR VSAM DATASET dsn RETCD=rc REAS=rs
ADHQ2603E
DEALLOCATION FAILED FOR DATASET data_set RETCD=return_code REAS=reason_code
ADHQ3001I
DB2 STARTUP DETECTED FOR SUBSYSTEM ssid
ADHQ3002I
MONITORING AGENT STARTED FOR SUBSYSTEM ssid
ADHQ3003I
DB2 SHUTDOWN DETECTED FOR SUBSYSTEM ssid
ADHQ3005I
MONITORING AGENT DEACTIVATED FOR ssid
ADHQ3006I
AUDITING AGENT ACTIVATED FOR ssid
ADHQ3192E
LEVEL STATUS DB2(ssid) message
ADHQ3192I
LEVEL STATUS DB2(ssid) message
ADHQ3200I
DISPLAY AGENTS
ADHQ3201I
DB2 SUBYSYSTEM ssid AGENT ADDRESS address
ADHQ3202I
ssid AGENT ADDRESS address
ADHQ3203I
ASC DIAGNOSTIC DISPLAY:
ADHQ3204I
SDA ADDRESS address
ADHQ3205I
ssid ADDRESS address
ADHQ3206I
DIAGNOSTIC DATA FOR ABEND AT PSW psw
ADHQ3207I
SYSTEM COMPLETION CODE code
ADHQ3208I
OCCURRENCES n DATE date TIME time
ADHQ3209I
GPR 0-3 info
ADHQ3210I
GPR 4-7 info
ADHQ3211I
GPR 8-11 info
ADHQ3212I
GPR 12-15 info
ADHQ3213I
AR 0-3 info
ADHQ3214I
AR 4-7 info
ADHQ3215I
AR 8-11 info
ADHQ3216I
AR 12-15 info
ADHQ3240I
DB2 QM DATASPACE USAGE DISPLAY:
ADHQ3241I
dataspace DATASPACE
ADHQ3242I
NODE SIZE size
ADHQ3243I
TOTAL NODES n
ADHQ3244I
AVAILABLE NODES n
ADHQ3245I
PERCENT UTILIZED n
ADHQ3250I
POSTING INTERVAL PROCESSOR
ADHQ3251I
INTERVAL PROCESSOR NOT POSTED - DB2 UNAVAILABLE
ADHQ3252I
INTERVAL PROCESSING ALREADY IN PROGRESS
ADHQ3308E
DB2 SYSTEM ssid IS MONITORED BY DB2 QUERY MONITOR ssid WHICH HAS MISMATCHED OBJ AGENT
ADHQ3315E
MASTER SUBSYSTEM DOES NOT MATCH
ADHQ3402I
ISSUING COMMAND cmd

ADHQ3551E
VSAM LOGIC ERROR ENCOUNTERED WHILE ACCESSING CONTROL FILE FOR DB2 ssid. VSAMRC='rc' VSAMRS=X'rs'
ADHQ3552E
SETUP INFORMATION MISSING FROM CONTROL FILE FOR DB2 ssid
ADHQ3553E
message ERROR message
ADHQ4001E
CONNECT TO DB2 ssid FAILED FOR PLAN plan RETURN CODE rc REASON CODE rs
ADHQ4003E
CONNECT FAILED - DB2 NOT OPERATIONAL
ADHQ5010I
MONITORING AGENT DEINSTALLATION IN PROGRESS FOR SUBSYSTEM ssid
ADHQ5011I
MONITORING AGENT DEINSTALLATION COMPLETE FOR SUBSYSTEM ssid
ADHQ5012I
REQURESTING MONITORING AGENT ACTIVATION FOR DB2 SUBSYSTEM ssid
ADHQ5013I
REQUESTING MONITORING AGENT DEACTIVATION FOR DB2 SUBSYSTEM ssid
ADHQ6101E
LOCATE FAILED FOR dataset R0=code RC=rc
ADHQ6102E
SCRATCH FAILED FOR file SCRATCH STATUS CODE=code RO=ro
ADHQ7001E
table TABLE NOT LOCATED IN DB2 CATALOG
ADHQ7008E
QUERY COMMON COLLECTOR ssid NOT VALID OR HAS NOT BEEN STARTED SINCE IPL
ADHQ7009E
OUT OF SPACE CONDITION DETECTED WHILE WRITING TO THE dsn DATASET
ADHQ7010E
MISSING "ADD" PARAMETER FOR parameter AT LINE line COLUMN column
ADHQ7011E
INTERNAL ERROR - UNABLE TO RESOLVE ALTERNATE COLUMN column
ADHQ7015E
NUMBER OF BSDS SPECIFICATIONS INVALID OR MISSING
ADHQ7016E
DUPLICATE RECORD STORE ATTEMPTED FOR DB2 SUBSYSTEM ssid
ADHQ8001E
ERRORS DETECTED IN parameters PARAMETERS:
ADHQ8002E
UNIDENTIFIED KEYWORD DETECTED AT LINE line COLUMN column
ADHQ8003E
INVALID SYNTAX SPECIFIED FOR parameter NEAR LINE line COLUMN column
ADHQ8004E
PARAMETER LENGTH EXCEEDED FOR parameter NEAR LINE line COLUMN column
ADHQ8005E
PARAMETER MISSING FOR parameter NEAR LINE line COLUMN column
ADHQ8006E
NON NUMERIC DATA SPECIFIED FOR parameter NEAR LINE line COLUMN column
ADHQ8007E
INVALID VALUE SPECIFIED FOR parameter NEAR LINE line COLUMN column
ADHQ8008E
value MUST BE value THAN value
ADHQ8009E
DUPLICATE PARAMETER parameter AT LINE line COLUMN column
ADHQ8010E
DUPLICATE SUBPARAMETER DETECTED FOR PARAMETER parameter AT LINE line COLUMN column
ADHQ8011E
DB2 VERSION NOT SUPPORTED
ADHQ8012E
ERROR OPENING DDNAME ddname
ADHQ8013E
INVALID PARAMETER LENGTH FOR parameter
ADHQ8014E
LOGIC ERROR: error
ADH8022I
adh parameter value
ADH9899I
adh modify command
ADHQ1000E NOT APF AUTHORIZED
Explanation
The collector agent started task or job is not APF authorized.
User response

The collector agent requires that the target load libraries be APF-authorized.
Parent topic: Error messages and codes: ADHQxxxx
ADHQ1001I DB2Â® QUERY COMMON COLLECTOR INITIALIZATION IN PROGRESS FOR

SUBSYSTEM
Explanation
This message appears during the normal initialization process of the collector agent.
User response
ADHQ1002I DB2Â® AUDIT SQL COLLECTOR INITIALIZATION COMPLETE FOR SUBSYSTEM
Explanation
This message appears during the normal initialization process of the collector agent and confirms the initialization process has completed.
User response
ADHQ1003E SUBSYSTEM ssid ALREADY ACTIVE
Explanation
The collector agent indicated in the message is already active and can therefore cannot process another activate command.
User response
Verify that you are activating the correct system. If you are attempting to activate a subsystem that is already active, do not attempt activation.
ADHQ1004I QUERY COMMOON COLLECTOR TERMINATION IN PROGRESS FOR SUBSYSTEM

subsystem
Explanation
This message appears during normal shutdown of the Collector Agent and indicates the collector is undergoing shutdown.
User response
ADHQ1005I QUERY COMMON COLLECTOR TERMINATION COMPLETE FOR SUBSYSTEM ssid
Explanation
The collector agent subsystem has been terminated. This message could appear as part of normal shutdown or as a failure to connect to a subsystem.
User response
Investigate other write-to-operator (WTO) messages preceding this one to determine the reason for the termination.
ADHQ1006E statement DD STATEMENT MISSING
Explanation
The parameter DD statement (for example, ADHCFGP DD statement) is missing from the JCL for the collector agent started task.

User response
Create the necessary DD statement and code the appropriate parameters in the data set.
ADHQ1007E INVALID USERID SPECIFIED FOR AUTHID
Explanation
The user ID entered in the AUTHID parm in the ADHCFGP data set has not been defined to RACFÂ® or an equivalent security system.
User response
Correct the user ID, or ensure the ID is defined to your security system.
ADHQ1010I DEBUG MODE ON
Explanation
Debugging mode has been turned on.
User response
None required.
ADHQ1011I DEBUG MODE OFF
Explanation
Debugging mode has been turned off.
User response
None required.
ADHQ1016E INVALID COMMAND SYNTAX
Explanation
The command syntax is invalid.
User response
Correct the command.
ADHQ1017E INVALID COMMAND
Explanation
An invalid MVSâ„¢ Modify command was issued.
User response
Correct the command and execute it again.
ADHQ1019I INTERVAL EXTERNALIZATION MODE OFF
Explanation
The collector agent subsystem was started with externalization mode set to off.

User response
ADHQ1020E DB2Â® SUBSYSTEM ssid IS NOT DEFINED
Explanation
The DB2 subsystem indicated in the message is not defined.
User response
Verify that you have specified the correct DB2 subsystem.
ADHQ1024E dsn SPECIFICATION INVALID
Explanation
The data set name listed in this message is not valid.
User response
Verify that you specified the correct data set name in ADHCFGP.
ADHQ1026E SHARED MEMORY FAILURE FOR OBJECT object request RC =rc RS=rs
Explanation
A shared memory failure has occurred for the indicated object.
User response
ADHQ1027I CPU=CPU Type-CPU Model-CPU Manufacturer. OS Name OS Version.OS Release.OS

Modification.
Explanation
This message displays information about the CPU and the operating system.
User response
ADHQ1028E Component requires a 64 bit processor and z/OSÂ® 1.5 or higher.
Explanation
Your system does not meet the minimum system requirements.
User response
Upgrade to the minimum requirements.
ADHQ1031E Serious error in master address space address space.
Explanation
A serious error has occurred in the master address space specified.

User response
Verify that the master address space is available.
ADHQ1032I Recreating master address space.
User response
ADHQ1033E Unable to create master address space address space.
Explanation
DB2Â® Query Monitor is not able to create the master address space specified.
User response
Many issues that cause this error relate to security setup. If you encounter this message, send your console log to IBMÂ® Software Support.
ADHQ1034I Master address space has started.
User response
ADHQ1035E Unable to restart master (RS=rc).
Explanation
The master address space could not be restarted.
User response
verify the master address space is available and restart.
ADHQ1055E CQM1055E DB2Â® ssid IS EXPERIENCING STORAGE CONSTRAINTS, DATA LOSS

MAY OCCUR, REASON=code
Explanation
The DB2 subsystem indicated in the message is experiencing storage constraints.
User response
Verify that your DB2 subsystem has the needed storage allocations.
ADHQ1060I ZIIP SUPPORT IS NOT ACTIVE. nnnnnnnn RC=yy RSN=zzzzzzzz nnnnnnnn is the
name of the service that failed with a nonzero return code (RC).
Explanation
Table 1. Return code explanations
Service Description
IWM4ECRE (WLM The return codes and reason codes are documented in z/OS V1R10.0 MVSâ„¢ Programming Workload Management Services.
Enclave Create)
IWM4EoCT (WLM CPU The return codes and reason codes are not documented in any existing WLM manual. However, RC=4 typically means no ZIIP is configured on
Offload Time Service) the instance of z/OSÂ®. If you have a ZIIP processor and it is properly configured, report the RC to the vendor.
MAXWFLOAD (Enclave An error occurred trying to LOAD ADHMAXWF (the enclave SRB routine that runs on the ZIIP). Make sure you have the correct STEPLIB
SRB load service) configured.
IEAVAPE (Z/OS Allocate These return codes are described in z/OS V1R10.0 MVS Programming Assembler Services References V2. If the ADHQ1060I has IEAVAPE has
Pause Element) the failing service, contact the vendor for resolution.

ADHQ1061E MISSING PARAMETER: parameter
Explanation
The specified parameter has not been defined in the sample library member ADHCFGP.
User response
Add the missing parameter to the ADHCFGP sample library member.
ADHQ1062E COMMUNICATION INTERFACE DISABLED BY CROSS MEMORY FAILURE
Explanation
A cross memory failure has occurred and as a result the communication interface has been disabled.
User response
Troubleshoot the memory failure and restart the ASC.
ADHQ1062I ZIIP SUPPORT IS INSTALLED
Explanation
The collector agent has detected that WLM is configured for zIIP support. This does not necessarily indicate that zIIP processors are installed or are available for zIIP
offload of collector agent processing.
User response
ADHQ1065E REQUIRED DATA ACCESS COMMON COLLECTOR MODULE NOT FOUND
Explanation
The started task did not find the Data Access Common Collector (CQC) initialization module, which prevented successful startup.
User response
Verify that the Data Access Common Collector (CQC) has been installed and that the load library is included in the started task STEPLIB concatenation
ADHQ1066E Subsystem terminating due to abend while compiling the collection profile.
SVCDUMP collected.
Explanation
An abend was detected when compiling the collection profile. A memory dump was collected to gather the diagnostic information.
User response
If you are unable to take corrective measures to resolve the abend, then the SVCDUMP, the collector joblog, and the details of the collection profile in use should be
reported to IBMÂ® Software Support for resolution of this error.
ADHQ1070E Terminating due to XML profile processing error RC (xxxxxxxx)
Explanation
A policy is sent from the GuardiumÂ® system to the Security Guardium S-TAPÂ® for DB2Â® collector agent during their initial communication. If the policy received by the
collector agent is not composed of valid XML syntax, the collector terminates.
User response

Verify that the Guardium system is properly configured, using the APPLIANCE_SERVER parameter. The system should be set up to accept connections from collectors. If
the problem persists, contact IBMÂ® Software Support with the return code specified in this message.
ADHQ1071E Terminating due to missing XML profile at start up
Explanation
A policy is sent from the GuardiumÂ® system to the Security Guardium S-TAPÂ® for DB2Â® collector agent during their initial communication. If the policy is not received by
the collector agent during the initial communication set up, then the collector terminates.
User response
Verify that the Guardium system is properly configured, using the APPLIANCE_SERVER parameter. The appliance should be set up to accept connections from collectors.
If the problem persists, contact IBMÂ® Software Support.
ADHQ1080I POLICY MANAGER STARTED.
Explanation
The internal policy manager task has started.
User response
ADHQ1081I POLICY MANAGER STOPPED.
Explanation
The internal policy manager task has stopped.
User response
POLICY PUSH DETECTED.
Explanation
A policy was received from the appliance.
User response
ADHQ1083I POLICY PUSH SENT.
Explanation
The policy was sent to Audit SQL Collector.
User response
ADHQ1084I QUARANTINE ONLY POLICY DETECTED.
Explanation
A pushed policy was included on a quarantine list. The currently active audit policy is unchanged and is still active.
User response

ADHQ1085I CURRENT QUARANTINE POLICY IS REMOVED.
Explanation
A new policy push occurred which resulted in the removal of the quarantine list.
User response
ADHQ1086I BOTH NEW POLICY AND QUARANTINE POLICY DETECTED.
Explanation
A new policy push occurred, which resulted in new policy and quarantine lists to be activated.
User response
ADHQ1086E ADHQ1086E statement DD STATEMENT MISSING
Explanation
The parameter DD statement (for example, ADHPARMS DD statement) is missing from the JCL for the collector agent started task.
User response
Create the necessary DD statement and code the appropriate parameters in the data set.
ADHQ1153E RETURN CODE return_code REASON CODE reason_code WAS ENCOUNTERED

DURING TRANSLATION SOURCE CCSID ccsid TARGET CCSID ccsid
Explanation
An error was encountered during the translation of the indicated CCSIDs. This may be the result of not having defined conversion paths between the CCSID of the
collected SQL text and CCSID 1208 when performing a DB2Â® offload.
User response
To offload SQL text, verify that all necessary CCSID paths to 1208 are installed. You must define conversion paths between the CCSID of the collected SQL text and CCSID
1208.
ADHQ1202I STORAGE CONSTRAINT RELIEVED FOR SPACE â€“ space â€“ OCCURRENCES:
count
Explanation
An Integrated Storage Manager error had previously occurred due to a storage constraint for the space named in the message. The storage constraint has now been
relieved. The number of storage constraint occurrences for this incident is displayed in the message.
User response
ADHQ1203I ASID=asid,TCB=tcb,CPID=cpid, MODULE=module,ADDR=addr, RC=rc,RSN=rsn
Explanation

A Security GuardiumÂ® S-TAPÂ® for DB2Â® Integrated Storage Manager error has occurred. This message provides details that can be used by IBMÂ® Software Support to
diagnose the situation.
User response
Provide the text of this message to IBM Software Support.
ADHQ1204I FUNC=func,SP=subpool,FLG2=flag,FLG3=flag
Explanation
A Security GuardiumÂ® S-TAPÂ® for DB2Â® Integrated Storage Manager error has occurred. This message provides details that can be used by IBMÂ® Software Support to
User response
Provide the text of this message to IBM Software Support.
ADHQ1205E ISM ERROR OCCURRED, DETAIL FOLLOWS: note
Explanation
A Security GuardiumÂ® S-TAPÂ® for DB2Â® Integrated Storage Manager error has occurred. This message and messages ADHQ1203I and ADHQ1204I provide details that
can be used by IBMÂ® Software Support to diagnose the situation.
User response
Provide the text of this message and messages ADHQ1203I and ADHQ1204I along with any memory dumps that have been produced to IBM Software Support.
ADHQ1209I ISM ERROR RC=rc,RSN=rsn,SPACE â€“ space
Explanation
User response
ADHQ1210E ISM SPACE IS DISABLED â€“ space
Explanation
User response
ADHQ1211I AN ABEND OCCURRED DURING ISM PROCESSING FOR SPACE â€“ space
Explanation
A Query Monitor Integrated Storage Manager error has occurred. This message and messages ADHQ1203I and ADHQ1204I provide details that can be used by IBMÂ®
Software Support to diagnose the situation.
User response
Provide the text of this message and messages ADHQ1203I and ADHQ1204I along with any dumps that may have been produced to IBM Software Support.

ADHQ1212E AN ERROR OCCURRED IN THE EXTENT EXIT ROUTINE FOR SPACE â€“ space
Explanation
User response
Provide the text of this message and messages ADHQ1203I and ADHQ1204I along with any memory dumps that might been produced to IBM Software Support.
ADHQ1213W SPACE IS FULL AND NO MORE EXTENTS CAN BE OBTAINED FOR SPACE â€“
space
Explanation
A Security GuardiumÂ® S-TAPÂ® for DB2Â® Integrated Storage Manager operation has failed because no more extents can be obtained for the space named in the
message. This message and messages ADHQ1203I and ADHQ1204I provide details that can be used by IBMÂ® Software Support to diagnose the situation.
User response
This may be a temporary situation due to the level of DB2 activity currently monitored by Security Guardium S-TAP for DB2. If message ADHQ1202I is also issued to
indicate that the Storage Constraint has ended, then processing resumes. If this situation occurs frequently, adjust the amount of data collected by Security Guardium S-
TAP for DB2, or increase the amount of available memory by using the MAXIMUM_ALLOCATIONS and SMEM_SIZE parameters.
If you need assistance with modifying these parameters, provide the text of this message and messages ADHQ1203I and ADHQ1204I to IBM Software Support.
ADHQ1214W OWNER LIMIT EXCEEDED FOR SPACE â€“ space

Explanation
A Security GuardiumÂ® S-TAPÂ® for DB2Â® Monitor Integrated Storage Manager error has occurred. This message and messages ADHQ1203I and ADHQ1204I provide
details that can be used by IBMÂ® Software Support to diagnose the situation.
User response
Provide the text of this message and messages ADHQ1203I and ADHQ1204I along with any memory dumps that might have been produced to IBM Software Support.
ADHQ1215W SPACE IS FULL AND NO MORE LARGE EXTENTS CAN BE OBTAINED FOR SPACE
â€“ space
Explanation
A Security GuardiumÂ® S-TAPÂ® for DB2Â® Monitor Integrated Storage Manager operation has failed because no more large extents can be obtained for the space named
in the message. This message and messages ADHQ1203I and ADHQ1204I provide details that can be used by IBMÂ® Support to diagnose the problem.
User response
This might be a temporary situation due to the level of DB2 activity currently being monitored by Security Guardium S-TAP for DB2. If message ADHQ1202I is also issued
to indicate that the Storage Constraint has ended, then processing resumes. If this situation occurs frequently, adjust the amount of data collected by Security Guardium
S-TAP for DB2, or increase the amount of available memory by using the MAXIMUM_ALLOCATIONS and SMEM_SIZE parameters.
ADHQ1216E EXTENT PROCESSING FAILED (ABEND) FOR SPACE â€“ space
Explanation
User response

ADHQ1217W SPACE IS FULL AND NO MORE LARGE EXTENTS CAN BE OBTAINED FOR SPACE
â€“ space
Explanation
A Security GuardiumÂ® S-TAPÂ® for DB2Â® Integrated Storage Manager operation has failed because the request would have exceeded the maximum storage allocation
specified in the MAXIMUM_ALLOCATIONS parameter in ADHPARMS. At the time of the error, Security Guardium S-TAP for DB2 was attempting to allocate additional
storage for the space named in the message. This message and messages ADHQ1203I and ADHQ1204I provide details that can be used by IBMÂ® Software Support to
User response
This might be a temporary situation due to the level of DB2 activity currently being monitored by Security Guardium S-TAP for DB2. If message ADHQ1202I is also issued
to indicate that the Storage Constraint has ended, then processing resumes. If this situation occurs frequently, adjust the amount of data collected by Security Guardium
S-TAP for DB2, or increase the amount of available memory by using the MAXIMUM_ALLOCATIONS and SMEM_SIZE parameters.
ADHQ1218W MAXIMUM EXTENTS HAS BEEN REACHED FOR SPACE â€“ space
Explanation
An Integrated Storage Manager operation has failed because the request would have exceeded the maximum number of extents allowed for the space named in the
message. This message and messages ADHQ1203I and ADHQ1204I provide details that can be used by IBMÂ® Software Support to diagnose the situation.
User response
This might be a temporary situation due to the level of DB2Â® activity currently being monitored. If message ADHQ1202I is issued later to indicate that the Storage
Constraint has ended, then processing resumes normally. If this situation rarely occurs, it might not be a problem. If this situation occurs frequently, adjust the amount of
data collected by Security GuardiumÂ® S-TAPÂ® for DB2, or increase the amount of available memory by using the MAXIMUM_ALLOCATIONS and SMEM_SIZE parameters.
If you need assistance with tuning these parameters, provide the text of this message and messages ADHQ1203I and ADHQ1204I to IBM Software Support.
ADHQ1219W ALL ISMERROR MESSAGE BLOCKS ARE IN USE
Explanation
An Integrated Storage Manager error has occurred. However there were no free ISMERROR message blocks available.
User response
Increase the value of the ISM_ERROR_BLOCKS parameter in the ADHPARMS file. If this parameter is already set to the maximum value and the problem persists, contact
IBMÂ® Software Support.
ADHQ1500E ABNORMAL EOT FOR subtask SUBTASK
Explanation
An abnormal end of task occurred for the subtask indicated in the message.
User response
Verify conditions surrounding the abnormal end of task and reissue the subtask.
ADHQ2001E DB2Â® SUBSYSTEM ssid ALREADY MONITORED BY SUBSYSTEM ssid
Explanation
The indicated DB2 subsystem is already being monitored by the collector agent shown in the message.
User response

A DB2 subsystem can only be monitored by a single collector agent. To monitor the DB2 subsystem with another collector agent, first stop the monitoring of the DB2
subsystem by the collector agent (shown in the message).
ADHQ2002E MONITORING AGENT INSTALLATION FAILED FOR SUBSYSTEM ssid
Explanation
A monitoring agent was unable to start. Another SQL-type monitoring product might be active within the specified DB2Â® subsystem.
User response
Check to see if another SQL-type monitoring product is active. If so, shut down the other product and restart the S-TAPÂ® collector. If this does not resolve the problem,
contact IBMÂ® Software Support.
If you encounter message ADHQ2002E and receive a memory dump, contact IBM Software Support and provide the memory dump for diagnostic purposes.
ADHQ2003I FORCING MONITORING AGENT INSTALLATION FOR ssid
Explanation
The collector agent has detected that a monitoring agent is already active, but is forcing installation because FORCE
(Y) was included.
User response
ADHQ2005I MULTIPLE MONITORING AGENT INSTALLATION FOR SUBSYSTEM ssid
Explanation
The collector agent has installed multiple monitoring agents for the subsystem shown in the message.
User response
ADHQ2008E DB2 SYSTEM ssid IS BEING MONITORED BY A 2.2 OR BELOW VERSION CQM
SUBSYSTEM AND CANNOT BE AUDITED
Explanation
This message indicates an incompatibility between DB2 Query Monitor and S-TAP. InfoSphereÂ® Guardium S-TAP for DB2 Version 9.1 will not start auditing a DB2
subsystem that is running Query Monitor at Version 3.1 or earlier.
User response
Ensure that you are running compatible versions of S-TAP and Query Monitor, or run only one product at a time.
ADHQ2009E DB2Â® SYSTEM ssid WAS PREVIOUSLY MONITORED BY A 2.2 OR EARLIER CQM
SUBSYSTEM qmid WHICH HAS NOT APPLIED APAR PK55535.
Explanation
You must apply Query Monitory V2R2 APAR PK55535.
User response
Apply the required maintenance.

ADHQ2010I CURRENTLY ACTIVE POLICY RESULTS IN DISABLED COLLECTION
Explanation
The currently installed collection policy, as received from the GuardiumÂ® system, results in no ASC collection. This can be the result of:
No policies are installed on the system.

No DB2Â® Collection Profile policies are installed on the system.
No DB2 Collection Profile policies matching the Svc. Name of the collector agent SSID are installed on the system.
No DB2 Collection Profile policies contain Object entries that would result in ASC collection.
User response
If ASC collection is expected when this message is issued, review installed policy definitions in the Guardium system administration interface for the previously listed
conditions. If no ASC collection is expected when this message is issued, no action is required.
ADHQ2013I CURRENTLY ACTIVE POLICY RESULTS IN GRANT/REVOKE COLLECTION
Explanation
The activated policy enables the collection of GRANT and REVOKE SQL statements. GRANT and REVOKE SQL statements are collected if they match the policy filter
criteria.
User response
ADHQ2014I CURRENTLY ACTIVE POLICY RESULTS NO HOST VARIABLE COLLECTION.
Explanation
Host variables, which are also known as BIND variables, are not collected.
User response
ADHQ2015I CURRENTLY ACTIVE POLICY RESULTS NEGATIVE SQL CODES COLLECTION.
Explanation
The active policy contains a negative SQL code list that results in the collection of events ending with a negative SQL code.
User response
ADHQ2016I CURRENTLY ACTIVE POLICY RESULTS DB2 COMMANDS COLLECTION.
Explanation
Collection of COMMAND events is enabled.
User response
ADHQ2017I CURRENTLY ACTIVE POLICY RESULTS IN DBNAMES OPTIMIZATION.
Explanation
The currently active policy contains rules with DBNAME filters, which enables optimized filtering of audit events.
User response

ADHQ2018I CURRENTLY ACTIVE POLICY RESULTS IN A QUARANTINE LIST.
Explanation
The active policy contains a quarantine list that might cause DB2 activity to be quarantined.
User response
ADHQ2019I CURRENTLY ACTIVE POLICY RESULTS IN DB2 UTILITIES COLLECTION
Explanation
The active policy enables the collection of DB2 utilities.
User response
ADHQ2020I CURRENTLY ACTIVE POLICY RESULTS IN FAILED LOGIN COLLECTION.
Explanation
The active policy enables the collection of Failed Login events.
User response
ADHQ2100E UNRECOGNIZED PARAMETER
Explanation
The collector agent has encountered an unrecognized parameter.
User response
Check the startup parameters to ensure that the parameters specified are all valid.
ADHQ2101E PARAMETER ERROR DETECTED FOR parameter
Explanation
The collector agent has encountered an error in one of the startup parameters.
Note: Message ADHQ2101E can be issued when the collector agent is started if the ADHCFGP file specifies primary space allocations for back store data sets that are less
than the default.
User response
Check the startup parameters to ensure that all are specified properly. Check that primary space allocations for back store data sets are not set for less than their default
values.
ADHQ2103E DUPLICATE PARAMETER DETECTED FOR parameter
Explanation
Duplicate parameters were specified in the Query Common Collector startup parameters.
User response

Check the startup parameters to ensure that all are specified properly. Remove any duplicate parameters.
ADHQ2110E TERMINATING DUE TO ERRORS IN PARAMETER FILE
Explanation
An error in the collector agent parameter file caused the termination of processing.
User response
Verify that the input you specified for your collector agent parameters in ADHCFGP is valid and correct for your objectives.
ADHQ2111E ERROR READING PARAMETER DATASET - MEMBER NOT FOUND
Explanation
The collector agent encountered an error while attempting to read the ADHCFGP data set. The ADHPARMS DD statement specified a PDS data set and the member name
specified did not exist.
User response
Correct the JCL specification for the ADHPARMS DD statement and specify a valid member name.
ADHQ2402I DATASPACE MANAGEMENT IN PROGRESS FOR dsmgmt
Explanation
Indicates dataspace management is in progress for the subsystem shown in the message.
User response
ADHQ2403I n DATASPACE PAGES RELEASED FOR ssid
Explanation
Displays the number of dataspace pages that have been released for the subsystem shown in the message.
User response
ADHQ2408E INVALID REPLY. REPLY "U" TO ACCEPT OR "R" TO REJECT
Explanation
The replay you entered is not valid.
User response
Enter U to accept or R to reject.
ADHQ2601E ALLOCATION FAILED FOR VSAM DATASET dsn RETCD=rc REAS=rs
Explanation
This message is issued by the started task if there is a problem during the dynamic allocation of a data set. When this message occurs, the collector agent stops and the
startup process and terminates.

User response
To further diagnose and resolve the problem using the return code and reason code listed in the message, refer to the MVSâ„¢ Programming Authorized Assembler Services
Guide (SA22-7608-07).
ADHQ2603E DEALLOCATION FAILED FOR DATASET data_set RETCD=return_code

REAS=reason_code
Explanation
This message reports errors encountered during the execution of a CLOSE macro instruction.
User response
To further diagnose and resolve the problem using the return code and reason code listed in the message, refer to the z/OSÂ® V1R1.0 DFSMS/DFP Diagnosis Reference
(GY27-7618-01) or the following Web page:
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/dgt2r101/20.8.1.2
ADHQ3001I DB2Â® STARTUP DETECTED FOR SUBSYSTEM ssid
Explanation
The collector agent determined that a DB2 subsystem in its monitor list has started.
User response
ADHQ3002I MONITORING AGENT STARTED FOR SUBSYSTEM ssid
Explanation
Security GuardiumÂ® S-TAPÂ® for DB2Â® has initiated monitoring for the named subsystem.
User response
ADHQ3003I DB2Â® SHUTDOWN DETECTED FOR SUBSYSTEM ssid
Explanation
The collector agent determined that a DB2 subsystem in its monitor list has shut down.
User response
ADHQ3005I MONITORING AGENT DEACTIVATED FOR ssid
Explanation
The monitoring agent has been deactivated for the indicated Collector Agent.
User response
None required.
ADHQ3006I AUDITING AGENT ACTIVATED FOR ssid

Explanation
The collector agent has been instructed to start the monitoring agent for a given DB2Â® subsystem when it becomes active. Monitoring of SQL for the DB2 subsystem will
start when the monitoring agent is started indicated by message ADHQ3002I. Monitoring will continue after message ADHQ3002I is issued until one of the following
events occur:
1. The DB2 subsystem is stopped.

2. A deactivate for the monitoring agent is performed.
3. The collector agent subsystem that is monitoring the DB2 subsystem is stopped.
User response
ADHQ3192E LEVEL STATUS DB2(ssid) message
Explanation
This message displays if a mismatch in code level exists between Security GuardiumÂ® S-TAPÂ® for DB2Â® and Query Monitor. One message per mismatched code level
will occur.
User response
Ensure that all the programs listed have the Query Monitor and corresponding Security Guardium S-TAP for DB2 maintenance applied.
ADHQ3192I LEVEL STATUS DB2(ssid) message
Explanation
This message displays if a mismatch in code level exists between Security GuardiumÂ® S-TAPÂ® for DB2Â® and DB2 Query Monitor. This message occurs once per
mismatched code level.
User response
Verify that all the programs listed have the Query Monitor and corresponding S-TAP for DB2 maintenance applied.
ADHQ3200I DISPLAY AGENTS
Explanation
This message is used in conjunction with other messages to indicate display agents.
User response
ADHQ3201I DB2Â® SUBYSYSTEM ssid AGENT ADDRESS address
Explanation
Indicates the DB2 subsystem and agent address.
User response
None required.
ADHQ3202I ssid AGENT ADDRESS address
Explanation
Indicates the monitoring agent address.
User response

ADHQ3203I ASC DIAGNOSTIC DISPLAY:
Explanation
Indicates ASC diagnostic display is in effect.
User response
ADHQ3204I SDA ADDRESS address
Explanation
Indicates the SDA address.
User response
ADHQ3205I ssid ADDRESS address
Explanation
This message is used in conjunction with other messages to indicate the address.
User response
None required.
ADHQ3206I DIAGNOSTIC DATA FOR ABEND AT PSW psw
Explanation
The message displays diagnostic data for the abend.
User response
ADHQ3207I SYSTEM COMPLETION CODE code
Explanation
The message indicates the system completion code.
User response
ADHQ3208I OCCURRENCES n DATE date TIME time
Explanation
Indicates the number of occurrences and the date and time at which the took place.
User response
None required.

ADHQ3209I GPR 0-3 info
Explanation
This message displays diagnostic information about the current contents of the register.
User response
Explanation
User response
Explanation
User response
Explanation
User response
ADHQ3213I AR 0-3 info
Explanation
User response
Explanation
User response

Explanation
User response
Explanation
User response
ADHQ3240I DB2Â® QM DATASPACE USAGE DISPLAY:
Explanation
This message appears in conjunction with other messages as a result of the MVSâ„¢ Modify command DISPLAY DATASPACES.
User response
ADHQ3241I dataspace DATASPACE
Explanation
This message appears in conjunction with ADHQ3240I as a result of the MVSâ„¢ Modify command DISPLAY DATASPACES.
User response
ADHQ3242I NODE SIZE size
Explanation
This message appears in conjunction with ADHQ3240I as a result of the MVSâ„¢ Modify command DISPLAY DATASPACES. This message lists the node size for the named
data space.
User response
ADHQ3243I TOTAL NODES n
Explanation
This message appears in conjunction with ADHQ3240I as a result of the MVSâ„¢ Modify command DISPLAY DATASPACES. This message lists the total number of nodes
allowed for the named data space.
User response

ADHQ3244I AVAILABLE NODES n
Explanation
This message appears in conjunction with ADHQ3240I as a result of the MVSâ„¢ Modify command DISPLAY DATASPACES. This message lists the total number of nodes
available for use by the named data space.
User response
ADHQ3245I PERCENT UTILIZED n
Explanation
This message appears in conjunction with ADHQ3240I as a result of the MVSâ„¢ Modify command DISPLAY DATASPACES. This message lists the percentage of nodes
used for the named data space.
User response
ADHQ3250I POSTING INTERVAL PROCESSOR
Explanation
This message appears to inform you that the interval processor has been started through an MVSâ„¢ Modify INTERVAL command.
User response
ADHQ3251I INTERVAL PROCESSOR NOT POSTED - DB2Â® UNAVAILABLE
Explanation
The interval processor was not started because a DB2 subsystem is not available.
User response
Verify the status of all monitored DB2 subsystems.
ADHQ3252I INTERVAL PROCESSING ALREADY IN PROGRESS
Explanation
This message appears to inform you that the interval processor was already started through an MVSâ„¢ Modify INTERVAL command.
User response
ADHQ3308E DB2Â® SYSTEM ssid IS MONITORED BY DB2 QUERY MONITOR ssid WHICH HAS
MISMATCHED OBJ AGENT
Explanation

This message indicates that the maintenance levels of one or more object modules do not match between the Security GuardiumÂ® S-TAPÂ® for DB2 and Query Monitor
installations. The maintenance code levels for Security Guardium S-TAP for DB2 and Query Monitor installations must match.
User response
Ensure that the maintenance levels match between the Security Guardium S-TAP for DB2 and Query Monitor installations. Apply maintenance as required to one or both
environments to ensure that the maintenance levels match.
ADHQ3315E MASTER SUBSYSTEM DOES NOT MATCH
Explanation
For monitoring and auditing to be active on the DB2Â® subsystem, a DB2 subsystem that is monitored by DB2 Query Monitor or Workload Replay for DB2 for z/OSÂ® or
audited by Security GuardiumÂ® S-TAPÂ® for DB2 must have a matching MASTER_PROCNAME parameter between the Query Monitor subsystem and the Workload Replay
DB2 subsystem, or the Security Guardium S-TAP for DB2 ASC started task.
User response
Update the MASTER_PROCNAME parameter for DB2 Query Monitor, Security Guardium S-TAP for DB2, or Workload Replay so that the same MASTER_PROCNAME is in use
by all products for the monitored DB2 subsystem. After updating the MASTER_PROCNAME, restart the started task for the task that is affected by the parameter change.
ADHQ3402I ISSUING COMMAND cmd
Explanation
Indicates command execution.
User response
ADHQ3551E VSAM LOGIC ERROR ENCOUNTERED WHILE ACCESSING CONTROL FILE FOR
DB2Â® ssid. VSAMRC='rc' VSAMRS=X'rs'
Explanation
A VSAM logic error was encountered when accessing the control file for the DB2 subsystem indicated in the message.
User response
Verify that the DB2 control file for the DB2 subsystem listed in the message has been properly allocated and that the appropriate DB2 subsystem and plan names
information have been specified correctly.
ADHQ3552E SETUP INFORMATION MISSING FROM CONTROL FILE FOR DB2Â® ssid
Explanation
There is insufficient information in the control file for the DB2 subsystem indicated in the message.
User response
Modify the control file to include the necessary information.
ADHQ3553E message ERROR message
Explanation
An error has occurred. This message is customized to display various messages such as initialization errors.
User response

ADHQ4001E CONNECT TO DB2Â® ssid FAILED FOR PLAN plan RETURN CODE rc REASON CODE
rs
Explanation
Security GuardiumÂ® S-TAPÂ® for DB2 was not able to connect to the DB2 subsystem using the plan shown in the message.
User response
Refer to DB2 Universal Database for z/OSÂ® V8 Messages (GC18-9602-01) and DB2 Universal Database for z/OS V8 Codes (GC18-9603-01) to further diagnose and
resolve the problem.
ADHQ4003E CONNECT FAILED - DB2Â® NOT OPERATIONAL
Explanation
The collector agent was not able to connect to the DB2 subsystem because DB2 is not currently operational.
User response
Verify that DB2 is functioning correctly.
ADHQ5010I MONITORING AGENT DEINSTALLATION IN PROGRESS FOR SUBSYSTEM ssid
Explanation
The monitoring agent deinstallation is in progress for the DB2Â® subsystem indicated in the message.
User response
ADHQ5011I MONITORING AGENT DEINSTALLATION COMPLETE FOR SUBSYSTEM ssid
Explanation
The monitoring agent deinstallation completed for the DB2Â® subsystem indicated in the message.
User response
ADHQ5012I REQURESTING MONITORING AGENT ACTIVATION FOR DB2Â® SUBSYSTEM ssid
Explanation
The monitoring agent for the indicated DB2 subsystem is being requested for activation.
User response
ADHQ5013I REQUESTING MONITORING AGENT DEACTIVATION FOR DB2Â® SUBSYSTEM ssid
Explanation
The monitoring agent for the indicated DB2 subsystem is being requested for deactivation.
User response

ADHQ6101E LOCATE FAILED FOR dataset R0=code RC=rc
Explanation
A catalog located failed during interval data set expiration processing. r0 contains the contents of the register zero and rc is the LOCATE return code.
User response
See z/OSÂ® DFSMSdfp Advanced Services (SC26-7400-02) for a description of the return codes issued by LOCATE.
ADHQ6102E SCRATCH FAILED FOR file SCRATCH STATUS CODE=code RO=ro

Explanation
The scratch failed for the indicated file.
User response
See z/OSÂ® DFSMSdfp Advanced Services (SC26-7400-02) for a description of the return codes issued by LOCATE.
ADHQ7001E table TABLE NOT LOCATED IN DB2Â® CATALOG
Explanation
The table indicated in the message cannot be found in the DB2 catalog.
User response
Verify that the table you specified exists.
ADHQ7008E QUERY COMMON COLLECTOR ssid NOT VALID OR HAS NOT BEEN STARTED SINCE
IPL
Explanation
The collector agent shown in the message is not a valid collector agent.
User response
Verify that you specified the correct Query Common Collector subsystem ID, and that the collector agent is available.
ADHQ7009E OUT OF SPACE CONDITION DETECTED WHILE WRITING TO THE dsn DATASET
Explanation
An out-of-space condition was encountered when attempting to write to the data set indicated in the message.
User response
Verify that adequate space has been allocated to the data set.
ADHQ7010E MISSING "ADD" PARAMETER FOR parameter AT LINE line COLUMN column
Explanation
The ADD parameter is missing for the indicated line and column.
User response

Specify an ADD parameter.
ADHQ7011E INTERNAL ERROR - UNABLE TO RESOLVE ALTERNATE COLUMN column
Explanation
There has been an internal error.
User response
ADHQ7015E NUMBER OF BSDS SPECIFICATIONS INVALID OR MISSING
Explanation
An invalid number of BSDS parameters has been sent as input to the ADH#CTLF utility.
User response
Verify that the two boot strap data sets used for your DB2Â® subsystem are properly specified.
ADHQ7016E DUPLICATE RECORD STORE ATTEMPTED FOR DB2Â® SUBSYSTEM ssid
Explanation
This message describes an error condition when attempting to load records into the control file that already exist without specifying REPLACE(Y) for the DB2 subsystem
indicated in the message.
User response
Edit your ADH#CTLF job to include REPLACE(Y). Refer to the instructions in SADHSAMP library member ADH#CTLF for details.
ADHQ8001E ERRORS DETECTED IN parameters PARAMETERS:
Explanation
Errors have been detected in ADHCFGP.
User response
Verify that the parameters you specified in ADHCFGP are correct and modify any syntax errors before proceeding.
ADHQ8002E UNIDENTIFIED KEYWORD DETECTED AT LINE line COLUMN column
Explanation
An unknown keyword has been found.
User response
Verify the correct syntax and modify the keyword as needed.
ADHQ8003E INVALID SYNTAX SPECIFIED FOR parameter NEAR LINE line COLUMN column
Explanation
The syntax specified for the parameter indicated in the message is not valid.
User response

Correct the syntax and resubmit the job.
ADHQ8004E PARAMETER LENGTH EXCEEDED FOR parameter NEAR LINE line COLUMN column
Explanation
The length of the value specified for the parameter indicated in the message exceeded the valid length for that parameter.
User response
ADHQ8005E PARAMETER MISSING FOR parameter NEAR LINE line COLUMN column
Explanation
A required parameter is missing from ADHLOADP.
User response
ADHQ8006E NON NUMERIC DATA SPECIFIED FOR parameter NEAR LINE line COLUMN column
Explanation
Non-numeric data was specified in ADHLOADP for the parameter listed in the message.
User response
Specify numeric data for the parameter.
ADHQ8007E INVALID VALUE SPECIFIED FOR parameter NEAR LINE line COLUMN column
Explanation
An invalid value was specified in ADHLOADP.
User response
Correct the value and resubmit the job.
ADHQ8008E value MUST BE value THAN value
Explanation
The value of the parameter shown in the message must be within the specified range.
User response
Correct the value of the parameter so it falls within the range indicated in the message text.
ADHQ8009E DUPLICATE PARAMETER parameter AT LINE line COLUMN column
Explanation
A parameter you specified is a duplicate.
User response

Correct the syntax to eliminate the duplicate parameter.
ADHQ8010E DUPLICATE SUBPARAMETER DETECTED FOR PARAMETER parameter AT LINE line

COLUMN column
Explanation
A sub-parameter you specified is a duplicate.
User response
Correct the syntax to eliminate the duplicate sub-parameter.
ADHQ8011E DB2Â® VERSION NOT SUPPORTED
Explanation
The version of DB2 with which you are attempting to use is not supported by unload functionality of the collector agent.
User response
The collector agent unloads data to DB2 Version 8, DB2 Version 9, or DB2 Version 10.
ADHQ8012E ERROR OPENING DDNAME ddname
Explanation
The collector agent encountered an error attempting to open the TEXTDATA data set.
User response
Verify that the TEXTDATA data set is configured properly and has adequate space available.
ADHQ8013E INVALID PARAMETER LENGTH FOR parameter
Explanation
The value you specified for the TBCREATOR parameter is too long and is therefore invalid.
User response
Specify a valid value for TBCREATOR. Valid values are up to eight characters in length.
ADHQ8014E LOGIC ERROR: error
Explanation
The collector agent has encountered a logic error.
User response
ADH8022I adh parameter value
Explanation
This message is used to display the contents of the ADHPARMS file that was processed when Security GuardiumÂ® S-TAPÂ® for DB2Â® was started.

User response
ADH9899I adh modify command
Explanation
This message is used to display the text of a modify command that was issued to Security GuardiumÂ® S-TAPÂ® for DB2Â®.
User response

optimized for the V10.1 Guardium system. IBM Guardium S-TAP for IMS collects and correlates data access information from a variety of IMS resources to produce a
About these topics

This information is designed to help database administrators, appliance programmers, and application programmers perform these tasks:
Plan for the installation of IBM Guardium S-TAP for IMS

Install and operate IBM Guardium S-TAP for IMS
Configure the IBM Guardium S-TAP for IMS environment
Diagnose and recover from IBM Guardium S-TAP for IMS problems
A PDF of this User's Guide is available here.

optimized for the V10.1 Guardium system. IBM Guardium S-TAP for IMS collects and correlates data access information from a variety of IMS resources to produce
a comprehensive view of business activity for auditors.
What does IBM Security Guardium S-TAP for IMS on z/OS V10.1.3 do?
IBM Security Guardium S-TAP for IMS on z/OS (also referred to as IBM Guardium S-TAP for IMS) is an auditing tool that collects and correlates data access
information from IMS Online regions, IMS batch jobs, IMS archived log data sets, and SMF records to produce a comprehensive view of business activity that occurs
within one or more IMS environments.
Installing IBM Security Guardium S-TAP for IMS on z/OS
The following sections describe hardware, software, and user ID authority prerequisites for product installation.
IBM Security Guardium S-TAP for IMS on z/OS security
IBM Guardium S-TAP for IMS requires access to various IMS data sets and IBM Guardium system components.
Configuration overview
These actions are required to configure IBM Guardium S-TAP for IMS.
Configuring the IBM Security Guardium S-TAP for IMS on z/OS agent
This section describes the information necessary for configuring the agent.
Setting up an IMS environment for auditing
This section describes how to customize IMS environments to capture DLI calls, including customizing IMS catalogued procedures, coexisting with other DFSFLGX0
and DFSISVI0 exit routines, customizing IMS to use a zIIP, copying common load modules from SAUILOAD to SAUIIMOD, and the security considerations related to
IMS processing.
Using agent configuration keywords to customize auditing
Some agent configuration keywords must be used for the product to function. You can also use agent configuration keywords for optional auditing specifications.
IBM Security Guardium S-TAP for IMS on z/OS agent reference information
The IBM Guardium S-TAP for IMS agent provides access to database and appliance services, in support of the product's remote clients. The agent also reads
audited DLI events placed in the z/OS System Logger log streams by the IMS Online and DLI/DBB batch Data collectors and sends the DLI events to the IBM
Guardium system using TCP/IP connections.
Data collection
The collection process involves the gathering of audit event data at run time. Specify various filtering criteria to capture all relevant events and limit the amount of
data that is collected and stored.
Creating and modifying IMS definitions
An IMS definition establishes a connection from your Guardium system to the IMS environment that you want to audit. To create and modify IMS definitions from
the Guardium system interface, the agent address space (AUIASTC) must have a preestablished connection to the Guardium system.
This chapter provides IBM Guardium S-TAP for IMS reference information.
Troubleshooting
Use the following topics to diagnose and correct problems that you experience with IBM Guardium S-TAP for IMS.

Parent topic: IBM Security Guardium S-TAP for IMS on z/OS
What does IBM Security Guardium S-TAP for IMS on z/OS V10.1.3 do?

IBM Security Guardium S-TAP for IMS on z/OS (also referred to as IBM Guardium S-TAP for IMS) is an auditing tool that collects and correlates data access information
from IMS Online regions, IMS batch jobs, IMS archived log data sets, and SMF records to produce a comprehensive view of business activity that occurs within one or
more IMS environments.
IBM Guardium S-TAP for IMS assists auditors in determining who read or updated a particular IMS database and its associated data sets, what mechanism was used to
perform that action, and when the access took place.
IBM Guardium S-TAP for IMS can collect and correlate many different types of information, including:
Accesses to databases and segments from IMS Online regions.

Accesses to databases and segments from IMS DLI/DBB batch jobs.
Accesses to databases, image copies, IMS logs, and RECON data sets and security violations to these data sets as recorded by SMF.
IMS Online region START and STOP, database, and PSB change of state activity and user signon and signoff as recorded in the IMS Archived Log data sets.
Restriction: IBM Guardium S-TAP for IMS supports auditing of Data Entry Databases (DEDBs) and IMS Full Function databases. Auditing of Main Storage Databases
(MSDBs) is not supported.
What's new in IBM Security Guardium S-TAP for IMS on z/OS V10.1.3?
Here's what's new in version 10.1.3 of IBM Guardium S-TAP for IMS.
IBM Guardium S-TAP for IMS components
IBM Guardium S-TAP for IMS consists of an agent, a Common Storage Management Utility, and the IBM Guardium system.
What's new in IBM Security Guardium S-TAP for IMS on z/OS V10.1.3?
Here's what's new in version 10.1.3 of IBM Guardium S-TAP for IMS.
Enhancements to this version include:
Echoing of active policy XML as described in Echoed XML statement definitions.

Increased security of online and batch log streams as described in z/OS log streams.
Filtering of DLI called based on IMS LTERM names
Collection of the accessed HALDB PARTITION name during DLI call processing
Check agent status without accessing z/OS by using a Guardium interface command
Ability to enable simulation mode to simulate mainframe activity levels, test deployment, and gauge appliance requirements without sending data to the Guardium
appliance
New parameters to simplify audit record validation, debugging, and agent configuration
Simplified agent configuration:
Complete SMF configuration is no longer required if the SMF_CYCLE_INTERVAL(0) parameter is specified in the AUICONFG file and SMF processing is
disabled.
Complete IMSL configuration is no longer required if the IMSL_CYCLE_INTERVAL(0) parameter is specified in the AUICONFG file and IMSL processing is
disabled.
Messages AUII050I and AUIJ250I now include the IMSID to help identify which IMS system issued the message.
Reduced CPU consumption and greater reliability during processing of IMS DLI calls in IMS online environments.
RECON data sets that are read by the SMF (AUIFSTC and IMS SLDS (AUILSTC) can optionally be copies of the live IMS RECON data sets.
Option to disable DLI call auditing of IMS online DLI calls that originate from the following IMS region types: AER, BMP, CICSÂ®, DBCTL, IFP, MPP, and ODBA.
Support for Internet Protocol version 6 (IPV6) introduced with PH16991
Parent topic: What does IBM Security Guardium S-TAP for IMS on z/OS V10.1.3 do?
IBM Guardium S-TAP for IMS components

IBM Guardium S-TAP for IMS consists of an agent, a Common Storage Management Utility, and the IBM Guardium system.
IBM Guardium system

The IBM Guardium system can gather and report information from multiple agents running on multiple z/OS systems.
IBM Guardium S-TAP for IMS agent
The IBM Guardium S-TAP for IMS agent coordinates the collection of audited data, and the transmission of audited DLI call data to the IBM Guardium system.
Parent topic: What does IBM Security Guardium S-TAP for IMS on z/OS V10.1.3 do?
IBM Guardium system

The IBM Guardium system can gather and report information from multiple agents running on multiple z/OS systems.
Note: In environments where multiple agents connect to a common IBM Guardium system or appliance, the z/OS agent started task names (AUIASTC, AUILSTC, AUIFSTC)
must be unique. Unique started task names enable the IBM Guardium S-TAP for IMS policies that are pushed from the IBM Guardium system to be attributed to, and
monitored by, the correct z/OS agent.
IBM Guardium system components

The IBM Guardium system:
Provides the user interface, which processes requests and displays the resulting information.
Enables you to create collection policies, which specify the types of data to be collected by the agent.
IBM Guardium system and S-TAP agent communication

The IBM Guardium system and the IBM Guardium S-TAP for IMS agent communicate using a TCP/IP connection. The policies you create, using the user interface, tell the
agent what data to collect. The policy specifies filter information, such as which data sets are to be monitored for data accesses.
Parent topic: IBM Guardium S-TAP for IMS components
IBM Guardium S-TAP for IMS agent

The IBM Guardium S-TAP for IMS agent coordinates the collection of audited data, and the transmission of audited DLI call data to the IBM Guardium system.
The IBM Guardium S-TAP for IMS agent can collect data from one or more of the following sources within a SYSPLEX:
A single IMS system

Multiple IMS systems that share a common set of RECON data sets
Multiple IMS systems using diverse RECON data sets
The agent maintains the communication links that are needed to exchange information with:
The IBM Guardium system

IMS Online and Batch data collectors and activity monitors
The IMS Archive Log data set and SMF activity monitors
The agent also provides data collection schemas, called policies, to the activity monitors on which detail the IMS artifacts are to be audited, and to what level.
The agent runs as a started task on the z/OS host. An example of the JCL to be used is in member AUIASTC of the SAUISAMP installation data set.
The agent collects data from the following sources:
IMS online activities

IMS batch activities
SMF data
IMS archived log data
IMS RECON data sets
For more information about how data is collected from these sources, see Data collection monitors.
Parent topic: IBM Guardium S-TAP for IMS components
Installing IBM Security Guardium S-TAP for IMS on z/OS

The following sections describe hardware, software, and user ID authority prerequisites for product installation.
Review the IBM Guardium S-TAP for IMS V10.1.3 Program Directory for a list of product materials and SMP/E installation instructions.
Hardware and software prerequisites

The following hardware and software are required to operate IBM Guardium S-TAP for IMS V10.1.3.
User ID authorities that are required for installation
The following z/OS USERID authorities are needed to install IBM Guardium S-TAP for IMS.
Hardware and software prerequisites

The following hardware and software are required to operate IBM Guardium S-TAP for IMS V10.1.3.
z/OS Version 2 Release 2 or later, until end of service.

IMS V13 -- V15, until end of service.
Any hardware capable of running z/OS Version 2 Release 1 or later, until end of service.
IBM Guardium S-TAP for IMS requires use of the following:
64-bit memory
TCP/IP connectivity
z/OS System logger log streams
UNIX System Services
OMVS segment
Parent topic: Installing IBM Security Guardium S-TAP for IMS on z/OS
User ID authorities that are required for installation

The following z/OS USERID authorities are needed to install IBM Guardium S-TAP for IMS.
If you are installing this product, your z/OS user ID must have the authority to:
Define z/OS system log streams

Update the IMS cataloged procedure data set members DLIBATCH and DBBBATCH to include product load libraries
Parent topic: Installing IBM Security Guardium S-TAP for IMS on z/OS
IBM Security Guardium S-TAP for IMS on z/OS security

IBM Guardium S-TAP for IMS requires access to various IMS data sets and IBM Guardium system components.
APF authorization
IBM Guardium S-TAP for IMS requires certain data sets to be accessible and APF-authorized on all LPARS of the SYSPLEX where IMS batch jobs or monitored IMS
online regions might run.
OMVS segment
TCP/IP connectivity and other UNIX System services on z/OS require that the address space that is using these services use a z/OS user ID or group name that is
defined with an OMVS segment.
TCP/IP connections
IBM Guardium S-TAP for IMS uses Transmission Control Protocol/Internet Protocol (TCP/IP) to connect to the Guardium appliance. To enable this communication,
make sure you have the correct permissions assigned.
z/OS log streams
IBM Guardium S-TAP for IMS monitors the IMS batch jobs and online regions and writes audit data to z/OS log streams.
IMS RESLIB data sets
READ access to the IMS RESLIB/SDFSRESL data sets is required for each IMS system that requires the IMS SLDS to be processed by IBM Guardium S-TAP for IMS.
READ access is required to allow a LOAD/READ of module DFSVC000 to determine the version release level of the audited IMS.
SMF and IMS archive log data sets
READ access to the SMF data sets and the IMS archived logs data sets (SLDS) is required for the user under whose authority the agent runs. If these data sets are
protected by RACFÂ® or another security product, a policy must be defined to grant this access. The z/OS catalogs containing the names of these data sets, as well
as the physical data sets themselves, must be accessible from the LPAR on which the IBM Guardium S-TAP for IMS agent runs.
DBRC RECON data sets
IBM Guardium S-TAP for IMS uses the native VSAM services to read data from the RECON data sets. These RECON data sets must be accessible from all the LPARS
where the IBM Guardium S-TAP for IMS agents might run.
Operator commands
You can use z/OS Operator commands, to start IBM Guardium S-TAP for IMS tasks.
Quarantining Database DLI calls
IBM Guardium S-TAP for IMS enables you to quarantine the DB DLI calls of specific users for specific periods of time.
APF authorization
IBM Guardium S-TAP for IMS requires certain data sets to be accessible and APF-authorized on all LPARS of the SYSPLEX where IMS batch jobs or monitored IMS online
regions might run.
About this task

Refer to the z/OS Knowledge Center for more information about how to APF authorize libraries.
Procedure
1. APF-authorize product data set SAUILOAD on all LPARS of the SYSPLEX.
SAUILOAD contains the IMS Online and Batch Activity Monitor executable code.
2. APF-authorize product data set SAUIIMOD on all LPARS of the SYSPLEX where IMS batch jobs or IMS online regions to be monitored might run.
SAUIIMOD contains IMS specific executable load modules.
Parent topic: IBM Security Guardium S-TAP for IMS on z/OS security
OMVS segment
TCP/IP connectivity and other UNIX System services on z/OS require that the address space that is using these services use a z/OS user ID or group name that is defined
with an OMVS segment.
Defining your z/OS user ID or group name with an OMVS segment might require the use of the IBM RACF command ADDUSER/ALTUSER xxxxxx OMVS(UID(zzz)) or a
security product equivalent command. Review your z/OS Security Server documentation for more information.
TCP/IP connections
IBM Guardium S-TAP for IMS uses Transmission Control Protocol/Internet Protocol (TCP/IP) to connect to the Guardium appliance. To enable this communication, make
sure you have the correct permissions assigned.
If you are working from a secure communications port, enable the user ID that is associated with the agent started task to have READ/WRITE permissions on the ports
that are assigned to the agent.
See Using agent configuration keywords to customize auditing for more information about the ADS_LISTENER_PORT, APPLIANCE_PORT, and LOG_PRT_SCAN_START
configuration keywords.
z/OS log streams

IBM Guardium S-TAP for IMS monitors the IMS batch jobs and online regions and writes audit data to z/OS log streams.
The IBM Guardium S-TAP for IMS Online and DLI/DBB batch data collectors audit DLI events that occur in the IMS Online and DLI/DBB Batch regions. Audited DLI events
are written to z/OS System Logger log streams, which are then read by the IBM Guardium S-TAP for IMS agent. The IMS agent sends the audit data to the IBM Guardium
appliance by using TCP/IP connections.

To permit the IMS Online and DLI/DBB batch collectors to write to the log streams, systems authorization facility (SAF) security access of UPDATE to the z/OS log stream is
required for all user IDs associated with the audited IMS Control region and DLI/DBB batch jobs that might cause IMS DLI calls to be audited.
You can now use an additional SAF resource to further secure the online and batch log streams. For example, you can now prevent the log streams from being read by a
user program or utility that is initiated by a user who is authorized to update to the log stream. Apply z/OS V2R3 and V2R4 APAR OA56050 to optionally add an additional
authority check for a SAF profile that covers resource (WRITE_ONLY_log-stream-name) in class LOGSTRM. This new profile option enables you to limit users to only
connecting to (IXGCONN REQUEST=CONNECT), writing to (IXGWRITE), and disconnecting from (IXGCONN REQUEST=DISCONNECT) the log stream. Other IXG calls, such
as IXGBRWSE (read), are rejected with return code 8 and reason code '081C'x. For more information, refer to the documentation provided in the HOLD data for APAR
OA56050.
Note: User IDs that are associated with the IBM Guardium S-TAP for IMS agent must have authority to read and delete data from the log stream and should not be limited
by using resource (WRITE_ONLY_log-stream-name). Log stream UPDATE authority is recommended for the IBM Guardium S-TAP for IMS agents.
IMS RESLIB data sets

READ access to the IMS RESLIB/SDFSRESL data sets is required for each IMS system that requires the IMS SLDS to be processed by IBM Guardium S-TAP for IMS. READ
access is required to allow a LOAD/READ of module DFSVC000 to determine the version release level of the audited IMS.
SMF and IMS archive log data sets

READ access to the SMF data sets and the IMS archived logs data sets (SLDS) is required for the user under whose authority the agent runs. If these data sets are
protected by RACFÂ® or another security product, a policy must be defined to grant this access. The z/OS catalogs containing the names of these data sets, as well as the
physical data sets themselves, must be accessible from the LPAR on which the IBM Guardium S-TAP for IMS agent runs.
Consult your security administrator to determine what is currently protected and how to grant the required access.
DBRC RECON data sets

IBM Guardium S-TAP for IMS uses the native VSAM services to read data from the RECON data sets. These RECON data sets must be accessible from all the LPARS where
the IBM Guardium S-TAP for IMS agents might run.
VSAM access to the RECON data sets is READ-ONLY, allowing the IBM Guardium S-TAP for IMS jobs and started tasks with a security access of READ to process the
RECON data sets.
Consult your security administrator to determine how your RECON data sets are protected, and how to grant the required access.
Operator commands
You can use z/OS Operator commands, to start IBM Guardium S-TAP for IMS tasks.
The user ID that is assigned to the IBM Guardium S-TAP for IMS agent started task must be permitted to issue START commands to initiate the AUIFstc, AUILstc, and
AUIUstc tasks. During installation, administrators can configure the z/OS security product to restrict users and programs from issuing z/OS Operator commands.
Quarantining Database DLI calls

IBM Guardium S-TAP for IMS enables you to quarantine the DB DLI calls of specific users for specific periods of time.
Quarantining a user of a specific IMS subsystem means that for the specified time period, the quarantined user is not able to run DB DLI calls either by using the targeted
IMS subsystem, or while running DLI/DBB batch jobs.
If a quarantined user attempts access during a restricted time, the DLI call is not performed, and a status code of AI is returned in the DBPCB status code field.
To create quarantine rules, access the Policy Builder from the Tools and Views section of the Guardium appliance interface Setup menu.
Note:
DLI calls that are made to IMS Fast Path databases by using IMS Fast Path exclusive transactions or BMPs cannot be quarantined.
Quarantine does not take effect immediately. The audited DLI call that produces the event to trigger the quarantine is completed before the quarantine takes effect.
It is possible for DLI calls to be run by the quarantined user before the quarantine takes effect.
These actions are required to configure IBM Guardium S-TAP for IMS.
Review the following steps, which are described in greater detail in the following sections:
Verify that you have the resource authorizations that are required to configure the product.

Review the steps to plan your configuration and customize your environment.
Set up the z/OS log streams. Review the CFRM and log stream size requirements, and the related security considerations, limitations, and restrictions. Define the
log streams for batch and online jobs.
Determine a naming convention for the agent (AUIASTC, AUIFSTC, AUILSTC, and AUIUSTC) started tasks, where STC can be changed to any 1 - 4 character length
string.
Tip: Retain the AUI prefix to simplify task identification.
Configure the agent by customizing the configuration file, customizing the agent JCL, and starting the agent.
Set up the IMS environment for auditing by customizing the IMS cataloged procedure, configuring IMS exits, customizing IMS to use an IBM System zÂ® Integrated
Information Processor (zIIP), and review the related security considerations.
Note: No WLM (Workload Manager) considerations are necessary. All agent started tasks use the STC WLM class.
Upgrading from Guardium S-TAP for IMS V9.0

Complete the following steps to upgrade from InfoSphereÂ® Guardium S-TAP for IMS V9.0 to IBM Guardium S-TAP for IMS V10.1.3. These steps enable V9.0
product assets, such as JCLs and configuration and repository contents, to be upgraded to V10.1.3, while allowing the full use and functionality of the V10.1.3
product.
Upgrading from Guardium S-TAP for IMS V9.1 or V10.0
The agent JCL and configuration file that are used by IBM Guardium S-TAP for IMS V9.1 and V10.0 are compatible with IBM Guardium S-TAP for IMS V10.1.3. No
configuration changes are required to upgrade from IBM Guardium S-TAP for IMS V9.1 to IBM Guardium S-TAP for IMS V10.1.3.
Planning your configuration and customizing your environment
Collect user ID and environment information before you configure IBM Guardium S-TAP for IMS V10.1.3.

Complete the following steps to upgrade from InfoSphereÂ® Guardium S-TAP for IMS V9.0 to IBM Guardium S-TAP for IMS V10.1.3. These steps enable V9.0 product
assets, such as JCLs and configuration and repository contents, to be upgraded to V10.1.3, while allowing the full use and functionality of the V10.1.3 product.
Before you begin

New versions or releases of IBM Guardium S-TAP for IMS should be installed as a new installation base. However, if circumstances prevent you from doing so, follow these
instructions to upgrade from the previous version's installation base.
Procedure
1. Deactivate or uninstall all policies that apply to the agent that you are upgrading.
2. Shut down the agent that you are upgrading.
3. Customize the AUIMIG10 SAMPLIB member to convert the configuration file and repository to V10.1.3 format, and submit.
The comments that are contained in the AUIMIG10 SAMPLIB member describe how to customize the JCL. A V10.1.3 format configuration file, and an IMS definition
report will be produced.
4. Use the IMS definition report, which is produced by the AUIMIG10 utility, to add the IMS definitions to your IBM Guardium system.
5. Update the new configuration file, which is produced by the AUIMIG10 utility, with any changes.
6. Update the AGENT (AUIASTC) and Memory Management Utility (AUIUSTC) JCLs as follows:
a. Remove the //AUICFG DD JCL statement.
b. Add a //AUICONFG DD JCL statement, and set it to reference the new configuration member produced by the AUIMIG10 utility.
c. Change the //STEPLIB DD JCL statement to reference the V10.1.3 product load library (SAUILOAD).
d. Remove the //AUIREPOS DD JCL statement from the AUIUSTC JCL.
7. Update the SMF (AUIFSTC) and IMS Archive Log (AUILSTC) JCLs as follows:
a. Remove the //AUICFG DD JCL statement, and any procedure parameters that reference it.
b. Change the //STEPLIB DD JCL statement to reference the V10.1.3 product load library (SAUILOAD).
8. Update the IMS Control region JCLs that are audited by the agent to use the V10.1.3 product IMS load library (SAUIIMOD).
9. Update the IMS DBBBATCH and DLIBATCH cataloged procedures, and any equivalent JCL members, to use the V10.1.3 product IMS load library (SAUIIMOD).
10. Start the agent.
11. Install or activate the policies that you want to apply.
12. Stop and restart your IMS systems.
What to do next
Now, you can:
Install additional policies on the z/OS host by using the IBM Guardium system user interface.
Manage agent and IMS definitions by using the IBM Guardium system user interface.
Note: The format of the data that is written to the z/OS logstreams has changed from V9.0 to V10.1.3. IBM Guardium S-TAP for IMS V10.1.3 converts any existing V9.0
data from existing logstreams to a usable format. If you migrate from a V10.1.3 system back to a V9.0 system, you must reinitialize the z/OS log streams before restarting
InfoSphere Guardium S-TAP for IMS V9.0.
Parent topic: Configuration overview

The agent JCL and configuration file that are used by IBM Guardium S-TAP for IMS V9.1 and V10.0 are compatible with IBM Guardium S-TAP for IMS V10.1.3. No
configuration changes are required to upgrade from IBM Guardium S-TAP for IMS V9.1 to IBM Guardium S-TAP for IMS V10.1.3.
Before you begin

Do not attempt to run AUIMIG10 to upgrade from Guardium S-TAP for IMS V9.1 or V10.0 to IBM Guardium S-TAP for IMS V10.1.3.

About this task
The format of the data that is written to the z/OS logstreams has changed in V10.1.3. IBM Guardium S-TAP for IMS V10.1.3 converts any existing Guardium S-TAP for IMS
V9.1 and V10.0 data from existing logstreams to a usable format. If you migrate from a V10.1.3 system back to a V9.1 or V10.0 system, you must reinitialize the z/OS log
streams before restarting the previous product version.
Planning your configuration and customizing your environment

Collect user ID and environment information before you configure IBM Guardium S-TAP for IMS V10.1.3.
Tip: To upgrade to IBM Guardium S-TAP for IMS from a previous version, refer to the appropriate topic:

If you are upgrading from a previous version to V10.1.3, no further configuration steps are required. Upgrading to V10.1.3 requires the use of, and modifications to, the
same agent name and JCLs that were used with previous versions. For your reference, see the Sample library members table.
Before you configure a new installation of IBM Guardium S-TAP for IMS V10.1.3, determine the following:
The user IDs that will be used to run the agent started tasks
Where the agent started tasks will run
Then, customize the ISPF edit macro, review the job card requirement, and set up the z/OS log streams, as described in the following sections.
Customizing the ISPF edit macro

The SAUISAMP data set shipped with IBM Guardium S-TAP for IMS includes an ISPF edit macro to help with the editing of the rest of the SAMPLIB members to be
used in the subsequent steps.
Job cards for the sample JCL in the SAMPLIB
Some JCL members included with the product SAMPLIB have a filler card for the job card.
Setting up z/OS log streams
IBM Guardium S-TAP for IMS uses the z/OS System Logger to funnel events from IMS online regions and DLI/DBB batch jobs to the DLI event processor (AUIASTC
task). Both XCF based and DASD based log streams are supported.
Customizing the ISPF edit macro

The SAUISAMP data set shipped with IBM Guardium S-TAP for IMS includes an ISPF edit macro to help with the editing of the rest of the SAMPLIB members to be used in
the subsequent steps.
About this task

The edit macro is named AUIEMAC1 and provides a straightforward way to customize the variable values for the variables that appear in the JCL that will run. Use this edit
macro as part of a command list (CLIST) to edit the other SAMPLIB members.
Procedure
1. To set up the edit macro, copy AUIEMAC1 from the #HLQ.SAUISAMP to a CLIST library.
2. Edit the macro by providing the appropriate values for each of the variables.
3. To run the macro, type the name of the edit macro in the command line in ISPF.
Results
After you modify the edit macro, you can use it as a command to customize other SAMPLIB members in the following steps, unless otherwise specified.
Example
The contents of the edit macro AUIEMAC1 included in the SAMPLIB are as follows:
ISREDIT MACRO (NP)

ISPEXEC VGET (ZUSER)
ISREDIT CHANGE ALL '#AUILOAD' AUI.IBMTAPE.SAUILOAD
ISREDIT CHANGE ALL '#AUIIMOD' AUI.IBMTAPE.SAUIIMOD
ISREDIT CHANGE ALL '#AUISAMP' AUI.IBMTAPE.SAUISAMP
ISREDIT CHANGE ALL '#AUICONFG' AUICONFG
This table describes each variable in the edit macro AUIEMAC1 included in the SAMPLIB:
Table 1. AUIEMAC1 Edit macro variables

Variable Default Instructions
#AUILOA AUI.IBMTAPE. Change the default value to point to the location of the SAUILOAD for IBM Guardium S-TAP for IMS.
D SAUILOAD
#AUIIMO AUI.IBMTAPE. Change the default value to point to the location of the SAUIIMOD for IBM Guardium S-TAP for IMS.
D SAUIIMOD
#AUISAM AUI.IBMTAPE. Change the default value to point to the location of the SAUISAMP data set, or copy of that data set where you will be performing the
P SAUISAMP configuration and customization edits.
#AUICON AUICONFG Change the default value to point to the member name in the configuration file that you want to use.
FG

Parent topic: Planning your configuration and customizing your environment
Job cards for the sample JCL in the SAMPLIB

Some JCL members included with the product SAMPLIB have a filler card for the job card.
A valid job card conforming to your site's JCL standards must be provided before submitting any of the JCL.
Setting up z/OS log streams

IBM Guardium S-TAP for IMS uses the z/OS System Logger to funnel events from IMS online regions and DLI/DBB batch jobs to the DLI event processor (AUIASTC task).
Both XCF based and DASD based log streams are supported.
Each agent requires two unique log streams:
one log stream for DLI events generated by IMS Control regions
one log stream for DLI events generated by DLI/DBB batch jobs
Log streams cannot be shared between agents. Each log stream name must be unique.
It is recommended that XCF based log streams be used whenever possible, because this type of log stream is accessible from any LPAR within a sysplex, and has
performance benefits. For more information about log streams, refer to the IBM publication: System Programmer's Guide to: z/OS System Logger.
Log stream security

Verify the following conditions have been met to insure log stream security.
XCF-based log streams
The advantages of using XCF-based log streams, as opposed to DASD-based log streams, include accessibility from any LPAR within the sysplex, and improved
performance.
DASD-based log streams
This section provides rules and information about DASD-based log streams. Using DASD-based log streams limits auditing by the agent to the LPAR within which
the agent is started. IMS Control regions and IMS DLI/DBB batch jobs that run on other LPARS will not be audited.
Log stream security

Verify the following conditions have been met to insure log stream security.
Important:
The USERID your IMS online control region runs under must have WRITE access to the log stream.
If DLI/DBB batch jobs runs under a common USERID, that USERID must have WRITE permission to the log stream.
The USERID under which the DLI Event Collector (AUIASTC task) executes must have READ/WRITE access to the log streams.
If individual users are permitted to run DLI/DBB batch jobs under their own USERID, a universal access of WRITE is recommended for the log stream.
Parent topic: Setting up z/OS log streams
XCF-based log streams

The advantages of using XCF-based log streams, as opposed to DASD-based log streams, include accessibility from any LPAR within the sysplex, and improved
performance.
AUILSTR1
Two JCL members in the SAUISAMP product data set are included to assist in the definition of XCF-based log streams.
This JCL is used to define the XCF structures to a CFRM policy needed by the log streams used by the DLI/DBB batch and IMS online control regions. Detailed instructions
are in the comments of the JCL.
Note: The addition of structures to a CFRM policy are cumulative, and the execution of this JCL without consideration to previously defined structures within the CFRM
policy result in the loss of existing CFRM structure definitions. It is highly recommended that a systems programmer customize and submit this JCL.
There are two DEFINE STRUCTURE sections for this JCL: one for the batch structure, and one for the online structure. The following values must be customized for the
batch structure:
The name of the batch structure

(NAME(batch_struc_name))
The coupling facility used to contain the structure
(PREFLIST(cfname))
The following values must be customized for the online structure:
The name of the online structure

(NAME(online_struc_name))
The coupling facility used to contain the structure
(PREFLIST(cfname))
Do not change any other values, such as SIZE, INITSIZE, and ALLOWAUTOALT without carefully considering the impact that your changes will have on performance and
data integrity.

Note:
AUILSTR1 must run successfully before proceeding.

When auditing in a large test or production environment, the INITSIZE and SIZE parameters can be increased to a higher value (example: 49200) for improved
throughput.
AUILSTR2
This JCL is used to add the XCF based log streams to a LOGR policy used by the IMS Control region and DLI/DBB batch jobs. Detailed instructions are in the comments of
the JCL.
Note: The addition of structures to a CFRM policy are cumulative, and the execution of this JCL without consideration to previously defined structures within the CFRM
policy result in the loss of existing CFRM structure definitions. It is highly recommended that a systems programmer customize and submit this JCL.
There are two DEFINE STRUCTURE sections for this JCL: one for the batch structure and log stream, and one for the online structure.
Values that must be customized for IMS Batch processing include:

DEFINE STRUCTURE values:
The name of the batch structure (from AUILSTR1)

(NAME(batch_struc_name))
The name of this log stream is used as input to the Batch DLI Log Stream Name field when defining log streams to the agent. Use the LOG_STREAM_DLIB keyword of the
configuration member that is specified by the AUICONFG DD statement of the agent (AUIASTC) JCL. The LOGSNUM, MAXBUFSIZE and AVGBUFSIZE should not be
changed from the default values.
The name of the batch structure (from AUILSTR1)

(STRUCTNAME(batch_struc_name))
The selection of the Staging data set classes
(STG_DATACLAS, STG_MGMTCLAS, and STG_STORCLAS)
These parameters indicate the SMS classes to be used when the System logger allocates a staging data set for the log stream. The IBM publication, System Programmer's
Guide to: z/OS System Logger contains recommendations and considerations for the choice of these parameters.
The selection of offload data set classes

(LS_DATACLAS, LS_MGMTCLAS, and LS_STORCLAS)
These parameters indicate the SMS classes to be used when the System logger allocates an offload data set for the log stream. The IBM publication, System Programmer's
Guide to: z/OS System Logger contains recommendations and considerations for the choice of these parameters.
The size of the Batch Log stream DASD data sets

(STG_SIZE)
Note: This can be removed if the STG_DATACLAS value is specified.
The allocation/size of the offload data sets

(LS_SIZE(13500))
The default value is 13500 (the number of 4K blocks). The IBM publication, System Programmer's Guide to: z/OS System Logger contains recommendations and
considerations for the choice of this size. When auditing in a large test or production environment, a value of 40500 might improve throughput.
The High level qualifier of the offload and staging data sets
(HLQ or EHLQ)
The HLQ and EHLQ are mutually exclusive and only one can be used. Other parameters found in the batch structure and online log stream definition might have a do not
change comment. These parameters contain the recommended values and should not be altered without careful consideration of the impact of changes to log stream
performance and data integrity. The IBM publication, System Programmer's Guide to: z/OS System Logger contains recommendations and considerations of each potential
parameter.
You must customize the following values for online structure and log stream processing:
DEFINE STRUCTURE values:
The name of the online structure (from AUILSTR1)

(NAME(online_struc_name))
The LOGSNUM, MAXBUFSIZE and AVGBUFSIZE should not be changed from the default values.
DEFINE LOGSTREAM values:
The name of the log-stream

(NAME(online_logstream_name))
The name of this log stream is used as input to the Online DLI Log Stream Name field when defining log streams to the agent. Use the LOG_STREAM_DLIO keyword of the
configuration member specified by AUICONFG DD statement of the agent (AUIASTC) JCL.
The name of the online structure (from AUILSTR1)

(STRUCTNAME(online_struc_name))
These parameters indicate the SMS classes to be used when the System logger allocates a staging data set for the log stream. The IBM publication, System Programmer's
Guide to: z/OS System Logger contains recommendations and considerations of each potential parameter.
The size of the ONLINE Log stream DASD data sets

(STG_SIZE)

These parameters indicate the SMS classes to be used when the System logger allocates an offload data set for the log stream. The IBM publication, System Programmer's
Guide to: z/OS System Logger contains recommendations and considerations of each potential parameter.

(LS_SIZE(13500))
The default value is 13500 (the number of 4K blocks). The IBM publication, System Programmer's Guide to: z/OS System Logger contains recommendations and
considerations for the choice of this size. When auditing in a large test or production environment, a value of 40500 might improve throughput.
(HLQ or EHLQ)
performance and data integrity. The IBM publication, System Programmer's Guide to: z/OS System Logger contains recommendations and considerations of each potential
parameter.
DASD-based log streams

This section provides rules and information about DASD-based log streams. Using DASD-based log streams limits auditing by the agent to the LPAR within which the agent
is started. IMS Control regions and IMS DLI/DBB batch jobs that run on other LPARS will not be audited.
DASD-based logs streams can only be accessed from one LPAR at a time. Any IMS Online Control regions and DLI/DBB batch jobs to be audited must run on the same
LPAR as the agent runs on.
One JCL member in the SAUISAMP product data is included to assist in the definition of DASD-based log streams.
AUILSTR3
This JCL is used to add the DASD based log streams to a LOGR policy used by the IMS Control region and DLI/DBB batch jobs. Detailed instructions can be found within
the comments of the JCL.
Note: It is highly recommended that a systems programmer customize and submit this JCL.
There are two DEFINE STRUCTURES sections to this JCL: one for the batch structure, and one for the online structure. Values which must be customized for IMS batch log
stream processing are as follows:

(NAME(batch_logstream_name))
The name of this log stream is used as input to the Batch DLI Log Stream Name field when defining log streams to the agent. Use the LOG_STREAM_DLIO keyword of the
configuration member specified by AUICONFG DD statement of the agent (AUIASTC) JCL.

(STG_DATACLAS, STG_MGMTCLAS and STG_STORCLAS)
These parameters indicate the SMS classes to be used when the System logger allocates a staging data set for the log stream. Other parameters found in the batch
structure and online log stream definition might have a do not change comment. These parameters contain the recommended values and should not be altered without
careful consideration of the impact of changes to log stream performance and data integrity. For more information, the IBM publication, System Programmer's Guide to:
z/OS System Logger contains recommendations and considerations for the choice of these parameters, and can be found on the IBM Information Center.

(LS_DATACLAS, LS_MGMTCLAS and LS_STORCLAS)
These parameters indicate the SMS classes to be used when the System logger allocates an offload data set for the log stream. For more information, the IBM publication,
System Programmer's Guide to: z/OS System Logger contains recommendations and considerations for the choice of these parameters, and can be found on the IBM
Information Center.
The size of the Batch Log stream DASD data sets

(STG_SIZE)

(LS_SIZE(13500))
A value of 13500 (the number of 4K blocks) is the default/supplied value. For more information, the publication, System Programmer's Guide to: z/OS System Logger
contains recommendations and considerations for the choice of this size, and can be found on the IBM Information Center.
(HLQ or EHLQ)
The HLQ and EHLQ are mutually exclusive and only one can be used. For more information, the IBM publication, System Programmer's Guide to: z/OS System Logger
contains recommendations and considerations of each potential parameter, and can be found on the IBM Information Center.
Values which must be customized for IMS ONLINE processing include the following:

(NAME(online_logstream_name))
The name of this log stream is used as input to the Online DLI Log Stream Name field when defining log streams to the agent using the Guardium user interface.

These parameters indicate the SMS classes to be used when the System logger allocates a staging data set for the log stream. For more information, the IBM publication,
Information Center.
The size of the ONLINE Log stream DASD data sets

(STG_SIZE)

These parameters indicate the SMS classes to be used when the System logger allocates an offload data set for the log stream. For more information, the publication,
Information Center.

(LS_SIZE(13500))
A value of 13500 (the number of 4K blocks) is the default/supplied value. For more information, the publication, System Programmer's Guide to: z/OS System Logger
contains recommendations and considerations for the choice of this size, and can be found on the IBM Information Center.
(HLQ or EHLQ)
performance and data integrity. For more information, the publication, System Programmer's Guide to: z/OS System Logger contains recommendations and considerations
of each potential parameter, and can be found on the IBM Knowledge Center
Configuring the IBM Security Guardium S-TAP for IMS on z/OS agent
This section describes the information necessary for configuring the agent.
The agent has a primary agent address space that runs as a started task (AUIASTC) and multiple secondary address spaces (AUIFSTC, the SMF collector, AUILSTC, the IMS
log collector, AUIUSTC, the common storage utility) that are automatically started and stopped by the primary address space.
The agent primary address space reads the configuration file specified by the AUICONFG DD statement in the AUIASTC JCL, and passes the appropriate configuration
information to the associated AUIFSTC and AUILSTC tasks. The AUIUSTC JCL requires the same configuration file to be specified as was specified for the AUIASTC task.
Use the AUICONFG DD statement to specify the configuration file.
The SAUISAMP member AUICONFG provides a sample configuration that can be used by the agent primary address space started task.
Refer to the following instructions about the AUICONFG data set or the instructions in the data sets to complete the next steps.
Note:
The data set must be edited using the EBCDIC encoding (1047 CCSID).
It is recommended that you make a copy of the AUICONFG from SAUISAMP and customize it for use by a given agent.
Customizing the agent by using agent parameter keywords

Use agent parameter keywords to customize the agent. The agent configuration file provides the parameters that can be customized. The parameters that do not
have a default value must be specified before you start the agent started task.
Agent configuration
The IP addresses of the IBM Guardium system appliances are specified using the SAUISAMP data set AUICONFG member using the APPLIANCE_SERVER and
APPLIANCE_SERVER_FAILOVER_[1-5] keywords.
Customizing the agent JCL
The SAUISAMP member AUIASTC provides a sample JCL that can be used for the agent started task. This topic describes how to customize the JCL.
Starting and stopping the agent
Start the agent by issuing the command /S AUIASTC from the SDSF command line. The primary agent address space starts the AUIFSTC address spaces. One or
more instances of AUILSTC might also be started, depending on the list of active collections.
Agent security considerations
The user ID of the agent started tasks (the primary and the secondary started tasks) should have the necessary RACFÂ® profiles for reading the configuration
member contents.
Modifying the frequency of AUIJ012I messages
You can modify how frequently the agent provides a count of DLI calls (from the default of every 10K DLI calls to a value of your choice, 10K â€“ 999K, 1M â€“
10M.)

Use agent parameter keywords to customize the agent. The agent configuration file provides the parameters that can be customized. The parameters that do not have a
default value must be specified before you start the agent started task.
How to use the agent parameters

Use the AUICONFG DD statement to reference these parameters with the agent JCL (AUIASTC) and Memory Management secondary address space JCL (AUIUSTC).

The AUICONFG DD can be used in other agent secondary address space JCLs (AUIFSTC and AUILSTC).
Define the data set (DSORG=PS) or data set member (DSORG=PDS|PDS/E) that contains these parameters as RECFM=FB LREL=80.
Specify only one keyword and parameter per line.
An asterisk (*) or hyphen (-) in column one indicates that the line is a comment.
Characters in column 72 and beyond are ignored.
Required parameters
The following parameters must be manually configured:
APPLIANCE_SERVER
LOG_STREAM_DLIB
LOG_STREAM_DLIO
SMF_DSN_MASK
SMF_SPILL_FILE
All available agent parameters

ADS_SHM_ID
Required: No
Default: None
Description: This keyword is optional when only one agent exists in a sysplex environment. If more than one agent exists, the configuration file for each agent
should have this keyword specified with a unique integer with a value of 100000 - 999999 specified as its parameter. This keyword identifies a shared memory
segment that is specific to each agent.
Note:
This keyword must be used in combination with ADS_LISTENER_PORT.

If you specify this keyword, you must add an //AUICONFG DD statement to the AUIFSTC and AUILSTC address space JCLs. This DD statement should point to
the same data set and member as the agent AUIASTC and AUIUSTC JCLs to enable communication between all participating address spaces.
Syntax: ADS_SHM_ID(Shared_Memory_label)
Example: ADS_SHM_ID(100010)
ADS_LISTENER_PORT
Required: No
Default: 39987
Description: This keyword is optional when only one agent exists in a sysplex environment. If more than one agent exists, the configuration file for each agent
should have this keyword specified with a unique port number specified. This keyword identifies an agent-specific communications port between the agent
(AUIASTC) and the agent secondary address spaces (AUIFSTC, AUILSTC). Valid port numbers are 1 - 65535. Check with your network administrator for a list of
ports available for this use.
Note:
This keyword must be used in combination with ADS_SHM_ID.

If you specify this keyword, you must add an //AUICONFG DD statement to the AUIFSTC and AUILSTC address space JCLs. This DD statement should point to
the same data set and member as the agent AUIASTC and AUIUSTC JCLs to enable communication between all participating address spaces.
Syntax: ADS_LISTENER_PORT(port_number)
Example: ADS_LISTENER_PORT(16055)
APPLIANCE_SERVER
Required: Yes
Default: None
Description: The host name or IP address (in dotted decimal notation, for example: 1.2.3.4) of the IBM Guardium system to which the agent (AUIASTC) should
connect.
Note: This parameter must be correctly configured to enable a connection to the IBM Guardium system. This value can contain up to 128 characters.
Syntax: APPLIANCE_SERVER(hostname|IP_address)
Example:
APPLIANCE_SERVER(wal-vm-guardium20)
APPLIANCE_SERVER(192.168.2.205)
APPLIANCE_SERVER_[1-5]
Required: No
Default: None
Description: Enables alternative host names or TCP/IP addresses to be used for multistream Guardium appliance destinations or failover recovery processing. Up
to five alternative host names or TCP/IP addresses are supported.
To specify one or more entries, include this parameter with a numeric suffix from 1 - 5. Provide a unique host name or TCP/IP address for each entry.
Valid values are any valid host name or TCP/IP address.
Note:
The use of this keyword does not eliminate the need for the APPLIANCE_SERVER keyword.
The APPLIANCE_SERVER_LIST parameter designates how this parameter is used.
If used in combination, this parameter overrides the APPLIANCE _SERVER_[MULTI_STREAM|FAILOVER|HOT_FAILOVER]_[1-5] parameter.
Syntax:
APPLIANCE_SERVER_n(hostname|IP_addr)
where n can be 1, 2, 3, 4, or 5.
Example:
APPLIANCE_SERVER_1(nwt-vm-guardium3)
APPLIANCE_SERVER_1(192.168.2.205)

APPLIANCE_SERVER_[MULTI_STREAM|FAILOVER|HOT_FAILOVER]_[1-5]
Required: No
Default: None
Description: The host name or IP address (in dotted decimal notation, for example: 1.2.3.4) of the IBM Guardium system for the IBM Guardium S-TAP for IMS
agent to use to stream to multiple Guardium appliance destinations or for failover processing. This value can contain up to 128 characters.
Note:
The use of this keyword does not eliminate the need for the APPLIANCE_SERVER keyword.
If this parameter, or the APPLIANCE_SERVER_[1-5] parameter, is not detected at startup, then neither failover nor hot failover processing is activated.
The APPLIANCE_SERVER_LIST parameter designates how this parameter is used.
If used in combination, this parameter is overridden by the APPLIANCE_SERVER_[1-5] parameter.
Syntax:
APPLIANCE_SERVER_[MULTI_STREAM|FAILOVER|HOT_FAILOVER]_n(hostname|IP_address)
where n can be 1, 2, 3, 4, or 5.
Example:
APPLIANCE_SERVER_MULTI_STREAM_1(wal-vm-guardium20)
APPLIANCE_SERVER_FAILOVER_1(nwt-vm-guardium8)
APPLIANCE_SERVER_HOT_FAILOVER_1(wal-vm-guardium16)
APPLIANCE_SERVER_MULTI_STREAM_1(192.168.2.201)
APPLIANCE_SERVER_FAILOVER_1(192.168.2.202)
APPLIANCE_SERVER_HOT_FAILOVER_1(192.168.2.203)
APPLIANCE_SERVER_LIST(MULTI_STREAM|FAILOVER|HOT_FAILOVER)
Required: No
Default: FAILOVER
Description: Set APPLIANCE_SERVER_LIST to MULTI_STREAM for a Guardium appliance connection to be established for each server that is identified by the
APPLIANCE_SERVER_MULTI_STREAM_n parameter.
Set APPLIANCE_SERVER_LIST to FAILOVER for one Guardium appliance connection to be active at a time.
available server is identified by the APPLIANCE_SERVER_FAILOVER_n parameter. The agent attempts to connect to subsequent Guardium systems,
beginning with APPLIANCE_SERVER_FAILOVER_1 and ending with APPLIANCE_SERVER_FAILOVER_5.
Set APPLIANCE_SERVER_LIST to HOT_FAILOVER to cause connection types for each connected Guardium appliance identified by the
APPLIANCE_SERVER_HOT_FAILOVER_n parameter to be kept active by pings.
You must specify the primary Guardium appliance by using the APPLIANCE_SERVER parameter.
If the primary Guardium appliance becomes unavailable and failover occurs, HOT_FAILOVER maintains the activity of the primary appliance policy.
With any setting of APPLIANCE_SERVER_LIST, if all connections fail, and a spill file is specified (parameter OUTAGE_SPILLAREA_SIZE), events are buffered to the
spill file until a connection becomes available. If no spill file is specified, and all connections are lost, data loss occurs.
The default is FAILOVER.
APPLIANCE_PORT
Required: No
Default: 16022
Valid ports: 16022 or 16023
Description: The IP port number of the IBM Guardium system to which the IBM Guardium S-TAP for IMS agent should connect. This parameter must be correctly
configured to enable a connection to the IBM Guardium system. If port 16023 is used, encryption support is required for the connection to the appliance.
Note: Specifying this keyword and parameter designates the port on which the IBM Guardium system is listening to the S-TAP. The port is dedicated to the IP
address of the appliance. Port 16022 or 16023 can also be in use on z/OS by another application.
Syntax: APPLIANCE_PORT(port_number)
Example: APPLIANCE_PORT(16022)
APPLIANCE_PING_RATE
Required: No
Default: 5
Description: Specifies the interval time between accesses to the IBM Guardium system to prevent timeout disconnections during idle periods. The value is in
number of seconds.
Syntax: APPLIANCE_PING_RATE(ping_interval)
Example: APPLIANCE_PING_RATE(5)
Required: No
Default: 500
Description: Specifies a value in milliseconds of time to wait for the completion of a network communication request to send or receive. A value of 0 results in no
timeout period. Range: 0 or 500 - 12000.
Syntax: APPLIANCE_NETWORK_REQUEST_TIMEOUT(milliseconds)
Example: APPLIANCE_NETWORK_REQUEST_TIMEOUT(500)
AUIU_EXCLUDE_LPAR
Required: No
Default: None
Description: Specifies a list of LPAR names (one to eight characters) in a SYSPLEX environment where the Common Storage Management Utility (AUIUSTC) should
not be scheduled. Multiple AUIU_EXCLUDE_LPAR statements can be specified to allow for LPAR name strings that are longer than 53 bytes.
Note: Use this keyword with caution. DLI calls run on the excluded LPARS are not audited.

With the exception of the LPAR where the agent resides, all LPARS can be excluded by using the option *ALL in place of an LPAR name.
Syntax: AUIU_EXCLUDE_LPAR(list_of_lpars)
Example: AUIU_EXCLUDE_LPAR(RS21,MYLPAR,YOURLPAR) or AUIU_EXCLUDE_LPAR(*ALL)
AUIU_PROC_NAME
Required: No
Default: AUIUSTC
Description: Specifies the PROCLIB member name that contains the Common Storage Management Utility JCL. This JCL is supplied as member name AUIUSTC in
the sample library (AUISAMP). If multiple agents are used within a sysplex, each agent requires a separate JCL for each AUIUSTC address space.
Syntax: AUIU_PROC_NAME(auiu_mbr_name)
Example: AUIU_PROC_NAME(AUIUV1013)
DISPLAY_IMSMSG_DLIB(Y|N)
Required: No
Default: N
Description: Controls the output of informational messages AUIJ255I, AUIJ256I, AUIJ257I, and AUIJ258I in the AUILOG output DD of the AUIASTC agent address
space. These messages are generated from data that is produced by the IMS DLI/DB batch jobs, and is passed to the agent from the DLIB z/OS log stream.
The default setting, N, prevents these messages from being written to the AUILOG DD.
Specify Y for these messages to be written to the AUILOG DD.
Syntax: DISPLAY_IMSMSG_DLIB(Y|N)
Example: DISPLAY_IMSMSG_DLIB(Y)
DISPLAY_IMSMSG_DLIO(Y|N)
Required: No
Default: N
Description: Controls the output of informational messages AUIJ255I, AUIJ256I, AUIJ257I, and AUIJ258I in the AUILOG output DD of the AUIASTC agent address
space. These messages are generated from data that is produced by the IMS Control Region and passed to the agent from the DLIO z/OS log stream.
The default setting, N, prevents these messages from being written to the AUILOG DD.
Specify Y for these messages to be written to the AUILOG DD.
Syntax: DISPLAY_IMSMSG_DLIO(Y|N)
Example: DISPLAY_IMSMSG_DLIO(Y)
DLIFREQ
Required: No
Default: 100K
Description: Enables you to customize the number of DLI calls that are sent to the Guardium appliance before message AUIJ012I (providing a count of the number
of events sent to appliance) is issued.
The count can be represented in thousands (K) or millions (M). Valid values are 10K â€“ 999K and 1 â€“ 10M.
Syntax: DLIFREQ(100K)
Example: DLIFREQ(100K)
FORCE_LOG_LIMITED
Required: No
Default: N
Description: Enables you to force limited audit logging by removing sensitive information (such as IMS segment data and concatenated key values) from data that
is sent to the Guardium appliance by the S-TAP.
Specify Y to restrict sensitive data from being sent to the Guardium appliance.
Syntax: FORCE_LOG_LIMITED(Y|N)
Example: FORCE_LOG_LIMITED(N)
IMSL_AUDIT_LEVELS
Required: No
Default: ALL
Description: Specifies the events to be audited from those that are found using the IMS Archive Log task (AUILSTC) for each IMS instance under control of this
agent. A specification other than ALL limits auditing to the events you specify.
For example, if you specify USERS, then all audited IMS instances under the agent report user signons and signoffs. If you specify ALL, you can use the Guardium
interface to specify further limitations on what is audited for each audited IMS subsystem.
Table 1. IMSL_AUDIT_LEVELS audit parameters

and events.
Parameter Audited event
ALL All events are audited (default)
CTL_STRT IMS control region stops and starts
USERS User signon and signoff
DBOPN Database opens and closes
DB_PSB DBDDUMP, DB/PSB START/STOP/LOCK/UNLOCK
Syntax: IMSL_AUDIT_LEVELS(ALL|CTL_STRT|USERS|DBOPN|DB_PSB)
Example: IMSL_AUDIT_LEVELS(ALL)
IMSL_CYCLE_INTERVAL
Required: No
Default: 15
Description: Specifies the frequency (in minutes) that the IMS Archive Log task (AUILSTC) checks the RECON data sets for new IMS SLDS (System Log Data Sets) to
process. This value should correspond to the frequency at which IMS generates SLDS data sets during a normal workload. For example, if IMS SLDS are produced
every 20 minutes, the IMSL_CYCLE_INTERVAL should be set to 20. A value of 0 (zero) can be specified to instruct the agent not start the AUILSTC task for any IMS
subsystem that the agent controls. Valid parameters are 0 â€“ 1440.
Syntax: IMSL_CYCLE_INTERVAL(time_in_minutes)

Example: IMSL_CYCLE_INTERVAL(45)
IMSL_ID_PREFIX
Required: No
Default: None
Description: Allows the partial customization of the 8-byte ID that is used when starting the AUILSTC task.
When this keyword is not used, the string AAAAAAAA is used for the first AUILSTC task to be started. Subsequent started AUILSTC tasks cause the ALPHA string to
be incrementally increased by one character until the value of ZZZZZZZZ is reached. When ZZZZZZZZ is reached, the string is reset to AAAAAAAA when the agent
(AUIASTC) is stopped and restarted.
When this keyword is used, the specified prefix (up to 6 bytes) is used, while the remaining two to seven characters are incrementally increased in the manner
previously described. This enables a constant value (the specified prefix) to be used, alongside a wildcard character, when you are defining the ID to the TCP/IP
security package to permit access to TCP/IP ports.
Note: The first character of the keyword must be an alphabetic character.
Syntax: IMSL_ID_PREFIX(your_prefix)
Example: IMSL_ID_PREFIX(MYPFX)
The example IMSL_ID_PREFIX(MYPFX) results in a generated AUILSTC ID of MYPFXAAA -- MYPFXZZZ.
IMSL_PROC_NAME
Required: No
Default: AUILSTC
Description: Specifies the PROCLIB member name that contains the IMS Archive Log JCL. This JCL is supplied as member name AUILSTC in the sample library
(AUISAMP). If multiple agents are used within a sysplex, each agent requires a separate JCL for each AUILSTC address space.
Syntax: IMSL_PROC_NAME(auil_mbr_name)
Example: IMSL_PROC_NAME(AUILV1013)
IMSL_SLDS_SRCH
Required: No
Default: 30
Description: This keyword can be used to limit the number of days within which the IMS log reader (AUILxxxx) will search for IMS system log data sets (SLDS) to
process.
If an IMS checkpoint does not exist for the SLDS reader, AUILxxxx will search for IMS SLDS that were created on the current day and for x days prior to the
current day (where x is the value that you set for this parameter).
If an IMS checkpoint that is set for the SLDS reader exceeds the number of days between the current day and the value that you set for this parameter, then
the IMS checkpoint will be used as the starting point for IMS SLDS to be read and processed.
If you set a value of 0 (zero) for this parameter, then only the current day's IMS SLDS will be processed. Also, IMS SLDS that were migrated from a
hierarchical storage manager product will not be recalled for processing.
Note: If you set a value of 0 (zero) for this parameter, AUILxxxx processing will omit any IMS SLDS that were created on the previous day. This can cause data
to be missed if, for example, the AUILxxxx task is run at 12:05 AM. IMS SLDS that were created prior to midnight will not be recognized as being within the
current day, and thus will not be processed.
Syntax: IMSL_SLDS_SRCH(number_of_days)
Example: IMSL_SLDS_SRCH(15)
LOG_FILTER(I/E)
Required: No
Default: I (include)
Description: Specifies whether to include or exclude messages that have been specified by the LOG_FILTER_MSG_ID parameter.
The default value, I, allows only the specified message IDs to be included in the AUILOG output stream. Message IDs that are not specified by the
LOG_FILTER_MSG_ID(messages) parameter will be suppressed. The default value should be used unless there is a specific business need to suppress
messages.
The optional value, E, suppresses the specified message IDs from the AUILOG output stream.
Tip: The E value should only be used if the LOG_FILTER_MSG_ID keyword has been customized to suppress specific messages. Do not use the optional value
(E) in conjunction with LOG_FILTER_MSG_ID(*) unless you want to prevent all messages from being written to the AUILOG output stream. Suppressing all
messages is not recommended.
Syntax: LOG_FILTER(include/exclude)
Example: LOG_FILTER(E)
LOG_FILTER_MSG_ID(messages)
Required: No
Default: * (all messages)
Description: Can be used in conjunction with the LOG_FILTER(I/E) parameter to suppress specific messages from being written to the AUILOG output stream.
Tip: The LOG_FILTER_MSG_ID(*) default value should only be used with the LOG_FILTER(I) default value. Do not specify LOG_FILTER(E) in conjunction with
LOG_FILTER_MSG_ID(*) unless you want to prevent all messages from being written to the AUILOG output stream. Suppressing all messages is not recommended.
Syntax: LOG_FILTER_MSG_ID(id1,id2,id3...)
Example: LOG_FILTER_MSG_ID(AUIZ014W)
LOG_PORT_SCAN_START
Required: No
Default: 41500
Description: Specifies the first communications port number to be checked for availability to be used for internal message logging communications. Use this
keyword if environmental conditions dictate that a sequential scan and test of ports from port numbers 41500 - 65535 should not be performed. You can override
the starting port with a port of your choice. This keyword and parameter can be used with the LOG_PORT_SCAN_COUNT keyword to limit the ports that are scanned
to a specific range.
Syntax: LOG_PORT_SCAN_START(port_number)
Example: LOG_PORT_SCAN_START(41500)
LOG_PORT_SCAN_COUNT
Required: No
Default: 10
Description: This keyword can be used in conjunction with the LOG_PORT_SCAN_START keyword to limit number of the ports that are scanned and tested for
availability. The integer specified (1 - 65535) represents the number of ports that should be scanned. If the port number specified by the LOG_PORT_SCAN_START
value plus the LOG_PORT_SCAN_COUNT value exceeds 65535, the scan terminates at port 65535.
Syntax: LOG_PORT_SCAN_COUNT(number_of_ports)
Example: LOG_PORT_SCAN_COUNT(1000)
LOG_STREAM_DLIB

Required: Yes
Default: None
Description: This required keyword is used to specify the z/OS System Logger log stream to stream audited events from DLI DBB batch jobs. The value should be
the BATCH_LOGSTREAM_NAME value specified as the DEFINE LOGSTREAM NAME parameter of the AUILSTR2 or AUILSTR3 JCLs.
Syntax: LOG_STREAM_DLIB(log_stream_name)
Example: LOG_STREAM_DLIB(AUI_BATCH_LOG_STREAM)
LOG_STREAM_DLIO
Required: Yes
Default: None
Description: This required keyword is used to specify the z/OS System Logger log stream to be used to stream audited events from IMS Control Regions. The value
should be the ONLINE_LOGSTREAM_NAME value specified as the DEFINE_LOGSTREAM_NAME parameter of the AUILSTR2 or AUILSTR3 JCLs.
Syntax: LOG_STREAM_DLIO(log_stream_name)
Example: LOG_STREAM_DLIO(AUI_ONLINE_LOG_STREAM)
LOOPBACK_ADDRESS
Required: No
Default: LOCALHOST
Description: Specifies the loopback host or IP address that is used for communications between the agent and the agent secondary address spaces. For most
network configurations, the default value of LOCALHOST can be used. If LOCALHOST cannot be resolved on your system, consult your network specialist for the
correct loopback mnemonic or IP address to be used.
Syntax: LOOPBACK_ADDRESS(hostname|IP_address)
Example: LOOPBACK_ADDRESS(LOCALHOST)
LPAR_MONITOR_INTERVAL
Required: No
Default: 5
Description: Specifies the frequency (in minutes) for the agent to request a list of LPARs that are active within the SYSPLEX. Schedule the Common Storage
Management Utility (AUIUSTC) tasks on any LPAR coming online to the SYSPLEX. Valid parameters are integers between 1 and 60.
Syntax: LPAR_MONITOR_INTERVAL(minutes)
Example: LPAR_MONITOR_INTERVAL(5)
MESSAGE_LOG_LEVEL
Required: No
Default: I
Description: Controls the amount of output log information that is generated by the agent.
Table 2. Message severity codes and descriptions.
Message severity code Description
I Includes all log messages
W Includes all log messages with a warning severity or higher
E Includes all log messages with an error severity or higher
O Instructs the agent not to log error messages
S Includes all log messages with a severe error code
Syntax: MESSAGE_LOG_LEVEL(I|W|E|O|S)
Example: MESSAGE_LOG_LEVEL(I)
OUTAGE_SPILL_AREA_SIZE
Required: No
Default: 0
Description: Determines the maximum amount of memory in megabytes to be allocated for the retention of audit data in the event of a IBM Guardium system
connection outage. A value of 0, or the absence of this keyword, disables spill area support. The maximum value permitted as a parameter is 1024.
Syntax: OUTAGE_SPILL_AREA_SIZE(memory_size)
Example: OUTAGE_SPILL_AREA_SIZE(15)
POLICY_READ_INTERVAL
Required: No
Default: 5
Description: Determines the frequency in seconds that the connection to the IBM Guardium system checks for changes to the installed policies that are used to
determine audited event collection.
Syntax: POLICY_READ_INTERVAL(time_in_seconds)
Example: POLICY_READ_INTERVAL(5)
STAP_STREAM_EVENTS
Required: No
Default: Y
Description: Specifies whether events will be streamed to the IBM Guardium system. The default value, Y, enables streaming. Specify N to disable streaming and
enable Simulation mode.
Syntax: STAP_STREAM_EVENTS(Y|N)
Example: STAP_STREAM_EVENTS(Y)
PREFER_IPV4_STACK
Required: No
Default: N
Description: If set to Y, this parameter causes a request to be issued to the Domain Name Server (DNS) for an IPV4 address for the hostname that is specified in
the APPLIANCE_SERVER parameter:
If this parameter is set to N or omitted from configuration, a request for an IPV6 address is issued to the DNS for the hostname that is specified by the
APPLIANCE_SERVER parameter:

Note: Whether or not this parameter is used, if the address returned from the DNS is not valid for the hostname, it will result in failure to connect to the appliance,
and the IBM Guardium S-TAP for IMS started task will terminate.
Syntax:
PREFER_IPV4_STACK(Y|N)
Example:
PREFER_IVP4_STACK(Y)
SMF_AUDIT_LEVELS
Required: No
Default: ALL
Description: Specifies which events to audit of those found using the SMF task (AUIFSTC). A specification other than ALL limits the events to be audited to the
events you specify. For example, if DELETE is specified, then all audited IMS instances under the agent would only be capable of reporting data set DELETE events.
If ALL is specified, you can further limits what is audited for each audited IMS subsystem, using the user interface.
Table 3. SMF_AUDIT_LEVELS audit
parameters and events
Parameter Audited event
ALL All events are audited (default)
UPDATE Data sets opened with UPDATE access
DELETE Data sets deleted
READ Data sets opened with READ access
CREATE Data sets created
ALTER Data sets opened with ALTER access
RACFÂ® RACF violations on data sets
Syntax: SMF_AUDIT_LEVELS(ALL|UPDATE|DELETE|READ|CREATE|ALTER|RACF)
Example: SMF_AUDIT_LEVELS(ALL)
SMF_CYCLE_INTERVAL
Required: No
Default: 300
Description: Specifies the frequency (in minutes) that the SMF task (AUIFSTC) checks the z/OS catalog for new data sets, which meet the specified data set masks,
using the SMF_DSN_MASK keyword. This value should correspond to the frequency at which your z/OS system swaps SMF logging VSAM files (sometimes known as
SMF MANX|MANY) during a normal workday. For example, if the SMF logging files are swapped every 8 hours, the SMF_CYCLE_INTERVAL should be set to 480 (8
hours * 60 minutes). A value of zero can be specified to indicate that the agent should not start the AUIFSTC task and SMF auditing should not be performed. Valid
parameters are 0 â€“ 1440.
Syntax: SMF_CYCLE_INTERVAL(time_in_minutes)
Example: SMF_CYCLE_INTERVAL(45)
SMF_DSN_MASK_[1-10]
Required: Yes
Default: None
Description: At least one instance of this keyword is required (SMF_DSN_MASK_1). This keyword provides a data set mask used to query the z/OS catalog for
sequential format data sets containing SMF data offloaded from the SMF log-files (MANX|MANY) using the IFASMFDP program. These sequential files can be the
original files created when offloading the MANX|MANY files, or a copy of these sequential files created by customizing and running AUISMFDF and AUISMFDP jobs
located in the product sample data set. In most environments, only one SMF_DSN_MASK would be specified, but up to 10 are allowed.
Table 4. Masking character rules
Characte
Rule
r
% Indicates that only one alphanumeric or national character can occupy that position
%%% Indicates that more than one character can be substituted, with the number of substitution characters being equal to the number of percent signs
specified.
Example 1: specifying a GDG data set in the mask: If the AUISMFDP job has been customized to produce a GDG data set as the SORTOUT DD output data sets,
you can choose to specify the fully qualified GDG base name in the mask for system name field. For example, A.B.C. IBM Guardium S-TAP for IMS uses catalog
services to determine the names of all cataloged GDG entries under this name, for example:
A.B.C.G0001V00
A.B.C.G0002V00
A.B.C.G0003V00
Example 2: specifying a data set name explicitly: Provide the generation and version values as a mask. For example, A.B.C.G%%%%V%%. IBM Guardium S-TAP
for IMS uses catalog services to determine the names of all cataloged data sets that match this mask, for example:
A.B.C.G0021V00
A.B.C.G0022V00
A.B.C.G0023V00
Example 3: specifying a DSN using a DATE/TIME naming convention: If you have customized the AUISMFDP job to produce a data set name that contains date
and time values as qualifiers within the data set name as the SORTOUT DD output data sets, you can specify the data set name using a string of percent signs within
the date and time qualifier names. For example: HLQ.D%%%%%%.T%%%%%%.SMFDATA. IBM Guardium S-TAP for IMS uses catalog services to determine the
names of all cataloged data sets matching the mask, for example:
HLQ.D091122.T131000.SMFDATA

Note: The percent (%) wildcard character should only be specified for the numeric characters of the generation and version node of GDG data sets, or as the
numeric characters of date or time nodes of the SMF dataset.
Syntax: SMF_DSN_MASK_1(SMF.DUMP.DSN)
Example:
SMF_DSN_MASK_1(AUI.SMF.DUMP.COPY)
SMF_DSN_MASK_2(AUI.SMF.DUMP.GDG.G%%%%V%%)
SMF_DSN_MASK_3(AUI.SMF.D%%%%%%.T%%%%%%.COPY)
SMF_EVENT_EXPIRY
Required: No
Default: 5
Description: Specifies the number of days that incomplete SMF events should be retained in the SMF spill file. Incomplete SMF events are audited events that have
not yet received the associated SMF Type 30 record, which indicates that the step/job is complete, and contains information that is needed to complete the
reporting of the event. When an event exceeds the expiration date, it is flagged as incomplete, sent to the IBM Guardium system, and removed from the SMF spill
file. The valid range is 1 to 180 days.
Syntax: SMF_EVENT_EXPIRY(days)
Example: SMF_EVENT_EXPIRY(5)
SMF_PROC_NAME
Required: No
Default: AUIFSTC
Description: Specifies the PROCLIB member name that contains the SMF secondary address space JCL. This JCL is supplied as member name AUIFSTC in the
sample library (AUISAMP). If multiple agents are used within a sysplex, each agent requires a separate JCL for each AUIFSTC address space.
Syntax: SMF_PROC_NAME(auif_mbr_name)\
Example: SMF_PROC_NAME(AUIFV91)
SMF_SELF_AUDIT
Required: No
Default: N
Description: Indicates whether to audit the accesses of IMS data sets that are used by the product to determine the names of IMS artifacts to be audited.
Examples of IMS data sets that can be accessed include RECON data sets and IMS archived logs (SLDS). A value of N indicates that these accesses should not be
audited. A value of Y indicates that these data sets should be considered for auditing.
Syntax: SMF_SELF_AUDIT(N|Y)
Example: SMF_SELF_AUDIT(N)
SMF_SPILL_FILE
Required: Yes
Default: None
Description: Specifies the DSN of a sequential format fixed block data set with a LRECL of 300. This data set is used to store incomplete audited SMF events.
Incomplete audited SMF events are events triggered by SMF records that have yet to encounter an SMF Type 30 record, indicating the step or job has completed.
The AUIFUSPL member of the SAUISAMP data set provides an example of the allocation specifications for this data set.
Syntax: SMF_SPILL_FILE(dsn)
Example: SMF_SPILL_FILE(AUI.V1013.SPILL)
TCPIP_BUFFER_SIZE
Required: No
Default: 32768
Description: Specifies the size of an internal buffer that is used to hold audited events in preparation of the TCP/IP send to the IBM Guardium system, and specifies
the size of the TCP/IP buffer. In most environments, the size of this buffer should not be changed
Syntax: TCPIP_BUFFER_SIZE(buffer_size)
Example: TCPIP_BUFFER_SIZE(32768)
TRACE_CONFIG
Required: No
Default: ON
Description: TRACE_CONFIG(ON) enables IBM Guardium S-TAP for IMS configuration values to display by default at agent startup. You can optionally use this
keyword to disable the IBM Guardium S-TAP for IMS configuration value display. To prevent the displayed report of agent configuration parameters during agent
startup, specify TRACE_CONFIG(OFF).
Syntax: TRACE_CONFIG(ON|OFF)
Example: TRACE_CONFIG(OFF)
WTO_MSG
Required: No
Default: None
Description: Allows a user to request that specific informational, warning, or error messages written to the AUILOG DD statement of the agent (AUIASTC) or agent
secondary address spaces (AUIFSTC, AUILSTC or AUIUSTC) also be written to the Operator Console (WTO). This enables these messages to be recognized by an
automated operations tool, or provides higher operator visibility for these messages and allows appropriate action to be taken. Each message requires a separate
keyword, and each keyword must be specified on a separate line.
Syntax: WTO_MSG(msgnumber)
Example:
WTO_MSG(AUIJ011I)
WTO_MSG(AUIL607W)
WTO_MSG(AUIY006E)
XML_ECHO_AUILOG(Y|N)
Required: No
Default: N
Description: Indicates that when an audit policy is installed on a IBM Guardium system appliance, its corresponding XML is to be echoed to the AUILOG DD. If there
is more than one policy installed on the agent, the XML of each policy is echoed. If all installed policies are subsequently uninstalled, then the echoed XML reflects
that there are no installed policies. For more information about echoed XML statements, see XML statement definitions.
Syntax: XML_ECHO_AUILOG(Y|N)
Example: XML_ECHO_AUILOG(Y)
XML_ECHO_DATASET(Data_Set_Name[,Cylinders])
Required: No
Default: None
Description:

Indicates that when the IBM Guardium system installs an audit policy, its corresponding XML is echoed to a data set (specified by the data set name value in this
parameter). If there is more than one policy installed on the agent, the XML of each is echoed. If all installed policies are subsequently uninstalled, then the echoed
XML reflects that there are no installed policies. The XML will not be echoed when the installed policy is already active, is being reinstalled, and there have been no
changes to the policy.
If Data_Set_Name is intended to be a Generation Data Group (GDG), then it must be set as the GDG base name. The agent checks the system catalog to determine
whether Data_Set_Name exists and whether or not it is a GDG base name.
Data_Set_Name can contain z/OS system symbols such as &SYSNAME. To determine the names of the system symbols that are currently defined to the system,
issue the DISPLAY SYMBOLS command to the system console.
If Data_Set_Name does not exist, and there is no GDG base defined in this name, the agent allocates the data set as non-GDG. If Data_Set_Name is a regular
physical sequential data set (non-GDG based) and does exist, the agent allocates space for the Cylinders keyword when the agent is restarted.
Cylinders defaults to 1 and can range from 1 â€“ 10.

Syntax: XML_ECHO_DATASET(&Data_Set_Name[,Cylinders])
Example: XML_ECHO_DATASET(AUIAGENT.ECHO.XML.GDG.BASE,2)
ZIIP_AGENT_DLI
Required: No
Default: N
Description: Indicates that the following agent processes should be zIIP capable: agent reads of audited events from the z/OS System Logger log streams,
formatting of these events into protobuf style messages, and sending of these messages to the IBM Guardium system using TCP/IP.
Note: Use of the zIIP depends on the presence of a zIIP on the LPAR where the agent is running, as well as use of the Workload Management Service Policies. For
more information about zIIP, see the topic on Customizing IMS to use a System zÂ® Integrated Information Processor (zIIP).
Syntax: ZIIP_AGENT_DLI(Y|N)
Example: ZIIP_AGENT_DLI(Y)
Parent topic: Configuring the IBM Security Guardium S-TAP for IMS on z/OS agent
Related reference
Customizing IMS to use a System z Integrated Information Processor (zIIP)
Agent configuration
The IP addresses of the IBM Guardium system appliances are specified using the SAUISAMP data set AUICONFG member using the APPLIANCE_SERVER and
APPLIANCE_SERVER_FAILOVER_[1-5] keywords.
See Providing Guardium system failover for more information.

Customizing the agent JCL

The SAUISAMP member AUIASTC provides a sample JCL that can be used for the agent started task. This topic describes how to customize the JCL.
Before you begin

In environments where multiple agents connect to a common IBM Guardium system or appliance, the z/OS agent started task names (AUIASTC, AUILSTC, AUIFSTC) must
be unique. Unique started task names enable the IBM Guardium S-TAP for IMS policies that are pushed from the IBM Guardium system to be attributed to, and monitored
by, the correct z/OS agent.
Procedure
1. Edit SAUISAMP members AUIASTC, AUIFSTC, AUILSTC and AUIUSTC by running the ISPF edit macro.
See Planning your configuration and customizing your environment for more details.
2. Modify the CFG=AUI.V100.AGTCFG(AUICONFG) in AUIASTC to specify the location of the customized configuration data set for the agent created in the previous
section.
3. Optional: You can rename the AUIASTC member to any character name that is valid for started tasks in your environment.
4. Optional: You can rename the AUIFSTC, AUILSTC, and AUIUSTC. AUIFSTC, AUILSTC, and AUIUSTC names should match the values of the IMSL_PROC_NAME,
SMF_PROC_NAME, and AUIU_PROC_NAME keywords that you supply in the configuration file.
5. Copy the AUIASTC, AUIFSTC, AUILSTC and AUIUSTC members to the PROCLIB for the site.
Contact the z/OS systems programmer to determine the location of the PROCLIB.
Note: APF authorization of the AUILOAD file is required for each of these members before they are started.
Starting and stopping the agent

Start the agent by issuing the command /S AUIASTC from the SDSF command line. The primary agent address space starts the AUIFSTC address spaces. One or more
instances of AUILSTC might also be started, depending on the list of active collections.
Stop the agent by issuing the command /STOP AUIASTC, or /MODIFY AUIASTC,STOP, from the SDSF command line. The primary agent address space then stops all the
secondary address spaces that are online, and shuts down. Depending on the load, and the activity in the other secondary address spaces, the shut down process can take
time. Monitor the AUILOG DD of the primary address space AUIASTC for informational messages on the status of the secondary address spaces.

Agent security considerations
The user ID of the agent started tasks (the primary and the secondary started tasks) should have the necessary RACFÂ® profiles for reading the configuration member
contents.
Important: Contact your system administrator to ensure that localhost is resolving to 127.0.0.1 (loopback address). The TCP/IP communication between the agent and
the secondary address spaces relies on this resolution. If this is not possible at your site, use the loop-back-address element in the AUICONFG sample library member to
avoid localhost resolution by specifying the loopback IP address directly, or by specifying an appropriate host name that resolves to the loopback address.
Modifying the frequency of AUIJ012I messages

You can modify how frequently the agent provides a count of DLI calls (from the default of every 10K DLI calls to a value of your choice, 10K â€“ 999K, 1M â€“ 10M.)
Use the agent parameter keyword DLIFREQ to modify the frequency of AUIJ012I messages, or issue the command /MODIFY AGENT,SET CONFIG DLIFREQ aaaK | bbM,
from the SDSF command line.
Setting up an IMS environment for auditing

This section describes how to customize IMS environments to capture DLI calls, including customizing IMS catalogued procedures, coexisting with other DFSFLGX0 and
DFSISVI0 exit routines, customizing IMS to use a zIIP, copying common load modules from SAUILOAD to SAUIIMOD, and the security considerations related to IMS
processing.
Security considerations for IMS processing

IBM Guardium S-TAP for IMS does not impose any additional RACFÂ® or other security restrictions on IMS assets during IMS processing. However, the IMS control
region and any DLI/DBB batch jobs being executed, must have UPDATE authority to the z/OS system log streams you have defined for use by IBM Guardium S-TAP
for IMS.
Customizing IMS environments to capture DLI calls
For IBM Guardium S-TAP for IMS to report on IMS database accesses, it needs to be sensitive to IMS DL/I calls. Use the following sections to establish proper set-
up of the relationship between your IMS online and batch environments and IBM Guardium S-TAP for IMS.
Customizing IMS cataloged procedures
For IBM Guardium S-TAP for IMS to monitor DL/I calls from IMS online Transactions, BMPs and DLI/DBB batch jobs, the IMS Control region and DLI/DBB batch jobs
require access to these IBM Guardium S-TAP for IMS programs.
Coexisting with other DFSFLGX0 and DFSISVI0 exit routines
IBM Guardium S-TAP for IMS provides product-specific DFSFLGX0 (IMS Logger) and DFSISVI0 (IMS Batch) exits to enable the product to report on IMS DL/I call
activity. In some IMS environments, user requirements or third-party vendor products also require the use of these exits. IBM Guardium S-TAP for IMS can
accommodate the use of multiple DFSFLGX0 and DFSISVI0 exit routines.
Defining LOGWRT exits
Use the EXITDEF parameter in the USER_EXITS section of the DFSDFxxx IMS PROCLIB member to define LOGWRT exits to be used by your IMS subsystem.
IBM Guardium S-TAP for IMS allows you to configure an IMS control region to prepare specific auditing functions for execution on a System zÂ® Integrated
Information Processor (zIIP). Execution on a zIIP is governed by the Workload Management software on your appliance, as well as the workload already assigned to
the zIIP.
Copying common load modules from SAUILOAD to SAUIIMOD
After the initial SMP/E installation of IBM Guardium S-TAP for IMS, copy common load modules from the SAUILOAD to SAUIIMOD data set using the modules
described in this topic.
Configuring APP_EVENT support
IBM Guardium S-TAP for IMS allows IMS DLI application programs to store user information on the IBM Guardium system. This enables your user data to be linked
with DLI DB calls that are made from within the same application checkpoint, unit-of-work, or commit. APP_EVENT calls are linked to audited DLI calls by
subsystem ID, application sequence number, and number of commits within a schedule. Follow these steps to install and configure a new IMS database, named
AUIAPPEV, to be used for this purpose.
Security considerations for IMS processing

IBM Guardium S-TAP for IMS does not impose any additional RACFÂ® or other security restrictions on IMS assets during IMS processing. However, the IMS control region
and any DLI/DBB batch jobs being executed, must have UPDATE authority to the z/OS system log streams you have defined for use by IBM Guardium S-TAP for IMS.
Parent topic: Setting up an IMS environment for auditing
Customizing IMS environments to capture DLI calls

For IBM Guardium S-TAP for IMS to report on IMS database accesses, it needs to be sensitive to IMS DL/I calls. Use the following sections to establish proper set-up of
the relationship between your IMS online and batch environments and IBM Guardium S-TAP for IMS.
Note: The IBM Guardium S-TAP for IMS programs that are used to communicate with your IMS environments are found in the SAUIIMOD data set, and are created during
product installation.
Customizing IMS cataloged procedures

For IBM Guardium S-TAP for IMS to monitor DL/I calls from IMS online Transactions, BMPs and DLI/DBB batch jobs, the IMS Control region and DLI/DBB batch jobs
require access to these IBM Guardium S-TAP for IMS programs.
The IBM Guardium S-TAP for IMS programs that must be accessed reside in the SAUIIMOD installation data set. The preferred method of installing IBM Guardium S-TAP
for IMS into your IMS environment is to copy the entire contents of the SAUIIMOD data set into your IMS RESLIB (IMS.SDFSRESL) data set.
If copying IBM Guardium S-TAP for IMS programs into your IMS RESLIB is not possible, then the SAUIIMOD data set must be included in your IMS control region JCL as
the first data set of the STEPLIB DD concatenation. The SAUIIMOD data set must also be included as the first data set of the STEPLIB DD concatenation of the DLI batch
cataloged procedure (DLIBATCH member of the IMS PROCLIB data set) and the DBB batch cataloged procedure (DBBBATCH member of the IMS PROCLIB data set).
Note:
If the SAUIIMOD data set is included in any JCL, you must ensure that it is APF-authorized.
IBM Guardium S-TAP for IMS provides and uses the DFSFLGX0 and DFSISIV0 IMS exits to establish communication with IMS services, however no customization of
these exits is required.
Coexisting with other DFSFLGX0 and DFSISVI0 exit routines

IBM Guardium S-TAP for IMS provides product-specific DFSFLGX0 (IMS Logger) and DFSISVI0 (IMS Batch) exits to enable the product to report on IMS DL/I call activity.
In some IMS environments, user requirements or third-party vendor products also require the use of these exits. IBM Guardium S-TAP for IMS can accommodate the use
of multiple DFSFLGX0 and DFSISVI0 exit routines.
Using IMS Tools Generic Exits

IMS Tools Generic Exits are a collection of components that provide common command and exit routine interfaces to support the operation of IMS tools in an IMS
environment.
IBM Guardium S-TAP for IMS supports the protocols used by the IMS Tools Generic Exit product. You can define the IBM Guardium S-TAP for IMS copy of the DFSFLGX0
exit by either supplying IMS with a PROCLIB member using a BPE-style control statement, or by building a load module that contains the required information.
An example of the PROCLIB control statement follows:
EXITDEF(TYPE(LOGR) EXITNAME(AUIFLGX0) LOADLIB(AUI.SAUIIMOD))
See the IBM IMS Tools Generic Exit Reference Manual for Generic Logger Exit setup and usage.
Important: The IBM IMS Tools Generic Exit product does not support exit DFSISVI0.
Using IBM Guardium S-TAP for IMS exit cascading

For situations where the IBM IMS Tools Generic Exit is not available for use, IBM Guardium S-TAP for IMS provides a method of supporting two instances of the DFSFLGX0
and DFSISVI0 exits.
When loaded and run, the IBM Guardium S-TAP for IMS supplied program AUIFLGX0 (DFSFLGX0) and AUIISVI0 (DFSISIV0) determines from which DSN within the
JOBLIB/STEPLIB concatenation it was loaded from. It then searches all subsequent DSNs within the JOBLIB/STEPLIB DD concatenation, looking for the next occurrence
of the exit with the same name.
If none are found, or it is determined that the IMS Tools Generic Exit product is involved in executing the exit, no cascading is done.
If an exit is found, and it is determined that the exit found is in fact another instance of the IBM Guardium S-TAP for IMS exit (as could happen if the SAUIIMOD data
set was specified multiple times in the JOBLIB/STEPLIB concatenation), the search will continue with the remainder of the DSNs in the concatenation.
If a non-IBM Guardium S-TAP for IMS Exit is found, this new exit is loaded, and called with R13 pointing to the save area supplied by IMS. A new 512 byte user
work area, obtained specifically for this exit instance, is then pointed to by the SXPLAWRK field of the IMS Standard User Exit Parameter List (DFSSXPL). This 512
byte work area is obtained when the first (or INIT) call is done; the work area address (in the SXLPAWRK field) and work area content are maintained for all
subsequent calls.
Exit cascading restrictions

Note: These restrictions only apply when using the exit cascading feature, and not when using the IBM IMS Tools Generic Exit product.
The IBM Guardium S-TAP for IMS Exit (AUIFLGX0 or AUIISVI0) must be first in the JOBLIB/STEPLIB concatenation, unless the exit that exists in a prior DSN also has a
method of cascading calls to other exits, and is capable of providing an IMS formatted area in R13 and the address of a unique, persistent 512 byte work area in the
SXPLAWRK parameter list field to the AUIFLGX0 or AUIISVI0 program.
In a non-APF-authorized environment, such as when executing program DFSULTR0 or an IMS DLI/DBB batch program, the exit load module to be cascaded to must have
an ALIAS, and the ALIAS must be appropriately either DFSFLGX0 or DFSISVI0, if the target exit module has the RENT or REUS attribute on.
Defining LOGWRT exits

Use the EXITDEF parameter in the USER_EXITS section of the DFSDFxxx IMS PROCLIB member to define LOGWRT exits to be used by your IMS subsystem.
You must specify the exit name AUIFLGX0 in the list of LOGWRT exits to be used. This disables the cascading feature, which prevents other LOGWRT exits in the STEPLIB
from being unintentionally invoked. You must include the SAUIIMOD load library in the IMS Control Region STEPLIB concatenation.
Example:
<SECTION=USER_EXITS>
EXITDEF=(TYPE=LOGWRT,EXITS=(AUIFLGX0))

IBM Guardium S-TAP for IMS allows you to configure an IMS control region to prepare specific auditing functions for execution on a System zÂ® Integrated Information
Processor (zIIP). Execution on a zIIP is governed by the Workload Management software on your appliance, as well as the workload already assigned to the zIIP.
To use this feature, the LPAR on which the IMS Control region executes must have a zIIP installed. The IMS Control Region should also make use of the z/OS Workload
Manager product. For more information on using z/OS Workload Manager with the IMS Control Region, see the Workload Manager and IMS section of the IBM IMS System
Administration manual.
The following processes can be scheduled on a zIIP:
Calling of the compiled filter to determine if the DLI event is to be audited, and if the segment concatenated key or segment data should be sent to the Guardium
appliance.
Movement of the audited DLI calls to a storage buffer used to hold audited data until a write to the z/OS System Logger log-stream can be executed
Calling of the z/OS System Logger IXGWRITE, which moves the audited data from the buffer to the log-stream when the buffer fills, or a flush of the buffer is
scheduled
To indicate that the IMS Control region should attempt to schedule these processes on the zIIP, a //AUIZIIP DD DUMMY DD statement should be added to the IMS Control
Region JCL. When detected, the audit code produces the informational message AUII055I, indicating that zIIP processing will be attempted.
Warning messages AUII042W and AUII043W are issued if zIIP processing is requested when a zIIP is not available, and when IMS is not using Workload Manager. Error
message AUII044E indicates that the request was rejected. In all instances where the attempt to use the zIIP has failed, audit processing continues without attempting to
execute the audit code on the zIIP.
Related reference
Copying common load modules from SAUILOAD to SAUIIMOD

After the initial SMP/E installation of IBM Guardium S-TAP for IMS, copy common load modules from the SAUILOAD to SAUIIMOD data set using the modules described in
this topic.
AUI$NAP
Module used to trace data
Provided in the SAUILOAD data set
Also needed in the SAUIIMOD data set
AUICPMOD
An SAUISMAP member
Performs a copy of the AUI$NAP module from the SAUILOAD to the SAUIIMOD data set
Should be customized and submitted after the initial SMP/E installation
Configuring APP_EVENT support

IBM Guardium S-TAP for IMS allows IMS DLI application programs to store user information on the IBM Guardium system. This enables your user data to be linked with
DLI DB calls that are made from within the same application checkpoint, unit-of-work, or commit. APP_EVENT calls are linked to audited DLI calls by subsystem ID,
application sequence number, and number of commits within a schedule. Follow these steps to install and configure a new IMS database, named AUIAPPEV, to be used
for this purpose.
Procedure
1. Perform a Database Descriptor Generator (DBD gen) for the AUIAPPEV database.
An example of the DBD source to use is in member AUIAPPEV of the SAUISAMP data set.
2. Create a database data set for the AUIAPPEV database.
3. If appropriate for your site, register the DB and DDN to DBRC, specifying NOREOV if possible.
4. If appropriate for your site, create a dynamic allocation (MDA) member for the database data set.
5. Modify application program PSBs to include a PCB for the AUIAPPEV database.
Use a PROCOPT of G and a KEYLENGTH of 0.
6. If the APP_EVENT feature is to be used by an IMS Online system, perform an ACBGEN for DBD member AUIAPPEV and the modified PSBs.
7. Modify application programs to send APP_EVENT information using the AUIAPPEV PCB:
a. In the 2000 byte I/O area, modify the application programs to include the information that you want to be sent to the appliance.
b. Perform a DLI GET call by using the AUIAPPEV PCB.
A DLI status code of blanks will be returned.
APP_EVENT examples
Examples of the AUIAPPEV database, a PSB with DBPCB for the AUIAPPEV database included, the Assembler language of an IMS DLI call, and a C program are
provided here. These code samples are for example purposes only. There is no guarantee of the reliability, serviceability, or function of these programming
examples.
APP_EVENT examples

Examples of the AUIAPPEV database, a PSB with DBPCB for the AUIAPPEV database included, the Assembler language of an IMS DLI call, and a C program are provided
here. These code samples are for example purposes only. There is no guarantee of the reliability, serviceability, or function of these programming examples.
AUIAPPEV database
The AUIAPPEV database is used to support the transmittal of environmental information from an application program to the Guardium appliance. The following is an
example:
DBD NAME=AUIAPPEV,ACCESS=(HDAM,OSAM),RMNAME=(DFSHDC40,10,20)
DATASET DD1=AUIAPPEV,SIZE=2048
SEGM NAME=ROOT,PARENT=0,BYTES=2000
DBDGEN
FINISH
END
PSB with DBPCB for the AUIAPPEV database included

The following is an example of a PSB with DBPCB for the AUIAPPEV database included:
PCB TYPE=DB,PROCOPT=A,KEYLEN=4,DBDNAME=AUEVOL01, PCBNAME=ODBPCB1

SENSEG NAME=ROOT,PARENT=0
PCB TYPE=DB,PROCOPT=G,KEYLEN=0,DBDNAME=AUIAPPEV, PCBNAME=APPEV01
SENSEG NAME=ROOT,PARENT=0
PSBGEN LANG=ASSEM,CMPAT=YES,PSBNAME=AUIPSBAV
END
Assembler language of an IMS DLI call

The following is an example in the Assembler language of an IMS DLI call that will send a string to the Guardium appliance:
MVC IOAREA(20),=CL20'THIS IS AN APP_EVENT' /Set APP_EVENT message

XC PARM@(12*4),PARM@ /Clear parameter area
LA R1,GN /Addr of GN literal
ST R1,PARM@+0 /Save in parmlist
L R2,APPCB@ /Addr of AUIAPPEV PCB
LA R1,IOAREA /Addr of IOAREA
OI PARM@+8,X'80' /Terminate parmlist
LA R1,PARM@ /Addr of parmlist
L R15,DLI@ /Addr of ASMTDLI program
BASR R14,R15 /Call ASMTDLI
C program
The following is an example of a C program:
#define iopcb (IO_PCB_TYPE *)(__pcblist) /* I/O PCB */

#define dbpcb (PCB_STRUCT_8_TYPE *)(__pcblist) /* DB PCB */
#define aepcb (PCB_STRUCT_8_TYPE *)(__pcblist) /* AUIAPPEV DB PCB */
int rc = 0;
const static char GU = "GU ";
struct {
char output 2000Â¨;
} iodata ;
....
....
/* create a APP_EVENT */
sprintf(iodata.output, "THIS IS AN APP_EVENT");
rc = ctdli(GU, aepcb, &iodata);
Parent topic: Configuring APP_EVENT support
Using agent configuration keywords to customize auditing

Some agent configuration keywords must be used for the product to function. You can also use agent configuration keywords for optional auditing specifications.
Required keywords
The following keywords must be set for the product to function:
APPLIANCE_SERVER
This is the host name, or IP address, of the IBM Guardium system to which the agent should connect.
LOG_STREAM_DLIO
This is the log stream name for online DLI calls.
LOG_STREAM_DLIB
This is the log stream name for batch DLI calls.
You can also audit accesses to database-related data sets using SMF records. To audit accesses to IMS data sets that occur outside of IMS services, use the following
keywords:
SMF_SPILL_FILE

This is the data set name.
SMF_DSN_MASK_1
This is the data set mask value.
Optional keywords
To set the following optional specifications, use the keyword that is listed. More information about each specification is provided, following this list.
Enabling Simulation mode

STAP_STREAM_EVENTS(N)
Restricting IMS segment and concatenated key data from being sent to the Guardium appliance
Using multiple SMF data set masks
SMF_DSN_MASK_2 through SMF_DSN_MASK_10
Disabling SMF auditing at the agent level
SMF_CYCLE_INTERVAL(0)
Note: If SMF_CYCLE_INTERVAL(0) is specified, no additional SMF configuration parameters are required.
Controlling the frequency of SMF z/OS catalog queries
SMF_CYCLE_INTERVAL(time in minutes)
Changing the retention period of incomplete SMF events
SMF_EVENT_EXPIRY(number of days)
Changing the name of the SMF address space JCL
SMF_PROC_NAME(new name)
Auditing IMS data set access
SMF_SELF_AUDIT(Y)
Changing the type of events audited using SMF records
SMF_AUDIT_LEVELS(ALL|UPDATE|DELETE|READ|CREATE|ALTER|RACF)
Overriding the range of ports used for address space communications
LOG_PORT_SCAN_START(41501), LOG_PORT_SCAN_COUNT(24003)
Requesting specific agent messages to be issued to the operator console
WTO_MSG(AUIF507E), WTO_MSG(AUIT013I)
Determining the context of APPLIANCE_SERVER_[1-5] or APPLIANCE_SERVER_[FAILOVER|MULTI_STREAM|HOT_FAILOVER]_[1-5]
APPLIANCE_SERVER_LIST(FAILOVER|MULTI_STREAM|HOT_FAILOVER)
Providing Guardium system failover support
APPLIANCE_SERVER_FAILOVER_[1-5](IP address or host name)
Providing Guardium system multistream support
APPLIANCE_SERVER_MULTI_STREAM_[1-5](IP address or host name)
Providing Guardium system hot failover support
APPLIANCE_SERVER_HOT_FAILOVER_[1-5](IP address or host name)
Providing a spill area for short term outages
OUTAGE_SPILL_AREA_SIZE(megabytes)
Disabling IMS SLDS auditing at the agent level
IMSL_CYCLE_INTERVAL(0)
Note: If IMSL_CYCLE_INTERVAL(0) is specified, no additional IMSL configuration parameters are required.
Controlling the frequency IMS System Log Data Sets are allocated and read
IMSL_CYCLE_INTERVAL(time in minutes)
Changing the name of the IMSL address space JCL
IMSL_PROC_NAME(new name)
Changing the type of events audited using IMS SLDS records
IMSL_AUDIT_LEVELS(ALL|CTL_STRT|USERS|DBOPN|DB_PSB)
Changing the name of the Common Memory Management address space JCL
AUIU_PROC_NAME(new name)
Excluding DLI calls occurring on specific LPARS from being audited
AUIU_EXCLUDE_LPAR(lpar1, lpar2â€¦lpar9)
Running more than one agent in a SYSPLEX
ADS_SHM_ID(100010), ADS_LISTENER_PORT(16055)
Removing Segment data and Concatenated Key values from audited data at the agent level
Using the System z Integrated Information Processor (zIIP)
ZIIP_AGENT_DLI
Viewing AUI messages that are produced by the IMS Control regions in the AUI agent log
DISPLAY_IMSMSG_DLIO(N|Y)
Viewing AUI messages produced by the IMS DLI/DBB batch jobs in the AUI agent log
DISPLAY_IMSMSG_DLIB(N|Y)
Restricting auditing to specific IMS systems when multiple IMSs share RECON data sets
IMSNAME_EQ_IMSSSID(N|Y)
Enabling/Disabling the IBM Guardium S-TAP for IMS configuration value display at agent startup
TRACE_CONFIG(ON|OFF)
Setting the number of days within which AUILxxxx will process IMS system log data sets (SLDS)
IMSL_SLDS_SRCH(number of days)
Simulation mode
Simulation mode enables you to simulate agent processing. IBM Guardium S-TAP for IMS uses various z/OS MVS system services to gather audit data and move it
to the agent address space. The agent address space evaluates this data according to the specified policy, and transmits the audit record to the Guardium appliance
by using TCP/IP. To assess the impact on MVS processing, use the STAP_STREAM_EVENTS parameter to simulate data collection.
Specifying multiple SMF data set masks
You can use the SMF_DSN_MASK keyword to specify up to nine additional SMF data set masks.
You can use the SMF_CYCLE_INTERVAL keyword to disable SMF auditing at the agent level.

You can change the frequency of SMF z/OS catalog queries by using the SMF_CYCLE_INTERVAL keyword to specify a value in minutes:
By default, incomplete SMF events will be retained in your SMF spill data set for 5 days. You can change this time range by specifying the SMF_EVENT_EXPIRY
keyword:
To change the name of the AUIFSTC JCL member name, use the SMF_PROC_NAME keyword to change AUIFSTC to a name of your choice:
To obtain a report of IMS artifact access, use the SMF_SELF_AUDIT keyword.
Changing the types of events that are audited using SMF records
Use the SMF_AUDIT_LEVELS keyword to indicate a list of events to be audited, instead of collecting all event types.
Using alternate RECON data sets for SMF and SLDS processing
You can optionally use copies of the IMS RECON data sets when processing SMF (AUIFSTC) and IMS SLDS (AUILSTC) data instead of using the live RECON data sets.
Overriding the range of ports used for communication between address spaces
You can set the available port scan starting point and limit the number of ports to check for availability.
Overriding the TCP/IP DNS resolver table
IBM Guardium S-TAP for IMS uses TCP/IP as a host path for intra- and inter-address space communication of information such as collection policy details and
address space status updates. To receive information from an AUIUSTC_(Common Storage Management Utility) address space running on a different LPAR in the
sysplex, the AUIASTC_(agent) address space must determine its own physical IP address and make it known to AUIUSTC.
Specifying agent messages to issue to the operator console
You can use the WTO_MSG keyword to specify the messages to issue to the operator console.
Creating a spill area for short-term outages
Use the OUTAGE_SPILL_AREA_SIZE keyword and parameter to indicate the size in megabytes to allocate for the spill area.
You can turn off the auditing process that uses IMS SLDS records by specifying the IMSL_CYCLE_INTERVAL keyword with a value of zero.
Controlling the frequency with which IMS System Log Data Sets are allocated and read
You can specify the frequency of IMS RECON data set queries by specifying the IMSL_CYCLE_INTERVAL keyword.
To change the JCL member name AUILSTC, use the IMSL_PROC_NAME keyword.
Changing the types of events audited using IMS SLDS records
To audit some, instead of all event types, you can specify each event type to be audited by using the IMSL_AUDIT_LEVELS keyword.
Use the AUIU_PROC_NAME keyword to change the member name from AUIUSTC to a name of your choice.
Excluding DLI calls on specific LPARS from being audited
To stop the transmission of the AUIUSTC address spaces to all LPARs, the AUIU_EXCLUDE_LPAR keyword can be used to exclude specific LPARS from the target list
of eligible LPARS.
If two or more IMS agents are running on one SYSPLEX, use the ADS_SHM_ID and ADS_LISTENER_PORT keywords to differentiate the shared memory segment
and port for each agent environment.
Restricting auditing to specific IMS systems when multiple IMS systems share RECON data sets
If multiple unrelated IMS systems share RECON data sets, and you want to audit only on one or more specific IMS systems, use the keyword
IMSNAME_EQ_IMSSSID(Y) to isolate auditing to the desired IMS system.
You can use the System zÂ® Integrated Information Processor (zIIP) when running IBM Guardium S-TAP for IMS Control region address space, and in the agent
address space (AUIASTC). Use the ZIIP_AGENT_DLI keyword with the Y parameter to cause the agent to make a zIIP-enabled enclave SRB initialization attempt.
Using multiple Guardium systems
You can configure multiple Security Guardium systems for automatic failover. By configuring one or more backup systems, you ensure continuous auditing
capability. This process is known as failover. You can also enable the streaming of audited data from one or more IBM Guardium S-TAP for IMS agents to up to 6
connected Security Guardium systems. This process is known as multistreaming.
Simulation mode
Simulation mode enables you to simulate agent processing. IBMÂ® GuardiumÂ® S-TAPÂ® for IMS uses various z/OS MVS system services to gather audit data and move it
to the agent address space. The agent address space evaluates this data according to the specified policy, and transmits the audit record to the Guardium appliance by
using TCP/IP. To assess the impact on MVS processing, use the STAP_STREAM_EVENTS parameter to simulate data collection.
When STAP_STREAM_EVENTS is set to N, the parameter stops the agent TCP/IP data transmission process. The agent performs all data collection processes but does not
send the audit record to the Guardium appliance.
Parent topic: Using agent configuration keywords to customize auditing

You can use the SMF_DSN_MASK keyword to specify up to nine additional SMF data set masks.

The naming conventions of some environments prohibit the use of a SMF_DSN_MASK_1 value, which allows all required data sets to be read. To audit accesses to
database-related data sets from multiple LPARS of your SYSPLEX, you can specify up to nine additional data set mask values: SMF_DSN_MASK_2 through
SMF_DSN_MASK_10.

You can use the SMF_CYCLE_INTERVAL keyword to disable SMF auditing at the agent level.

For any IMS systems that are audited by this agent, you can disable audit access to IMS data sets that occur outside the use of IMS services. To do so, specify the
following keyword with the value of zero: SMF_CYCLE_INTERVAL(0)
Specifying SMF_CYCLE_INTERVAL(0) turns off auditing process that uses SMF records. The agent address space (AUIASTC) will not start the SMF auditing address space
(AUIFSTC).

You can change the frequency of SMF z/OS catalog queries by using the SMF_CYCLE_INTERVAL keyword to specify a value in minutes:
To determine if any new, unread data sets match the specified SMF_DSN_MASK_x values, the SMF processing address space (AUIFSTC) periodically performs a query
against the z/OS catalog, looking for data sets to process. By default, this query is performed when the AUIFSTC task is started, and repeated every 300 minutes (5 hours).
To change the default time value, use the keyword SMF_CYCLE_INTERVAL(time in minutes). If you specify a time value of zero, the SMF auditing feature will be disabled.

By default, incomplete SMF events will be retained in your SMF spill data set for 5 days. You can change this time range by specifying the SMF_EVENT_EXPIRY keyword:
In some situations, such as a canceled job or end-of-memory events, a type 30 record is not produced for a step or job. To keep these types of records from filling your
SMF spill data set, you can set a time limit in days to determine how long incomplete SMF records are retained. The default value is 5 days and can be changed by
specifying the SMF_EVENT_EXPIRY keyword to indicate the number of days of your choice: SMF_EVENT_EXPIRY(number of days).

To change the name of the AUIFSTC JCL member name, use the SMF_PROC_NAME keyword to change AUIFSTC to a name of your choice:
AUIFSTC is the name of the JCL that provides auditing of data set accesses using SMF records. AUIFSTC is provided in the product installation sample data set
(SAUISAMP). If the name AUIFSTC conflicts with your site's naming convention standards, or if more than one agent is being used, you can change the name of this JCL.
Use the SMF_PROC_NAME keyword to change the member name from AUIFSTC to a name of your choice: SMF_PROC_NAME(new name).
Ensure that this JCL resides in a procedure data set (PROCLIB) that allows the z/OS START command S taskname to be used.

To obtain a report of IMS artifact access, use the SMF_SELF_AUDIT keyword.
IBM Guardium S-TAP for IMS reads the IMS RECON data sets and system log data sets produced by IMS (SLDS) to obtain IMS environment information, such as IMS
artifact names. IMS artifact names determine the databases and data sets that are used to create audit information.
By default, IBM Guardium S-TAP for IMS does not report accesses of IMS artifacts. To obtain a report of these accesses, specify a value of Y using the SMF_SELF_AUDIT
keyword: SMF_SELF_AUDIT(Y).
Changing the types of events that are audited using SMF records
Use the SMF_AUDIT_LEVELS keyword to indicate a list of events to be audited, instead of collecting all event types.
When auditing using SMF records is enabled, the default action is to provide auditing for all of the following accesses to data sets:
Open events with READ access

Open events with UPDATE/WRITE access
Open events with ALTER access
Data set DELETE events
Data set CREATE events
Access denied (RACF violation)
To specify some and not all of these events for auditing, you can specify each type of event to be audited by using the SMF_AUDIT_LEVELS keyword: SMF_AUDIT_LEVELS
(ALL|READ|UPDATE|DELETE|CREATE|ALTER|RACF).
Remember: This keyword affects the SMF auditing level for all IMS subsystems controlled by this agent. If you do not include READ accesses in the SMF_AUDIT_LEVELS
parameter, then no READ accesses will be reported for any of the IMS environments that are audited by using the agent.
Note: You can separate parameters for the collection of different event types. For example, to audit UPDATE and READ events, include the UPDATE and READ records as
follows:
SMF_AUDIT_LEVELS(UPDATE)
SMF_AUDIT_LEVELS(READ)
instead of:
SMF_AUDIT_LEVELS(UPDATE|READ)

Using alternate RECON data sets for SMF and SLDS processing
You can optionally use copies of the IMS RECON data sets when processing SMF (AUIFSTC) and IMS SLDS (AUILSTC) data instead of using the live RECON data sets.
To use alternate RECON data sets for SMF and SLDS processing:
1. Add a //AUIARCN DD statement to the AUIFSTC and AUILSTC JCLs that contain the name of the IMS system (as defined in the IMS Definition panel of the Guardium
interface).
2. Add the alternate RECON data set names to be used when processing these two types of data sources.
Note: Specifying alternate RECON data set names only affects AUIFSTC and AUILSTC task processing. It has no effect on processing of any other tasks.
Use IDCAMS, or another VSAM-compatible method, to create cataloged, VSAM copies of your live RECON data sets.
The data set that is specified by the AUIARCN DD statement must be defined as Fixed Block (FB) with a record length of 80 bytes (LRECL=80), and it can be a PDS, PDS/E,
or sequential file. The following guidelines apply:
An asterisk (*) in column 1 indicates that the line is a comment.

Keywords must start in column 1.
No spaces are allowed within keywords and parameters.
Multiple IMSNAME keywords can be specified in one AUIARCN file.
At least one RECON data set must be included under each IMSNAME identifier.
Alternate RECON data sets must be cataloged and in IMS format.
Table 1. IMSNAME and RECON data set values, defined:

Value Purpose
IMSNAME= Specifies the IMS to which the subsequent RECON1, 2, and 3 keywords pertain.
RECON1= Specifies the alternate data set name to be used for RECON1.
Example:
IMSNAME=IMSV14
RECON1=IMSEA1.ALT.RECON1
*
IMSNAME=IMSV13
RECON1=IMSDA1.ALT.RECON1
RECON2=IMSDA1.ALT.RECON2
Overriding the range of ports used for communication between address spaces
You can set the available port scan starting point and limit the number of ports to check for availability.
IBM Guardium S-TAP for IMS uses a communications port to pass messages between threads within each address space. The default port is 41500. If the address space
determines that port 41500 is not available for use, all subsequent ports up to 65535 are examined, and the first available port is used.
Some installations have restrictions on which ports should be examined and used. Use the LOG_PORT_SCAN _START and LOG_PORT_SCAN_COUNT keywords to set the
available port scan starting point and limit the number of ports to be checked for availability:
LOG_PORT_SCAN_START(41501)
LOG_PORT_SCAN_COUNT(24003)
The sum of the value of the SCAN_START port number plus the SCAN_COUNT should not exceed 65535.
Overriding the TCP/IP DNS resolver table

IBM Guardium S-TAP for IMS uses TCP/IP as a host path for intra- and inter-address space communication of information such as collection policy details and address
space status updates. To receive information from an AUIUSTC_(Common Storage Management Utility) address space running on a different LPAR in the sysplex, the
AUIASTC_(agent) address space must determine its own physical IP address and make it known to AUIUSTC.
To determine its physical IP address, the IBM Guardium S-TAP for IMS agent uses the z/OS getaddrinfo function and passes it to the LPAR name specified in the
CVTSNAME field of the z/OS CVT control block. The getaddrinfo function uses the DNS resolver table to map the agent's LPAR name to its physical IP address. The DNS
resolver table should contain entries that associate each LPAR within the sysplex to its physical IP address. If there is no association found, the agent (AUIASTC) uses the
z/OS gethostname and getaddrinfo services to obtain the physical IP address of its own LPAR; but the IP addresses of other LPARs in the sysplex cannot be determined. In
that case, inter-address space communication is not possible and events that occur on other LPARs are not reported to the Guardium appliance. Similarly, inter-address
space communications can fail if users of Dynamic Virtual IP Addressing (VIPA) attempt to associate multiple IP addresses to a single VIPA token.
To determine if the LPAR name, in the CVTSNAME field, is included in the DNS table:
1. Run the Rexx executable that is located in the SAUISAMP data set of member AUIPING.
2. If the ping is successful, the LPAR name is defined in the DNS table and no further action is required.
3. If the ping fails due to an unknown host error, the LPAR name was not found in the DNS table. Contact your network administrator to request the addition of the
LPAR name and the associated IP address to the DNS table.

Network administrators can manually associate the LPAR name that is found in the z/OS CVTSNAME field with the name that is used in the DNS revolver table by including
the AUIHOST DD statement file in all IMS S-TAP agent task address space JCLs.
cvts_lpar_name(dns_name)
Required if AUIHOST DD is specified.
Default: None.
Description: Translates the CVTSNAME to the name in the DNS table.
lpar_name
Found in the z/OS CVTSNAME field.
Use the AUIPING REXX exec found in the SAUISAMP data set to obtain that name.
The lpar_name value can be from 1 -- 8 bytes in length.
dns_name
Found in the DNS table that associates the LPAR with an IP address.
The DNS_NAME value must conform to the following z/OS TCP/IP HOSTNAME rules:
Must contain 1 or more tokens separated by a period.

Each token must be at least 1 character and less than 64 characters.
Each token must start with a letter or number.
Remaining characters in each token must be a letter, number, or hyphen.
Example: PRODA(SYSTEM_1)
wherein:
PRODA is the LPAR name found in the CVTSNAME field of your z/OS system
SYSTEM_1 is the mnemonic used in your DNS table to relate this LPAR to a TCP/IP address.
The AUIHOST DD statement file must meet the following standards:
It must be a sequential file, or a member of a Partitioned Data Set (PDS) or Extended Partitioned Data Set (PDSE).
It must be defined with a Fixed Blocked (FB) Record Format (RECFM).
It must have a Logical Record Length (LRECL) of 80 bytes.
Commented lines can be indicated by an asterisk (*) in column one or by a slash-asterisk (/*) in columns one and two.
It must contain all host definitions on one line.
Up to 16 DNS names can be specified.
The following is an example of an AUIHOST DD statement file:
MYLPAR20(MYLPAR20.mycompany.com)
Specifying agent messages to issue to the operator console

You can use the WTO_MSG keyword to specify the messages to issue to the operator console.
IBM Guardium S-TAP for IMS allows you to specify informational, warning, or error messages to be written to the operator console. This allows an automated operations
product to take some predefined action or provide a higher level of operator visibility to these messages. You can use the WTO_MSG to specify which messages should be
write-to-operated.
WTO_MSG(AUIF507E)
WTO_MSG(AUIT013I)
You can specify one message ID per WTO_MSG instance. Messages originating from the AUIASTC, AUIFSTC, AUILSTC, and AUIUSTC address spaces are supported.
Creating a spill area for short-term outages

Use the OUTAGE_SPILL_AREA_SIZE keyword and parameter to indicate the size in megabytes to allocate for the spill area.
Short-term communication outages between the agent address spaces and the IBM Guardium system can be handled by using a z/OS data space spill area. Use of the
spill area can prevent the loss of audited data by allowing the z/OS agent to save audited data until the connection to the IBM Guardium system is restored. The
restoration of the communications link results in the flushing of the data space contents to the IBM Guardium system.
Use the OUTAGE_SPILL_AREA_SIZE keyword and parameter to indicate the size in megabytes to allocate for the spill area: OUTAGE_SPILL_AREA_SIZE(megabytes). If
you specify zero or omit this keyword, the spill area will not be allocated or used. The maximum value you can specify is 1024 MB.

You can turn off the auditing process that uses IMS SLDS records by specifying the IMSL_CYCLE_INTERVAL keyword with a value of zero.
For any IMS systems to be audited by this agent, you can disable audit events that are determined by reading IMS System Log Data Sets (SLDS). To disable the auditing
process that uses IMS SLDS records, specify the following keyword with the value of zero: IMSL_CYCLE_INTERVAL(0). The agent address space (AUIASTC) will not start
the IMS SLDS auditing address space (AUILSTC).

Controlling the frequency with which IMS System Log Data Sets are allocated and read
You can specify the frequency of IMS RECON data set queries by specifying the IMSL_CYCLE_INTERVAL keyword.
For the product to determine if any new, unread IMS System Log Data Sets LDS data sets have been created by the IMS Online system, the IMSL processing address space
(AUILSTC) periodically performs a query against the IMS RECON data sets, looking for new SLDS. This query is performed when the AUILSTC task is started, and then by
default, every 15 minutes. The frequency can be changed by providing a value in minutes by using the IMSL_CYCLE_INTERVAL keyword: IMSL_CYCLE_INTERVAL(time in
minutes)
A value of zero will cause the IMS SLDS auditing feature to be disabled.

To change the JCL member name AUILSTC, use the IMSL_PROC_NAME keyword.
AUILSTC is the name of the JCL that is used to audit data sets using IMS SLDS records. AUILSTC is provided in the product installation sample data set (SAUISAMP). If this
name conflicts with your site's naming convention standards, or if more than one agent is being used, you can change the name of this JCL.
Use the IMSL_PROC_NAME keyword to change the member name from AUILSTC to a name of your choice: IMSL_PROC_NAME(new name)
Ensure that this new JCL is in a procedure data set (PROCLIB) that allows the z/OS START command S taskname to be used.
Changing the types of events audited using IMS SLDS records

To audit some, instead of all event types, you can specify each event type to be audited by using the IMSL_AUDIT_LEVELS keyword.
When you enable auditing by using IMS SLDS records, the default is to provide auditing for all of the following event types:
IMS Online region starts and stops

Users sign on/sign off
Database Opens and Closes
PSB|DBD start, stop, lock, unlock, and DBDDUMP
To audit only some of these events, you can specify each event type to be audited using the IMSL_AUDIT_LEVELS keyword: IMSL_AUDIT_LEVELS
(ALL|CTL_STRT|USERS|DBOPN|DB_PSB).
This keyword governs the IMS SLDS auditing level for all IMS subsystems that are controlled by this agent. For example, if user signon/signoff is not included in the
IMSL_AUDIT_LEVELS parameter, then no signon or signoff events will be reported from any of the IMS environments that are audited using the agent.
Note: You can separate parameters for the collection of different event types. For example, to audit CTL_STRT and DBOPN events, include the CTL_STRT and DBOPN
records as follows:
IMSL_AUDIT_LEVELS(CTL_STRT)
IMSL_AUDIT_LEVELS(DBOPN)
instead of:
IMSL_AUDIT_LEVELS(CTL_STRT|DBOPN)
Use the AUIU_PROC_NAME keyword to change the member name from AUIUSTC to a name of your choice.
AUIUSTC is the name of the JCL that is used to build filtering criteria in E/CSA on all LPARS of the SYSPLEX. AUIUSTC is provided in the product installation sample data set
(SAUISAMP). If this name conflicts with your site's naming convention standards, or if more than one agent is being used, you can change the name of this JCL.
Use the AUIU_PROC_NAME keyword to change the member name from AUIUSTC to a name of your choice: AUIU_PROC_NAME(new name).
Ensure that this JCL resides in a procedure data set (PROCLIB) that allows the z/OS START command S taskname to be used.
Excluding DLI calls on specific LPARS from being audited

To stop the transmission of the AUIUSTC address spaces to all LPARs, the AUIU_EXCLUDE_LPAR keyword can be used to exclude specific LPARS from the target list of
eligible LPARS.
By default, the IBM Guardium S-TAP for IMS agent creates Common Memory Management address spaces (AUIUSTC) on all LPAR members of a SYSPLEX. This allocates
E/CSA memory, and inserts DLI call filtering criteria across all LPARS. A single agent monitors IMS control regions and DLI/DBB batch jobs running on any LPAR of the
SYSPLEX.

If you do not want to transmit the AUIUSTC address spaces to all LPARs, the AUIU_EXCLUDE_LPAR keyword can be used to exclude specific LPARS from the target list of
eligible LPARS: AUIU_EXCLUDE_LPAR(lpar1, lpar2â€¦lpar9)
The LPAR where the agent is running cannot be excluded. All other LPARS can be excluded by using the *ALL option in place of the LPAR name.
For example, AUIU_EXCLUDE_LPAR(*ALL).


If two or more IMS agents are running on one SYSPLEX, use the ADS_SHM_ID and ADS_LISTENER_PORT keywords to differentiate the shared memory segment and port
for each agent environment.
The agent address space (AUIASTC) and subordinate address spaces (AUIFSTC and AUILSTC) communicate by using a shared memory segment and communications
port. Multiple agents require multiple unique shared memory segments and port values to ensure correct inter-address space communications. If you need to have two or
more IBM Guardium S-TAP for IMS agents available on one SYSPLEX, the following keywords provide a method of uniquely identifying the shared memory segment and
port for each agent environment:
ADS_SHM_ID(100010)
ADS_LISTENER_PORT(16055)
Specification of the ADS_SHM_ID and ADS_LISTENER_PORT requires the addition of a //AUICONFG DD statement to the AUIFSTC and AUILSTC address space JCLs. This
DD statement should point to the same data set and member as the AUIASTC and AUIUSTC JCLs for the agent, to ensure that communications between all participant
address spaces use the correct memory object and ports.
See Customizing the agent by using agent parameter keywords for complete descriptions of all valid parameters, including the ADS_SHM_ID and ADS_LISTENER_PORT
keywords.
Restricting auditing to specific IMS systems when multiple IMS systems share RECON data
sets
If multiple unrelated IMS systems share RECON data sets, and you want to audit only on one or more specific IMS systems, use the keyword IMSNAME_EQ_IMSSSID(Y) to
isolate auditing to the desired IMS system.
The default option, IMSNAME_EQ_IMSSSID(N), causes only the IMS RECON data sets to be used when IBM Guardium S-TAP for IMS attempts to find and match IMS
systems to active audit policies.
Specifying IMSNAME_EQ_IMSSSID(Y) causes both the IMS RECON data sets, and the 8-byte IMS subsystem/DBCTL RSENAME to be used when IBM Guardium S-TAP for
IMS attempts to find and match IMS systems to active audit policies.
Consider the following example:
RECON data sets A.B.C1/C2/C3 contain information for IMSA and IMSB. Auditing is only desired for IMSB. Policy AUDIT_ALL is installed by using IMS appliance definition
MY_IMS, which references RECON data sets A.B.C1/C2/C3.
If subsystems IMSA and IMSB both use RECON data sets that are referenced by the policy, AUDIT_ALL, and associated with the IMS definition, MY_IMS, then both IMSA
and IMSB are audited when the default, IMSNAME_EQ_IMSSSID(N), is specified.
To restrict auditing to IMSB:
1. Specify IMSNAME_EQ_IMSSSID(Y) in the AUICONFG file.

2. Name the IMS definition in the appliance IMSB.
3. Relate policy AUDIT_ALL to IMSB.
As a result, IMSB is audited with the criteria that is set in policy AUDIT_ALL, and IMSA is not audited.
Note: DLI batch jobs (DLI/DBB) might not be tightly associated with an IMSID, therefore IBM Guardium S-TAP for IMS will report on all DLI batch jobs that use the audited
RECON data set. The IMSNAME_EQ_IMSSID parameter does not affect DLI/DBB batch job auditing.

You can use the System zÂ® Integrated Information Processor (zIIP) when running IBM Guardium S-TAP for IMS Control region address space, and in the agent address
space (AUIASTC). Use the ZIIP_AGENT_DLI keyword with the Y parameter to cause the agent to make a zIIP-enabled enclave SRB initialization attempt.
IMS control region

The following processes are moved to the zIIP in the IMS Online Control Region, pending redirection by the operating system:
DLI call filtering

IXGWRITE of audited DLI call data to the z/OS System Logger log stream
To use a zIIP in the IMS Online Control region, add a //AUIZIIP DD DUMMY to the IMS control region JCL.
Agent address space

The following processes are moved to the zIIP in the agent address space (AUIASTC), pending redirection by the operating system:

IXGBROWSE read of audited data from the z/OS System Logger log streams for both Online and Batch DLI calls
TCP/IP send of the data to the Guardium system
To use a zIIP in the agent address space, use the ZIIP_AGENT_DLI keyword with the Y parameter to the configuration file that is pointed to by the AUICONFG DD
statement in the agent JCL (AUIASTC).
Using multiple Guardium systems

You can configure multiple Security Guardium systems for automatic failover. By configuring one or more backup systems, you ensure continuous auditing capability. This
process is known as failover. You can also enable the streaming of audited data from one or more IBM Guardium S-TAP for IMS agents to up to 6 connected Security
Guardium systems. This process is known as multistreaming.
Providing Guardium system failover

You can specify up to five additional Guardium systems to be connected to the agent by using the APPLIANCE_SERVER_FAILOVER_x keyword, where x = a digit
between one and five.
Streaming to multiple Guardium systems
Multistream mode enables S-TAP audit events to be sent to multiple connected appliances. You can enable multistreaming to up to 6 IBM Guardium system
(APPLIANCE_SERVER + APPLIANCE_SERVER_MULTI_STREAM_n, where n can be 1 - 5).
When the HOT_FAILOVER feature is enabled by setting the APPLIANCE_SERVER_LIST parameter to HOT_FAILOVER, connections for each connected Guardium
appliance are kept active by pings. (The following connection types are kept active: DLIO, DLIB, SMF, IMSL, and MLOG.)
Providing Guardium system failover

You can specify up to five additional Guardium systems to be connected to the agent by using the APPLIANCE_SERVER_FAILOVER_x keyword, where x = a digit between
one and five.
The failover process

IBM Guardium S-TAP for IMS uses the concept of a single primary IBM Guardium system and multiple secondary backup systems.
When a primary IBM Guardium system goes offline, the IBM Guardium S-TAP for IMS agent automatically establishes a connection to a secondary IBM Guardium
system, and the audited data is sent to the secondary system.
When a primary IBM Guardium system comes back online, the IBM Guardium S-TAP for IMS agent detects it, and reestablishes the connection to the primary IBM
Guardium system and restarts, sending data to the primary system.
This allows the use of any IBM Guardium system as a short-term backup, while always attempting to use the primary system as the main data storage medium.
In the following example failover scenario, where none of the systems are online, the IBM Guardium S-TAP for IMS agent attempts to connect to the primary IBM
Guardium system at a regular interval and follows the usual failover logic if the primary IBM Guardium system is offline. A connection is reestablished to any of the
configured appliances as soon as one becomes available.
Enabling multiple system failover support

IBM Guardium S-TAP for IMS allows the specification of up to five additional IBM Guardium system to be connected to the agent. This feature provides failover protection,
which allows the agent to continue to send audited data to one of a number of backup IBM Guardium system in the event of a communication failure with the primary
system. You must use the APPLIANCE_SERVER keyword to enable this feature, because the IBM Guardium system that is referenced by this keyword is the primary
connection. You can specify additional IBM Guardium system by using the APPLIANCE_SERVER_FAILOVER_x keyword, where x = a digit from 1 to 5.
APPLIANCE_SERVER_FAILOVER_1(IP address 1)
APPLIANCE_SERVER_FAILOVER_2(host name 2)
APPLIANCE_SERVER_FAILOVER_5(host name 5)
Example failover scenario

Audit data flows to the primary IBM Guardium system, A.
The TCP/IP connection from the IBM Guardium S-TAP for IMS agent to the primary IBM Guardium system fails.
A connection is made to the secondary IBM Guardium system, B.
Audit data is now flowing to the secondary IBM Guardium system, B.
The TCP/IP connection from the IBM Guardium S-TAP for IMS agent to the primary IBM Guardium system is reestablished.
Audit data now flows to the primary IBM Guardium system, A.
The IBM Guardium S-TAP for IMS agent and IBM Guardium system B disconnect.
Parent topic: Using multiple Guardium systems
Streaming to multiple Guardium systems

Multistream mode enables S-TAP audit events to be sent to multiple connected appliances. You can enable multistreaming to up to 6 IBM Guardium system
(APPLIANCE_SERVER + APPLIANCE_SERVER_MULTI_STREAM_n, where n can be 1 - 5).
IBM Guardium S-TAP for IMS sends events to a single appliance until a ping occurs, or the number of records that is specified by MEGABUFFER_COUNT is reached.
Audited DLI events are distributed amongst additional appliances in a round-robin sequence.
To enable multistreaming, you must specify MULTI_STREAM when you configure the APPLIANCE_SERVER_LIST parameter. The APPLIANCE_SERVER and
APPLIANCE_SERVER_[MULTI_STREAM]_[1-5] parameters specify the appliances to which you intend to stream events. The appliance that is specified by
APPLIANCE_SERVER provides the policy that is used for event matching.
Enabling multistream support

Use the APPLIANCE_SERVER keyword to enable multistream support. The IBM Guardium system that is referenced by the APPLIANCE_SERVER keyword is the primary
connection, and it provides the policy used to match DLI events. You can specify additional appliances by using the APPLIANCE_SERVER_MULTI_STREAM_n keyword,
where n is a digit from 1 - 5.
Specify up to 5 additional IBM Guardium system IP addresses or host names. For example:
APPLIANCE_SERVER_MULTI_STREAM_1(IP address 1)
APPLIANCE_SERVER_MULTI_STREAM_2(host name 2)
APPLIANCE_SERVER_MULTI_STREAM_5(host name 5)

When the HOT_FAILOVER feature is enabled by setting the APPLIANCE_SERVER_LIST parameter to HOT_FAILOVER, connections for each connected GuardiumÂ®
appliance are kept active by pings. (The following connection types are kept active: DLIO, DLIB, SMF, IMSL, and MLOG.)
IBM Security Guardium S-TAP for IMS on z/OS agent reference information
The IBM Guardium S-TAP for IMS agent provides access to database and appliance services, in support of the product's remote clients. The agent also reads audited DLI
events placed in the z/OS System Logger log streams by the IMS Online and DLI/DBB batch Data collectors and sends the DLI events to the IBM Guardium system using
TCP/IP connections.

Use the following sample library members shipped with IBM Guardium S-TAP for IMS to install and configure the product.
Agent environment
The agent must be running before you can use product functions related to the IMS subsystems monitored by that agent.
APF authorization
For security, the agent must be APF-authorized before it can be run.
Agent job output
The primary output of the agent job consists of log messages written to the AUILOG DD. These messages provide status information about the ongoing operation of
the agent, and also record additional messages if errors occur.
Stopping the agent
When running on z/OS, the agent accepts standard z/OS /MODIFY and /STOP commands. When stopping the agent, all secondary address spaces controlled by the
agent will also receive a stop request.
Starting and stopping the secondary address spaces
This topic describes the /MODIFY commands to start and stop the secondary address spaces.

Use the following sample library members shipped with IBM Guardium S-TAP for IMS to install and configure the product.
Table 1. Sample library members

AUIAPPE DBD source DBD source statements, used to define the optional APP_EVENT DBD
V statements
AUIASTC JCL Primary agent address space JCL
AUICONF CONFIG Configuration file containing only the minimum required keywords
G
AUICONF CONFIG Configuration file containing all available keywords
X
AUICPMO JCL JCL to copy utility programs from SAUILOAD to SAUIIMOD data set
D
AUIEMAC MACRO Edit macro to facilitate changes to other sample library members
1
AUIFSTC JCL SMF data collection address space JCL

AUIFUSPL JCL JCL to create the SMF incomplete event spill file for an agent
AUILSTC JCL IMS archived log data collection address space JCL
AUILSTR1 JCL JCL to add CFRM structures for batch and online log streams to a CFRM policy
AUILSTR2 JCL JCL to add batch and online log streams to your CFRM environment
AUILSTR3 JCL JCL to add DASD-only log streams to your LOGR environment
AUIMIG1 JCL JCL used to assist in the upgrade from V9.0 to V10.1.3
0
AUIMLOG JCL JCL used to read the IMS RECONS, detect missing logs, and send notification to the Guardium system
AUIPING REXX EXEC EXEC used to determine the LPAR name, as found in the CVTSNAME field, and issue a PING to determine if the LPAR name is in the
network DNS table
AUISMFD JCL JCL sample, showing the creation of a GDG file base for SMF data collection
F
AUISMFD JCL JCL sample, showing the use of program IFASMFDP to filter SMF record types
P
AUITCPD JCL JCL used to generate a network diagnostic report
AUIUSTC JCL Common storage management utility address space JCL
Parent topic: IBM Security Guardium S-TAP for IMS on z/OS agent reference information
Agent environment
The agent must be running before you can use product functions related to the IMS subsystems monitored by that agent.
Important: Before the agent is started, system services should be started, and completely available for use. Examples of system services include JES, TCP/IP and the
associated DNS RESOLVER, XCF, and the z/OS System Logger.
APF authorization
For security, the agent must be APF-authorized before it can be run.
Agent job output

The primary output of the agent job consists of log messages written to the AUILOG DD. These messages provide status information about the ongoing operation of the
agent, and also record additional messages if errors occur.
In the event of exceptional conditions, additional messages might be written to the SYSOUT DD. If an abend occurs, dump information can be written to the CEEDUMP and
SYSUDUMP DDs, if they are supplied. That information can be used in diagnosis by product support.
Stopping the agent

When running on z/OS, the agent accepts standard z/OS /MODIFY and /STOP commands. When stopping the agent, all secondary address spaces controlled by the agent
will also receive a stop request.
Important: System services, such as but not limited to the following, should remain available for use until the agent has completed termination: JES, TCP/IP and
associated DNS RESOLVER, XCF and the z/OS System Logger.
From SDSF (or anywhere else that you can issue commands), you can issue one of these commands to the agent:
/STOP agent-job-name
This is the recommended command to use to stop the agent. It initiates a graceful agent shutdown, which causes the agent to:
1. Wait for all existing requests to finish.

2. Exit.
/MODIFY agent-job-name,STOP
Performs the same function as the /STOP agent-job-name command.
/MODIFY agent-job-name,FORCE
This initiates an agent hard stop which causes the agent to:
1. Initiate hard cancels on all running threads.

2. Exit as soon as the threads exit.
Note: Use of the FORCE option can result in DUMP-producing ABENDS.

Starting and stopping the secondary address spaces

This topic describes the /MODIFY commands to start and stop the secondary address spaces.
Commands to start and stop the SMF data collector address space

When the agent address space is started, secondary address spaces under the control of the agent may also be started. These include the SMF data collector address
space (SAUISAMP member AUIFSTC) which collects events using SMF log data as input and sends the events to the Guardium appliance. One IMS Archive Log event Data
collector (SAUISAMP member AUILSTC) is also started for each IMS with an active collection.
Note: The following commands should be used against the agent's primary address space.
/MODIFY <jobname>,START COLLECTOR SMF

/MODIFY <jobname>,STOP COLLECTOR SMF
Optionally, the STOP command may be used to stop the SMF address space:
/STOP <jobname>
Commands to start and stop the IMS Archive Log Data collector
There is no z/OS command to start the address space because the IMS Archive Log data collector address space is specific to an IMS definition with an active collection.
The AUILSTC address is started by the agent address space, or activation of a collection.
Stopping a specific AUILSTC address space requires the use of the /STOP <jobname>.<token> command. The <token> value to be used can be found during AUILSTC
startup in the AGENT JOBLOG.
In the following example, AAAAAAAC is the token value:
/S AUILRS22.AAAAAAAC
Or, when viewing the AUILSTC task in TSO SDFS, the token is displayed as the STEPNAME.
Data collection
The collection process involves the gathering of audit event data at run time. Specify various filtering criteria to capture all relevant events and limit the amount of data
that is collected and stored.
IBM Guardium S-TAP for IMS gathers audited events from the following sources:
IMS database DLI calls performed from within IMS Online Control regions and DLI/DBB batch jobs
SMF records
IMS Log records from IMS System Log Data Sets (SLDS).
A single policy containing selection criteria that indicates the events to be audited, is applied to each source.
IMS database DLI calls

IBM Guardium S-TAP for IMS can filter audit events generated by database DLI calls by the following call types: Read, Update, Insert, and Delete.
SMF records
IBM Guardium S-TAP for IMS allows the filtering of audit events generated by access methods outside of IMS DLI services, including z/OS access methods such as
VSAM or QSAM requests generated from z/OS batch jobs or TSO.
Records from IMS system log data sets (SLDS)
IBM Guardium S-TAP for IMS allows the filtering of audit events that are generated by IMS Online Control regions, which are logged to IMS log data sets and are
processed from within the AUILSTC started task.
Filtering stages
Stage 0, Stage 1, and Stage 2 filtering is available for Collector Agent audit event collection when processing DLI calls.
Policy pushdown
This topic describes the policy pushdown process of mapping policies to an IBM Guardium S-TAP for IMS collection profile.
IMS database DLI calls

IBM Guardium S-TAP for IMS can filter audit events generated by database DLI calls by the following call types: Read, Update, Insert, and Delete.
Note: Database DLI calls that do not result in a DBPCB status code of blanks, GA, or GK, are not audited unless the IMS policy indicates that one or more non-blank DLI
codes should be reported. DLI calls performed using an IOPCB or TPPCB are not audited.
Database DLI calls issued from specific PSBs and user IDs can be included or excluded from auditing. PSB names and user IDs can be specified for auditing using fully
qualified names, or by using wildcard characters.
Further filtering can be performed by including or excluding specific database and segment names. Wildcard support is available for both the database and segment name.
When auditing IMS DLI calls, you can obtain the concatenated key value of segments that are audited for all or specific database DLI calls, as well as the segment data for
UPDATE, and INSERT calls. The segment data can also be obtained for READ and UPDATE calls where these calls are logically linked in the Guardium appliance to provide
a before and after image of updated segments.
SMF records
IBM Guardium S-TAP for IMS allows the filtering of audit events generated by access methods outside of IMS DLI services, including z/OS access methods such as VSAM
or QSAM requests generated from z/OS batch jobs or TSO.
Some IMS Database Batch Utilities access IMS databases using access methods other the IMS Database DLI calls. As a result, the source of auditing records for these
batch jobs will be the SMF records produced.

These audit events are based on z/OS SMF records and are processed from within the AUIFSTC agent subtask. Policy criteria input for SMF data auditing is the same as for
IMS DLI calls, but because of the nature of the SMF data, it is used differently.
The following data is not relevant, and therefore not used:
DLI calls types

PSB names
Segment names
Database names are relevant because SMF data is based on data set names (part of the process that converts a policy to a filter, examines the IMS RECON data sets for
artifacts in the RECON which relate to the INCLUDED database). These artifacts include database data set names (DSG/AREA/ADS) and database image copy data sets for
each database data set. The AUIFSTC tasks also audit other IMS related data sets.
By default, these data sets have been included because changes to these data sets can have an effect on data integrity:
IMS RECON data sets

Logging data sets generated by IMS DLI/DBB batch jobs
SLDS/RLDS data sets
IMS Online log data sets (OLDS)
It is possible to ignore the auditing of these data set types, as well as the database image copy data sets, by adding a DUMMY DD statement to the AUIFSTC JCL.
This table lists the data sets and corresponding DD DUMMY statement to include in the AUIFSTC JCL if you want to exclude the auditing of each of these types.
Table 1. Data sets and DD DUMMY statements
Data set Type IMS RECONS IMS LOGS IMS OLDS DB Image Copies
DD NAME AUINRCN AUINLOG AUINOLD AUINICS
Specify filtering of SMF events at the agent level, using access type or security violation, with the use of the SMF_AUDIT_LEVELS keyword in the configuration file. The
keyword is pointed to by the AUICONFG DD statement of the agent (AUIASTC) JCL. Data set accesses to be audited are:
OPEN for Read/Update

Data set Alter/Create/Delete
Any security product (such as RACFÂ®) violations
The auditing of these accesses can be specified at the agent level (for example, all IMS systems defined to the agent), or at the IMS level. See the Changing the type of
events audited using SMF records section for more details.
Records from IMS system log data sets (SLDS)

IBM Guardium S-TAP for IMS allows the filtering of audit events that are generated by IMS Online Control regions, which are logged to IMS log data sets and are processed
from within the AUILSTC started task.
Policy criteria input for IMS Log data auditing is the same as for IMS DLI calls, but is used differently because of the nature of IMS log data:
DLI calls types are not relevant and therefore not used.
Segment names are not relevant and therefore not used.
PSB names are checked only when relevant to the event being examined.
User IDs are checked only when relevant to the event being examined.
DBD names are checked only when relevant to the event being examined.
In addition to filtering performed using the policy criteria, you can further filter IMS log data by event types, using the Guardium user interface. Using the
IMSL_AUDIT_LEVELS keyword, you can set specific events to be audited, including:
IMS Control Region Starts and Stops

USER signon and signoffs
Database OPEN/CLOSE
DBD and PSB STARTS/STOPS/LOCK/UNLOCK
Occurrences of the DB DBDUMP command can also be audited. Auditing of these events can be specified at the agent level (for example, all IMS systems defined to the
agent), or at the IMS level (for example, only for a specific IMS system). For more information, see Changing the types of events audited using IMS SLDS records.
Filtering stages
Stage 0, Stage 1, and Stage 2 filtering is available for Collector Agent audit event collection when processing DLI calls.
Filtering occurs at one or more of the stages, 0, 1, and 2, depending on what fields are included in your filter. As many audit events as possible are filtered at the earliest
possible stage (0, 1, or 2). You can control filtering performance by the fields you include in the rules for the active collection profile.
Stage 0 filtering
Stage 0 filtering occurs immediately after IMS executes the DLI call and it is determined that the call is a candidate for auditing, meaning one of the supported DLI
call types and blanks, or another acceptable DLI status code, is returned.
Stage 1 filtering
Stage 1 filtering occurs through the use of USERID and PSB name values.
Stage 2 filtering
Stage 2 filtering occurs through the use of a filtering program that is compiled at the time of policy installation, using the criteria specified in the policy.

Stage 0 filtering
Stage 0 filtering occurs immediately after IMS executes the DLI call and it is determined that the call is a candidate for auditing, meaning one of the supported DLI call
types and blanks, or another acceptable DLI status code, is returned.
IBM Guardium S-TAP for IMS checks for an active policy for the IMS subsystem and determines if any rules governed by the active policy require the auditing of the DLI
call type. If no policy is active, or no rules require the auditing of the DLI call type, processing control is returned to the application program. This is the most efficient form
of filtering and should be used when possible.
Consider this example, wherein an active policy contains three rules:
One rule only addresses INSERT requests.

The second rule only addresses DELETE requests.
The third rule only addresses UPDATE requests.
In this example, the READ DLI call is performed, and returns a status code of blanks. Since IBM Guardium S-TAP for IMS determines that no rules in the policy can
reference a READ, processing control returns to the application program.
If the event that the DLI call performed in the example was an INSERT request, Stage 1 filtering would be invoked.
Parent topic: Filtering stages
Stage 1 filtering
Stage 1 filtering occurs through the use of USERID and PSB name values.
For Stage 1 filtering to occur, all rules of the active policy must contain identical USERID and PSB name values. Any inconsistencies in these values between rules prevents
Stage 1 filtering from occurring.
Stage 1 filtering allows DLI calls that should be rejected, due to USERID or PSB name, to be excluded from the list of values to be audited. This can be due to the items not
being included, or being intentionally excluded.
The determination that the USERID or PSB is causing the DLI call to be rejected is made by call to the Stage 2 compiled filters. The call to the Stage 2 complied filters is
made when the USERID or PSB name of the current DLI call is not the same as the USERID or PSB name of the previous DLI call made in the same processing region.
In this example, the processing flow is demonstrated when discussing a BMP:
The first DLI call is made and passes through Stage 0 processing.
Stage 2 filtering is invoked, and it is determined that DLI calls from this USERID should not be audited. The DLI call is not audited, and control is returned to the
application program.
The next DLI call is made, and the USERID is the same as the previous DLI call in the region. The previous DLI call was not audited due to the USERID value,
therefore this DLI call will not be audited.
This process continues until the BMP STEP terminates with only one DLI call going through to Stage 2 filtering, and the remaining DLI calls are rejected during Stage
1 processing.
The same benefit can be seen with DLI and DBB batch jobs, because the USERID and PSB will not change during the execution step.
This process benefits online transactions and other processing threads where multiple DLI calls are performed from within a single unit-of-work, as well as when DLI calls
are performed using C and D IMS command codes where multiple segments are affected by a single DLI call and auditing might be required on more than one segment
within the hierarchical path.
Stage 2 filtering
Stage 2 filtering occurs through the use of a filtering program that is compiled at the time of policy installation, using the criteria specified in the policy.
All DLI calls that are not rejected by Stage 0 and Stage 1 filtering are processed by the compiled filter. The compiled filter determines if the DLI call is to be audited based
on all the policy criteria including DBD and segment name.
If the DLI call is to be audited, additional information is returned by the compiled filter, such as if the segment data and concatenated key should be included in the
audited data block.
Policy pushdown
This topic describes the policy pushdown process of mapping policies to an IBM Guardium S-TAP for IMS collection profile.
When the IBM Guardium S-TAP for IMS agent starts, it establishes a dedicated connection to the Guardium appliance for the reading of installed policies. Immediately
after the connection is established, any installed policies are pushed down to the IBM Guardium S-TAP for IMS agent by the Guardium appliance. The Guardium appliance
pushes down a full policy to all connected IBM Guardium S-TAP for IMS agents each time a policy is installed or uninstalled from the Guardium appliance.
Upon receipt of a policy, the IBM Guardium S-TAP for IMS agent compares the applicable rules with the existing collections, and performs a differential install.
Differential install
A differential install of the policy indicates that only policies that have been modified since the last install are acted upon.
The following processing occurs in the IBM Guardium S-TAP for IMS agent upon receipt of a policy:
The new policy is compared to the currently active policy if the new policy contains one or more rules.

If the policies are identical, no further processing is required.
If the new policy does not apply to this subsystem, processing continues without any changes.
If there is an active policy, the collection continues using it.
If no policy is active, none is started.
Creating and modifying IMS definitions

An IMS definition establishes a connection from your Guardium system to the IMS environment that you want to audit. To create and modify IMS definitions from the
Guardium system interface, the agent address space (AUIASTC) must have a preestablished connection to the Guardium system.
Navigating to the IMS Definitions panel

IMS definitions can be created, modified, and deleted from the IMS Definitions panel of the Guardium system interface.
IMS Definition fields
The following fields are available in the IMS Definitions panel for your use in definition an IMS entry. Required fields are indicated with an asterisk.
IMSPLEX data sharing and XRF considerations
When you are considering IMS data sharing and XRF systems, take the following IMSPLEX data sharing and XRF considerations into account.
Adding an IMS definition
Add an IMS definition to the IMS Definitions List to include a defined IMS environment in the list of environments to be audited.
Modifying an IMS definition
You can modify the attributes that are set for an IMS definition on the IMS Definitions List.
Deleting an IMS definition
Delete an IMS definition from the IMS Definitions List to remove the IMS entry from the list of IMS environments to be audited.
Navigating to the IMS Definitions panel

IMS definitions can be created, modified, and deleted from the IMS Definitions panel of the Guardium system interface.
Procedure
1. From the Administration Console tab, select the Local Taps menu.
2. Select the IMS Definitions option.
Parent topic: Creating and modifying IMS definitions
IMS Definition fields

The following fields are available in the IMS Definitions panel for your use in definition an IMS entry. Required fields are indicated with an asterisk.
IMS Name
*IMS Entry Name
A unique 1 - 8 character name to identify this IMS entry.
Description
An optional description of the IMS Entry.
*Agent Name
The name of the agent that audits this IMS entry.
RECONs
The RECON data set names are used to logically link the IMS definition, the active policy, the IMS Online Control region, and the DLI/DBB batch jobs that are running on
z/OS, to audit the correct IMS instances.
*RECON1 Data Set Name

The RECON1 data set name that is used by IMS on z/OS.
*RECON2 Data Set Name
RECON3 Data Set Name
IMS Data Sets

The IMS RESLIB data sets are used to determine the IMS release, during processing of the IMS System Log Data Sets (SLDS), using the AUILSTC address space. If more
than one data set name is required, the data set names can be delimited by a comma.
*RESLIB Data Set Names

A data set containing the IMS DFSVC000 module.
AUII050I Message Frequency
Message AUII050I provides the number of DLI calls that are considered for auditing, and the number of DLI calls that were audited, based on the auditing criteria of
the active policy. This message is produced based on the number of DLI calls that are considered, based on the following formula:
Number of DLI calls in thousands (K) or Millions (M)
or, by using both the formula and the time interval since the last AUII050I message was issued.

Example: If you provide values of 100K (Number of DLI calls = 100,000) and 0100 (time interval of 1 hour), message AUII050I is issued when 100,000 DLI calls
are seen by the product code, or by the 1 hour time interval, whichever comes first. The DLI counts and time interval reset when message AUII050I is issued.
Number of DLI calls

xxx K|M
Time Interval
HH:MM
Auditing Levels
Auditing levels can be set for both IMS Log and SMF events. For an explanation of the levels of auditing that are available for IMS Log and SMF events, see Configuration
overview for a description of the IMSL_AUDIT_LEVELS and SMF_AUDIT_LEVELS configuration keywords.
IMS LOG Events

Audit All IMS Log Events
Audit Control Region Starts/Stops
Audit User Signon/Signoff
Audit DBD Open/Close
Audit DBD/PSB/DUMP/START/STOP/LOCK/UNLOCK
SMF Events
Audit All SMF Events
Audit Dataset Open for Update
Audit Dataset Deletes
Audit Dataset Open for Read
Audit Dataset Create
Audit Dataset Alter
Audit Dataset RACFÂ® Violations
IMSPLEX data sharing and XRF considerations

When you are considering IMS data sharing and XRF systems, take the following IMSPLEX data sharing and XRF considerations into account.
IMSPLEX Data Sharing Considerations

Regardless of the number of LPARS that are involved, only one IMS definition is required in an IMS data sharing environment where all databases are shared by multiple
IMS subsystems.
In an IMS data sharing environment where only a subset of databases is shared, an IMS definition must be created for each IMS subsystem with nonshared databases to
be audited.
XRF Considerations
Only one IMS definition is required in an IMS XRF environment. IBM Security Guardium S-TAP for IMS on z/OS is not sensitive to which XRF partner is currently active. The
product continues to produce audit data in the event of an XRF ACTIVE/BACKUP switch.
Adding an IMS definition

Add an IMS definition to the IMS Definitions List to include a defined IMS environment in the list of environments to be audited.
Procedure
1. From the IMS Definitions List, select the Add symbol, indicated by a plus sign, to the list of defined IMS systems.
Enter the information in the IMS Definitions panel to define the new IMS environment to be audited.
2. Select Apply to save the new IMS definition.
Modifying an IMS definition

You can modify the attributes that are set for an IMS definition on the IMS Definitions List.
Procedure
1. Select the entry that you want to modify.
2. Modify the IMS definition fields.
3. Select Apply to save your changes.
Deleting an IMS definition

Delete an IMS definition from the IMS Definitions List to remove the IMS entry from the list of IMS environments to be audited.

About this task
IMS definitions can be deleted if no active IMS policies reference the IMS definition name. Only IMS definitions that are not part of an installed policy can be deleted.
Procedure
1. From the IMS Definitions List, select the IMS Definition that you want to delete.
2. Click the Delete icon.
Click OK in the confirmation message to confirm the IMS entry deletion.
This chapter provides IBM Guardium S-TAP for IMS reference information.
Data collection monitors

IBM Guardium S-TAP for IMS collects data from IMS online and batch activities, SMF, IMS archived logs, and IMS RECON data sets, by using the following internal
product monitors.
IMS Log types and SMF record types that are collected by IBM Guardium S-TAP for IMS
The following tables show the IMS log types and SMF records types and descriptions that are collected by IBM Guardium S-TAP for IMS.
Fields that are used for IMS policy pushdown
The following fields defined in the Guardium system Access Rule Definition panel are used by IBM Guardium S-TAP for IMS to create policies and rules. Use the
following information as a guideline.
Sizing the z/OS System Logger Log Stream for IBM Guardium S-TAP for IMS
Echoed XML statement definitions
IBM Guardium S-TAP for IMS echoes the XML statements that are produced by the Guardium appliance to represent an Audit Policy. These statements are issued
to a physical data set, agent AUILOG DD, or both, as determined by the XML_ECHO_DATASET and XML_ECHO_AUILOG parameters. This topic provides definitions
of all XML statements that could be echoed from the appliance by the S-TAP.
Data collection monitors

IBM Guardium S-TAP for IMS collects data from IMS online and batch activities, SMF, IMS archived logs, and IMS RECON data sets, by using the following internal product
monitors.
IMS Online Activity Monitor

The IMS Online Activity Monitor interfaces with IMS DL/I Language call analyzer module (DFSDLA00), and the IMS/VS Fast-Path Inter-region Communications
Controller module (DBFIRC10), in order to be sensitive to the DL/I call type, and to access the data that is necessary for producing an audited event. When an INIT
call is made to the IMS logger Exit routine (DFSFLGX0), interfaces to the IMS modules are activated, and they remain active until the DFSFLGX0 routine receives a
TERM notification.
For the activity monitor to be recognized by the IMS Online region, the IMS control region must be stopped and restarted with the SAUIIMOD data sets included as
the first data sets in the STEPLIB DD concatenation.
The IMS Online Activity Monitor and the agent communicate data collection criteria by using E/CSA control blocks. Determination of which DL/I calls and
databases/segments is made at the time the DL/I call is performed, by using information that is derived from the data collection policy that is created through the
IBM Guardium system's Access Rule definition process.
The z/OS System Logger transports the audit data from the IMS Online Activity Monitor to the agent. All IMS online systems that are controlled by an agent use the
same z/OS System Logger log stream. This z/OS system log stream is unique to the agent, and only contains audited events from IMS Online regions.
IMS Batch Activity Monitor
The IMS Batch Activity Monitor interfaces with IMS DL/I language call analyzer module (DFSDLA00) in order to identify the DL/I call type and data that is necessary
to produce an audited event. When the IMS Batch Exit routine (DFSISVI0) is invoked, the interface with the DL/I call analyzer is activated, and remains active until
the batch step terminates.
The IMS Batch Activity Monitor and the agent use E/CSA control blocks to communicate data collection criteria. The DLI calls and databases/segments
determination is made at the time the DL/I call is performed, by using information that is derived from the data collection policy, which is created on the IBM
Guardium system. The audit data from the IMS Batch Data Collector to the agent is transported through the z/OS System Logger.
All IMS batch jobs that are controlled by an agent use the same z/OS System Logger log stream. This z/OS system log stream is unique to the agent, and only
contains audited events from IMS Batch jobs.
IMS Online and Batch Data Collectors
The IMS Online and Batch Data Collectors run as separate threads under the control of the agent address space (AUIASTC). The function of the data collector is to
read audited events from the z/OS System Logger log stream, and send the events to the IBM Guardium system for storage by using a TCP/IP connection.
Each thread maintains its own persistent TCP/IP connection to the Guardium system.
SMF Data Collector
The SMF Data Collector reads a subset of SMF records from SMF memory dump data sets to determine whether data sets associated with audited IMS artifacts
were read, written, deleted, or renamed. Security violations against these data sets can also be reported.
IMS artifact associated data set types include database data sets, database image copy data sets, IMS log data sets (OLDS, SLDS and RLDS), and RECON data sets.
The list of IMS artifact data sets to be monitored during SMF data collection is derived from the data collection policy that is created through the IBM Guardium
system.
As the processing of the SMF data sets is deferred, the data collection policy in force at the time of the SMF data set READ is the collection policy used, not the data
collection policy in effect when the SMF event occurred. The names of the SMF memory dump data sets to be read is based on one or more SMF data set MASK
values that are supplied by the use of one or more SMF_DSN_MASK keywords in the agent configuration file (AUICONFG). The data set names to that the SMF MASK
refers reflects the SMF memory dump data sets that are created during offloading of the SMF recording data sets, or a copy of these data sets containing a subset of
SMF record types that are created explicitly for the use of this product.
Because an agent can monitor SMF events from all LPARS within a SYSPLEX, all SMF data sets to be read must be accessible from the LPAR on which the agent
runs. The SMF Data Collector periodically queries the z/OS catalog for new data set names that meet the SMF MASK value. When cataloged data sets are found,
these data sets are dynamically allocated and read by the SMF Data Collector. Auditable events that are found are formatted, and sent to the IBM Guardium system
by using a TCP/IP connection.

The SMF Data Collector creates and maintains its own TCP/IP connection to the IBM Guardium system. The frequency that the SMF Data Collector queries the z/OS
catalog is determined by the option you set during configuration of this product. The SMF Data Collector can be configured to audit only a subset of events by use of
available options when configuring the agent and defining the IMS appliance through the Guardium system interface. The SMF Data Collector is run as a started task
under the control of the agent. An example of the JCL for this started task can be found in the SAUISAMP data set in the AUIFSTC member.
Note: IBM Guardium S-TAP for IMS only reports audited events for SMF record types that are collected by SMF. If specific SMF record types are not collected by
your appliance or SMF recording data set memory dump utility, the event cannot be reported. Refer to the IMS Log types and SMF record types that are collected by
IBM Guardium S-TAP for IMS topic for a list of SMF record types that are used by IBM Guardium S-TAP for IMS.
IMS Archived Log Data Collector
The IMS Archived Log Data Collector reads IMS Archived Log data sets (SLDS) and provides audit information about the following actions:
IMS user signon and signoff

IMS online region starts and stops
Changes to the status of DBDs and PSBS within the IMS Online environment
The list of IMS artifacts to be monitored during IMS Archived Log collection is derived from the data collection policy you create, by using the Guardium system.
As the processing of the IMS Archived Log sets is deferred, the data collection policy in force at the time that the IMS Archived Log data sets are read is the
collection policy used (as opposed to the data collection policy in effect when the IMS Archived Log event as written to the IMS log data set).
The IMS Archived Log Collector periodically queries the DBRC RECON data sets that are associated with an IMS that is defined to IBM Guardium S-TAP for IMS to
determine if new SLDS data sets were created since the last RECON data set query. New data sets that are found are dynamically allocated and read. Audited
events are sent to the IBM Guardium system by using a TCP/IP connection.
The IMS Archive Log Data Collector can be configured to audit only a subset of events, by using the options available when configuring the agent and defining the
IMS appliance through the Guardium system interface. The IMS Archived Log Data Collector is run as a started task under the control of the agent. An example of
the JCL for this started task can be found in the SAUISAMP data set in the AUILSTC member.
IBM Guardium S-TAP for IMS starts one AUILSTC task for each set of RECON data sets that is actively monitored with a data collection policy.
If an IMS data sharing environment with five IMS subsystems that share a single set of RECON data sets exists, only one AUILSTC task is started.
If two separate IMS subsystems by using two separate sets of RECON data sets are being monitored, two separate AUILSTC tasks are started.
Note: To collect events from the IMS archived logs, the DFSSLOGP (Primary Output SLDS) data set must be created and cataloged by your IMS Log Archive
Utility process (program DFSUARC0).
IBM Guardium S-TAP for IMS dynamically starts and stops the appropriate number of AUILSTC tasks as required.
IMS Missing Log Utility
The IMS Missing Log Utility analyzes IMS RECON data sets to confirm the existence of SLDS/RLDS data sets. This function can be included or excluded, as well as
scheduled without regard to the execution cycle setting for the AUILSTC task. This utility is run by a job or started task (see SAUISAMP member AUIMLOG for an
example). It processes the RECON data sets of IMS systems with active policies audited by the agent and pointed to by the configuration member that is defined in
the AUICONFG DD statement in the AUIMLOG JCL. The IMS RECON data sets are analyzed in search of IMS SLDS and RLDS data sets. If these are found, the z/OS
appliance catalog is queried by using the SLDS/RLDS data set name. If the SLDS/RLDS data set is not found, a missing log event is sent to the IBM Guardium
system.
Note: The AUIMLOG utility must be run under the same user ID, and on the same LPAR, as the AUIASTC task.
Common Storage Management Utility
IBM Guardium S-TAP for IMS uses memory in E/CSA to provide information regarding active data collection policies to the IMS Batch and Online Activity Monitors.
An IBM Guardium S-TAP for IMS agent can be called to monitor IMS Online regions or DL/I batch jobs on many LPARS within a SYSPLEX. A started task is generated
for execution on all LPARS of a SYSPLEX to read all active data collection policies and build the appropriate E/CSA control blocks. This started task is run when the
IBM Guardium S-TAP for IMS agent starts and stops, as well as when a change is made to the state of any collection policy. An example of the JCL for this started
task can be found in the SAUISAMP data set in the AUIUSTC member.
The LPARs where the AUIUSTC task is run might be limited by adding the AUIU_EXCLUDE_LPAR keyword and LPAR names to the configuration file, which is
specified by the AUICONFG DD statement in the AUIASTC JCL.
IMS Log types and SMF record types that are collected by IBM Guardium S-TAP for IMS
The following tables show the IMS log types and SMF records types and descriptions that are collected by IBM Guardium S-TAP for IMS.
Table 1. IMS Logtypes collected by IBM Guardium S-TAP for IMS

Log type number IMS log type IMS log type description
06 IMS/VS Accounting Record X'06' IMS Online was started or stopped.
16 A /SIGN command was successfully completed. A /SIGN command successfully completed.
20 A database was opened. A database was opened.
21 A database was closed. A database was closed.
4C DB/PSB Activity Activity that is related to database or PSB processing
59xx DEDB ADS OPEN Log record DEDB area data set was opened.
5922 DEDB ADS CLOSE Log record DEDB area data set was closed.
5923 DEDB ADS STATUS Log record DEDB area data set status was changed.
SMF is used to obtain additional data set activity that is related to the monitored IMS databases and image copies.
Table 2. SMF record types and descriptions

SMF record Number Type
00 IPL record
14 INPUT or RDBACK data set activity
15 OUTPUT, UPDATE, INOUT, or OUTIN data set activity
17 Scratch data set status
18 Rename non-VSAM data set
30 Common address space work, accounting information
60 VSAM volume data set updated
61 ICF catalog entry define

SMF record Number Type
62 VSAM component or cluster opened
65 ICF delete activity
66 ICF alter activity
80 RACFÂ® operator record
89 Usage data
Note: When image copies are read, they are collected as SMF type 14. When image copies are written, they are collected as SMF type 15. Image copies are sequential
files, with some exceptions. If the image copy is opened as a VSAM file, the image copy is collected as SMF type 60.
Remember: IBM Guardium S-TAP for IMS can only report events that are being collected by SMF. If an SMF record type in this table is not being collected at your site, IBM
Guardium S-TAP for IMS cannot report that event.
Fields that are used for IMS policy pushdown

The following fields defined in the Guardium system Access Rule Definition panel are used by IBM Guardium S-TAP for IMS to create policies and rules. Use the following
information as a guideline.
Table 1. Fields that are used for IMS Policy pushdown

Label Hover text
Service Name IMS names to which this rule applies (case sensitive)
Application User INCLUDE/PSB or EXCLUDE/PSB
Database User INCLUDE/USERID or EXCLUDE/USERID
Object INCLUDE/read+update+delete+insert+data+image/DBNAME.SEGNAME or EXCLUDE/DBDNAME.SEGNAME
Service name/IMS name

Required.
Must be 1 -- 8 characters.
Mixed case is allowed, and field is case sensitive.
Wildcard characters are not allowed.
Application user/PSB
All typed characters should be folded to uppercase.
Supports % as a wildcard character. % matches zero or more characters.
Note: If the keyword EXCLUDE is used, at least one INCLUDE must also be specified.
Database user/User ID
Object/Target DB/Segment
database_name must be 1 -- 8 characters.
segment_name must be 1 -- 8 characters.
wildcard_pattern supports % as a wildcard character. % matches zero or more characters.
Note: You must specify at least one INCLUDE with at least one DLI call type. DBD and segment must also be specified.
DLI Call Code
Used to generate audit records for DLI calls that result in a non-blank status codes. Non-blank status codes can indicate that the DLI call failed or completed with a
warning.
The following DLI status codes can be audited:
FD
FW
GA
GB
GD
GE
GK
L2
LB
LS
NI
UC
US
UX
You can specify one or more DLI status codes.

For more information about DLI status codes, see the About DLI status codes information in the IBM Knowledge Center.
Audit
Used to limit the types of DLI calls to be audited.
NOHLVL causes audit information to be collected for only the target segment of a DLI Patch call (Command code C or D) instead of generating audit data for each
segment of the hierarchical path. This can reduce the volume of audited data that is sent to, and stored by, the Guardium appliance in cases where the target
segment concatenated key is sufficient for auditing purposes.
LTERM Filtering

By default, auditing is considered for any DLI call that has a blank/null LTERM (for example, from a BMP or other region type that does not present IMS with an
LTERM value). When an LTERM value or a group of LTERMs is specified, an option box is presented to enable you to turn off BLANK LTERM auditing. Turning off
BLANK LTERM auditing does not affect the auditing of BMPs; any other region types without an LTERM value are excluded from auditing.
Filtering DLI calls from specific IMS Region types
You can filter out DLI calls from specific IMS Region types. DLI calls that originate from one or more of these region types can be excluded from auditing
consideration:
AER
BMP
CICS
DBCTL
IFP
MPP
ODB
In the Guardium interface, click the pencil icon alongside the Region Types to Exclude field to open a set of check-boxes that enable you to remove regions from
auditing
Sizing the z/OS System Logger Log Stream for IBM Guardium S-TAP for IMS
This section details the process of sizing the z/OS System Logger Log Streams. The z/OS System Logger Log Stream is used to transport audited DLI call data from the IMS
control region or DLI/DBB batch jobs to the IBMÂ® GuardiumÂ® S-TAPÂ® for IMS agent (AUIAxxxx address space) where it is reformatted to a PROTOBUF protocol and sent
to the target Guardium appliance.
Calculating the Optimal Log Stream Size

Filtering by using the IMS POLICY from the Guardium appliance occurs in the IMS Control region, therefore only DLI calls that are to be audited are written to the
log stream(s).
Considerations
There are several variables that must be considered when sizing the log stream(s), including:
Using IBM Documentation
The System Logger Performance and Tuning section of the System Programmerâ€™s Guide to: z/OS System Logger provides a detailed description of the processes
that are needed to tune the System Logger for use with IBM Guardium S-TAP for IMS and other products.
Pertinent Report Fields
Some key fields provided in the System Logger Activity Report (IXGRPT1) are the BYT WRITTN TO INTERIM STORAGE, BYT WRITTN TO DASD, and STRUC FULL.
Additional Resources
IBM provides a spreadsheet utility to assist in the analysis of the log stream SMF88 data and provide suggestions on how to define the log stream for more efficient
use in your environment.
Calculating the Optimal Log Stream Size

Filtering by using the IMS POLICY from the Guardium appliance occurs in the IMS Control region, therefore only DLI calls that are to be audited are written to the log
stream(s).
For most users, the size of the log stream that is provided with the LS_SIZE parameter of the AUILSTR2/3 log stream definition member (LS_SIZE(100)) is appropriate to
use when auditing accesses to sensitive data or when auditing DLI calls performed by a group, or groups, of users who have access to all databases for diagnostic
purposes.
There might be instances where an LS_SIZE parameter value of 13500 (LS_SIZE(13500)) might be used, such as:
during product testing, or

when the number of audited DLI calls exceed twenty-five thousand DLI calls per second, or
when the audited DLI calls include large concatenated key or large segment fields, which can occur when the IMS POLICY includes the +DATA keyword in the
TARGET/DB INCLUDE filter statement
Note: Log stream sizing can be an iterative process. When attempting to audit many DLI calls, the CPU, memory, and disk storage capacity of the Guardium appliance
should be considered.
Parent topic: Sizing the z/OS System Logger Log Stream for IBM Guardium S-TAP for IMS
Considerations
There are several variables that must be considered when sizing the log stream(s), including:
the number of IXGWRITEs that are performed every second

the average number of bytes written, or average buffer size written with each IXGWRITE calls
the rate that the data is offloaded from the log stream
the number/rate of IXGDELETEs that are performed
The average number of IXGWRITEs that are performed and the average number of bytes/average buffer size is determined by the volume of audited DLI calls and the size
of the DLI call event data that is being captured.
IBMÂ® GuardiumÂ® S-TAPÂ® for IMS uses a set of 35K buffers to hold the audited DLI call data. Each buffer is written to the log stream when it fills to capacity, or every
five seconds. The time interval is used to ensure that audited DLI call data is sent to the Guardium appliance in a timely manner. Therefore, the frequency of IXGWRITEs
can vary greatly depending on the IMS Policy and databases that are being accessed.

The log stream offload process IBM Guardium S-TAP for IMSis performed by the agent address space (AUIAxxxx). The agent address space constantly polls the log stream
(once per second) looking for new data to process. When new data is found, the data is read by using the IXGBRWSE call. The data is formatted into a PROTOBUF protocol
and sent to the Guardium appliance by using TCP/IP. The IBM Guardium S-TAP for IMS agent will continually read and process log stream data until no new data exists, at
which time, polling every second will reoccur.
The log stream data is deleted by using the IXGDELETE call after every three blocks of data are successfully read and sent to the Guardium appliance. This ensures that
audited data is not lost in the event of a communication loss between the IBM Guardium S-TAP for IMS agent and the Guardium appliance.
Using IBM Documentation

The System Logger Performance and Tuning section of the System Programmerâ€™s Guide to: z/OS System Logger provides a detailed description of the processes that
are needed to tune the System Logger for use with IBMÂ® GuardiumÂ® S-TAPÂ® for IMS and other products.
You can perform an analysis of the performance and efficiency of the initial log stream size by running program IBM program IXGRPT1 and JCL IXGRPT2 found in
'SYS1.PROCLIBâ€™. This program uses the SMF88 records to help with log stream capacity planning.
SMF88 records can be collected by z/OS by providing the 88 value in the SMPRM parmlib member prior to a system IPL, or by using the z/OS command, â€œSET
SMF=xxâ€ (where xx is the suffix of the parmlib member).
Example:
SYS(TYPE(30,70:79,88,89,100,101,110)),
The IXGRPT1 utility will assemble sub-routine IXGRA1 and compile and link program IXGRPT1, which can be used to extract SMP88 records in preparation for analysis.
The IXGRPT2 JCL can be used to produce other SMP88/log stream reports.
Pertinent Report Fields

Some key fields provided in the System Logger Activity Report (IXGRPT1) are the BYT WRITTN TO INTERIM STORAGE, BYT WRITTN TO DASD, and STRUC FULL.
BYT WRITTN TO INTERIM STORAGE
The BYT WRITTN TO INTERIM STORAGE value (bytes written to interim storage) indicates the amount of data being written to the log stream during the SMP
interval. This value can provide insight as to the volume of data being written to the log stream.
BYT WRITTN TO DASD
The BYT WRITTN to DASD value (bytes written to DASD offload data sets) indicates the number of bytes that were written to the DASD offload/overflow VSAM data
sets.
This number indicates that the interim storage filled up, and in order to retain the data, a set of VSAM files are being used as overflow buffers. This number can rise
and fall during the day as the volume of audited DLI calls increase and decrease.
Some use of the overflow VSAM files can be acceptable because spikes in audited DLI call data can certainly be expected due to the nature of IMS POLICY filtering.
However, constant or extensive use of the VSAM overflow files indicate that the log stream should be sized larger.
STRC FULL
The STRC FULL (Structure Full) value indicates the number of times that the capacity of the CF structure was filled up without an offload occurring. This number
should be zero in a properly sized log stream. Structure such as this can indicate that the volume of data written exceeds the offload capability of the IMS STAP
agent to read, process, and delete audited data, and a larger structure size should be considered.
An abundance of Structure Full conditions will result in a degradation of performance when collecting audited DLI call data, and if not rectified, might result in data
loss. This condition might result in IXGWRITE 0866 errors being issued in the IMS Control region address space.
Additional Resources
IBM provides a spreadsheet utility to assist in the analysis of the log stream SMF88 data and provide suggestions on how to define the log stream for more efficient use in
your environment.
You can access the spreadsheet utility with the following link: ftp://www.redbooks.ibm.com/redbooks/SG246898. Read the disclaimer.txt file before using the tool.
Echoed XML statement definitions

IBMÂ® GuardiumÂ® S-TAPÂ® for IMS echoes the XML statements that are produced by the Guardium appliance to represent an Audit Policy. These statements are issued
to a physical data set, agent AUILOG DD, or both, as determined by the XML_ECHO_DATASET and XML_ECHO_AUILOG parameters. This topic provides definitions of all
XML statements that could be echoed from the appliance by the S-TAP.
XML convention
Start of tag data

=<tag_name>
End of tag data
=</tag_name>
Null/empty tag
=<tag_name/>
See Sample XML file for an example of the XML representation of a valid policy.
IMS-specific statements
Table 1. IMS-specific XML statements
XML statement Definition
<install-info> Beginning of relevant policy information.
<artifacts> Start of IMS definitions.
<ims> Start of individual IMS-specific information.
<name> Name of IMS as specified in the Guardium appliance policy.
<agent> Name of the agent to which IMS is connected.
<description> Appliance IMS description text.
<version> Currently a value of zero (0).
<plexname> Not populated.
<recons> Start of the IMS-specific RECON data set list.
<recon seq="1"> RECON1 data set name. DSN terminated by </recon>.
<reslibs> Start of IMS-specific RESLIB data sets.
<reslib seq="1"> RESLIB 1 in IMS STEPLIB concatenation. DSN terminated by </reslib>.
Log-specific statements
Table 2. Log-specific XML statements
<dbdlibs/> Not populated.
<psblibs/> Not populated.
<thresholds-050i> Start of message AUII050I message frequency parameters.
<max-count> Number of DLI calls needed to prompt message AUII050I.
<max-time> Max time interval (HHMM) between AUII050I messages.
<audit-levels> Start of IMS Logger and SMF auditing criteria.
<collector name="ims"> Start of IMS Logger auditing criteria. Terminated by </collector>.
<audit-level> Start of audit level criteria.
<signon-signoff value="true"/> Audit IMS user sign-ons and sign-offs.
<signon-signoff value="false"/> Do not audit IMS user sign-ons and sign-offs.
<start-stop value="true"/> Audit IMS Control Region starts and stops.
<start-stop value="false"/> Do not audit IMS Control Region starts and stops.
<db-open-close value "true"/> Audit DBD Opens and Closes.
<db-open-close value "false"/> Do not audit DBD Opens and Closes.
<dbd-psb value="true/" Audit DBD/PSB/Dump/Start/Stop/Lock/Unlock
<dbd-psb value="false/" Audit DBD/PSB/Dump/Start/Stop/Lock/Unlock
SMF-specific statements
Table 3. SMF-specific XML statements
<collector name="smf"> Start of SMF auditing criteria. Terminated by </collector>.
<audit-level> Start of audit-level criteria.
<read value="true"/> Audit data sets when they are opened with READ intent.
<read value="false"/> Do not audit data sets when they are opened with READ intent.
<update value="true"/> Audit data sets when opened with UPDATE intent.
<update value="false"/> Do not audit data sets when opened with UPDATE intent.
<delete value="true"/> Audit data set DELETEs.
<delete value="false"/> Do not audit data set DELETEs.
<create value="true"/> Audit data set CREATEs.
<create value="false"/> Do not audit data set CREATEs.
<alter value="true"/> Audit VSAM data set ALTERs.
<alter value="false"/> Do not audit VSAM data set ALTERs.
<racf-violations value "true"/> Audit RACF security violations against data sets.
<racf-violations value "false"/> Do not audit RACF security violations against data sets.
Policy-specific statements
Table 4. Policy-specific XML statements

<policies> Start of policy information.
<collection- Displays the rules defined to the policy. The collection profile policy name appears in the collection-specific statement <collection> for a given <ims>.
profile>
<name> Policy name. Naming convention is: policy_IMS_name.
<description> Concatenation of descriptions of all policies pushed to the appliance.
<rules> Start of individual policy rules.
<rule> Start of rule instance.
<active> Always a value of true.
<filters> Start of PSB/USERID/LTERM INCLUDES/EXCLUDES within the rule.
<psb-filter> PSB instance.
<name> Name of PSB to be audited or ignored.
<type> Value will be INCLUDE (audit) or EXCLUDE (ignore).
<lterm-filter> LTERM instance.
<name> LTERM to be audited or ignored.
Database/segment-specific statements
Table 5. Database/segment-specific XML statements
<targets> Start of DBD/SEGMENT instances within the rule.
<segment-target> Start of list of databases/segments to be INCLUDED/EXCLUDED.
<database-name> Database to be audited or ignored.
<segment-name> Segment to be audited or ignored.
<audit-get> INCLUDE DLI GET calls.
<audit-insert> INCLUDE DLI INSERT calls.
<audit-update> INCLUDE DLI UPDATE (REPL) calls.
<audit-delete> INCLUDE DLI DELETE (DLET) calls.
<capture-before-image> INCLUDE link between DLI GH and DLI REPL calls.
<capture-segment-data> INCLUDE segment data when segment is audited.
<hlvl-filter enabled="false"> Do not report hierarchical parent segment during DLI command calls.
<excluded-regions> Do not audit DLI calls from these region types.
Collection-specific statements
Table 6. Collection-specific XML statements
<collections> A grouping of the individual <collection> XML tags.
<ims> IMS name connection to the collection.
<agent-name> Agent name connection to the collection.
<name> IMS name connection to the collection.
<collection-profile> For each agent name and IMS name, IBM Guardium S-TAP for IMS establishes a connection to the collection profile.
<name> Constructed name of the policy (policy_IMS_NAME).
<dli-status-codes> Two-character DLI status codes to be audited. Terminated by FF value.
Quarantine information
Quarantine XML is only sent from the appliance when the quarantine is triggered by audited events that are sent to the appliance by the agent, and the quarantine is
deemed to be in effect. This causes AI status codes (error opening database) to be returned to the application program in the DLI Status code PCB field (DBPCBSTC), and
message AUIJ252W to appear in the IMS region or batch job.
Quarantine only works with full-function DLI calls because the AUI hook for Fast-Path occurs after the DLI call has completed. (The DLI call cannot be preempted.)
Table 7. Quarantine-specific XML statements

<quarantine-lists> Start of quarantine section.
<quarantine-list agent-name="xxxxxxxx" ims-name="yyyyyyyy"> > Agent and IMS name are affected.
<quarantine-item> Start of quarantine details.
<start-ts>yyyy-mm-dd-hh.mm.ss.000000 Quarantine start date/time.
<end-ts>yyyy-mm-dd-hh.mm.ss.000000 Quarantine end date/time.
<user-id> User ID to be quarantined.
Sample XML file

This is an example of a valid audit policy.
Additional causes of AUIA060W
Warning message AUIA060W can appear if the data set location is incorrect. Review these additional possible causes of the message if the explanation and
recommendation provided by AUIA060W do not resolve the warning.

Sample XML file
This is an example of a valid audit policy.
<install-info>
<artifacts>
<ims>
<name>IMSV14AH</name>
<agent>AUI15A</agent>
<description>IMS V14 Test IEACRX AUI10A27</description>
<version>0</version>
<plexname></plexname>
<recons>
<recon seq="1">IMSEA1.RECON1</recon>
</recons>
<reslibs>
<reslib seq="1">IMSEA1.SDFSRESL</reslib>
</reslibs>
<dbdlibs/>
<psblibs/>
<thresholds-050i>
<max-count>1K</max-count>
<max-time>0015</max-time>
</thresholds-050i>
<audit-levels>
<collector name="ims">
<audit-level>
<signon-signoff value="true"/>
<start-stop value="true"/>
<db-open-close value="true"/>
<dbd-psb value="true"/>
</audit-level>
</collector>
<collector name="smf">
<audit-level>
<read value="true"/>
<update value="true"/>
<delete value="true"/>
<create value="true"/>
<alter value="true"/>
<racf-violations value="true"/>
</audit-level>
</collector>
</audit-levels>
</ims>
</artifacts>
<policies>
<collection-profile>
<name>policy_IMSV14AH</name>
<description>---: Log Full Details With Values,Auv - Event All,IEA1_ALL_ST_AH</description>
<rules>
<rule>
<active>true</active>
<filters/>
<targets>
<segment-target>
<type>include</type>
<database-name>%</database-name>
<segment-name>%</segment-name>
<audit-get>true</audit-get>
<audit-insert>true</audit-insert>
<audit-update>true</audit-update>
<audit-delete>true</audit-delete>
<capture-before-image>false</capture-before-image>
<capture-segment-data>true</capture-segment-data>
</segment-target>
</targets>
<audit/>
<excluded-regions></excluded-regions>
</rule>
</rules>
</collection-profile>
</policies>
<collections>
<collection>
<ims>
<agent-name>AUI15A</agent-name>
<name>IMSV14AH</name>
</ims>
<collection-profile>
<name>policy_IMSV14AH</name>
</collection-profile>
<dli-status-codes>FDFWGAGBGDGEGKL2LBLSNIUCUSUXFFFF</dli-status-codes>
</collection>
</collections>
<quarantine-lists/>
</install-info>
Parent topic: Echoed XML statement definitions

Additional causes of AUIA060W
Warning message AUIA060W can appear if the data set location is incorrect. Review these additional possible causes of the message if the explanation and
recommendation provided by AUIA060W do not resolve the warning.
Data set: <LOCATION> in use

Explanation
An attempt to dynamically allocate the data set failed because the data set was in use by another process. This warning might be temporary. The agent retries the
data set 6 times in 3 seconds before skipping the policy XML echoing.
Response
If this message occurs several times without successful policy XML echoes, check to see that any running user report program is using the data set correctly or
whether a TSO user might be editing the data set.
A dynamic allocation error occurred. Data set <LOCATION>, info code: <info-code>, error code: <error-code>.
Explanation
An attempt to dynamically allocate the data set failed. The specified information and error codes reflect the return and reason codes from the z/OS dynamic
allocation services.
Response
Use the info code and error code to determine the cause of the dynamic allocation failure by referring to the z/OS MVS Programming: Authorized Assembler Services
Guide in the IBM Knowledge Center. Correct the error and restart the agent.
Catalog Search Interface: error RC = <rc>, RSN = <rsn>.

Explanation
Using the z/OS Catalog Search Interface routine, the agent attempted to analyze whether the data set is a Generation Data Group (GDG) data set or a non-VSAM
data set. An error occurred while calling the routine.
Response
Consult the Return Codes for General Purpose Register 15 section of the IBM Catalog Search Interface User's Guide in the IBM Knowledge Center. Contact IBM
Support if additional assistance is needed.
Data set "<LOCATION>" could not be deleted, info code: <code>, error code <code>.
Explanation
An attempt was made to delete and reallocate a non-VSAM non-GDG data set in the catalog.
Response
Ensure that the agent task has RACF (or other security product) authority to delete a data set that contains a high-level qualifier. Attempt to correct the security
problem and restart the agent. If the error persists, contact IBM Support and provide the info and error codes.
XML echo data set <LOCATION> is of an unsupported type

Explanation
Only non-VSAM and GDG base data sets are supported.
Response
Ensure that the data set type is either a non-VSAM data set or a Generation Data Group. Restart the agent.
Parent topic: Echoed XML statement definitions
Troubleshooting
Use the following topics to diagnose and correct problems that you experience with IBM Guardium S-TAP for IMS.
Messages and codes for IBM Security Guardium S-TAP for IMS on z/OS
Messages and codes for IBM Security Guardium S-TAP for IMS on z/OS
This information documents the messages and error codes issued by Security Guardium S-TAP for IMS. Messages are presented in ascending alphabetical and numerical
order.
Note: To set a z/OS message alert for messages that begin with AUII, or messages AUIJ250I and AUIJ252W, use single-dash formatting between the message number
and message text. For all other messages, use a double-dash. For example:
AUIT031I--Starting the command listener thread

Format most message alerts with double-dashes between the message number and message text.
AUII056I - ZIIP PROCESSING ENABLED FOR IMS STAP
Format message alerts for AUII*, AUIJ250I, and AUIJ252W with a single dash between the message number and message text.
Error messages and codes: AUIAxxxx

Error messages and codes: AUIBxxxx
Error messages and codes: AUIFxxxx
Error messages and codes: AUIGxxxx
Error messages and codes: AUIIxxxx
Error messages and codes: AUIJxxxx

Error messages and codes: AUILxxxx
Error messages and codes: AUIPxxxx
Error messages and codes: AUIRxxxx
Error messages and codes: AUITxxxx
Error messages and codes: AUIUxxxx
Error messages and codes: AUIXxxxx
Error messages and codes: AUIYxxxx
Error messages and codes: AUIZxxxx
Parent topic: Troubleshooting
Error messages and codes: AUIAxxxx

The following information is about error messages and codes that begin with AUIA.
AUIA003E
Address Space <name> failed to start successfully on <LPAR name>.
AUIA004E
Address Space <name> (<job number>) failed to stop successfully on <LPAR name> within the timeout period and was abandoned.
AUIA005I
Starting address space <name> on <LPAR name>.
AUIA006I
Address Space <name> (<job number>) is online on <LPAR name>.
AUIA007I
Stopping address space <name> (<job number>) on <LPAR name>.
AUIA008I
Address Space <name> (<job number>) on <LPAR name> is offline.
AUIA009E
Address space <name> is not active.
AUIA010E
Address Space <name> is already active.
AUIA021I
MODIFY command <command text> sent to Address Space <name>.
AUIA022I
<Collector name> collector is disabled: interval is set to <value>.
AUIA023I
<Collector name> collector is disabled: proc name for the collector address space has not been specified in the configuration.
AUIA024I
<Collector name> collector is disabled: not configured.
AUIA027E
Abend occurred while validating <log stream>. Abend code = <code>, RSN = <reason>.
AUIA028S
Agent agent-name on PLEX name for S-TAP version S-TAP version is already online. (ADS_SHM_ID=<Memory Segment ID>)
AUIA029I
collector collector is disabled: no Audit IMS Log Events are selected for IMS source IMS.
AUIA030I
collector collector started successfully.
AUIA031I
collector collector stopped successfully.
AUIA033I
(GDM) Attempting to establish link with the appliance.
AUIA034S
(GDM) An attempt to establish the link to the appliance failed.
AUIA035W
(GDM) Link failed over to a secondary appliance. [host=host, port=port]
AUIA036I
(GDM) Link to primary appliance established. [host=host, port=port]
AUIA037I
(GDM) Link to primary appliance restored. [host=host, port=port]
AUIA038S
(GDM) Link to the appliance lost.
AUIA041I
Guardium policy processing failed due to prior errors.
AUIA042W
The Guardium policy is not applicable.
AUIA043I
The Guardium policy reader thread started.
AUIA044I
The Guardium policy reader thread is terminating.
AUIA045I
The guardium policy reader thread is terminating due to prior errors.
AUIA048I
auiu_taskname is configured to start only on lpar-name.
AUIA049W
auiu_task_name is configured to not start on lpar_name but will be started on lpar_name because aui_agent_name runs on lpar_name
AUIA050W
auiu_task_name is configured to not start on lpar_name but no such system exists.
AUIA051I
auiu_task_name is configured to not start on lpar_name and will not be started on lpar_name.

AUIA052I
Discovered <plex-name> system <system-name>.
AUIA053I
Agent configuration option <option> has been updated to <value>.
AUIA054I
Agent configuration option <option> is set to <value>.
AUIA055I
The agent is waiting for start-up information from the appliance.
AUIA056I
Starting the agent collectors.
AUIA057I
Issuing request to capture agent status.
AUIA058I
Request to capture agent status has completed successfully.
AUIA059I
Policy XMl echo
AUIA060W
Policy XML echo to data set skipped: <MESSAGE> <LOCATION>
AUIA061I
Policy XML echo to data set <LOCATION> completed.
Parent topic: Messages and codes for IBM Security Guardium S-TAP for IMS on z/OS
AUIA003E Address Space <name> failed to start successfully on <LPAR name>.
Explanation
An attempt by the agent to start the named support address space has failed.
User response
Check the named address space logs to identify why it was not able to start. In most cases, this occurs if an address space with that name is already online, there was a
JCL error, or there was an issue resolving the loopback address host name. If further assistance is required, contact IBM Software Support.
Parent topic: Error messages and codes: AUIAxxxx
AUIA004E Address Space <name> (<job number>) failed to stop successfully on <LPAR name>
within the timeout period and was abandoned.
Explanation
The specified address space did not stop within the time out period and was consequently abandoned by the master address space.
User response
Check the named address space logs to identify why it did not stop. If further assistance is needed, contact IBMÂ® Software Support.
AUIA005I Starting address space <name> on <LPAR name>.
Explanation
The agent has automatically started the support address named.
User response
This is an informational message only.
AUIA006I Address Space <name> (<job number>) is online on <LPAR name>.
Explanation
The agent has successfully started the support address space named.
User response
AUIA007I Stopping address space <name> (<job number>) on <LPAR name>.

Explanation
The agent has automatically stopped the support address space named.
User response
AUIA008I Address Space <name> (<job number>) on <LPAR name> is offline.
Explanation
The named address space has successfully stopped.
User response
AUIA009E Address space <name> is not active.
Explanation
The specified address space that the master address space was attempting to control is not online.
User response
Correct and retry.
AUIA010E Address Space <name> is already active.
Explanation
This message indicates that the address space with the specified name is active already and was expected to be. This message occurs when starting the BATCH (or SMF)
collector if they are already running.
User response
Verify that the address space is already running. If the address space is not online and the message occurs, contact IBMÂ® Software Support.
AUIA021I MODIFY command <command text> sent to Address Space <name>.
Explanation
The MODIFY command <command text> sent to address space named.
User response
AUIA022I <Collector name> collector is disabled: interval is set to <value>.
Explanation
Named collector is disabled because the interval value is less than or equal to zero.
User response
If this was not intentional, fix the interval value and restart the agent address space.
AUIA023I <Collector name> collector is disabled: proc name for the collector address space
has not been specified in the configuration.

Explanation
The specified collector is disabled because the procedure name for the collector address space has not been specified in the configuration.
User response
To enable this collector, specify the procedure name for collector address space. If the procedure name is specified and this message still occurs, contact IBMÂ® Software
Support.
AUIA024I <Collector name> collector is disabled: not configured.
Explanation
The specified collector is disabled because it has not been configured.
User response
To enable this collector, configure it using the Guardium user interface. If the specified collector is configured and the message still occurs, contact IBMÂ® Software
Support.
AUIA027E Abend occurred while validating <log stream>. Abend code = <code>, RSN =
<reason>.
Explanation
The Log Stream log stream validation failed with abend code code and reason code reason.
User response
Contact IBM Software Support.
AUIA028S Agent agent-name on PLEX name for S-TAP version S-TAP version is already online.
(ADS_SHM_ID=<Memory Segment ID>)
Explanation
The specified agent is already online. Agent names must be unique per sysplex.
User response
Change the agent-name and restart the agent, or shut down the other agent.
AUIA029I collector collector is disabled: no Audit IMS Log Events are selected for IMS source
IMS.
Explanation
An Audit IMS Log Event must be selected for the IMS source IMS for the collector to be enabled.
User response
To enable the collector, select an Audit IMS Log Event for the IMS source.
AUIA030I collector collector started successfully.
Explanation
The specified collector started.
User response

AUIA031I collector collector stopped successfully.
Explanation
The specified collector stopped.
User response
AUIA033I (GDM) Attempting to establish link with the appliance.
Explanation
The agent is attempting to establish a connection to one of the appliances specified in the agent configuration.
User response
AUIA034S (GDM) An attempt to establish the link to the appliance failed.

Explanation
The agent could not establish a connection to any of the appliances specified in the configuration.
User response
Contact your network administrator or IBMÂ® Software Support.
AUIA035W (GDM) Link failed over to a secondary appliance. [host=host, port=port]
Explanation
The agent lost connection to the primary appliance and switched to the specified secondary appliance.
User response
AUIA036I (GDM) Link to primary appliance established. [host=host, port=port]
Explanation
The agent has connected to the specified primary appliance.
User response
AUIA037I (GDM) Link to primary appliance restored. [host=host, port=port]
Explanation
The agent has reconnected to the specified primary appliance.
User response
AUIA038S (GDM) Link to the appliance lost.
Explanation

All attempts to connect to the appliances specified in the configuration have failed.
System action
Any new policies defined in the appliance will not be pushed down to the IBMÂ® GuardiumÂ® S-TAPÂ® for IMS agent.
User response
Verify network connectivity to the appliance. Contact your network administrator or IBM Software Support.
AUIA041I GuardiumÂ® policy processing failed due to prior errors.
Explanation
The Guardium policies could not be processed.
User response
Check the log for previous errors.
AUIA042W The GuardiumÂ® policy is not applicable.
Explanation
One or more of the policy rules cannot be used by the current agent.
User response
Check the log for previous errors to determine why the policy is not applicable and fix the policy definition.
AUIA043I The GuardiumÂ® policy reader thread started.
Explanation
The Guardium policy reader thread started.
User response
AUIA044I The GuardiumÂ® policy reader thread is terminating.
Explanation
The Guardium policy reader thread is stopping.
User response
AUIA045I The guardium policy reader thread is terminating due to prior errors.
Explanation
The policy reader thread is stopping due to previously reported errors.
User response
Check the previously issued messages to determine why the policy reader is terminating.
AUIA048I auiu_taskname is configured to start only on lpar-name.
Explanation

The configuration file pointed to by the AUICONFG DD statement contains an AUIU_EXCLUDE_LPAR statement that has the *ALL parameter supplied as the excluded LPAR
name.
System action
The AUIUSTC task is scheduled only on the home LPAR where the agent is running.
User response
To schedule the AUIUSTC task for another LPAR, remove or correct the AUIU_EXCLUDE_LPAR statement.
AUIA049W auiu_task_name is configured to not start on lpar_name but will be started on

lpar_name because aui_agent_name runs on lpar_name
Explanation
The AUIU_EXCLUDE_LPAR configuration parameter, found in the AUICONFG SAMPLIB member, was used in an attempt to prevent the AUIU task from executing on the
LPAR named.
System action
The request to exclude this LPAR from AUIU processing is ignored because the specified LPAR is also where the agent is executing.
User response
Remove the LPAR name from the AUICONFG samplib memberâ€™s AUIU_EXCLUDE_LPAR parameter. The change will be implemented at the next restart of the agent.
AUIA050W auiu_task_name is configured to not start on lpar_name but no such system exists.
Explanation
The specified lpar_name has been included as part of the LPARS that are specified in the AUIU_EXCLUDE_LPAR configuration keyword. The specified lpar_name was not
found in the list of members of either the SYSJES or lpar_name XCF groups.
System action
Processing continues.
User response
This message might indicate that the lpar_name is not available or that there is an error in the specified lpar_name.
AUIA051I auiu_task_name is configured to not start on lpar_name and will not be started on
lpar_name.
Explanation
The AUIU_EXCLUDE_LPAR configuration, parameter found in the AUICONFG SAMPLIB member, was used in an attempt to prevent the AUIU task from executing on the
specified LPAR.
System action
An instance of the AUIU task is not routed to the excluded LPAR.
User response
None.
AUIA052I Discovered <plex-name> system <system-name>.
Explanation
This LPAR name was found as a member of the XCF group when performing a z/OS IXCQUERY on the PLEXNAME of SYSJES XCF GROUPS.
System action
Processing continues

User response
AUIA053I Agent configuration option <option> has been updated to <value>.
Explanation
This message indicates that command such as: /f AUIASTC,SET CONFIG <option> ON/OFF processed successfully.
User response
AUIA054I Agent configuration option <option> is set to <value>.
Explanation
This message indicates that command such as: /f AUIASTC,GET CONFIG <option> processed successfully.
User response
AUIA055I The agent is waiting for start-up information from the appliance.
Explanation
The agent has determined that there is no checkpoint information available for this agent in E/CSA, and is awaiting this data to be sent from the appliance.
System action
The agent waits up to 30 seconds for the checkpoint information, and if none is received, processing continues by using default checkpoint values, such as current blocks
from the z/OS log-streams, and SMF and SLDS data sets that were created no earlier than the previous day.
User response
AUIA056I Starting the agent collectors.
Explanation
The agent is starting the auditing threads.
System action
The agent starts the DLIO/DLIB/AUIL/AUIF auditing threads.
User response
AUIA057I Issuing request to capture agent status.
Explanation
A command, such as /f AUIASTC,STATUS, has been issued for processing.
User response
AUIA058I Request to capture agent status has completed successfully.

Explanation
A command, such as /f AUIASTC,STATUS has processed successfully.
User response
AUIA059I Policy XMl echo
Explanation
If the XML_ECHO_AUILOG(Y) keyword exists in the AUICONFG, this message will be followed by the echo of all active XML policies on the AUILOG.
System action
As an example, the first three lines of the echo appear as follows:
<?xml version="1.0" encoding="IBM-1047" standalone="yes"?>


<install-info>
User response
For more information, see Echoed XML statement definitions.
AUIA060W Policy XML echo to data set skipped: <MESSAGE> <LOCATION>
Explanation
The XML of the policy that was installed from the Security GuardiumÂ® system was not echoed to the specified location due to the specified message. If the
&Data_Set_Name parameter contains z/OS system variables, <LOCATION> reflects the data set name after symbol substitution has been done.
<MESSAGE> <LOCATION> can be:
The installed policy has not been changed. The echo is skipped if the newly installed policy has not changed since it was last installed.
The data set location is not valid. Incorrect use of a system symbol in the &Data_Set_Name parameter can invalidate the location. Additional requirements:
The data set name must not exceed 44 characters.
The segment length must be greater than zero and less than or equal to 8.
The first character in each segment must be a letter (A â€“ Z), #, @, $, or hyphen.
System action
User response
Correct the &Data_Set_Name parameter and restart the agent. If the error persists, see Additional causes of AUIA060W .
AUIA061I Policy XML echo to data set <LOCATION> completed.
Explanation
The agent has completed the XML echo of all active policies that were installed from the Security GuardiumÂ® system. <LOCATION> is the data set name specified by the
&Data_Set_name parameter of the XML_ECHO_DATASET keyword.
System action
The data set name reflects the z/OS system variable substitution and the Generation Data Group extension if either exists in the &Data_Set_name parameter.
User response
Error messages and codes: AUIBxxxx

The following information is about error messages and codes that begin with AUIB.
AUIB300I
CONNECTION TO z/OSÂ® SYSTEM type LOG STREAM WAS SUCCESSFUL - LOG STREAM NAME: log_stream_name, LOG STREAM TYPE: XCF-BASED|DASD_ONLY,
CHECKPOINT VALUE: check_point_value, CHECKPOINT PTR: address_of_checkpoint

AUIB302I
DRAIN REQUEST FOR type LOG STREAM HAS COMPLETED. LOG STREAM: name.
AUIB305I
DRAIN COMPLETE FOR LOG STREAM log-stream name
AUIB306E
INVALID RECORD FOUND IN log-stream LOG STREAM -RECORD IMAGE SNAPPED TO AUI$NAP DD
AUIB700I
type: LOGSTREAM CHECKPOINT INFORMATION - LOG STREAM NAME: log-stream-name - CHECKPOINT VALUE: check_point_value - LAST UPDATED (UTC):
date_time
AUIB300I CONNECTION TO z/OSÂ® SYSTEM type LOG STREAM WAS SUCCESSFUL - LOG
STREAM NAME: log_stream_name, LOG STREAM TYPE: XCF-BASED|DASD_ONLY, CHECKPOINT
VALUE: check_point_value, CHECKPOINT PTR: address_of_checkpoint
Explanation
The connection to the log-stream name (log_stream_name) configured to process log_stream_type events completed successfully.
System action
Processing continues
User response
Parent topic: Error messages and codes: AUIBxxxx
AUIB302I DRAIN REQUEST FOR type LOG STREAM HAS COMPLETED. LOG STREAM: name.
Explanation
A DRAIN request, which reads all data from the z/OSÂ® log stream, has completed.
System action
The AUIASTC tasks prepare to terminate.
User response
AUIB305I DRAIN COMPLETE FOR LOG STREAM log-stream name
Explanation
A DRAIN request used to flush read all existing events from the log-stream-name indicated has completed successfully
System action
The log-stream reader thread will start the termination phase.
User response
AUIB306E INVALID RECORD FOUND IN log-stream LOG STREAM -RECORD IMAGE SNAPPED
TO AUI$NAP DD
Explanation
When reading DLI call audit records from the z/OS System log stream, a malformed audit record was encountered or the version of the audit record was not recognized.
System action
Processing continues after writing a SNAP/DUMP of the offending record to the AUI$NAP DD.
User response

First, verify that the S-TAP version that is running in the IMS Control Region and/or Batch Region is the same as is running in the agent. If adjusting the version does not
resolve the issue, forward the AUI$NAP output to IBM Software Support.
AUIB700I type: LOGSTREAM CHECKPOINT INFORMATION - LOG STREAM NAME: log-stream-

name - CHECKPOINT VALUE: check_point_value - LAST UPDATED (UTC): date_time
Explanation
This message provides the highest block ID for the log stream. This is used as the starting checkpoint for processing data from this log stream.
System action
User response
Error messages and codes: AUIFxxxx

The following information is about error messages and codes that begin with AUIF.
AUIF002I
SMF log reader interval set to <n> minutes.
AUIF003E
Command <command> failed; interval value must be between <lower-bound> and <upper-bound>.
AUIF501I
NO NEW CATALOGED SMF DATA SETS FOUND FOR SMF MASK: smf_mask_value
AUIF502I
PROCESSING SMF DATA SET: smf_data_set_name
AUIF503I
PROCESSING COMPLETE FOR SMF DATA SET: smf_data_set_name
AUIF505I
SMF AUDITING IS DISABLED AT THE AGENT LEVEL
AUIF506I
SMF AUDITING IS DISABLED AT THE IMS LEVEL. IMS NAME: ims_name
AUIF507E
PROCESSING FAILED FOR SMF DATA SET: data set name
AUIF508I
SCANNING RECON DATA SETS FOR IMS ARTIFACT DATA SETS. RECON1: recon1_dsn RECON2: recon2_dsn RECON3: recon3_dsn
AUIF702I
SMF MASK CHECKPOINT INFORMATION - MASK VALUE : SMF_mask - LAST DSN READ: SMF_dsn - LAST UPDATED (UTC): date_time
AUIF002I SMF log reader interval set to <n> minutes.
Explanation
The subtask that reads event data from SMF log data sets is scheduled to perform every <n> minutes.
User response
Parent topic: Error messages and codes: AUIFxxxx
AUIF003E Command <command> failed; interval value must be between <lower-bound> and
<upper-bound>.
Explanation
This message indicates that <command> such as:
/f AUIASTC,SET INTERVAL <number>
failed because of incorrect <number> value. Correct value must be between <lower-bound> and <upper-bound>.
User response
Use an interval value between <lower-bound> and <upper-bound>. If that does not resolve the issue, contact IBMÂ® Software Support.

AUIF501I NO NEW CATALOGED SMF DATA SETS FOUND FOR SMF MASK: smf_mask_value
Explanation
When scanning the z/OSÂ® catalog for new data sets that meet the indicated SMF mask value (smf_mask_value) and have not been processed by the product, it was
determined that no z/OS data sets meet that criteria.
System action
The process will continue to examine other SMF Mask values.
User response
AUIF502I PROCESSING SMF DATA SET: smf_data_set_name
Explanation
Processing has started for a SMF data set.
System action
Events will be obtained from the SMF data set based on collection profile criteria.
User response
None.
AUIF503I PROCESSING COMPLETE FOR SMF DATA SET: smf_data_set_name
Explanation
Processing of the SMF data set has completed.
System action
Processing continues with other candidate SMF data sets.
User response
AUIF505I SMF AUDITING IS DISABLED AT THE AGENT LEVEL
Explanation
Auditing of SMF events has been disabled at the agent level, as instructed by the settings chosen in the Guardium user interface.
System action
The auditing of events sourced from SMF data sets is not performed.
User response
AUIF506I SMF AUDITING IS DISABLED AT THE IMS LEVEL. IMS NAME: ims_name
Explanation
Auditing of SMF events has been disabled at the IMS level for the IMS named (ims_name) by use of the Guardium interface and the IMS Auditing Levels editor.
System action
The auditing of events sourced from SMF for the IMS named is not performed.

User response
If this is a desired action, then no response is needed. If SMF events should be audited for this IMS, then the IMS configuration should be modified by using the Guardium
interface and the IMS Auditing Levels to select any or all SMF events you want to audit.
AUIF507E PROCESSING FAILED FOR SMF DATA SET: data set name
Explanation
Processing failed during the reading of the data set, specified by name in the message text.
System action
The collection process terminates.
User response
Determine the cause of the failure and correct it by reviewing previously issued S-TAP and z/OS messages.
AUIF508I SCANNING RECON DATA SETS FOR IMS ARTIFACT DATA SETS. RECON1: recon1_dsn
RECON2: recon2_dsn RECON3: recon3_dsn
Explanation
The AUIFSTC task has started to scan the RECON data sets looking for database data sets, Image copy data sets and optionally IMS SLDS to be audited using SMF records.
System action
The RECON data sets are read using the specified DSN.
User response
AUIF702I SMF MASK CHECKPOINT INFORMATION - MASK VALUE : SMF_mask - LAST DSN
READ: SMF_dsn - LAST UPDATED (UTC): date_time
Explanation
This message provides the SMF data set mask (SMF_mask) and the last SMF data set read (SMF_dsn) that matched that mask. This information is used as a checkpoint to
indicate which SMF data sets have already been processed, and should not be re-read by the AUIFstc tasks.
System action
User response
Error messages and codes: AUIGxxxx

The following information is about error messages and codes that begin with AUIG.
AUIG001S
An unexpected error occurred (/path/to/file.c, linenum).
AUIG002S
An unexpected error occurred with token "token1" (/path/to/file.c,linenum).
AUIG003S
An unexpected error occurred with tokens "token1" and "token2" (/path/to/file.c,linenum).
AUIG004S
An unexpected error occurred with tokens "token1", "token2", "token3", and "token4" (/path/to/file.c,linenum).
AUIG005S
An unexpected error occurred with tokens "token1", "token2", and "token3" (/path/to/file.c,linenum).
AUIG006S
An unexpected error occurred with tokens "token1" and "token2" (/path/to/file.c,linenum).
AUIG014E
dataspace create return code = return-code-hex, reason = reason-code-hex

AUIG015W
MALLOC: big alloc coming memory_size from GDM Read Buffer
AUIG016S
MALLOC: zero alloc from <site>.
AUIG017S
MALLOC: negative malloc memory size at site site.
AUIG018S
MALLOC failed, got NULL for size <memory_size> at site <site>.
AUIG045E
Write failed, sd=bbbb desired write len length buffer at address, ret code xxxx reason 0xyyyyzzzz
AUIG046E
Failure to resolve address for host 'HOST', ret code return-code, reason hex-value.
AUIG047E
Set sockopt failed, level = hex-value, option = hex-value, ret code return-code, reason hex-value.
AUIG048E
Get sockopt failed, ret code return-code, reason hex-value.
AUIG049E
BPXFCT failed, ret code <return-code>; reason <reason-code>.
AUIG050E
Read failed ret code xxxx reason 0xzzzzzzzz
AUIG051I
TCP write disabled
AUIG052I
Write to megabuffer disabled
AUIG053I
Unexpected payload received <hexadecimal string>. Payload ignored.
AUIGF120I
Trace Settings: Compilation 0, Requested Runtime 0, ECSA Flag 32, Actual Runtime 0...
AUIGF201I
Valid stage zero filter criteria found.
AUIGF202I
No valid stage zero filter criteria found.
AUIG001S An unexpected error occurred (/path/to/file.c, linenum).
Explanation
An unknown and unexpected internal error occurred in the product due to the specified tokens.
User response
Parent topic: Error messages and codes: AUIGxxxx
AUIG002S An unexpected error occurred with token "token1" (/path/to/file.c,linenum).
Explanation
User response
AUIG003S An unexpected error occurred with tokens "token1" and "token2"

(/path/to/file.c,linenum).
Explanation
User response
AUIG004S An unexpected error occurred with tokens "token1", "token2", "token3", and
"token4" (/path/to/file.c,linenum).

Explanation
User response
Contact IBMÂ® Software Support
AUIG005S An unexpected error occurred with tokens "token1", "token2", and "token3"
Explanation
User response
AUIG006S An unexpected error occurred with tokens "token1" and "token2"

Explanation
User response
AUIG014E dataspace create return code = return-code-hex, reason = reason-code-hex
Explanation
An attempt to create a data space for spill usage has failed. Spill capability might not be available.
User response
Examine the return code and reason code, and take appropriate action to ensure that data spaces can be created.
AUIG015W MALLOC: big alloc coming memory_size from GDM Read Buffer
Explanation
More than 10,485,760 bytes was required in order to process collection policies pushed from the Security GuardiumÂ® system.
System action
User response
AUIG016S MALLOC: zero alloc from <site>.
Explanation
Zero bytes was required in order to process collection policies pushed from the Security GuardiumÂ® system.
User response

AUIG017S MALLOC: negative malloc memory size at site site.
Explanation
Negative number of bytes required in order to process collection policies pushed from the Security GuardiumÂ® system.
User response
AUIG018S MALLOC failed, got NULL for size <memory_size> at site <site>.
Explanation
Attempt to allocate memory failed.
User response
AUIG045E Write failed, sd=bbbb desired write len length buffer at address, ret code xxxx
reason 0xyyyyzzzz
Explanation
An attempt to read or write to a socket has failed. This error might occur if Security GuardiumÂ® S-TAPÂ® for IMS is connected to a peer that is offline.
System action
The system attempts to reestablish the connection to the peer in order to read or write the data.
User response
Identify the cause of the failure by using the z/OSÂ® UNIX System Services Messages and Codes SA23-2284-xx manual to look up the return and return codes that are
provided in the message text, where bbbb is an internal code, xxxx is the return code, and yyyyzzzz is the reason code. Use the zzzz value to determine the error code, as
described in the Reason codes (errnojrs) section of the z/OS UNIX System Services Messages and Codes manual.
AUIG046E Failure to resolve address for host 'HOST', ret code return-code, reason hex-value.
Explanation
An attempt to resolve the given hostname failed.
User response
Verify that the hostname is specified correctly and is resolvable. Contact IBMÂ® Software Support if hostname is correct and resolvable.
AUIG047E Set sockopt failed, level = hex-value, option = hex-value, ret code return-code,
reason hex-value.
Explanation
An attempt to set a socket option failed.
User response
AUIG048E Get sockopt failed, ret code return-code, reason hex-value.
Explanation
An attempt to set a socket option failed.

User response
AUIG049E BPXFCT failed, ret code <return-code>; reason <reason-code>.
Explanation
The system BPXFCT call failed while attempting to set socket blocking mode.
User response
See the MVS Programming: Authorized Assembler Services Guide for more information about the specified information and error codes.
AUIG050E Read failed ret code xxxx reason 0xzzzzzzzz
Explanation
An attempt to read or write to a socket has failed. This error might occur if Security GuardiumÂ® S-TAPÂ® for IMS is connected to a peer that is offline.
System action
The system attempts to reestablish the connection to the peer in order to read or write the data.
User response
Identify the cause of the failure by using the z/OS USS Return Codes and Reason Codes to look up the return and reason codes that are provided in the message text,
where xxxx is the return code and zzzzzzzz is the reason code.
AUIG051I TCP write disabled
Explanation
TCP/IP processing has been disabled.
System action
The Guardium appliance will not receive data.
User response
AUIG052I Write to megabuffer disabled
Explanation
TCP/IP buffer has been disabled.
System action
User response
AUIG053I Unexpected payload received <hexadecimal string>. Payload ignored.
Explanation
An unexpected string of data was received by the Security GuardiumÂ® S-TAPÂ® for IMS agent from the Guardium appliance or associated firewall. The string does not
conform to the format that is normally associated with a pushed-down policy or other expected data.
System action

The string is ignored and normal processing continues.
User response
If this message appears occasionally, no action is required. If this message appears frequently, contact IBM Support to diagnose whether a problem exists with the
Guardium appliance or firewall.
AUIGF120I Trace Settings: Compilation 0, Requested Runtime 0, ECSA Flag 32, Actual
Runtime 0...
Explanation
This message is produced during the compilation of a filter, using the policy information that was specified.
System action
User response
AUIGF201I Valid stage zero filter criteria found.
Explanation
The collection profile compilation process found that the collection profile criteria will allow for Stage zero filtering of IMS DLI events based on USERIDs or PSB names.
System action
User response
AUIGF202I No valid stage zero filter criteria found.
Explanation
The collection profile compilation process found that the collection profile criteria is not conducive to providing Stage 0 filtering for IMS DLI events. The reasons may
include:
No USERIDS or PSBS were specified in the selection criteria.

Multiple RULES were defined and differences in the USERID and/or PSB specifications in each rule were different.
System action
Processing continues without Stage Zero filtering capability.
User response
If Stage 0 filtering is desired, adjust the USERID and PSB specifications in each rule to be the same.
Error messages and codes: AUIIxxxx

The following information is about error messages and codes that begin with AUII.
Note: To set a z/OS message alert for messages that begin with AUII, use single-dash formatting between the message number and message text. For example:
AUII056I
- ZIIP PROCESSING ENABLED FOR IMS STAP
AUII017I
S-TAPÂ® for V10.1.3 initialization complete using RECON1 DSN: recon1_dsn
AUII018E
IBMÂ® Security GuardiumÂ® S-TAP for IMS on z/OSÂ® initialization failed
AUII019E
IBM Security Guardium S-TAP for IMS on z/OS termination failed
AUII020E
UNABLE TO FIND RECON1 DATA SET NAME

AUII021E
BLDL FAILED FOR ACTION MODULE module_name
AUII022E
INSUFFICENT STORAGE AVAILABLE FOR module_name ACTION MODULE (stg_type)
AUII023E
IMODULE DIRLOAD FAILED FOR ACTION MODULE module_name
AUII024E
Unable to locate IMS SCD address.
AUII025E
Unable to locate IMS SSCD Extension address.
AUII026E
UNABLE TO LOCATE THIS IMS SSCT ADDRESS
AUII027E
INSUFFICIENT STORAGE AVAILABLE FOR AUIPLOG CONTROL BLOCK
AUII028E
IMODULE LOAD OF ACTION MODULE module_name FAILED
AUII029E
DFSTCBTB LOCATE SERVICE CALL FAILED
AUII031E
STAP FOR IMS INTERNAL LOGIC ERROR (rc)
AUII038E
ITASK CREATE FOR ACTION MODULE module_name FAILED
AUII040E
ODBA LOAD OF DFSISSI0 FAILED
AUII041E
ODBA HOOK POINT NOT FOUND (module_name)
AUII042W
ZIIP PROCESSOR NOT AVAILABLE ON THIS LPAR
AUII043W
THIS IMS IS NOT CONNECTED TO WORKLOAD MANAGER
AUII044E
ZIIP PROCESSING REQUEST HAS BEEN REJECTED
AUII046E
NAME/TOKEN SERVICE service-name SERVICE FAILED (name value)
AUII049E
DEDB CALL ANALYSIS INIT FAILURE RC = return code
AUII050I
S-TAP FOR IMS AUDIT STATISTICS
AUII052I
USING IMS STAP V10.1.3 MODULE Module_name APAR# Build_date
AUII055I
ZIIP PROCESSING HAS BEEN REQUESTED FOR IMS STAP
AUII056I
ZIIP PROCESSING ENABLED FOR IMS STAP
AUII057I
process_type PROCESSING FAILED RC: return_code RSN: reason_code
AUII058A
STAP FOR IMS COMPONENT HAS ABENDED
AUII060W
Potential waited PST=xxxxxxxx (PST# = yyyy)
AUII061I
Potential Waited PST xxxxxxxx (PST#= zzzz) RELEASED.
AUII120I
NO COLLECTIONS ACTIVE FOR THIS IMS INSTANCE
AUII172I
AUIprogram LOADED EXIT imsexit FROM DATA SET: data set name
AUII173E
IMS RELEASE ims-vrl IS NOT SUPPORTED
AUII174E
LOAD OF SERVICE MODULE module_name FAILED RC = return_code
AUII175I
NON_ZERO RC FROM EXIT exit_name: RC = return_code
AUII176E
module_name service_type SERVICE ERROR: RC: return_code RS: reason_code
AUII177E
module_name FOUND WITH RENT/REUS ATTRIBUTE IN NON_APF ENVIRONMENT
AUII178E
DATA SET NAME: dsn
AUII017I S-TAPÂ® for V10.1.3 initialization complete using RECON1 DSN: recon1_dsn
Explanation
IBMÂ® GuardiumÂ® S-TAP for IMS has initialized in the DLI/DBB batch job or IMS control region environment. For successful auditing to occur, the RECON1 DSN indicated
in this message should match the RECON1 DSN associated with the IMS definition you have created.

User response
Parent topic: Error messages and codes: AUIIxxxx
AUII018E IBMÂ® Security GuardiumÂ® S-TAPÂ® for IMS on z/OSÂ® initialization failed
Explanation
IBM Guardium S-TAP for IMS was unable to initialize in this IMS Control region. The monitoring of IMS databases will not occur.
System action
IMS processing continues without auditing capabilities.
User response
Examine the JES log for other messages to determine the reason for the initialization failure.
AUII019E IBMÂ® Security GuardiumÂ® S-TAPÂ® for IMS on z/OSÂ® termination failed
Explanation
IBM Guardium S-TAP for IMS was unable to terminate cleanly.
System action
The termination of the IMS online region of DLI/DBB batch job step continues.
User response
This error indicates that an environmental error has occurred. Examine the JES log for other AUI messages to determine the reason for the termination failure.
AUII020E UNABLE TO FIND RECON1 DATA SET NAME
Explanation
An attempt to find the RECON1 data set name used by the IMS Online control region or DLI/DBB batch job step has failed. The RECON1 data set name is critical to the
determination of the collection profile used to audit IMS events.
System action
IMS processing continues without the IMS auditing feature.
User response
Determine why the RECON1 data set name is not available for this IMS control region or DLI/DBB batch job step. An in-stream RECON1 DD statement must be present in
the JCL, or a RECON1 MDALIB member being present in the JOB/STEPLIB DD concatenation is required.
AUII021E BLDL FAILED FOR ACTION MODULE module_name
Explanation
An attempt to find a required processing module (module_name) has failed.
System action
IMS processing continues without auditing.
User response
Examine the STEPLIB/JOBLIB DD concatenation to ensure the SAUIIMOD product data set is included.
AUII022E INSUFFICENT STORAGE AVAILABLE FOR module_name ACTION MODULE (stg_type)
Explanation

An attempt to obtain storage for the module named (module_name) has failed. The storage type field (stg_type) indicates if the storage required is 31bit or 24bit based.
System action
IMS processing continues without IMS auditing available.
User response
Increase the region size used by the job step (REGION=).
AUII023E IMODULE DIRLOAD FAILED FOR ACTION MODULE module_name
Explanation
The DIRLOAD IMS service has failed.
System action
IMS processing continues with auditing.
User response
Determine the cause of the error from the IMS Messages and Codes manual and correct the error. If necessary, contact IBMÂ® Software Support.
AUII024E Unable to locate IMS SCD address.
Explanation
An attempt to locate the IMS SCD during product initialization has failed.
System action
User response
Verify that you are attempting to run the product using a supported IMS release. Contact IBMÂ® Software Support for further assistance.
AUII025E Unable to locate IMS SSCD Extension address.
Explanation
An attempt to locate the IMS SSCD Extension address has failed.
System action
User response
Verify that you are attempting to run the product using a supported IMS release. Contact IBM Software Support for further assistance.
AUII026E UNABLE TO LOCATE THIS IMS SSCT ADDRESS
Explanation
The IMS SCCT address cannot be located by the IMS S-TAP initialization process.
System action
IMS processing continues without auditing capabilities.
User response
AUII027E INSUFFICIENT STORAGE AVAILABLE FOR AUIPLOG CONTROL BLOCK

Explanation
An attempt to obtain E/CSA to hold the AUIPLOG module has failed.
System action
User response
Investigate E/CSA usage on the LPAR.
AUII028E IMODULE LOAD OF ACTION MODULE module_name FAILED
Explanation
An attempt to LOAD module module_name using IMS services has failed.
System action
An attempt to LOAD module module_name using IMS services has failed.
User response
Verify that the SAUIIMOD product data set is available in the STEPLIB/JOBLIB data set concatenation. Contact IBMÂ® Software Support for further assistance.
AUII029E DFSTCBTB LOCATE SERVICE CALL FAILED

Explanation
A call to the IMS DFSTCBTB service has failed.
System action
User response
AUII031E STAP FOR IMS INTERNAL LOGIC ERROR (rc)
Explanation
Security GuardiumÂ® S-TAPÂ® for IMS initialization found a logic error.
System action
User response
AUII038E ITASK CREATE FOR ACTION MODULE module_name FAILED
Explanation
DA call to the DFSCIR IMS service to create an ITASK has failed.
System action
User response

AUII040E ODBA LOAD OF DFSISSI0 FAILED
Explanation
An attempt to LOAD IMS module DFSISSI0 has failed.
System action
IMS processing with auditing continues. The product will be unable to determine the correct USERID for events driven from ODBA threads.
User response
Contact Software Support.
AUII041E ODBA HOOK POINT NOT FOUND (module_name)
Explanation
An attempt to locate a hook point in the indicated module (module_name) has failed.
System action
IMS processing with auditing continues. The product will be unable to determine the correct USERID for events driven from ODBA threads. An output DD: AUI$NAP is
dynamically allocated to SYSOUT, and the area where the hook point was to be located is snapped out to this AUI$NAP DD.
User response
Provide the AUI$NAP output to IBM Software Support.
AUII042W ZIIP PROCESSOR NOT AVAILABLE ON THIS LPAR
Explanation
The AUIZIIP DD statement has been found in the IMS Control Region JCL, which indicates that the zIIP processor should be considered for use when filtering DLI calls
and writing to the z/OSÂ® System Logger. IMS STAP has determined that zIIP processing is not available on this LPAR.
System action
Processing continues exclusively using general processors.
User response
Remove the AUIZIIP DD statement and restart the IMS sub-system.
AUII043W THIS IMS IS NOT CONNECTED TO WORKLOAD MANAGER
Explanation
A request to process DLI call filtering and z/OSÂ® System Logger writes on a zIIP processor has been rejected as the IMS sub-system is not connected to the z/OS
Workload Manager.
System action
User response
AUII044E ZIIP PROCESSING REQUEST HAS BEEN REJECTED
Explanation
A request to process DLI call filtering and z/OSÂ® System Logger writes on a zIIP processor has been rejected.
System action

User response
Review previously issued AUII messages to determine the root cause of the request rejection.
AUII046E NAME/TOKEN SERVICE service-name SERVICE FAILED (name value)
Explanation
An attempt to drive the z/OSÂ® name/token service has failed.
System action
User response
AUII049E DEDB CALL ANALYSIS INIT FAILURE RC = return code
Explanation
An attempt insert product code in the DEDB call analysis area has failed.
System action
IMS processing with DEDB event auditing disabled. An output DD: AUI$NAP is dynamically allocated to SYSOUT, and the area where the code insertion was to be located
is snapped out to this AUI$NAP DD.
User response
Provide the AUI$NAP output to IBMÂ® Software Support.
AUII050I S-TAPÂ® FOR IMS AUDIT STATISTICS
Explanation
This message provides statistics regarding the number of DLI events which have been processed. This message is issued when:
The number of DLI calls specified in the message frequency section of the Guardium client's IMS Data Set definition screen has been reached.
The time specified in the AUII050I message frequency section of the Guardium client's IMS Data Set definition screen has elapsed.
The collection profile for the IMS is made in active.
The DLI/DBB batch job or IMS Online Control Region terminates.
The description of values are as follows:
DLI CALLS RECEIVED

This value indicates the number of IMS DLI calls which had the potential of being audited. This number can be more or less than the number of actual DLI calls
performed, because:
DLI PATH calls which effect multiple segments within a hierarchical path are treated and counted as individual DLI calls.
DLI calls types which are not included in any RULE of the active collection profile are not counted as they are immediately rejected.
DLI CALLS AUDITED

This value indicates the number of IMS DLI calls which resulted in a DLI event being written to the z/OSÂ® System Logger Log-stream for transmittal to the
GuardiumÂ® Appliance.
IXGWRITE ERRORS
This value indicates the number of z/OS System Logger IXGWRITE calls which have failed. One of more AUIJ304E messages will precede the issuance of the
AUII050I message if the number of IXGWRITE errors is greater than zero. A non-zero value for the IXGWRITE ERRORS and a zero value for the DLI CALLS LOST DUE
TO IXGWRITE ERRORS section of this message indicates that the IXGWRITE errors were subsequently retried and the IXGWRITE calls were then completed
successfully.
DLI CALLS LOST DUE TO IXGWRITE ERRORS
A non-zero value in this section indicates that DLI calls which were audited and either:
Could not be placed into a log-stream data buffer (indicated by the issuance of message AUIJ307A).
Audited events already in the data buffer could not be written to the z/OS System Logger Log-Stream using the IXGWRITE call and the collection profile for
the IMS has been deactivated or the DLI/DBB batch job or IMS Online Control region has been terminated (indicated by the issuance of message AUIJ304E).
System action
User response

No action is required. This is an informational message only.
AUII052I USING IMS STAP V10.1.3 MODULE Module_name APAR#

Build_date
Explanation
These messages are issued by the IMS S-TAPÂ® code in the IMS Control region during startup to broadcast the maintenance level of the programs that are in use by
Security GuardiumÂ® S-TAP for IMS.
System action
User response
AUII055I ZIIP PROCESSING HAS BEEN REQUESTED FOR IMS STAP
Explanation
and writing to the z/OSÂ® System Logger.
System action
IMS STAP attempts to create an environment to support zIIP processing.
User response
If this was not intended, remove the AUIZIIP DD statement and restart the IMS sub-system.
AUII056I ZIIP PROCESSING ENABLED FOR IMS STAP
Explanation
The request for zIIP support for IMS STAP and this IMS Control Region has been acted on and all initialization processes have completed successfully.
System action
IMS STAP will schedule DLI call filtering and writes to the z/OSÂ® System Logger as a zIIP eligible enclave SRB.
User response
If this was not intended, remove the AUIZIIP DD statement and restart the IMS sub-system.
AUII057I process_type PROCESSING FAILED RC: return_code RSN: reason_code
Explanation
and writing to the z/OSÂ® System Logger. A process (process_type) used to enable zIIP processing has failed.
System action
The request to enable zIIP processing is rejected and general processor will be used.
User response
Review IBMÂ® supplied documentation for the process which failed using the return and reason codes (return_code/reason_code) to determine the cause of the failure.
AUII058A STAP FOR IMS COMPONENT HAS ABENDED
Explanation

The S-TAPÂ® for IMS component has abnormally ended, causing auditing to disable.
User response
AUII060W Potential waited PST=xxxxxxxx (PST# = yyyy)
Explanation
This warning message indicates that IBMÂ® GuardiumÂ® S-TAPÂ® for IMS has detected a dependent region that has been waiting for an event to be audited for at least 15
seconds. The dependent region is identified by the PST address xxxxxxxx. The PST# value specified as yyyy is the region number in hexadecimal format.
System action
IBM Guardium S-TAP for IMS attempts to process the dependent region.
User response
If the dependent region continues processing, then no action is required. If the dependent region remains in a wait state, then it must be stopped or cancelled. Before you
stop or cancel the dependent region, take an SVC dump of the IMS Control region and provide it to IBM Software Support for analysis.
AUII061I Potential Waited PST xxxxxxxx (PST#= zzzz) RELEASED.
Explanation
This message is a response to message AUII060W (Potential Waited PST xxxxxxxx (PST#= zzzz)). This message indicates that the corresponding IPOST was performed,
and the PST is no longer in a WAIT state.
System action
IMS Processing continues.
User response
AUII120I NO COLLECTIONS ACTIVE FOR THIS IMS INSTANCE
Explanation
Initialization has completed successfully for Security GuardiumÂ® S-TAPÂ® for IMS, but no collections were found that pertain to this batch job or IMS control region.
System action
User response
AUII172I AUIprogram LOADED EXIT imsexit FROM DATA SET: data set name
Explanation
The AUIprogram named found an occurrence of the imsexit later within the JOBLIB/STEPLIB concatenation, and has loaded it.
System action
The imsexit will be invoked with R13 pointing to the save area originally provided by IMS, as well as its own 512 byte work area, provided in the SXPLAWRK field of the IMS
Standard User Exit Parameter list, immediately following each execution of AUIprogram.
User response
For the imsexit to run, no action is required. If the imsexit should not be run in this environment, remove the data set from the JOBLIB/STEPLIB concatenation and restart
the IMS control region or batch job.

AUII173E IMS RELEASE ims-vrl IS NOT SUPPORTED
Explanation
The IMS release being used is not support by this version of the product.
System action
User response
Review supported IMS releases for the release of this product.
AUII174E LOAD OF SERVICE MODULE module_name FAILED RC = return_code
Explanation
LOAD OF SERVICE MODULE module_name FAILED RC = return_code
User response
Ensure that the SAUIIMOD product data set is included in the STEPLIB/JOBLIB DD concatenation.
AUII175I NON_ZERO RC FROM EXIT exit_name: RC = return_code
Explanation
The exit_name indicated returned a non-zero return code value of return_code as specified.
System action
The return code value is returned to IMS.
User response
Correct the exit_name program if the non-zero value was returned in error. Review the IMS Customization Guide or IMS Exit Routine Reference for more information.
AUII176E module_name service_type SERVICE ERROR: RC: return_code RS: reason_code
Explanation
The service_type invoked by the specified module_name has failed.
System action
User response
Review all subsequent AUI error messages to diagnose the problem.
AUII177E module_name FOUND WITH RENT/REUS ATTRIBUTE IN NON_APF ENVIRONMENT
Explanation
Program module_name had the RENT/REUS attribute on in a non-APF-Authorized environment. Security GuardiumÂ® S-TAPÂ® for IMS is unable to load the program.
System action
Processing continues with the exit cascading feature disabled.
User response
Re-link the exit with the NOREUSE attribute.

AUII178E DATA SET NAME: dsn
Explanation
This message is issued in conjunction with a previous message (for example, AUII176E) to indicate an associated data set.
User response
Check the log for the previously issued, associated message and take the action that is advised in that message.
Error messages and codes: AUIJxxxx

The following information is about error messages and codes that begin with AUIJ.
AUIJ005W
UNABLE TO LOAD MESSAGE TABLE table_name RSN: reason_code WILL USE AUIMGENU
AUIJ006E
LOAD FAILED FOR MESSAGE TABLE table_name RSN: reason_code
AUIJ007E
PROGRAM program_name IS NOT EXECUTING APF-AUTHORIZED
AUIJ008I
ATTEMPTING TO CONNECT TO THE GUARDIUM S-TAPÂ® APPLIANCE. TCP/IP Address: ip_address, PORT: port_number, PING RATE: ping_rate
AUIJ009E
LOAD FAILED FOR MODULE module_name. R1: abend_code R15: reason_code
AUIJ010I
IMS STAP ver HAS STARTED.
AUIJ011I
function_type CALL TO GUARDUIM S-TAP APPLIANCE SUCCESSFUL
AUIJ012I
NUMBER OF event_type EVENTS SENT TO APPLIANCE: counter
AUIJ013E
stap_call TO GUARDUIM S-TAP APPLIANCE FAILED (call source) IP ADDRESS: ip_address STAP_RC = rc1 STAP_RS = rs1 GDM_RC = rc2 PB_RC = rc3 GDML_RC = rc4
GDML_RS = rs2
AUIJ014E
OPEN FAILED FOR DD dd_name
AUIJ015E
THIS IMS RELEASE IS NOT SUPPORTED. IMS NAME: ims-name, VRL: ims_version
AUIJ016E
UNABLE TO INITIALIZE APPLIANCE INTERFACE (connection_type)
AUIJ017I
PRIMARY STAP CONNECTION RESTORED (connection_type) - SUCCESSFULLY CONNECTED TO IP ADDRESS: ip_address - PORT : port
AUIJ018W
PREVIOUS STAP CONNECTION FAILED (connection_type) - SUCCESSFULLY CONNECTED TO IP ADDRESS: ip_address - PORT : port
AUIJ019E
STAP CONNECTION FAILED: NO CONNECTIONS AVAILABLE (connection_type) - IP ADDRESS: ip-address - PORT : port
AUIJ020I
All EVENTS HAVE BEEN WRITTEN FROM SPILL AREA TO APPLIANCE (connection_type)
AUIJ021W
EVENTS ARE BEING WRITTEN TO THE SPILL AREA (connection_type)
AUIJ022W
SPILL AREA IS FULL: EVENT DATA IS BEING LOST (connection_type)
AUIJ023E
SPILL AREA IS NOT AVAILABLE (connection_type)
AUIJ024W
NUMBER OF type EVENTS LOST count
AUIJ042W
ZIIP PROCESSING NOT AVAILABLE ON THIS LPAR (type)
AUIJ044W
ZIIP PROCESSING REQUEST HAS BEEN REJECTED (connection_type)
AUIJ055I
ZIIP PROCESSING REQUESTED FOR type PROCESSING
AUIJ056I
ZIIP PROCESSING ENABLED FOR type PROCESSING, ENCLAVE TOKEN: value
AUIJ057W
ZIIP PROCESSING FOR type EVENTS HAS BEEN DISABLED DUE TO ERRORS - PROCESSING WILL CONTINUE USING GCPU
AUIJ058W
ZIIP PROCESSING FOR type EVENTS HAS BEEN DISABLED - TRACING IS ENABLED BY THE USE OF THE AUI$NAP JCL STATEMENT
AUIJ201E
VSAM ERROR ENCOUNTERED
AUIJ202E
AUIJ203E
AUIJ250I
AUDITING IMS EVENTS. COLLECTION PROFILE NAME: collection_profile_name IMS NAME: ims_name AGENT NAME: agent name EXCLUDED REGIONS:
region_types

AUIJ251E
COMPILED FILTER BUILD FAILED. COLLECTION PROFILE NAME : collection _profile_name RC: return_code RSN: reason_code
AUIJ252W
GUARDIUM QUARANTINE IS IN EFFECT; DBPCB STATUS CODES OF AI MAY OCCUR
AUIJ255I
AUII050I MESSAGE RECEIVED FROM: JOBNAME: ims_job_name; SSID: ims_ssid; JOB NUMBER: job_number; LPAR: lpar_name
AUIJ256I
AUIJ250I MESSAGE RECEIVED FROM: JOBNAME: ims_job_name; SSID : ims_ssid; JOB NUMBER: job_number; LPAR: lpar_name
AUIJ257I
AUIJ258I
AUIJ259I
JOBNAME job_name USING IMS STAP V10.1.3 MODULE: pgm_name APAR: fix_number DATE: fix_date
AUIJ303W
request_type REQUEST FOR LOG STREAM log_stream_name FAILED - RC: return_code RS: reason_code - WILL CONTINUE TO RETRY
AUIJ304A
IXGCONN REQUEST FOR LOG_STREAM log_stream_name FAILED with RC = return_code and RS= reason_code
AUIJ304E
IXGWRITE REQUEST FOR <log-stream-name> FAILED - RC: return_code RS: reason_code
AUIJ307A
AUDITED EVENTS ARE BEING LOST DUE TO IXGWRITE ERRORS AND/OR BUFFER SHORTAGES
AUIJ307E
thread_type THREAD IS TERMINATING DUE TO PROCESSING ERRORS.
AUIJ330E
REQUIRED DATA SET IS NOT CATALOGED. - TYPE: dsn_type, DSN: data_set_name
AUIJ331E
service_name SERVICE FAILED - RC: return_code - RSN: reason_code
AUIJ332E
DATA SET IS NOT VALID WITHIN CONTEXT USED - TYPE: data_set_type, DSN: data_set_name, REASON: reason
AUIJ333E
Service SERVICE FAILED for DATA SET: dsn - R15: return_code
AUIJ335W
dd_name DD IS PRESENT IN THIS JCL, dsn_types WILL NOT BE AUDITED
AUIJ400E
INSUFFICIENT MEMORY - MODULE NAME: program_name - MEMORY SEGMENT TYPE: seg_type
AUIJ401E
MODULE module_name FAILED DURING ATTACH of program_name - RETURN CODE: return_code
AUIJ402E
CATALOG SERVICE REQUEST FAILED - MODULE NAME: module_name - RC: return_code RSN: reason_code
AUIJ403E
DYNAMIC ALLOCATION FAILURE - FUNCTION : function_code - DSN: data-set-name - RC: return_code RSN: reason_code
AUIJ404E
DYNAMIC ALLOCATION FAILURE - FUNCTION: function_code -DDN: dd_name - RC: return_code RSN: reason_code
AUIJ406W
TOO MANY RULES SPECIFIED IN POLICY, REQUEST HAS BEEN TRUNCATED. POLICY: policy_name. RULE LIMIT: max_number_of rules_allowed
AUIJ407I
number DATA SETS ADDED TO POLICY policy_name FILTER
AUIJ408E
POLICY name RESULTED IN OVER 102400 DATA SETS TO BE AUDITED; DATA SET RESULT SET HAS BEEN TRUNCATED
AUIJ500I
STARTING cycle_type CYCLE
AUIJ501I
NO NEW CATALOGED SMF DATA SETS FOUND FOR SMF MASK: - smf_mask_value
AUIJ504I
cycle_type CYCLE COMPLETE
AUIJ521W
CONTROL BLOCK AUIDCCOM NOT FOUND
AUIJ510I
ALTERNATE RECON DATA SETS FOUND FOR IMSNAME imsname: RECON1: alt_dsn_1; RECON2: alt_dsn_2, RECON3: alt_dsn_3
AUIJ511E
ALTERNATE RECON DATA SET NOT CATALOGED; DSN: alt_dsn
AUIJ512E
ALTERNATE RECON DATA SET NOT A VSAM FILE; DSN: alt_dsn
AUIJ513E
NO VALID ALTERNATE RECON DATA SETS FOUND FOR IMS imsname; PROCESSING TERMINATED
AUIJ522E
INSUFFICIENT E/CSA STORAGE AVAILABLE FOR control_block CONTROL BLOCK
AUIJ609I
event_types ARE BEING EXCLUDED (excluded_by)
AUIJ800E
REQUIRED DD STATEMENT IS MISSING: dd-name
AUIJ860E
VSAM FILE DEFINITION ERROR - DDN: dd_name - REASON: definition_error
AUIJ999E
AN INTERNAL LOGIC ERROR HAS OCCURRED - MODULE: module_name RSN: reason_code

AUIJ005W UNABLE TO LOAD MESSAGE TABLE table_name RSN: reason_code WILL USE
AUIMGENU
Explanation
An attempt to perform a z/OSÂ® LOAD of the message table named (table_name) failed. The reason for the failure is described in the reason code field (reason_code). The
default U.S. English message table will be used. This message follows the AUI006E message.
System action
Processing continues while using the U.S. English message table.
User response
Determine and correct the cause of the message table load failure.
Parent topic: Error messages and codes: AUIJxxxx
AUIJ006E LOAD FAILED FOR MESSAGE TABLE table_name RSN: reason_code
Explanation
A z/OSÂ® LOAD attempt failed for the message table (table_name) indicated.
System action
If the table name is the U.S. English message table, (AUIMGENU) processing will terminate. Other table names will cause the product to attempt to use the U.S. English
message table after issuing the AUIJ005W message continue processing.
User response
Determine and correct the cause of the message table load failure.
AUIJ007E PROGRAM program_name IS NOT EXECUTING APF-AUTHORIZED
Explanation
The program specified requires APF-Authorization to perform its function.
System action
The program terminates.
User response
Ensure that all data sets included within the STEPLIB DD concatenation of the JCL where this message appeared are APF authorized.
AUIJ008I ATTEMPTING TO CONNECT TO THE GUARDIUM S-TAPÂ® APPLIANCE. TCP/IP

Address: ip_address, PORT: port_number, PING RATE: ping_rate
Explanation
An attempt is being made to establish a connection with the GuardiumÂ® S-TAP appliance using the named TCP/IP address (ip_address) and PORT number (port_number).
PING RATE (ping_rate) indicates how often a message is sent to the appliance to provide the appliance with confirmation that the connection is active. The PINGS are sent
at the rate indicated (ping_rate) which is shown in hour, minutes, and second (hh:mm:ss) format.
System action
The connection to the Guardium S-TAP appliance is attempted.
User response
AUIJ009E LOAD FAILED FOR MODULE module_name. R1: abend_code R15: reason_code
Explanation

An attempt to perform a z/OSÂ® LOAD of the named module (module_name) has failed
System action
The function terminates.
User response
Ensure that all required product data sets are included in the STEPLIB DD concatenation of the JCL where this message appeared. The value in R1 (abend-code) indicates
the ABEND code that would have occurred if the failure had not been trapped by the product. The value in R15 (reason_code) indicates the reason code associated with
the abend. Documentation regarding the abend codes and possible resolutions can be found in the IBMÂ® z/OS MVSâ„¢ System Code manual or equivalent.
AUIJ010I IMS STAP ver HAS STARTED.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent component, using the specified base code level, has started.
System action
User response
AUIJ011I function_type CALL TO GUARDUIM S-TAP APPLIANCE SUCCESSFUL
Explanation
The function request (function_type) to the GuardiumÂ® S-TAPÂ® appliance completed successfully. This message usually follows the AUIJ008I message indicating that
the connection request has been initiated.
Function request values which can be displayed are:
INIT-DLIB
Connection request from the tasks which transmits DLI/DBB batch events.
INIT-DLIO
Connection request from the task which transmits IMS Online DLI events.
INIT_LOG
Connection request from the task which transmits IMS Archive log events.
INIT-SMF
Connection request from the task which transmits SMF events.
System action
User response
AUIJ012I NUMBER OF event_type EVENTS SENT TO APPLIANCE: counter
Explanation
By default, this message is issued every 100,000 events sent to the appliance or approximately every 18 minutes. You can modify this frequency by using the agent
parameter keyword DLIFREQ. This message provides a status of data being collected and sent to the GuardiumÂ® S-TAPÂ® appliance. The count provided (counter) is the
number of events since the last message was issued. The type of events (event_type) can include DLIB (events captured from IMS DLI/DBB batch jobs), DLIO (events
captured from IMS Online regions) SMF (events captured from SMF auditing), IMSL (events captured from IMS archive log processing), and MLOG (missing IMS logs found
during IMS Archive log processing).
System action
User response
None action is required.

AUIJ013E stap_call TO GUARDUIM S-TAPÂ® APPLIANCE FAILED (call source) IP ADDRESS:
ip_address STAP_RC = rc1 STAP_RS = rs1 GDM_RC = rc2 PB_RC = rc3 GDML_RC = rc4 GDML_RS
= rs2
Explanation
The requested call (call_type) to the GuardiumÂ® S-TAP appliance has failed. A non-zero value GDM_RC field indicates an error.
System action
The process terminates.
User response
Determine the cause of the failure by checking the return and reason code.
If GDM_RC is not zero, one or more of the PB_RC, GDML_RC and GDML_RS will be set.
If STAP_RC and STAP_RS are zero but GCM_RC or PB_RC is not zero, an internal error is indicated. Contact IBMÂ® Software Support.
If STAP_RC and STAP_RS are not zero, contact IBM Software Support.
AUIJ014E OPEN FAILED FOR DD dd_name
Explanation
A z/OSÂ® OPEN of the data set(s) referenced by the DD named (dd_name) failed.
System action
Processing terminates.
User response
Examine the JES log for z/OS issued IEA messages issued regarding this DD statement and take appropriate action.
AUIJ015E THIS IMS RELEASE IS NOT SUPPORTED. IMS NAME: ims-name, VRL: ims_version
Explanation
The IMS named (ims-name) was found to be of a release which is not supported by this version of the product.
System action
User response
Review the software requirements documented in this user's guide for a list of IMS releases that are supported by this version of the product.
AUIJ016E UNABLE TO INITIALIZE APPLIANCE INTERFACE (connection_type)
Explanation
An attempt to establish a connection with the appliance has failed.
System action
User response
This error is usually due to the TCP/IP address specified in the <appliance-server> parameter of the AUICONFG or other member used in the AUICONFG DD statement
used to provide the agent with configuration information being incorrect. This error can also occur if the target of the TCP/IP address is unresponsive.
AUIJ017I PRIMARY STAP CONNECTION RESTORED (connection_type) - SUCCESSFULLY

CONNECTED TO IP ADDRESS: ip_address - PORT : port

Explanation
Multiple appliances are defined to IBMÂ® GuardiumÂ® S-TAPÂ® for IMS, and the primary appliance (ip_address + port) was unavailable for some period of time. This
message indicates that the primary appliance has become available and is now being used.
System action
Processing continues sending data to the primary appliance.
User response
AUIJ018W PREVIOUS STAP CONNECTION FAILED (connection_type) - SUCCESSFULLY

CONNECTED TO IP ADDRESS: ip_address - PORT : port
Explanation
Multiple appliances are defined to the IMS STAP the connection to the active appliance has failed. This message indicates that another secondary appliance (ip_address +
port) is now active.
System action
Processing continues sending data to the secondary appliance.
User response
AUIJ019E STAP CONNECTION FAILED: NO CONNECTIONS AVAILABLE (connection_type) - IP

ADDRESS: ip-address - PORT : port
Explanation
The connection to the active appliance (ip_address + port) has failed and there are no secondary appliances available for use.
AUIJ020I All EVENTS HAVE BEEN WRITTEN FROM SPILL AREA TO APPLIANCE
(connection_type)
Explanation
All audited events that were buffered to the spill area have been sent to the appliance.
User response
AUIJ021W EVENTS ARE BEING WRITTEN TO THE SPILL AREA (connection_type)
Explanation
A connection to the appliance has been interrupted, and the spill area is being used to buffer audited events until the appliance connection can be reestablished
System action
Processing continues. Audited events are buffered in the spill area.
User response
Investigate the cause of the appliance connection interruption and correct.
AUIJ022W SPILL AREA IS FULL: EVENT DATA IS BEING LOST (connection_type)
Explanation

A connection to the appliance was interrupted. The spill area was being used to buffer audited events until the appliance connection can be reestablished. The number of
audited events that were generated exceeded the number that could be held in the spill area.
System action
Processing continues. Audited events are discarded.
User response
Investigate the cause of the appliance connection interruption and correct. Look for message AUIJ024W, which is issued at task termination or when a connection is
reestablished, for the number of lost events.
AUIJ023E SPILL AREA IS NOT AVAILABLE (connection_type)
Explanation
An attempt to use the spill area to buffer audited events is unsuccessful.
System action
User response
Specify a value of 1 through 1024 in the SAUISAMP AUICONFG member <SPILL-SIZE> parameter. Review any z/OS error or warning messages that might indicate why the
spill area allocation failed.
AUIJ024W NUMBER OF type EVENTS LOST count
Explanation
Attempts to buffer audited events in the spill area have failed. This message indicates the type of audited events (DLIO, DLIB, SMF etc) which were lost (type), and the
number that were lost (count).
System action
User response
Investigate the cause of the appliance connection interruption and correct.
AUIJ042W ZIIP PROCESSING NOT AVAILABLE ON THIS LPAR (type)
Explanation
A request to process data, using a zIIP enabled enclave, has failed because the Workload Manager feature is not available.
System action
Processing continues, using GCPU (General Central Processor Unit) services.
User response
Remove the ZIIP_AGENT_DLI(Y) keyword from the configuration file that is in use, or change the parameter from Y to N.
AUIJ044W ZIIP PROCESSING REQUEST HAS BEEN REJECTED (connection_type)

Explanation
An attempt to create a zIIP enabled enclave has failed.
System action
Processing continues using GCPU services.
User response
Determine the cause of the failure by reviewing previously issued AUIJ0331E messages and take corrective action.

AUIJ055I ZIIP PROCESSING REQUESTED FOR type PROCESSING
Explanation
The use of a zIIP enabled enclave has been requested by the use of the ZIIP_AGENT_DLI(Y) configuration file keyword.
System action
An attempt is made to create the enclave.
User response
AUIJ056I ZIIP PROCESSING ENABLED FOR type PROCESSING, ENCLAVE TOKEN: value
Explanation
A zIIP enabled enclave has been requested and successfully created.
System action
User response
AUIJ057W ZIIP PROCESSING FOR type EVENTS HAS BEEN DISABLED DUE TO ERRORS -
PROCESSING WILL CONTINUE USING GCPU
Explanation
zIIP processing was requested, however due to previously reported errors, this mode of processing could not be enabled.
System action
Processing continues using General Central Processing Unit (GCPU) resources only.
User response
Review the processing log looking for error and warning messages that were issued prior to this message to help determine why zIIP processing could not be initiated.
AUIJ058W ZIIP PROCESSING FOR type EVENTS HAS BEEN DISABLED - TRACING IS ENABLED
BY THE USE OF THE AUI$NAP JCL STATEMENT
Explanation
Event tracing has been enabled through the addition of the AUI$NAP DD SYSOUT=* JCL statement in the agent JCL. The use of zIIP processing has been disabled because
event tracing cannot coexist with the zIIP environment.
System action
All processing continues with event tracing on. Processing occurs on the General Central Processing Unit (GCPU).
User response
If the addition of the AUI$NAP DD statement was not intentional, remove it from the agent JCL.
AUIJ201E VSAM ERROR ENCOUNTERED
Explanation
FUNCTION

vsam_function
RPL/RECORD TYPE
rpl/record_value
R15
return_code
R0
reason_code
CSI-CALL
function_call
SUBRTN
pgm_routine
While accessing the VSAM repository, an internal logic error was encountered.
System action
User response
There are no user actions available for this failure. Contact IBMÂ® Software Support with the content of this message.
Explanation
FUNCTION:
vsam_function
R15:
return_code
ACBOFLGS:
acboflag_value
CSI-CALL:
function_call
SUBRTN:
pgm_routine
System action
User response
There are no user actions available for this failure. Contact IBMÂ® Software Support with the content of this message.
Explanation
FUNCTION:
vsam_function
RPL/RECORD TYPE
rpl/record_value
FDBWD:
rpl_fdbwd
OPTCD:
rpl_optcd
CSI-CALL:
function_call
SUBRTN:
pgm_routine
System action
User response
There are no user actions available for this failure. Contact IBM Software Support with the content of this message.

AUIJ250I AUDITING IMS EVENTS. COLLECTION PROFILE NAME: collection_profile_name IMS
NAME: ims_name AGENT NAME: agent name EXCLUDED REGIONS: region_types
Explanation
The auditing of IMS events proceeds by using the collection profile (collection_profile_name) that is associated with the IMS definition (ims_name). The agent name
indicates which agent is processing the audited data. Various region types might have been excluded from auditing, such as AER, BMP, CICS, DBCTL, IFP, MPP, ODBA, or
NONE.
System action
Auditing continues.
User response
Note: To set a z/OS message alert for this message, use single-dash formatting between the message number and message text; for example, AUIJ250I - AUDITING IMS
EVENTS.
AUIJ251E COMPILED FILTER BUILD FAILED. COLLECTION PROFILE NAME : collection

_profile_name RC: return_code RSN: reason_code
Explanation
An attempt at building a compiled filter using the collection profile named (collection_profile_name) failed.
System action
Processing terminates, auditing will not be performed.
User response
AUIJ252W GUARDIUM QUARANTINE IS IN EFFECT; DBPCB STATUS CODES OF AI MAY OCCUR
Explanation
The Guardium appliance has detected a list of users for whom access is to be restricted for a period of time. This list is based on policy rules and criteria that are set by the
Guardium administrator who maintains the auditing rules in your environment.
System action
Processing continues. If a user in the list of quarantined user IDs attempts to issue DB/DLI calls, the DLI call fails. A DB PCB status code of AI, or an AIB return/reason
code of 110/C, is returned to the application program.
User response
If access to IMS databases terminate with a DB PCB status code of AI, or an AIB return/reason code of 110/C, contact the Guardium administrator who maintains the
auditing rules in your environment to obtain the reason for the quarantine.
Note: To set a z/OS message alert for this message, use single-dash formatting between the message number and message text; for example, AUIJ252W - GUARDIUM
QUARANTINE IS IN EFFECT
AUIJ255I AUII050I MESSAGE RECEIVED FROM: JOBNAME: ims_job_name; SSID: ims_ssid;

JOB NUMBER: job_number; LPAR: lpar_name
Explanation
This message echoes message AUII050I, which is generated by the S-TAP code, and can appear in the IMS control region and the DLI/DBB batch job output. This
message only appears in the agent if the DISPLAY_IMSMSG_DLIx(Y) configuration option is coded in the AUICONFG file.
System action
User response
No action is required. See the explanation for message AUII050I for details regarding the available output fields.

AUIJ256I AUIJ250I MESSAGE RECEIVED FROM: JOBNAME: ims_job_name; SSID : ims_ssid;

Explanation
This message echoes message AUIJ250I, which is generated by the S-TAP code, and can appear in the IMS control region and the DLI/DBB batch job output. This
System action
User response
No action is required. See the explanation for message AUIJ250I for details regarding the available output fields.

Explanation
System action
User response

Explanation
System action
User response
AUIJ259I JOBNAME job_name USING IMS STAP V10.1.3 MODULE: pgm_name APAR:
fix_number DATE: fix_date
Explanation
This message echoes message AUII052I, which is generated by the S-TAP code, and can appear in the IMS control region. This message appears in the agent if the
DISPLAY_IMSMSG_DLIx(Y) configuration option is coded in the AUICONFG file.
User response
AUIJ303W request_type REQUEST FOR LOG STREAM log_stream_name FAILED - RC:

return_code RS: reason_code - WILL CONTINUE TO RETRY

Explanation
A request (request_type) made to the indicated log stream (log_stream_name) has failed. This is a recoverable situation and the request will be retried.
System action
Processing will continue with the request being retried.
User response
AUIJ304A IXGCONN REQUEST FOR LOG_STREAM log_stream_name FAILED with RC =

return_code and RS= reason_code
Explanation
An attempt to connect to the z/OS System Logger log-stream, by using the IXGCONN function, has failed.
System action
Auditing is disabled, but IMS continues processing.
User response
Correct the issue that has caused the IXGCONN failure; then, uninstall and reinstall the policy to cause IMS to reattempt the connection. Or, correct the issue; then, stop
and restart the Security GuardiumÂ® S-TAPÂ® for IMS agent to cause IMS to reattempt the IXGCONN call.
AUIJ304E IXGWRITE REQUEST FOR <log-stream-name> FAILED - RC: return_code RS:

reason_code
Explanation
An attempt to write to the z/OSÂ® System Logger log-stream using the IXGWRITE function has failed.
System action
One occurrence of this message is issued once per error type (RC + RSN) within the each issuance of message AUII050I. IXGWRITE calls continues until the collection
policy for the IMS system is uninstalled, or the DLI/DBB batch job or IMS control region terminates.
User response
Examine the description of the IXGWRITE error using the RC and RSN codes provided in the IBMÂ® z/OS MVSâ„¢ Programming: Assembler Services Reference, Vol. 2 (IAR-
XCT) or equivalent, under the IXGWRITE Macro description, and take corrective action. The most common reason for the appearance of this message is the volume and
the rate (number of events per second) of DLI events exceeds the capacity of the current z/OS System Logger log stream definition.
AUIJ307A AUDITED EVENTS ARE BEING LOST DUE TO IXGWRITE ERRORS AND/OR BUFFER
SHORTAGES
Explanation
A number of attempts to write audited events to the z/OSÂ® System Logger Log-stream have failed which has caused has resulted in available space in the data buffers
being exhausted. This has resulted in DLI events which are to be audited to be discarded.
System action
DLI events continue to be audited at attempts to write exiting data buffers to the z/OS System Logger Log-stream until. The number of DLI events which were rejected are
noted in subsequent AUII050I message.
User response
Review any AUIJ304E messages which have been issued to determine the cause of the z/OS System Logger Log-stream Write failures.
AUIJ307E thread_type THREAD IS TERMINATING DUE TO PROCESSING ERRORS.
Explanation

The agent has determined that a fatal error or abend occurred in the thread type indicated.
System action
Processing that is associated with this thread will not occur.
User response
Examine previously issued error or abend messages to determine the corrective action to be taken. Then, restart the agent.
AUIJ330E REQUIRED DATA SET IS NOT CATALOGED. - TYPE: dsn_type, DSN: data_set_name
Explanation
The data set name indicated (data_set_name) was not found in the z/OSÂ® catalog.
System action
Processing terminates
User response
Specify the name of a cataloged data set.
AUIJ331E service_name SERVICE FAILED - RC: return_code - RSN: reason_code
Explanation
A z/OSÂ® service (service_name) failed when executed.
System action
User response
Determine the cause of the failure by using the return and reason codes provided. Contact IBMÂ® Software Support for additional assistance.
AUIJ332E DATA SET IS NOT VALID WITHIN CONTEXT USED - TYPE: data_set_type, DSN:
data_set_name, REASON: reason
Explanation
The data set indicated (data_set_name) is not of a type valid for use where it is defined. The reason for the rejection of this data set is found in the REASON field (reason).
System action
User response
Specify a data set of the correct type.
AUIJ333E Service SERVICE FAILED for DATA SET: dsn - R15: return_code
Explanation
A z/OS LOCATE or OBTAIN service failed when it was run against the specified data set dsn.
System action
User response
Ensure that the data set names exists, and has not been migrated. Determine the cause of the failure by examining the LOCATE/OBTAIN MACRO return codes found in the
IBM DFSMSdfp Advanced Services manual. Contact IBM Software Support for additional assistance

AUIJ335W dd_name DD IS PRESENT IN THIS JCL, dsn_types WILL NOT BE AUDITED
Explanation
The AUIFstc task has encountered a DD in the JCL that prevents a specific type of data set from being audited by SMF.
System action
Accesses to the data set types that are specified in the text of this message are not audited.
User response
If you want to audit accesses to these types of data sets, remove the DD statement. See the Data sets and DD DUMMY statements table in the SMF records section of this
user's guide for information on which DDs affect which data set types.
AUIJ400E INSUFFICIENT MEMORY - MODULE NAME: program_name - MEMORY SEGMENT

TYPE: seg_type
Explanation
An attempt at obtaining memory in program (module_name) has failed due to insufficient memory being available.
System action
User response
Increase the region size of the started task where this message appeared. Restart the started task and retry the request.
AUIJ401E MODULE module_name FAILED DURING ATTACH of program_name - RETURN CODE:

return_code
Explanation
An attempt to perform a z/OSÂ® ATTACH of the program_name by module module_name has failed.
System action
User response
Determine the cause of the failure by using the return code (return_code) provided. Correct and restart the task that issued the message. Contact IBMÂ® Software Support
for further assistance if need.
AUIJ402E CATALOG SERVICE REQUEST FAILED - MODULE NAME: module_name - RC:

return_code RSN: reason_code
Explanation
An attempt use the catalog interface has failed.
System action
User response
AUIJ403E DYNAMIC ALLOCATION FAILURE - FUNCTION : function_code - DSN: data-set-name

- RC: return_code RSN: reason_code
Explanation
An attempt to issue a dynamic allocation function (function_code) using the data set name indicated (data_set_name) has failed.
System action
User response
Using the return_code and reason_code determine the cause for the failure. Correct and retry the request.
AUIJ404E DYNAMIC ALLOCATION FAILURE - FUNCTION: function_code -DDN: dd_name - RC:

return_code RSN: reason_code
Explanation
An attempt to issue a dynamic allocation function (function_code) using the DD name indicated (dd_name) has failed.
System action
User response
Using the return_code and reason_code determine the cause for the failure. Correct and retry the request.
AUIJ406W TOO MANY RULES SPECIFIED IN POLICY, REQUEST HAS BEEN TRUNCATED.
POLICY: policy_name. RULE LIMIT: max_number_of rules_allowed
Explanation
Preprocessing of the rules associated with the indicated policy (policy_name) determined that the number of rules that were specified in the policy exceeded the rule limit
of max_number_of rules_allowed. Allowing an excessive number of rules causes memory constraint and performance issues.
System action
The contents of subsequent rules are discarded. Processing continues using all previous rule content.
User response
Review the rules that are included in the policy, and edit the policy to combine the rule content where permissible. If the resulting policy still requires a greater number of
rules than the rule limit permits, contact IBM Software Support.
AUIJ407I number DATA SETS ADDED TO POLICY policy_name FILTER
Explanation
This message provides the number of data set names that are used as input when building the compiled filter for SMF processing.
System action
User response
AUIJ408E POLICY name RESULTED IN OVER 102400 DATA SETS TO BE AUDITED; DATA SET
RESULT SET HAS BEEN TRUNCATED
Explanation
The specified policy has found over 102,400 data sets to audit based on the databases that are specified in the policy rules and the IMS system log data set (SLDS) and
recovery log data set (RLDS) RECON entries. Due to memory constraints, the data set occurrence limit per policy is 102,400 per IMS definition.
System action

Remaining data set names for the database description (DBD) that is being processed are included in the list to be audited, which might cause the 102,400 data set limit
to be slightly exceeded. The process that determines the DBD and DSN pairings ends, no additional rules within the policy are processed, and a filter is created for the
policy based on the 102,400 (or more) data set names. Normal processing continues.
User response
Change the policy rules to audit fewer databases, or modify the rules to reduce or avoid multiple rules from auditing the same databases.
Review the IMS RECON data set that is looking for IMS SLDS and RLDS, database image copy data sets, or database data set group (DSG)/area data sets, which no
longer physically exist but remain listed in the RECON. Delete the RECON references that are no longer needed.
AUIJ500I STARTING cycle_type CYCLE
Explanation
The task is starting the processing cycle specified.
System action
Processing starts for the cycle specified.
User response
AUIJ501I NO NEW CATALOGED SMF DATA SETS FOUND FOR SMF MASK: - smf_mask_value
Explanation
The SMF processing cycle has determined that no new, unprocessed data sets which meet the SMF mask value have been found.
System action
The task waits for the start of the next cycle.
User response
AUIJ504I cycle_type CYCLE COMPLETE
Explanation
The cycle has completed.
System action
The task waits for the start of the next cycle.
User response
AUIJ521W CONTROL BLOCK AUIDCCOM NOT FOUND
Explanation
A critical E/CSA control block was not found.
System action
User response
Contact Software Support.

AUIJ510I ALTERNATE RECON DATA SETS FOUND FOR IMSNAME imsname: RECON1:
alt_dsn_1; RECON2: alt_dsn_2, RECON3:
alt_dsn_3
Explanation
The AUIARCN DD was found in the JCL. The imsname that was used when installing the active IMS policy was found in the AUIARCN file, along with alternate RECON data
sets names (alt_dsn_1/2/3).
System action
User response
AUIJ511E ALTERNATE RECON DATA SET NOT CATALOGED; DSN:

alt_dsn
Explanation
When attempting to validate the alt_dsn value, the data set was not found in the catalog.
System action
Processing continues to validate other specified data set names.
User response
Correct the data set name or catalog the data set.
AUIJ512E ALTERNATE RECON DATA SET NOT A VSAM FILE; DSN:

alt_dsn
Explanation
When attempting to validate the alt_dsn value, the data set was found to in a format invalid for processing. The data set name must be in VSAM format.
System action
Processing continues to validate other specified data set names.
User response
Correct the data set name or catalog the data set.
AUIJ513E NO VALID ALTERNATE RECON DATA SETS FOUND FOR IMS imsname;
PROCESSING TERMINATED
Explanation
The data set validation was completed, and no valid alternate RECON data set names found for the IMSNAME.
System action
User response
Add or correct valid RECON data set names.
AUIJ522E INSUFFICIENT E/CSA STORAGE AVAILABLE FOR control_block CONTROL BLOCK
Explanation

Insufficient E/CSA storage was available to hold the specified control block.
System action
User response
Determine the cause of the E/CSA shortage.
AUIJ609I event_types ARE BEING EXCLUDED (excluded_by)
Explanation
If the excluded_by value is AGENT, then the reporting of event_types is excluded due to the specification of certain configuration keywords. If the excluded_by value is
IMS, these events are excluded as directed by the IMS definition.
System action
Occurrences of these event types are not reported.
User response
If you want to view reports of this event type, review and modify the agent configuration file (SMF_AUDIT_LEVELS or IMSL_AUDIT_LEVELS keywords) or the Guardium
system IMS definition, using the Auditing Levels tab.
AUIJ800E REQUIRED DD STATEMENT IS MISSING: dd-name
Explanation
A critical error has occurred due to a missing DD statement.
System action
User response
This message occurs if a product JCL has been edited and a DD statement has been deleted or omitted. If this is not the case, check for any dynamic allocation error
messages. If none are present, or are not user resolvable, contact IBMÂ® Software Support.
AUIJ860E VSAM FILE DEFINITION ERROR - DDN: dd_name - REASON: definition_error
Explanation
When validating the VSAM repository, an allocation definition error was found.
System action
User response
The VSAM repository requires specific values for the attribute, LRECL, key length and key position. Review the SAUISAMP product distribution data set member AUISJ001
for the correct file definition specifications.
AUIJ999E AN INTERNAL LOGIC ERROR HAS OCCURRED - MODULE: module_name RSN:

reason_code
Explanation
An internal logic error has occurred.
System action
User response

Error messages and codes: AUILxxxx

The following information is about error messages and codes that begin with AUIL.
AUIL002I
Archive log reader interval set to <number> <time interval in hours/minutes>.
AUIL003E
Command <command-text>failed; interval value must be between <lower-bound> and <upper-bound>.
AUIL600I
NO NEW CATALOGED IMS LOG DATA SETS FOUND
AUIL601I
PROCESSING IMS LOG DATA SET: ims_log_data_set_name
AUIL602I
PROCESSING COMPLETE FOR IMS LOG DATA SET: ims_log_data_set_name
AUIL603I
SCANNING RECON DATA SETS FOR IMS LOGS TO PROCESS. RECON1: recon1_dsn - RECON2: recon2_dsn - RECON3: recon3_dsn
AUIL605I
RECON DATA SET SCAN COMPLETE
AUIL606W
RECON HAS NOCATDS SPECIFIED, RESULTS MAY NOT BE ACCURATE
AUIL607W
THERE ARE NO ACTIVE IMS POLICIES FOR AGENT agent_name
AUIL701I
IMS LOG CHECKPOINT INFORMATION - IMSID: IMS_name_from_policy - RECON1 DSN: dsn_of_RECON1 - CREATING SSID: SSID_from_PRILOG - LAST DSN READ:
dsn_of_SLDS - LAST UPDATED (UTC): date_time
AUIL002I Archive log reader interval set to <number> <time interval in hours/minutes>.
Explanation
The Archive log reader is scheduled to process archive logs as specified.
User response
Parent topic: Error messages and codes: AUILxxxx
AUIL003E Command <command-text>failed; interval value must be between <lower-bound>

and <upper-bound>.
Explanation
This message indicates that <command>, such as: /f AUILSTC,SET INTERVAL number failed because of incorrect number value. Correct values must be between <lower-
bound> and <upper-bound>.
User response
Use an interval value between <lower-bound> and <upper-bound>. If that does not resolve the issue, contact IBMÂ® Software Support.
AUIL600I NO NEW CATALOGED IMS LOG DATA SETS FOUND
Explanation
After examining the RECON data sets, it has been determined that no new IMS SLDS data sets were found that have yet to be processed by the product.
User response
AUIL601I PROCESSING IMS LOG DATA SET: ims_log_data_set_name
Explanation
Processing has started for the IMS SLDS data set indicated (ims_log_data_set_name)

System action
User response
AUIL602I PROCESSING COMPLETE FOR IMS LOG DATA SET: ims_log_data_set_name
Explanation
Processing of the IMS SLDS data set has completed.
System action
Processing continues with other candidate IMS SLDS data sets.
User response
AUIL603I SCANNING RECON DATA SETS FOR IMS LOGS TO PROCESS. RECON1: recon1_dsn -
RECON2: recon2_dsn - RECON3: recon3_dsn
Explanation
To determine the candidate IMS SLDS data sets to be read, the IMS RECON data sets must be queried. This message indicates that this query process has started.
System action
User response
AUIL605I RECON DATA SET SCAN COMPLETE
Explanation
This message follows the AUIL603I message and indicates that the scan of the RECON data sets is complete.
System action
User response
AUIL606W RECON HAS NOCATDS SPECIFIED, RESULTS MAY NOT BE ACCURATE
Explanation
When examining the RECON data sets the NOCATDS option was found to be on, meaning any log data sets found might not be cataloged.
System action
User response
The function that produces this message relies on the log data sets existing in the z/OSÂ® catalog or having been in the z/OS catalog at one time. Having the NOCATDS
option on in the RECON data sets might negate the validity of further processing, if the SLDS data sets are not cataloged.

AUIL607W THERE ARE NO ACTIVE IMS POLICIES FOR AGENT agent_name
Explanation
A request to query the RECON data sets of IMS systems defined under the named agent found that there were no IMS systems audited by the agent with an active profile.
The function that produces this message relies on having at least one IMS system with an active collection policy.
System action
User response
Install a collection policy for an IMS under of the control the agent.
AUIL701I IMS LOG CHECKPOINT INFORMATION - IMSID: IMS_name_from_policy - RECON1

DSN: dsn_of_RECON1 - CREATING SSID: SSID_from_PRILOG - LAST DSN READ: dsn_of_SLDS -
LAST UPDATED (UTC): date_time
Explanation
This message provides the name of the IMS SLDS that was last read when processing data for the SSID (SSID_from_PRILOG) found in the set of the DBRC RECON data
sets (dsn_of_RECON1). This information is used as a checkpoint to indicate which SLDS data sets have already been processed, and should not be re-read by the AUILstc
tasks.
System action
User response
Error messages and codes: AUIPxxxx

The following information is about error messages and codes that begin with AUIP.
AUIP001E
A protobuf message schema violation was detected; value value is not a valid boolean value.
AUIP002E
A protobuf message schema violation was detected; value value is not a valid double value.
AUIP003E
A protobuf message schema violation was detected; value value is not a valid integer value.
AUIP004E
A protobuf message schema violation was detected; required message message property property is not present.
AUIP005E
A protobuf message schema violation was detected; required message message sub-message submessage is not present.
AUIP006S
A severe error occurred during protobuf message parsing; an unknown exception occurred.
AUIP007E
A protobuf message schema violation was detected; property name property is invalid.
AUIP008E
A protobuf message schema violation was detected; property property value value is invalid.
AUIP009E
A protobuf message schema violation was detected; message name 'name' is invalid.
AUIP010E
A protobuf message schema violation was detected; message name name is invalid (expected expected name).
AUIP011E
A protobuf message schema violation was detected; value value is not a valid bytes value.
AUIP012E
A protobuf message schema violation was detected; value value is not a valid unsigned integer value.
AUIP013E
An error occurred while parsing item text: String is empty.
AUIP014E
An error occurred while parsing item text: text.
AUIP015E
Failed to send error message to appliance: host/port.
AUIP016E
Policy rule <rule> was ignored: IMS name is empty.

AUIP001E A protobuf message schema violation was detected; value value is not a valid
boolean value.
Explanation
The specified value is not valid.
User response
Contact your administrator or IBMÂ® Software Support.
Parent topic: Error messages and codes: AUIPxxxx
double value.
Explanation
User response
integer value.
Explanation
User response
AUIP004E A protobuf message schema violation was detected; required message message
property property is not present.
Explanation
The specified message property is not present.
User response
Contact your administrator or IBMÂ® Software Support
AUIP005E A protobuf message schema violation was detected; required message message
sub-message submessage is not present.
Explanation
The specified message submessage is not present.
User response
AUIP006S A severe error occurred during protobuf message parsing; an unknown exception
occurred.
Explanation
An error occurred while parsing a protobuf message.

User response
AUIP007E A protobuf message schema violation was detected; property name property is
invalid.
Explanation
The specified property name is not valid.
User response
AUIP008E A protobuf message schema violation was detected; property property value value
is invalid.
Explanation
The specified property value is not valid.
User response
AUIP009E A protobuf message schema violation was detected; message name 'name' is
invalid.
Explanation
The specified message name is not valid.
User response
AUIP010E A protobuf message schema violation was detected; message name name is invalid
(expected expected name).
Explanation
The specified message name is not valued.
User response
AUIP011E A protobuf message schema violation was detected; value value is not a valid bytes
value.
Explanation
User response

unsigned integer value.
Explanation
User response
AUIP013E An error occurred while parsing item text: String is empty.
Explanation
A policy message contained an item field with an empty value.
User response
AUIP014E An error occurred while parsing item text: text.

Explanation
A policy message contained an item field with a value text could not be parsed successfully.
User response
AUIP015E Failed to send error message to appliance: host/port.
Explanation
The IBMÂ® GuardiumÂ® S-TAPÂ® for IMS agent was unable to send the error message to the specified appliance.
User response
Contact your administrator or IBM Software Support.
AUIP016E Policy rule <rule> was ignored: IMS name is empty.
Explanation
The specified policy rule was ignored because it does not apply to any IMS subsystem, or the IMS name is empty.
User response
Error messages and codes: AUIRxxxx

The following information is about error messages and codes that begin with AUIR.
AUIR002E
The provided parameter 'value' is too long; should be less than or equal to maximum length characters.
AUIR004E
A maximum of maximum data sets are allowed for the names libs and a total of libs-count were specified.
AUIR006E
The parameter parameter can't be empty.
AUIR007W
Policy_rule_item <item-name> for Policy_rule <rule-name> has conflicting <value-name> values.
AUIR008W
IMS 050i Max Time threshold was changed from "2460" to "2359".

AUIR002E The provided parameter 'value' is too long; should be less than or equal to maximum
length characters.
Explanation
The value of the specified parameter exceeds the maximum length maximum length.
User response
Specify a shorter value that does not exceed the specified limit for the parameter.
Parent topic: Error messages and codes: AUIRxxxx
AUIR004E A maximum of maximum data sets are allowed for the names libs and a total of libs-
count were specified.
Explanation
The maximum number of data sets was exceeded for the libs specified.
User response
Limit the number of data sets for the specified libs to maximum.
AUIR006E The parameter parameter can't be empty.
Explanation
The parameter value must be specified in the agent configuration.
User response
Update agent configuration, or contact your administrator.
AUIR007W Policy_rule_item <item-name> for Policy_rule <rule-name> has conflicting <value-

name> values.
Explanation
The Guardium policy was processed but there are conflicting fields in the definition. Only one of the policies has been applied.
User response
Check the policy definition, and change the specified values to eliminate the conflict.
AUIR008W IMS 050i Max Time threshold was changed from "2460" to "2359".
Explanation
An invalid time value was supplied through the use of the Message AUII050I Frequency field of the IMS definition screen of the GuardiumÂ® appliance. The invalid value
was automatically corrected by the agent.
System action
User response
When convenient, update the invalid time value in the IMS definition to a value within the range of 00:10 -- 23:59.
Error messages and codes: AUITxxxx

The following information is about error messages and codes that begin with AUIT.

AUIT001E
The specified user ID userid is not defined or does not have an OMVS segment defined.
AUIT006S
The product is not properly configured to authenticate users.
AUIT008E
The configuration file filename is invalid; the root element element is not <agent-config>.
AUIT010E
An error occurred while opening the configuration file filename message text
AUIT012I
Performing discovery of available locations.
AUIT013I
Security GuardiumÂ® S-TAPÂ® for IMS agent is terminating.
AUIT014I
Connected to server <host> on port <port>.
AUIT015I
Attempting connection to server <host> on port <port>.
AUIT017I
Discovered subsystem subsystem-id.
AUIT019I
Security Guardium S-TAP for IMS agent started on <lpar _name> (<lpar_ip>).
AUIT020I
Starting the socket selector thread (thread thread id).
AUIT023I
Received shutdown request.
AUIT025I
The socket selector thread is terminating.
AUIT028E
An error occurred while authenticating user user-id error-text.
AUIT031I
Starting the command listener thread (thread thread-id).
AUIT032I
Received stop command: command-text.
AUIT033I
Received modify command: command-text.
AUIT034S
Security Guardium S-TAP for IMS agent is terminating due to hard stop request.
AUIT044E
The connection to the server has been lost.
AUIT047E
IBMÂ® Security Guardium S-TAP for IMS on z/OSÂ® agent ended with RC = [rc].
AUIT048I
Issuing request to capture service dump.
AUIT049I
Request to capture service dump has completed successfully.
AUIT001E The specified user ID userid is not defined or does not have an OMVS segment
defined.
Explanation
You specified a user ID that is not defined or does not have an OMVS segment defined.
User response
Security GuardiumÂ® S-TAPÂ® for IMS was unable to authenticate the specified user. Either specify a valid user ID, or if the user ID is valid, see your security administrator
to have an OMVS segment defined for the user ID.
Parent topic: Error messages and codes: AUITxxxx
AUIT006S The product is not properly configured to authenticate users.
Explanation
Security GuardiumÂ® S-TAPÂ® for IMS is not properly configured to authenticate users.
User response
An error occurred while authenticating a remote user request. The error code indicates that the installation configuration required to allow this authentication has not
been completed. See IBM Guardium S-TAP for IMS agent for more information about how to complete the required configuration.
AUIT008E The configuration file filename is invalid; the root element element is not <agent-
config>.
Explanation
The configuration file identified in the message is invalid.
User response
The contents of the specified configuration file are invalid. Correct the file contents to specify <agent-config> as the root XML element.
AUIT010E An error occurred while opening the configuration file filename message text
Explanation
An error occurred while opening the configuration file identified in the message. Additional error information is also contained within the message.
User response
Use the specified message text to diagnose the error that occurred. Specify a valid configuration file that is not in use by any other process.
AUIT012I Performing discovery of available locations.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent is looking for available locations.
User response
AUIT013I Security GuardiumÂ® S-TAPÂ® for IMS agent is terminating.
Explanation
The Security Guardium S-TAP for IMS agent is terminating.
User response
AUIT014I Connected to server <host> on port <port>.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent task has connected to the S-TAP to the specified host and port.
User response
AUIT015I Attempting connection to server <host> on port <port>.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent is attempting to connect to the specified host and port number.
User response
AUIT017I Discovered subsystem subsystem-id.

Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent has discovered the identified subsystem.
User response
AUIT019I Security GuardiumÂ® S-TAPÂ® for IMS agent started on <lpar _name> (<lpar_ip>).
Explanation
The IBMÂ® Guardium S-TAP for IMS agent has started.
User response
AUIT020I Starting the socket selector thread (thread thread id).
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent is starting the identified socket selector thread.
User response
AUIT023I Received shutdown request.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent has received a shutdown request.
User response
AUIT025I The socket selector thread is terminating.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent socket selector thread is terminating.
User response
AUIT028E An error occurred while authenticating user user-id error-text.
Explanation
An unexpected return code was returned by the pthread_security_np() callable service.
User response
Ensure that the configuration required to use this service has been completed. See IBM Guardium S-TAP for IMS agent for more information about the required
configuration. Check the agent job log for additional messages which might be generated.
AUIT031I Starting the command listener thread (thread thread-id).

Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent is starting the command listener thread.
User response
AUIT032I Received stop command: command-text.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent received a STOP command.
User response
AUIT033I Received modify command: command-text.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent received a MODIFY command.
User response
AUIT034S Security GuardiumÂ® S-TAPÂ® for IMS agent is terminating due to hard stop
request.
Explanation
Security Guardium S-TAP for IMS agent is terminating due to a user /MODIFY FORCE command.
User response
AUIT044E The connection to the server has been lost.
Explanation
The Security GuardiumÂ® S-TAPÂ® for IMS agent task is unable to communicate with the Security Guardium S-TAP for IMS agent.
User response
Resolve any network connectivity issues, then try logging in again.
AUIT047E IBMÂ® Security GuardiumÂ® S-TAPÂ® for IMS on z/OSÂ® agent ended with RC = [rc].
Explanation
Due to a prior error, the agent has ended with the specified return code.
User response
AUIT048I Issuing request to capture service dump.

Explanation
A command, such as /f AUIASTC,DUMP/DDX, has been issued for processing.
User response
AUIT049I Request to capture service dump has completed successfully.
Explanation
A command, such as /f AUIASTC,DUMP/DDX has processed successfully.
User response
Error messages and codes: AUIUxxxx

The following information is about error messages and codes that begin with AUIU.
AUIUR002I
Migrate Utility for IBMÂ® Security GuardiumÂ® S-TAPÂ® for IMS on z/OSÂ® started.
AUIUR003I
Agent record <agent name> was not found in the repository.
AUIUR002I Migrate Utility for IBMÂ® Security GuardiumÂ® S-TAPÂ® for IMS on z/OSÂ® started.
Explanation
The utility to migrate the configuration of an older version of the product to the current product version has started.
User response
Parent topic: Error messages and codes: AUIUxxxx
AUIUR003I Agent record <agent name> was not found in the repository.
Explanation
An attempt to read an agent record from the repository while migration failed as the record was not found.
System action
The agent record migration fails, processing continues.
User response
Check the configuration file for agent and repository names and use the Guardium user interface to verify that the specified agent definition is presented in specified
repository.
Parent topic: Error messages and codes: AUIUxxxx
Error messages and codes: AUIXxxxx

The following information is about error messages and codes that begin with AUIX.
AUIX013E
A shared memory error occurred on "service name": error message.
AUIX014E
An XML schema violation was detected; value value is not a valid boolean value.
AUIX015E
An XML schema violation was detected; value value is not a valid double value.
AUIX016E
An XML schema violation was detected; value value is not a valid integer value.
AUIX017E
An XML syntax error was detected at offset offset; expected expected-value, found found-value.

AUIX018E
An XML schema violation was detected; required element element attribute attribute\" is not present.
AUIX019E
An XML schema violation was detected; required element <element> child <child-element> is not present.
AUIX020E
Memory allocation failed (number bytes).
AUIX021E
An XML schema violation was detected; element element child child-number has wrong type.
AUIX022E
An XML syntax error was detected; character reference character-reference is invalid.
AUIX023E
An XML syntax error was detected; entity reference entity-reference is invalid.
AUIX024E
An XML syntax error was detected; more than one element was found at the root of the document.
AUIX025E
An XML syntax error was detected; no element was found at the root of the document.
AUIX026E
An XML syntax error was detected; text was found at the root of the document.
AUIX027S
A severe error occurred during XML parsing; an unknown exception occurred.
AUIX028E
The command line option <option name> is invalid.
AUIX034S
A severe error occurred during command line processing; an unknown exception occurred.
AUIX035E
The operation completed successfully.
AUIX036E
The address family is not supported by the protocol family ( socket-return-code).
AUIX037E
The operation is still in progress (socket-return-code).
AUIX038E
Permission is denied (socket-return-code).
AUIX039E
The network is down (socket-return-code).
AUIX040E
No buffer space is available (socket-return-code).
AUIX041E
Too many sockets have been opened (socket-return-code).
AUIX042E
The protocol is not supported (socket-return-code).
AUIX043E
The WSAStartup routine was not called (socket-return-code).
AUIX044E
The protocol is the wrong type for the socket (socket-return-code).
AUIX045E
The socket type is not supported (socket-return-code).
AUIX046E
The destination network is unreachable (socket-return-code).
AUIX047E
The socket handle is invalid (socket-return-code).
AUIX048E
The address is already in use (socket-return-code).
AUIX049E
The function call was interrupted (socket-return-code
AUIX050E
The requested address is not available (socket-return-code).
AUIX051E
The connection was aborted (socket-return-code).
AUIX052E
The connection was refused by the partner (socket-return-code).
AUIX053E
The connection was reset by the partner (socket-return-code).
AUIX054E
The network message is too long (socket-return-code).
AUIX055E
The network dropped the connection when reset (socket-return-code).
AUIX056E
An invalid parameter was specified (socket-return-code).
AUIX057E
The socket is not connected (socket-return-code).
AUIX058E
The operation is not supported (socket-return-code).
AUIX059E
The socket has been closed (socket-return-code).
AUIX060E
The socket is already connected (socket-return-code).
AUIX061S
An unknown error occurred (socket-return-code).
AUIX062E
A socket error occurred on socket-operation with RC = return code: message-text.

AUIX063E
A socket select error occurred: message-text.
AUIX064E
An XML schema violation was detected; expected root element element-expected, but found element-found instead.
AUIX066E
An XML schema violation was detected; element element value value is invalid.
AUIX067E
An XML schema violation was detected; element name element is invalid.
AUIX068E
An XML schema violation was detected; element name element-found is invalid (expected element-expected).
AUIX074E
An abend occurred: <abend code>.
AUIX076E
An XML schema violation was detected; element element attribute attribute value value is invalid.
AUIX085E
A dynamic allocation error occurred: info code = info-code, error code = error-code.
AUIX086E
A dynamic concatenation error occurred: info code = info-code, error code = error-code.
AUIX087E
A dynamic free error occurred: info code = info-code, error code = error-code.
AUIX088E
An invalid dynamic allocation parameter was specified: code = parm-code.
AUIX093S
An unexpected error occurred (file-name, line-number).
AUIX094S
An unexpected error occurred with token token, (file-name, line-number).
AUIX095S
An unexpected error occurred with tokens token and token (file-name, line-number).
AUIX096S
An unexpected error occurred with tokens token, token and token ( file-name, line-number).
AUIX097S
An unexpected error occurred with tokens token, token, token, and token (file-name, line-number.
AUIX098E
A thread error occurred on thread-operation : message-text.
AUIX101E
An event error occurred on event-operation : message-text.
AUIX104E
A mutex error occurred on mutex-operation : message-text.
AUIX109E
A semaphore error occurred on semaphore-operation : message-text.
AUIX110I
The network connection has been disconnected.
AUIX114E
A dynamic allocation query error occurred: info code = info-code, error code = error-code.
AUIX115E
An input command error occurred on \"command-operation\": message-text.
AUIX116I
Received input command: command-text.
AUIX122I
Build date component = date.
AUIX123W
The action was cancelled.
AUIX124S
The task is not running APF-authorized.
AUIX126E
A DLL error occurred on dll-operation : message-text
AUIX127S
An error occurred while opening log file file-name.
AUIX142E
An XML schema violation was detected; element element value value is invalid: expected min <min-value> and max <max value>.
AUIX143E
An XML schema violation was detected; element element attribute value value value is invalid: expected min <minimum> and max <maximum>.
AUIX149E
Data set [data set] is not cataloged.
AUIX150E
Invalid data set 'data set': Data set name must not exceed 44 characters.
AUIX151E
Invalid data set {'data set'}: The segment length must be greater than 0 and less than or equal to 8.
AUIX152E
Invalid data set 'name': The first character in each segment must be alphabetic (A-Z) or national (#, @, $).
AUIX153E
Invalid data set '<data set>': The non-first characters in the segments must be alphabetic (A-Z), numeric, national (#, @, $), or hyphen.
AUIX154E
Invalid data set '<data set>': The non-first characters in the SMF segments must be alphabetic (A -- Z), numeric, national (#, @, $), hyphen, asterisk (*) or percent
(%).
AUIX155E
Data set <data set> is not APF-authorized.
AUIX156E
Invalid data set '<data set>': The first character in SMF segment must be alphabetic (A -- Z) or national (#, @, $), asterisk (*) or percent (%).

AUIX160E
A dynamic allocation query error occurred: info code = <info-code>, error code = <error-code>, DD name = <dd-name>.
AUIX183E
The number of file descriptors (sockets) has exceeded maximum = <number>.
AUIX013E A shared memory error occurred on "service name": error message.
Explanation
This error can occur in the primary agent address space. When the error occurs, the primary agent address space will shut down with a CC of 12. This startup error
indicates that attempts to create a shared memory segment failed because of an already existing shared memory segment that never belonged to, or currently does not
belong to, the primary agent address space.
This message can occur in the secondary address space if the <id> elements in the ADS_SHM_ID and ADS_LISTENER_PORT parameters do not match in the AUICONFG
configuration member that is used by the agent primary address space and the secondary address spaces.
User response
Edit SAUISAMP member AUICONFG (or the customized AUICONFG) and specify the correct <id> elements in the ADS_SHM_ID and ADS_LISTENER_PORT parameters.
Parent topic: Error messages and codes: AUIXxxxx
AUIX014E An XML schema violation was detected; value value is not a valid boolean value.
Explanation
An XML schema violation was detected; value value is not a valid boolean value.
User response
If the error occurred while reading the agent configuration file, correct the file contents. Otherwise, contact IBMÂ® Software Support.
AUIX015E An XML schema violation was detected; value value is not a valid double value.
Explanation
An XML schema violation was detected; value value is not a valid double value.
User response
AUIX016E An XML schema violation was detected; value value is not a valid integer value.
Explanation
An XML schema violation was detected; value value is not a valid integer value.
User response
AUIX017E An XML syntax error was detected at offset offset; expected expected-value, found
found-value.
Explanation
An XML syntax error was detected at offset offset; expected expected-value, found found-value.
User response

AUIX018E An XML schema violation was detected; required element element attribute
attribute\" is not present.
Explanation
An XML schema violation was detected; required element element attribute attribute is not present.
User response
AUIX019E An XML schema violation was detected; required element <element> child <child-
element> is not present.
Explanation
The XML schema must contain the specified elements.
User response
Correct the XML schema and retry.
AUIX020E Memory allocation failed (number bytes).
Explanation
Memory allocation failed (number bytes).
User response
AUIX021E An XML schema violation was detected; element element child child-number has
wrong type.
Explanation
An XML schema violation was detected; element element child child-number has wrong type.
User response
AUIX022E An XML syntax error was detected; character reference character-reference is

invalid.
Explanation
An XML syntax error was detected; character reference character-reference is invalid.
User response
AUIX023E An XML syntax error was detected; entity reference entity-reference is invalid.
Explanation
An XML syntax error was detected; entity reference entity-reference is invalid.

User response
AUIX024E An XML syntax error was detected; more than one element was found at the root of
the document.
Explanation
An XML syntax error was detected; more than one element was found at the root of the document.
User response
AUIX025E An XML syntax error was detected; no element was found at the root of the
document.
Explanation
An XML syntax error was detected; no element was found at the root of the document.
User response
AUIX026E An XML syntax error was detected; text was found at the root of the document.
Explanation
An XML syntax error was detected; text was found at the root of the document.
User response
AUIX027S A severe error occurred during XML parsing; an unknown exception occurred.
Explanation
A severe error occurred during XML parsing; an unknown exception occurred.
User response
AUIX028E The command line option <option name> is invalid.
Explanation
The command line option, which is specified in the message text, is invalid.
User response
Correct the command line option and retry the operation. Review the IBMÂ® GuardiumÂ® S-TAPÂ® for IMS client/server environment information for valid options.
AUIX034S A severe error occurred during command line processing; an unknown exception
occurred.
Explanation
A severe error occurred during command line processing; an unknown exception occurred.
User response
AUIX035E The operation completed successfully.
Explanation
The operation completed successfully.
User response
AUIX036E The address family is not supported by the protocol family ( socket-return-code).
Explanation
The address family is not supported by the protocol family ( socket-return-code).
User response
AUIX037E The operation is still in progress (socket-return-code).
Explanation
The operation is still in progress (socket-return-code).
User response
AUIX038E Permission is denied (socket-return-code).
Explanation
Permission is denied (socket-return-code).
User response
AUIX039E The network is down (socket-return-code).
Explanation
The network is down (socket-return-code).
User response
AUIX040E No buffer space is available (socket-return-code).

Explanation
No buffer space is available (socket-return-code).
User response
AUIX041E Too many sockets have been opened (socket-return-code).
Explanation
Too many sockets have been opened (socket-return-code).
User response
AUIX042E The protocol is not supported (socket-return-code).
Explanation
The protocol is not supported (socket-return-code).
User response
AUIX043E The WSAStartup routine was not called (socket-return-code).
Explanation
The WSAStartup routine was not called (socket-return-code).
User response
AUIX044E The protocol is the wrong type for the socket (socket-return-code).
Explanation
The protocol is the wrong type for the socket (socket-return-code).
User response
AUIX045E The socket type is not supported (socket-return-code).
Explanation
The socket type is not supported (socket-return-code).
User response
AUIX046E The destination network is unreachable (socket-return-code).

Explanation
The destination network is unreachable (socket-return-code).
User response
Specify the correct host name or IP address.
AUIX047E The socket handle is invalid (socket-return-code).
Explanation
The socket handle is invalid (socket-return-code).
User response
AUIX048E The address is already in use (socket-return-code).
Explanation
The address is already in use (socket-return-code).
User response
AUIX049E The function call was interrupted (socket-return-code
Explanation
The function call was interrupted (socket-return-code).
User response
AUIX050E The requested address is not available (socket-return-code).
Explanation
The requested address is not available (socket-return-code).
User response
AUIX051E The connection was aborted (socket-return-code).
Explanation
The connection was aborted (socket-return-code).
User response
AUIX052E The connection was refused by the partner (socket-return-code).

Explanation
The connection was refused by the partner (socket-return-code).
User response
Verify that the correct port number was specified, and that the partner application has been started and is available.
AUIX053E The connection was reset by the partner (socket-return-code).
Explanation
The connection was reset by the partner (socket-return-code).
User response
The partner application ended the network connection. If this is unexpected, diagnose the partner application failure. Otherwise, no action is required.
AUIX054E The network message is too long (socket-return-code).
Explanation
The network message is too long (socket-return-code).
User response
AUIX055E The network dropped the connection when reset (socket-return-code).
Explanation
The network dropped the connection when reset (socket-return-code
User response
AUIX056E An invalid parameter was specified (socket-return-code).
Explanation
An invalid parameter was specified (socket-return-code).
User response
AUIX057E The socket is not connected (socket-return-code).
Explanation
The socket is not connected (socket-return-code).
User response
AUIX058E The operation is not supported (socket-return-code).

Explanation
The operation is not supported (socket-return-code).
User response
AUIX059E The socket has been closed (socket-return-code).
Explanation
The socket has been closed (socket-return-code).
User response
AUIX060E The socket is already connected (socket-return-code).
Explanation
The socket is already connected (socket-return-code).
User response
AUIX061S An unknown error occurred (socket-return-code).
Explanation
An unknown error occurred (socket-return-code).
User response
AUIX062E A socket error occurred on socket-operation with RC = return code: message-text.
Explanation
A socket error occurred.
User response
Use the specified message text to diagnose the error.
AUIX063E A socket select error occurred: message-text.
Explanation
A socket select error occurred.
User response

AUIX064E An XML schema violation was detected; expected root element element-expected,
but found element-found instead.
Explanation
An XML schema violation was detected; expected root element element-expected , but found element-found instead.
User response
AUIX066E An XML schema violation was detected; element element value value is invalid.
Explanation
An XML schema violation was detected; element element value value is invalid.
User response
AUIX067E An XML schema violation was detected; element name element is invalid.
Explanation
An XML schema violation was detected; element name element is invalid.
User response
AUIX068E An XML schema violation was detected; element name element-found is invalid
(expected element-expected).
Explanation
An XML schema violation was detected; element name element-found is invalid (expected element-expected).
User response
AUIX074E An abend occurred: <abend code>.
Explanation
This message indicates a callable service abend has occurred. Additional diagnostic information might be present in the message when applicable.
User response
AUIX076E An XML schema violation was detected; element element attribute attribute value
value is invalid.
Explanation
An XML schema violation was detected; element element attribute attribute value value is invalid.
User response

AUIX085E A dynamic allocation error occurred: info code = info-code, error code = error-code.
Explanation
A dynamic allocation error occurred: info code = info-code, error code = error-code.
User response
See the MVSâ„¢ Programming: Authorized Assembler Services Guide for more information about the specified information and error codes.
AUIX086E A dynamic concatenation error occurred: info code = info-code, error code = error-
code.
Explanation
A dynamic concatenation error occurred: info code = info-code, error code = error-code.
User response
AUIX087E A dynamic free error occurred: info code = info-code, error code = error-code.
Explanation
A dynamic free error occurred: info code = info-code, error code = error-code.
User response
AUIX088E An invalid dynamic allocation parameter was specified: code = parm-code.
Explanation
An invalid dynamic allocation parameter was specified: code = parm-code.
User response
AUIX093S An unexpected error occurred (file-name, line-number).
Explanation
An unexpected error occurred (file-name, line-number).
User response
AUIX094S An unexpected error occurred with token token, (file-name, line-number).
Explanation
An unexpected error occurred with token token, (file-name, line-number).

User response
AUIX095S An unexpected error occurred with tokens token and token (file-name, line-number).
Explanation
An unexpected error occurred with tokens token and token (file-name, line-number).
User response
AUIX096S An unexpected error occurred with tokens token, token and token ( file-name, line-
number).
Explanation
An unexpected error occurred with tokens token, token and token ( file-name, line-number).
User response
AUIX097S An unexpected error occurred with tokens token, token, token, and token (file-name,
line-number.
Explanation
An unexpected error occurred with tokens token, token, token, and token (file-name, line-number.
User response
AUIX098E A thread error occurred on thread-operation : message-text.
Explanation
A thread error occurred on thread-operation : message-text.
User response
AUIX101E An event error occurred on event-operation : message-text.
Explanation
An event error occurred on event-operation : message-text.
User response
AUIX104E A mutex error occurred on mutex-operation : message-text.

Explanation
A mutex error occurred on mutex-operation : message-text.
User response
AUIX109E A semaphore error occurred on semaphore-operation : message-text.
Explanation
A semaphore error occurred on semaphore-operation : message-text.
User response
AUIX110I The network connection has been disconnected.
Explanation
The network connection has been disconnected.
User response
AUIX114E A dynamic allocation query error occurred: info code = info-code, error code = error-
code.
Explanation
A dynamic allocation query error occurred: info code = info-code, error code = error-code.
User response
See the MVSâ„¢ Programming: Authorized Assembler Services Guide for more information about the specified info and error codes.
AUIX115E An input command error occurred on \"command-operation\": message-text.
Explanation
An input command error occurred on \"command-operation\": message-text.
User response
AUIX116I Received input command: command-text.
Explanation
Received input command: command-text.
User response

AUIX122I Build date component = date.
Explanation
Build date component = date.
User response
AUIX123W The action was cancelled.
Explanation
The action was cancelled.
User response
No action is required. The operation was cancelled due to user or administrator request.
AUIX124S The task is not running APF-authorized.
Explanation
The task is not running APF-authorized.
User response
The Security GuardiumÂ® S-TAPÂ® for IMS load library, and the load libraries for all of the IMS subsystems accessed, must be APF-authorized. See IBM Guardium S-TAP
for IMS agent for more information about the required configuration steps.
AUIX126E A DLL error occurred on dll-operation : message-text
Explanation
A DLL error occurred on dll-operation : message-text
User response
AUIX127S An error occurred while opening log file file-name.
Explanation
An error occurred while opening log file file-name.
User response
AUIX142E An XML schema violation was detected; element element value value is invalid:
expected min <min-value> and max <max value>.
Explanation
The element-value given for element-name is out of the range and must be within min-value and max-value.
User response
Correct the value for the element-name in the configuration.

AUIX143E An XML schema violation was detected; element element attribute value value value
is invalid: expected min <minimum> and max <maximum>.
Explanation
The element attribute value is not valid.
User response
If the error occurred while reading the agent configuration file, update the configuration. Otherwise, contact IBMÂ® Software Support.
AUIX149E Data set [data set] is not cataloged.
Explanation
The data set specified in the message text has not been cataloged.
User response
Allocate the data set.
AUIX150E Invalid data set 'data set': Data set name must not exceed 44 characters.
Explanation
MVSâ„¢ data sets cannot exceed 44 characters.
User response
Correct the data set entry, then retry.
AUIX151E Invalid data set {'data set'}: The segment length must be greater than 0 and less
than or equal to 8.
Explanation
The specified data set name has one or more segments that are not between 1 and 8 characters.
User response
Specify a data set where each segment contains more than 0 characters and 8 or fewer characters.
AUIX152E Invalid data set 'name': The first character in each segment must be alphabetic (A-
Z) or national (#, @, $).
Explanation
The data set name provided does not is not a valid name and does not satisfy the MVSâ„¢ data set naming requirements.
User response
Correct the data set name and try again.
AUIX153E Invalid data set '<data set>': The non-first characters in the segments must be
alphabetic (A-Z), numeric, national (#, @, $), or hyphen.
Explanation
The non-first characters in the segments must be alphabetic (A-Z), numeric, national (#, @, $), or hyphen.

User response
Specify a data set where non-first characters in the segments is alphabetic (A-Z), numeric, national (#, @, $), or hyphen.
AUIX154E Invalid data set '<data set>': The non-first characters in the SMF segments must be
alphabetic (A -- Z), numeric, national (#, @, $), hyphen, asterisk (*) or percent (%).
Explanation
The non-first characters in the SMF segments must be alphabetic (A -- Z), numeric, national (#, @, $), hyphen, asterisk (*) or percent (%).
User response
Specify a data set where non-first characters in the SMF segments is alphabetic (A -- Z), numeric, national (#, @, $), hyphen, asterisk (*) or percent (%).
AUIX155E Data set <data set> is not APF-authorized.
Explanation
The specified data set requires APF authorization.
User response
The specified data set must be APF-authorized. See Configuration overview for more information about the required configuration steps.
AUIX156E Invalid data set '<data set>': The first character in SMF segment must be alphabetic
(A -- Z) or national (#, @, $), asterisk (*) or percent (%).
Explanation
The first character in SMF segment must be alphabetic (A -- Z) or national (#, @, $), asterisk (*) or percent (%).
User response
Specify a data set where first character in SMF segments must be alphabetic (A -- Z) or national (#, @, $), asterisk (*) or percent (%).
AUIX160E A dynamic allocation query error occurred: info code = <info-code>, error code =
<error-code>, DD name = <dd-name>.
Explanation
A dynamic allocation query error occurred with the specified information code, error code, and DD name.
User response
See the MVS Programming: Authorized Assembler Services Guide for more information about the specified info and error codes.
AUIX183E The number of file descriptors (sockets) has exceeded maximum = <number>.
Explanation
The active program holds too many file or socket descriptors and exceeded system maximum = <number>.
User response
Contact your system administrator or IBM Software Support.
Error messages and codes: AUIYxxxx

The following information is about error messages and codes that begin with AUIY.

AUIY001E
A callable services abend abend has occurred.
AUIY002E
GPRS number-number: hex-value hex-value hex-value hex-value
AUIY003E
Active module not found.
AUIY004E
Active module = module-name, load point = hex-address, offset = hex-address
AUIY005E
PSW = string string
AUIY006E
Callable service invocation failed with return code = return-code and reason code = reason-code
AUIY007I
Invoking callable service callable service.
AUIY008I
Returned from callable service service-name
AUIY009E
Invalid data set mask: data set mask.
AUIY001E A callable services abend abend has occurred.
Explanation
This message indicates a callable service abend has occurred. Additional diagnostic information is be present in the message when applicable.
User response
Parent topic: Error messages and codes: AUIYxxxx
AUIY002E GPRS number-number: hex-value hex-value hex-value hex-value
Explanation
This message indicates an CSI abend has occurred. Additional diagnostic information is present in the message when applicable.
User response
AUIY003E Active module not found.
Explanation
This message indicates a CSI abend has occurred. Additional diagnostic information is present in the message when applicable.
User response
AUIY004E Active module = module-name, load point = hex-address, offset = hex-address
Explanation
User response
AUIY005E PSW = string string
Explanation
User response

AUIY006E Callable service invocation failed with return code = return-code and reason code =
reason-code
Explanation
A service requested by the agent task has failed.
User response
View the JES log of the agent task to determine the data set name and reason for the error. Contact IBMÂ® Software Support if you are unable to resolve the error.
AUIY007I Invoking callable service callable service.
Explanation
The specified callable service has been invoked successfully.
User response
AUIY008I Returned from callable service service-name
Explanation
Returned from a callable service that is identified in the message.
User response
AUIY009E Invalid data set mask: data set mask.
Explanation
The specified data set mask is not valid.
User response
Enter a valid data set mask and retry.
Error messages and codes: AUIZxxxx

The following information is about error messages and codes that begin with AUIZ.
AUIZ002E
dd-name DD has already been allocated.
AUIZ003W
Attached to existing shared memory segment.
AUIZ004S
Shared memory segment key verification failed ('key-value').
AUIZ005S
Shared memory segment eyecatcher 'value' invalid.
AUIZ007S
The master address space failed to respond to a connect request.
AUIZ008W
IBMÂ® Security GuardiumÂ® S-TAPÂ® for IMS on z/OSÂ® agent failed to shut down properly last time.
AUIZ009S
Attempts to attach to shared memory segment segment key failed.
AUIZ010W
Configuration value for <parameter> is set below the allowed minimum of <limit>.
AUIZ011W
Configuration value for <parameter> is set above the allowed maximum of <limit>.

AUIZ012I
Log-server: listening on port <port>.
AUIZ013E
Log-server: no available port was found in the range <min-port>-<max-port>.
AUIZ014W
Log-server: invalid data received from client <client-ip> (<header-data>).
AUIZ020W
Configuration parameter parameter-name was ignored: duplicate value specified specified-value.
AUIZ021E
Configuration parameter option can't be empty.
AUIZ022E
At least one active appliance is required.
AUIZ023E
Duplicate appliance specified: host/port.
AUIZ024E
Duplicate appliance priority specified: priority.
AUIZ025E
Spill size can't be zero if more than one appliance is enabled.
AUIZ026E
Configuration parameter <option> value <value> is invalid; expected list <value-list>.
AUIZ027W
Host name can't be resolved <host-name>.
AUIZ028E
Configuration parameter element-name value element-value is invalid: expected min value-min and max value-max.
AUIZ029E
Property property-name not found in config.
AUIZ030E
Configuration parameter parameter-name value parameter-value is not valid long value.
AUIZ031E
Configuration parameter parameter-name value parameter-value is not valid unsigned long value.
AUIZ032E
Configuration parameter parameter-name value parameter-value is not valid short value.
AUIZ033E
Configuration parameter parameter-name value parameter-value is not valid unsigned short value.
AUIZ034E
Configuration parameter parameter-name value parameter-value is not valid boolean value.
AUIZ035E
Configuration parameter parameter-name value parameter-value is not valid double value.
AUIZ036E
Configuration parameter element-name value element-value length is invalid: expected min length-min and max length-max characters.
AUIZ037I
Collection profile profile uninstalled successfully.
AUIZ038I
Collection profile profile installed successfully.
AUIZ039I
Guardium policy processing started.
AUIZ040I
Guardium policy processing finished [active = <number1>, installed = <number2>, uninstalled = <number3>].
AUIZ041E
Profile for IMS source ims_name was ignored: unknown IMS.
AUIZ041W
Profile for IMS source ims_name was ignored: unknown IMS.
AUIZ042W
IMS artifact ims-name was ignored: invalid IMS definition.
AUIZ043E
XCF callable service invocation failed: function function-name, RC = nn, reason code = hhhhhhhh, AUIU proc name = proc-name, ADS_SHR_MEM ID = nn.
AUIZ044S
Shared memory segment version S-TAP version found is not compatible with expected expected version.
AUIZ045E
AUICONFG DD must be allocated.
AUIZ046E
module-name callable service invocation failed: RC = return-code, reason code = reason-code.
AUIZ047E
Specified spill file data_set_name does not exist.
AUIZ048E
Problem encountered for <spill>, <problem area>: required <req>, received <res>.
AUIZ049E
z/OS call failure for <spill>, <problemarea>: RC= <rc>, RSN= <rsn>.
AUIZ050E
Specified Log Stream 'xxx.xxx.xxx' does not exist
AUIZ051E
Problem encountered while validating log-stream-name. Function: request: CONNECT, RC = xx, RSN = zzzz.
AUIZ052E
Abend occurred while validating <log stream>. Abend code = <code>, RSN=<reason>.
AUIZ053E
Logging subsystem failed to initialize successfully.
AUIZ054E
The Batch DLI log Stream and Online DLI log stream names must be different.
AUIZ055E
Shared memory segment ID <shm-id> is not available for use.

AUIZ056E
Shared memory segment ID segment_id is owned by agent agent_name and cannot be attached.
AUIZ057E
A configuration syntax error was detected at line <number>; expected "<token1>", found "<token2>".
AUIZ058I
Collection profile <profile-name> updated successfully.
AUIZ059E
Configuration parameter <option> value <value> is invalid: the first character must be alphabetic.
AUIZ060E
The master address space did not respond within 60 seconds.
AUIZ061I
AUIHOST file has been detected.
AUIZ062I
AUIHOST file LPAR name/DNS name overrides in use: CVTS_LPAR_NAME(DNS_NAME)
AUIZ063E
AUIHOST file format is invalid. RECFM must be FB; LRECL must be 80.
AUIZ064E
AUIHOST file contains invalid syntax <line number and string>
AUIZ065W
IMS STAP <name> TCP/IP streaming disabled due to user settings.
AUIZ066E
Configuration parameter "DLIFREQ" value value is invalid: expected 10K-999K, 1M-10M.
AUIZ067W
Configuration parameter <parameter> value <wrong value> is not valid. <Value> will be used instead.
AUIZ002E dd-name DD has already been allocated.
Explanation
The dd-name DD needed for the task, has been previously allocated.
System action
The task terminates with a return code of 12.
User response
dd-name DD is dynamically allocated. Ensure that the dd-name DD is not present in the task JCL. If the dd-name is not present in the JCL, contact IBMÂ® Software
Support.
Parent topic: Error messages and codes: AUIZxxxx
AUIZ003W Attached to existing shared memory segment.
Explanation
This message corresponds to message AUIZ008W. This message indicates that the memory segment has been cleaned, and is being reused.
User response
AUIZ004S Shared memory segment key verification failed ('key-value').
Explanation
Shared memory segment validation failed. This usually implies that the shared memory segment is owned by another product or system.
User response
Change shared memory segment id and restart the agent:
ADS_SHR_MEM_ID
AUIZ005S Shared memory segment eyecatcher 'value' invalid.
Explanation
Shared memory segment validation failed. This implies that the shared memory segment is owned by another product or system.

User response
Change shared memory segment ID and restart the agent:
ADS_SHR_MEM_ID
AUIZ007S The master address space failed to respond to a connect request.
Explanation
A secondary address space failed to connect to the master address space.
User response
Check the listener-port in the address-space-manager-config section of the configuration and verify that it matches in both AUICONFG and members of the primary
address space and secondary address spaces.
AUIZ008W IBMÂ® Security GuardiumÂ® S-TAPÂ® for IMS on z/OSÂ® agent failed to shut down
properly last time.
Explanation
When the agent is restarting, the persistent memory object indicates that the agent was abnormally cancelled or terminated without going through the proper clean-up
routines, for example, Estae processing. This message might also indicate that another instance of the agent is currently executing.
User response
Verify that there is only one instance of this agent running.
AUIZ009S Attempts to attach to shared memory segment segment key failed.

Explanation
This error message always occurs in conjunction with error message AUIX013E.
This startup error indicates that attempts to create a shared memory segment failed because of an already existing shared memory segment that never belonged to, or
currently does not belong to, the primary agent address space.
This message can occur in the secondary address space if the <id> elements in the <address-space-manager-config> parameters of the AUICONFG config member that is
used by the agent primary address space and the secondary address spaces(s) do not match.
User response
Edit SAUISAMP member AUICONFG (or the customized AUICONFG) and specify a different <id> element in the <address-space-manager-config> section.
AUIZ010W Configuration value for <parameter> is set below the allowed minimum of <limit>.
Explanation
Configuration parameter is not valid: <parameter> should be not less than <limit>.
User response
Change the parameter to comply with the requirements.
AUIZ011W Configuration value for <parameter> is set above the allowed maximum of <limit>.
Explanation
Configuration parameter is not valid: <parameter> should exceed the <limit>.
User response
Change the parameter to correspond to the requirements.

AUIZ012I Log-server: listening on port <port>.
Explanation
Identifies the port number that the Log-server is listening to.
User response
AUIZ013E Log-server: no available port was found in the range <min-port>-<max-port>.
Explanation
No available port was found in specified range. This usually implies that the range of ports is used by other installations or products.
User response
AUIZ014W Log-server: invalid data received from client <client-ip> (<header-data>).
Explanation
This message indicates that an unexpected connection occurred from <client-ip> to log-server port.
System action
The connection is refused, and processing continues.
User response
This warning message can be produced during a system-level port security scan. If you do not want to receive this message, suppress it by using the configuration
parameters LOG_FILTER(E) and LOG_FILTER_MSGS_ID(AUIZ014W).
If a port scan was not active when this message was received, it indicates that an unknown message was received by the log-server port. Contact IBM Software Support.
AUIZ020W Configuration parameter parameter-name was ignored: duplicate value specified

specified-value.
Explanation
The specified configuration parameter parameter-name cannot contain a value that has already been specified for a related parameter.
User response
Fix the duplicate value specified-value and restart the agent.
AUIZ021E Configuration parameter option can't be empty.
Explanation
The configuration parameter option contains an invalid value.
User response
Check the valid values for the option and correct the configuration file.
AUIZ022E At least one active appliance is required.
Explanation
No appliances were specified in the agent configuration, or all specified appliances were disabled.

User response
Check agent configuration and add enabled appliances to configuration.
AUIZ023E Duplicate appliance specified: host/port.
Explanation
Specified appliance (host/port) are duplicates of another appliance specified in the configuration.
User response
Update or remove duplicate appliances in the agent configuration.
AUIZ024E Duplicate appliance priority specified: priority.
Explanation
Two or more appliances with duplicate priority (priority) were specified.
User response
Update or remove appliances with duplicate priorities in the agent configuration.
AUIZ025E Spill size can't be zero if more than one appliance is enabled.
Explanation
Spill size should be greater than zero if two or more active appliances are specified.
User response
Specify a valid spill size.
AUIZ026E Configuration parameter <option> value <value> is invalid; expected list <value-
list>.
Explanation
The configuration parameter <option> contains an invalid value.
User response
Check the valid values for the <option> and correct the configuration file.
AUIZ027W Host name can't be resolved <host-name>.
Explanation
An attempt was made to determine the IP address of the host name that was indicated through the use of the z/OS getaddrinfo service. The attempt failed.
System action
If the host name is not the local LPAR, processing continues. The TCP/IP address for any events that occur on this LPAR will not be sent to the appliance for reporting. If
the host name is the local LPAR where the agent (AUIAstc task) is running, the local host name and IP address will be used for INTER and INTRA task communications.
User response
The z/OS network administrator must verify that the LPAR name exists in the DNS table.
AUIZ028E Configuration parameter element-name value element-value is invalid: expected min

value-min and max value-max.

Explanation
The element-value given for element-name is out of the range and must be within min-value and max-value.
User response
Correct the value for the element-name in the configuration.
AUIZ029E Property property-name not found in config.
Explanation
A required property property-name could not be loaded from the configuration file because it has been incorrectly specified, specified multiple times, or not specified at
all.
User response
Update configuration file and add property-name with an appropriate value.
AUIZ030E Configuration parameter parameter-name value parameter-value is not valid long

value.
Explanation
The configuration parameter identified by parameter-name contains an invalid value. The expected value should be of type long.
User response
Correct the configuration value.
AUIZ031E Configuration parameter parameter-name value parameter-value is not valid

unsigned long value.
Explanation
The configuration parameter identified by parameter-name contains an invalid value. The expected value should be of type unsigned long.
User response
AUIZ032E Configuration parameter parameter-name value parameter-value is not valid short

value.
Explanation
The configuration parameter identified by parameter-name contains an invalid value. The expected value should be of type short.
User response

unsigned short value.
Explanation
The configuration parameter identified by parameter-name contains an invalid value. The expected value should be of type unsigned short.
User response

boolean value.
Explanation
The configuration parameter identified by parameter-name contains an invalid value. The expected value should be of type boolean.
User response
AUIZ035E Configuration parameter parameter-name value parameter-value is not valid double

value.
Explanation
The configuration parameter identified by parameter-name contains an invalid value. The expected value should be of type double.
User response
AUIZ036E Configuration parameter element-name value element-value length is invalid:

expected min length-min and max length-max characters.
Explanation
The element-value given for element-name is too long and its length must be within length-min and length-max.
User response
Correct the value for the element-name in the configuration file.
AUIZ037I Collection profile profile uninstalled successfully.
Explanation
The specified collection profile uninstalled.
User response
AUIZ038I Collection profile profile installed successfully.
Explanation
The specified collection profile installed.
User response
AUIZ039I GuardiumÂ® policy processing started.
Explanation
The agent has received a policy message from the appliance and has started to process it.
User response

AUIZ040I GuardiumÂ® policy processing finished [active = <number1>, installed = <number2>,
uninstalled = <number3>].
Explanation
The Guardium policy has been processed. The active, installed, and uninstalled values indicate the number of processed collection profiles.
User response
AUIZ041E Profile for IMS source ims_name was ignored: unknown IMS.
Explanation
The agent received an IMS policy from the Security GuardiumÂ® system which does not relate to this agent instance.
System action
The policy is ignored by this agent.
User response
AUIZ041W Profile for IMS source ims_name was ignored: unknown IMS.
Explanation
The agent received an IMS policy from the Security GuardiumÂ® system which does not relate to this agent instance.
System action
The policy is ignored by this agent.
User response
AUIZ042W IMS artifact ims-name was ignored: invalid IMS definition.
Explanation
During policy pushdown, an ims-name was specified for one of the rules that does not exist in the GuardiumÂ® appliance.
User response
AUIZ043E XCF callable service invocation failed: function function-name, RC = nn, reason code
= hhhhhhhh, AUIU proc name = proc-name, ADS_SHR_MEM ID = nn.
Explanation
An error occurred attempting to retrieve AUIU tokens from the CF.
User response
If the LPAR is not a sysplex member, no action is necessary. If the LPAR is a sysplex member, please contact IBMÂ® Software Support.
AUIZ044S Shared memory segment version S-TAP version found is not compatible with
expected expected version.

Explanation
An attempt to attach to a shared memory segment failed because of version mismatch. This might indicate that the shared memory segment that is identified by
ADS_SHR_MEM_ID is already in use by an older version of the product, or another product.
User response
Verify and change the ADS_SHR_MEM_ID that is specified in the agent configuration.
AUIZ045E AUICONFG DD must be allocated.
Explanation
The address space requires an AUICONFG DD to be specified in the JCL.
User response
Update the JCL for the address space to include an AUICONFG DD.
AUIZ046E module-name callable service invocation failed: RC = return-code, reason code =

reason-code.
Explanation
Invocation of the specified module failed due to the specified return-code and reason-code.
User response
AUIZ047E Specified spill file data_set_name does not exist.
Explanation
During agent startup, the SMF spill file that is named in the configuration parameter SMF_SPILL_FILE(dsn) was not found.
System action
The agent terminates.
User response
Determine why the file cannot be located. Correct any errors, and restart the agent.
AUIZ048E Problem encountered for <spill>, <problem area>: required <req>, received <res>.
Explanation
This spill data set <spill> could not be validated. The <problem area> with the parameters <req> and <res> gives additional details.
User response
Fix the issue in the <problem area> using the required <req> value. If necessary, contact IBMÂ® Software Support for additional help.
AUIZ049E z/OS call failure for <spill>, <problemarea>: RC= <rc>, RSN= <rsn>.
Explanation
An attempt to validate the spill data set has caused an error with the z/OS services. A <problemarea> value with return code <rc> and reason code <rsn> are returned. If
the <problemarea> value is OBTAIN, and the <rc> value is 4, the spill database in question might have been migrated. In that case, the spill database should be recalled
before processing continues.
User response
If a migrated data set is not the problem, contact IBM Software Support.

AUIZ050E Specified Log Stream 'xxx.xxx.xxx' does not exist
Explanation
The z/OS log stream name that was specified in the LOG_STREAM_DLIO or LOG_STREAM_DLIB AUICONFG DD input stream does not exist.
System action
The agent address space terminates.
User response
Correct the log stream name that you provided, or customize and run the AUILSTRx Log Stream definition jobs that are located in the SAUISAMP product data set.
AUIZ051E Problem encountered while validating log-stream-name. Function: request:

CONNECT, RC = xx, RSN = zzzz.
Explanation
There was a failed attempt to validate the z/OSÂ® System Logger Log-Stream, through the use of an IXGCONN call.
System action
User response
Determine the cause of the failure by examining the return and reason codes for the IXGCONN macro. These can be found in the manual, IBMÂ® MVSâ„¢ Programming:
Authorized Assembler Services References.
AUIZ052E Abend occurred while validating <log stream>. Abend code = <code>, RSN=
<reason>.
Explanation
The Log Stream <log stream> validation failed with abend code <code> and reason code <reason>.
User response
AUIZ053E Logging subsystem failed to initialize successfully.
Explanation
This error can occur for several reasons. It is preceded by the specific occurrence that caused the logging subsystem to fail during initialization.
User response
Review previously issued error messages to determine the cause of the logging failure.
AUIZ054E The Batch DLI log Stream and Online DLI log stream names must be different.
Explanation
The log stream name specified for LOG_STREAM_DLIO and LOG_STREAM_DLIB must be different.
User response
Specify different log streams for batch and online in the agent configuration.
AUIZ055E Shared memory segment ID <shm-id> is not available for use.

Explanation
The shared memory segment ID <shm-id> that is specified in the configuration file is not available, or is used by another task.
User response
Check the available <shm-id> and update the confugration files. Contact IBMÂ® Software Support if <shm-id> is set correctly.
AUIZ056E Shared memory segment ID segment_id is owned by agent agent_name and cannot
be attached.
Explanation
The shared memory segment that was identified by the <id> parameter within the address-space-manager-config section of the agent configuration file is already used by
the specified agent, agent_name.
System action
The agent terminates because it is unable to use the shared memory segment.
User response
To avoid a collision with other agents running on the LPAR, change or include the <id> value in the address-space-manager_config section of the agent configuration file.
AUIZ057E A configuration syntax error was detected at line <number>; expected "<token1>",
found "<token2>".
Explanation
An invalid value was found in the AUICONFG file and the indicated line.
System action
User response
Review Configuring the IBM Security Guardium S-TAP for IMS on z/OS agent for information about permissible configuration values. Correct the syntax error and restart
the agent.
AUIZ058I Collection profile <profile-name> updated successfully.
Explanation
The active collection profile <profile-name> has been updated during policy installation.
User response
AUIZ059E Configuration parameter <option> value <value> is invalid: the first character must
be alphabetic.
Explanation
The configuration parameter <option> contains an invalid value.
User response
Review the valid values for the <option> and correct the configuration file.
AUIZ060E The master address space did not respond within 60 seconds.

Explanation
The IBMÂ® GuardiumÂ® S-TAPÂ® for IMS agent did not send the policy report to the Memory Management Utility (AUIUSTC) task within 60 seconds of establishing the
connection.
System action
The AUIUSTC task terminates with RC=12.
User response
AUIZ061I AUIHOST file has been detected.
Explanation
The AUIHOST DD statement has been detected in the JCL.
System action
The IP address for participating LPARs are resolved by the information contained in this file and described by message AUIxxxI.
User response
If this was not intended, remove the DD statement.
AUIZ062I AUIHOST file LPAR name/DNS name overrides in use:

CVTS_LPAR_NAME(DNS_NAME)
Explanation
The AUIHOST DD has provided an override for the host named.
System action
The DNS_NAME is the value that is used to perform the gethostbyname call in order to obtain the relevant IP address.
User response
Verify that the supplied LPAR_NAME and DNS_NAME values are correct.
AUIZ063E AUIHOST file format is invalid. RECFM must be FB; LRECL must be 80.
Explanation
The file format that was provided by using the AUIHOST DD is incorrect.
System action
The address space terminates.
User response
Verify that the supplied file is a Fixed Block (FB) sequential file, has a logical record length (LRECL) of 80 bytes, and is a either a sequential file or a member of a
Partitioned Data Set (PDS or PDS/E). Correct the error and restart the address space.
AUIZ064E AUIHOST file contains invalid syntax <line number and string>
Explanation
The AUIHOST file supplied contains a record with invalid syntax.
System action
The address space terminates.
User response

Review the Overriding the TCP/IP DNS resolver table topic to verify the required syntax. Correct the record and restart the address space.
AUIZ065W IMS STAP <name> TCP/IP streaming disabled due to user settings.
Explanation
Simulation mode is on because the STAP_STREAM_EVENTS parameter has been set to N.
System action
Events will not be streamed to the GuardiumÂ® system.
User response
To stream events to the Guardium system, set the STAP_STREAM_EVENTS parameter to Y.
AUIZ066E Configuration parameter "DLIFREQ" value value is invalid: expected 10K-999K, 1M-
10M.
Explanation
In the AUICONFG file, the DLIFREQ parameter value is outside of the permitted range. Valid values for the DLIFREQ parameter are 10K -- 999K, or 1M -- 10M.
System action
The AUIAxxx task terminates.
User response
Correct the DLIFREQ parameter value.
AUIZ067W Configuration parameter <parameter> value <wrong value> is not valid. <Value>
will be used instead.
Explanation
Configuration parameter is not valid: <parameter> should match <value>.
User response
Change the parameter to correspond to the requirements.
IBM Security Guardium S-TAP for Data Sets on z/OS

These topics describe how to use IBM Security Guardium S-TAP for Data Sets on z/OS V10.1.3 (also referred to as IBM Guardium S-TAP for Data Sets). The V10.1.3 S-TAP
is optimized for the V10.1 Guardium system. IBM Guardium S-TAP for Data Sets collects and correlates data access information from a variety of resources to produce a
About these topics
This information is designed to help database administrators, system programmers, and application programmers perform these tasks:
Plan for the installation of IBM Guardium S-TAP for Data Sets
Install and operate IBM Guardium S-TAP for Data Sets
Configure the IBM Guardium S-TAP for Data Sets environment
Diagnose and recover from IBM Guardium S-TAP for Data Sets problems
A PDF of this User's Guide is also available here.
IBM Security Guardium S-TAP for Data Sets on z/OS overview

IBM Security Guardium S-TAP for Data Sets on z/OS (also referred to as IBM Guardium S-TAP for Data Sets) collects and correlates data access information from
System Management Facilities (SMF) records and realtime system events to produce a comprehensive view of data set access activity for auditors.
Installation requirements for IBM Guardium S-TAP for Data Sets V10.1.3
Review the software and authorization prerequisites for installing IBM Guardium S-TAP for Data Sets V10.1.3.
Configuring the IBM Guardium S-TAP for Data Sets agent
You must configure the IBM Guardium S-TAP for Data Sets agent.
IBM Guardium S-TAP for Data Sets administration
You must configure the Guardium system to communicate with the IBM Guardium S-TAP for Data Sets agent.

This section provides IBM Guardium S-TAP for Data Sets reference information.
Troubleshooting
Use these topics to diagnose and correct problems that you might experience with IBM Guardium S-TAP for Data Sets.
IBM Security Guardium S-TAP for Data Sets on z/OS overview

IBM Security Guardium S-TAP for Data Sets on z/OS (also referred to as IBM Guardium S-TAP for Data Sets) collects and correlates data access information from System
Management Facilities (SMF) records and realtime system events to produce a comprehensive view of data set access activity for auditors.
IBM Guardium S-TAP for Data Sets enables you to collect many different types of information, including:
Access to VSAM and non-VSAM data sets and security violations that are recorded by SMF.
Data set operations that are performed against VSAM data sets, such as delete or rename events, recorded by SMF.
Access to specific records within VSAM data sets, including key-sequenced data sets (KSDS) or relative record data sets (RRDS), captured as they occur.
Transaction information that is associated with a VSAM KSDS or RRDS logical record operation, performed within a transaction that runs on the Customer
Information Control System (CICS) Transaction Server.
Access to read and update events for a particular VSAM cluster (consisting of one or more physical data sets) for actions performed on the data set as a whole, or
actions performed at the individual level for records within the data set.
What's new in IBM Guardium S-TAP for Data Sets V10.1.3?

Speed and monitoring enhancements are now provided in V10.1.3.
IBM Guardium S-TAP for Data Sets components
IBM Guardium S-TAP for Data Sets consists of its data collection agent and the Security Guardium system. The IBM Guardium S-TAP for Data Sets agent collects
data set access information that is obtained from the SMF record exit interface, as well as record access information that is obtained from individual I/O requests.
The Guardium system is a server-based component that provides the product user interface.
Parent topic: IBM Security Guardium S-TAP for Data Sets on z/OS
What's new in IBM Guardium S-TAP for Data Sets V10.1.3?

Speed and monitoring enhancements are now provided in V10.1.3.
Enhanced reporting of partitioned data sets (PDS) and extended partitioned data sets (PDSE) member activity
IBM Guardium S-TAP for Data Sets can now report on the following types of activity:
Member Adds
Member Replaces
Member Renames
Member Deletes
STOW Initialization (PDSE directory clearing)
New Simulation option

Enabling Simulation mode enables you to assess the impact of data collection processing without streaming data to the Guardium appliance.
Increased CICS transaction server support
IBM Guardium S-TAP for Data Sets supports collection of:
CICS Transaction Server 5.3 to capture Record Level Monitoring (RLM) data
8-character CICS local unit of work (with CICS Transaction Server 4.2 and later, until end of service)
Dynamic starting and stopping of RLM data collection with new IBM Guardium S-TAP for Data Sets SAMPLIB members
Ability to restrict reporting of sensitive data

When enabled, the FORCE_LOG_LIMITED parameter enables you to restrict Personally Identifiable Identification (PII) from being sent to the Guardium system.
Reporting of FTP activity
In addition to monitoring of JES2, JES3, ASCH, TSO, and STC address spaces, IBM Guardium S-TAP for Data Sets provides OMVS address space monitoring. This
enables reporting of FTP activity.
Reporting of FTP transmission of non-VSAM data sets
IBM Guardium S-TAP for Data Sets enables you to audit FTP transmission of non-VSAM data sets to and from monitored systems.
New filtering criteria for data set accesses
For VSAM and non-VSAM Data Sets Close events, you can filter by input-only, output-only, or both input and output events.
Support for Internet Protocol version 6 (IPV6)
PH16991 introduces IPV6 support and new subsystem configuration option, PREFER_IPV4_STACK.
Parent topic: IBM Security Guardium S-TAP for Data Sets on z/OS overview
IBM Guardium S-TAP for Data Sets components

IBM Guardium S-TAP for Data Sets consists of its data collection agent and the Security Guardium system. The IBM Guardium S-TAP for Data Sets agent collects data set
access information that is obtained from the SMF record exit interface, as well as record access information that is obtained from individual I/O requests. The Guardium
system is a server-based component that provides the product user interface.
Guardium system and S-TAP agent communication

Communication between the Guardium system and the agent uses a TCP/IP connection. The collection policies that you create, by using the Guardium system user
interface, tell the agent what types of data to collect. The policies specify filter information, such as which jobs and data sets to monitor for data accesses.
Guardium system

Use the Guardium system to gather and generate reports on information from multiple agents that are running on multiple z/OSÂ® systems. The Guardium system:
Provides the user interface, which processes your requests and displays the resulting information.
Enables you to create collection policies, which specify the types of data that are to be collected by the agent.
Agent
The agent collects data from a single z/OS system. Monitoring can be performed at both the data set and record level:
For data set level monitoring, data is collected directly from SMF records, as presented to various SMF exits with which the agent interfaces.
For record level monitoring, data is collected when VSAM records are read or written.
Parent topic: IBM Security Guardium S-TAP for Data Sets on z/OS overview
Installation requirements for IBM Guardium S-TAP for Data Sets V10.1.3
Review the software and authorization prerequisites for installing IBM Guardium S-TAP for Data Sets V10.1.3.
Software prerequisites
IBM Guardium S-TAP for Data Sets requires z/OS Version 2 Release 2 or later, until end of service.
User ID authority requirements
To install the product, you must have the necessary z/OS user ID authorities.
Software prerequisites
IBM Guardium S-TAP for Data Sets requires z/OSÂ® Version 2 Release 2 or later, until end of service.
Customer Information Control System (CICSÂ®) Transaction Server support requires IBM CICS Transaction Server for z/OS V4 Release 2 or later, until end of service.
Parent topic: Installation requirements for IBM Guardium S-TAP for Data Sets V10.1.3
User ID authority requirements

To install the product, you must have the necessary z/OSÂ® user ID authorities.
Your z/OS user ID must have the authority to:
Define the appropriate SMF record collection parameters in the SMFPRMxx PARMLIB member and APF authorize the load library for the product.
Update the appropriate procedure library to include the agent started task.
If you choose to enable CICS support, you must also have the authority to:
Update CICS parameters.

Add CICS program definitions.
Update or create CICS system initialization and termination program list tables for startup and shutdown.
If necessary, contact your system administrator to obtain the required authorities.

Parent topic: Installation requirements for IBM Guardium S-TAP for Data Sets V10.1.3
Configuring the IBM Guardium S-TAP for Data Sets agent

You must configure the IBM Guardium S-TAP for Data Sets agent.
To configure the product, complete the required steps.
Security: Review and establish the security requirements. You must set up access controls in your security product in order to create, authorize, or update the
various data sets that are necessary for product configuration.
Review the required resource authorizations information, including:
APF authorizing the load library
Authorizing the z/OS agent started task for the control data set
Defining an OMVS segment
Planning your configuration: Review the steps that are required to plan your configuration.
Job cards for the sample JCL in the sample library: Provide valid job cards.
Allocating auxiliary storage: Ensure that data will not be lost in the event of an overflow.
Configuring the SMFPRMxx parameter library member: Ensure a complete audit by configuring the SMFPRMxx parameter library to collect the required SMF record
types.
IAM and ACF2 collection considerations: Review information about capturing IAM data set activity and ACF2 access failures.
Creating the control data set: Generate the initial partitioned data set members.
Specifying subsystem options: Review the subsystem changes that you can make to the options member in the control data set.
Configuring the started task JCL: Determine the location of the started task control job language (JCL), and follow configuration steps and tips.
CICS Transaction Server support: Review the requirements for enabling the CICS Transaction Server, and follow the instructions for Configuring CICS Transaction
Server support.

Security
IBM Guardium S-TAP for Data Sets requires access to various z/OS data sets and system components. You must set up access controls in your security product in
order to create, authorize, or update the various data sets that are necessary for product configuration.
Planning your configuration
Use this planning list to determine necessary information before continuing. Then, provide a valid job card, and allocate auxiliary storage if necessary, as described
in the following sections.
Configuring the SMFPRMxx parameter library member
To ensure a complete audit, you must configure the active SMFPRMxx member of the z/OS system PARMLIB to collect the required SMF record types needed by
IBM Guardium S-TAP for Data Sets.
IAM and ACF2 collection considerations
IBM Guardium S-TAP for Data Sets can capture IAM data set activity and ACF2 access failures. Learn how to enable IBM Guardium S-TAP for Data Sets to collect
this information, and be aware of the following collection considerations. These products implement the collection of SMF data in a nonstandard way and require
special consideration.
Creating the control data set
Complete these steps to create the control data set and generate the initial partitioned data set (PDS) members. These members contain required information, and
must be added to the newly created data set for the agent to work correctly.
Specifying subsystem options
To configure IBM Guardium S-TAP for Data Sets, you must specify a four-character IBM Guardium S-TAP for Data Sets subsystem ID (SUBSYS) to associate with this
particular instance of IBM Guardium S-TAP for Data Sets. The SUBSYS identifies the IBM Guardium S-TAP for Data Sets subsystem in messages that are generated
by the product.
Configuring the started task JCL
You must configure the started task JCL statements with values that provide the system with information that is specific to your environment. Follow these steps to
configure the started task JCL.
CICS Transaction Server support
IBM Guardium S-TAP for Data Sets CICS Transaction Server support enables you to filter and capture CICS transaction information.
Configuring CICS signon reporting
IBM Guardium S-TAP for Data Sets can identify the CICS signon that was used for a specific file access event. Configure the product to enable the agent to send the
CICS signon information to the Guardium system.
Starting the product
Start IBM Guardium S-TAP for Data Sets before starting products that perform similar functions.
The following sample library members are included for your use in installing and configuring IBM Guardium S-TAP for Data Sets. The following table lists them by
type and description.
Verifying the installation
After you install and configure the IBM Guardium S-TAP for Data Sets agent, verify that the agent is properly installed. Use the JCL that is provided in the AUVJIVP
member of the SAUVSAMP sample library.
Security
IBM Guardium S-TAP for Data Sets requires access to various z/OSÂ® data sets and system components. You must set up access controls in your security product in order
to create, authorize, or update the various data sets that are necessary for product configuration.
To provide IBM Guardium S-TAP for Data Sets with access to the necessary z/OS data sets and system components, you must APF authorize the load library, authorize the
z/OS started task for the control data set, and define an OMVS segment to your security product, as described in the following sections.
Security products can include various software tools that are currently available, such as IBM Resource Access Control Facility (RACFÂ®), Computer Associates
International Top Secret, and Computer Associates International Access Control Facility (ACF2).

IBM Guardium S-TAP for Data Sets requires certain data sets to be accessible and APF authorized on the system on which the agent started task will run. SMF data
will be collected by the agent.
The z/OS agent started task must be authorized to read and update the control data set. The control data set is a partitioned data set that contains various
members that define options and operating parameters for the product. IBM Guardium S-TAP for Data Sets uses a control data set that is defined in the agent
started task.
You must define an OMVS segment to your security product to make use of TCP/IP connectivity and UNIX System Services. An OMVS segment specifies the user ID
to be used, the home directory, and the shell program name.
Parent topic: Configuring the IBM Guardium S-TAP for Data Sets agent

IBM Guardium S-TAP for Data Sets requires certain data sets to be accessible and APF authorized on the system on which the agent started task will run. SMF data will be
collected by the agent.
The product data set SAUVLOAD, which contains the product load modules that are required for operation, must be APF authorized on the system on which IBM Guardium
S-TAP for Data Sets will be run.
Refer to the z/OS MVS Programming Authorized Assembler Services Guide for guidelines and instructions for using APF.
Parent topic: Security

The z/OSÂ® agent started task must be authorized to read and update the control data set. The control data set is a partitioned data set that contains various members
that define options and operating parameters for the product. IBM Guardium S-TAP for Data Sets uses a control data set that is defined in the agent started task.
Refer to your security product documentation for more information on authorizing the agent started task.

You must define an OMVS segment to your security product to make use of TCP/IP connectivity and UNIX System Services. An OMVS segment specifies the user ID to be
used, the home directory, and the shell program name.
If you are using IBM RACF, refer to z/OS UNIX System Services Planning for guidelines and instructions about OMVS segment definitions. If you are using a security
product other than RACF, refer to your productâ€™s instructions on how to define an OMVS segment.
Planning your configuration

Use this planning list to determine necessary information before continuing. Then, provide a valid job card, and allocate auxiliary storage if necessary, as described in the
following sections.
Before configuration, you must determine:
The user who will configure the product

The user ID that will be used to run the agent
Where the Guardium system and the S-TAP agent will run
Job cards for the sample JCL in the sample library

Some JCL members that are included with the product sample library, SAUVSAMP, have a sample card for the job card. Provide a valid job card that conforms to the
JCL standards of your site before submitting any of the JCL members.
Allocating auxiliary storage
z/OS auxiliary storage consists of DASD space that is allocated to the local page data sets. It is used as temporary backup storage for programs and data located in
virtual and physical memory. IBM Guardium S-TAP for Data Sets can allocate auxiliary storage space if the OUTAGE_SPILLAREA_SIZE parameter is set in
accordance with the following requirements.
Job cards for the sample JCL in the sample library

Some JCL members that are included with the product sample library, SAUVSAMP, have a sample card for the job card. Provide a valid job card that conforms to the JCL
standards of your site before submitting any of the JCL members.
Parent topic: Planning your configuration
Allocating auxiliary storage

z/OS auxiliary storage consists of DASD space that is allocated to the local page data sets. It is used as temporary backup storage for programs and data located in virtual
and physical memory. IBM Guardium S-TAP for Data Sets can allocate auxiliary storage space if the OUTAGE_SPILLAREA_SIZE parameter is set in accordance with the
following requirements.
The OUTAGE_SPILLAREA_SIZE parameter option instructs the address space to allocate a data space equal in size to the value that you set for
OUTAGE_SPILLAREA_SIZE.
Verify that the current local page space can accommodate a new data space.
Example
Specifying OUTAGE_SPILLAREA_SIZE=64 instructs the address space to allocate 64 MB of data space.
Refer to the z/OSÂ® MVSâ„¢ Initialization and Tuning guide for more information about sizing local page data sets.
Parent topic: Planning your configuration
Configuring the SMFPRMxx parameter library member

To ensure a complete audit, you must configure the active SMFPRMxx member of the z/OSÂ® system PARMLIB to collect the required SMF record types needed by IBM
Guardium S-TAP for Data Sets.
The record types can be collected at the subsystem or system level. Maximum auditing of VSAM and non-VSAM data set activity can be achieved by ensuring that all
defined subsystems record all of the SMF record types that are required by the product.
The defaults used at the system level for those subsystems that are not explicitly defined should also specify collection of the required SMF record types. The required
SMF record types are 14, 15, 17, 18, 30, 42, 60, 61, 62, 64, 65, 66, and 80. If any required SMF record types are not defined for collection, message AUV1450W alerts you
to define them.
If the appropriate exit is not defined for the operating system level, SMF records will not be collected. Specify the SMF exits as follows:
For z/OS Version 2 Release 2 and earlier, specify the IEFU83, IEFU84, and IEFU85 SMF exits.
For z/OS Version 2 Release 3 and later, specify the IEFU86 SMF exit.

These exits can be defined at either the subsystem or system level in a manner consistent with the SMF record type specifications.
For more information about setting up and managing SMF, refer to the z/OS MVSâ„¢ System Management Facility (SMF) manual.
Related reference
SMF record types and contexts
IAM and ACF2 collection considerations

IBM Guardium S-TAP for Data Sets can capture IAM data set activity and ACF2 access failures. Learn how to enable IBM Guardium S-TAP for Data Sets to collect this
information, and be aware of the following collection considerations. These products implement the collection of SMF data in a nonstandard way and require special
consideration.
Innovation Access Method (IAM) from Innovation Data Processing provides capabilities beyond standard VSAM. IAM replaces VSAM access with a proprietary non-VSAM
access that simulates VSAM. Because the underlying data sets are non-VSAM, accesses to the IAM-simulated VSAM data sets do not generate VSAM SMF records, such as
the SMF type 62 (VSAM OPEN) and SMF type 64 (VSAM CLOSE).
For IAM data sets, IBM Guardium S-TAP for Data Sets does not report the following items:
Context records for OPEN and UPDATE for IAM data sets (because of the lack of the SMF type 62 records).
IAM simulation of alternate index and path processing (because of the lack of an IAM SMF CLOSE record).
The CLOSE record counters will report IAM data sets differently from native VSAM processing. Although the IAM CLOSE SMF record offers an extensive array of counters,
those corresponding to the VSAM SMF Type 64 record are included in the accumulated counts within the CLOSE context record.
Computer Associates International ACF2 considerations

Unlike some security products, ACF2 does not offer a unique authorization failure code to identify a CONTROL access failure. Instead, it reports these as UPDATE access
failures. In ACF2 facilities, no CONTROL context records will be reported.
Enabling Innovations Data Processing IAM reporting

IAM provides a unique, user-specified record ID, which is written during CLOSE processing. For IBM Guardium S-TAP for Data Sets to report this access:
Enabling Computer Associates International ACF2 reporting
Access Control Facility (ACF2) from Computer Associates International records access failures to a unique, user-specified record ID. For IBM Guardium S-TAP for
Data Sets to report these failures:
Enabling Innovations Data Processing IAM reporting

IAM provides a unique, user-specified record ID, which is written during CLOSE processing. For IBM Guardium S-TAP for Data Sets to report this access:
Procedure
1. Determine the user-specified SMF record ID that was selected for IAM.
2. Specify that value in the IBM Guardium S-TAP for Data Sets control data set IAM_SMF_RECORD_ID option.
Parent topic: IAM and ACF2 collection considerations
Enabling Computer Associates International ACF2 reporting

Access Control Facility (ACF2) from Computer Associates International records access failures to a unique, user-specified record ID. For IBM Guardium S-TAP for Data
Sets to report these failures:
Procedure
1. Determine the user-specified SMF record ID that was selected for ACF2.
2. Specify that value in the IBM Guardium S-TAP for Data Sets control data set ACF_SMF_RECORD_ID option.
Parent topic: IAM and ACF2 collection considerations
Creating the control data set

Complete these steps to create the control data set and generate the initial partitioned data set (PDS) members. These members contain required information, and must
be added to the newly created data set for the agent to work correctly.
Before you begin

Refer to the high-level qualifier that you specified when configuring the started task JCL. The same high-level qualifier must be used in step 1 of the control data set
creation procedure.
About this task

The options and definitions that determine how IBM Guardium S-TAP for Data Sets performs processing in your environment are contained in the control data set.

Procedure
1. The JCL to create the control data set is located in the AUVJCNTL member of the SAUVSAMP library. Configure the AUVJCNTL member by replacing AUV.V10R1M3
with the high-level qualifier of the installed IBM Guardium S-TAP for Data Sets load library.
2. Submit the JCL to create the control data set.
The JCL creates the control data set and populates the data set with these initial members: subsystem options (OPTIONS) and policy rule definition members
(RULEDEFS and RULEDEFB).
Important:
Do not modify the contents of the RULEDEFS or RULEDEFB member.
Do not modify the value of the default INITIAL_RULEDEF option in the RULEDEFS or RULEDEFB members.
3. Specify the APPLIANCE_SERVER and AUDIT parameters in the OPTIONS member to enable the product to function properly.
4. Optional: Consider whether allocating the control data set as an extended partitioned data set (PDSE) is appropriate for your environment.
A PDSE dynamically manages internal space, drastically reducing the need to perform the space compressions that are required for a nonextended partitioned data
set (PDS). The AUVJCNTL member includes statements that can be used to change the allocation to a PDSE.
Specifying subsystem options

To configure IBM Guardium S-TAP for Data Sets, you must specify a four-character IBM Guardium S-TAP for Data Sets subsystem ID (SUBSYS) to associate with this
particular instance of IBM Guardium S-TAP for Data Sets. The SUBSYS identifies the IBM Guardium S-TAP for Data Sets subsystem in messages that are generated by the
product.
How to use subsystem options

Use either the keyword=value or keyword(value) format to specify values for these option members.
Option members and descriptions

The IBM Guardium S-TAP for Data Sets subsystem options are in the OPTIONS member of the IBM Guardium S-TAP for Data Sets control data set that is generated by the
AUVJCNTL member JCL. These options are the global definitions and general operation options that determine where and how IBM Guardium S-TAP for Data Sets
performs its functions.
To specify IBM Guardium S-TAP for Data Sets subsystem options, modify the contents of the OPTIONS member as described.
ACF_SMF_RECORD_ID
If you are using Access Control Facility (ACF2) from Computer Associates International, you must provide product-specific information for your SMF data to be
processed. ACF2 records access failures to a unique record ID. Determine the user-specified SMF record ID that is selected for ACF2 and specify that ID in the IBM
Guardium S-TAP for Data Sets CONTROL data set ACF_SMF_RECORD_ID option if you want the product to report these failures.
ACF2 writes SMF access failure data to a user-defined SMF record ID. Specify a numeric value that identifies the SMF record identification number used by ACF2.
For ACF2 installations, contact your ACF2 administrator to determine the appropriate numeric value to include with this parameter.
Note:
For z/OS Version 2 Release 3 and later, valid values are 128 â€“ 1151.
For z/OS Version 2 Release 2 and earlier, valid values are 128 â€“ 255.
There is no product default value, however, the SAMPLIB member AUVSOPTS includes a default specification of 230.
APPLIANCE_CONNECT_RETRY_COUNT
Specify a numeric value that defines the number of times to retry communicating with the Guardium system when an error is encountered during initialization. If
the communication is still not successful after the number of retries as specified by this value has been completed, the communication is abandoned and no data is
sent. The process also terminates if the number of retries specified is reached with no successful connection.
Valid values are 0 -- 65535. The default value is 20.
Specify a numeric value that defines the number of seconds that must transpire before a timeout is recognized.
Valid values are 0 -- 65535. The default value, in seconds, is 0.
APPLIANCE_PING_RATE
Specify a numeric value that defines the number of seconds between pings to the Guardium system. The ping signals the Guardium system that the S-TAP is active
and available for communications.
APPLIANCE_PORT
Specify a numeric value that defines the TCP/IP port number for communication with the Guardium system by IBM Guardium S-TAP for Data Sets. Use port 16022
for the V10.1.3 system protocol.
The default value is 16022.
If port 16023 is used, encryption support is required for the connection to the appliance.
Note: Specifying this keyword and parameter designates the port on which the Guardium appliance is listening to the S-TAP. The port is dedicated to the IP address
of the appliance. Port 16022 or 16023 can also be in use on z/OSÂ® by another application.
Valid values are 16022 and 16023.
APPLIANCE_RETRY_INTERVAL
Specify a numeric value that defines the number of seconds between retries when an error is encountered during an initial attempt to connect to the Guardium
system.
APPLIANCE_SERVER
Specify the TCP/IP address for the Guardium system with which IBM Guardium S-TAP for Data Sets is to communicate. In multistream processing scenarios, this
address specifies the first Guardium appliance that is to be used.
The address can be specified as a host name (security.guardiumvsam.net) or as four numbers separated by periods (for example, 188.128.6.42).
Maximum length is 53 characters. There is no default.
APPLIANCE_SERVER_[1-5]
Specify alternative TCP/IP addresses to use for failover recovery processing and multistream Guardium appliance destinations. Up to five alternative TCP/IP
addresses are supported.

To specify one or more entries, include this parameter with a numeric suffix from 1 - 5. Provide a unique TCP/IP address for each entry.
The option syntax is as follows:
APPPLIANCE_SERVER_1=addr
or
APPPLIANCE_SERVER_1(addr)
where 1 can be 1, 2, 3, 4, or 5.
Valid values are any valid TCP/IP address. There are no default values. If initialization does not detect this parameter, it does not activate the failover process.
Both the APPLIANCE_SERVER_[1-5] and APPLIANCE _SERVER_FAILOVER_[1-5] parameters can be used to designate servers for multistreaming or failover. Use
the APPLIANCE_SERVER_LIST parameter to designate how these parameters are used.
Maximum length is 51 characters.
APPLIANCE_SERVER_FAILOVER_[1-5]
Specify alternative TCP/IP addresses to use for failover and recovery processing. The product supports up to five alternative TCP/IP addresses. To specify one or
more entries, include this parameter with a numeric suffix from 1 - 5, each time providing a unique TCP/IP address.
The option syntax is as follows:
APPPLIANCE_SERVER_FAILOVER_1=addr
or
APPPLIANCE_SERVER_FAILOVER_1(addr)
where 1 can be 1, 2, 3, 4, or 5.
Valid values are any valid TCP/IP address. There are no default values. If initialization does not detect this parameter, it does not activate the failover process.
Both the APPLIANCE _SERVER_FAILOVER_[1-5] and APPLIANCE_SERVER_[1-5] parameters can be used to designate servers for multistreaming or failover. Use
the APPLIANCE_SERVER_LIST parameter to designate how these parameters are used.
Maximum length is 42 characters.
APPLIANCE_SERVER_LIST(MULTI_STREAM|FAILOVER|HOT_FAILOVER)
Set APPLIANCE_SERVER_LIST to MULTI_STREAM for a Guardium appliance connection to be established for each server that is identified by the
APPLIANCE_SERVER_n or APPLIANCE_SERVER_FAILOVER_n parameters.
Set APPLIANCE_SERVER_LIST to FAILOVER for one Guardium appliance connection to be active at a time.
available server is identified by the APPLIANCE_SERVER_n or APPLIANCE_SERVER_FAILOVER_n parameter.
Set APPLIANCE_SERVER_LIST to HOT_FAILOVER to keep each connected Guardium appliance active via pings. If the primary Guardium appliance (which is set by
the APPLIANCE_SERVER parameter) becomes unavailable and failover occurs, HOT_FAILOVER maintains the activity of the primary appliance policy.
With all settings of APPLIANCE_SERVER_LIST, if all connections fail, and a spill file is specified (parameter OUTAGE_SPILLAREA_SIZE), events are buffered to the
spill file until a connection becomes available. If no spill file is specified, and all connections are lost, data loss occurs.
The default is FAILOVER.
AUDIT
Specify a character string from one through 26 characters that defines the name of this IBM Guardium S-TAP for Data Sets agent.
There is no default.
CICS_SUPPORT
Enabling CICSÂ® Transaction Server support activates additional reporting of CICS-specific information on record level events, including:
CICS File ID
CICS Function Code
CICS Program ID
CICS Region ID
CICS Terminal ID
CICS Transaction ID
CICS User ID
CICS Logical Unit of Work
Enable or disable CICS support by specifying ENABLE or DISABLE.

The default is DISABLE.
If you enable CICS support, you must also configure CICS for record level monitoring events to be captured for CICS. For more information about CICS support, see
CICS Transaction Server support.
FORCE_LOG_LIMITED
Record level monitoring enables you to monitor VSAM file access based on key values. The VSAM key can contain Personally Identifying Information, such as
account number, last name, or Social Security number. When the FORCE_LOG_LIMITED option is enabled, IBM Guardium S-TAP for Data Sets does not monitor any
record level data. If the file is being monitored by a policy, then only file access is reported; monitoring and reporting of access to specific keys is suppressed.
Specify Y to prevent Personally Identifiable Identification (PII) data from being sent to the Guardium system. Data that is sent as part of Record Level Monitoring
and CICS is considered PII. This data will not be sent to the Guardium system if FORCE_LOG_LIMITED(Y) is specified.
The default is N.
IAM_SMF_RECORD_ID
If you are using Innovation Access Method (IAM) from Innovation Data Processing, you must provide product-specific information for your SMF data to be
processed. IAM provides a unique user-specified record ID, which it writes during CLOSE processing. For IBM Guardium S-TAP for Data Sets to report this access,
determine the user SMF record ID for IAM, and specify that value in the IBM Guardium S-TAP for Data Sets control data set IAM_SMF_RECORD_ID option.
IAM writes SMF statistical data to a user-defined SMF record ID. Specify a numeric value that identifies the SMF record identification number used by IAM.
For IAM installations, consult your IAM administrator to determine the appropriate numeric value to include with this parameter.
Note:

For z/OS Version 2 Release 3 and later, valid values are 128 â€“ 1151.
For z/OS Version 2 Release 2 and earlier, valid values are 128 â€“ 255.
There is no product default value; however, the SAMPLIB member AUVSOPTS includes a default specification of 201.
INTERNAL_BUFFER_SIZE
Specify the size of the internal buffer used.
To improve performance, data is stored in an internal buffer that is sent when the buffer is full or during a ping request. If the buffer reaches the
INTERNAL_BUFFER_SIZE, data is sent without waiting for the next ping request.
Specifying an INTERNAL_BUFFER_SIZE value that is too large for your environment can cause connection problems that are due to timing out while trying to send a
large amount of data. Specifying too small a value might cause unnecessary I/O requests.
Tip: Performance varies based on system load, network load, and the load on the Guardium system, so the correct value for your environment cannot be
predetermined. Begin with the default value, and make minor, incremental adjustments to improve performance, if necessary.
Valid values are 0 -- 2047 megabytes. The default is 8.
INITIAL_RULEDEF
You must not change this subsystem option unless IBM Software Support instructs you to do so. If instructed to modify this subsystem option, specify the name of
the rule definitions member to use at startup. The default rule definitions member name is RULEDEFS.
MEGABUFFER_COUNT
Specify the number of IBM Guardium S-TAP for Data Sets audit events that are buffered, prior to the product attempting a TCP/IP send operation.
The megabuffer is flushed when either of two conditions is met:
At regular intervals, based on the APPLIANCE_PING_RATE

When the number of audit events that are held in the megabuffer reaches the count that is specified by this parameter
When MULTI_STREAM mode is enabled by parameter APPLIANCE_SERVER_LIST, and a megabuffer flush occurs, the audit event data stream is switched to the
next available Guardium appliance. The event data stream will switch from appliance to appliance in a round-robin sequence as each megabuffer is sent.
Valid values are 1 -- 8192. The default is 200.
OUTAGE_SPILLAREA_SIZE
Specify the size of the spill file to be used when a connection cannot be made.
If the product includes a spill file, and no secondary APPLIANCE_SERVER_FAILOVER address is specified, or none of the secondary
APPLIANCE_SERVER_FAILOVER addresses respond, it writes to the spill file. The spill file is meant for short-term outages only, because when a connection is
restored to any Guardium system, it clears the spill file content before continuing to send data.
Valid values are 0 -- 1024 megabytes. If a valid value is not specified, a spill file is not created.
PREFER_IPV4_STACK
Specify the request for an IPV4 address to be issued from the Domain Name Server (DNS). The default value is N.
Y causes a request to be issued to the DNS for an IPV4 address for the hostname that is specified in the APPLIANCE_SERVER parameter:
The DNS lookup request for an IPV4 address is attempted. If an IPV4 address is defined for the hostname, the DNS will respond with the value that
will be used to connect to the Guardium appliance.
If only an IPV6 address is defined at the DNS, then the DNS will respond with the IPV6 address that will be used to connect to the Guardium
appliance.
If both IPV4 and IPV6 addresses are defined at the Guardium appliance, the DNS will respond with both addresses, and the IPV4 address will be used
to connect to the appliance.
N or omitting this option from configuration causes a request for an IPV6 address to be issued to the DNS for the hostname that is specified by the
APPLIANCE_SERVER parameter.
The DNS lookup request for an IPV6 address is attempted. If an IPV6 address is defined for the hostname, the DNS will respond with the value that
will be used to connect to the Guardium appliance.
If only an IPV4 address is defined at the DNS, then the DNS will respond with the IPV6 address that will be used to connect to the Guardium
appliance.
If both IPV4 and IPV6 addresses are defined at the Guardium appliance, the DNS will respond with both addresses, and the IPV4 address will be used
to connect to the appliance.
Note: Whether or not this option is specified, if the address returned from the DNS is not valid for the hostname, it will result in failure to connect to the appliance,
and the IBM Guardium S-TAP for Data Sets started task will terminate.
RLM
Specify the initial status of RLM processing by setting the RLM parameter to either ENABLE or DISABLE. ENABLE enables record level monitoring. DISABLE disables
record level monitoring.
The default value is ENABLE.
SOCKET_CONNECT_TIMEOUT
Specify the length of time for socket connection attempts before failure or timeout.
Setting this value too low results in connection failures when the Guardium system is slow to respond. Setting this value too high causes problems in failover
scenarios.
Tip: Performance varies based on system load, network load, and the load on the Guardium system, so the correct value for your environment cannot be
predetermined. Begin with the default value, and make minor, incremental adjustments to improve performance, if necessary.
STAP_STREAM_EVENTS
Specify the initial streaming status by setting the STAP_STREAM_EVENTS parameter to either Y or N.
Y indicates that the IBM Guardium S-TAP for Data Sets agent address space will send data to the server in a manner that is consistent with the active policy.
N indicates that the agent address space will not send data to the server. It will perform all data collection processing in a manner that is consistent with the
active policy. The agent address space will issue message AUV1070I at startup: TCP/IP STREAMING DISABLED DUE TO USER SETTING. See Simulation
mode for more information.
The default value is Y.

SUBSYS
Choose any four-character alphanumerical subsystem ID to identify this particular instance of IBM Guardium S-TAP for Data Sets. For example, AUV1, AUV2, and so
on.
Choose a unique SSID for each agent.
The default subsystem ID is VTAP.
SUPPRESS_INCOMPLETE_EVENTS
Enables SMF records without identifying characteristics to either be suppressed or sent to the appliance. Specify the SMF event filtering preference for SMF records
with missing identifying characteristics, where:

N indicates that missing field values in SMF records should always pass policy rule filters.
Y indicates that missing field values should not pass the filters and the corresponding events should not be sent to the appliance.
The default value is N.

For more information, see SMF record identification considerations.
Configuring the started task JCL

You must configure the started task JCL statements with values that provide the system with information that is specific to your environment. Follow these steps to
configure the started task JCL.
About this task

The IBM Guardium S-TAP for Data Sets started task JCL is located in the AUVJSTC member of the IBM Guardium S-TAP for Data Sets sample library (SAUVSAMP).
Note: Do not start the started task until you finish configuring IBM Guardium S-TAP for Data Sets. Attempting to start the started task before completing configuration can
cause the started task to fail.
Procedure
1. Copy the IBM Guardium S-TAP for Data Sets started task JCL to your system PROCLIB from sample data set member AUVJSTC.
Tip: Name the IBM Guardium S-TAP for Data Sets started task member AUVSTAPV. This name is easily identifiable with the IBM Guardium S-TAP for Data Sets
product.
2. Verify that the statement: //AUVSTAPV PROC OPTSMBR=OPTIONS points to the default member name OPTIONS.
The default member name OPTIONS was created during creation of the control data set.
3. Configure the started task JCL that you copied to your system PROCLIB by replacing AUV.V10R1M3 with the high-level qualifier of the installed IBM Guardium S-
TAP for Data Sets load library.
Note: For operation of the product, policy activation, and correct processing of data, the following conditions must be met:
A DD statement with the DDNAME OPTIONS must be in the IBM Guardium S-TAP for Data Sets started task. This DD statement points to the subsystem
OPTIONS member of the IBM Guardium S-TAP for Data Sets control data set, which contains the global settings for the product. When the started task is
initiated, it references the data in the subsystem options member to establish global settings, including the subsystem identifier for this specific instance of
IBM Guardium S-TAP for Data Sets.
By default, the OPTIONS DD statement uses the same data set as the RULEDEFS and RULEDEFB DD statements. If necessary, you can specify a
different data set for the OPTIONS DD statement other than that which is used for the DD statements RULEDEFS and RULEDEFB. The OPTIONS
member must be present in the data set that is specified for the OPTIONS DD statement.
A DD statement with a DDNAME of CONTROL must be in the IBM Guardium S-TAP for Data Sets started task. For example: //CONTROL DD
DSN=AUV.V10R1M3.CONTROL,DISP=SHR. This DD statement points to the IBM Guardium S-TAP for Data Sets control data set that contains the collection
policy in the RULEDEFS member.
The two DD statements with the DDNAMES RULEDEFS and RULEDEFB must be present and must point to the same control data set name that was specified
in the CONTROL DD statement. The member names RULEDEFS and RULEDEFB must not be changed. If DDNAMES RULEDEFS and RULEDEFB are not
present, are changed, or do not point to the correct data set name, then the agent does not initiate correctly and is unable to collect data.
The high-level qualifier you specify for the control data set JCL when allocating the control data set must match the high-level qualifier you specify in the
started task JCL.
The started task must have the authority to read and update the control data set and load library.
4. After you configure the started task JCL, add it to the z/OSÂ® PROCLIB data set for started task initiation.
Note:
IBM Guardium S-TAP for Data Sets accommodates the use of multistream and improves support for large policies by providing a default started task JCL region size
of 96 megabytes. When multistream is enabled, a buffer is created for each appliance, based on the INTERNAL_BUFFER_SIZE value. (Valid values are 0 - 2047
megabytes. The default value is 8.) The default started task JCL region size of 96 megabytes can accommodate large policies by providing space for up to six
connected appliances with a default INTERNAL_BUFFER_SIZE of 8 megabytes and approximately 150,000 values in a policy.
You might need to increase the started task JCL region size if:
the value specified for INTERNAL_BUFFER_SIZE is greater than 8 megabytes
an installed policy contains more than 150,000 values
CICS Transaction Server support

IBM Guardium S-TAP for Data Sets CICSÂ® Transaction Server support enables you to filter and capture CICS transaction information.
IBM Guardium S-TAP for Data Sets must be running before CICS is started. If changes to a policy are made while a CICS file is open, the file must be closed and reopened
for RLM-related policy changes to take effect.
Verify that the agent is running and correctly configured, and the appropriate work area storage is available.
To capture data on files that are referenced within a transaction, the IBM Guardium S-TAP for Data Sets agent must be running and correctly configured to monitor
each system image on which data sets reside.
CICS support uses the XFCFROUT Global User Exit (GLUE).
The GLUE acquires an above-the-line work area from the extended CICS dynamic storage area (ECDSA) of approximately 1412 bytes for each active or suspended
transaction that performs at least one VSAM file operation. The work area is released at the end of the transaction.
Configuring CICS Transaction Server support

For CICS related information to be captured, you must configure CICS Transaction Server support.

Configuring CICS Transaction Server support
For CICSÂ® related information to be captured, you must configure CICS Transaction Server support.
About this task

If you configure CICS Transaction Server support, you can capture CICS transaction information that is associated with record level monitoring of logical record activities
that occur within a CICS transaction for KSDS and RRDS data sets. Remember to start IBM Guardium S-TAP for Data Sets before starting CICS. If changes to a policy are
made while a CICS file is open, the file must be closed and reopened for any RLM-related policy changes to take effect.
Procedure
1. Configure the CICS system options.
a. Specify the CICS_SUPPORT=ENABLE option, by using the subsystem options that are located in the OPTIONS member of the control data set.
2. Configure the CICS system initialization and system termination program list tables (PLTs), as shown in the example at the end of this topic.
a. Enter the program AUVPLTPI after the DFHDELIM PLT entry.
b. Enter the program AUVPLTPS before the DFHDELIM PLT entry.
c. After creating or modifying the CICS system initialization and system termination PLTs, you must assemble and link them. For more information about
creating a PLT, see the CICS Transaction Server for z/OSÂ® Resource Definition Guide.
3. Specify autoinstall in the CICS system initialization parameters to automatically install the AUVPLTPI, AUVPLTPS, and AUVFROUT programs.
If you do not specify autoinstall in the CICS system initialization parameters, you must define AUVPLTPI, AUVPLTPS, and AUVFROUT in the CICS system definition
file (CSD). To install the program definitions in batch, sample JCL has been provided in member AUVCSDUP of the IBM Guardium S-TAP for Data Sets SAUVSAMP
library that can be modified and used for the CICS program DFHCSDUP. Alternatively, the CICS CEDA Resource Definition Online transaction can also be used to
perform the install of the program definitions. See the CICS Transaction Server for z/OS Resource Definition Guide for more information about installing resource
definitions.
a. Define the following attributes:
LANGUAGE (ASSEMBLER)
STATUS (ENABLED)
CEDF (NO)
DATALOCATION (BELOW)
EXECKEY (CICS)
EXECUTIONSET (FULLAPI)
RELOAD (NO)
For the load modules to be located, the AUVPLTPI, AUVPLTPS, and AUVFROUT programs must be located in a load library located in the CICS DFHRPL
concatenation within the CICS startup JCL.
4. Optional: The CICS facilities that implement RLM support, outside of normal CICS PLT initialization, can be enabled and disabled. To do so, define CICS transactions
accordingly by using the batch CICS program DFHCSDUP or the CICS CEDA Resource Definition Online transaction.
To enable the CICS facilities that are used to implement CICS RLM support, the following attributes must be assigned to the transaction:
TRANSACTION (tran, where tran is your chosen transaction ID)

PROGRAM (AUVPLTPI)
TASKDATAKEY (CICS)
TASKDATALOC (ANY)
To disable the CICS facilities that are used to implement CICS RLM support, the following attributes must be assigned to the transaction:
TRANSACTION (tran, where tran is your chosen transaction ID)
PROGRAM (AUVPLTPS)
TASKDATAKEY (CICS)
TASKDATALOC (ANY)
5. Reference the program initialization and termination PLTs in parameters PLTPI and PLTPSD, as described in the topic, Using CICS system initialization parameters.
Results
If you have configured CICS support, message AUV3004I is displayed during CICS initialization to indicate that the Global User Exit AUVPLTPI XFCFROUT was installed
and enabled.
Example
Enter the program AUVPLTPI after the DFHDELIM PLT entry in the CICS system initialization PLT:
*
* CICS PROGRAM LIST TABLE FOR CICS SYSTEM INITIALIZATION
*
DFHPLT TYPE=INITIAL,SUFFIX=I1
*
* ENTRIES AHEAD OF DFHDELIM ARE EXECUTED IN FIRST PASS OF PLTPI
* DURING THE SECOND PHASE OF CICS SYSTEM INITIALIZATION
*
DFHPLT TYPE=ENTRY,PROGRAM=DFHDELIM
*
* ENTRIES AFTERF DFHDELIM ARE EXECUTED IN SECOND PASS OF PLTPI
* DURING THE THIRD PHASE OF CICS SYSTEM INITIALIZATION
*
DFHPLT TYPE=ENTRY,PROGRAM=AUVPLTPI
*
DFHPLT TYPE=FINAL
*
END
Enter the program AUVPLTS before the DFHDELIM PLT entry in the CICS system termination PLT:
*
* CICS PROGRAM LIST TABLE FOR CICS SYSTEM TERMINATION

*
DFHPLT TYPE=INITIAL,SUFFIX=T1
*
* ENTRIES AHEAD OF DFHDELIM ARE EXECUTED IN FIRST PASS OF PLTPSD
* DURING THE FIRST PHASE OF CICS SYSTEM TERMINATION
*
DFHPLT TYPE=ENTRY,PROGRAM=AUVPLTPS
*
DFHPLT TYPE=ENTRY,PROGRAM=DFHDELIM
*
* ENTRIES AFTERF DFHDELIM ARE EXECUTED IN SECOND PASS OF PLTSD
* DURING THE SECOND PHASE OF CICS SYSTEM TERMINATION
*
*
DFHPLT TYPE=FINAL
*
END
Using CICS system initialization parameters

If you created program initialization and termination program list tables to use with IBM Guardium S-TAP for Data Sets, they must be referenced in the CICS system
initialization parameters PLTPI and PLTSD.
Parent topic: CICS Transaction Server support
Using CICS system initialization parameters

If you created program initialization and termination program list tables to use with IBM Guardium S-TAP for Data Sets, they must be referenced in the CICSÂ® system
initialization parameters PLTPI and PLTSD.
The suffix of the table that was created as the program initialization PLT must be referenced in the PLTPI parameter.
The suffix of the table that was created as the program termination PLT must be referenced in the PLTSD parameter.
Here is a sample set of system initialization parameters that specifies the PLTPI and PLTSD suffixes:
AICONS=YES,
XRF=NO,
AUXTR=OFF,
AUXTRSW=NO,
APPLID=CICSSYSA,
FCT=NO,
...
PLTPI=I1,
PLTSD=T1,
...
SYSIDNT=SYSA
Parent topic: Configuring CICS Transaction Server support
Configuring CICS signon reporting

IBM Guardium S-TAP for Data Sets can identify the CICSÂ® signon that was used for a specific file access event. Configure the product to enable the agent to send the
CICS signon information to the Guardium system.
About this task

Remember: CICS signon records do not indicate a security failure. They are an indication that the identified user successfully accessed the named file or data set.
By default, IBM Guardium S-TAP for Data Sets reports only the CICS address SAF user ID for data set level events and failed security violations. However, for RACFÂ®
environments, both CICS and RACF can be configured for the S-TAP agent to report all of the following:
the CICS signon

the file or data set name that was accessed
the access context (ALTER, CONTROL, UPDATE, or READ)
Note:
Implementation of this facility requires changes to both CICS and RACF. After implementation, the resulting change to SMF type 80 processing results in the
SMF80USR field containing the CICS signon for specific file accesses. Consult your CICS and RACF security administrator when considering the implementation of
this facility.
This facility does not report the data set activity, only the security level for the requested access event.
The following steps are also documented in the RACF Security Guide. For more information, see the CICS Transaction Server for z/OSÂ® RACF Security Guide.
To implement security for files managed by the CICS file control:
Procedure
1. Specify RESSEC(YES) in the CSD resource definition of the transactions that access the files.
2. Using the CICS file names for identification, define the profiles to RACF in the FCICSFCT or HCICSFCT resource classes, or their equivalent if you have a user-
defined resource class names.
a. For example, use the following commands to define files in the FCICSFCT class, and authorize users to read from or write to the files:
RDEFINE FCICSFCT (file1, file2, .., filen)

UACC(NONE) NOTIFY(sys_admin_userid)
PERMIT file1 CLASS(FCICSFCT)
ID(group1, group2) ACCESS(UPDATE)

PERMIT file2 CLASS(FCICSFCT)
ID(group1, group2) ACCESS(READ)
3. To define files as members of a profile in the CICS file resource group class with an appropriate access list, use the following commands:
RDEFINE HCICSFCT (file_groupname)

UACC(NONE) ADDMEM(filea, fileb, .., filez)
NOTIFY(sys_admin_userid)
PERMIT file_groupname
CLASS(HCICSFCT)
ID(group_userid) ACCESS(UPDATE)
4. Specify SEC=YES as a CICS system initialization parameter, or SECPRFX if you define profiles with a prefix.
5. Specify XFCT=YES for the default resource class names of FCICSFCT and HCICSFCT, or XFCT=class_name for user-defined resource class names.
Results
RACF SMF type 80 records contain the CICS user signon in the SMF80USR field. The data is reported to the Guardium system records User ID field.
Starting the product

Start IBM Guardium S-TAP for Data Sets before starting products that perform similar functions.
Product initialization errors might occur if other products, which are known to intercept processing at the point of open, close, or record management functions for VSAM
data sets, are started before IBM Guardium S-TAP for Data Sets. Message AUV1196E will warn you of a product initialization order conflict.
If you receive this error at startup:
1. Shut down IBM Guardium S-TAP for Data Sets and any similar products, including the previous version of this product
2. Close any data sets that are open under IBM Guardium S-TAP for Data Sets.
3. Start IBM Guardium S-TAP for Data Sets before starting similar products. IBM Guardium S-TAP for Data Sets must be running before CICS is started.
Starting and stopping the agent started task

Follow these steps to start and stop the IBM Guardium S-TAP for Data Sets agent started task.
Starting and stopping the agent started task

Follow these steps to start and stop the IBM Guardium S-TAP for Data Sets agent started task.
1. Start the agent started task by issuing the START command from the operator console, for example: START AUVSTAPV
2. Stop the agent started task by issuing the STOP command from the operator console, for example: STOP AUVSTAPV
You can configure the agent started task to start automatically during the z/OSÂ® initial program load (IPL). To set automatic startup, add the appropriate command to the
COMMNDxx member in SYS1.PARMLIB, or contact your system administrator.
Parent topic: Starting the product

The following sample library members are included for your use in installing and configuring IBM Guardium S-TAP for Data Sets. The following table lists them by type and
description.
Table 1. Sample library members, types, and descriptions

AUVCSDUP JCL Sample JCL to create CICS resource definition lists, groups, and program definitions with the CICS DFHCSDUP utility.
AUVJCNTL JCL Sample JCL to allocate and initially populate the control data set.
AUVJIVP JCL Sample JCL to verify installation.
AUVJSTC JCL Sample PROC to start the IBM Guardium S-TAP for Data Sets agent address space.
AUVSOPTS Data Initial data used to populate the control data set OPTIONS member.
AUVSRDEF Data Initial data used to populate the control data set RULEDEFS and RULEDEFB members.
Verifying the installation

After you install and configure the IBMÂ® GuardiumÂ® S-TAPÂ® for Data Sets agent, verify that the agent is properly installed. Use the JCL that is provided in the AUVJIVP
member of the SAUVSAMP sample library.
Before you begin

Before you begin, complete all required tasks for Configuring the IBM Guardium S-TAP for Data Sets agent.
Procedure
1. You must install a policy on the IBM Guardium system with the characteristics listed below. Remember to replace <HLQ> with a valid high-level qualifier.

Job Name.....: AUVJIVP
Data Set Name: <HLQ>.AUVIVP.%%
DB Type......: DATA SET COLLECTION PROFILE
Data Set Type: ALL
Data Set Event: ALL
Actions......: z/OS AUDIT
Note: To see specific records on the IBM Guardium system, you might need to install a policy on the appliance in the first position that specifies Actions: LOG FULL
DETAILS WITH VALUES.
2. Create a query on the IBM Guardium system that will report the events received from IBM Guardium S-TAP for Data Sets. Query characteristics are as follows:
Domain........: Access
Main Entity...: FULL SQL
Recommended Fields: IMS/DATA SET Event time
IMS/DATA SET Job Name
IMS/DATA SET Step Name
IMS/DATA SET Program Name
IMS/DATA SET Previous DSN
IMS/DATA SET Set Type
IMS/DATA SET Context
3. Start the IBM Guardium S-TAP for Data Sets started task.
4. Verify that the required SMF record types are enabled. Message AUV1450W in the Data Sets agent JESMSGLG log will alert you if any SMF record types are not
defined.
5. Verify that the IBM Guardium S-TAP for Data Sets agent is connected to the intended appliance. Message AUV2182I in the Data Sets agent JESMSGLG log indicates
a successful connection between the agent and the appliance.
6. Make the following modifications to the installation verification JCL in SAUVSAMP member AUVJIVP:
a. Add a valid job card.
b. Replace all occurrences of <HLQ> with the same high-level qualifier that was used in the policy as described in Step 1.
7. Submit the modified JCL in SAUVSAMP member AUVJIVP.
Results
Verify that the following data sets contexts appear on the appliance:
Table 1. Data set contexts for installation verification
Step Description Data set contexts
GENDATA Generate input data for subsequent job steps None
VSAM Define, load, rename and delete ESDS, KSDS, and RRDS data sets DATA SET ALTER
DATA SET CLOSE
DATA SET CREATE
DATA SET DELETE
DATA SET OPEN
DATA SET RENAME
DATA SET UPDATE

PDS Create a PDS and write to a new PDS member DATA SET CLOSE
DATA SET CREATE
Member Add
PDSCOPY Copy a PDS member to another PDS member DATA SET CLOSE
Member Add
PDSREPL Copy over an existing PDS member DATA SET CLOSE
Member Replace
PDSTEST Rename a PDS member, create an alias, delete all PDS members, rename the PDS, and delete the PDS DATA SET CLOSE
DATA SET DELETE
DATA SET RENAME
Member Add
Member Delete
Member Rename
STOW Initialize
IBM Guardium S-TAP for Data Sets administration

You must configure the Guardium system to communicate with the IBM Guardium S-TAP for Data Sets agent.
Communicating with the Guardium system

The Guardium system and the S-TAP for Data Sets agent need to communicate policy rules and collected data by using a TCP/IP connection. For the IBM Guardium
S-TAP for Data Sets to communicate with the Guardium system, the following conditions must be met:

Communicating with the IBM Guardium S-TAP for Data Sets started task
IBM Guardium S-TAP for Data Sets operator commands enable authorized users to perform selected operations. Several types of operator commands can be used
to display the status of IBM Guardium S-TAP for Data Sets, to enable and disable certain functions, and to dynamically alter processing without stopping or
quiescing the product.
Data collection
IBM Guardium S-TAP for Data Sets collects data from multiple sources. This section describes the data collection process, as well as filtering stages and their
performance impacts.
Record level and SMF data set monitoring options
You can reduce z/OS CPU and storage usage by setting options for Record level and SMF data set monitoring.
Policy pushdown
Policy pushdown is a method of controlling the data that is collected by the IBM Guardium S-TAP for Data Sets agent. Policy pushdown enables the agent to
evaluate the filtering criteria that you specified.
Data set collection filtering parameters
Use the following filtering parameters to collect data set event data.
CICS collection filtering parameters
Use the following filtering parameters to collect transaction data from CICSÂ®.
Communicating with the Guardium system

The Guardium system and the S-TAP for Data Sets agent need to communicate policy rules and collected data by using a TCP/IP connection. For the IBM Guardium S-TAP
for Data Sets to communicate with the Guardium system, the following conditions must be met:
The IBM Guardium S-TAP for Data Sets TCP/IP connection must be configured.
At least one agent per z/OSÂ® image must be specified. When you are configuring an agent instance:
Specify the host name or IP address on which the Guardium system is running. This value is specified by the APPLIANCE_SERVER element in the agent
configuration file. The complete name of this CONTROL member is OPTIONS.
When the agent is started, it uses the specified configuration information to connect to the Guardium system.

When the HOT_FAILOVER feature is enabled by the APPLIANCE_SERVER_LIST parameter, each connected Guardium appliance is kept active via pings.
Parent topic: IBM Guardium S-TAP for Data Sets administration

IBM Guardium S-TAP for Data Sets sends events to a single appliance until a ping occurs, or the number of records that is specified by MEGABUFFER_COUNT is reached.
To enable multistreaming, you must specify MULTI_STREAM when you configure the APPLIANCE_SERVER_LIST parameter in the OPTIONS member of the CONTROL data
set. Parameters APPLIANCE_SERVER and APPLIANCE_SERVER_[1-5] specify the appliances to which you intend to stream events. The appliance that is specified by
APPLIANCE_SERVER provides the policy that is used for event matching.
For more information about OPTIONS member parameters, see Specifying subsystem options.
Parent topic: Communicating with the Guardium system

When the HOT_FAILOVER feature is enabled by the APPLIANCE_SERVER_LIST parameter, each connected Guardium appliance is kept active via pings.
Parent topic: Communicating with the Guardium system
Communicating with the IBM Guardium S-TAP for Data Sets started task
IBM Guardium S-TAP for Data Sets operator commands enable authorized users to perform selected operations. Several types of operator commands can be used to
display the status of IBM Guardium S-TAP for Data Sets, to enable and disable certain functions, and to dynamically alter processing without stopping or quiescing the
product.
IBM Guardium S-TAP for Data Sets started task commands

If you are an authorized user, you can enter commands to display the status of IBM Guardium S-TAP for Data Sets enable and disable certain functions, and
dynamically alter processing without shutting down or quiescing the system.
IBM Guardium S-TAP for Data Sets started task commands

If you are an authorized user, you can enter commands to display the status of IBM Guardium S-TAP for Data Sets enable and disable certain functions, and dynamically
alter processing without shutting down or quiescing the system.
Commands
Enter operator commands from an MVSâ„¢ operator console, or by using a facility that issues MVS commands, such as SDSF.
The command format is MODIFYstcname, where stcname is the name of the started task, followed by the DISPLAY command.
For example, for record level monitoring, you can enter: MODIFYstcname,DISPLAY RLM. You can also use the shorthand for MODIFY, which is F to enter
Fstcname,DISPLAY RLM.
The following table summarizes the commands for displaying monitoring status and for enabling or disabling monitoring:
Table 1. Started task commands and descriptions

Command Description
DISPLAY Indicates whether record level monitoring is enabled or disabled
RLM
DISPLAY Indicates whether SMF monitoring is enabled or disabled
SMFM
ENABLE Enables record level monitoring
RLM
DISABLE Disables record level monitoring
RLM
ENABLE Enables SMF monitoring
SMFM
DISABLE Disables SMF monitoring
SMFM
DISPLAY Indicates whether audit records are being sent to the appliance
STREAM
DIAG Displays diagnostic information about the agent. Also displays the counters, which record the number of SMF-based and RLM-based audit records that are
created as well as the number of audit records that are sent to the appliance.
Parent topic: Communicating with the IBM Guardium S-TAP for Data Sets started task
Data collection
IBM Guardium S-TAP for Data Sets collects data from multiple sources. This section describes the data collection process, as well as filtering stages and their
performance impacts.
Record level and SMF event monitoring

Event information is gathered at run time through record level and SMF event monitoring. For both record level and SMF event monitoring, the filtering options you specify
can minimize overhead, and control the performance of the data collection and reporting phases of processing. IBM Guardium S-TAP for Data Sets uses the filtering
criteria you define to dynamically tune its processing path for optimal performance.
With few exceptions, you can use the same filtering criteria for both record level and SMF event monitoring.
Specify the minimal filtering criteria necessary for your policy. Filtering only on the data you require minimizes:
Data collection overhead
Event processing
Event reporting
CPU time
Memory usage
Record level monitoring creates the potential for the collection and reporting of large amounts of data. When constructing a policy and specifying filtering criteria,
carefully consider the potential amount of data to be collected and processed.
In the user interface, you can specify lists of elements for some filters, and use generic characters (wildcards) to create more flexibility in your filtering criteria.
Generic characters act as placeholders in the specification of a character-based operand, representative of one or more valid characters for the entity on which an
operation is performed.
The use of generic characters can reduce the total number of policy rules required, but an overly inclusive set of selected entities can ultimately reduce efficiency.
Excessive use of generic characters can increase the scope of selectivity during the qualification of records for processing, and dramatically reduce efficiency and
increase overhead.
SMF event monitoring can be controlled at a higher level through the specifications in the SMFPRMxx z/OSÂ® system PARMLIB member.
Note:
Record level monitoring support for a data set is detected, filtered, and activated at OPEN time. Files that are open at the time of an initial or updated policy
activation will not be intercepted for RLM processing unless the application permits closing and reopening the file. This is of particular importance for CICS, which
typically opens files at initialization or at first-use of a file. If a policy is updated after a CICS file has already been opened, it must be closed and reopened to be
eligible for RLM processing.
Record level monitoring enables you to monitor VSAM file access based on key values. The VSAM key can contain Personally Identifying Information, such as
account number, last name, or Social Security number. When the FORCE_LOG_LIMITED option is enabled, IBM Guardium S-TAP for Data Sets does not monitor any
record level data. If the file is being monitored by a policy, then only file access is reported; monitoring and reporting of access to specific keys is suppressed.
Filtering stages
Both record level and SMF event monitoring are performed in stages. If a collected event does not pass the lowest filtering stage (0), further processing of that event is not
performed. Otherwise, the event is reevaluated during the next stage of filter processing, and IBM Guardium S-TAP for Data Sets determines whether the event should be
auditing and reporting.

Stage 0 filtering
Stage 0 filtering should only be used by advanced users. An understanding of each SMF record type is required.
Stage 0 filtering can be performed for SMF event monitoring only. Only SMF events being recorded by SMF can be monitored for processing.
SMF record types to be monitored must be defined in the SMFPRMxx z/OS System Initialization PARMLIB member. If one or more SMF record types to be monitored
are not specified, data collection cannot be performed. See the SMF record types collected by IBM Guardium S-TAP for Data Sets section of this user's guide for
details on the record types and the associated data collected with each record type.
Stage 1 filtering
Stage 1 filtering can be performed with both record level and SMF event monitoring.
Filter out as much data as possible to achieve the best possible performance.
The filtering criteria specified in the policy associated with this level of filtering include:
Data set name

Data set type
DD name
Job name
Job type
Program name
Security system user ID
Security system group ID
SMF system ID
Subsystem ID
Sysplex name
VSAM record organization*
*VSAM record organization is only available as a filtering criterion for record level monitoring. Only key-sequenced data set (KSDS) and relative record data set
(RRDS) organizations are supported.
Some of the possible filtering criteria for Stage 1 filtering include a wider scope of data than others. For example, a user ID can require a much larger subset of data
for processing than a data set name requires. You can define the minimum amount of data to be monitored, collected, and reported on by including or excluding
selection criteria, creating lists of elements, and specifying relational operators for most criteria.
Stage 1 filtering for record level monitoring: For record level monitoring, Stage 1 filtering occurs at OPEN time for KSDS and RRDS VSAM data sets.
Stage 1 filtering for SMF event monitoring: For SMF event monitoring, Stage 1 filtering occurs in the IBM Guardium S-TAP for Data Sets address space
immediately after a monitored SMF record type is obtained by the collector, located at the SMF User Exit collection point.
Stage 2 filtering
Stage 2 filtering for record level and SMF event monitoring applies to the following event types:
Data set open

Data set close
Data set create
Data set alter
Data set update
Data set delete
Data set rename
Data set SAF alter
Data set SAF control
Data set SAF define
Data set SAF read
Data set SAF update
Member add
Member replace
Member rename
Member delete
STOW initialize
Default or specified event types are collected and passed on to the Guardium system.
Stage 2 filtering for record level monitoring can be based on the type of logical record access as well as one or more values for the key of the VSAM data set. The
types of record level access that can filtered on in Stage 2 are:
Record insert
Record delete
Record update
Record read
You can use a key value or list of key values, as well as a key range or list of key ranges, to further limit the amount and scope of data collected. The key data can be
specified in normal printable characters or in hexadecimal by using the EBCDIC character set.
For key values, you can use generic characters in the specification of the keys. Only those records that pass Stage 2 filtering are collected and passed on to the
Guardium system.
If CICSÂ® support is enabled, you can filter the record level monitoring event data that is captured within a CICS transaction. CICS transaction data can be filtered
by:
CICS user ID
CICS transaction ID
CICS program ID
CICS file ID
CICS region ID
CICS terminal ID
CICS function code
Stage 3 filtering
Stage 3 filtering is performed by IBM Guardium S-TAP for Data Sets based on Stage 2 filtering criteria that you define. During policy pushdown and activation, an
analysis of the policy filtering criteria is performed. This analysis enables prefiltering processing determinations that can be performed across the product. Stage 3
prefiltering can be very efficient in eliminating certain types of data collection, and ultimately reducing the path length through the product to provide optimal
processing performance.

Examples:
Record level monitoring: If no record level monitoring event types are specified in the policy, Stage 2 filtering is eliminated, which reduces overhead
significantly.
SMF event monitoring: The exclusion of certain SMF event monitoring types from your filtering criteria allows IBM Guardium S-TAP for Data Sets to bypass
collection very early in the SMF User Exit data collection, and eliminates all downstream processing for that SMF record type.
Exclusions
IBM Guardium S-TAP for Data Sets does not collect information on the following types of activities:
On IBM Db2Â® subsystems

Activity within address spaces whose STC names have the following endings:
MSTR (example: QA1XMSTR)

DIST (example: QA1XDIST)
IRLM (example: QA1XIRLM)
DBM1 (example: QA1XDBM1)
On IBM IMS subsystems

Accesses performed by the following program names:
DFSMVRC0
CQSINIT0
HWSHWS00
IRTRRC00
DFSRRC00
DFSUARC0
DSPCINT0
DSPURI00
SMF record identification considerations

In certain cases, such as when an SMF record is generated before the issuing job is run, SMF records can have zeros in the fields that the agent uses for record
identification. When this happens, the agent is unable to find a RULEDEFS match for the record by using this field or any dependent fields. To avoid data loss, the agent still
sends these records to the appliance even if the policy rule is set to filter out those fields. If one or more identifying fields are empty, you can use the Guardium appliance
to highlight them, for example, by marking them with a specific color. The data set audit fields that can be affected by this consideration are:
Job name
Job number
Program name
DD name
User ID
Group ID
Job type
Step name
Step number
To optionally suppress incomplete events from being sent to the appliance, use the SUPPRESS_INCOMPLETE_EVENTS parameter as described in Specifying subsystem
options.
Record level and SMF data set monitoring options

You can reduce z/OSÂ® CPU and storage usage by setting options for Record level and SMF data set monitoring.
Record level monitoring performance

During record level monitoring, data is collected when VSAM records are read or written. Record level monitoring can affect performance, TCP/IP traffic, and system load.
Record level monitoring intercepts VSAM accesses at the record level, so excessive monitoring of logical record requests can result in large volumes of data being
transferred to the Guardium system from the TCP/IP telecommunications link, along with a corresponding increase in CPU and storage use within z/OS. Even in a
moderately-sized installation that uses VSAM files, hundreds of millions, if not billions, of logical record requests can be made to VSAM daily. Attempting to monitor and
report on all VSAM requests can result in huge volumes of data that can increase system load on z/OS and data traffic on communication links.
To provide flexibility in controlling the impact of record level monitoring, policy options can be used to limit the scope of monitoring. Carefully consider these options with
the goal of limiting record level monitoring to the logical record requests in specific data sets that must be monitored in your environment.
Record level monitoring filter options

You can use the record level monitoring to filter based on:
Data set name

Data set type
Job name
Job type
Program name
Security system user ID
Security system group ID
SMF system ID
Subsystem ID

Sysplex name
VSAM record organization
DD name
If CICSÂ® support is enabled you can also filter based on:
CICS user ID
CICS transaction ID
CICS program ID
CICS file ID
CICS region ID
CICS terminal ID
CICS function code
You can also limit the monitoring of records to particular keys or key ranges:
VSAM KSDS and RRDS data sets

For KSDS data sets, the key used is defined when the data set is created through an IDCAMS DEFINE.
For RRDS data sets, the key is a relative record number within the data set.
For individual keys, a list of keys is permitted with which a comparison operator can be used. In situations where the key contains unprintable characters, you can
define the keys or key ranges by using hexadecimal notation.
Limit the monitoring of record level requests by the type of logical requests, including:
Record read events

Update write events
Insertions
Deletions
Remember: Each monitored record that matches the various policy filters results in the processing, creation, and transmission of a record monitoring data element to the
Guardium system. Use the Guardium system interface to establish as restrictive a set of policy filters as possible. IBM Guardium S-TAP for Data Sets dynamically tunes
and minimizes processing based on the filtering criteria chosen. Effectively chosen filters allows for maximum efficiency of record level monitoring processing.
Activating record level monitoring

You must define a policy that includes rules that specify one or more of the record level request filters (reads, update writes, insertions, or deletions) in order to activate
record level monitoring.
If a policy does not contain any of these filters, no additional overhead occurs at the logical record request level.
If a particular policy rule contains one or more of these filters, only the specific data set defined in the rule (or data sets associated with other policy filters defined
in the rule) incurs any additional monitoring overhead.
Record level monitoring is only valid for use with VSAM data sets (KSDS and RRDS only).
SMF data set monitoring performance and filtering

Use filtering criteria to limit the amount of VSAM data set monitoring to only particular events. By using policy filters, SMF data set monitoring performance is enhanced by
reducing CPU usage, storage usage, and TCP/IP traffic to the Guardium system.
Filter down to each specific VSAM data set event with the following filters:
Data Set Open

Data Set Update
Data Set Close
Data Set Close (input-only)
Data Set Close (output-only)
Data Set Delete
Data Set Rename
Data Set Create
Data Set Alter
Data Set SAF Alter
Data Set SAF Update
Data Set SAF Read
Data Set SAF Define
Data Set SAF Control
Filter down to each specific non-VSAM data set event with the following filters:
Data Set Close

Data Set Close (input-only)
Data Set Close (output-only)
Data Set Delete
Data Set Rename
Data Set Create
Data Set SAF Alter
Data Set SAF Update
Data Set SAF Read
Data Set SAF Define
Data Set SAF Control
Member Add
Member Delete
Member Rename
Member Replace

STOW Initialize
You can achieve optimal record level monitoring and SMF data set monitoring performance when you create and use a policy that defines only those events that are
required by your organization.
Policy pushdown
Policy pushdown is a method of controlling the data that is collected by the IBM Guardium S-TAP for Data Sets agent. Policy pushdown enables the agent to evaluate the
filtering criteria that you specified.
Evaluating a match
When the product is searching for a match for the filtering criteria that you have specified, an evaluation is performed through each data set level. Access rules are used
for processing a data set, when the filtering criteria of the following access types match the data:
Job name
Program
Data set name
Data set type
DD name
User ID
Group ID
SYSPLEX
SSID
SYS ID
RECORG*
Job type
*RECORG is valid only for the processing of VSAM record level monitoring.
The following values are not used to evaluate for a match on an access rule. They are used as subfiltering criteria after a match on a data set is found:
Key
Key range
Data set event
RLM event
CICSÂ® user ID
CICS transaction ID
CICS program ID
CICS file ID
CICS region ID
CICS terminal ID
CICS function code
Multiple values are allowed in an access rule, as shown in the following example with two access rules:
Access Rule 1
Rule Type = INCLUDE
Job Name = JOBA
Key = "111111"
RLM Event = ALL
Access Rule 2
Rule Type = INCLUDE
Job Name = JOBA
Key = "222222"
RLM Event = ALL
When a match is found on Access Rule 1 for job JOBA, no further scanning of the Access Rules occurs. The keyword Key is not used as part of the Access Rule match. To
filter on keys "111111" and "222222" for a job that is named JOBA, code the Access Rules as follows:
Access Rule 1
Rule Type = INCLUDE
Job Name = JOBA
Key = "111111","222222"
RLM Event = ALL
This rule searches for a match on the job name JOBA. If a match on JOBA is found, the RLM Event and Key values are matched.
Data set collection filtering parameters

Use the following filtering parameters to collect data set event data.
All the fields are optional and most have a default behavior as described. All fields apply to both VSAM and non-VSAM monitoring, unless otherwise specified.
Rule Type
Indicates whether this rule indicates inclusion or exclusion for events that match the criteria.
Allowed values are: INCLUDE|EXCLUDE: Include collects events that satisfy the specified criteria; exclude does not collect those events. If nothing is specified, then
INCLUDE is used.

Job Type
Indicates the type of jobs that should be considered for a match.
If nothing is specified, all types are collected. You can specify the following values, separated by a comma (,): JOB|STC|TSU|APPC|OMVS, where:
JOB
Jobs
STC
Started Task
TSU
Time Sharing User
APPC
Advanced Program-To-Program Communication
OMVS
Open MVS access to non-VSAM data sets, particularly that performed by FTP
SYS ID
Indicates the SMF System IDs to use when searching for a match.
1 - 4 character SMF System ID to match.
Can be optionally followed by a comma (,) and a relational operator. If no relational operator is provided, then EQ is assumed.
Valid wildcards are supported at any position. They are:
Percent sign (%) for zero or more characters

Question mark (?) for a single character match
If left blank, then all SMF System IDs are considered a match.
Examples:
SS01
Matches events that occur on SS01
SS01,EQ
Matches that occur on SS01
SS%,EQ
Matches that occur on systems with SS as the first 2 characters in the SMF system ID
RECORG
Indicates the record organization type to match.
Applies only to VSAM record level monitoring collection.
Can contain zero or more of the following values, separated by a comma (,): KSDS|RRDS, where:
KSDS
Key-sequenced data set
RRDS
Relative record data set
If left blank, all record organization types for record level monitoring are considered a match.
Examples:
KSDS
Matches key-sequenced data set events
KSDS,RRDS
Matches key-sequenced data set, and relative record data set events
User ID
Indicates the user ID to use when searching for a match.
1 - 8 character user ID to match.
Can be optionally followed by a comma (,) and a relational operator. If no relational operator is provided, then EQ is assumed.
Wildcards are supported.
If left blank, then activities for all user IDs are considered a match.
Examples:
PDUSER01
Matches events that are caused by user PDUSER01
PDUSER01,EQ
Matches events that are caused by user PDUSER01
PDUSER%,EQ
Matches events that are caused by users with the prefix PDUSER
SSID
Indicates the AUV ID to use when searching for a match.
1 - 4 character AUV ID optionally followed by a comma (,) and a relational operator. If no relational operator is provided EQ is assumed.
If left blank, activities for all SSID are considered a match.
Examples:
AUV1
Matches events from systems with AUV ID of AUV1
AUV1,EQ
Matches events from systems with AUV ID of AUV1
AUV%,EQ
Matches events from systems with AUV ID prefix of AUV
SYSPLEX
Indicates the z/OS sysplex name to use when searching for a match.

The specific 1 - 8 character z/OS sysplex name, optionally followed by a comma (,) and a relational operator. If no relational operator is provided, EQ is assumed.
If left blank, then activities for all SYSPLEX are considered a match.
Examples:
SYSPLEX1
Matches events from systems on SYSPLEX1
SYSPLEX1,EQ
Matches events from systems on SYSPLEX1
SYSPLEX%,EQ
Matches events from systems on a plex beginning with SYSPLEX
Program
Indicates the program name to use when searching for a match.
1 - 8 character program name, optionally followed by a comma (,) and a relational operator. If no relational operator is provided, EQ is assumed.
If left blank, activities from all programs are considered a match.
Examples:
IDCAMS
Matches events that are accessed from IDCAMS
IDCAMS,EQ
Matches events that are accessed from IDCAMS
IDCAM%,EQ
Matches events that are accessed from programs beginning with IDCAM
Group ID
Indicates the group ID to use when searching for a match.
1 - 8 character representing the security system group ID optionally followed by a comma (,) and a relational operator. If no relational operator is provided EQ is
assumed.
If left blank, then activities from all groups are considered a match.
Examples:
GROUP1
Matches events that are caused by someone within GROUP1
GROUP1,EQ
Matches events that are caused by someone within GROUP1
GROUP%,EQ
Matches events that are caused by someone within a group ID beginning with GROUP
Data Set Name

Indicates the data set name to use when searching for a match.
1 - 44 character that represents the data set name for which activity is collected, optionally followed by the comma character (,) and a relational operator. If no
relational operator is provided, EQ is assumed.
If left blank, all data set names are considered a match.
Examples:
HLQ1.MLQ1.LLQ1
Matches events on HLQ1.MLQ1.LLQ1
HLQ1.MLQ1.LLQ1,EQ
Matches events on HLQ1.MLQ1.LLQ1
HLQ%.MLQ%.LLQ%.EQ
Matches events with the data set name mask HLQ%.MLQ%.LLQ%
%.%%,EQ
Matches all data sets with more than one qualifier
%,EQ
Matches all data sets with one qualifier
DD Name
Indicates the DD name to use when searching for a match.
1 - 8 character DD name, optionally followed by a comma (,) and a relational operator. If no relational operator is provided, EQ is assumed.
If left blank, activities for all DD names are considered a match.
Examples:
PAYFILE
Matches events that are accessed by DD name PAYFILE
PAYFILE,EQ
Matches events that are accessed by DD name PAYFILE
PAYFIL%,EQ
Matches events that are accessed by DD names beginning with PAYFIL
Job Name
Indicates the job name to use when searching for a match.
1 - 8 character name representing the job for which activity must be collected, optionally followed by a comma (,) and a relational operator. If no relational operator
is provided, EQ is assumed.
If left blank, then activities from all jobs are considered a match.
Examples:

AUVJOB01
Matches events that result from a job name AUVJOB01
AUVJOB01,EQ
Matches events that result from a job name AUVJOB01
AUVJOB%,EQ
Matches events that result from any job beginning with AUVJOB
Key
Indicates the keys to consider when searching for a match.
Only applies to VSAM record level monitoring collection.
One or more keys in plain text or hexadecimal format, representing the key for which to match event data during record level monitoring processing.
Multiple keys must be delimited by a comma (,) optionally followed by the comma character (,) and a relational operator. If no relational operator is provided, EQ is
assumed.
Plain text keys can be 1 - 255 characters long.
Hexadecimal keys can be 2 - 510 characters long and must always have an even number of characters.
An individual key must be surrounded in double quotation marks ('"').
If the key is in hexadecimal format, it must be prefixed with x' and suffixed with a single quotation mark ('). It must be placed inside double quotation marks, for
example: "x'F0F0F1'"
A backslash (\) can precede any character to escape the character. For example:
"\x'0123'"
Matches the plain text key "x'0123'" instead of a hexadecimal key. Both types can be supplied together.
Wildcards are supported. If a wildcard is supplied with a hexadecimal key, the wildcard must be in hexadecimal (6C for '%', 6E for '?').
If a provided key is greater than the actual length of the VSAM key, the key will be truncated. If the key provided is shorter than the VSAM key, it will be padded with
hex zeroes.
If the Key and Key Range fields are blank, activities for all keys are considered a match.
Examples:
"KEY01"
Matches record level monitoring events with a key of KEY01
"KEY01","KEY02"
Matches record level monitoring events with a key of KEY01 or KEY02
"x'F0F0'"
Matches record level monitoring events with a key that contains the hexadecimal value F0F0
"x'F0F0'","x'F0F1'"
Matches record level monitoring events with a key that contains the hexadecimal value of F0F0 or F0F1
"KEY01","x'F0F1'"
Matches record level monitoring events with a key of KEY01 or a key with the hexadecimal value of F0F1
"KEY0%"
Matches record level monitoring events with a key beginning with KEY0.
"x'F06C'â€
Matches record level monitoring events with a key with a hexadecimal value beginning with F0
"\x'F06C'â€
Matches record level monitoring events with a key of x'F06C'
Key Range
Indicates the range of keys to consider when searching for a match.
A pair of keys in plain text, or a pair of keys in hexadecimal, representing the range to match for record level monitoring. This must be specified as <key1>,<key2>.
A pair of keys must both be in plain text, or both be in hexadecimal. Each plain text key in a plain text key pair can be 1 - 255 characters long. Each hexadecimal key
in a hexadecimal key pair can be 2 - 510 characters long and must have an even number of characters.
If the keys are in hexadecimal, they must begin with x' and end with a single quotation mark ('). All keys must be enclosed in double quotation marks.
A backslash (\) can precede any characters to escape the character.
There must be an even number of keys in this field.
All key pairs must have the smaller key in the first value and the larger key in the second value; otherwise the key pairs will be rejected.
Wildcards are not supported in this field.
If the provided key is greater than the actual length of the VSAM key, the provided key will be truncated. If the key provided is shorter than the VSAM key, it will be
padded with hex zeroes.
If the Key Range and Key fields are blank, activities for all keys are considered a match.
Examples:
"KEY01","KEY09â€
Matches record level monitoring events where the key is between KEY01 and KEY09
"KEY01","KEY09","KEY11","KEY19â€
Matches record level monitoring events where the key is between KEY01 and KEY09 or between KEY11 and KEY19
"x'F0F0'","x'F0F9'â€
Matches record level monitoring events where the key has a hexadecimal value between F0F0 and F0F9
"x'F0F0'","x'F0F9'","x'F1F0'","x'F1F9'"
Matches record level monitoring events where the key has a hexadecimal value between F0F0 and F0F9 or between F1F0 and F1F9
"\x'F0F0'","\x'F0F9'â€
Matches record level monitoring events where the key is between x'F0F0' and x'F0F9'
RLM Event
Indicates what type of record level monitoring events should be considered for a match.
Must contain zero or more of the following values, separated by a comma (,): RINS|RDEL|RWRT|RGET|ALL|SKIP, where:
RINS
A record insert within a data set of a supported type
RDEL
A record delete within a data set of a supported type
RWRT
A record level update within a record of a supported type

RGET
A record level that is read within a data set of a supported type
ALL
Returns all record level events

SKIP
Returns no record level events
If left blank, then SKIP is the default and nothing is considered a match
Examples:
RINS
Matches record level monitoring events where the operation was a record insert
RINS,RDEL
Matches record level monitoring events where the operation was a record insert or a record delete
Data Set Event

Indicates what type of SMF Data Set Events should be considered for a match.
Must contain zero or more of the following values, separated by a comma (,):
DSCLI|DSCLO|DSOP|DSCL|DSUP|DSDL|DSRN|DSCR|DSALT|DSRAL|DSRCN|DSRRD|
DSRUP|DSRDF|MADD|MREP|MREN|STOWI|ALL|SKIP
where:
DSOP
An OPEN event against a supported data set type
DSCL
A CLOSE event against a supported data set type
DSCLI
A CLOSE event against a supported data set type that was opened for input
DSCLO
A CLOSE event against a supported data sets type that was opened for output
DSUP
An UPDATE event against a supported data set type
DSDL
A DELETE event against a supported data set type
DSRN
A RENAME event against a supported data set type
DSCR
A DEFINE or NEW ALLOCATION event of a supported data set type
DSALT
An ALTER of the attributes of a supported data set type
DSRAL
A security facility ALTER access of a supported data set type
DSRCN
A security facility CONTROL access of a supported data set type
DSRRD
A security facility READ access of a supported data set type
DSRUP
A security facility UPDATE access of a supported data set type
DSRDF
A security facility DEFINE access of a supported data set type
MADD
A member add event against a supported data set type
MREP
A member replace event against a supported data set type
MREN
A member rename event against a supported data set type
MDEL
A member delete event against a supported data set type
STOWI
A STOW initialize event against a supported data set type
ALL
Returns all data set level events
SKIP
Returns no data set level events
If left blank, ALL is the default and all types are considered a match.
Examples:
DSOP
Matches data set events where an open occurred.
DSOP,DSCL
Matches data set events where an open or a close occurred.
Valid relational operators are:
EQ (Equals)
NE (Does not equal)
GE (Greater than or equal to)
LE (Less than or equal to)

GT (Greater than)
LT (Less than)
Note:
If you are using a relational operator with the Group of Values list, you must ensure that the operator is appended to the last field in the list, otherwise it will
be treated as an additional value for that field.
To use individual values along with those listed in the Group of Values list, the relational operator must be appended to the last field in the Group of Values
list, rather than to the individual field.
String comparisons are performed in lexicographical order. Because the strings are in EBCDIC, the order is lowercase, uppercase, and then numeric. Special
character positions depend on the hexadecimal value of the special character itself in relation to the other characters.
Data Set Type
Indicates the type of data sets that should be considered for a match.
Must contain zero or one of the following values:
VSAM|NONVSAM|ALL, where:
VSAM
VSAM data sets
NONVSAM
Non-VSAM data sets
All
Both VSAM and non-VSAM data sets
If nothing is specified, then only VSAM data set types are collected.
CICS collection filtering parameters

Use the following filtering parameters to collect transaction data from CICSÂ®.
CICS User ID
Indicates the CICS logon user ID to use when searching for a match
1 - 8 character CICS logon user ID to match
The user ID can be followed by a comma (,) and a relational operator. If no relational operator is specified, then EQ is assumed.
If left blank, then activities for all CICS logon user IDs are considered a match
Examples:
CICUSR01
Matches events that are caused by CICS logon user CICUSR01
CICUSR01,EQ
Matches events that are caused by CICS logon user CICUSR01
CICUSR%,EQ
Matches events that are caused by CICS logon users with the prefix CICUSR
CICS Transaction ID
Indicates the CICS transaction ID to use when searching for a match
1 - 4 character CICS transaction ID to match
The transaction ID can be followed by a comma (,) and a relational operator. If no relational operator is provided, then EQ is assumed.
If left blank, then activities for all CICS transaction IDs are considered a match.
Examples:
VTAP
Matches events that occur within CICS transaction ID VTAP
VTAP,EQ
VT%,EQ
Matches events that occur within CICS transaction IDs starting with the prefix VT
CICS Terminal ID
Indicates the CICS terminal ID to use when searching for a match
1 - 4 character CICS terminal ID to match
The terminal ID can be optionally followed by a comma (,) and a relational operator. If no relational operator is provided, then EQ is assumed.
If left blank, then activities for all CICS terminal IDs are considered a match.
Examples
VTAP
VTAP,EQ
VT%,EQ
Matches events that occur within CICS transaction IDs starting with the prefix VT
CICS Region ID

Indicates the CICS region ID to use when searching for a match. The Region ID is defined in the CICS Transaction Server System Initialization Table parameter
SYSIDNT.
1 - 4 character CICS region ID to match
The region ID can be followed by a comma (,) and a relational operator. If no relational operator is provided, then EQ is assumed.
If left blank, then activities for all CICS region IDs are considered a match.
Examples:
CICA
Matches events that occur within the CICS region with an ID of CICA
CICA,EQ
Matches events that occur within the CICS region with an ID of CICA
CIC%,EQ
Matches events that occur within the CICS regions with a prefix of CIC
CICS Program Name

Indicates the CICS program name to use when searching for a match.
1 - 8 character CICS program name to match.
The program name can be followed by a comma (,) and a relational operator. If no relational operator is provided, then EQ is assumed.
If left blank, then activities for all CICS program names are considered a match.
Examples:
PAYROLLA
Matches events that occur under control of the program that is named PAYROLLA
PAYROLLA,EQ
Matches events that occur under control of the program that is named PAYROLLA
PAYROLL%,EQ
Matches event

IBM Security Guardium V10.1 en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IBM Security Guardium V10.1 en

Uploaded by

Copyright:

Available Formats

IBM Security Guardium V10.

Monitor and Audit 113

Assess and harden 317

Conﬁguring your Guardium system 358

Access Management Overview 376

Aggregation and Central management 391

Managing your Guardium system 424

Troubleshooting problems 498

Windows: S-TAP user's guide 533

Linux and UNIX systems: S-TAP user's guide 566

DB2 for IBM i S-TAP 643

Guardium Installation Manager 646

Installing your Guardium system 663

Upgrading your Guardium System 682

CLI and API 697

S-TAP for z/OS V10.1.3 User's Guide 954

Discovering sensitive data

Troubleshooting and support

Guardium support home

IBM Security Learning Academy

Â© Copyright IBM Corporation 2002, 2017

The IBM Security Guardium solution is offered in two versions:

IBM Security Guardium Database Activity Monitoring (DAM)

IBM Security Guardium V10.1 1

Guardium products can help you:

For more information on the Guardium family of products, visit https://www.ibm.com/security/data-security/guardium.

Parent topic: Product overview

What's new in this release

IBM Security Guardium V10.1.4

Disable TLS1.0/1.1, Enable TLS1.2

VA Support Oracle 12.2

Enhance VA GUI to show short description

Update OpenSSL for Windows/UNIX S-TAP

Support for EMC ATMOS

GDPR accelerator for z/OS

Simpliﬁed deployment of S-TAP via GIM

Allow multiple KTAP buffers with more than ﬁve collectors

Prioritize connection packets over regular packets

IBM Security Guardium V10.1.3

Quick Start compliance monitoring

2 IBM Security Guardium V10.1

Performance and optimization to reduce overhead

Usability and supportability to help accelerate deployment and diagnostics

IBM Security Guardium V10.1.2

1. Outliers detection enhancements

Runs on an aggregator on data from several collectors

2. Hadoop activity monitoring and Cloudera 5.7+ integration/ Ranger enhancements

3. Classiﬁer enhancements and new Cleversafe backup/archive option

4. Enterprise health views

5. FAM enhancements -UID chaining and multi-action rule and outliers

8. UNIX S-TAP RPM changes

Installation to /opt/guardium (location cannot be changed).

RPM default conﬁguration

IBM Security Guardium V10.1 3

Flex loading can be used by exporting NI_ALLOW_MODULE_COMBOS="Y" prior to RPM installation

sqlguard_ip set to 127.0.0.1

tap_ip set to hostname

RPM logs saved to /opt/guardium/rpm_logs

Live update is supported.

STAP will be running after installation, but needs to be conﬁgured.

New script, guard-conﬁg-update, provided to make post-installation conﬁguration easier.

10. Data in-sight

IBM Security Guardium V10.1