Virtual Boot Camp – Day 1 Guardium Database Activity Monitor (DAM) & DB2 for i Scott Forstie forstie@us.ibm.com DB2 for i Business Architect 1 © 2014 IBM Corporation Guardium DAM & DB2 for i DB2 for i • Standard compliant • Secure • Scalable • Functionally Advanced • Excellent Performance • Easier to use • Easier to maintain Value Proposition In d an 7.1 More Built-in Global Variables XMLTABLE More SQL Scalar functions OLAP Extensions Omnifind Encryption enhancements (FIELDPROCs) V5R4 MySQL storage engine Result set support in embedded SQL WebQuery DECFLOAT SSD Memory Preference Grouping sets /super groups CURRENTLY COMMITTED INSERT in FROM Global variables Partitioned tables On Demand Performance Center Named arguments and defaults for parameters VALUES in FROM UFT-8 and UTF-16 Health Center Obfuscation of SQL routines ICU sort sequence Extended Indicator Variables Array support in procedures e nt e stm SQE Stage 1 MQTs Completion of SQL Core IASPs Sequences Scalar fullselect Implicit char/numeric Recursive CTE 6.1 Expression in Indexes ROW CHANGE TIMESTAMP BINARY/VARBINARY INSTEAD OF triggers Statistics catalog Savepoints views GET DIAGNOSTICS Descriptor area UNION in views XA over DRDA CLIENT special DRDA Alias Scalar subselect registers DDM 2-phase DECIMAL(63) UDTFs SQE Stage 6 Scrollable cursor DECLARE GLOBAL SQE Stage 3 DDM and DRDA 2M SQL statement TEMPORARY Ragged SWA IPv6 TABLE 1000 tables in a QDBRPLAY Deferred Restore of query Catalog views MQT and Logicals Online Reorganize 2 © 2014 IBM Corporation Environmental limits MERGE Three-part names and aliases requests TRANSFER OWNERSHIP Array support in UDFs Timestamp precision SQE Adaptive Query Processing Multiple-action Triggers EVI enhancements Built-in Global Variables CREATE OR REPLACE TR-timed enhancements More Services System Limits for IFS Regression Functions/Covarianc High priority customer e/Correlation SQE Logical file support Inline functions Pipeline Row and Column Access Control CONNECT BY ua n i nt V5R3 o C Identity columns v o n on i t a 7.2 XML Support v l In V5R2 Next? 1.7 Terabyte Indexes Navigator Graphing and Charting Journal_Info catalog And more… DB2 Family Products InfoSphere Data Architect Enterprise data modeling and management Optim Data Studio DB2 Connect .NET Plug ins - Entity Framework Graphical development, deployment, and debug of SQL procedures and functions Design Optimize Policies Develop Models Metadata Operate Deploy InfoSphere Optim Test Data Management OmniFind Text Search Server OmniFind Text indexes and text search Cognos Business Intelligence software • Streamlined test data management Database Change Data Capture Database Database .. .. InfoSphere Change Data Capture Enterprise replication 3 © 2014 IBM Corporation … Database InfoSphere Guardium Real-time Database Protection and Compliance InfoSphere Guardium Vulnerability Assessment Helps secure data by recommending best security practices Previous Guardium IBM i Support • • Guardium Collector GUI IBM i Scheduled Guardium JDBC Upload Process Audit data in DB2 for upload to collector Audit Data captured via journals 4 © 2014 IBM Corporation Journaling is the primary vehicle for capturing audit data (for all vendors) Network monitoring also provided Journaling DB2 Audited Tables Audited Database System Audit Journaling Database changes System Activity Guardium STAP for IBM i Both QAUDJRN and SQL information is streamed to the Guardium collector • Global SQL Monitor using a view and instead of trigger captures SQL information and puts them on a Unix queue • Audit server job – Runs in batch – Receives QAUDJRN audit entries and puts them on a Unix queue – Runs a Guardium AIX executable in PASE to receive entries from the queue and send them to the collector – On an IPL we will restart automatically (you may have to start the subsystem) 5 © 2014 IBM Corporation What’s special about Guardium V9.0 & DB2 for i? Comprehensive database monitoring solution Audit Journal, inbound and host-based SQL activity and Data Journals SQL Statement Text with Bind Variables Ability to reconstruct the complete SQL statement Beyond Bind Variables, contextual detail an auditor needs is there Real time monitoring Enables real time action and reaction Integrated IBM i solution SWMA and strategic investment area Extensive filtering capability 6 © 2014 IBM Corporation Guardium STAP for IBM i SQL monitoring based on INSTEAD OF triggers on a view. Journaling over a view significantly reduces overhead and storage requirements Elapsed Time Comparison Storage Used Compatison 140000000 30 120000000 25 100000000 20 80000000 15 60000000 10 40000000 5 20000000 0 0 Traditional Database Monitor View with only 23 columns View with Instead of Trigger Traditional Database Monitor View with only 23 columns View with Instead of Trigger CPU overhead will be reduced even lower with IBM i TR9 (GA – November 11, 2014 7 © 2014 IBM Corporation Filtering Which Data to Capture There are several places where audit data is filtered: • Normal auditing controls filter what data goes into QSYS/QAUDJRN • Filtering only specific Journal Entry Types can be configured • Only certain journal entry types are processed and sent to Guardium • Only certain attributes of the journal entries are processed and sent to Guardium • The database monitor can filter data • The same filtering available on STRDBMON can be configured • Only certain monitor entries are processed and sent to Guardium • Only certain attributes of the monitor entries are captured and sent to Guardium • The Guardium collector can perform additional filtering via Policies. For example: • Only capture security failures • Only capture failures for certain users or objects • Etc. Etc. Etc. 8 © 2014 IBM Corporation Database Monitor Filtering Filtering option Description FILTER_USER The specified user or group user profile filter, if any. Only one user name or generic user name can be specified. With TR9 (7.1 & 7.2) clients can provide from 1-10 filter names The specified job filter, if any. Only one job name or generic job name can be specified. FILTER_JOB FILTER_TCPIP The specified TCP/IP filter, if any. Only one TCP/IP address can be specified. FILTER_TABLE The specified table filter, if any. Up to ten file names or generic file names can be specified. The specified library name must be the system schema name (10 character name). The file name can be either the system table name or table name (long or short name). FILTER_PORT The specified port filter, if any. Only one port filter can be specified. Filtering by port is only supported in release 7.1 and above. FILTER_CLIENT_ACCTING The specified client accounting filter, if any. Only one client accounting filter can be specified. Filtering by client accounting is only supported in release 7.1 and above. FILTER_CLIENT_APPLNAME The specified client application filter, if any. Only one client application filter can be specified. Filtering by client application is only supported in release 7.1 and above. FILTER_CLIENT_PROGRAMID The specified client program filter, if any. Only one client program filter can be specified. Filtering by client program is only supported in release 7.1 and above. FILTER_CLIENT_USERID The specified client user filter, if any. Only one client user filter can be specified. Filtering by client user is only supported in release 7.1 and above. FILTER_CLIENT_WRKSTNNAME The specified client workstation filter, if any. Only one client workstation filter can be specified. Filtering by client workstation is only supported in release 7.1 and above. FILTER_RDB The specified relational database filter, if any. Up to 10 relational database names can be specified. FILTER_SYSTEM_SQL The specified system SQL statement filter. Specifies whether system SQL statements should be audited (Y or N) . The default is Y. FILTER_AUDIT_ENTRY_TYPES The specified QAUDJRN audit entry filter, if any. Specifies which audit journal entry types should be processed. The default is 'AD AF CA CO CP DO GD OM OR OW PG PW RA RO RZ ZC ZR' 9 © 2014 IBM Corporation Monitor Entry Type Filtering Some of the entries are strictly of interest for isolating performance and response time problems. These entries are omitted: (not sent to the Guardium appliance) CH CLOSE (Hard) HC CLOSE (Hard) HH CLOSE (Hard) JR Recycle Prestart Job PD PREPARE DESCRIBE (except authorization errors are captured) PR PREPARE (except authorization errors are captured) ZD HOST SERVER ONLY Some of the DBMON entries are not useful from an audit standpoint. These entries are omitted: (not sent to the Guardium appliance) AD ALLOCATE DESCRIPTOR HL HOLD LOCATOR CL CLOSE RE RELEASE DA DEALLOCATE DESCRIPTOR RG RESIGNAL FE FETCH SC SET CONNECTION FL FREE LOCATOR SD SET DESCRIPTOR GD GET DIAGNOSTICS SG SIGNAL GS GET DESCRIPTOR Xx Entries (-primarily X/Open) Some statements are sub-statements of another statement, these are also omitted: (not sent) IN INSERT that is part of a CREATE TABLE or DECLARE GLOBAL TEMPORARY TABLE AS ... WITH DATA DL DELETE that is part of a MERGE IN INSERT that is part of a MERGE UP UPDATE that is part of a MERGE 10 © 2014 IBM Corporation QAUDJRN Filtering The audit entries that we capture can be controlled by configuring which entry types should be captured. By default, the following are returned: ZR Read object ZC Change object CA Authority change CP Change Profile AD Auditing change AF Authority failure CO Create object DO Delete object GR General purpose audit record OM Object moved or renamed PG Primary group change PW Invalid password or user ID OW Change owner OR Object restored RA Restore authority change RO Restore owner change RZ Restore primary group change SV System Value change Note: CD Command string is supported, but not by default Since the focus is primarily on database changes, we will only return entries related to objects that are database specific: *FILE (a table, view, index, logical file, alias, or device file) *SQLUDT (an SQL user-defined type) *SQLPKG (an SQL package) *PGM (a procedure, function, or program) *SRVPGM (a procedure, function, global variable, or service program) *DTAARA (an SQL sequence) For entries that identify an object, the statement text part of the message will be constructed as follows: XX - 30-byte-text 10-byte-library 10-byte-object-name 8-byte-object-type For example: ZC - Change object 11 © 2014 IBM Corporation <library-name> <file-name> *FILE Attribute filtering Audit Data SQL Monitor Audit Journal Job name Job user Job number Start time End time SQLSTATE Yes Yes Yes Yes Yes Yes Yes Yes Yes Always the same as the Start time Yes 08001 for invalid password (PW) and audit records (GR) 42501 for authority failure (AF) 00000 everything else SQLCODE Yes -30080 for invalid password (PW) and audit records (GR) -551 for authority failure. (AF) 0 everything else SQL statement SQL variables Interface Client application name Client user ID Client workstation Client accounting Client program Current user Thread ID Program schema Program name Client IP Address Local or server port number RDB name Number of rows Yes – limited to 60K No - basic journal entry description instead Yes - limited to 1000 bytes No Yes Always QAUDJRN Yes, No Yes No Yes No Yes No Yes No Yes Yes Yes Yes Yes, if the statement is executed from a PGM or SRVPGM Yes, if the statement is executed from a PGM or SRVPGM Yes, if the statement is executed from a PGM or SRVPGM Yes, if the statement is executed from a PGM or SRVPGM Yes Yes Yes Yes Yes Yes Yes, only for INSERT, DELETE, UPDATE, MERGE, OPEN*, VALUES INTO, CREATE TABLE AS, DECLARE GLOBAL TEMPORARY TABLE AS, and SET VARIABLE No 12 © 2014 IBM Corporation Audit Server Status information STATUS_TIME Timestamp of this request for status SERVER_STARTED Indicates whether the server is currently started or not (YES or NO) START_TIME Timestamp of the last time the server was started SERVER_JOB Job name of the server NUMBER_JOBS_AUDITED_USING_SQL Number of jobs that have processed an SQL statements since the server was started NUMBER_PROCESSED_SQL_STATEMENTS Number of SQL statements that have been processed since the server was started. This does not include SQL statements filtered out by STRDBMON NUMBER_ENQUEUED_SQL_STATEMENTS Number of SQL statements that have been enqueued since the server was started. This does not include SQL statements filtered out. NUMBER_SKIPPED_SQL_STATEMENTS Each job will attempt to put an SQL statement on the queue up to three times. This indicates that some number of SQL statements could not be audited. Rare…typically indicates a queue problem. NUMBER_PROCESSED_VARIABLE_SETS Number of SQL statements that have variables since the server was started. Some SQL statements have variables and some not. This does not include SQL statements filtered out. NUMBER_SKIPPED_VARIABLE_SETS Number of SQL statements whose variable values were discarded. Since the variable values are written to the monitor PRIOR to the actual SQL statement, It is possible that several sets of variables will have to be saved until the SQL statement shows up. Up to 300 sets of variables are saved so this is extremely unlikely. NUMBER_PROCESSED_QAUDJRN_ENTRIES Number of journal audit entries that have been processed since the server was started. This does not include audit entries filtered out. NUMBER_ENQUEUED_QAUDJRN_ENTRIES Number of journal audit entries that have been enqueued since the server was started. This does not include entries filtered out. NUMBER_SKIPPED_QAUDJRN_ENTRIES Number of journal audit entries that were discarded. This indicates that some number of audit journal entries could not be audited. Rare…typically indicates a queue problem. QUEUE_DAMAGED Indicates whether or not the queue is damaged. (YES or NO) NUMBER_MESSAGES_ON_QUEUE Number of messages currently on the queue SIZE_OF_MESSAGES_ON_QUEUE Size of the queue MAXIMUM_SIZE_OF_QUEUE Maximum size of the queue (this is always 16 meg) TOTAL_ENQUEUING_THREADS Total number of threads enqueuing messages LAST_DEQUEUE_TIME Timestamp of the last dequeue operation LAST_ENQUEUE_TIME Timestamp of the last enqueue operation QUEUE_OWNER Owner of the queue. This is the user that started the server LAST_END_MONITOR_JOB Job of the user that last ended the monitor LAST_END_MONITOR_USER User that last ended the monitor 13 © 2014 IBM Corporation Guardium Database Activity Monitoring & DB2 for i IBM i TR5 IBM i TR6 2013 IBM i TR7 SF99701 Level 18 SF99601 Level 28 2014 SF99701 Level 26 SF99601 Level 31 SF99701 Level 24 SF99601 Level 30 SF99702 Level 1 • Tracing Support Added • Serviceability Guide created Product GA • InfoSphere Guardium V9.0 DAM & DB2 for i • White Paper published • Promotional video on YouTube IBM i TR8 7.2 – GA • Add support for: PREVENT_SKIPPED_ENTRIES Enhanced Audit Server status Enhanced CP journal detail • • • Guardium DAM Supported with IBM i 7.2 Add AX audit entry Enhanced PW journal detail Add micro-seconds to Activity entity reports Tech Talk Videos – Implementing a data protection and compliance solution for IBM i Guardium Data Monitoring - DB2 for i fact page https://ibm.biz/GuardiumDAMonIBMi 14 © 2014 IBM Corporation Best Practices • • • • Capture only what you need by using filtering Filtering at the IBM i is better than filtering at the Guardium collector Create a new user profile and a unique job description for the audit server batch job Create a unique group profile and use it to audit your highly privileged users 15 © 2014 IBM Corporation Alert On Failed Login (Exception Rule) APPUSER is generic service account Exception Type = Failed Login Min Count = How often Reset Interval = Between what time period Action = Alert So… Alert on 3 Failed Login attempts from the same user if they occur 3 times within a 5 minute interval You should not have 3 failed logins on a production system! 16 © 2014 IBM Corporation Guardium Database Activity Monitoring & DB2 for i 2014 IBM i TR8 SF99701 Level 29 SF99601 Level 32 Guardium DAM for i improvements: • Reduced CPU overhead for aggressive monitoring of SQL • Multiple User Name SQL Filtering • Guardium on i Technical article • Other High Priority feature requests 17 © 2014 IBM Corporation IBM i 7.1 TR9 7.2 TR1 SF99702 Level 3 SF99701 Level 32 SF99601 Level 33 2015 ??? Guardium for i – Possible Future Enhancements • Guardium Vulnerability Assessment (VA) support for IBM i • Guardium Classifier support for IBM i • Add micro-seconds to exception entity reports • Improved “out of the box” IBM i Activity and Exception reports • Enhancements requested by PoC or clients Guardium Data Monitoring - DB2 for i fact page https://ibm.biz/GuardiumDAMonIBMi Contrasting DB2 for i - Data Compliance Technology Guardium Activity Monitor & DB2 for I Audit Journal Data Journal 6.1, 7.1, 7.2 6.1, 7.1, 7.2 6.1, 7.1, 7.2 InfoSphere Guardium Security ISVs & InfoSphere Guardium Security ISVs Solution infrastructure beyond IBM i Yes No No Capture SQL statements Yes No No Capture SQL host variable values and environment Yes No No Capture database specific Audit Journal details Yes Yes No Capture before and after images of data No No Yes Able to track which rows are seen by users No No No Success factors include: Strategy, Tuning & Consulting Yes Yes Yes Use case Supported IBM i OS releases Analysis & Reporting 18 © 2014 IBM Corporation Contrasting DB2 for i - Data Security Technology Field Procedures Column Masks Row Permissions Views & Logical Files Use case Supported IBM i OS releases 7.1, 7.2 7.2 7.2 6.1, 7.1, 7.2 Limit access to some/all data within a column Yes Yes No Yes Limit access to rows No No Yes Yes External program (complex) SQL rule (simple) SQL rule (simple) DDS or SQL (varies) • Townsend Security • Linoma • Enforcive None at this time None at this time N/A Data encrypted at rest Yes No No No Data encrypted in journal Yes No No No Masked values apply to selection criteria Yes No N/A N/A Data-Centric Solution Yes Yes Yes No Success factors include: Strategy, Tuning & Consulting Yes Yes Yes No Security logic payload (customer experience) Software Vendor component 19 © 2014 IBM Corporation Contrasting DB2 for i - Data Security DB2 for i Data Security options go well beyond the data model. Open Database File (QIBM_QDB_OPEN) exit program is called when a when a job is opening a database file. Use this interface to deploy blocking and more. Query Governor protects against over consumption of CPU or Storage http://www-01.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_72/apis/xqrygovr.htm IBM i Function usage IDs provide a granular role based security authorization (allow or deny) based upon users or groups. https://www.ibm.com/developerworks/community/wikis/home?lang=es#!/wiki/IBM%20i%20Technology%20Updates/p age/DB2%20for%20i%20Security%20Enhancements IBM i has exit programs for connection interfaces and commands. The exit program can block or log or more. 20 © 2014 IBM Corporation Field Procedures and Data Encryption Create a CUSTOMER table where the CCNBR column has a FIELDPROC. Allows for transparent encryption or encoding/decoding of data on SQL or native interfaces CREATE TABLE CUSTOMER ( NAME VARCHAR(50), ADDRESS VARCHAR(100), CCNBR CHAR(16) FIELDPROC ENCRYPTLIB.ENCRYPTPGM1 ) Alter an existing CUSTOMER table to add a FIELDPROC to the CCNBR column. ALTER TABLE CUSTOMER ALTER COLUMN CCNBR SET FIELDPROC ENCRYPTLIB.ENCRYPTPGM1 White Paper: Protecting IBM i data with encryption http://www-304.ibm.com/partnerworld/wps/servlet/ContentHandler/whitepaper/ibmi/db2/encryption Articles: Enable Transparent Encryption with DB2 Field Procedures www.mcpressonline.com/database/db2/enable-transparent-encryption-with-db2-field-procedures.html DB2 Field Procedures Finally Support Conditional Masking www.mcpressonline.com/rpg/db2-field-procedures-finally-support-conditional-masking.html 21 © 2014 IBM Corporation Guardium STAP for IBM i Both QAUDJRN and SQL information is streamed to the Guardium collector Global SQL Monitor using a view and instead of trigger captures SQL information and puts them on a Unix queue Audit server job – Runs in QBATCH (or your choice of subsystem) – Receives QAUDJRN audit entries and puts them on a Unix queue – Runs a Guardium UNIX executable in PASE to receive entries from the queue and send them to the collector – On an IPL it will restart automatically (you may have to start the subsystem) Se cu r e lo ggi ng 22 22 © 2014 IBM Corporation InfoSphere Guardium Database Activity Monitor (DAM) & DB2 for i Leading Medical Practice, Research, and Education Institution supports data security and compliance Need • Requirement to demonstrate SOX compliance to ensure the integrity of financial reporting data stored in DB2 for i • Previous vendor tool was unable to monitor local connections to the database, exposing sensitive data to privileged user access Benefits • Provides comprehensive activity monitoring for both SQL and native access to DB2 for i data • Monitors privileged users, embracing separation of duties • Centralizes and automates audit controls and regulatory reporting 23 23 © 2014 IBM Corporation • Provides proactive security via real-time alerts for critical events without affecting performance or requiring changes to databases or applications DB2 for i - 7.2 Enhancements by role - Security New Boss Option New SQL Statements for security – – – – – – IBM Advanced Data Security for i CREATE PERMISSION ALTER PERMISSION CREATE MASK ALTER MASK ALTER TRIGGER TRANSFER OWNERSHIP (Boss option 47) No Charge New tools in the toolbox… New Built-in Function – VERIFY_GROUP_FOR_USER() New Function Usage ID – QIBM_DB_SECADM New Catalogs – QSYS2/SYSCONTROLS – QSYS2/SYSCONTROLSDEP 24 © 2014 IBM Corporation New Journal Entry Types For journal code D - Database file: M1, M2, M3 for create/drop/alter mask P1, P2, P3 for create/drop/alter permission For journal code T – Audit trail: AX for Row and Column Access Control X2 for Query manager profile changes DB2 for i RCAC Redpaper www.redbooks.ibm.com/redpieces/abstracts/redp5110.html 25 © 2014 IBM Corporation © Copyright IBM Corporation 2014 25 DB2 for i RCAC Workshop • New offering from the STG Lab Services team • Four day facilitated workshop led by the DB2 for i Center of Excellence including the following: – Review of the current state, current requirements, and future requirements for managing data access – Education on possible solutions and related best practices for their implementation – Discussion and formulation of a strategic roadmap for implementation • For more information, contact mcain@us.ibm.com 26 © 2014 IBM Corporation © Copyright IBM Corporation 2014 26 Competition at a glance… Guardium Database Activity Monitor vs Competition** Audit Journal and Data Journal coverage (tie) ODBC requests vs All SQL activity (win) SQL Statement Text vs SQL Statement Text with Bind Variables (win) Integrated IBM i solution vs External monitoring (win) Extensive filtering capability (win) One software product to handle all databases vs IBM i specific solution (win) ** - several competitors and they are all unique in what they provide and how they provide it 27 © 2014 IBM Corporation
© Copyright 2024