MongoDB as an Audit store

IBM Security / IBM developerWorks, © 2015 IBM Corporation


Page 1

MongoDB as an Audit store

Page 2

Use cases

Customers want this feature because:

– they want to "post-process" the audit information for fraud and other analytic analysis

– they want to store information into another data store that can scale larger than our current collector capacity, for longer on-line retention requirements of 1-3 years

What is the problem?

Customers want to have more "on-line" storage for their audit data in order to satisfy regulatory obligations and forensic requirements.

What does this feature do?

Allow customers to "easily" move audit data into a long term repository.

Page 3

What is the benefit to the customer?

They can have the audit data "on-line" for longer retention periods than the typical Guardium collector/aggregator configuration, which is typically 1-3 months for regulatory retention requirements.

This also allows them to run other analytics, such as fraud analysis.

Please Note: The audit data is not under Guardium control and is therefore not forensic quality and may be modified. In order to prevent this, use Guardium S-TAP on the MongoDB store.

Restrictions:

• Cannot export to MongoDB with Kerberos

• No UI components for this feature in this release - the grdapi must be used to export to MongoDB

Page 4

How does it work?

[Diagram] A database client (Joe) issues "Select * from customer" against the DB server; the S-TAP on the DB server forwards the traffic to the analysis engine of the Guardium collector. When the feature is turned on and the policy has the log external action, traffic is written to the Guardium repository and to JSON text files simultaneously.

Files that are ready for transfer are marked .ready

Use grdapi to write the JSON files to MongoDB

Tables extracted to JSON files:

GDM_ACCESS

GDM_CONSTRUCT/CONSTRUCT_TEXT

GDM_SESSION

GDM_CONSTRUCT_INSTANCE

Page 5

Setup

As cli, turn on the feature:

– store log external state on

– Restart the inspection core after turning on the feature

Set the file size (default: 4096 MB) - optional:

– store log external file_size 500

Set how often files are marked as ready (default: 60 seconds) - optional:

– store log external flush_period

Also, use the log external policy action:

– This action is only displayed once the cli command has been used to turn log external on

Page 6

How to use this feature

Files are created in JSON format in the directory: /var/IBM/Guardium/data/auditlog

After the time period OR the size limit has passed, the files are marked as .ready

Run the following grdapi to move the contents of the .ready files to MongoDB:

– grdapi load_mongodb host="mongodb07.guard.swg.usma.ibm.com" port=27017 database="admin" user="sun1" password="sun123" collectionName="AuditGuardiumSensitive"

Callouts on the slide: database="admin" - right now, can only import into the admin db in MongoDB; user, password and collectionName - the userid/password and collection in MongoDB.

Page 7

Example

Page 8

Checklist to make sure the feature was installed correctly

To verify the feature was installed correctly:

1. Verify that the feature was turned on, using the CLI command: show log external state

2. Verify that there is a policy installed with the log external policy action

3. Verify files are being written to the /var/IBM/Guardium/data/auditlog directory

4. Verify files are written to the MongoDB collection

Troubleshooting

If no files are in the /var/IBM/Guardium/data/auditlog directory:

1. Verify the directory exists

2. Verify the feature is turned on

3. Verify the policy is installed

4. Verify that traffic is coming into the system

5. Verify the sniffer is up

6. Turn the external logging off using the CLI – you don’t need to change the policy

Page 9

Q&A

What tables within TURBINE are used to create the data?

– GDM_ACCESS

– GDM_CONSTRUCT/CONSTRUCT_TEXT

– GDM_SESSION

– GDM_CONSTRUCT_INSTANCE

How do I know when the file is completed and ready for transfer?

– Files that are ready for transfer are marked .ready

Is there a status to show how many of the files in /var/IBM/Guardium/data/auditlog have been processed?

– No, there is no status; the grdapi just returns after it is done

Is there a concern that the file system could become full if data is not exported?

– Yes
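Two points above call for the same operational check: the troubleshooting list on page 8 (no files in the directory) and the Q&A answer that the file system can fill up if the .ready files are never exported. The script below is an added example written for this page, not Guardium code and not part of grdapi: it summarises the spool directory (how much data is waiting for export, how long the oldest .ready file has waited, whether anything is being written at all) and turns that into alert codes an operator can act on. It assumes that "marked .ready" means a filename suffix and that files without the suffix are still being written; the files in the demo are constructed in a temporary directory.

```python
import os
import shutil
import tempfile
import time

READY_SUFFIX = ".ready"     # assumption: "marked .ready" means a filename suffix
DEFAULT_FLUSH_PERIOD = 60   # seconds; default from the Setup slide

# Alert codes and the operator-facing text for each.
MESSAGES = {
    "missing_dir": "spool directory does not exist (troubleshooting step 1)",
    "empty": "no audit files at all: check feature state, policy, traffic, sniffer",
    "backlog": "pending .ready data exceeds the allowed backlog; run grdapi load_mongodb",
    "stale": "oldest .ready file has waited many flush periods; export is not running",
}


def spool_status(spool_dir, now=None):
    """Count what is waiting for export (.ready) and what is still open."""
    now = time.time() if now is None else now
    status = {"exists": os.path.isdir(spool_dir), "ready_files": 0,
              "ready_bytes": 0, "open_files": 0, "oldest_ready_age": 0.0}
    if not status["exists"]:
        return status
    for name in os.listdir(spool_dir):
        path = os.path.join(spool_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        if name.endswith(READY_SUFFIX):
            status["ready_files"] += 1
            status["ready_bytes"] += st.st_size
            status["oldest_ready_age"] = max(status["oldest_ready_age"],
                                             now - st.st_mtime)
        else:
            status["open_files"] += 1
    return status


def spool_alerts(status, max_ready_bytes, flush_period=DEFAULT_FLUSH_PERIOD,
                 stale_periods=10):
    """Turn a status dict into alert codes; the thresholds are the caller's choice."""
    alerts = []
    if not status["exists"]:
        alerts.append("missing_dir")
        return alerts
    if status["ready_files"] == 0 and status["open_files"] == 0:
        alerts.append("empty")
    if status["ready_bytes"] > max_ready_bytes:
        alerts.append("backlog")
    if status["oldest_ready_age"] > flush_period * stale_periods:
        alerts.append("stale")
    return alerts


def demo():
    """Constructed spool: one stale .ready file, one fresh one, one still open."""
    spool = tempfile.mkdtemp(prefix="auditlog-")
    try:
        now = time.time()
        for name, size, age in (("a.json.ready", 100, 3600),
                                ("b.json.ready", 300, 30),
                                ("c.json", 50, 5)):
            path = os.path.join(spool, name)
            with open(path, "wb") as fh:
                fh.write(b"x" * size)
            os.utime(path, (now - age, now - age))   # back-date the file
        status = spool_status(spool, now=now)
        alerts = spool_alerts(status, max_ready_bytes=250)
        gone = spool_alerts(spool_status(os.path.join(spool, "nope"), now=now),
                            max_ready_bytes=250)
    finally:
        shutil.rmtree(spool, ignore_errors=True)
    return {"status": status, "alerts": alerts, "missing_dir_alerts": gone}


if __name__ == "__main__":
    out = demo()
    for code in out["alerts"]:
        print(code, "-", MESSAGES[code])
```

In practice the stale threshold would be derived from the flush_period configured on the Setup slide, and the backlog threshold from the free space on the partition holding /var/IBM/Guardium/data/auditlog; the "empty" alert is the trigger for the rest of the page 8 troubleshooting steps, which need the CLI rather than a script.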

How long does it take to export to mongo?

Page 10

What fields are written to file?

– Command

– Service Name

– Application User Name

– Source Program

– DB User

– Client IP

– Client Port

– DB Protocol

– Server Port

– Protocol Version

– Original SQL

– Net Protocol

– Status

– Server Type

– Session Start

– Server IP

– Gmachine IP

– Records Affected
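Page 3 notes that once the audit data has left the collector it is no longer under Guardium control and may be modified. The script below is an added example written for this page, not Guardium code and not the grdapi: it reads the .ready files before export, checks each record for the fields listed above, and keeps a per-record SHA-256 digest on the collector side so that documents later read back from MongoDB can be compared against that manifest (a deleted document shows up as missing, an edited one as missing plus unexpected). It assumes that "marked .ready" is a filename suffix, that each file holds one JSON object per line, and that the JSON keys are the field names listed above; the deck shows no file layout, and the sample records and the MongoDB _id values are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Field names from the "What fields are written to file?" slide.  Using them
# verbatim as JSON keys is an assumption; the deck shows no file layout.
REQUIRED_FIELDS = (
    "Command", "Service Name", "Application User Name", "Source Program",
    "DB User", "Client IP", "Client Port", "DB Protocol", "Server Port",
    "Protocol Version", "Original SQL", "Net Protocol", "Status",
    "Server Type", "Session Start", "Server IP", "Gmachine IP",
    "Records Affected",
)
READY_SUFFIX = ".ready"  # assumption: "marked .ready" means a filename suffix


def record_digest(rec):
    """SHA-256 over a canonical JSON form of one record.  Key order does not
    matter, and keys starting with '_' (the _id MongoDB adds on insert) are
    dropped so a document read back from the store hashes like the original."""
    canon = {k: v for k, v in rec.items() if not k.startswith("_")}
    data = json.dumps(canon, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def parse_ready_file(path):
    """Assumed layout: one JSON object per line.  Returns (records, errors);
    a record with missing fields is kept but reported, a bad line is skipped."""
    records, errors = [], []
    with open(path, "r", encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            try:
                rec = json.loads(line)
            except json.JSONDecodeError as exc:
                errors.append("line %d: %s" % (lineno, exc.msg))
                continue
            missing = [f for f in REQUIRED_FIELDS if f not in rec]
            if missing:
                errors.append("line %d: missing %s" % (lineno, missing))
            records.append(rec)
    return records, errors


def build_manifest(spool_dir):
    """Digest every .ready file before grdapi ships it.  Files without the
    suffix are still being written by the collector and are skipped."""
    manifest = {}
    for name in sorted(os.listdir(spool_dir)):
        if not name.endswith(READY_SUFFIX):
            continue
        records, errors = parse_ready_file(os.path.join(spool_dir, name))
        manifest[name] = {"records": len(records), "errors": errors,
                          "digests": sorted(record_digest(r) for r in records)}
    return manifest


def compare_store(manifest, documents):
    """Check documents read back from the external store against the manifest.
    Returns (missing, unexpected): a deleted document is missing; a modified
    one is missing under its old digest and unexpected under its new one."""
    expected = {d for entry in manifest.values() for d in entry["digests"]}
    found = {record_digest(doc) for doc in documents}
    return sorted(expected - found), sorted(found - expected)


def _sample_record(n, sql, rows):
    """Constructed sample record for the demo; every value is invented."""
    return {"Command": "SELECT", "Service Name": "ORCL",
            "Application User Name": "joe", "Source Program": "sqlplus",
            "DB User": "JOE", "Client IP": "10.0.0.%d" % n,
            "Client Port": 50000 + n, "DB Protocol": "Oracle",
            "Server Port": 1521, "Protocol Version": "12.1",
            "Original SQL": sql, "Net Protocol": "TCP", "Status": 0,
            "Server Type": "ORACLE", "Session Start": "2015-06-01 10:00:%02d" % n,
            "Server IP": "10.0.1.5", "Gmachine IP": "10.0.2.9",
            "Records Affected": rows}


def demo():
    """Write constructed spool files to a temp dir, build the manifest, then
    compare it with a simulated store copy (one document edited, one dropped)."""
    spool = tempfile.mkdtemp(prefix="auditlog-")
    try:
        good = [_sample_record(1, "select * from customer", 42),
                _sample_record(2, "select * from orders", 7)]
        with open(os.path.join(spool, "audit-0001.json.ready"), "w") as fh:
            fh.write("\n".join(json.dumps(r) for r in good) + "\n")
        bad = _sample_record(3, "select 1 from dual", 1)
        del bad["Original SQL"]                     # incomplete record
        with open(os.path.join(spool, "audit-0002.json.ready"), "w") as fh:
            fh.write(json.dumps(bad) + "\n")
        with open(os.path.join(spool, "audit-0003.json"), "w") as fh:
            fh.write('{"still": "being written"')   # no .ready suffix yet
        manifest = build_manifest(spool)
    finally:
        shutil.rmtree(spool, ignore_errors=True)

    # Simulated read-back from MongoDB (constructed _id values): record 2 has
    # its row count edited, the incomplete record 3 has been deleted.
    edited = dict(good[1], _id="507f1f77bcf86cd799439012")
    edited["Records Affected"] = 700
    stored = [dict(good[0], _id="507f1f77bcf86cd799439011"), edited]
    missing, unexpected = compare_store(manifest, stored)
    return {"files": sorted(manifest),
            "errors": {k: v["errors"] for k, v in manifest.items() if v["errors"]},
            "missing": len(missing), "unexpected": len(unexpected)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only has evidential value while it stays on the collector (or anywhere else the MongoDB users cannot write); the comparison is a detection control for the page 3 caveat, not a substitute for putting S-TAP on the MongoDB store.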

Page 11

Restrictions

Page 12

www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.