© 2015 IBM Corporation
IBM Security
MongoDB as an Audit store
Use cases
Customers want this feature because:
– they want to "post-process" the audit information for fraud detection and other analytics
– they want to store information into another data store that can scale larger than our current collector capacity, for longer on-line retention requirements of 1-3 years
What is the problem?
Customers want to have more "on-line" storage for their audit data in order to satisfy regulatory obligations and forensic requirements.
What does this feature do?
Allow customers to "easily" move audit data into a long term repository.
What is the benefit to the customer?
They can have the audit data "on-line" for longer retention periods than the typical Guardium collector/aggregator configuration, which is typically 1-3 months for regulatory retention requirements.
This also allows them to run other analytics, for example for fraud detection.
Please Note: The audit data is not under Guardium control and is therefore not forensic quality and may be modified. To prevent this, use Guardium STAP on the MongoDB store.
Restrictions:
• Cannot export to MongoDB with Kerberos
• No UI components for this feature in this release - need to use the grdapi to export to mongoDB
How does it work?
[Diagram: a database client (Joe) issues SQL such as "Select * from customer" to the DB server; the STAP on the DB server forwards the traffic to the Guardium collector's analysis engine.]
When the feature is turned on and the policy has the log external action, traffic is written to the Guardium repository and to JSON text files simultaneously.
Files that are ready for transfer are marked .ready
Use grdapi to write the JSON files to mongoDB
Tables extracted to JSON files:
GDM_ACCESS
GDM_CONSTRUCT/CONSTRUCT_TEXT
GDM_SESSION
GDM_CONSTRUCT_INSTANCE
Setup
As cli, turn on the feature:
– store log external state on
– Restart the inspection core after turning on the feature
Set the file size (default: 4096MB) - optional
– store log external file_size 500
Set how often to mark files as ready (default: 60 seconds) - optional
– store log external flush_period
Also, use the log external policy action
– This action is only displayed once the cli command has been used to turn log external on
How to use this feature
Files are created in JSON format in the directory: /var/IBM/Guardium/data/auditlog
After the time period OR the size limit has passed, the files are marked as .ready
Run the following grdapi to move the contents of the .ready files to mongoDB:
– grdapi load_mongodb host="mongodb07.guard.swg.usma.ibm.com" port=27017 database="admin" user="sun1" password="sun123" collectionName="AuditGuardiumSensitive"
– Right now, it can only import into the admin db in mongoDB (database="admin")
– user, password and collectionName are the userid/password and the collection in mongoDB
Example
Checklist to make sure the feature was installed correctly
To verify the feature was installed correctly:
1. Verify that the feature was turned on using the CLI command
• show log external state
2. Verify that there is a policy installed with the log external policy action
3. Verify files are being written to the /var/IBM/Guardium/data/auditlog directory
4. Verify files are written to the MongoDB collection
Troubleshooting
If no files are in the /var/IBM/Guardium/data/auditlog directory:
1. Verify the directory exists
2. Verify the feature is turned on
3. Verify the policy is installed
4. Verify that traffic is coming into the system
5. Verify the sniffer is up
6. Turn the external logging off using the CLI – you don’t need to change the policy
Q&A
What tables within TURBINE are used to create the data?
– GDM_ACCESS
– GDM_CONSTRUCT/CONSTRUCT_TEXT
– GDM_SESSION
– GDM_CONSTRUCT_INSTANCE
How do I know when the file is completed and ready for transfer?
– Files that are ready for transfer are marked .ready
Is there a status to show how many of the files have been processed in /var/IBM/Guardium/data/auditlog?
– No, there is no status; the grdapi just returns after it is done
Is there a concern that the file system could become full if data is not exported?
– Yes
How long does it take to export to mongo?
What fields are written to file?
– Command
– Service Name
– Application User Name
– Source Program
– DB User
– Client IP
– Client Port
– DB Protocol
– Server Port
– Protocol Version
– Original SQL
– Net Protocol
– Status
– Server Type
– Session Start
– Server IP
– Gmachine IP
– Records Affected
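A small parser and post-processing pass over one .ready file, added here as an example for the "How to use this feature" slide and the field list above; it is not part of the deck and not Guardium code. It assumes each file holds one JSON object per line keyed by the field names listed above (the deck does not specify the layout); the sample records, file name and user "joe" are constructed.

```python
import json
import tempfile
from pathlib import Path
# Field names copied from the deck's "What fields are written to file?" slide.
EXPECTED_FIELDS = frozenset([
    "Command", "Service Name", "Application User Name", "Source Program", "DB User",
    "Client IP", "Client Port", "DB Protocol", "Server Port", "Protocol Version",
    "Original SQL", "Net Protocol", "Status", "Server Type", "Session Start",
    "Server IP", "Gmachine IP", "Records Affected"])

# Constructed sample. One JSON object per line is this script's assumption, not a
# layout the deck specifies. Line 2 lacks most fields; line 3 is truncated, as a
# file read before it is marked .ready might be.
SAMPLE_LINES = [
    json.dumps({**{f: "" for f in EXPECTED_FIELDS}, "Command": "SELECT",
                "DB User": "joe", "Client IP": "10.0.0.5", "Status": "0",
                "Original SQL": "Select * from customer"}),
    json.dumps({"Command": "UPDATE", "DB User": "joe"}),
    '{"Command": "DELETE", "DB User":',
]

def parse_ready_file(path):
    """Return (records, problems); each problem is a (line number, reason) pair."""
    records, problems = [], []
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            try:
                rec = json.loads(line)
            except json.JSONDecodeError as exc:
                problems.append((lineno, "invalid JSON: " + exc.msg))
                continue
            missing = sorted(EXPECTED_FIELDS - rec.keys())
            if missing:  # keep the record but flag it; missing fields break downstream analytics
                problems.append((lineno, "missing " + ", ".join(missing)))
            records.append(rec)
    return records, problems

def summarize(records):  # statements per (DB User, Command): post-processing as the deck mentions
    counts = {}
    for rec in records:
        key = (rec.get("DB User", "?"), rec.get("Command", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts

def run_sample():  # write SAMPLE_LINES as a .ready file in a temp dir, parse and summarize
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "auditlog_0001.json.ready"
        path.write_text("\n".join(SAMPLE_LINES) + "\n", encoding="utf-8")
        records, problems = parse_ready_file(path)
    return records, problems, summarize(records)
```

Run against the real directory by calling parse_ready_file on each *.ready file under /var/IBM/Guardium/data/auditlog before or after the grdapi load; a non-empty problems list means the file should not be trusted as complete.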
Restrictions