Lab guide

Configuring CAS in Guardium


Course code LDL0410X
March 2023 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties
in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All names and references for organizations and other
business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental.
All names and associated information for people in this deliverable’s scenarios are fictional. Any match with a real person is
coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a worldwide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware
vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are
trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.

© Copyright International Business Machines Corporation 2023.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Exercises
Exercise 1 Verifying the CAS agent installation
Exercise 2 Configuring CAS monitoring templates and datasources
Exercise 3 Viewing CAS results and changing a file

© Copyright IBM Corp. 2023


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercises
Configuration auditing is important to data security. Configuration changes can indicate either a
deliberate attempt to attack the database system or an accidental modification that leaves the
system vulnerable. The Configuration Auditing System (CAS) tracks changes to your server
environment. In this lesson, you learn how to use the CAS agent, including CAS templates, hosts,
reporting, and status.

Important: These exercises are presented in a virtual lab format. A virtual lab is an interactive
simulation of the original virtual machines. A virtual lab is not an actual virtual machine.
Therefore, your interaction opportunities are restricted to the exercise steps with some minor
variance. You use this lab guide, which walks you through usage and responses for the
components that are taught.

You can run the virtual lab multiple times without restriction.

In this environment, there are three systems:


• Guardium Central Manager/Aggregator Server: A Guardium server, hostname MA170. In
this lab, the central manager is the Guardium installation manager (GIM) server. You use
MA170 to verify the CAS agent is installed.
• Guardium Collector Managed Unit: A Guardium managed unit, hostname C200. You use
C200 to configure CAS monitoring templates and datasources, and to view CAS results.
• DB Server: A database, CAS agent host, and GUI server, hostname raptor. You use this to
change a file to examine how the CAS agent detects changes.

The CAS agent is installed on a database server and reports to the Guardium collector when a
monitored entity is changed, whether in content, ownership, or permissions. CAS runs totally
independently from S-TAP. A system can host a CAS agent without hosting an S-TAP agent. The CAS agent
can be installed, updated, configured, and removed by the GIM.

In this lab, you verify that the CAS agent is installed on your database server and configure it to
monitor a set of operating system and database files based on some predefined templates. Use
the following exercises to configure CAS:
• Verify the CAS agent installation
• Configure CAS monitoring templates and datasources
• View CAS results and change a file

Exercise 1 Verifying the CAS agent installation


You can use the GIM to install, configure, update, and uninstall CAS.

In this exercise, you verify that the CAS agent is installed on the database server. Since the GIM
server is the central manager, perform this exercise on the MA170 user interface.

1. On the MA170 tab, navigate to Manage > Module Installation > Setup by Client.

The Set up by Client pane opens.

2. Select raptor.example.com and click View Installed Modules.


A list of the installed modules opens.

3. In the filter field, enter cas and verify that the Statuses for CAS and BUNDLE-CAS are
INSTALLED.

4. Close the list of installed modules.

Exercise 2 Configuring CAS monitoring templates and datasources

A CAS template set contains a list of item templates that share a common purpose such as
monitoring a particular type of database.

Datasources contain information that allows Guardium CAS to connect to a database and the
hosting server.

In this exercise, you view the available templates and create a new host instance definition to
monitor the Db2 server. Since the CAS agent interacts with a collector, you perform this exercise
on the Collector (C200) user interface.
1. In the web browser, click the Collector (C200) tab.

2. Navigate to Harden > Configuration Change Control (CAS Application) > CAS
Template Set Configuration.

The CAS Configuration Navigator window opens.

Note: For each supported operating system and database type, Guardium provides
preconfigured, default template sets that can monitor various databases on either UNIX or
Windows platforms. A default template-set is one that you can use as a starting point for any new
template set you define for that template-set type. A template-set type is either an operating
system alone (UNIX or Windows), or a database management system such as Db2, Informix, and
Oracle, which you always qualify by operating system type. Examples are UNIX-Oracle and
Windows-Oracle.

You cannot modify a Guardium default template-set, but you can clone it and modify the cloned
version.

3. To view an existing template, in the List Filtering fields, select:


– OS Type: Unix
– DB Type: DB2

A filtered list opens with 3 entries.

4. To view the details of Default Unix/DB2 Template Set: UNX - DB2, select it in the list.

5. Click Edit.
The Monitored Item Template Definitions window opens.

6. Review the information that this template monitors. You see four types of items:
– SQL Queries
– OS Scripts
– Files
– File Patterns

7. When complete, scroll down and click Back.


You return to the CAS configuration navigator.

8. Go to Harden > Configuration Change Control (CAS Application) > CAS Host
Configuration.
The CAS Configuration Navigator window opens again. This time, it contains a list of database
servers. The database server raptor is listed by its IP address, 192.168.42.201.

9. To modify 192.168.42.201, select it and click Edit.

The Host Instance Definitions window opens.

For any particular CAS host, you use this page to configure one or more templates that CAS
uses to monitor your database server. You can see that a default template for the UNIX
operating system is already added for you and it is linked to a datasource. This template is
labeled UNX - N_A and is not database specific. You see that there are 101 enabled items
monitored.

10. Click Default Unix Template Set: UNX N_A.


A list of the monitored item template definitions is displayed.

11. To return to the Host Instance Definitions, click Back.

12. Click 101 (101 enabled) item(s) monitored. You see the items which are currently monitored
by the CAS agent on the database server.

13. To return to the Host Instance Definitions, scroll down and click Back.

14. Add a new host instance definition: from the Select-a-Template-Set list, select
Default UNIX/DB2 Template Set v8.0: UNX – DB2 and click Add/Select Datasource.

The Datasource Finder opens.

15. Some datasources are already created. To create a new datasource, click New.

16. To configure the datasource, enter the following information:

– Name: CAS_Lab_DB2
– Database Type: DB2
– Share Datasource: select
– Save Password: select
– Login Name: db2inst1
– Password: guardium
– Host Name/IP: 192.168.42.201
– Port: 50000
– Database Name: sample
– Schema: db2inst1
– CAS Database Instance Account: db2inst1
– CAS Database Instance Directory: /home/db2inst1

17. Scroll down and click Apply.

18. To verify that the datasource can connect, click Test Connection.
You receive a dialog with the message Test Connection was successful for this
database.

19. To close the dialog, click OK.

20. To return to the Datasource Finder page, scroll down and click Back.
Your new datasource is listed.

21. To add the datasource to the template, ensure that your new datasource is selected and click
Add.

Your new datasource and template combination is listed.

22. Your host instance definition is in a pending state and lists 0 enabled monitored items. To
display the enabled monitored items, click Refresh.
Your result should look similar to the following figure.

CAS is running, and it is monitoring your database server for changes.

Exercise 3 Viewing CAS results and changing a file

Now that CAS monitors defined items, it detects changes in these items and sends this
information to the collector, where you can view it in a report.

In this exercise, you view the CAS reports, change a file, and observe the results of changing the
file.
1. Go to Harden > Reports > CAS Changes.
A window opens with two reports: CAS Change Details and CAS Saved Data.

2. To restore the terminal window, click the application tab labeled root@raptor~.

3. Enter the touch command on one of the files that CAS monitors, and press Enter:
# touch /home/db2inst1/.bashrc

4. To restore the user interface, click the application tab labeled IBM Guardium (C200) Mozilla
Firefox.

5. To update results, click Configure runtime parameters in the CAS Change Details
report.
The Runtime Parameter Configuration window opens.

6. In Enter Value for Monitored Item, change the value from % (all items) to %bashrc% (the file you
touched) and click OK.

7. Now observe the Last_Modified column. It reflects that you touched the file.

8. Observe the sample time. In a production environment, you might need to wait up to 10
minutes to observe this change.
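
The lab states that CAS reports a change in content, ownership, or permissions, and this exercise shows touch moving only the Last_Modified value. The following is an added example, not part of the lab guide and not Guardium code, that compares before-and-after snapshots of a file and names which of those categories changed. The names Snapshot, snapshot, classify, and demo are hypothetical, and a temporary file stands in for /home/db2inst1/.bashrc.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
# Added illustration, not Guardium CAS code; the attribute set is an assumption.
@dataclass(frozen=True)
class Snapshot:
    sha256: str    # content
    uid: int       # ownership
    gid: int
    mode: str      # permission bits, octal
    mtime_ns: int  # last-modified time

def snapshot(path):
    """Record the attributes a change auditor would compare for one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return Snapshot(digest, st.st_uid, st.st_gid,
                    oct(st.st_mode & 0o7777), st.st_mtime_ns)

def classify(old, new):
    """Name every category that differs between two snapshots."""
    checks = {
        "content": old.sha256 != new.sha256,
        "ownership": (old.uid, old.gid) != (new.uid, new.gid),
        "permissions": old.mode != new.mode,
        "last_modified": old.mtime_ns != new.mtime_ns,
    }
    return {name for name, changed in checks.items() if changed}

def demo():
    """Apply three changes to a constructed stand-in for .bashrc."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".bashrc")
        with open(path, "w") as f:
            f.write("export DB2INSTANCE=db2inst1\n")  # constructed content
        os.chmod(path, 0o644)
        base = snapshot(path)
        later = base.mtime_ns + 1_000_000_000
        os.utime(path, ns=(later, later))  # what touch does: timestamps only
        results["touch"] = classify(base, snapshot(path))
        base = snapshot(path)
        os.chmod(path, 0o666)  # world-writable: a permissions change
        results["chmod"] = classify(base, snapshot(path))
        base = snapshot(path)
        with open(path, "a") as f:
            f.write("alias ll='ls -l'\n")  # real edit: the hash changes
        results["edit"] = classify(base, snapshot(path))
    return results

if __name__ == "__main__":
    print(demo())
```

A timestamp-only result, as with the touch in step 3, means the file content is byte-for-byte unchanged, whereas a content or permissions result is the kind of change that warrants review.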

This concludes the exercises.
