
GUARDIUM DATA PROTECTION INTEGRATION ADMIN GUIDE

IBM SECURITY DISCOVER AND CLASSIFY

VERSION 3.10.0
GUARDIUM DATA PROTECTION INTEGRATION ADMIN GUIDE 2

TABLE OF CONTENTS

Table of Contents 2
IBM Security Guardium Data Protection Integration 3
Chapter 1: Guardium Data Protection Installation 4
Prerequisites 4
Installation Instructions 4
Chapter 2: Guardium Data Protection Configuration 8
Chapter 4: Guardium Data Protection Usage 9
Guardium Data Protection Data Source Sync 9
Prerequisites 9
Workflow 9
Guardium Groups and Policies Sync 9
Prerequisites 9
Workflow 9
Reporting 9
Prerequisites 9
Workflow 10
API endpoints usage 17
Get import_repositories_data Task Status 17
Import Data Sources Data to ISDC 17
Get Data Sources Data from Database 18

IBM Security Discover and Classify 4.0.0



IBM SECURITY GUARDIUM DATA PROTECTION INTEGRATION


IBM Security Guardium Data Protection supports a zero trust approach to security. It discovers and
classifies sensitive data from across the enterprise, providing real-time data activity monitoring and
advanced user behavior analytics to help discover unusual activity around sensitive data.
Within the scope of the ISDC for GDP project, the goal is to pull and push data between Guardium and
ISDC and to provide context around the data source inventory in the ISDC platform.
This project extends the original ISDC capabilities and the public APIs of the product to:
1. Import GDP data sources into ISDC for further scanning.
2. Automate group and policy creation based on ISDC discovery results.
3. Aggregate data source discovery and vulnerability scan results and send them to ISDC for reporting.
The application can be deployed both on the ISDC system and externally. We recommend using the docker
deployment procedure, which requires the .env.compose config file for the ISDC connection properties. A
specific set of rarely changed properties is defined in the docker-compose.yml file. The API listens on
port 5005 by default, but the port can be changed in the compose file.


CHAPTER 1: GUARDIUM DATA PROTECTION INSTALLATION


PREREQUISITES
1. DC-Engine installed: version 3.8.x+.
2. Log in at least once to update the user password, or create a user with access to the data source catalog.
3. Add kong routes for the integration:
3.1. Edit the kong-configuration configmap:

kubectl -n <yournamespace> edit cm kong-configuration

3.2. Add a new route under the services section. Pay attention to spacing: Helm accepts only spaces, so
replace any tabs with spaces:

- name: guardium-data-protection
  url: http://guardium-data-protection-app:8000
  plugins:
  routes:
    - name: guardium-data-protection
      paths:
        - /integration/guardium-data-protection/*

3.3. Save the changes and restart kong:

kubectl -n <yournamespace> delete pod kong-<pod id>

INSTALLATION INSTRUCTIONS
1. For an ISO deployment, copy the installation tar into the /home/admin directory or download it from the storage.

cp /opt/install/guardium-data-protection-0.0.1.tgz /home/admin/

2. Extract the archive using tar:

tar xvf guardium-data-protection-0.0.1.tgz

3. Change directory to guardium-data-protection chart data.

cd guardium-data-protection

4. Create a values file or edit values-test.yaml and add/edit the content below:

guardium-data-protection-app:
  global:
    imageRegistry: "repo-docker.1touch.io"
    appType: "subscription-plane-plane"
    imagePullSecrets: [cm-docker-registry, control-plane-docker-registry]
    kafka:
      connectionCm: "cm-kafka-configuration"
      credsSecretName: "kafka-cm-user"
      tlsSecretName: "cm-cluster-ca-cert"
    postgres:
      connectionCm: "cm-postgres-configuration"
      rootCredsSecret: "cm-postgres"
  image:
    repository: "integrations/guardium-data-protection"
    tag: "0.0.2-18-g55994c17-mr"
    pullPolicy: IfNotPresent
  initContainers:
    - name: init-db
      image:
        repository: "integrations/guardium-data-protection-init"
        tag: "0.0.2-18-g55994c17-mr"
        pullPolicy: IfNotPresent
  env:
    INVENTA_IP: <isdc_hostname>
    INVENTA_LOGIN: <username>
    INVENTA_PASSWORD: <password>
    ITERATION: 1
    REDIS_URL: "redis://int-redis-master.<k8s-namespace>.svc.cluster.local:6379"
    POSTGRES_SCHEMA: guardium_data_protection
    POSTGRES_DB: guardium_data_protection
    POSTGRES_DB_NAME: guardium_data_protection
    POSTGRES_POOL_MAX_CONN: 3
    TASK_ENABLE: True
    TASK_DELAY_IN_SECONDS: 3600
    GUARDIUM_HOST: "10.192.191.43"
    GUARDIUM_PORT: 8443
    GUARDIUM_CLI_PASSWORD: guardium
    GUARDIUM_CLIENT_ID: integration
    GUARDIUM_CLIENT_SECRET: "06fae4c7-7b47-487d-b7c1-2c5e46d7d705"
    GUARDIUM_USERNAME: admin
    GUARDIUM_PASSWORD: guardium
    GUARDIUM_SCHEME: "https"
    APPLIANCEID: "7708f98b-77ad-437c-a832-492cbce74819"

5. Install the helm chart:

helm -n <yournamespace> upgrade --install guardium-data-protection . --values values-test.yaml

6. Confirm the chart has been installed successfully:

[root@docker-desktop deploy]# kubectl -n yournamespace get pods guardium-data-protection-app-85f5595678-4xk8l
NAME                                            READY   STATUS    RESTARTS   AGE
guardium-data-protection-app-85f5595678-4xk8l   1/1     Running   0          32m

7. In your browser, open the link below:

https://<cm_hostname>/integration/guardium-data-protection/docs

8. You will be redirected to the swagger documentation site:

Figure 1: Swagger documentation site

9. Expand and run the endpoint below. Confirm it reports connectivity to the database and SFTP storage:
Endpoint:

/connection_statuses

Sample response:

{
  "database_connection_status": "Connected"
}

10. Run the endpoint below. Confirm that the repositories from GDP come through into ISDC:
Endpoint:

/get_repositories_data

11. Click Download File and confirm it contains data:


Figure 2: Getting data source data


CHAPTER 2: GUARDIUM DATA PROTECTION CONFIGURATION


Application configuration

DEBUG=false -- Debug mode
APP_PORT=8000 -- App port
APP_HOST=0.0.0.0 -- Application hostname
CSV_FILES_DIR=csv_files -- Directory where CSV files are written. Leave as is.
ENV=dev -- Leave as is.
CLIENT=guardium -- Leave as is.
TASK_ENABLE=True -- Enable/disable the task that stores reports in SMB/SFTP storage
TASK_DELAY_IN_HOURS=3600 -- Delay between task starts

ISDC configuration

INVENTA_IP=10.192.192.28 -- Product IP address
KEYCLOAK_PORT=8080 -- Keycloak admin service port
INVENTA_LOGIN=admin -- Product user login
INVENTA_PASSWORD=admin -- Product user password

SFTP/SMB configuration

STORAGE_TYPE=sftp -- Storage protocol (sftp or smb)
STORAGE_URL=192.168.0.173
STORAGE_USERNAME=storage_user
STORAGE_PASSWORD=user_pass
STORAGE_DIR=reports_share

PostgreSQL connection configuration

POSTGRES_PASSWORD=topology_user -- PostgreSQL password
POSTGRES_USER=topology_user -- PostgreSQL username
POSTGRES_DB=topology_db -- PostgreSQL DB name
POSTGRES_PORT=5433 -- PostgreSQL port
POSTGRES_HOST=integration_postgres -- PostgreSQL hostname. Leave as is.
POSTGRES_POOL_MAX_CONN=3 -- Max open connections allowed in the pool. Leave as is.

Guardium configuration

GUARDIUM_URL=guardium_url
GUARDIUM_CLIENT_ID=guardium_client_id
GUARDIUM_CLIENT_SECRET=guardium_client_secret
GUARDIUM_USERNAME=guardium_user
GUARDIUM_PASSWORD=guardium_pass

Redis connection configuration

REDIS_URL=redis://127.0.0.1:6379
REDIS_POOL_MAX_CONN=10
WR_REDIS_QUEUE_DB=1
WR_REDIS_TIMEOUT=5
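As an added example (not part of the guide or the integration's own code), the Python check below parses a config file written in the KEY=VALUE -- description layout shown above and reports what a reviewer would want caught before deployment: Guardium keys that are missing or still hold the guide's placeholder values, an unsupported STORAGE_TYPE, a non-numeric task delay, and the sample admin/admin ISDC pair. The required-key list, the admin/admin rule and the sample file are this example's own assumptions.

```python
import re
from typing import Dict, List

# Keys from the guide's Guardium section; the placeholders are the literal example values it prints.
REQUIRED_GUARDIUM_KEYS = ["GUARDIUM_URL", "GUARDIUM_CLIENT_ID", "GUARDIUM_CLIENT_SECRET",
                          "GUARDIUM_USERNAME", "GUARDIUM_PASSWORD"]
PLACEHOLDERS = {"guardium_url", "guardium_client_id", "guardium_client_secret",
                "guardium_user", "guardium_pass"}
LINE_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*(?:--.*)?$")

def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; a trailing '-- description' is dropped, other lines ignored."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            env[match.group(1)] = match.group(2)
    return env

def check_config(env: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the file passes."""
    problems: List[str] = []
    for key in REQUIRED_GUARDIUM_KEYS:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif value in PLACEHOLDERS:
            problems.append(f"{key} still holds the placeholder '{value}'")
    if env.get("STORAGE_TYPE", "sftp") not in ("sftp", "smb"):
        problems.append("STORAGE_TYPE must be sftp or smb")
    delay = env.get("TASK_DELAY_IN_HOURS", "")
    if env.get("TASK_ENABLE", "").lower() == "true" and not delay.isdigit():
        problems.append("TASK_ENABLE is True but TASK_DELAY_IN_HOURS is not a whole number")
    if (env.get("INVENTA_LOGIN"), env.get("INVENTA_PASSWORD")) == ("admin", "admin"):
        problems.append("INVENTA_LOGIN/INVENTA_PASSWORD are the default admin/admin pair")  # assumed policy
    return problems

# Constructed sample file in the guide's layout, with two Guardium keys left unfinished.
SAMPLE_ENV = """\
TASK_ENABLE=True -- Enable/disable the task
TASK_DELAY_IN_HOURS=3600 -- Delay between task starts
INVENTA_LOGIN=admin -- Product user login
INVENTA_PASSWORD=admin -- Product user password
STORAGE_TYPE=sftp -- Storage protocol
GUARDIUM_URL=https://gdp.example.internal:8443
GUARDIUM_CLIENT_ID=integration
GUARDIUM_CLIENT_SECRET=guardium_client_secret
GUARDIUM_USERNAME=admin
"""
```

Running check_config(parse_env(SAMPLE_ENV)) reports the placeholder client secret, the missing GUARDIUM_PASSWORD and the admin/admin pair.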


CHAPTER 4: GUARDIUM DATA PROTECTION USAGE


GUARDIUM DATA PROTECTION DATA SOURCE SYNC

PREREQUISITES
The TASK_ENABLED property is set to True.

WORKFLOW
The process is automated: it is triggered on app startup and re-synced once an hour by default, as
controlled by the TASK_DELAY_IN_HOURS parameter.
The process can also be triggered manually using the Integration API. It checks which data sources are
supported by ISDC and imports them into ISDC via the Kafka API connection. Credentials are not imported, so
after a data source is created its credentials have to be set separately.

GUARDIUM GROUPS AND POLICIES SYNC

PREREQUISITES
The properties listed below control the groups created based on ISDC discovery results. If a group with
that name already exists it is updated; otherwise it is created.

DB_VENDOR_GROUP_NAME=Inventa_db_vendor
HOST_GROUP_NAME=Inventa_hosts
DB_GROUP_NAME=Inventa_db_name
TABLENAME_GROUP_NAME=Inventa_db_tablename

WORKFLOW
The process is automated: it is triggered on app startup and re-synced once an hour by default, as
controlled by the TASK_DELAY_IN_HOURS parameter. In future versions it will be controlled via the API.
Policies are installed based on the policy templates from Guardium Data Protection. The integration
automatically assigns the required groups to those policies, which ensures that the data imported into the
ISDC-related groups is monitored.

REPORTING

PREREQUISITES
Table 1: Prerequisites for security dashboard

PREREQUISITE: GDP instance up and running
DESCRIPTION: Preconfigured OAuth2 app in Guardium CLI. See instructions in the Guardium documentation.
Parameters to be shared with 1touch for integration:
• clientID
• clientSecret
• username/password of a user with admin permissions (Guardium Data Protection web UI)

PREREQUISITE: Integration with ISDC
DESCRIPTION: Connecting GDP to ISDC requires setting up an extension, which is a set of Python containers
orchestrated by docker-compose. The extension takes one config file as input. The config file contains
mostly predefined values, but the user has to specify the Guardium connection details (OAuth2 details,
credentials), the ISDC Kafka configuration (host, port, security protocol, etc.) and the app configs
(schedule, etc.).

PREREQUISITE: Enabled and configured reporting functionality
DESCRIPTION: The report is an XML file generated manually with the GDP Security Assessment functionality.
You can configure an assessment that contains many or all of the CVEs GDP knows about. After running it,
a user can click View Results, export those results as XML and upload the XML to the Integration Extension
API. This generates a DPS topic message containing the aggregated assessment results and all the
information on the data source, including whether there are policies or an S-TAP associated with it.
To transfer information on data sources from GDP to ISDC:
1. On the GDP side, configure and export an XML report on data sources.
2. In the integration API UI, upload the XML report and execute POST /parse_xml_report.

PREREQUISITE: Data source analysis by ISDC
DESCRIPTION: Run the data source analysis in the ISDC Data Source Catalog (CM > Inventory > Data source
catalog).

WORKFLOW
1. Log into IBM GDP. Go to Harden > Vulnerability Assessment > Assessment Builder.

Figure 2: Assessment builder


2. Create a new assessment.


Figure 3: Assessment creation


3. In Security Assessment Builder, enter the new assessment description. Then click Add Datasource or
Add Datasource Group.

Figure 4: Adding data sources


4. In the Datasource Finder, add the data sources that must be assessed and later exported into ISDC
dashboards.


Figure 5: Data source finder


You can add all available datasources in bulk by clicking Add Datasource Group.

5. Once all datasources are added, click Apply.

Figure 6: Applying data sources


6. After applying the assessment, click Configure Tests.


Figure 7: Configuring tests


7. In the Assessment Test Selections, configure tests to be run against the selected datasources.

Figure 8: Assessment test selections


8. Return to Security Assessment Finder, select your assessment from the list and run the tests by clicking
Run Once Now.


Figure 9: Running tests


9. After running the tests, click View Results.

Figure 10: Viewing test results


10. A popup with assessment results will open. These results in XML format must be imported to ISDC
Dashboards. Click Download XML and select Export as AXIS/SCAP xml. The file will be downloaded
according to your browser settings.


Figure 11: Report export


11. On the host machine where the app is deployed, execute the command below:

docker exec -it guardium_repositories_import_web_api make token

The output of this command is the token used to authorize requests to the Integration API endpoint. Sample output:

python manage.py create-token
eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE2NjAyMDc0MTMsImlzcyI6Imd1YXJkaXVtLXJlcG9zaXRvcmllcy1pbXBvcnQtYXBwIiwianRpIjoiM2FmNDlmNmEtYzMyNy00ODQzLTk1YmQtMDU0ODNmYTA1OTQzIn0.o1A90T8Y41S2olnmRIrYsVS9ECSsvgop0h6H1z-43Et8fo7HzZmSJMa0JiLKCHeaCx3RP3VJxLla6Nk8pgcrtA

12. Open the Integration API endpoint via the link: https://hostname:5005/docs.

Figure 12: Integration API endpoint


13. Click the Authorize button at the top right and paste the token you generated in the shell. Then click
Authorize.

Figure 13: Authorization


14. Find the Parse XML request report and click Try it now.

Figure 14: Report parsing


15. Upload the XML report file by clicking Choose file and then Execute.

Figure 15: Report upload


16. After the request completes, you will see the JSON representation of the XML report. The data has been
sent to ISDC Kafka.

Figure 16: JSON representation of XML report

API ENDPOINTS USAGE

GET IMPORT_REPOSITORIES_DATA TASK STATUS

curl -X 'GET' \
  'http://127.0.0.1:5005/import_repositories_data' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <jwt_token>'

Request URL

http://127.0.0.1:5005/import_repositories_data

Response
Response body:

{
"success": true,
"task_state": "done"
}

IMPORT DATA SOURCES DATA TO ISDC

curl -X 'POST' \
  'http://127.0.0.1:5005/import_repositories_data' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <jwt_token>'

Request URL

http://127.0.0.1:5005/import_repositories_data

Response
Response body:

{
"success": true,
"task_state": "in progress"
}

GET DATA SOURCES DATA FROM DATABASE

curl -X 'GET' \
  'http://127.0.0.1:5005/get_repositories_data' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <jwt_token>'

Request URL

http://127.0.0.1:5005/get_repositories_data
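The POST-then-poll exchange documented above, as an added Python client (not the integration's own code): it starts the import with the same Bearer header the curl examples use, then polls GET /import_repositories_data until task_state reaches "done". Only "in progress" and "done" are documented, so any other state is treated as an error (an assumption); the transport is injectable so the logic runs without a live API, and a standard-library urllib transport is supplied for real use.

```python
import json
import time
import urllib.request
from typing import Callable, Dict

BASE_URL = "http://127.0.0.1:5005"   # the address used in the guide's curl examples
IMPORT_PATH = "/import_repositories_data"
# A transport takes (method, url, headers) and returns the decoded JSON body.
# It is injected so the polling logic can be exercised without a live API.
Transport = Callable[[str, str, Dict[str, str]], dict]

def auth_headers(jwt_token: str) -> Dict[str, str]:
    """The two headers the guide's curl examples send on every call."""
    return {"accept": "application/json", "Authorization": f"Bearer {jwt_token}"}

def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> dict:
    """Real transport on the standard library only; used when none is injected."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def run_import(jwt_token: str, transport: Transport = urllib_transport,
               poll_interval: float = 5.0, max_polls: int = 60) -> int:
    """POST to start the import, then GET its status until task_state is 'done'.
    Returns how many status polls were needed; raises if the POST is rejected,
    on a state other than the documented 'in progress'/'done', or on timeout."""
    url = BASE_URL + IMPORT_PATH
    headers = auth_headers(jwt_token)
    started = transport("POST", url, headers)
    if not started.get("success"):
        raise RuntimeError(f"import request rejected: {started}")
    for polls in range(1, max_polls + 1):
        status = transport("GET", url, headers)
        state = status.get("task_state")
        if status.get("success") and state == "done":
            return polls
        if state != "in progress":          # assumption: anything else is a failure
            raise RuntimeError(f"unexpected import status: {status}")
        time.sleep(poll_interval)
    raise TimeoutError(f"import still in progress after {max_polls} polls")
```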

IBM, the IBM logo, and IBM Security Discover and Classify are trademarks or registered
trademarks of International Business Machines Corporation, in the United States and/or
other countries. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on ibm.com/trademark.
