Accessmgr account unlock / reset

Log in to the CLI and run the following command: support reset-password accessmgr <N>|random
Use either <N> or random, where <N> is a number in the range 10000000 – 99999999 and random automatically generates a number in that range. Open a PMR with IBM Guardium support and send the following output.
G10.ibm.com> support reset-password accessmgr random
Password for accessmgr account have been successfully reset using keyword:<passkey>
Please provide these number to Guardium Customer Service to receive actual account password.
ok

After you receive the new password, unlock the account.

  1. Use the following command to unlock the account: unlock accessmgr
  2. Log in as accessmgr and edit the accessmgr details to enter a temporary password.
  3. Log in again with the temporary password.
  4. When you are prompted, enter a new password.
Unlock
login as: cli
Pre-authentication banner message from server:
IBM Guardium, Command Line Interface (CLI)
End of banner message from server
[email protected]'s password:
Last login: Fri Nov  1 01:30:01 2019
Welcome cli - your last login was Wed Sep 11 01:30:03 2019
Your password has expired.
Changing password for 'cli'.
Enter current password:
Enter new password:
Re-enter new password:
51sec-igcm01.itprosec.org> unlock accessmgr
ok
51sec-igcm01.itprosec.org>

Query Builder

Key Concepts:

  • Domain –  a set of tables that is linked based on the purpose or function of the information in those tables
    • Access Domain – Tables related to access of data on a monitored database
    • Policy Violation domain – Tables related to policy violation events as defined by the policy
    • Aggregation/Archive Domain – Tables related to aggregation processes running on the appliance
  • Entity – a label for one table within a domain
  • Attributes – one field within an entity
  • Main Entity – the entity that is the focus of the query. There will be one row in the report for each row in the table corresponding to the main entity.

    Tips for creating a useful Query:

    • “Access Rule Description” attribute
      • Full SQL Entity -> Access Rule Description
      • Policy violations Domain -> Policy Rule Violation Entity -> Access Rule Description
    • “Session Ignored” attribute 
      • Session Entity -> Session Ignored
    • Export to CSV and filter from there
      • useful with many results
    • Predefined queries
      • Search in the main entity for predefined queries
      • Clone existing queries

    Troubleshooting Commands

    itprosec-tor-igcm01.51sec.org> support show db-top-tables all
     Table Size (M) | I/D % |  Unused(M) | Est. Rows | Name
     -------------- | ----- |  --------- | --------- | ----------
              17431 |     5 |          0 |  28875494 | MESSAGE_TEXT
              10399 |    22 |          0 |  28875459 | GDM_POLICY_VIOLATIONS_LOG
               9520 |    32 |          0 |  34402643 | GDM_CONSTRUCT_TEXT
               4169 |    56 |          0 |  28875476 | MESSAGE
                682 |    87 |         65 |   2523707 | GDM_FIELD
                564 |   140 |          0 |   2284882 | GDM_CONSTRUCT_INSTANCE
                248 |    57 |          0 |    678447 | GDM_SESSION
                166 |   162 |          9 |    495964 | GDM_OBJECT
                145 |    40 |          0 |    512957 | GDM_EXCEPTION
                125 |    17 |         18 |    231925 | GDM_CONSTRUCT
                114 |    59 |         12 |    648703 | GDM_SENTENCE
                 55 |    48 |          0 |    491064 | GDM_APP_EVENT
                 34 |     0 |          6 |      1825 | TEST_RESULT
                 24 |   116 |          0 |    187677 | MASTER_GROUP_MEMBERS
                 19 |     0 |          0 |    104519 | DB_MAINT_LOG
                 16 |    70 |          0 |    179925 | MEMBERS_REFERENCE
                 14 |     6 |          4 |     11984 | REPORT_RESULT_DATA_ROW
                  9 |    19 |          0 |     65494 | DB_ERROR_TEXT
                  9 |    63 |          2 |     78140 | GROUP_MEMBER
                  7 |     0 |          4 |     20288 | SNIFFER_BUFFER_USAGE
    
     No tables with more than 80% of free space used found.
    ok
    
    
    igcm01.51sec.org> stop system
    Are you sure you want to stop the system (y/n)?
    Stopping system
    
    
    

    com db-stat
    com db-top
    com restart
    com free

    To restart the inspection engine: restart inspection-core
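
For the DB utilization check, the `support show db-top-tables all` output above can be saved to a file and ranked offline. The following is an added example, not part of the original post or of Guardium itself; the sample rows are copied from the output above, and the 10% unused-space threshold is an assumption chosen for illustration.

```python
import re

# Constructed sample: a few rows copied from the db-top-tables output shown above.
SAMPLE = """\
 Table Size (M) | I/D % |  Unused(M) | Est. Rows | Name
 -------------- | ----- |  --------- | --------- | ----------
          17431 |     5 |          0 |  28875494 | MESSAGE_TEXT
          10399 |    22 |          0 |  28875459 | GDM_POLICY_VIOLATIONS_LOG
            682 |    87 |         65 |   2523707 | GDM_FIELD
            125 |    17 |         18 |    231925 | GDM_CONSTRUCT

 No tables with more than 80% of free space used found.
ok
"""

# Four numeric columns followed by the table name, separated by '|'.
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*$")

def parse_top_tables(text):
    """Return one dict per data row; header, separator and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            size, id_pct, unused, est_rows = map(int, m.groups()[:4])
            rows.append({"name": m.group(5), "size_mb": size, "id_pct": id_pct,
                         "unused_mb": unused, "est_rows": est_rows})
    return rows

def summarize(rows, unused_ratio=0.10):
    """Rank tables by size, add each table's share of the listed total, and flag
    tables whose Unused(M) exceeds unused_ratio of their size (assumed threshold)."""
    total = sum(r["size_mb"] for r in rows) or 1
    report = []
    for r in sorted(rows, key=lambda r: r["size_mb"], reverse=True):
        share = round(100.0 * r["size_mb"] / total, 1)
        flagged = r["unused_mb"] > unused_ratio * r["size_mb"]
        report.append((r["name"], r["size_mb"], share, flagged))
    return report

if __name__ == "__main__":
    for name, size, share, flagged in summarize(parse_top_tables(SAMPLE)):
        note = "  <- high unused space" if flagged else ""
        print(f"{name:28} {size:>7} MB {share:>5}%{note}")
```

Comparing the ranked output between health checks shows which tables are driving growth in appliance DB utilization.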

    Health Check

    Check the Activity Report in custom report to make sure there are recent db activities. (Collector)

    Check Deployment Health Table (Aggregator)

    Check IBM Guardium Appliance DB Utilization / Hard Drive Space. (Both Collector and Aggregator)

    Check STAP Status (Collector)

    Check GIM Status – GIM Processes Monitor (Aggregator)

    Check Archive Status from Logs
    On Collector:

    On Aggregator:

    Check Scheduled Jobs:
    On Aggregator:

    On Collector:

    Check Buff Usage Monitor

    Pay attention to Flat log requests. It should be a steady number. It can be cleaned by running restart inspection-core, which restarts the inspection engine.


    By Jonny
