Guardium Component Services

Identify Guardium components and the locations from which they are taken in a central management environment.

A unit that is configured as the Central Manager can be used to monitor and control other Guardium units, which are referred to as managed units. Units that are not managed by a Central Manager are referred to as stand-alone units.

Table 1. Guardium Component Services
Component Description
Users, Roles and Permissions

The Central Manager controls the definition of users, roles, groups and datamart tables for all managed systems. It exports the complete set of user, security role, group, and datamart table definitions on a scheduled basis or on demand, and the managed units update their internal databases from that export once an hour. As a result, there can be a delay of up to an hour between the time users, roles, permissions or datamart tables are added or modified on the Central Manager and the time that a managed unit applies those updates.

Note: If Guardium® users or security roles are defined on an existing stand-alone unit that is about to be registered for central management, those definitions will not be available after the unit is registered unless the same users and security roles have also been defined on the Central Manager. Users and security roles cannot be administered on a managed unit; they can be administered only when logged on to the Central Manager. When a unit is unregistered from central management, all added users and security roles are removed, leaving only the default users (admin and accessmgr). When installing an Accelerator add-in product (PCI, SOX, etc.) in a Central Manager environment, install it first on the Central Manager and then on the managed unit, and add any roles and users the Accelerator requires on the Central Manager, from where they are synchronized to the managed unit. Accelerator documentation is contained within the Accelerator module; an overview of the PCI Accelerator follows at the end of this Component Services table.
Aliases and Groups

Several processes generate aliases or groups automatically, for example importing user groups from LDAP, generating groups or aliases from queries, and the classifier. If the same group or alias is generated automatically on more than one unit managed by the same Central Manager, the generated definition might conflict with a group or alias that already exists on the Central Manager. In that case the existing group or alias is not replaced.

Audit Processes

The definition of the Audit Process itself and all of its tasks are saved on the Central Manager and are available to all managed units. Schedules, Results, and To-Do lists, however, are saved on the local machine. This means that the same Audit Process tasks can be run on all Managed Units and on the Central Manager, but at different times on different machines, which is useful when the Managed Units have different peak load periods. Each machine has its own set of results, based on the data that machine has collected, and its own set of To-Do lists for all users. Audit Process definitions are exported from the Central Manager to the managed units as part of the user synchronization process (see Synchronizing Portal User Accounts). When audit process results have been produced they are available to users immediately, but on managed units there can be a delay of up to an hour before reports or monitors such as Outstanding Audit Process Reviews are updated.

Queries

Each query retrieves data from a single machine only. A query that needs information from both Central Manager definitions and Managed Unit data returns no data or incomplete data.

Policies

Policy definitions are saved on the Central Manager. When you install a policy on a Managed Unit, however, a local copy is made and saved on the Managed Unit, so that the Managed Unit can continue to monitor database activity and enforce the policy even when the Central Manager is unavailable for any reason.

Note: Installing a policy on a managed unit does not upload that policy to the Central Manager until Refresh is clicked on the Central Manager. The Central Manager and the Managed Unit must be on the same version when a policy is installed; otherwise the policy does not install and errors are generated.
Reports

Report definitions are saved on the Central Manager.

When Regenerate Portlet is invoked on a Central Manager, the Central Manager also sends a management (HTTPS) request containing the report ID to all managed units so that each of them regenerates the portlet. When Regenerate is invoked on a managed unit from the screen (that is, not in response to a management request), the managed unit sends a management request to the Central Manager to refresh the portlet, and the Central Manager in turn sends the request to all units. Management requests are persisted so that they can still be delivered to a unit that is down; see the sections within this topic on registration and policy installation.
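The request flow just described, with the delivery guarantee for a unit that is down and the version check applied to policy installation, as an added illustrative model. This is not Guardium code and does not claim to reproduce Guardium internals; the class, method and field names and all sample values (unit names, report IDs, release strings) are assumptions chosen for the illustration.

```python
"""Illustrative model of management requests between a Central Manager and
its managed units (added example, not Guardium code).

Behaviour modelled: Regenerate Portlet on the manager fans out to all managed
units; a regenerate started from a managed unit's screen is forwarded to the
manager, which fans it out (including back to the originating unit); requests
for a unit that is down are persisted until the unit is reachable; a policy
is installed only when the unit's version matches the manager's.
Names and sample values are assumptions made for this illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtRequest:
    kind: str      # "regenerate_portlet" or "install_policy" (assumed names)
    payload: str   # report ID or policy name
    origin: str    # unit that initiated the request


class ManagedUnit:
    def __init__(self, name, version):
        self.name = name
        self.version = version
        self.manager = None
        self.online = True
        self.applied = []     # management requests applied, in order

    def apply(self, req):
        """Handle a request arriving over the management (HTTPS) channel.
        A request received this way is applied locally and never forwarded,
        which keeps a regenerate from looping between manager and units."""
        if not self.online:
            raise ConnectionError(f"{self.name} is down")
        self.applied.append(req)

    def regenerate_from_screen(self, report_id):
        """Regenerate clicked in this unit's own UI: forward to the manager
        rather than handling it locally, so every unit regenerates."""
        self.manager.regenerate_portlet(report_id, origin=self.name)


class CentralManager:
    def __init__(self, version):
        self.version = version
        self.units = {}
        self.pending = {}     # unit name -> deque of undelivered requests
        self.applied = []

    def register(self, unit):
        unit.manager = self
        self.units[unit.name] = unit
        self.pending[unit.name] = deque()

    def _send(self, unit, req):
        """Deliver now if possible; otherwise persist for later delivery."""
        try:
            unit.apply(req)
        except ConnectionError:
            self.pending[unit.name].append(req)

    def regenerate_portlet(self, report_id, origin="manager"):
        req = MgmtRequest("regenerate_portlet", report_id, origin)
        self.applied.append(req)          # the manager's own portlet first
        for unit in self.units.values():
            self._send(unit, req)

    def install_policy(self, unit_name, policy):
        unit = self.units[unit_name]
        if unit.version != self.version:  # same-version rule from the note
            raise ValueError(
                f"cannot install {policy!r} on {unit_name}: unit version "
                f"{unit.version} differs from manager version {self.version}")
        self._send(unit, MgmtRequest("install_policy", policy, "manager"))

    def flush(self, unit_name):
        """Retry queued requests for a unit that has come back up, in their
        original order. Returns the number still undelivered."""
        unit = self.units[unit_name]
        queue = self.pending[unit_name]
        while queue and unit.online:
            unit.apply(queue[0])
            queue.popleft()
        return len(queue)


if __name__ == "__main__":
    # Constructed sample topology: two collectors on the manager's release
    # and one that lags behind.
    cm = CentralManager("release-2")
    a, b, c = (ManagedUnit("collector-a", "release-2"),
               ManagedUnit("collector-b", "release-2"),
               ManagedUnit("collector-c", "release-1"))
    for u in (a, b, c):
        cm.register(u)
    b.online = False
    cm.regenerate_portlet("report-20010")     # queued for collector-b
    b.online = True
    print("still pending for collector-b:", cm.flush("collector-b"))
    a.regenerate_from_screen("report-20011")  # fans out via the manager
    try:
        cm.install_policy("collector-c", "cardholder-data-policy")
    except ValueError as err:
        print(err)
```

The point to take from the model is the asymmetry: a unit applies requests it receives from the manager but forwards only requests that originate in its own UI, and the manager is the only place that queues undelivered requests, which is why a unit that was down catches up only after the manager retries.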

From the Central Manager, reports and audit processes can use data from a managed unit, but not from managed aggregators. The managed unit is selected as a run-time parameter, is referred to as a remote datasource, and is presented as a filtered drop-down list containing only managed units. An audit process that references a remote datasource can be run from the Central Manager only, so it does not appear in the list of audit processes displayed on a managed unit.

Note: Certain reports in the Sniffer Buffer Usage domain (for example, Request Rate, CPU Usage, Buffer Usage Monitor) do not display any data when run on a Central Manager; the reports are empty.
Security Assessment

Like the Audit Process, the definition of the Security Assessment itself is saved to the Central Manager. But the results are saved on the local machine. This means that the same Security Assessment can be run on all Managed Units, plus the Central Manager.

Comments

Comments can be saved on either the local machine or the Central Manager, depending on what the comment is associated with. If the Comment is associated with a definition that resides on the Central Manager, then it is also saved on the Central Manager. If the Comment is associated with a Result on the local machine, OR something specific to a Managed Unit (like an Inspection Engine), the Comment is also saved on the local machine.

Schedules

Schedules are always saved on the local machine, even when the definition is saved on the Central Manager.

Non-Central Manager Tasks

When a server is configured as a Central Manager, be aware that some tasks cannot be performed on that unit and must instead be performed on other (non-Central Manager) units. Inspection engines cannot be defined on the Central Manager; they can be created only on the Managed Units, although they can be viewed from the Central Manager.

Upgrade Considerations

It is recommended that the Central Manager and its managed units run the same version. Upgrade the Central Manager first, then the managed units. A manager on a different version than its managed units should be a temporary state, and it is highly recommended to upgrade all managed units to the manager's version. After upgrading, run Sync (Refresh) on all managed units so that they register the software version they are now running.
PCI Accelerator for Compliance

The PCI Data Security Standard consists of twelve basic requirements. Many of the requirements focus on protecting the physical and network infrastructure (for instance, Requirement 1: Install and maintain a firewall configuration to protect cardholder data) or on implementing procedural best practices (for instance, Requirement 5: Use and regularly update anti-virus software). Particular emphasis, however, is placed on real-time monitoring and tracking of access to cardholder data and on continuous assessment of database security health (for instance, Requirement 10: Track and monitor all access to network resources and cardholder data).

Guardium's PCI Accelerator for Database Compliance is tailored to simplify the organizational processes needed to support these monitoring and tracking mandates and to secure cardholder data. The Accelerator report templates can be customized to reflect specific organizational and regulatory requirements directly. You can access these templates using the tabs that are provided:
  • PCI Data Security Standard overview
  • Plan and Organize
  • PCI Req. 10: Track and Monitor Access
  • PCI Req. 11: Regularly Test and Validate
  • PCI Policy Violations Monitoring
Other tools in the Guardium family of solutions that help meet these regulations include the following:
  • PCI Compliance Report Card - A detailed view of the access-security health of cardholder databases, used to automate the compliance process with continuous real-time snapshots customized for user-defined tests, weights, and assessments. The Report Card can be generated using a security assessment.
  • Full Audit Trail - The non-intrusive generation of a full audit trail for data usage and modifications that are required by regulatory compliance.
  • Automated Scheduling - Automated scheduling of PCI work flows, audit tasks, and dissemination of information to responsible parties across the organization.

The following table can help identify which components are taken from which location in a central management environment.

Table 2. Components and Location in Central Manager Environment

Central Manager                 Managed Unit
Users                           System Configuration
Security Roles                  Inspection Engines
Application Role Permissions    Alerter (configuration)
Queries                         Anomaly Detection
Reports                         Session Inference
Time Periods                    IP-to-Hostname Aliasing
Alerts                          System Backup
Security Assessments            Aggregation / Archiving
Audit Process Definitions       Custom Alerting
Privacy Sets                    Custom Identification Procedures
Policies                        Exported csv Output
Groups                          Schedules
Aliases                         DB Auto-discovery Configurations
                                Audit Process Results

Users, Security Roles, Audit Process Definitions, and Groups are exported from the Central Manager to all managed units on a scheduled basis, as described later.

From the Central Manager, the administrator can:

  • Register Guardium units for management
  • Monitor managed units (unit availability, inspection engine status, etc.)
  • View system log files (syslogs) of managed units
  • View reports using data on managed units
  • View main statistics for managed units
  • Install Guardium security policies on managed units
  • Restart managed units
  • Manage Guardium inspection engines on managed units
  • Maintain the complete set of Users, Security Roles, Groups, and Application Role Permissions that are used on all managed systems
  • Distribute patches
  • Distribute uploaded JAR files
  • Distribute patch backup settings
  • Distribute authentication configuration
  • Distribute configurations
Note: Application Role Permissions can also be changed by the administrator from any managed unit. When this happens, the permissions are changed for all managed units.