Release notes - Guardium Insights Version 3.2.6

IBM Security Guardium Insights is a hybrid cloud data security hub that helps you improve visibility into user data activity and risk. Guardium Insights helps you protect data more efficiently, enhance information technology flexibility, and reduce operational costs as you embrace new business paradigms (such as moving data to the cloud). Guardium Insights helps reduce the cost and complexity related to collecting, managing, and retaining data security and compliance data. It provides new analytics to enhance threat investigations - and it provides quick reporting functionality (including pre-built reports). Risk scoring and alerting in Guardium Insights help you prioritize your activities.

IBM Security Guardium Insights is a powerful tool that can help you secure your data. Simple to use, Guardium Insights allows you to set up connections to your data sources.

Guardium Insights provides tools to help you analyze data:

  • Outlier mining: Detecting anomalies in activities and exceptions.
  • Risk events: Identifying assets at risk using broad data points.
  • Reports: Dive into the raw data for deep investigation.

Download Guardium Insights v3.2.6

Guardium Insights V3.2.6 can be downloaded as an archive file (2.2.6.tar.gz) from: https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-guardium-insights

You can install only the products for which your site is entitled.

For further instructions, read the README.md file located after unzipping the latest tar file.

The Quick Start Guide for this offering is available at Passport Advantage (https://www.ibm.com/software/passportadvantage) (search for Part Number “M07QWML”).

Install Guardium Insights v3.2.6

Before installing Guardium Insights, review the system requirements: http://ibm.com/docs/SSWSZ5_3.2.x/sys_req.html

Important: As of Version 3.2.5, Guardium Insights now checks for multiple tenants before allowing the product to be patched. If you have multiple tenants present when patching the product, the patch will fail. You can determine the number of tenants and remove invalid ones by following these instructions:
  1. Determine the number of tenants on the system by running the count_tenants.sh script that is located in the ibm-guardium-insights/inventory/install/files/support/ bundle:
    ./count_tenants.sh <hostname> <admin_user_id> <admin_password>
  2. If the script returns the message "Successful tenant check", there are no extra tenants and you can proceed with patching the product.
  3. If the script returns "Failed, multiple tenants on system", you must delete the invalid tenants. To list all of the tenants that are running on the system, run the get_tenants.sh script:
    ./get_tenants.sh <hostname> <admin_user_id> <admin_password>
  4. Use the list of returned tenants to determine which are invalid and can be removed - and then delete each invalid tenant using this command:
    ./delete_tenant.sh <hostname> <admin_user_id> <admin_password> <tenant_id>
  5. To verify that you can now install the patch, run count_tenants.sh again and confirm that you receive the "Successful tenant check" message.

This offering is deployed as a new installation of Guardium Insights – or as an in-place upgrade. Please follow these instructions:

Note: Support for Red Hat® OpenShift® Container Platform Version 4.8.x is deprecated. Guardium Insights supports OpenShift Container Platform Version 4.10.x.

Guardium Insights v3.2.x release notes

Bug and security fixes in Guardium Insights v3.2.6

Table 1. Bug fixes
Issue key Description
INS-26542 Data mart ingestion fails for large numbers of policy violation records.
INS-27138 Ingesting large data marts causes Db2® to fail because of the transaction log count limit.
INS-27648 Data mart ingestion does not work properly with certain network configurations.
INS-29322 When Guardium Insights attempts to ingest a file from Guardium Data Protection and the file fails to decompress, the file is removed without being ingested.
INS-29705 Guardium Insights overwrites the Guardium Data Protection CSV file when the ingestion data file type from multiple collectors fails during the same ingestion period.
INS-29774 When attempting to purge hot storage data, you receive this error:
Incorrect "TenantID" provided. Please provide correct "TenantID"
INS-28484 Timeout when backing up large amounts of data.
INS-28830 During ingestion, files end up in a persistent Awaiting Data state.
INS-29791 Reports missing Global ID column.
INS-30193 Data mart files are no longer ingested in LZ zone and marked as Complete.

Security fixes

Table 2. Security fixes
Issue key PSIRT Vulnerability ID
INS-28007
  • PVR0423827
  • PVR0423854
  • PVR0423932
  • CVE-2023-23919
  • CVE-2023-23920
  • CVE-2023-23918
INS-29313 PVR0430025 CVEID: CVE-2023-20861

Known limitations and workarounds for Guardium Insights v3.2.6

This patch of Guardium Insights carries forward the known limitations and workarounds from Guardium Insights Version 3.2. You can find the list of limitations in the release notes for that version.

In addition, this patch includes these known limitations:

Table 3. Known limitations and workarounds for Guardium Insights v3.2.6
Issue key Description
INS-25447 Cannot restore a backup of Guardium Insights Version 3.2.0 to Version 3.2.x.

Workaround: Restore the backup to Version 3.2.0 and then upgrade Guardium Insights from Version 3.2.0 to 3.2.x.

INS-28227 During an upgrade of Guardium Insights, data ingestion should be halted or kept to a minimum. This is due to a change in the Db2 operator.
INS-28766 Guardium Insights fails to install from a macOS terminal.

Workaround: Run the script from a Red Hat Enterprise Linux® terminal, or ssh into the cluster and then run the air gap process from the terminal of the cluster.

INS-28841 Db2 version update does not allow a restore from previous version.

Workaround: Perform a full backup after upgrade is complete. If you have not performed a full backup and have an incremental backup scheduled, a full backup of Db2 will be automatically performed instead of the scheduled incremental backup.

INS-29331 In rare cases, there are Db2 errors for services such as the reports and risk services. These may prevent report execution or risk event generation. When this occurs, these errors are seen in the logs for the related service:
SQLCODE=-1803, SQLSTATE=57056, SQLERRMC=NULLID.SYSSN200 0X5359534C564C3031, DRIVER=4.26.14
SQLCODE=-901, SQLSTATE=58004, SQLERRMC=Plan/Environment mismatch!, DRIVER=4.26.14

Workaround:

Use a bash shell to run these commands. If you are using macOS (which defaults to zsh), start bash by running the bash command.

  1. Use oc to log into the cluster and then run these commands at the command line:
    echo '' > .previousGuardiumInsightsReplicas
    X=`oc get deployments,statefulsets -lproject=insights -oname`
    for i in $X; do
        Y=`oc get $i -ogo-template='{{ .spec.replicas }}'`
        I=`echo $i | sed -e 's#[-\./]#_#g'`
        echo $I=$Y >> .previousGuardiumInsightsReplicas
    done
    This will save the existing scaling factors for the existing stateful sets and pods to a temporary file.
  2. Inspect the .previousGuardiumInsightsReplicas file to see if it contains a list of stateful sets and deployments in the Guardium Insights environment:
    head .previousGuardiumInsightsReplicas

    The output of the above command should be similar to:

    deployment_apps_gisysqa_analytics_events=3
    deployment_apps_gisysqa_apigateway=3
    deployment_apps_gisysqa_audit=3
    deployment_apps_gisysqa_configuration=3
    deployment_apps_gisysqa_connections=3
    deployment_apps_gisysqa_cp_serviceability=1
    deployment_apps_gisysqa_dashboards=3
    deployment_apps_gisysqa_data_retention=1
    deployment_apps_gisysqa_datamart_processor=2
  3. Execute this command to scale the services down to zero pods:
    oc scale `oc get deployments,statefulsets -lproject=insights -oname` --replicas=0
  4. Log into the Db2 pod and run these commands:
    oc rsh c-<ns>-db2-db2u-0
    su - db2inst1
    db2stop force
    db2start
    db2rbind bludb -l /tmp/bind.log all
  5. After the rebind completes, run exit to leave the Db2 pod and return to the OpenShift command line, and then bring the application pods back up by scaling them to their previously recorded replica counts:
    source .previousGuardiumInsightsReplicas
    X=`oc get deployments,statefulsets -lproject=insights -oname`
    for i in $X; do
        I=`echo $i | sed -e 's#[-\./]#_#g'`
        echo $i
        oc scale $i --replicas=${!I}
    done
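Before step 3 scales everything to zero, a practitioner would want to confirm that step 1 actually captured a usable replica count for every deployment and stateful set, because step 5 restores from that file and an empty or non-numeric value would leave a service scaled to nothing. The following added example (not IBM's script) performs that check and also greps a service log for the two SQLCODEs quoted for INS-29331; the function names and the constructed sample input are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM workaround: sanity checks before
# step 3 scales every Guardium Insights deployment and stateful set to zero.
# Assumes the replicas file has the VAR=N format written by step 1.

# Mirror the sed from step 1: oc resource name -> shell variable name,
# e.g. deployment.apps/gisysqa-audit -> deployment_apps_gisysqa_audit
name_to_var() {
    printf '%s' "$1" | sed -e 's#[-\./]#_#g'
}

# Return 0 (true) when LOGFILE holds either Db2 error quoted for INS-29331.
# Usage: db2_rebind_needed LOGFILE
db2_rebind_needed() {
    grep -Eq 'SQLCODE=-(1803|901),' "$1"
}

# Validate the replicas file against the resources that will be scaled down:
# every resource needs a VAR=N line with N a non-negative integer, otherwise
# step 5 would run "oc scale ... --replicas=" with an empty or bogus value.
# Usage: check_replicas_file FILE RESOURCE...   (returns 0 = safe to proceed)
check_replicas_file() {
    file=$1; shift
    rc=0
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    while IFS= read -r line; do
        [ -z "$line" ] && continue          # step 1 starts the file with a blank line
        case $line in
            *=*) ;;
            *) echo "malformed line: $line" >&2; rc=1; continue ;;
        esac
        case ${line#*=} in                  # e.g. "<no value>" when .spec.replicas is unset
            ''|*[!0-9]*) echo "non-numeric replica count: $line" >&2; rc=1 ;;
        esac
    done < "$file"
    for res in "$@"; do
        grep -q "^$(name_to_var "$res")=" "$file" \
            || { echo "no saved replica count for $res" >&2; rc=1; }
    done
    return $rc
}

# Constructed demonstration input (not taken from a real cluster):
demo=$(mktemp)
printf '\ndeployment_apps_gisysqa_audit=3\n' > "$demo"
check_replicas_file "$demo" deployment.apps/gisysqa-audit && echo "safe to scale down"
rm -f "$demo"
```

In practice, pass the output of `oc get deployments,statefulsets -lproject=insights -oname` as the resource list and only run step 3 when the check returns 0.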
INS-29634 The Guardium Insights restore process fails if you have previously restored a backup.

Workaround: This occurs because the restore process attempts to write to the restore.* files from the previous restore process. To work around this issue, move these restore.* files outside of the folder before attempting to restore - or change the permissions to 777.

INS-29711 When Db2 is upgraded as part of the update process, if the upgrade requires a large amount of time (which it may if there is a large amount of data inside Db2), the risk-analytics-controller service may attempt to connect to Db2 before it is ready, and then fail. If this happens, the risk-analytics-controller logs will report Db2 errors containing ERRORCODE=-4499, SQLSTATE=08001 and the service will not try to reconnect to Db2 once it is available.

Workaround: Once the Db2 pods have started, restart the risk-analytics-controller pods to allow them to reconnect.

Resources

IBM Security Guardium Insights documentation: http://ibm.com/docs/SSWSZ5_3.2.x/

System requirements: http://ibm.com/docs/SSWSZ5_3.2.x/sys_req.html

IBM Security Learning Academy: https://www.securitylearningacademy.com