Release notes - Guardium Insights Version 3.3.1

IBM Guardium Insights is a hybrid cloud data security hub that helps you improve visibility into user data activity and risk. Guardium Insights helps you protect data more efficiently, enhance information technology flexibility, and reduce operational costs as you embrace new business paradigms (such as moving data to the cloud). Guardium Insights helps reduce the cost and complexity related to collecting, managing, and retaining data security and compliance data. It provides new analytics to enhance threat investigations - and it provides quick reporting functionality (including prebuilt reports). Risk scoring and alerting in Guardium Insights help you prioritize your activities.

This content only applies to Guardium Insights Version 3.3.x.

Guardium Insights is a powerful tool that can help you secure your data. Simple to use, Guardium Insights allows you to set up connections to your data sources.

Guardium Insights provides tools to help you analyze data:

  • Outlier mining: Detecting anomalies in activities and exceptions.
  • Risk events: Identifying assets at risk using broad data points.
  • Reports: Dive into the raw data for deep investigation.

Download Guardium Insights v3.3.1

Guardium Insights V3.3.1 can be downloaded as an archive file (2.3.1.tar.gz) from: https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-guardium-insights

You can install only the products for which your site is entitled.

For further instructions, read the README.md file located after unzipping the latest tar file.

The Quick Start Guide for this offering is available at Passport Advantage (https://www.ibm.com/software/passportadvantage) (search for Part Number “M0H7GML”).

Install Guardium Insights v3.3.1

Before installing Guardium Insights, review the system requirements: Guardium Insights v3.3.x system requirements and prerequisites

This offering is deployed as a new installation of Guardium Insights – or as an in-place upgrade. Please follow these instructions:

Guardium Insights v3.3.x release notes

What's new in IBM Guardium Insights Version 3.3.1

  • Data retention: You can now specify Data retention settings in the Guardium Insights user interface. With this setting, you can specify how long data is retained before it is removed from the system.
  • Reports enhancements: You can now activate table join optimization and queries that use pipeline plans for individual reports.
  • Technical debt: MongoDB has been updated to v5.

Bug and security fixes in Guardium Insights v3.3.1

Table 1. Bug fixes
Issue key Description
INS-38687 After choosing to download all results in a report, a "Report export to file failed to generate file" error was displayed and the report could not be downloaded.
INS-37360, INS-37822 After creating an unhealthy universal connector connection, the Status information was empty.
INS-37038 Notifications for an SFTP/SMB integration with 1touch import wrongly indicated that Run details - Data import and ingestion completed without errors. when no new files were found for import.
INS-35876 There was a known issue for compliance reports when filtering with very large groups (performance is degraded when groups defined for compliance have greater than 2000 members).

Security fixes

Table 2. Security fixes
Issue key Vulnerability ID
INS-35722

Known limitations and workarounds for Guardium Insights v3.3.1

Issue key Description
INS-45231 After upgrading from Guardium Insights version 3.2.x, risk events are not generated and the risk-analytics-classification log includes this error:
java.lang.StackOverflowError

Workaround: Connect to the MongoDB pod, select the relevant database, and run these commands:

db.system_data_versions.deleteOne({"_id": "risk-analytics-classification"}) 
db.classification_type.drop()

After issuing these commands, restart all risk-analytics-classification pods.

INS-39477 After upgrading from Guardium Insights version 3.2.1 and later, risk events are not generated and the risk-analytics-engine log includes this error:
Could not create violation lead generator, an error occurred: Failed to load query to collect leads from violation.

Workaround: Connect to the MongoDB pod, select the relevant database, and run these commands:

db.system_data_versions.deleteOne( {"_id": "risk-analytics-engine"})
db.leads_configuration.drop()
db.leads_generators.drop()
db.leads_weights.drop()
db.features_configuration.drop()
db.queries.drop()

INS-38008 Upgrading Guardium Insights fails with non-zero return code error when the length of the spec.guardiumInsightsGlobal.ingress.hostname value in your custom resource (CR) file is longer than 58 characters.

Workaround: Before upgrading, ensure that the length of the spec.guardiumInsightsGlobal.ingress.hostname value in your custom resource (CR) file is 58 characters or fewer.
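
A pre-upgrade check for the INS-38008 limit, as an added example (not IBM tooling and not part of the original release notes): it reads spec.guardiumInsightsGlobal.ingress.hostname from a local CR file and fails when the value is longer than 58 characters. The function names, the sample CR fragment and its hostnames are constructed for illustration, and the parser assumes space-indented, block-style YAML.

```bash
# Added example, not IBM tooling. The limit comes from the INS-38008 workaround.
MAX_HOSTNAME_LEN=58

# Print spec.guardiumInsightsGlobal.ingress.hostname from a CR file.
# Assumes block-style YAML indented with spaces ("key: value" lines).
cr_ingress_hostname() {
  awk '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    {
      indent = match($0, /[^ ]/) - 1               # nesting depth = leading spaces
      line = substr($0, indent + 1)
      if (line !~ /^[A-Za-z0-9_.-]+:/) next        # only mapping keys matter here
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      while (depth > 0 && ind[depth] >= indent) depth--   # leave closed blocks
      depth++; ind[depth] = indent; name[depth] = key
      if (depth == 4 && name[1] == "spec" && name[2] == "guardiumInsightsGlobal" &&
          name[3] == "ingress" && key == "hostname") {
        sub(/[ \t]+#.*$/, "", val); sub(/[ \t]+$/, "", val)   # trailing comment, spaces
        sub(/^["\047]/, "", val); sub(/["\047]$/, "", val)    # surrounding quotes
        print val; exit
      }
    }' "$1"
}

# Return 0 if the hostname fits, 1 if it is too long, 2 if it was not found.
check_ingress_hostname() {
  host=$(cr_ingress_hostname "$1")
  [ -n "$host" ] || { echo "hostname not found in $1" >&2; return 2; }
  if [ "${#host}" -gt "$MAX_HOSTNAME_LEN" ]; then
    echo "FAIL: $host is ${#host} characters, limit is $MAX_HOSTNAME_LEN" >&2
    return 1
  fi
  echo "OK: $host is ${#host} characters"
}

# Constructed sample CR fragment (hypothetical keys and hostnames).
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  exampleOtherComponent:        # hypothetical key, same leaf name on another path
    ingress:
      hostname: decoy.example.com
  guardiumInsightsGlobal:
    ingress:
      hostname: guardium-insights-production.apps.openshift-cluster-01.example.com
EOF
check_ingress_hostname "${1:-$sample}" || echo "shorten the hostname before upgrading"
rm -f "$sample"
```

Pass the path to your own CR file as the first argument to check it instead of the constructed sample.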

INS-37656, INS-37829 An additional cp-serviceability pod is in the ContainerCreating state. This prevents the Guardium Insights mustgather tool from working as documented.

Workaround: Choose one of these options:

  • Delete the additional ReplicaSet that is creating the additional pod:
    1. Find the cp-serviceability replicasets:
      [root@bastion ~]# oc get replicasets | head -n 1
      NAME                                               DESIRED   CURRENT   READY   AGE
      [root@bastion ~]# oc get replicasets | grep cp-
      staging-cp-serviceability-645ddf7ffd               1         1         0       6d1h
      staging-cp-serviceability-9b7bb5684                1         1         1       6d1h
    2. Remove the replicaset that is marked as READY = 1. In the above example, this is staging-cp-serviceability-9b7bb5684:
      [root@bastion ~]# oc delete replicaset staging-cp-serviceability-9b7bb5684
      replicaset.apps "staging-cp-serviceability-9b7bb5684" deleted
    3. Wait until the additional cp-serviceability pod is terminated:
      [root@bastion ~]# oc get pods | grep cp-
      staging-cp-serviceability-645ddf7ffd-7w4kl                        0/1     ContainerCreating   0              97m
      staging-cp-serviceability-9b7bb5684-n4nx7                         1/1     Terminating         0              100m
      
      [root@bastion ~]# oc get pods | grep cp-
      staging-cp-serviceability-645ddf7ffd-7w4kl                        1/1     Running     0              100m
    4. You will now be able to use the documented mustgather commands.
  • When using mustgather commands that refer to a cp-serviceability pod, use the pod that is in the Running state. You can refer to https://www.ibm.com/support/pages/node/6832174. In this document, extra verification is required:
    • For step ii, check which pod is Running by issuing this command:
      oc get pods | grep cp-serviceability
    • For step v, use the pod in Running state to download files with oc cp commands.
INS-37724 When working with compliance milestones, you can Refine alerts with the Configure alert recipients action. When you choose this action and refine alerts, you can elect to send emails for actions. When you click the Send email to action and then click Invite users, the resulting landing page includes an Add users button that does not work.

Workaround: Go to the user management screen and add the user. Then return to the Refine alerts page to add the user to the list.

INS-37352 When there are very large amounts of data, the Data mart ingestion page displays this error:
Data mart unavailable Cannot load data mart statistics. Refresh the page to try again

Workaround: If the Data mart ingestion page displays this error, you can access the data mart ingestion information by opening the Data mart ingestion status report. This report includes data marts collected from both collectors and aggregators. To open the reports page, select Reports in the main menu. Open this menu by clicking the main menu icon.

INS-37220 After upgrading, the datamart-processor may not be able to write files to storage. As a result, data ingestion no longer takes place (the files are not ingested, but they are preserved).

Workaround: To re-upload the files that have been preserved - and to resume ingestion - restart ssh-service.

INS-36860 In Guardium Insights Version 3.3, support for the Universal Connector plugin for Amazon Neptune is temporarily paused. New versions of some of the dependencies required for this plugin could introduce security vulnerabilities and stability issues. Remediation of these dependencies is in progress and full support for Neptune will resume in the future. Customers who rely on the Universal Connector to monitor Amazon Neptune are advised to remain on Guardium Insights Version 3.2.x until Version 3.3.x support is fully available.

INS-29331 In rare cases, there are Db2® errors for services such as the reports and risk services. These may prevent report execution or risk event generation. When this occurs, these errors are seen in the logs for the related service:
SQLCODE=-1803, SQLSTATE=57056, SQLERRMC=NULLID.SYSSN200 0X5359534C564C3031, DRIVER=4.26.14
SQLCODE=-901, SQLSTATE=58004, SQLERRMC=Plan/Environment mismatch!, DRIVER=4.26.14

Workaround: See Db2 errors for reports and risk services.

Resources

IBM Guardium Insights documentation: http://ibm.com/docs/SSWSZ5_3.3.x/

System requirements: Guardium Insights v3.3.x system requirements and prerequisites

IBM Security Learning Academy: https://www.securitylearningacademy.com