Release notes - Guardium Insights Version 3.4.2

IBM® Guardium® Insights is a hybrid cloud data security hub that helps you improve visibility into user data activity and risk. Guardium Insights helps you protect data more efficiently, enhance information technology flexibility, and reduce operational costs as you embrace new business paradigms (such as moving data to the cloud). Guardium Insights helps reduce the cost and complexity related to collecting, managing, and retaining data security and compliance data. It provides new analytics to enhance threat investigations - and it provides quick reporting functionality (including prebuilt reports). Risk scoring and alerting in Guardium Insights help you prioritize your activities.

Version 3.4.x This content only applies to Guardium Insights Version 3.4.x.

Guardium Insights is a powerful tool that can help you secure your data. Simple to use, Guardium Insights allows you to set up connections to your data sources.

Guardium Insights provides tools to help you analyze data:

  • Outlier mining: Detecting anomalies in activities and exceptions.
  • Risk events: Identifying assets at risk using broad data points.
  • Reports: Dive into the raw data for deep investigation.

Contents

Download Guardium Insights v3.4.2

Guardium Insights V3.4.2 can be downloaded as an archive file (2.4.2.tar.gz) from: https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-guardium-insights

You can install only the products for which your site is entitled.

For further instructions, read the README.md file located after unzipping the latest tar file.

The Quick Start Guide for this offering is available at Passport Advantage (https://www.ibm.com/software/passportadvantage) (search for Part Number “M0H7GML”).

Install Guardium Insights v3.4.2

Before installing Guardium Insights, review the system requirements: Guardium Insights v3.4.x system requirements and prerequisites

This offering is deployed as a new installation of Guardium Insights – or as an in-place upgrade. Please follow these instructions:

Important: See Preparing to patch or upgrade Guardium Insights to learn how to upgrade Guardium Insights for OpenShift Container Platform (OCP) and OpenShift Data Foundation (ODF) Version 4.14 support.

Guardium Insights v3.4.x release notes

Bug fixes in Guardium Insights v3.4.2

Table 1. Bug fixes
Issue key Description
INS-49266 After upgrading several times from previous versions of Guardium Insights, the push and pull mode of exporting data mart bundles from Guardium Data Protection failed.
INS-48771 Reports log files exposed the Kafka username and password. In addition, the ssl.truststore.password password was exposed in the log files.
INS-48686 The gi-lab-tenant-create pod exposed the cpadmin credentials within the log files.
INS-47185 Interrupting a report by stopping it or changing its parameters did not stop the report query execution in the database back end.
INS-46736 When MongoDB only had two replicas, the backup exited after failing to copy files.
INS-44090 When too many data marts were sent at once, the ssh-service stopped sending notifications in some cases. This lead to data marts appearing with an awaiting for data state.

Known limitations and workarounds for Guardium Insights v3.4.2

Table 2. Known limitations and workarounds for Guardium Insights v3.4.2

Known limitations and workarounds for Guardium Insights v3.4.2
Issue key Description
INS-29331 In rare cases, there are Db2® errors for services such as the reports and risk services. These may prevent report execution or risk event generation. When this occurs, these errors are seen in the logs for the related service: 
SQLCODE=-1803, SQLSTATE=57056, SQLERRMC=NULLID.SYSSN200 0X5359534C564C3031, DRIVER=4.26.14
SQLCODE=-901, SQLSTATE=58004, SQLERRMC=Plan/Environment mismatch!, DRIVER=4.26.14

Workaround: See Db2 errors for reports and risk services.

Draft comment: jcalder@ca.ibm.com
Bug is marked as fixed in Jira only because it is documented here. I assume that this needs to stay in release notes for good.
INS-37220 After upgrading Guardium Insights, the datamart-processor may not be able to write files to storage. As a result, data ingestion no longer takes place (the files are not ingested, but they are preserved).

Workaround: To re-upload the files that have been preserved - and to resume ingestion - restart ssh-service.

Draft comment: jcalder@ca.ibm.com
Purvil confirms in the Jira that this is not fixed and it is to remain in release notes as a known limitation.
  • INS-37007
  • INS-42808
 After upgrading Guardium Insights from version 3.2.x to version 3.3.x and then to version 3.4.0, universal connector connections do not work due to a certificate error.

Workaround: See Existing universal connector certificate does not work in a restored environment.
INS-37352 When there are very large amounts of data, the Data mart ingestion page displays this error: 
Data mart unavailable Cannot load data mart statistics. Refresh the page to try again

Workaround: If the Data mart ingestion page displays this error, you can access the data mart ingestion information by opening the Data mart ingestion status report. This report includes data marts collected from both collectors and aggregators. To open the reports page, select Reports in the main menu. Open this menu by clicking the main menu icon (main menu)
INS-37724 When working with compliance milestones, you can Refine alerts with the Configure alert recipients action. When you choose this action and refine alerts, you can elect to send emails for actions. When you click the Send email to action and then click Invite users, the resulting landing page includes an Add users button that does not work.

Workaround: Go to the user management screen and add the user. Then return to the Refine alerts page to add the user to the list.
INS-38008 Upgrading Guardium Insights fails with non-zero return code error when the length of the spec.guardiumInsightsGlobal.ingress.hostname value in your custom resource (CR) file is longer than 58 characters.

Workaround: Before upgrading, ensure that the length of the spec.guardiumInsightsGlobal.ingress.hostname value in your custom resource (CR) file is 58 characters or fewer.

Draft comment: jcalder@ca.ibm.com
Bug is marked as fixed in Jira only because it is documented here. I assume that this needs to stay in release notes for good.
INS-39694 After modifying data retention settings, the new settings do not take effect until you restart the data retention pod.

Workaround: Restart the data retention pod after changing the settings.
INS-41777 Guardium Insights upgrade becomes stuck because CSV does not update

Workaround: See Guardium Insights upgrade becomes stuck because CSV does not update.
INS-41829 The schedule for data marts v5 is missing after upgrading Guardium Insights.

Workaround: Before upgrading to Guardium Insights v3.4.0, you must stop streaming.

When you start data mart streaming after upgrade completion, enter a new date for v5 data marts. The initial start date can be set in the Schedule managed units export wizard in the page for the central manager. This date should be earlier than the date on which you stopped streaming data marts.
INS-42573 Guardium Insights displays a 500 Internal Server Error when opening a compliance milestone.

Workaround: Reset user configurations for the environment before opening compliance milestones.
INS-42575 After upgrading Guardium Insights, logging in to the application takes several seconds.

Workaround: Restart the Service Pod before logging in to the application.
INS-42659 AWS streams appear as unhealthy after upgrading Guardium Insights.

Workaround: Ensure that you have installed Tenant Minisnif and Tenant GUC Custom Resources Version 3.3.4 or later (see this step).
INS-42701 After connecting to DynamoDB with the universal connector, traffic for the connection is not captured in reports.

Workaround: Download the Dynamo Db plug-in and upload it to Guardium Insights (see Connecting to data sources by using the universal connector).
INS-42822 After upgrading Guardium Insights and restoring a backup, newly-created universal connections appear as Unhealthy and pods are stuck in a Pending state.

Workaround: Increase the storage volume count or contact IBM Cloud support.
INS-42885

Guardium Insights v3.4 changes the data model from v3.3 in order to improve report and ingestion performance. Shortly after upgrade, you may see scheduled reports running longer than usual or, in some circumstances, failing. The reason behind this may be that the data in the old data model and the new data model are being joined into a single result set in an attempt to minimize disruption. If you encounter longer than normal scheduled report execution times, this should be temporary and subsequent runs should be much faster.

Workaround: If scheduled reports are failing, inspect the reports-runner pod logs. If you encounter an SQLCODE=-4712, SQLSTATE=5U026 error, consider turning on the Table join optimization feature in the Tenant settings. If the problem persists or if you are encountering ERRORCODE=-1224, SQLSTATE=55032 instead, consider temporarily splitting the report into smaller time frames. These issues should only occur if the scheduled report includes a date range both prior to and after the v3.4 upgrade. Future reports should not encounter these issues.
INS-42890 Reports in the Active report categories (for example, Active Full SQL, Active Exception, and Active Policy Violation) can be used to debug issues with traffic capture, policy rule configuration, and for instantaneous confirmation of traffic capture for direct-streamed data sources in Guardium Insights.

These reports may contain duplicate data. The duplicates will not appear in the main reporting categories on the audit data (for example, DB Activity, Full SQL, and Policy Violation) as the processing of the active data to the permanent data consolidates and removes the duplication.

Workaround: None for the Active report categories. You can use the main report categories instead.
INS-42960 After restoring a backup to Guardium Insights, Guardium Data Protection connections can become red and data marts are not pulled from Guardium Data Protection. This occurs rarely.

Workaround: See Existing data mart pull configuration does not work in a restored environment.
INS-43003 After upgrading Guardium Insights from version 3.3.0 to 3.4.0, some of the universal connector connections became unhealthy.

Workaround: Reconfigure the unhealthy universal connector connections..
INS-43004 After upgrading Guardium Insights, existing Guardium Data Protection connections do not ingest v4 data marts.

Workaround: Re-register the Guardium Data Protection connections to update existing certificates.
INS-43127 Asset inventory page does not load after upgrading Guardium Insights.

Workaround: Manually delete the collections (assets_filter_template, assets_filter_template_mapping, asset_policy, asset_rule) from MongoDB and then launch the Asset inventory page again.
INS-43135 After running systest-preupgrade-validationGuardium Insights, the log contains this warning: 
[WARNING] File MONGO_USER is not available.

Workaround: See MongoDB warning in pre-upgrade validation script.
INS-43179 After restoring a backup to Guardium Insights, data marts are not pulled from Guardium Data Protection and the guard_filetransfer_log file contains a Permission denied, please try again error.

Workaround: See Existing data mart pull configuration does not work in a restored environment.
INS-43190 After backing up Guardium Insights version 3.4.0 from cluster A - and then restoring onto cluster B with a different domain name (FQDN) - Filebeat/syslog universal connector connections do not work.

Workaround: Reconfigure the Filebeat/syslog universal connector connections.
INS-52199 After you upgrade from 3.4.1 to 3.4.2, the SSH service pod does not get upgraded to the new version.
Workaround: Scale the SSH service pod down to 0. 
oc scale deploy <GI-instance-name>-ssh-service --replicas=0
After the SSH service pod disappears, scale it back up to 1. 
oc scale deploy <GI-instance-name>-ssh-service --replicas=1

Resources

IBM Guardium Insights documentation: http://ibm.com/docs/SSWSZ5_3.x/

System requirements: Guardium Insights v3.4.x system requirements and prerequisites

IBM Security Learning Academy: https://www.securitylearningacademy.com