IBM Support

Conflict between InfoSphere Guardium and TAMOS

Product Documentation


Abstract

This document describes a third-party software application, TAMOS, that conflicts with the Guardium application.

Content

The following identifies third-party applications that interfere with the installation or running of Guardium and how to work around these conflicts.

TAMOS

TAMOS (Tivoli Access Manager) - Bug 33006, Bug 32286 - Disable TAMOS during a Guardium S-TAP installation. To avoid potential hangs of processes or of the server, TAMOS and STAP must NOT be run together until ALL of the following conditions are met.

Note: On AIX, turn Storage Keys OFF when using TAMOS.

(a) Disable TAMOS (rc.osseal stop).

(b) Make sure to install S-TAP version v9 r46961 or higher. Configure STAP inspection engines.

(c) The TAMOS process must be added to the shmid_blocklist parameter in the STAP guard_tap.ini:

shmid_blocklist=<full path to tamos binary>

For example, shmid_blocklist=/opt/pdos/bin/pdosd

(d) Disable STAP.

(e) Enable TAMOS (rc.osseal start).

(f) Make sure the guard_stap process has been made immune in the TAMOS policy:

Use the immunity feature of TAMOS to avoid conflicts between Guardium and TAMOS.

Immunity for Guardium is granted through the Immune-Programs policy by creating the following policy object:

/OSSEAL/<branch>/TCB/Immune-Programs/usr/local/guardium/guard_stap

(The customer may need to change this path to reflect the actual location of the guard_stap binary.)

Further information can be found in the TAMOS 6.0 Administration Guide, Chapter on Policy, Subsection Trusted Computing Base resources located at

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamos.doc/amos60_admin22.htm?path=5_3_3_4_2#tcbstuff

(g) Any database being monitored by Guardium must also be made immune in the TAMOS policy:

An additional use of TAMOS immunity is required for the database application which Guardium is monitoring. Because database applications use child processes, the pdosexempt command must be used to make the database application immune to TAMOS.

To make the database application immune to TAMOS, insert the command "/usr/bin/pdosexempt -i $$" at the beginning of the startup script for the database application.

The TAMOS 6.0 Administration Guide, Chapter Commands, Subsection pdosexempt contains a description of the pdosexempt command. The TAMOS 6.0 Administration Guide is located at

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamos.doc/amos60_admin124.htm?path=5_3_9_8#pdosexemptcli

(h) Enable STAP.
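
A read-only check for steps (c) and (g), written as an added example rather than IBM-supplied code: it confirms that guard_tap.ini carries the shmid_blocklist entry and that the database startup script calls pdosexempt before any other command. The file locations, the treatment of '#' and ';' as comment characters, and the sample file contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read-only checks for steps (c) and (g). File paths are
# arguments because their locations are site-specific (assumption).

# Step (c): succeed if the ini has an active shmid_blocklist line whose value
# is exactly the TAMOS binary path (the single-value form shown above).
# Lines starting with '#' or ';' are treated as comments (assumption).
check_blocklist() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*shmid_blocklist[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop "key="
            sub(/[ \t\r]+$/, "", val)       # drop trailing blanks / CR
            if (val == want) found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# Step (g): succeed only if the first command in the startup script (after
# the shebang, comments and blank lines) is the pdosexempt call.
check_exempt() {
    awk '
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        { ok = (line == "/usr/bin/pdosexempt -i $$"); exit }
        END { exit(ok ? 0 : 1) }' "$1"
}

# Constructed sample files (not from a real system) to exercise both checks.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# shmid_blocklist=/constructed/old/path' \
    'shmid_blocklist=/opt/pdos/bin/pdosd' > "$demo/guard_tap.ini"
printf '%s\n' '#!/bin/sh' '# constructed startup script' \
    '/usr/bin/pdosexempt -i $$' 'echo "start database here"' > "$demo/db_ok.sh"
printf '%s\n' '#!/bin/sh' 'echo "start database here"' \
    '/usr/bin/pdosexempt -i $$' > "$demo/db_late.sh"

check_blocklist "$demo/guard_tap.ini" /opt/pdos/bin/pdosd \
    && echo "step (c): TAMOS binary is in shmid_blocklist"
check_exempt "$demo/db_ok.sh" \
    && echo "step (g): pdosexempt is the first command in db_ok.sh"
check_exempt "$demo/db_late.sh" \
    || echo "step (g): pdosexempt is missing or not first in db_late.sh"
```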


Document Information

Modified date:
16 July 2018

UID

swg27042118