Using the Query Builder to Troubleshoot Effectively
IBM® Security Guardium™
IBM SECURITY SUPPORT OPEN MIC
NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR
IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT
YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH
RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS
ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.
Apr 27 2017
To hear the WebEx audio, select an option in the Audio Connection dialog or access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device.
Once connected (on PC), you should see this in the bottom right corner:
For more information, visit:http://ibm.biz/WebExOverview_SupportOpenMic
2 IBM Security
Panelists
Presenter: Avi Walerius – Guardium Technical Support
Panelists:
Greg Holmes, Guardium Technical Support
Jack Kerbert, Guardium Technical Support
Lisette Contreras, Guardium Technical Support
Chris Beaney, Technical Support Manager
Moderator: Andrew McCarl, IBM Security eSupport
Goal of session
Understand how query builder uses domains, entities, attributes and a main entity to display data in the internal database
Use that knowledge to define useful queries for troubleshooting and reporting
Agenda
• What is the query builder?
• Structure of a query: Domains, Entities, Attributes, Main entity
• Troubleshooting examples
• Adding conditions
• Steps for creating a troubleshooting query
• Extra tips
• Useful links
What is the Query Builder?
• The Guardium internal database contains a lot of information:
  Audit data from agents
  Configuration settings
  Self-monitoring information
• To see the tables in it, run the CLI command: support show db-top-tables all
• We want to be able to use and access this data
• We don’t want to give users unlimited permission to it. It includes audit data that should not be tampered with.
• The solution is the query builder
What is the Query Builder?
• The query builder is an interface for the user to access most of the underlying data
• Once the query is built it can be used in a report to display the results retrieved from the query
• Example of the SQL the query builder generates for a query (the attribute names are rewritten to STR_DATA1, STR_DATA2, … and the timestamp runtime parameters appear as ?QUERY_FROM_DATE and ?QUERY_TO_DATE):
Select GDM_ACCESS.CLIENT_IP STR_DATA1, GDM_ACCESS.SERVER_IP STR_DATA2 From GDM_ACCESS Where ( (GDM_ACCESS.TIMESTAMP >= '?QUERY_FROM_DATE') AND (GDM_ACCESS.TIMESTAMP <= '?QUERY_TO_DATE') ) AND ( (GDM_ACCESS.CLIENT_IP in ( '1.2.3.4'!!1.2.3.4^^12!!)) )
Structure of a Query
• There are too many tables in the internal database to give one simple interface to all of them
• Instead the interface is split into smaller, linked areas
• Key concepts: Domain, Entity, Attribute, Main Entity
• Understanding this will help you create good queries
Structure of a Query - Domains
A domain is a set of tables that is linked based on the purpose or function of the information in those tables.
Access Domain – Tables related to access of data on a monitored database
Policy Violations Domain – Tables related to policy violation events as defined by the policy
Aggregation/Archive Domain – Tables related to aggregation processes running on the appliance
Structure of a Query – Entities
• An Entity is a label for one table within a domain
• An Entity may be in multiple domains. For example, session information is useful for both the Access and Policy Violations domains.
[Screenshots: Entities in the Access Domain; Entities in the Policy Violations Domain; Entities in the Aggregation/Archive Domain]
Structure of a Query – Attributes
• An attribute is one field within an entity
• Attributes with the same name in different entities are not the same field. E.g. Timestamp means something different in each entity that has it.
[Screenshots: Attributes in the Session Entity; Attributes in the Policy Rule Violation Entity; Attributes in the Agg/Archive Log Entity]
Structure of a Query – Main Entity
• The main entity should be the entity that is the focus of the query
• Timestamp runtime parameters use the timestamp defined by the main entity
• There will be one row in the report for each row in the table corresponding to the main entity:
  Session main entity – one row for every session
  SQL main entity – one row for every SQL
  Object main entity – one row for every object
• Individual values are not available for attributes in entities below the main entity; those entities can only be summarised with count/min/max attributes.
Structure of a Query – Summary
Domain – group of tables. Access domain: GDM_ACCESS, GDM_SESSION, GDM_CONSTRUCT, GDM_CONSTRUCT_TEXT, …
Entity – one table in the group. Session entity: GDM_SESSION
Attribute – one field in the table. Session Start attribute: GDM_SESSION.SESSION_START
Main Entity – main focus of your query. Session main entity: GDM_SESSION
Troubleshooting Examples
• Simple recreations of real life cases
1. Where using the right main entity can be the difference between understanding your problem and not.
2. Where using the wrong main entity makes it seem like there is a problem, when in fact there is not.
Troubleshooting Example 1 – Full SQL vs Client/Server
• Problem: Missing DB User
• Initial query to troubleshoot with:
What troubleshooting information can we get from this report?
Are there some missing DB Users? – Yes
How many sessions are missing a user? – Don’t know
Are all S-TAPs affected? – Hard to tell
When did the problem start? – Hard to tell
Troubleshooting Example 1 – Full SQL vs Client/Server
• DB User Name is an attribute in the Client/Server entity
• To troubleshoot initially, we want information about the client/servers that are missing DB User
• Use Client/Server as the main entity. Better query to troubleshoot with:
• Choose appropriate attributes from other entities with count/min/max
• Use Order-by to sort the results
What troubleshooting information can we get from this report?
Only one server IP is missing the user.
Both local and remote traffic from that server are missing the user.
Not all sessions from that server are missing the user.
The problem seems to start around 16:00 on April 19.
Could be a performance problem on the S-TAP.
Possible next steps:
Check the sessions report for this server.
Get S-TAP diags.
Troubleshooting Example 2 – Command vs Full SQL
• Problem: Duplicate SQLs captured?
• Initial query to troubleshoot with:
Is my SQL being logged twice?
Troubleshooting Example 2 – Command vs Full SQL
• Remember that there is one row in the report for each occurrence of the main entity. In this report Command is the main entity.
• Is my SQL being logged twice?
• No. There are two commands in the SQL, so it appears twice in a report with Command as the main entity.
• General lesson – not adding an attribute from the main entity can cause confusing results
[Screenshot: the same report with the Command attribute added]
• This problem is about SQL, so make a query with SQL (or Full SQL) as the main entity.
• Add Full SQL ID to see whether the values are unique
• Add a count of Command to see how many commands there are per SQL
Troubleshooting Example 2 – Command vs Full SQL
Troubleshooting Example 2 – Command vs Full SQL
• One Full SQL with 2 commands associated with it
• Each Full SQL row has a unique Full SQL ID
• Is this SQL being logged twice? No
Adding Conditions
• Be careful adding specific conditions when starting troubleshooting. Start with as few as possible.
• A mistaken understanding of what the values will be leads to confusion. You think your server IP is 1.2.3.4 but in fact it appears differently in reports. If you add the condition Server IP = 1.2.3.4, the report will be blank.
• Using a LIKE condition (‘like parameter’) instead of an exact match gives flexibility
Steps for creating a troubleshooting query
1. Choose the right domain. If it is related to access of your DB server it is likely the Access domain. The Policy Violations and Exceptions domains are also common.
2. Choose the right main entity. There will be one line in the report for each row in the main entity. Think about the problem you are troubleshooting: what is it “about”? Choose the main entity based on that.
3. Choose useful attributes. No need to add many attributes that you won’t look at. Choose the right timestamp (see http://www-01.ibm.com/support/docview.wss?uid=swg21989895). Consider whether some count/min/max attributes would be helpful.
4. Start with no conditions and then add them. Only apply conditions once you are sure they do what you expect.
5. Refine the query as you go. Add or change attributes and conditions to focus on the problem. Reduce the timestamp parameters if it helps.
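The following is an added example (not from the IBM deck and not Guardium code): a sqlite3 toy of four entities from the Access domain, so the main-entity rule behind Examples 1 and 2 and the "no conditions first, then LIKE" advice above can be watched in plain SQL. The table and column names (client_server, session, full_sql, command) are simplified stand-ins for the real GDM_* tables, and every row is constructed test data.

```python
# Added example, not from the IBM deck: a sqlite3 toy of four entities from
# the Guardium Access domain, so the main-entity rule from the slides can be
# watched in plain SQL. Table/column names are simplified stand-ins for the
# real GDM_* tables and every row below is constructed test data.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Client/Server -> Session -> Full SQL -> Command, one level per table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE client_server(cs_id INTEGER PRIMARY KEY,
                                   client_ip TEXT, server_ip TEXT, db_user TEXT);
        CREATE TABLE session(session_id INTEGER PRIMARY KEY,
                             cs_id INTEGER, session_start TEXT);
        CREATE TABLE full_sql(full_sql_id INTEGER PRIMARY KEY,
                              session_id INTEGER, sql_text TEXT);
        CREATE TABLE command(command_id INTEGER PRIMARY KEY,
                             full_sql_id INTEGER, verb TEXT);
    """)
    con.executemany("INSERT INTO client_server VALUES (?,?,?,?)", [
        (1, "10.0.0.5",  "10.0.1.20", "appuser"),  # healthy server
        (2, "10.0.0.5",  "10.0.1.30", ""),         # remote traffic, user missing
        (3, "10.0.1.30", "10.0.1.30", ""),         # local traffic, user missing
        (4, "10.0.0.7",  "10.0.1.30", "batch"),    # same server, user present
    ])
    con.executemany("INSERT INTO session VALUES (?,?,?)", [
        (101, 1, "2017-04-19 15:00"), (102, 2, "2017-04-19 16:05"),
        (103, 2, "2017-04-19 17:10"), (104, 3, "2017-04-19 16:30"),
        (105, 4, "2017-04-19 18:00"),
    ])
    con.executemany("INSERT INTO full_sql VALUES (?,?,?)", [
        (1001, 101, "SELECT 1; SELECT 2"),  # one statement, two commands
        (1002, 102, "DELETE FROM t"),
    ])
    con.executemany("INSERT INTO command VALUES (?,?,?)", [
        (5001, 1001, "SELECT"), (5002, 1001, "SELECT"), (5003, 1002, "DELETE"),
    ])
    return con


def report(con, sql, params=()):
    """One row per row of the main entity, which is what a report shows."""
    return con.execute(sql, params).fetchall()


# Example 2, initial query: Command is the main entity but no Command
# attribute is shown, so the two-command statement appears twice.
def sql_by_command(con):
    return report(con, """
        SELECT f.sql_text
        FROM command c JOIN full_sql f ON f.full_sql_id = c.full_sql_id
        ORDER BY c.command_id""")


# Example 2, better query: Full SQL is the main entity; Command, one level
# below it, is only available as an aggregate (count).
def sql_by_full_sql(con):
    return report(con, """
        SELECT f.full_sql_id, f.sql_text, COUNT(c.command_id) AS commands
        FROM full_sql f LEFT JOIN command c ON c.full_sql_id = f.full_sql_id
        GROUP BY f.full_sql_id
        ORDER BY f.full_sql_id""")


# Example 1, better query: Client/Server is the main entity (DB User lives
# there); Session is summarised with count/min/max and the rows are ordered.
def missing_user_by_client_server(con):
    return report(con, """
        SELECT cs.server_ip, cs.client_ip, COUNT(s.session_id) AS sessions,
               MIN(s.session_start) AS first_seen, MAX(s.session_start) AS last_seen
        FROM client_server cs JOIN session s ON s.cs_id = cs.cs_id
        WHERE cs.db_user = ''
        GROUP BY cs.cs_id
        ORDER BY cs.server_ip, cs.client_ip""")


# Step 4: run with no condition first to learn what the values really are.
def distinct_server_ips(con):
    return [r[0] for r in report(
        con, "SELECT DISTINCT server_ip FROM client_server ORDER BY server_ip")]


# Adding a condition: an exact match on a misremembered IP gives a blank
# report, while a LIKE pattern still finds the sessions. Only the operator
# is interpolated (from a fixed pair); the value is always a bound parameter.
def sessions_for_server(con, server_ip, exact=True):
    op = "=" if exact else "LIKE"
    return report(con, f"""
        SELECT COUNT(*) FROM session s
        JOIN client_server cs ON cs.cs_id = s.cs_id
        WHERE cs.server_ip {op} ?""", (server_ip,))[0][0]


if __name__ == "__main__":
    db = build_db()
    print(sql_by_command(db))                  # statement 1001 listed twice
    print(sql_by_full_sql(db))                 # one row per Full SQL, commands=2
    print(missing_user_by_client_server(db))   # one server, local and remote
    print(distinct_server_ips(db))             # what the IPs actually look like
    print(sessions_for_server(db, "10.0.1.3"),
          sessions_for_server(db, "10.0.1.3%", exact=False))
```

The two queries for Example 2 read the same tables; the only difference is which table supplies the row grain (the FROM table plus GROUP BY), which is exactly what choosing the main entity does in the query builder.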
Extra tips
• “Access Rule Description” attribute
  Full SQL entity -> Access Rule Description (v10 only)
  Policy Violations domain -> Policy Rule Violation entity -> Access Rule Description
• “Session Ignored” attribute
  Session entity -> Session Ignored
• Export to CSV and filter there. Useful with many results.
Extra tips
• Predefined queries. Sometimes the query you need already exists. Search in the main entity for predefined queries.
• Clone existing queries. Clone predefined queries or your own ones to save work.
Useful links
• How can I check if the correct data is being logged on my Guardium Appliance? Queries about session and Full SQL information.
  http://www-01.ibm.com/support/docview.wss?uid=swg21699711
• Understanding timestamps in Guardium reports. Meaning of timestamp attributes from different entities; how to use the correct timestamp.
  http://www-01.ibm.com/support/docview.wss?uid=swg21989895
• Unexpected results in Guardium reports due to SQL object and command depth. Reporting on complex or nested SQL statements with objects and commands at different depths.
  http://www-01.ibm.com/support/docview.wss?uid=swg21672451
• Guardium data distributions dashboard and reports. Analyze spikes in database and system space usage.
  http://www-01.ibm.com/support/docview.wss?uid=swg22001191
  Open mic replay: http://www-01.ibm.com/support/docview.wss?uid=swg27049532
Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/guardium/
Get started with IBM Security Support: IBM Support Portal | Sign up for “My Notifications”
Follow us:
Questions for the panel
Now is your opportunity to ask questions of our panelists.
To ask a question now:
Raise your hand in the WebEx session to ask a question live
or
Type your question into the WebEx chat
To ask a question after this presentation:
You are encouraged to participate in our Forum on this topic: https://developer.ibm.com/answers/topics/guardium/
https://www.facebook.com/IBM-Security-Support-221766828033861/
xforce.ibmcloud.com
@askibmsecurity
youtube/user/ibmsecuritysupport
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU
securityintelligence.com