ZDL0100X - Getting Started With Guardium Database Entitlement Reports

Lab guide

Getting started with Guardium Database Entitlement Reports
Course code ZDL0100X
September 2020 edition
© Copyright International Business Machines Corporation 2020.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Exercises
Exercise 1 Manual configuration of database entitlement report for Oracle
Exercise 2 Oracle entitlement report review
Exercise 3 Automating entitlement reports configuration with Guardium API

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercises
You can use IBM Security Guardium Database Entitlement Reports to verify that users have
access only to the appropriate data. Your Guardium system includes predefined database
entitlement reports for several database types.

The predefined entitlement reports are listed as follows. They appear as domain names in the
Custom Domain Builder, Custom Domain Query, and Custom Table Builder selections:
• Oracle DB Entitlements Domains
• MYSQL DB Entitlements Domains
• DB2 DB Entitlements Domains
• DB2 for i 6.1 and 7.1 DB Entitlements Domains
• SYBASE DB Entitlements Domains
• Informix DB Entitlements Domains
• Microsoft SQL Server Entitlements Domains
• Netezza DB Entitlements Domains
• Teradata DB Entitlements Domains
• PostgreSQL DB Entitlements Domains

In this lab, you configure a database entitlement report for Oracle, and use the Guardium API to
automate the entitlement report configuration for Db2.

Important: These exercises are presented in a virtual lab format. A virtual lab is an interactive
simulation of the original virtual machines. A virtual lab is not an actual virtual machine.
Therefore, your interaction opportunities are restricted to the exercise steps with some minor
variance. You use this lab guide, which walks you through usage and responses for the
components that are taught.

You can run the virtual lab multiple times without restriction.

Exercise 1 Manual configuration of database entitlement report for Oracle
In this exercise, you configure the ORA Accounts of ALTER SYSTEM entitlement report. These
steps are the same for any database entitlement report you need to set up.
1. Log in to the Guardium GUI with user pot and password guardium.

The Welcome page opens.

2. Go to the Custom Table Builder page:
a. Click the Comply icon.

b. Go to Custom Reporting > Custom Table Builder.


The Custom Table Builder page opens and displays predefined entitlement reports. In this
view, you can upload database entitlement data to custom tables that the entitlement
reports use to display data.

Attention: DB Entitlements Reports are optional components that are enabled by product key. If
these components are not enabled, the choices that are listed do not appear in the Custom
Domain Builder, Custom Domain Query, or Custom Table Builder selections.

Hint: The report associated with this table (ORA Accounts of ALTER SYSTEM), displays accounts
with ALTER SYSTEM and ALTER SESSION privileges.

3. Open the ORA Account of ALTER SYSTEM custom table:
a. Scroll down.

b. Select ORA Account of ALTER SYSTEM.

c. Click Upload Data.


The Upload Data view opens and you can upload database entitlement data to it. You do
this by assigning a data source. In dynamic environments, it is recommended to
schedule this upload.

4. Assign a data source to populate the table with data:
a. Click Add Datasource.
The Datasource Finder view opens and lists all of the defined data sources. If none of the
data sources meet your needs, you can create a new one with the New icon. In this
case, the data source is already set up.

Important: The user ID and password that are used for the data source must have the
appropriate privileges to access the entitlement-reporting data from the target database. For
this purpose, Guardium provides a set of SQL scripts (one script for each database type) that create
users and roles in the database to be used by Guardium. In this lab, the scripts were already run.

Provide these scripts to your database administrator to deploy. The template scripts are
available on the Guardium system after it is built. You can find and download them via fileserver
at the following path: /log/debug-logs/gdmmonitor_scripts/. More information is
available in the README.txt file in the directory.

b. Select osprey_oracle_ORACLE(Classifier).

c. Click Add.

d. Scroll down.

e. Click Verify Datasource.

f. To close the success confirmation message, click OK.


Hint: Although not a requirement, the data source verification test is recommended because it
assures you that the chosen data source can communicate with the database. This step validates
only that the data source can communicate with the database, not that the credentials used have
the appropriate privileges.

5. Save the configuration:


a. Scroll down.

b. Click Apply.

c. Click OK.

6. To upload the entitlement data to the custom table, click Run Once Now.

A confirmation message opens and displays the data source (osprey_oracle) and the number
of records from the database that were inserted into the custom table. In this case, the
number of records that were inserted into the table is 46.

7. To close the confirmation window, click OK.


Important: If the number of inserts is zero, ensure the applicable entitlement report SQL scripts
were run. These scripts set up the correct privileges within the database for entitlement data
extraction. Ensure that you are using the correct credentials in the data source definition.

Exercise 2 Oracle entitlement report review


Entitlement reviews validate and ensure that users have only the privileges they require to
perform their duties.

In this exercise, you validate the setup from Exercise 1 with a review of the ORA Accounts of
ALTER SYSTEM report.
1. View Oracle entitlement reports:
a. Click the Discover icon.

b. Go to Database Entitlements > Oracle.


The Oracle page opens and displays all of the predefined entitlement reports for Oracle.
Notice that the ORA Accounts of ALTER SYSTEM report displays data.

2. To review the titles of the predefined reports on this page, scroll down.
Note that all the other reports are empty. What is the reason for this difference? Each report is
backed by a custom table, which needs to be populated with data. In Exercise 1, you set up
and uploaded data to the custom table that the ORA Accounts of ALTER SYSTEM report uses.
To see data for these reports, and for the entitlement reports of other database types, you
perform the same steps as in Exercise 1.

3. To get back to the ORA Accounts of ALTER SYSTEM report, scroll up.


Hint: You can find details of what each predefined report contains at the following URL:
https://www.ibm.com/support/knowledgecenter/en/SSMPHH_11.2.0/com.ibm.guardium.doc/reports/predefined_database_entitlement_reports.html

4. To expand the view of the report with data, click the Maximize icon.

Hint: The view expands and displays the complete report of DB user accounts with ALTER
SYSTEM and ALTER SESSION privileges. This information is useful to determine whether
privileges for these users need adjustment based on business requirements. Also, recall when
you uploaded the data to the table, 46 inserts were made. This number matches the number of
records that are shown in the report.

5. Complete the review of the report:
a. To display the second page of the report, click 2.

b. To display the third page of the report, click 3.
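
The review that this exercise describes can also be run against a CSV export of the report. The following is an added example, not part of the IBM lab guide: it flags ALTER SYSTEM and ALTER SESSION grants that are missing from an approved baseline, lists grants that changed since the previous upload, and treats an empty export as a collection failure, in line with the zero-insert note in Exercise 1. The column names Grantee and Privilege, the account names, and the baseline are assumptions constructed for illustration.

```python
import csv
import io

REVIEWED = {"ALTER SYSTEM", "ALTER SESSION"}  # privileges this report covers

# Constructed sample exports. The column names are assumptions; adjust them
# to match the headers of your own report export.
PREVIOUS_EXPORT = """Grantee,Privilege
SYS,ALTER SYSTEM
DBA,ALTER SYSTEM
APP_BATCH,ALTER SESSION
"""
CURRENT_EXPORT = """Grantee,Privilege
SYS,ALTER SYSTEM
DBA,ALTER SYSTEM
APP_BATCH,ALTER SESSION
APP_BATCH,ALTER SYSTEM
JSMITH, alter session
"""
# Constructed baseline: the grants the business owner has approved.
BASELINE = {
    ("SYS", "ALTER SYSTEM"),
    ("DBA", "ALTER SYSTEM"),
    ("APP_BATCH", "ALTER SESSION"),
}


def load_grants(text):
    """Parse an export into a set of (grantee, privilege) pairs."""
    grants = set()
    for row in csv.DictReader(io.StringIO(text)):
        grantee = (row.get("Grantee") or "").strip()
        # Collapse case and whitespace so "alter  session" still matches.
        privilege = " ".join((row.get("Privilege") or "").upper().split())
        if grantee and privilege in REVIEWED:
            grants.add((grantee, privilege))
    return grants


def review(current_text, previous_text, baseline):
    """Compare the current upload with the baseline and the previous upload."""
    current = load_grants(current_text)
    if not current:
        # An empty result usually means collection failed, not that nobody
        # holds the privilege (see the zero-insert note in Exercise 1).
        raise ValueError("no entitlement rows: check data source credentials")
    previous = load_grants(previous_text)
    return {
        "unapproved": sorted(current - baseline),
        "new_since_last_upload": sorted(current - previous),
        "no_longer_granted": sorted(previous - current),
    }


if __name__ == "__main__":
    for finding, grants in review(CURRENT_EXPORT, PREVIOUS_EXPORT, BASELINE).items():
        print(f"{finding}: {grants}")
```
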

Exercise 3 Automating entitlement reports configuration with Guardium API
Because you can use many database entitlement reports, and you might want to link them to
multiple data sources, now is a good time to introduce scripting. Guardium
can automate routine processes through its extensive library of
command-line features. The command-line API in Guardium streamlines many tasks
that would otherwise take significant time to complete through the GUI.

In this exercise, you run a script that automatically populates the entitlement data for an IBM Db2
data source.

This step requires that a data source is defined in the Guardium collector for the Db2 database.

Hint: You can use the same procedure, with modifications to the data source names and custom
tables, to set up any other entitlement reports for different databases. The procedure itself is the
same regardless of the database you want to configure entitlements reports for.

1. Validate that a classifier data source exists for Db2:


a. Click the Harden icon.

b. Go to Vulnerability Assessment > Datasource Definitions.


The Datasource Definitions page opens and displays all of the defined data sources. The
Db2 data source this exercise requires is already configured and shows Connection
successful for the status.

c. To validate which collector the data source is connected to, hover over the Status column
for OSPREY_DB2_SAMPLE_DRDA_DB2INST1_50000.

2. Go to the database server terminal:


a. Click the Start icon.

b. Click PuTTY.
The PuTTY Configuration window opens with the host name and port that is already set up.

c. Click Open.

d. For the password, type guardium.

e. Press Enter.
After logging in to the database server osprey terminal, you run the script to automate the
setup of all predefined entitlement reports for Db2.

3. Locate the script:


a. Type ls Lab3*.

b. Press Enter.

c. Run the script Lab3-PopulateEntitlements.


This script logs in to the Guardium collector, and runs another script
(Lab3-PopulateEntitlements.DB2.GrdAPI), which creates and lists the data source
bindings, and uploads the entitlement data to the appropriate custom table.


Hint: The following text is the content of the Lab3-PopulateEntitlements script:


# Populate Entitlement Reports
ssh cli@g11machine < Lab3-PopulateEntitlements.DB2.GrdAPI

Get a better sense of all the steps that the Lab3-PopulateEntitlements.DB2.GrdAPI script
runs. See the contents of the script in the following image.

Run the script:


a. Type ./Lab3-PopulateEntitlements.

b. Press Enter.
Before the automation starts, you must supply the Guardium appliance password.

c. For the password, type guardium.

d. Press Enter.
The script runs and completes in about 20 seconds. Recall that the script creates and lists
the data source bindings, and uploads the entitlement data to those bindings for nine
predefined Db2 entitlement reports. If you use the GUI, these tasks take much longer.


Hint: The Guardium API is useful for automation of repetitive tasks and also reduces human
error.

4. To go back to the Guardium GUI, click anywhere outside the terminal window.

5. View Db2 entitlement reports:


a. Click the Discover icon.

b. Go to Database Entitlements > DB2.


The Db2 entitlement reports page opens and displays the nine predefined reports. The
first report is empty because there is no entitlement data for this report in the database.
The other reports contain the expected data.


6. To review all of the reports, scroll down.

Hint: You might want to share these reports with your line of business and database teams.
They can determine if the privileges are correct or whether any action needs to take place to
remediate exposure.
