
Guardium Windows Agent Must Gather V3.0 - Part 1 - What's new in Guardium V11.5

By SATOSHI KAWASE posted Mon September 19, 2022 09:42 PM


About Windows Agent Must Gather V3.0

Guardium Windows Agent Must Gather V3.0 (a.k.a. Windows S-TAP Must Gather) is the latest Must Gather script, released with Guardium V11.5.

It is included in all Guardium Windows agents (GIM, S-TAP, GAM, CAS, FAM monitor, FAM crawler, FDEC for NAS/SP, FAM for NAS/SP) in V11.5, and will be back-ported to all supported versions.

Index

  1. What's new in V3.0? (Guardium V11.5)
  2. S-TAP mode and STANDALONE mode
  3. How to run Must Gather V3.0?
  4. Must Gather V3.0 command options
  5. Where is the output of Must Gather?
  6. What files are collected?
  7. What if Must Gather doesn't generate output?

NOTE: This blog article covers only the first section. Click links to read other sections.

1. What's new in V3.0? (Guardium V11.5)

1.1 Developed from scratch, written as a PowerShell script

Must Gather (diag.bat) was written as a Windows batch script in V1. The script was rewritten from scratch in V2, and it gathers a large number of diagnostic files from Windows S-TAP. It also detects all Guardium products installed on Windows and gathers diagnostic files from the other Guardium Windows agents, such as GIM, CAS, FAM monitor, FAM crawler, FDEC for SP/NAS, FAM for SP/NAS, etc.

The next requirement for Must Gather was to create a summary: parse diagnostic files such as Guard_Tap.ini and the GIM conf file, collect the major settings, run some connectivity tests, and more. To parse these files, the Must Gather V3.0 script is written in Windows PowerShell, so it was written from scratch once again.

NOTE: PowerShell script files have a special file extension (.ps1). To keep backward compatibility, Must Gather V3.0 consists of two files.

  • diag.ps1 ... The main script of Must Gather V3.0.
  • diag.bat ... A simple launcher for diag.ps1, provided for backward compatibility and ease of use.


1.2 Summary feature

Must Gather V3.0 has a parser that retrieves properties and their values from Guard_Tap.ini, the conf file, and other files, and creates a summary.txt. Most of the important information is in this file, so you no longer need to open each file one by one.

The summary.txt contains the following information:

  • The script version info
    • Script version
    • Script running user
    • Script start date/time with time zone
  • OS information
    • OS Name / Build
    • Recent OS reboot dates/times (see later section for details)
    • Resource information (CPU, Memory, Disk)
  • Installed Guardium agents information (GIM, S-TAP, GAM, CAS, FAM Monitor, FAM crawler, FDEC for SP/NAS, FAM for SP/NAS)
    • Version
    • Installed directory
    • Installed date
    • Major configuration parameters (from Guard_Tap.ini, conf, etc, see later section for details)
    • Connectivity test results (see later section for details)
    • Windows Services running status (see later section for details)

1.3 Details in summary.txt

1.3.1 Recent OS reboot date/times

Must Gather V2.1 and older versions record the LAST REBOOT information in system.txt, but we sometimes want to know about one or more earlier reboots. This information is in the Windows Event Log as Event ID 12.

Must Gather V3.0 gathers recent reboot information (up to 10 events) from the Windows Event Log and stores it in summary.txt, which makes it easier to see recent reboot incidents.

Here is an example of the Recent System Reboot info in summary.txt.

================================================================
2. OS Information
================================================================
OS Name                   : Microsoft Windows Server 2019 Standard
OS Version                : 10.0.17763
PowerShell Version        : 5.1
System Drive              : C:

----------------------------------------------------------------
2.1 Recent system reboot events from Windows Event Log (EventID=12)

TimeCreated           Message                                                                         
-----------           -------                                                                         
8/30/2022 8:11:20 PM  The operating system started at system time ‎2022‎-‎08‎-‎31T00:11:17.500000000Z.
7/15/2022 2:26:59 AM  The operating system started at system time ‎2022‎-‎07‎-‎15T06:26:58.500000000Z.
7/15/2022 1:26:02 AM  The operating system started at system time ‎2022‎-‎07‎-‎15T05:26:01.500000000Z.
7/15/2022 12:59:41 AM The operating system started at system time ‎2022‎-‎07‎-‎15T04:59:38.500000000Z.
6/28/2022 12:06:23 AM The operating system started at system time ‎2022‎-‎06‎-‎28T04:06:22.500000000Z.
6/24/2022 4:22:04 AM  The operating system started at system time ‎2022‎-‎06‎-‎24T08:21:59.500000000Z.
...
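The reboot history shown above can be pulled from the System log with Get-WinEvent. The following is an added example, not the Must Gather script's own code; it assumes the output file name summary.txt and that Event ID 12 is written by the Microsoft-Windows-Kernel-General provider (the provider filter is an assumption of this example, added so that unrelated Event ID 12 entries from other providers are excluded).

```powershell
# Added example (not the Must Gather script itself): collect the most recent
# OS start events, the same Event ID 12 that summary.txt section 2.1 lists.
function Get-RecentRebootEvents {
    param([int]$MaxEvents = 10)

    # Event ID 12 in the System log is written at every OS start; the message
    # carries the start time in UTC. Filtering on the provider name is an
    # assumption of this example (other providers can reuse the same ID).
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 12
    }
    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Message
    } catch {
        # Get-WinEvent throws when no matching event exists (e.g. the log was cleared)
        Write-Warning "No Event ID 12 entries found: $($_.Exception.Message)"
        @()
    }
}

# Append the table to a summary file with a header in the layout of summary.txt
$summary = 'summary.txt'   # assumed output path
'2.1 Recent system reboot events from Windows Event Log (EventID=12)' | Out-File $summary -Append
Get-RecentRebootEvents -MaxEvents 10 |
    Format-Table TimeCreated, Message -AutoSize |
    Out-String -Width 200 |
    Out-File $summary -Append
```

A gap between consecutive entries that is unexpectedly short, or a start time that does not match a planned maintenance window, is worth correlating with the S-TAP and GIM logs gathered in the same run, since a reboot is a common reason for a driver or service to show a different state than expected.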

1.3.2 Major configuration parameters

Must Gather V3.0 gathers major configuration parameters from the Windows S-TAP Guard_Tap.ini and the Windows GIM conf file and puts them in summary.txt, so that you can quickly check the major settings.

================================================================
3. IBM Security Guardium - Windows GIM
================================================================

Windows GIM is installed.

----------------------------------------------------------------
3.1 Installation info (Windows registry):
Version                   : 11.5.0.143
Directory                 : C:\Program Files (x86)\Guardium\Guardium Installation Manager
InstallerLogLocation      : c:\
InstallDate               : 20220904

----------------------------------------------------------------
3.2 Major settings in conf file:
GIM_URL                   : collector06.xxx.xxx.com
GIM_FAILOVER_URL          : GIM_FAILOVER_URL
GIM_CLIENT_IP             : dbserver02.xxx.xxx.com
GIM_USE_SSL               : 1
GIM_DEBUG                 : 0
GIM_VERSION               : 11.5_r110500143_1

...

================================================================
4. IBM Security Guardium - Windows S-TAP
================================================================

Windows S-TAP is installed.

----------------------------------------------------------------
4.1 Installation info (Windows registry):
Version                   : 11.5.0.143
Directory                 : C:\Program Files\IBM\Windows S-TAP
InstallerLogLocation      : c:\
InstallDate               : 20220904

----------------------------------------------------------------
4.2 Network configuration (Guard_Tap.ini):
PROTOCOL_VERSION          : 8.0.0
USE_TLS                   : 0
TAP_IP                    : dbserver02.xxx.xxx.com
SOFTWARE_TAP_HOST         : dbserver02.xxx.xxx.com
SSL_BANNED_PROTOCOLS      : SSL2.0,SSL3.0,TLS1.0,TLS1.1
ALL_CAN_CONTROL           : 0

...

1.3.3 Connectivity test results

Must Gather V3.0 parses the GIM conf file, gets the values of GIM_URL and GIM_FAILOVER_URL, and attempts to connect to ports 8081, 8444, and 8446 on both hosts. These ports must be reachable from the GIM client.

Must Gather V3.0 also parses Guard_Tap.ini, gets all SQLGUARD_IP values, attempts to connect to ports 8443, 8444, 9500, 9501, 9800, and 9801 on every collector, and stores the test results in summary.txt. As you know,

  • Port 8443 must be reachable if you log on to the Guardium GUI from this
  • Port 8444 must be reachable if you use file upload (i.e. UPLOAD_FEATURE=1 or UPLOAD_FEATURE=2)
  • Port 9500 must be reachable if you use V7 protocol with USE_TLS=0
  • Port 9501 must be reachable if you use V7 protocol with USE_TLS=1
  • Port 9800 must be reachable if you use V8 protocol with USE_TLS=0
  • Port 9801 must be reachable if you use V8 protocol with USE_TLS=1

The following example shows that collector01 is reachable both as a GIM server and as a collector.

----------------------------------------------------------------
3.3 GIM Server (GIM_URL, GIM_FAILOVER_URL) connectivity test results:


name        : collector01.xxx.xxx.com
timestamp   : 2022-09-04 22:13:37
8081        : Connected
8444        : Connected
8446        : Connected
TESTED_TIME : 2022-09-04T22:35:31

...

----------------------------------------------------------------
4.3 SQLGUARD sections with connectivity test results:


name        : SQLGUARD_COLLECTOR01.XXX.XXX.COM
PRIMARY     : 1
SQLGUARD_IP : collector01.xxx.xxx.com
8443        : Connected
8444        : Connected
9500        : Connected
9501        : Connected
9800        : Connected
9801        : Connected
TESTED_TIME : 2022-09-04T22:35:24

...
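Sections 1.3.2 and 1.3.3 together describe parsing Guard_Tap.ini and testing the collector ports. The following is an added example, not the Must Gather script's own code, that does both: a minimal INI reader, a TCP connect test with a timeout, and a check of the six ports listed above for every [SQLGUARD_*] section. It goes one step beyond the summary.txt excerpt by also marking which S-TAP port the configured PROTOCOL_VERSION and USE_TLS actually require, using the port table above. Assumptions of this example: PROTOCOL_VERSION and USE_TLS live in a [TAP] section, the sample INI content and hostnames are constructed, and the Guard_Tap.ini path in the trailing comment is illustrative.

```powershell
# Added example (not the Must Gather script's own code): parse Guard_Tap.ini,
# take SQLGUARD_IP from every [SQLGUARD_*] section, test the six collector ports
# from summary.txt section 4.3, and flag the port the configured protocol needs.

function Read-IniFile {
    param([string[]]$Lines)
    # Minimal INI reader: each section becomes an ordered hashtable keyed by parameter name.
    $ini = [ordered]@{}
    $section = '_global'
    $ini[$section] = [ordered]@{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
            continue
        }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $ini[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $ini
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout so a filtered port does not stall the whole run.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($async)
            return 'Connected'
        }
        return 'Failed'          # timed out, or refused (Connected stays $false)
    } catch {
        return 'Failed'          # DNS failure or socket error
    } finally {
        $client.Close()
    }
}

function Get-RequiredStapPort {
    param([string]$ProtocolVersion, [string]$UseTls)
    # From the list above: V7 -> 9500/9501, V8 -> 9800/9801; USE_TLS=1 selects the odd port.
    $major = [int](($ProtocolVersion -split '\.')[0])
    $tls   = ($UseTls -eq '1')
    if ($major -ge 8) { if ($tls) { 9801 } else { 9800 } }
    else              { if ($tls) { 9501 } else { 9500 } }
}

function Test-SqlGuardConnectivity {
    param($Ini, [int[]]$Ports = @(8443, 8444, 9500, 9501, 9800, 9801))
    # Assumption of this example: PROTOCOL_VERSION and USE_TLS are in the [TAP] section.
    $tap = $Ini['TAP']
    $required = Get-RequiredStapPort -ProtocolVersion $tap['PROTOCOL_VERSION'] -UseTls $tap['USE_TLS']
    foreach ($name in @($Ini.Keys)) {
        if ($name -notlike 'SQLGUARD_*') { continue }
        $sec = $Ini[$name]
        $row = [ordered]@{ name = $name; PRIMARY = $sec['PRIMARY']; SQLGUARD_IP = $sec['SQLGUARD_IP'] }
        foreach ($p in $Ports) { $row["$p"] = Test-TcpPort -HostName $sec['SQLGUARD_IP'] -Port $p }
        $row['REQUIRED_PORT']    = $required
        $row['REQUIRED_PORT_OK'] = ($row["$required"] -eq 'Connected')
        $row['TESTED_TIME']      = (Get-Date).ToString('s')
        [pscustomobject]$row
    }
}

# Constructed sample input; the hostnames are placeholders, not real collectors.
$sampleIni = @'
[TAP]
TAP_IP=dbserver02.example.invalid
PROTOCOL_VERSION=8.0.0
USE_TLS=0
[SQLGUARD_COLLECTOR01.EXAMPLE.INVALID]
PRIMARY=1
SQLGUARD_IP=collector01.example.invalid
'@ -split "`r?`n"

$ini = Read-IniFile -Lines $sampleIni
Test-SqlGuardConnectivity -Ini $ini | Format-List
# On a real host (path is an assumption of this example):
# $ini = Read-IniFile -Lines (Get-Content 'C:\Program Files\IBM\Windows S-TAP\Bin\Guard_Tap.ini')
```

With the constructed sample every port reports Failed, because the placeholder names do not resolve; on a database server the REQUIRED_PORT_OK field tells you at a glance whether the one port the S-TAP actually needs for its configured protocol and TLS setting is open, which is the first thing to check when the S-TAP shows as offline on the collector.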

1.3.4 Windows Services running status

Must Gather V3.0 gets the list of Windows services of all Guardium Windows agents (S-TAP, GIM, GAM, etc.) and stores it in summary.txt with the status of each service.

----------------------------------------------------------------
3.4 Windows GIM service(s):

Status  Name DisplayName                               
------  ---- -----------                               
Running gim  IBM Security Guardium Installation Manager

...

----------------------------------------------------------------
4.5 Windows S-TAP service(s):

Status  Name          DisplayName                                                    
------  ----          -----------                                                    
Running Correlator    IBM Security Guardium Correlator Driver                        
Running DbMonitorx64  IBM Security Guardium Database Monitor Service x64             
Running DbMonitorx86  IBM Security Guardium Database Monitor Service x86             
Running GUARDIUM_STAP IBM Security Guardium S-TAP                                    
Running NmpMonitor    IBM Security Guardium Named Pipes Monitor Driver               
Running NmpProxy      IBM Security Guardium Named Pipes Proxy Driver                 
Running PrcMonitor    IBM Security Guardium Prcoess Monitor Driver                   
Running WfpMonitor    IBM Security Guardium Windows Filtering Platform Monitor Driver

...

----------------------------------------------------------------
5.2 Guardium Agent Montior service(s):

Status  Name                      DisplayName                                   
------  ----                      -----------                                   
Stopped Guardium Resource Monitor IBM Security Guardium Resource Monitor Service

...
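The service tables above are what Get-Service returns for each agent's service names. The following is an added example, not the Must Gather script's own code; the service names are taken from the summary.txt excerpts above, and the grouping of names under agents is this example's own. It reports a service that is absent as NotInstalled rather than failing, and separately lists installed services that are not Running.

```powershell
# Added example (not the Must Gather script's own code): list the Windows
# services of each Guardium agent, as in summary.txt sections 3.4 / 4.5 / 5.2,
# and report services that are missing or not Running.

# Service names from the summary.txt excerpts above; the grouping is this example's own.
$agentServices = [ordered]@{
    'Windows GIM'            = @('gim')
    'Windows S-TAP'          = @('Correlator', 'DbMonitorx64', 'DbMonitorx86', 'GUARDIUM_STAP',
                                 'NmpMonitor', 'NmpProxy', 'PrcMonitor', 'WfpMonitor')
    'Guardium Agent Monitor' = @('Guardium Resource Monitor')
}

function Get-GuardiumServiceStatus {
    param($Agents)
    foreach ($agent in $Agents.Keys) {
        foreach ($svcName in $Agents[$agent]) {
            # SilentlyContinue: a missing service means that agent or component is not installed
            $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
            $status  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            $display = if ($svc) { $svc.DisplayName } else { '' }
            [pscustomobject]@{
                Agent       = $agent
                Status      = $status
                Name        = $svcName
                DisplayName = $display
            }
        }
    }
}

$report = Get-GuardiumServiceStatus -Agents $agentServices

# One table per agent, in the layout of summary.txt (only installed services are shown)
foreach ($agent in $agentServices.Keys) {
    "---- $agent service(s):"
    $report |
        Where-Object { $_.Agent -eq $agent -and $_.Status -ne 'NotInstalled' } |
        Format-Table Status, Name, DisplayName -AutoSize | Out-String
}

# Installed services that are not Running are the ones to look at first
$report |
    Where-Object { $_.Status -notin @('Running', 'NotInstalled') } |
    Format-Table Agent, Status, Name -AutoSize
```

On the host from the excerpts above, the last table would contain only the Guardium Resource Monitor service (Stopped), which is the sort of detail that is easy to miss when reading the per-agent tables one by one.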


You'll find more info in summary.txt.

What's next?

The next blog will explain 2. S-TAP mode and STANDALONE mode.

Questions?

If you have any questions, please feel free to comment on this blog article. You can also ask in the IBM Security Guardium discussion in the IBM Security Community or open a technical support ticket.
