IBM Security Guardium


Policy Changes Alert v11.2p250

  • 1.  Policy Changes Alert v11.2p250

    Posted Mon October 04, 2021 05:06 PM
    I currently have a collector running v11.2p250. I also have the Policy Changes Alert running for this collector. It seems in v11.2p250 the policy change alert catches an event from the "system" user (which is not a user that can be found) performing an insert on the policies. I have other appliances, 11.1 for example, where this does not occur. Is this a bug with the version, or is this new expected behavior? If it is expected, it creates a problem with the alert firing every specified interval. If it is a bug, is there any fix for this in a later release?

    ------------------------------
    Chase Walkup
    ------------------------------


  • 2.  RE: Policy Changes Alert v11.2p250

    Posted Tue October 05, 2021 05:03 PM

    Hi Chase,

    This is indeed working as designed, in the p250 release notes - https://delivery04.dhe.ibm.com/sar/CMA/IMA/09vdh/0/Guardium_v11_0_p250_patch_release_notes.pdf
    It's caused by "GRD-49593 Scheduled policy installation is not stored in GUARD_USER_ACTIVITY_AUDIT".

    GUARD_USER_ACTIVITY_AUDIT is the table that the Policy Changes alert checks for changes.

    Behavior prior to p250:
    i) Manual policy installations by user are logged in GUARD_USER_ACTIVITY_AUDIT under the user who initiated the install 
    ii) Scheduled policy installations are not logged in GUARD_USER_ACTIVITY_AUDIT

    Behavior in p250 (Also in latest v10.6, v11.1 and v11.3 bundles and in v11.4):
    i) Manual policy installations by user are logged in GUARD_USER_ACTIVITY_AUDIT under the user who initiated the install 
    ii) Scheduled policy installations are logged in GUARD_USER_ACTIVITY_AUDIT under system user 

    The reason for the change is that some customers want to track every time the policy is reinstalled, even if this is run by the schedule. It's a more accurate picture of what is really happening on the appliance. And if we do track the information, there is always the option to filter it out in report conditions.

    Unfortunately for your use case it adds more noise to the alert. To reduce that you can make a new report in the Guardium Activity domain, cloned from the 'Policy Changes' report. Add a condition User Name Not Equal to System. Then use your new cloned report in the Policy Changes Alert definition.
    That will revert the alert to the same results as pre-p250.

    Hope that helps,
    Avi



    ------------------------------
    Avram Walerius
    ------------------------------
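The filtering approach from the reply above, as an added Python example that is not IBM's or the poster's code: it models a few constructed GUARD_USER_ACTIVITY_AUDIT rows (the field names, the "Policy installed" activity text and the hourly schedule are assumptions, not Guardium's real schema), applies the cloned report's "User Name Not Equal to System" condition, and goes one step beyond the post by keeping a system-attributed install that falls off the assumed schedule instead of silently dropping it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditRow:
    """Constructed stand-in for a GUARD_USER_ACTIVITY_AUDIT row (assumed fields)."""
    timestamp: datetime
    user_name: str
    activity: str


SCHEDULE_INTERVAL = timedelta(hours=1)   # assumed scheduled-install cadence
TOLERANCE = timedelta(minutes=5)         # jitter allowed around the schedule


def is_policy_install(row: AuditRow) -> bool:
    return row.activity.startswith("Policy installed")


def report_rows(rows):
    """Cloned 'Policy Changes' report: policy installs whose User Name is
    Not Equal to 'system', i.e. manual installs only (the post's condition)."""
    return [r for r in rows if is_policy_install(r) and r.user_name.lower() != "system"]


def unscheduled_system_installs(rows):
    """Extension beyond the post: system-attributed installs whose spacing from the
    previous system install does not match the schedule are kept for review."""
    system = sorted((r for r in rows if is_policy_install(r) and r.user_name.lower() == "system"),
                    key=lambda r: r.timestamp)
    return [cur for prev, cur in zip(system, system[1:])
            if abs((cur.timestamp - prev.timestamp) - SCHEDULE_INTERVAL) > TOLERANCE]


def should_alert(rows) -> bool:
    """Policy Changes Alert decision for one polling interval."""
    return bool(report_rows(rows)) or bool(unscheduled_system_installs(rows))


# Constructed sample data: three on-schedule reinstalls by the system user.
SAMPLE = [
    AuditRow(datetime(2021, 10, 4, 0, 0), "system", "Policy installed: Default"),
    AuditRow(datetime(2021, 10, 4, 1, 0), "system", "Policy installed: Default"),
    AuditRow(datetime(2021, 10, 4, 2, 0), "system", "Policy installed: Default"),
]
MANUAL = AuditRow(datetime(2021, 10, 4, 2, 17), "admin", "Policy installed: Default")
OFF_SCHEDULE = AuditRow(datetime(2021, 10, 4, 2, 30), "system", "Policy installed: Default")
```

With `SAMPLE` alone the alert stays quiet; adding `MANUAL` fires it through the report condition, and adding `OFF_SCHEDULE` fires it through the schedule check even though the user is "system".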