IBM Security Guardium

  • 1.  Guardium 12 troubles

    Posted 24 days ago

    Hello all experts,

    I am a Guardium Data Protection novice/beginner, currently in the "phase" of learning & testing Guardium V12.
    My Guardium "topology" is very simple: one standalone collector (with the latest patches applied) + two DB servers: Rocky Linux 8.6 with Informix V14.10FC8
    and Ubuntu 22.04.4 with Informix V14.10FC10W2.

    Unfortunately, I am faced with these issues/bad experiences:

    1. Consolidated installer and CAS module.
       I cannot find the guard-bundle-CAS*.gim.sh installation script, so installing the CAS module with the consolidated installer seems to be impossible...
       
    2. Ubuntu 22.04 and installation of custom K-TAP module.
       I have used consolidated installer with following installation scripts:

       guard-bundle-GIM-12.0.1.0_r116302_v12_0_1-ubuntu-22.04-linux-x86_64.gim.sh
       guard-bundle-STAP-12.0.0.0_r115418_v12_0_7-ubuntu-22.04-linux-x86_64.gim.sh
       
       The compilation of custom K-TAP module for 5.15.0-107-generic kernel finished with this error:

        /opt/IBM/Guardium12/modules/KTAP/12.0.0.0_r115418_7-1715874936/custom/obj/x86_64-fentry-retpo-wrapper-hardened/.linux_ktap_export.o.cmd: No such file or directory
        make[2]: *** [scripts/Makefile.modpost:133: /opt/IBM/Guardium12/modules/KTAP/12.0.0.0_r115418_7-1715874936/custom/Module.symvers] Error 1
        make[1]: *** [Makefile:1830: modules] Error 2
        make[1]: Leaving directory '/usr/src/linux-headers-5.15.0-107-generic'
        make: *** [Makefile:104: modules-kernels] Error 1
        Could not build KTAP
        ===================================================================
        We cannot provide a module for the running kernel and no close
        fitting combination was found.  Please contact IBM and provide the
        following information:
        uname: Linux ubuntu 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
        release: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.04 DISTRIB_CODENAME=jammy DISTRIB_DESCRIPTION="Ubuntu 22.04.4 LTS" PRETTY_NAME="Ubuntu 22.04.4 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.4 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy 
        kernel: 5.15.0-107-generic-x86_64-SMP
        The in-kernel functionality will now be disabled.
        ===================================================================
        ktap module not loaded for kernel: 5.15.0-107-generic

       More info - see attached ktap_install.log file...

       Installation of K-TAP on Rocky Linux 8.6 was done with no issues.

    3. Informix IDS V14.10FC10W2 and Guardium inspection engine with INFX_EXIT configuration.
       The initial run of the ifxguard utility (for creating the $INFORMIXDIR/etc/ifxguard.$INFORMIXSERVER config file)
       immediately finishes with a "core dumped" crash (and no ifxguard config file is created).
       IDS V14.10FC8: ifxguard -p ... -l ... does run without crash and ifxguard config file is created.

    4. Informix IDS V14.10FC8, V14.10FC10W2 and Guardium inspection engine with INFX_EXIT configuration.
       Monitoring of the "drsoctcp" interface/protocol does not set the Guardium attribute "Records Affected" to the correct value but to "-1".
       When the "onsoctcp" or "onipcshm" communication protocol is monitored, the correct value of the "Records Affected" attribute is set.

    Many thanks for your replies in advance

    WBR Libor



    ------------------------------
    Libor Hohos
    ------------------------------

    Attachment(s)

    zip
    ktap_install.zip   3 KB 1 version


  • 2.  RE: Guardium 12 troubles

    IBM Champion
    Posted 22 days ago

    Hi @Libor Hohos,

    Welcome to the community!

    There's a lot to unpackage here, but I'll do my best to help steer you in a direction, at least.

    1. There's only one GIM. In other words, you will use the same GIM for S-TAP as you will for CAS.
    2. Here are some helpful resources/options for dealing with K-TAP:
      1. Use the S-TAP parameter KTAP_ALLOW_MODULE_COMBOS=Y
      2. Obtain a K-TAP module from Fix Central that contains a matching Kernel, use the following link: https://ibm.github.io/guardium-ktap/index.html
      3. Create your own K-TAP: https://www.ibm.com/docs/en/guardium/11.5?topic=tap-linux-unix-s-compilation-k
      4. Request a K-TAP from IBM: https://www.ibm.com/docs/en/guardium/11.5?topic=tap-linux-unix-requesting-k-module

    I don't have a lot of experience with Informix and I'm not sure at what point these errors are appearing. Here's a help document that may help: https://www.ibm.com/docs/en/guardium/11.5?topic=libraries-linux-unix-configuring-informix-exit



    ------------------------------
    Wendy Zemba
    Sr. Consultant, Data Protection
    wendy.zemba@convergetp.com
    Converge Technology Solutions

    Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
    ------------------------------



  • 3.  RE: Guardium 12 troubles

    Posted 18 days ago

      Hello Wendy,

    thank you for welcoming me and trying to help me.
    Unfortunately, you are wrong when you think I don't read documentation. I am not that ignorant... ;-)

    "Consolidated installer" issue:
    ===============================
    - look at https://www.ibm.com/docs/en/guardium/12.x?topic=iuugclus-installing-gim-other-packages-linux-servers-by-using-consolidated-installer

    - look into consolidated_installer.sh file (*) at line 397 (what is BUNDLE_CAS from consolidated_installer.sh view point ?):
      cas_installer=`ls  guard-bundle-CAS*.sh 2> /dev/null`;

      (*) for example, Guardium_12.0.3.0_GIM_Ubuntu_r117209.zip file contains consolidated_installer.sh shell script file ...

    - download latest CAS ZIP archive from FixCentral (for example for Ubuntu): Guardium_12.0.0.0_CAS_Ubuntu_r115418.zip

    - show the list of files in the CAS ZIP archive file:

    unzip -l Guardium_12.0.0.0_CAS_Ubuntu_r115418.zip
    Archive:  Guardium_12.0.0.0_CAS_Ubuntu_r115418.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
            0  2023-11-30 22:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/
            0  2023-09-15 07:28   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/
    146492994  2023-09-15 02:44   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-14.04-linux-x86_64.gim
    146499154  2023-09-15 02:14   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-18.04-linux-x86_64.gim
    146494265  2023-09-15 03:01   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-16.04-linux-x86_64.gim
    146503204  2023-09-15 02:01   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-20.04-linux-x86_64.gim
    146503454  2023-09-15 02:08   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.gim
         1170  2023-09-15 08:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/MD5SUMS
            0  2023-09-15 07:29   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/
    146379028  2023-09-14 21:25   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-16.04-linux-x86_64.sh
    146386593  2023-09-14 21:22   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-20.04-linux-x86_64.sh
    146386181  2023-09-14 21:24   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.sh
    146376899  2023-09-14 21:25   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-14.04-linux-x86_64.sh
    146382599  2023-09-14 21:25   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-18.04-linux-x86_64.sh
       460092  2023-11-30 21:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/ustap_release_notes_12.0.pdf
    ---------                     -------
    1464865633                     15 files

    A file with name matching the guard-bundle-CAS*.sh pattern does not exist in given zip archive => consolidated installer cannot install CAS module.
    Yes, I can install it another way, but in the case of the "consolidated installer" method, the documentation is incorrect.

    Howgh.;-)

    "Custom K-TAP" issue
    ====================
    - I have downloaded latest K-TAP module from FixCentral, of course: Guardium_KTAP_12.0_ubuntu-22-linux-x86-64_r115418_2024-05-10.zip
    - I have used parameter "--ktap_allow_module_combos" with consolidated_installer.sh
      Unfortunately, the K-TAP installation process finished with message (you can find it in attachment of my first post... near to end of ktap_install.log file):
      "We cannot provide a module for the running kernel and no close fitting combination was found."

    - GNU C compiler, make utility and kernel headers are installed, of course...
      Unsuccessful process of custom K-TAP module creation does finish with error (also mentioned in my first post...):
      /opt/IBM/Guardium12/modules/KTAP/12.0.0.0_r115418_7-1715874936/custom/obj/x86_64-fentry-retpo-wrapper-hardened/.linux_ktap_export.o.cmd: No such file or directory

      where /opt/IBM/Guardium12 is Guardium modules installation (root) directory.

      The reason for the non-existence of the ".linux_ktap_export.o.cmd" file is unknown to me... and what does the author of the "custom K-TAP module" build process say about it?
     
    "ifxguard" issue
    ================
    - unfortunately, the "Segmentation fault (core dumped)" message is just a consequence of a programmer's "awkward" error.
      The author of the ifxguard source code should look for an uninitialized variable or an access to unallocated memory.
      This is not about Guardium 12 documentation reading...


        WBR "no-cost tester" Libor ;-)



    ------------------------------
    Libor Hohos
    ------------------------------
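
The glob mismatch described in the "Consolidated installer" part of post 3, as an added example that is not part of the thread or of IBM's installer: it parses `unzip -l` rows and reports which file names a given installer glob would pick up. The function names are hypothetical, the listing rows are a constructed sample copied from the posts, and the `guard-bundle-STAP*.sh` pattern is an assumption by analogy with the `guard-bundle-CAS*.sh` line quoted from consolidated_installer.sh.

```shell
#!/bin/sh
# Constructed sample: three rows from the CAS archive listing in post 3.
LISTING='146503454  2023-09-15 02:08   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.gim
146386181  2023-09-14 21:24   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.sh
     1170  2023-09-15 08:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/MD5SUMS'

# Constructed row using the S-TAP installer name from post 1 (size/date invented).
STAP_ROW='        1  2024-01-01 00:00   guard-bundle-STAP-12.0.0.0_r115418_v12_0_7-ubuntu-22.04-linux-x86_64.gim.sh'

# installer_candidates PATTERN
# Reads `unzip -l` rows on stdin and prints every base name matching PATTERN,
# i.e. what `ls PATTERN` would find once the archive is flattened into one directory.
installer_candidates() {
    pattern=$1
    while read -r _len _date _time path; do
        [ -n "$path" ] || continue          # header/separator rows have no 4th field
        name=${path##*/}                    # strip directories; empty for dir entries
        case $name in
            $pattern) printf '%s\n' "$name" ;;   # unquoted: treated as a glob
        esac
    done
}

# count_candidates PATTERN LISTING -> number of matching files
count_candidates() {
    printf '%s\n' "$2" | installer_candidates "$1" | wc -l | tr -d ' '
}

# Pre-flight report: which globs find an installer in the CAS archive?
for p in 'guard-bundle-CAS*.sh' 'guard-bundle-CAS*.gim' 'guard-cas-*.sh'; do
    printf '%-24s %s match(es)\n' "$p" "$(count_candidates "$p" "$LISTING")"
done
printf '%-24s %s match(es)\n' 'guard-bundle-STAP*.sh' \
    "$(count_candidates 'guard-bundle-STAP*.sh' "$STAP_ROW")"
```

To check a real download, pipe `unzip -l <archive>` into `installer_candidates` with the pattern in question.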