IBM Guardium

  • 1.  Guardium 12 troubles

    Posted Wed May 22, 2024 11:23 AM

    Hello all experts,

    I am a Guardium Data Protection novice/beginner, currently in the "phase" of learning & testing Guardium V12.
    My Guardium "topology" is very simple: one standalone collector (with the latest patches applied) + two DB servers: Rocky Linux 8.6 with Informix V14.10FC8
    and Ubuntu 22.04.4 with Informix V14.10FC10W2.

    Unfortunately, I am faced with these issues/bad experiences:

    1. Consolidated installer and CAS module.
       I cannot find the guard-bundle-CAS*.gim.sh installation script, so CAS module installation using the consolidated installer seems to be impossible...
       
    2. Ubuntu 22.04 and installation of custom K-TAP module.
       I have used the consolidated installer with the following installation scripts:

       guard-bundle-GIM-12.0.1.0_r116302_v12_0_1-ubuntu-22.04-linux-x86_64.gim.sh
       guard-bundle-STAP-12.0.0.0_r115418_v12_0_7-ubuntu-22.04-linux-x86_64.gim.sh
       
       The compilation of custom K-TAP module for 5.15.0-107-generic kernel finished with this error:

        /opt/IBM/Guardium12/modules/KTAP/12.0.0.0_r115418_7-1715874936/custom/obj/x86_64-fentry-retpo-wrapper-hardened/.linux_ktap_export.o.cmd: No such file or directory
        make[2]: *** [scripts/Makefile.modpost:133: /opt/IBM/Guardium12/modules/KTAP/12.0.0.0_r115418_7-1715874936/custom/Module.symvers] Error 1
        make[1]: *** [Makefile:1830: modules] Error 2
        make[1]: Leaving directory '/usr/src/linux-headers-5.15.0-107-generic'
        make: *** [Makefile:104: modules-kernels] Error 1
        Could not build KTAP
        ===================================================================
        We cannot provide a module for the running kernel and no close
        fitting combination was found.  Please contact IBM and provide the
        following information:
        uname: Linux ubuntu 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
        release: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.04 DISTRIB_CODENAME=jammy DISTRIB_DESCRIPTION="Ubuntu 22.04.4 LTS" PRETTY_NAME="Ubuntu 22.04.4 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.4 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy 
        kernel: 5.15.0-107-generic-x86_64-SMP
        The in-kernel functionality will now be disabled.
        ===================================================================
        ktap module not loaded for kernel: 5.15.0-107-generic

       More info - see attached ktap_install.log file...

       Installation of K-TAP on Rocky Linux 8.6 was done with no issues.

    3. Informix IDS V14.10FC10W2 and Guardium inspection engine with INFX_EXIT configuration.
       The initial run of the ifxguard utility (for creating the $INFORMIXDIR/etc/ifxguard.$INFORMIXSERVER config file)
       immediately ends with a "core dumped" crash (and no ifxguard config file is created).
       IDS V14.10FC8: ifxguard -p ... -l ... runs without a crash and the ifxguard config file is created.

    4. Informix IDS V14.10FC8, V14.10FC10W2 and Guardium inspection engine with INFX_EXIT configuration.
       Monitoring of the "drsoctcp" interface/protocol does not set the Guardium attribute "Records Affected" to the correct value but to "-1".
       When the "onsoctcp" or "onipcshm" communication protocol is monitored, the correct value of the "Records Affected" attribute is set.

    Many thanks for your replies in advance

    WBR Libor



    ------------------------------
    Libor Hohos
    ------------------------------

    Attachment(s): ktap_install.zip (3 KB)


  • 2.  RE: Guardium 12 troubles

    Posted Fri May 24, 2024 02:24 PM

    Hi @Libor Hohos,

    Welcome to the community!

    There's a lot to unpackage here, but I'll do my best to help steer you in a direction, at least.

    1. There's only one GIM. In other words, you will use the same GIM for S-TAP as you will for CAS.
    2. Here are some helpful resources/options for dealing with K-TAP:
      1. Use the S-TAP parameter KTAP_ALLOW_MODULE_COMBOS=Y
      2. Obtain a K-TAP module from Fix Central that contains a matching Kernel, use the following link: https://ibm.github.io/guardium-ktap/index.html
      3. Create your own K-TAP: https://www.ibm.com/docs/en/guardium/11.5?topic=tap-linux-unix-s-compilation-k
      4. Request a K-TAP from IBM: https://www.ibm.com/docs/en/guardium/11.5?topic=tap-linux-unix-requesting-k-module

    I don't have a lot of experience with Informix and I'm not sure at what point these errors are appearing. Here's a help document that may help: https://www.ibm.com/docs/en/guardium/11.5?topic=libraries-linux-unix-configuring-informix-exit



    ------------------------------
    Wendy Zemba
    Sr. Consultant, Data Protection
    wendy.zemba@convergetp.com
    Converge Technology Solutions

    Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
    ------------------------------



  • 3.  RE: Guardium 12 troubles

    Posted Wed May 29, 2024 04:15 AM

      Hello Wendy,

    thank you for welcoming me and trying to help me.
    Unfortunately, you are wrong when you think I don't read documentation. I am not that ignorant... ;-)

    "Consolidated installer" issue:
    ===============================
    - look at https://www.ibm.com/docs/en/guardium/12.x?topic=iuugclus-installing-gim-other-packages-linux-servers-by-using-consolidated-installer

    - look into consolidated_installer.sh file (*) at line 397 (what is BUNDLE_CAS from consolidated_installer.sh view point ?):
      cas_installer=`ls  guard-bundle-CAS*.sh 2> /dev/null`;

      (*) for example, Guardium_12.0.3.0_GIM_Ubuntu_r117209.zip file contains consolidated_installer.sh shell script file ...

    - download latest CAS ZIP archive from FixCentral (for example for Ubuntu): Guardium_12.0.0.0_CAS_Ubuntu_r115418.zip

    - show the list of files in the CAS ZIP archive file:

    unzip -l Guardium_12.0.0.0_CAS_Ubuntu_r115418.zip
    Archive:  Guardium_12.0.0.0_CAS_Ubuntu_r115418.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
            0  2023-11-30 22:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/
            0  2023-09-15 07:28   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/
    146492994  2023-09-15 02:44   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-14.04-linux-x86_64.gim
    146499154  2023-09-15 02:14   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-18.04-linux-x86_64.gim
    146494265  2023-09-15 03:01   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-16.04-linux-x86_64.gim
    146503204  2023-09-15 02:01   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-20.04-linux-x86_64.gim
    146503454  2023-09-15 02:08   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.gim
         1170  2023-09-15 08:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/MD5SUMS
            0  2023-09-15 07:29   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/
    146379028  2023-09-14 21:25   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-16.04-linux-x86_64.sh
    146386593  2023-09-14 21:22   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-20.04-linux-x86_64.sh
    146386181  2023-09-14 21:24   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.sh
    146376899  2023-09-14 21:25   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-14.04-linux-x86_64.sh
    146382599  2023-09-14 21:25   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-18.04-linux-x86_64.sh
       460092  2023-11-30 21:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/ustap_release_notes_12.0.pdf
    ---------                     -------
    1464865633                     15 files

    A file with name matching the guard-bundle-CAS*.sh pattern does not exist in given zip archive => consolidated installer cannot install CAS module.
    Yes, I can install it another way, but in the case of the "consolidated installer" method, the documentation is incorrect.

    Howgh.;-)

    "Custom K-TAP" issue
    ====================
    - I have downloaded latest K-TAP module from FixCentral, of course: Guardium_KTAP_12.0_ubuntu-22-linux-x86-64_r115418_2024-05-10.zip
    - I have used parameter "--ktap_allow_module_combos" with consolidated_installer.sh
      Unfortunately, the K-TAP installation process finished with message (you can find it in attachment of my first post... near to end of ktap_install.log file):
      "We cannot provide a module for the running kernel and no close fitting combination was found."

    - GNU C compiler, make utility and kernel headers are installed, of course...
      Unsuccessful process of custom K-TAP module creation does finish with error (also mentioned in my first post...):
      /opt/IBM/Guardium12/modules/KTAP/12.0.0.0_r115418_7-1715874936/custom/obj/x86_64-fentry-retpo-wrapper-hardened/.linux_ktap_export.o.cmd: No such file or directory

      where /opt/IBM/Guardium12 is Guardium modules installation (root) directory.

      The reason for the non-existence of the ".linux_ktap_export.o.cmd" file is unknown to me... and what does the author of the "custom K-TAP module" build process say about it?
     
    "ifxguard" issue
    ================
    - unfortunately, the "Segmentation fault (core dumped)" message is just the consequence of a programmer's "awkward" error.
      The author of ifxguard source code should look for uninitialized variable or access into unallocated memory.
      This is not about Guardium 12 documentation reading...


        WBR "no-cost tester" Libor ;-)



    ------------------------------
    Libor Hohos
    ------------------------------
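
The filename mismatch described in the post above, as an added example that is not part of the thread or of IBM's installer: it parses `unzip -l` output and counts the archive members whose basename matches a glob. Only `guard-bundle-CAS*.sh` comes from the post; the function names, the other two patterns and the abridged listing are constructed here.

```shell
#!/bin/sh
# Constructed sample: `unzip -l` output, abridged from the listing in the post.
sample_listing() {
cat <<'EOF'
Archive:  Guardium_12.0.0.0_CAS_Ubuntu_r115418.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2023-09-15 07:28   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/
146503454  2023-09-15 02:08   Guardium_12.0.0.0_CAS_Ubuntu_r115418/GIM_Packages/guard-bundle-CAS-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.gim
     1170  2023-09-15 08:10   Guardium_12.0.0.0_CAS_Ubuntu_r115418/MD5SUMS
146386181  2023-09-14 21:24   Guardium_12.0.0.0_CAS_Ubuntu_r115418/Shell_Installers/guard-cas-12.0.0.0_r115418_v12_0_1-ubuntu-22.04-linux-x86_64.sh
---------                     -------
1464865633                     15 files
EOF
}

# Read `unzip -l` output on stdin, print one member path per line (no directories).
archive_files() {
    awk '$2 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ {
        sub(/^ *[0-9]+ +[^ ]+ +[^ ]+ +/, "")   # drop length, date, time columns
        if ($0 !~ /\/$/) print
    }'
}

# Print members whose basename matches the glob in $1.
match_glob() {
    pattern=$1
    archive_files | while IFS= read -r path; do
        base=${path##*/}
        case $base in
            $pattern) printf '%s\n' "$path" ;;   # unquoted: matched as a glob
        esac
    done
}

count_matches() { match_glob "$1" | wc -l | tr -d ' '; }

# 'guard-bundle-CAS*.sh' is the pattern quoted in the post; the other two are
# added here only to show what the archive does contain.
for p in 'guard-bundle-CAS*.sh' 'guard-bundle-CAS*.gim' 'guard-cas*.sh'; do
    printf '%-24s %s match(es)\n' "$p" "$(sample_listing | count_matches "$p")"
done
```

Against a real download, pipe the listing in directly: `unzip -l <archive>.zip | match_glob 'guard-bundle-CAS*.sh'`.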