GBDI 4.2

Configuring Guardium Appliances

This section provides scripts to configure Guardium appliances. This section does NOT replace the instructions available in the Guardium release notes; follow the release notes instructions, which are more complete.

The instructions shown here are a summary only; they provide grdapi scripts that you can run over an SSH session to the appliance CLI. You can also use this procedure to move files to a third Linux server from which GBDI will pull data.

To enable data transfers between Guardium appliances and GBDI, two scripts must be executed once: one configures the appropriate data marts, and the other schedules the ongoing export of these data marts to GBDI. config_script.forManager is executed on the Central Manager (CM) and configures the data marts. config_script.forManaged is run on each collector and sets the export schedules with which the collectors push data to the target location.

To push directly to GBDI:

  1. Log in to the Guardium appliance using the CLI account and validate the copy to the target directory using the following grdapi command (replacing the host, username, password and directory location):

    grdapi datamart_validate_copy_file_info destinationHost="<host>" destinationPassword="<pwd>" destinationPath="<full path to directory>" destinationUser="<username>" transferMethod="SCP"

    Successful execution will result in an OK message.

  2. Change the attached scripts to include this host, username, path and password.

  3. Run the two modified scripts in the CLI using the following command:

    ssh cli@<guardium CM appliance> < config_script.forManager

    Enter the CLI password when requested; all should return OK.

    Next, execute the following:

    ssh cli@<guardium collector appliance> < config_script.forManaged

    Enter the CLI password when requested; all should return OK.

  4. Files will begin to be written to the directory after two hours, and will be delivered hourly after this initiation.

To push directly to a third Linux server (and later configure GBDI using remote mode):

  1. Identify a Linux server with SSH installed to be used as the staging target where all the extract files will be created.

  2. Obtain a username/password for that server and identify a directory that this user has write permission to. Execute an SCP file copy to this directory to validate access.

  3. Log in to the Guardium appliance using the CLI account and validate the copy to that directory using the following grdapi command (replacing the host, username, password and directory location):

    grdapi datamart_validate_copy_file_info destinationHost="<host>" destinationPassword="<pwd>" destinationPath="<full path to directory>" destinationUser="<username>" transferMethod="SCP"

    Successful execution will result in an OK message.

  4. Change the attached scripts to include this host, username, path and password.

  5. Run the two modified scripts in the CLI using the following command:

    ssh cli@<guardium CM appliance> < config_script.forManager

    Enter the CLI password when requested; all should return OK.

    Next, execute the following:

    ssh cli@<guardium collector appliance> < config_script.forManaged

    Enter the CLI password when requested; all should return OK.

  6. The initial file copy will take approximately two hours to complete; files will be delivered hourly thereafter.

Sample Scripts – V1.x through V2.1

Sample scripts for GBDI V1.x-V2.1, or when GBDI is used only for audit data:

Note

Change the path to your specific path; for a standalone system, run both scripts.

config_script.forManager:

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Exception Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Session Log Ended" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Session Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Access Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Full SQL" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Outliers List" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Outliers Summary by hour" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Export Extraction Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Group Members" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Policy Violations" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Buff Usage Monitor" transferMethod="SCP"

grdapi schedule_job jobType=dataMartExtraction cronString="0 20 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Group Members"

config_script.forManaged:

grdapi schedule_job jobType=dataMartExtraction cronString="0 10 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Outliers List"

grdapi schedule_job jobType=dataMartExtraction cronString="0 10 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Outliers Summary by hour"

grdapi schedule_job jobType=dataMartExtraction cronString="0 01 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Exception Log"

grdapi schedule_job jobType=dataMartExtraction cronString="0 20 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Export Extraction Log"

grdapi schedule_job jobType=dataMartExtraction cronString="0 05 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Policy Violations"

grdapi schedule_job jobType=dataMartExtraction cronString="0 33 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Session Log"

grdapi schedule_job jobType=dataMartExtraction cronString="0 34 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Session Log Ended"

grdapi schedule_job jobType=dataMartExtraction cronString="0 32 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Access Log"

grdapi schedule_job jobType=dataMartExtraction cronString="0 30 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Full SQL"

grdapi schedule_job jobType=dataMartExtraction cronString="0 0 8 ? * 1,2,3,4,5,6,7" objectName="Export: VA Results"

Sample scripts – V2.2 and up

Sample scripts for GBDI V2.2 and up:

Note

Change the path to your specific path; for a standalone system, run both scripts.

config_script.forManager:

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Exception Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Session Log Ended" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Session Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Access Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Full SQL" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Outliers List" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Outliers Summary by hour" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Export Extraction Log" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Group Members" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Policy Violations" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Buff Usage Monitor" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: VA Results" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: STAP Status" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Classifier Results" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Discovered Instances" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Databases Discovered" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Datasources" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: Installed Patches" transferMethod="SCP"

grdapi datamart_update_copy_file_info destinationHost="yourhosthere" destinationPassword="yourpwdhere" destinationPath="/local/raid0/sonargd/incoming" destinationUser="sonargd" Name="Export: System Info" transferMethod="SCP"

grdapi schedule_job jobType=dataMartExtraction cronString="0 20 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Group Members" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 21 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Datasources"

config_script.forManaged:

grdapi schedule_job jobType=dataMartExtraction cronString="0 40 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Access Log" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 45 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Session Log" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 46 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Session Log Ended"

grdapi schedule_job jobType=dataMartExtraction cronString="0 25 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Exception Log" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 30 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Full SQL" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 10 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Outliers List" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 10 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Outliers Summary by hour"

grdapi schedule_job jobType=dataMartExtraction cronString="0 50 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Export Extraction Log" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 15 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Group Members"

grdapi schedule_job jobType=dataMartExtraction cronString="0 5 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Policy Violations" 

grdapi schedule_job jobType=dataMartExtraction cronString="0 12 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Buff Usage Monitor"

grdapi schedule_job jobType=dataMartExtraction cronString="0 20 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: VA Results"

grdapi schedule_job jobType=dataMartExtraction cronString="0 0/5 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: STAP Status"

grdapi schedule_job jobType=dataMartExtraction cronString="0 22 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Discovered Instances"

grdapi schedule_job jobType=dataMartExtraction cronString="0 23 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Databases Discovered"

grdapi schedule_job jobType=dataMartExtraction cronString="0 24 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Classifier Results"

grdapi schedule_job jobType=dataMartExtraction cronString="0 0 5 ? * 1,2,3,4,5,6,7" objectName="Export: Installed Patches"

grdapi schedule_job jobType=dataMartExtraction cronString="0 0 5 ? * 1,2,3,4,5,6,7" objectName="Export: System Info"

Using Bundles and DMv2 (GBDI Version v2.7 and up)

Guardium DMv2 (Data Mart Protocol v2) introduced two changes:

  1. COMPLETE files are replaced with checksums, and therefore only data files are copied over.

  2. Bundles are supported. This is especially important for the SFE bundle: sessions, full SQL and exceptions.

When using DMv2, multiple DMs can be packaged together as a single file, as an alternative to sending several individual DMs. When choosing a set of DMs to package together as a bundle, note that each bundle must contain a "main DM". The main DM determines where the files will be copied (its copy file info determines the location) as well as the schedule. Because the bundle is created when the main DM fires, the main DM must be scheduled last, after the other DMs in the bundle.

It is recommended to always include the SFE bundle, which packages SESSION, SESSION_END, FULL_SQL and EXCEPTION together into a single bundle.

To set up the bundle:

grdapi datamart_copy_file_bundle action="create" bundle_name="SFE_BUNDLE" main_datamart_name="Export:Session Log Ended" 
grdapi datamart_copy_file_bundle action="include" bundle_name="SFE_BUNDLE" datamart_name="Export:Session Log" 
grdapi datamart_copy_file_bundle action="include" bundle_name="SFE_BUNDLE" datamart_name="Export:Exception Log"
grdapi datamart_copy_file_bundle action="include" bundle_name="SFE_BUNDLE" datamart_name="Export:Full SQL"

To delete a bundle:

grdapi datamart_copy_file_bundle action="delete" bundle_name="SFE_BUNDLE"

To get bundle info:

grdapi datamart_copy_file_bundle action="info" bundle_name="SFE_BUNDLE"

To exclude from a bundle:

grdapi datamart_copy_file_bundle action="exclude" bundle_name="SFE_BUNDLE" datamart_name="Export:Session Log Ended"

Session Log Ended is chosen as the main DM because, under the schedules shown above, it runs last.
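As an added example (not part of the Guardium or GBDI documentation), the following Python checks the "main DM must be scheduled last" rule against a pasted config_script.forManaged: it parses the schedule_job cron strings for a bundle's members and reports any member that fires at or after the main DM, or that has no fixed hourly schedule (as with the every-five-minutes STAP Status job). It assumes the cron fields are seconds, minutes, hours, day-of-month, month, day-of-week as in the strings on this page, and treats "Export: X" and "Export:X" as the same data mart name.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: schedule_job lines for the four SFE data marts, taken in
# form from the V2.2 config_script.forManaged shown on this page.
SAMPLE_FOR_MANAGED = """\
grdapi schedule_job jobType=dataMartExtraction cronString="0 45 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Session Log"
grdapi schedule_job jobType=dataMartExtraction cronString="0 46 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Session Log Ended"
grdapi schedule_job jobType=dataMartExtraction cronString="0 25 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Exception Log"
grdapi schedule_job jobType=dataMartExtraction cronString="0 30 0/1 ? * 1,2,3,4,5,6,7" objectName="Export: Full SQL"
"""

SCHEDULE_RE = re.compile(r'schedule_job\b.*?cronString="([^"]+)".*?objectName="([^"]+)"')


def norm(name: str) -> str:
    # The page writes both "Export: Session Log" and "Export:Session Log";
    # assumption: these name the same data mart, so compare without the space.
    return re.sub(r":\s+", ":", name.strip())


def parse_schedules(script: str) -> Dict[str, str]:
    """Map normalised data mart name -> cronString from each schedule_job line."""
    return {norm(n): c for c, n in SCHEDULE_RE.findall(script)}


def hourly_minute(cron: str) -> Optional[int]:
    """Minute at which an hourly job fires; None if the cron string is not a
    fixed-minute hourly schedule (fields: sec min hour dom month dow)."""
    f = cron.split()
    if len(f) < 6 or f[2] != "0/1" or not f[1].isdigit():
        return None
    return int(f[1])


def check_bundle(script: str, main: str, members: List[str]) -> List[str]:
    """Return problems that would make the bundle misfire: a member with no
    fixed hourly schedule, or a member scheduled at or after the main DM."""
    sched = parse_schedules(script)
    problems = []
    main_min = hourly_minute(sched.get(norm(main), ""))
    if main_min is None:
        return [f"main DM {main!r} has no fixed hourly schedule"]
    for m in members:
        mm = hourly_minute(sched.get(norm(m), ""))
        if mm is None:
            problems.append(f"{m!r} has no fixed hourly schedule")
        elif mm >= main_min:
            problems.append(f"{m!r} fires at :{mm:02d}, not before main DM at :{main_min:02d}")
    return problems
```

Run check_bundle over your own forManaged script before creating the bundle; an empty list means the main DM fires after every other member.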