Transcript of InfoSphere® Guardium® Tech Talk - IBM
© 2015 IBM Corporation
IBM Security
InfoSphere® Guardium® Tech Talk: Managing Your Linux K-TAPs
John Haldeman, Practice Lead, Information Insights, LLC
Rich Jerrell, Lead Developer, IBM
Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When speaker pauses for questions:
– We’ll go through existing questions in the chat
Reminder: Next InfoSphere Guardium Tech Talk
Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
Next tech talk: Overview of InfoSphere Guardium Encryption for DB2 and IMS Databases
Speaker: Ernie Mancill
Date/Time: Thursday, February 12 at 8:30 PT, 11:30 ET
Register: https://ibm.biz/BdELhg
Guardium community on developerWorks
bit.ly/guardwiki
Agenda
STAP Architecture
Differences in Linux and UNIX Kernels
Deployment – Getting Your KTAPs to Load
Maintenance – Preventing your KTAPs from getting Kicked Out (Kernel Updates)
(Time Permitting) Tips on Sandboxing for RHEL if you need to
(K-TAP: this is the Kernel TAP)
How Database Traffic Gets Audited
Diagram components: Database Client, Database Server, STAP, Guardium Collector, Sniffer
1. Client requests information from DB Server
2. DB Server responds with appropriate information
3. STAP makes a copy of information and sends to Guardium collector
4. Sniffer analyzes, parses, then logs appropriate data to the internal repository
Today’s focus: the STAP
Architecture (diagram labels)
User space: Applications, DB configured for Encrypted Traffic, Unencrypted DB, ATAP, STAP, OS Libraries, PCAP
Kernel space: OS Kernel, Kernel Modules (KTAP)
PCAP – Packet Capture
Standard system library used by tcpdump
Only captures TCP traffic
Configured via devices= line in guard_tap.ini
Advantages
• No kernel component
Disadvantages
• Cannot capture non-TCP traffic
• May not be able to capture local traffic
• Higher performance impact than KTAP
• Does not support firewall, terminate, or redaction
ATAP – Application TAP
Enables capturing shmem traffic for DB2 and Informix on Linux
Exit mechanism is alternative solution for DB2
Intercepts decrypted traffic
Needs to be configured and activated for each database individually
Activate and deactivate can only be done with the instance down
Communicates to STAP via KTAP
KTAP – Kernel TAP
Kernel module that enables capturing multiple types of database traffic
Lower system impact than PCAP
Module is tightly coupled to the kernel version
Flex loading permits one module to fit multiple kernel versions when the internal changes between versions are not significant
Local linking of the KTAP is now possible with version 9, significantly reducing time to support a new kernel
STAP – Software TAP
User space daemon
Normally runs as root
Reads data from KTAP and sends to the appliance
Uses PCAP library, if configured, for TCP traffic
Handles requests from KTAP about UID chains, firewall verdicts, ports, etc.
KTAP loader
Runs during installation and at boot
If a kernel is running that hasn’t loaded the KTAP before, it searches for a matching module and loads it
UNIX/Linux Differences
UNIX (AIX, HP-UX, Solaris)
– Kernel relatively stable between version-level updates of the OS
– Once the STAP is installed, your KTAPs are probably safe unless you perform a major update (eg: from AIX 6.1 to 7.1)
Linux
– Kernel updates frequently
– There are a lot of kernel versions
– Which KTAP is used depends on the kernel version installed
– This dependency in Linux is what this presentation is all about
This presentation focuses on Guardium’s RHEL and SLES support
(Image: http://www.unix.org/license-plate.html)
Deployment
1. KTAPs are a Very Important Part of the STAP
2. Different KTAPs are used for Different Kernel Versions
3. New Kernel Versions Get Released All the Time
New KTAPs are released all the time. Use the latest KTAP bundles to help maximize your chances of success. Each bundle contains the KTAPs but also, conveniently, an installer script and a GIM package for you to use.
(Fix Central screenshot callouts: Most Recent KTAPs for RHEL5; Most Recent KTAPs for RHEL6; CSV/Text file containing list of all current KTAPs)
Deployment Failure – No KTAP for Kernel
Standalone Install: (screenshot)
Deployment Failure – No KTAP for Kernel
GIM Install: (screenshot)
What to do Next: Check to Make Sure You Enabled Flex Loading (AKA Module Combos)
Flex Loading loads a KTAP that is not the exact match of your Kernel Version
It loads an untested kernel/KTAP combination which works almost all of the time – but not guaranteed
The KTAP is only loaded if a “Close Fitting Module” is found
It happens to be extremely helpful to know ahead of time if the KTAP is going to load or not
– Nobody likes failed scheduled changes
– You may need to know sooner rather than later so that you can request a KTAP or arrange for one to be compiled
What to do Next: Check to Make Sure You Enabled Flex Loading (AKA Module Combos)
How to Enable Flex Loading:
– Standalone Installs: add “--ktap_allow_module_combos” to installer options. For example:
./guard-stap-9.0.0_r64382_v90_1-rhel-5-linux-x86_64.sh -- --ni -k --dir /usr/local --tapip 192.168.140.131 --sqlguardip 192.168.140.101 --ktap_allow_module_combos
– GIM Installs: Set the Parameter during Install/Update
Note: If you forgot these flags originally, it is easy enough just to reinstall the STAP at this point, because the component that requires you to reboot the machine, the KTAP, is not loaded. So, if your KTAP did not load, go ahead and uninstall/reinstall if you like
– It should not require a reboot
– Always check to make sure that the KTAP is not loaded with “lsmod | grep tap” before you uninstall and force a reboot unintentionally!
RHEL: Will It Load!?!? (with Flex Loading)
Step 1: The Price is Right Rule
– Find The Closest Matching KTAP for Your Kernel Without Going Over
– To Find Your Kernel Version Execute: uname -a (or uname -r)
– The List of Currently Available KTAPs can be Found on Fix Central
Step 2: The Connect Four Rule
– If the first four numbers of the kernel version for the module you picked in step 1 match the kernel version for your kernel, the guard_ktap_loader will attempt to load that KTAP into the kernel
RHEL: Will It Load!?!? Example
Step 1: Closest Without Going Over
– Running uname -a on the database server outputs:
Linux kernel.infoinsightsllc.com 2.6.18-400.el5 #1 SMP Thu Dec 4 12:48:38 EST 2014 x86_64 x86_64 x86_64 GNU/Linux
– Looking in the CSV File That Contains the KTAPs:
SUPPORTED OS KERNEL LEVEL (uname -r)    KTAP MODULE
........                                ........
2.6.18-348.6.1.el5                      2.6.18-348.el5-x86_64-SMP.ko
2.6.18-348.el5                          2.6.18-348.el5-x86_64-SMP.ko
2.6.18-371.1.2.el5                      2.6.18-371.el5-x86_64-SMP.ko
2.6.18-371.3.1.el5                      2.6.18-371.3.1.el5-x86_64-SMP.ko
2.6.18-371.3.1.el5                      2.6.18-371.el5-x86_64-SMP.ko
2.6.18-371.6.1.el5                      2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.8.1.el5                      2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.9.1.el5                      2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.el5                          2.6.18-371.el5-x86_64-SMP.ko
2.6.18-53.1.13.el5                      2.6.18-53.1.13.el5-x86_64-SMP.ko
2.6.18-53.1.14.el5                      2.6.18-53.1.14.el5-x86_64-SMP.ko
2.6.18-53.1.19.el5                      2.6.18-53.1.19.el5-x86_64-SMP.ko
........                                ........
RHEL: Will It Load!?!? Example
Step 2: Connect Four
– Compare the First Four Numbers in Your Kernel:
• 2.6.18-400
– To the Closest Match You found (without going over):
• 2.6.18-371
– Do They Match? NO!
– Flex Loading Will Not Load a KTAP and Your Options Are:
1. Open a PMR and request a new KTAP, or
2. Compile Your Own
SLES: Will It Load!?!? (with Flex Loading)
SLES Has a Simpler Rule:
Find the original kernel version of the SLES version and service pack you are running – Load into all kernels in the service pack with that KTAP
– https://wiki.novell.com/index.php/Kernel_versions
For example, if you are running SLES 11 SP3, look for a KTAP corresponding to 3.0.76-0.11.1
– For any kernel in SLES11 SP3, load that KTAP
Will It Load!?!? Special Notes
Make sure you are comparing apples to apples. For example, the following kernel versions need different KTAPs because xen kernels are different from regular SMP kernels, even though they seem so similar:
– kernel-2.6.18-348.3.1.0.1.el5xen needs different KTAPs than
– kernel-2.6.18-348.3.1.0.1.el5
These rules change often. For example, up until sometime in 2013 flex loading was disabled for Teradata (specialized SUSE) Linux kernels; now it is available and follows the same rules as regular SLES kernels.
When in doubt, sandbox it or make sure you have the prerequisites to compile instead (tips on that provided later).
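As an added pre-deployment check (not part of this deck or of the Guardium product), the following Python applies the RHEL "Price is Right" and "Connect Four" rules from the previous slides, plus the xen/SMP apples-to-apples note above, to a constructed excerpt of the Fix Central KTAP list. Comma separation of the list, its column order, and the exact selection logic of guard_ktap_loader are assumptions.

```python
import re

# Constructed excerpt of the Fix Central "current KTAPs" list, in the two
# columns the slide shows (supported kernel per uname -r, KTAP module file).
# Comma separation is an assumption; the real file comes from Fix Central.
KTAP_LIST = """\
SUPPORTED OS KERNEL LEVEL (uname -r),KTAP MODULE
2.6.18-348.6.1.el5,2.6.18-348.el5-x86_64-SMP.ko
2.6.18-348.el5,2.6.18-348.el5-x86_64-SMP.ko
2.6.18-371.1.2.el5,2.6.18-371.el5-x86_64-SMP.ko
2.6.18-371.3.1.el5,2.6.18-371.3.1.el5-x86_64-SMP.ko
2.6.18-371.6.1.el5,2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.8.1.el5,2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.9.1.el5,2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.el5,2.6.18-371.el5-x86_64-SMP.ko
2.6.18-53.1.13.el5,2.6.18-53.1.13.el5-x86_64-SMP.ko
"""

# major.minor.patch-release[.extra ...][.flavor]; the flavor (el5, el5xen,
# -default on SLES) must match exactly: xen and SMP kernels need different KTAPs.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)((?:\.\d+)*)\.?(\D.*)?$")
ARCH_RE = re.compile(r"\.(x86_64|i[3-6]86|ppc64|s390x)$")


def parse_kernel(release):
    """Split a uname -r string into a comparable numeric tuple and a flavor."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %s" % release)
    nums = tuple(int(x) for x in m.groups()[:4])
    extra = tuple(int(x) for x in m.group(5).split(".") if x)
    flavor = ARCH_RE.sub("", m.group(6) or "")  # an arch suffix is not a flavor
    return nums + extra, flavor


def flex_load_candidate(uname_r, csv_text=KTAP_LIST):
    """Price is Right: closest listed kernel without going over (same flavor);
    Connect Four: its first four numbers must equal the running kernel's.
    Returns (verdict, matched_kernel, module)."""
    target, target_flavor = parse_kernel(uname_r)
    best = None
    for line in csv_text.splitlines()[1:]:           # skip the header row
        supported, module = [c.strip() for c in line.split(",")]
        key, flavor = parse_kernel(supported)
        if flavor != target_flavor or key > target:  # apples to apples, never over
            continue
        if best is None or key > best[0]:
            best = (key, supported, module)
    if best is None:
        return ("no-candidate", None, None)
    if best[0][:4] != target[:4]:                    # Connect Four fails: PMR or compile
        return ("no-load", best[1], best[2])
    return ("exact" if best[0] == target else "flex", best[1], best[2])
```

On a database server, pass platform.release() (the uname -r value) and the downloaded list text; the verdict tells you before the change window whether to expect a load, a PMR, or a compile.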
Compiling Your Own KTAP – Prerequisites
What the Manual Says You Need:
– The gcc Compiler
– Make v3.81+
– Kernel Development Packages
For RHEL, you can find out if you have them using yum:
– yum list gcc
– yum list make
– yum list kernel-devel
For Either RHEL or SLES:
– rpm -qa | grep 'gcc-\|make-\|kernel-.*-devel'
Or Without the Package Utilities (in case of manual installation of this stuff):
– gcc -v
– make -v
– ls /usr/src/kernels or ls /usr/src/linux-*
Compiling Your Own KTAP – Prerequisites – RHEL
Compiling Your Own KTAP – Prerequisites – Either RHEL or SLES (Teradata SLES instance example below)
Compiling Your Own KTAP – Prerequisites – No rpm/yum/yast
Compiling Your Own KTAP – Compilation
The Pre-requisites are the hard part (more on that later). Compiling is easy – just run the regular installer or deploy through the GIM changing nothing
Standalone Install: (screenshot)
GIM Install Will Work but Will Show No Indication Custom Compilation has occurred – Check <install_dir>/KTAP/current/ktap_install.log
Taking Your New KTAP to Other Systems
Standalone Install:
– Run guard_ktap_append_modules and take the new *.tgz file that results and feed it into the command:
• guard_ktap_loader retry <tgz_file>
Taking Your New KTAP to Other Systems
GIM Install:
– You Create Your Very Own GIM Package:
Taking Your New KTAP to Other Systems: GIM
1) Install GIM as Normal with Option STAP_UPLOAD_FEATURE=1
2) KTAP is Compiled Behind the Scenes
3) STAP Sends new KTAP to Collector
Taking Your New KTAP to Other Systems: GIM
4) Package New .gim File With grdapi call:
sha256sum:
grdapi call (make_bundle_with_uploaded_kernel_module)
Taking Your New KTAP to Other Systems: GIM
5 a) SCP New GIM Modules to a Server You Have Access To
Find the new GIM package file: diag -> System Interactive Queries -> List Folder /var/dump
Taking Your New KTAP to Other Systems: GIM
5 b) SCP New GIM Modules to a Server You Have Access To: Use “export file” cli command
6) Retrieve the GIM file, upload to your gim server, and deploy to other servers
Kernel Updates
If the kernel of the database server you are monitoring gets updated, a new KTAP needs to be loaded
After a kernel update, you will see your STAPs suddenly convert from KTAP STAPs to TEE STAPs:
Recovery:
– Standalone installs: use guard_ktap_loader or reinstall (no reboot required for reinstall since KTAP is not loaded)
– GIM Installs: Redeploy the KTAP through the GIM
Kernel Updates – Avoiding Disruption
The KTAP gets kicked out on kernel update, but the STAP processes will also try to reload it at the first boot of that kernel
This self-reloading after kernel update relies on there being a KTAP module available to load into the new kernel version
Best way you can help ensure a reduction in service disruptions – When new KTAP modules are released onto Fix Central, update your KTAPs even though they might currently be loaded – it will make the new KTAPs available on the server in case of a future update
OR, even better if it’s possible, get gcc, make, and ask that the kernel development packages for each new kernel be deployed prior to the update – the KTAP will automatically compile and load on the new kernel version
Summary
Before you deploy!
– Get the Kernel Version
– Figure out if you have a KTAP that will load with Flex Loading
If there is no KTAP for your kernel, try:
– See if you can get the pre-requisites installed on the target server, or failing that on a less critical server that has the same kernel version
– Consider Sandboxing in Your Own Environment
If there is no way to do that, open a PMR and get one compiled
– Expect a 2 week delay
For maintenance
– Keep your KTAP bundles up-to-date
– Try and find out ahead of time when kernel updates are going to occur
(Time Permitting) Notes on Sandboxing in RHEL
Installing Compilers and Kernel Development packages can be controversial for security reasons – even in UAT (might be able to get it done in a dev. env.)
The good news is, because these are relatively open platforms, sandboxing is possible
For instance, you can build a RHEL Server-Like environment locally on your machine
– Installing a Hypervisor
– Creating a CentOS VM at the Version You are Looking for
– Installing gcc and make
– Pulling down the right kernel and kernel-dev rpms from the CentOS package libraries
– Installing the STAP and having it compile the KTAP
Sandboxing Example (2.6.18-400.1.1.el5.x86_64):
Good, free hypervisors are available:
– Windows: VirtualBox or VMware Player
– Linux: kvm, xen
Then you just need RHEL, but CentOS will also work and should provide fully compatible KTAPs and doesn’t require a license – great for sandboxing
After you have the OS laid down, you just need to download the pre-requisites and install a new STAP
All the software you need for all RedHat/CentOS versions is at:
– http://vault.centos.org and/or
– http://mirror.centos.org
Sandboxing Example (2.6.18-400.1.1.el5.x86_64) cont’:
Installing make (but it’s already on most installs by default)
Sandboxing Example (2.6.18-400.1.1.el5.x86_64) cont’:
Installing gcc
Sandboxing Example (2.6.18-400.1.1.el5.x86_64) cont’:
Kernel Development Packages
Sandboxing Example (2.6.18-400.1.1.el5.x86_64) cont’:
The Kernel Itself
Sandboxing Example (2.6.18-400.1.1.el5.x86_64) cont’:
Sandbox!
For more information
InfoSphere Guardium YouTube Channel – includes overviews and technical demos
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes content and links to a myriad of sources, articles, and announcements of future tech talks)
Guardium Knowledge Center
InfoSphere Guardium Virtual User Group. Open, technical discussions with other users.
Send a note to [email protected] if interested.
Thank you (Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję)