InfoSphere® Guardium® Tech Talk

Managing Your Linux K-TAPs

John Haldeman, Practice Lead, Information Insights, LLC

Rich Jerrell, Lead Developer, IBM

© 2015 IBM Corporation


Post on 27-Jan-2020


IBM Security


Logistics

This tech talk is being recorded. If you object, please hang up and leave the webcast now.

We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o

You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.

We’ll try to answer questions in the chat or address them at speaker’s discretion.

– If we cannot answer your question, please do include your email so we can get back to you.

When speaker pauses for questions:

– We’ll go through existing questions in the chat


Reminder: Next InfoSphere Guardium Tech Talk

Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Overview of InfoSphere Guardium Encryption for DB2 and IMS Databases

Speaker: Ernie Mancill

Date/Time: Thursday, February 12 at 830PT, 1130ET

Register: https://ibm.biz/BdELhg


Guardium community on developerWorks

bit.ly/guardwiki


Agenda

STAP Architecture

Differences in Linux and UNIX Kernels

Deployment – Getting Your KTAPs to Load

Maintenance – Preventing your KTAPs from getting Kicked Out (Kernel Updates)

(Time Permitting) Tips on Sandboxing for RHEL if you need to

This is Kernel TAP


How Database Traffic Gets Audited

[Diagram labels: Database Client; Database Server; STAP; Guardium Collector; Sniffer; callout: Today’s focus]

Client requests information from DB Server

DB Server responds with appropriate information

STAP makes a copy of information and sends to Guardium collector

Sniffer analyzes, parses then logs appropriate data to the internal repository


Architecture

[Diagram labels: User space; Kernel space; Applications; DB configured for Encrypted Traffic; Unencrypted DB; STAP; ATAP; PCAP; OS; OS Libraries; OS Kernel; Kernel Modules (KTAP)]


PCAP – Packet Capture

Standard system library used by tcpdump

Only captures TCP traffic

Configured via devices= line in guard_tap.ini

Advantages

• No kernel component

Disadvantages

• Cannot capture non-TCP traffic

• May not be able to capture local traffic

• Higher performance impact than KTAP

• Does not support firewall, terminate, or redaction


ATAP – Application TAP

Enables capturing shmem traffic for DB2 and Informix on Linux

Exit mechanism is alternative solution for DB2

Intercepts decrypted traffic

Needs to be configured and activated for each database individually

Activate and deactivate can only be done with the instance down

Communicates to STAP via KTAP


KTAP – Kernel TAP

Kernel module that enables capturing multiple types of database traffic

Lower system impact than PCAP

Module is tightly coupled to the kernel version

Flex loading permits one module to fit multiple kernel versions when the internal changes between versions are not significant

Local linking of the KTAP is now possible with version 9, significantly reducing time to support a new kernel


STAP – Software TAP

User space daemon

Normally runs as root

Reads data from KTAP and sends to the appliance

Uses PCAP library, if configured, for TCP traffic

Handles requests from KTAP about UID chains, firewall verdicts, ports, etc.


KTAP loader

Runs during installation and at boot

If a kernel is running that hasn’t loaded the KTAP before, it searches for a matching module and loads it


UNIX/Linux Differences

UNIX (AIX, HP-UX, Solaris)

– Kernel relatively stable between version level updates of the OS

– Once the STAP is installed, your KTAPs are probably safe unless you perform a major update (e.g. from AIX 6.1 to 7.1)

Linux

– Kernel updates frequently

– There are a lot of kernel versions

– Which KTAP is used depends on the kernel version installed

– This dependency in Linux is what this presentation is all about

This presentation focusses on Guardium’s RHEL and SLES support

http://www.unix.org/license-plate.html


Deployment

1. KTAPs are a Very Important Part of the STAP

2. Different KTAPs are used for Different Kernel Versions

3. New Kernel Versions Get Released All the Time

New KTAPs are released all the time. Use the latest KTAP bundles to help maximize your chances of success. Each bundle contains the KTAPs but also, conveniently, an installer script and a GIM package for you to use

[Screenshot labels: Most Recent KTAPs for RHEL5; Most Recent KTAPs for RHEL6; CSV/Text file containing list of all current KTAPs]


Deployment Failure – No KTAP for Kernel

Standalone Install:

GIM Install:


What to do Next: Check to Make Sure You Enabled Flex Loading (AKA Module Combos)

Flex Loading loads a KTAP that is not the exact match of your Kernel Version

It loads an untested kernel/KTAP combination which works almost all of the time – but not guaranteed

The KTAP is only loaded if a “Close Fitting Module” is found

It happens to be extremely helpful to know ahead of time if the KTAP is going to load or not

– Nobody likes failed scheduled changes

– You may need to know sooner rather than later so that you can request a KTAP or arrange for one to be compiled


What to do Next: Check to Make Sure You Enabled Flex Loading (AKA Module Combos)

How to Enable Flex Loading:

– Standalone Installs: add “--ktap_allow_module_combos” to installer options. For example:

./guard-stap-9.0.0_r64382_v90_1-rhel-5-linux-x86_64.sh -- --ni -k --dir /usr/local --tapip 192.168.140.131 --sqlguardip 192.168.140.101 --ktap_allow_module_combos

– GIM Installs: Set the Parameter during Install/Update

Note: If you forgot these flags originally, it is easy enough just to reinstall the STAP at this point, as the component that requires you to reboot the machine, the KTAP, is not loaded. So, if your KTAP did not load, go ahead and uninstall/reinstall if you like

– It should not require a reboot

– Always check to make sure that the KTAP is not loaded with “lsmod | grep tap” before you uninstall and force a reboot unintentionally!


RHEL: Will It Load!?!? (with Flex Loading)

Step 1: The Price is Right Rule

– Find The Closest Matching KTAP for Your Kernel Without Going Over

– To Find Your Kernel Version Execute: uname -a (or uname -r)

– The List of Currently Available KTAPs can be Found on Fix Central

Step 2: The Connect Four Rule

– If the first four numbers of the kernel version for the module you picked in step 1 matches the kernel version for your kernel, the guard_ktap_loader will attempt to load that KTAP into the kernel


RHEL: Will It Load!?!? Example

Step 1: Closest Without Going Over

– Running uname -a on the database server outputs:

Linux kernel.infoinsightsllc.com 2.6.18-400.el5 #1 SMP Thu Dec 4 12:48:38 EST 2014 x86_64 x86_64 x86_64 GNU/Linux

– Looking in the CSV File That Contains the KTAPs:

SUPPORTED OS KERNEL LEVEL (uname -r)    KTAP MODULE
……..
2.6.18-348.6.1.el5                      2.6.18-348.el5-x86_64-SMP.ko
2.6.18-348.el5                          2.6.18-348.el5-x86_64-SMP.ko
2.6.18-371.1.2.el5                      2.6.18-371.el5-x86_64-SMP.ko
2.6.18-371.3.1.el5                      2.6.18-371.3.1.el5-x86_64-SMP.ko
2.6.18-371.3.1.el5                      2.6.18-371.el5-x86_64-SMP.ko
2.6.18-371.6.1.el5                      2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.8.1.el5                      2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.9.1.el5                      2.6.18-371.6.1.el5-x86_64-SMP.ko
2.6.18-371.el5                          2.6.18-371.el5-x86_64-SMP.ko
2.6.18-53.1.13.el5                      2.6.18-53.1.13.el5-x86_64-SMP.ko
2.6.18-53.1.14.el5                      2.6.18-53.1.14.el5-x86_64-SMP.ko
2.6.18-53.1.19.el5                      2.6.18-53.1.19.el5-x86_64-SMP.ko
……..


RHEL: Will It Load!?!? Example

Step 2: Connect Four

– Compare the First Four Numbers in Your Kernel:

• 2.6.18-400

– To the Closest Match You found (without going over):

• 2.6.18-371

– Do They Match? NO!

– Flex Loading Will Not Load a KTAP and Your Options Are:

1. Open a PMR and request a new KTAP or

2. Compile Your Own
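
The two RHEL rules above (closest without going over, then the first four numbers) can be pre-checked before a change window. The Python below is an added example, not Guardium code and not the logic of guard_ktap_loader; it assumes RHEL-style release strings and module file names in the form shown in the KTAP list, and the function names are hypothetical. It also compares the dist tag (el5 versus el5xen) so that xen and regular kernels are never matched against each other.

```python
import re

# Matches a RHEL kernel release as printed by `uname -r`, or a KTAP module
# file name in the form shown in the KTAP list
# (for example 2.6.18-371.el5-x86_64-SMP.ko).
_RELEASE = re.compile(r"^(\d+(?:[.-]\d+)*)\.(el\d+\w*)")

# Module names copied from the table excerpt on the slide (not the full list).
KTAP_MODULES = [
    "2.6.18-348.el5-x86_64-SMP.ko",
    "2.6.18-371.el5-x86_64-SMP.ko",
    "2.6.18-371.3.1.el5-x86_64-SMP.ko",
    "2.6.18-371.6.1.el5-x86_64-SMP.ko",
    "2.6.18-53.1.13.el5-x86_64-SMP.ko",
    "2.6.18-53.1.14.el5-x86_64-SMP.ko",
    "2.6.18-53.1.19.el5-x86_64-SMP.ko",
]


def parse_release(text):
    """Return (numeric fields as a tuple of ints, dist tag such as 'el5')."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError("not a RHEL kernel release: %r" % text)
    numbers = tuple(int(n) for n in re.split(r"[.-]", m.group(1)))
    return numbers, m.group(2)


def will_flex_load(running, modules):
    """Apply the two slide rules to a running kernel and a module list.

    Returns the module name flex loading would be expected to try,
    or None when no close fitting module exists.
    """
    run_nums, run_tag = parse_release(running)
    candidates = []
    for name in modules:
        nums, tag = parse_release(name)
        # Like for like only: an el5xen kernel cannot use an el5 module.
        # Step 1 (Price is Right): discard anything newer than the kernel.
        if tag == run_tag and nums <= run_nums:
            candidates.append((nums, name))
    if not candidates:
        return None
    nums, name = max(candidates)  # closest without going over
    # Step 2 (Connect Four): the first four numbers must be identical.
    if len(run_nums) >= 4 and nums[:4] == run_nums[:4]:
        return name
    return None


if __name__ == "__main__":
    for kernel in ("2.6.18-400.el5", "2.6.18-371.9.1.el5",
                   "2.6.18-348.3.1.0.1.el5xen"):
        print(kernel, "->", will_flex_load(kernel, KTAP_MODULES))
```

A result of None corresponds to the slide's outcome: request a KTAP through a PMR or compile one. Because flex-loaded combinations are untested, a non-None result is an expectation to confirm in a sandbox, not a guarantee.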


SLES: Will It Load!?!? (with Flex Loading)

SLES Has a Simpler Rule:

Find the original kernel version of the SLES version and service pack you are running – Load into all kernels in the service pack with that KTAP

– https://wiki.novell.com/index.php/Kernel_versions

For example, if you are running SLES 11 SP3, look for a KTAP corresponding to 3.0.76-0.11.1

– For any kernel in SLES11 SP3, load that KTAP


Will It Load!?!? Special Notes

Make sure you are comparing apples to apples. For example, the following kernel versions need different KTAPs because xen kernels are different from regular SMP kernels, even though they seem to be so similar:

– kernel-2.6.18-348.3.1.0.1.el5xen Needs Different KTAPs than

– kernel-2.6.18-348.3.1.0.1.el5

These rules change often. For example, up until sometime in 2013 flex loading was disabled for Teradata (specialized SUSE) Linux kernels – now it is available and follows the same rules as regular SLES kernels

When in doubt, sandbox it or make sure you have the pre-requisites to compile instead (tips on that provided later)


Compiling Your Own KTAP – Prerequisites

What the Manual Says You Need:

– The gcc Compiler

– Make v3.81+

– Kernel Development Packages

For RHEL, you can find out if you have them using yum:

– yum list gcc

– yum list make

– yum list kernel-devel

For Either RHEL or SLES:

– rpm -qa | grep 'gcc-\|make-\|kernel-.*-devel'

Or Without the Package Utilities (in case of manual installation of this stuff):

– gcc -v

– make -v

– ls /usr/src/kernels or ls /usr/src/linux-*


Compiling Your Own KTAP – Prerequisites – RHEL

Compiling Your Own KTAP – Prerequisites – Either RHEL or SLES (Teradata SLES instance example below)

Compiling Your Own KTAP – Prerequisites – No rpm/yum/yast


Compiling Your Own KTAP – Compilation

The Pre-requisites are the hard part (more on that later). Compiling is easy – just run the regular installer or deploy through the GIM changing nothing

Standalone Install:

GIM Install Will Work but Will Show No Indication Custom Compilation has occurred – Check <install_dir>/KTAP/current/ktap_install.log


Taking Your New KTAP to Other Systems

Standalone Install:

– Run guard_ktap_append_modules and take the new *.tgz file that results and feed it into the command:

• guard_ktap_loader retry <tgz_file>

GIM Install:

– You Create Your Very Own GIM Package:

1) Install GIM as Normal with Option STAP_UPLOAD_FEATURE=1

2) KTAP is Compiled Behind the Scenes

3) STAP Sends new KTAP to Collector

4) Package New .gim File With grdapi call:

sha256sum:

grdapi call (make_bundle_with_uploaded_kernel_module)

5 a) SCP New GIM Modules to a Server You Have Access To

Find the new GIM package file: diag System Interactive Queries ListFolder /var/dump

5 b) SCP New GIM Modules to a Server You Have Access To: Use “export file” cli command

6) Retrieve the GIM file, upload to your GIM server, and deploy to other servers


Kernel Updates

If the kernel of the database server you are monitoring gets updated, a new KTAP needs to be loaded

After a kernel update, you will see your STAPs suddenly convert from KTAP STAPs to TEE STAPs:

Recovery:

– Standalone installs: use guard_ktap_loader or reinstall (no reboot required for reinstall since KTAP is not loaded)

– GIM Installs: Redeploy the KTAP through the GIM


Kernel Updates – Avoiding Disruption

The KTAP gets kicked out on kernel update, but the STAP processes will also try and reload itself at the first boot of that kernel

This self-reloading after kernel update relies on there being a KTAP module available to load into the new kernel version

Best way you can help ensure a reduction in service disruptions – When new KTAP modules are released onto Fix Central, update your KTAPs even though they might currently be loaded – it will make the new KTAPs available on the server in case of a future update

OR, even better if it’s possible, get gcc, make, and ask that the kernel development packages for each new kernel be deployed prior to the update – the KTAP will automatically compile and load on the new kernel version


Summary

Before you deploy!

– Get the Kernel Version

– Figure out if you have a KTAP that will load with Flex Loading

If there is no KTAP for your kernel, try:

– See if you can get the pre-requisites installed on the target server, or failing that on a less critical server that has the same kernel version

– Consider Sandboxing in Your Own Environment

If there is no way to do that, open a PMR and get one compiled

– Expect a 2 week delay

For maintenance

– Keep your KTAP bundles up-to-date

– Try and find out ahead of time when kernel updates are going to occur


(Time Permitting) Notes on Sandboxing in RHEL

Installing Compilers and Kernel Development packages can be controversial for security reasons – even in UAT (might be able to get it done in a dev. env.)

The good news is, because these are relatively open platforms, sandboxing is possible

For instance, you can build a RHEL Server-Like environment locally on your machine

– Installing a Hypervisor

– Creating a CentOS VM at the Version You are Looking for

– Installing gcc and make

– Pulling down the right kernel and kernel-dev rpms from the CentOS package libraries

– Installing the STAP and having it compile the KTAP


Sandboxing Example (2.6.18-400.1.1.el5.x86_64):

Good, free hypervisors are available:

– Windows: VirtualBox or VMware Player

– Linux: kvm, xen

Then you just need RHEL, but CentOS will also work and should provide fully compatible KTAPs and doesn’t require a license – great for sandboxing

After you have the OS laid down, you just need to download the pre-requisites and install a new STAP

All the software you need for all RedHat/CentOS versions is at:

– http://vault.centos.org and/or

– http://mirror.centos.org


Sandboxing Example (2.6.18-400.1.1.el5.x86_64) cont’:

Installing make (but it’s already on most installs by default)

Installing gcc

Kernel Development Packages

The Kernel Itself

Sandbox!


For more information

InfoSphere Guardium YouTube Channel – includes overviews and technical demos

developerWorks forum (very active)

Guardium DAM User Group on LinkedIn (very active)

Community on developerWorks (includes content and links to a myriad of sources, articles, and announcements of future tech talks)

Guardium Knowledge Center

InfoSphere Guardium Virtual User Group. Open, technical discussions with other users.

Send a note to [email protected] if interested.
