
LDL0062 DB VA Guardium

Uploaded by

raspi.project13

Lab guide

Guardium database vulnerability assessment
Course code LDL0062X
March 2022 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties
in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All names and references for organizations and other
business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental.
All names and associated information for people in this deliverable’s scenarios are fictional. Any match with a real person is
coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a worldwide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
Firefox is a trademark of the Mozilla Foundation in the US and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware
vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are
trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.

© Copyright International Business Machines Corporation 2022.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Exercises
Virtual lab environment
Exercise 1 Grant appropriate permissions to create and run security assessments
Exercise 2 Create and run a security assessment
Exercise 3 Use the report to harden database and validate assessment
Exercise 4 Creating a test exception

© Copyright IBM Corp. 2022


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercises
Guardium Vulnerability Assessment helps organizations identify and address database
vulnerabilities. The assessment process evaluates and suggests actions to improve the health of
your database environment. Guardium vulnerability assessment can perform the following tasks:
• Assess system configuration, finding potential threats, including configuration and behavioral
risks. Examples include identifying default accounts that are not disabled, checking public
privileges, and checking authentication methods.
• Find inherent vulnerabilities such as missing security fixes.
• Create results reports that provide recommendations and show progress in an action plan.

Guardium vulnerability assessment uses multiple information sources, including direct scanning
and integration with the configuration audit system agent. Guardium provides predefined tests to
selectively add to security assessments, and users can define custom tests as well.

Virtual lab environment


This virtual lab simulates a Guardium environment that contains the following assets:
• Central manager, MA170.example.com
• Collector, C175.example.com
• Db2 database server, osprey.example.com

Important: These exercises are presented in a virtual lab format. A virtual lab is an interactive
simulation of the original virtual machines. A virtual lab is not an actual virtual machine.
Therefore, your interaction opportunities are restricted to the exercise steps with some minor
variance. You use this lab guide, which walks you through usage and responses for the
components that are taught.

You can run the virtual lab multiple times without restriction.

V7.0
Exercise 1 Grant appropriate permissions to create and run security assessments
To create and run security assessments, a Guardium user must have the vulnerability-assess role.
In an environment with multiple managed units and a central manager, the user role must be
granted on the central manager.

In this exercise, you verify that the admin user has the vulnerability assessment role and access to
the vulnerability assessment tools.
1. To start the Guardium GUI, double-click the Firefox icon on the desktop.

A web browser opens with two tabs: One for the central manager, MA170, and one for the
collector, C175. You must change the roles on the central manager.

2. To access the Guardium GUI, log in to MA170 as user accessmgr with password guardium.
The welcome center opens.

3. Click Access > Access Management.

The User Browser opens.

4. To view the roles for user labadmin, click Roles.


The Roles for labadmin are displayed.

5. To enable vulnerability assessment for user labadmin, select the vulnerability-assess role,
and click Save.

6. To log out as user accessmgr, locate the account menu and click Sign Out.

Exercise 2 Create and run a security assessment
After you verify that the Guardium user has the correct role, you create, configure, and run a
security assessment. A security assessment is associated with a datasource or a group of
datasources. Each datasource contains the connection information that Guardium needs to
access and run tests on a database. Add Guardium predefined tests to control what the
assessment checks.

Generally, an assessment is an iterative process. You develop an action plan that prioritizes which
vulnerabilities to concentrate on. The assessment is run periodically, and assessment results
detail the progress in remediating vulnerabilities. After you fix the highest priority problems, you
can address the lower priority tests.

In this exercise, you log in to the collector to create and use the assessment.
1. In the browser, click the IBM Guardium (C175) tab.

The user console for the C175 collector opens.

2. Log in to the Guardium console as user labadmin with password guardium.

3. To begin the assessment, in the left navigation menu, go to Harden > Vulnerability
Assessment > Assessment Builder.

The Security Assessment Finder window opens.

4. To add a test, click the Add icon.

The Security Assessment Builder window opens.

5. For Description, type Lab_VA and click Apply.

6. To add a classification datasource, click Add Datasource.

The Select datasource window opens.

You now create a new datasource for this vulnerability assessment. The datasource provides
Guardium with information to create the database connection that is used to run the
assessment. You must create the datasource even if an S-TAP agent is on the database server.

7. Click the Add icon.

The Create datasource dialog opens.

8. Name the datasource osprey_db2inst1.

9. Select Database type DB2.

The Create datasource dialog displays more options.

10. Type the following information:


– User name: db2inst1
– Password: guardium
– Host name/IP: 192.168.42.179
– Database name: Sample
– Schema: db2inst1
Leave Port as the default value of 50000.

11. Scroll down and click Save.

12. Click Test connection.


The dialog shows the Connection Successful message.

13. Click Close.

The new datasource is displayed in the Select datasource dialog.

14. To select the new datasource, select the checkbox on the left side of osprey_db2inst1 and
click Save.
The datasource is added to the security assessment.

The datasource is listed but Configure Tests is not enabled.

15. To enable Configure Tests, click Apply.


You set up a security assessment and created a datasource for it to use. Now, you specify
which tests the assessment runs.

16. To configure the tests, click Configure Tests.

The Assessment Test Selections window opens.

Vulnerability assessment is an iterative process. Generally, only a subset of high-priority tests
is chosen. After you resolve the security concerns for these tests, you can incorporate lower
priority tests into the assessment. Because this instance is the first time you are running a
vulnerability assessment, you decided to focus on critical tests, and also to not include CAS
tests presently.

17. To filter the tests, select severity Critical and deselect Include CAS.

18. Select the DB2 tab and scroll down.

Critical tests for the IBM Db2 Database are displayed.

19. To select all critical tests, click the first test in the list, scroll down, press the Shift key, and
click the last test on the list.
All of the selected tests are highlighted.

20. Click Add Selections.

The tests are added to the Security Assessment.

21. To return to the Security Assessment Finder window, scroll down and click Return.
The new assessment opens.

22. To run the security assessment, click Run Once Now.

23. On the confirmation window that indicates the test is in the Guardium job queue, click OK.

24. In the left navigation menu, go to Harden > Vulnerability Assessment > Guardium Job
Queue.
The Guardium Job Queue opens.

25. If the job does not have a status of completed, click the Refresh icon.

Note: In a production environment, it might take a few minutes for the job queue to run.

26. View a comprehensive report available through the Security Assessment Builder.
a. In the left navigation menu, go to Harden > Vulnerability Assessment >
Assessment Builder.

b. Lab_VA is auto-selected. Click View Results.

A new window opens with the assessment results.

27. Maximize the window.

28. Explore the various features of the report.
a. Click Filter / Sort Control.

b. In the Show only window, select Fail from the Score column, and click Apply.

Note that the results are filtered to show only assessment failures.

c. To clear the filter, click Reset Filtering.

d. To download a PDF of the security assessment, click Download PDF and click OK to close
the open window. Then, select Open with Document viewer (default) and click OK.

29. To return to the browser version of the report, close the PDF.

Exercise 3 Use the report to harden database and validate assessment
Fixing vulnerabilities is an iterative process. The report provides not only a picture of which tests
failed, but a set of suggested actions to fix the vulnerabilities revealed by the failed tests. After
you apply recommendations, you run the report again to determine which vulnerabilities remain,
repeating the process until your environment complies with organizational standards.

In this exercise, you use the report to harden your database.
1. In the security assessment report, scroll through the assessment test results.

2. Notice that the tests that failed have recommendations, including suggested commands, to fix
the vulnerability.

3. Locate the third and fourth assessment tests with the following names:
– No PUBLIC access to SYSCAT.AUDITPOLICIES and SYSIBM.SYSAUDITPOLICIES
– No PUBLIC access to SYSCAT.AUDITUSE and SYSIBM.SYSAUDITUSE
Note the cause of failure and the recommendations, which include the database commands to
remediate the failures.

4. To access the database server, select the console window.

5. To start a Secure Shell session to the database server, use the following command:
ssh [email protected]

6. For the password, type guardium.


The Secure Shell session starts.

7. To enter the Db2 command environment, use the db2 command.

8. To connect to the database, use the following command:


connect to sample

9. Apply the recommendations from the two tests in step 3. Recommendations often contain two
commands to run, separated by a period. In this case, run them as two separate commands.
This example shows one long command:
REVOKE ALL ON SYSCAT.AUDITPOLICIES FROM PUBLIC. REVOKE ALL ON SYSIBM.SYSAUDITPOLICIES FROM PUBLIC

Instead, run each command separately and remove the periods at the end:
REVOKE ALL ON SYSIBM.SYSAUDITPOLICIES FROM PUBLIC
REVOKE ALL ON SYSCAT.AUDITPOLICIES FROM PUBLIC
REVOKE ALL ON SYSCAT.AUDITUSE FROM PUBLIC
REVOKE ALL ON SYSIBM.SYSAUDITUSE FROM PUBLIC

Now you run the security assessment again to see how your remediation efforts affect the
assessment results.

10. To return to Guardium, select the IBM Guardium (C175) tab in the taskbar.
The Security Assessment Finder opens.

11. To begin the second assessment, click Run Once Now.

12. On the confirmation window that indicates the test is in the Guardium job queue, click OK.

13. In the left navigation menu, go to Harden > Vulnerability Assessment > Guardium Job
Queue.

14. To view the results, go to Harden > Vulnerability Assessment > Assessment Builder.
The Security Assessment Finder opens.

15. To view the results of the assessment, click View Results.

The new security assessment report opens.

The result summary shows an improvement in the pass rate. The Assessment Result History
graph displays the progress.

16. To filter the results to show only tests that have a status of Pass, click Filter / Sort Controls.

The Show only page opens.

17. To configure the filter, from the Score column, select Pass, and click Apply.

18. Scroll down and view the details of the vulnerabilities you addressed.

19. To show all results, scroll up and click Reset Filtering.
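
The following shell functions are an added example, not part of the IBM lab guide, for step 9 of this exercise. They split recommendation text at statement boundaries, refuse anything that is not a plain REVOKE ALL ... FROM PUBLIC, and pair each REVOKE with a SYSCAT.TABAUTH query that returns no rows once the privilege is gone. The function names and output file name are hypothetical, and the second sample string is constructed from the statements listed in step 9.

```bash
#!/usr/bin/env bash
# Added example, not from the lab guide. Function names are hypothetical.
# Builds a Db2 CLP script from Guardium recommendation text; save the output
# (for example as revoke_public.sql, an assumed name) and run it on the
# database server with:  db2 -tvf revoke_public.sql

# Print one statement per line. A period ends a statement only when
# whitespace follows it, so the period inside a qualified name such as
# SYSCAT.AUDITPOLICIES is kept. Line wraps in pasted text are joined.
split_recommendation() {
    printf '%s\n' "$1" | tr '\n' ' ' | awk '{
        n = split($0, part, /\.[ \t]+/)
        for (i = 1; i <= n; i++) {
            s = part[i]
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            if (s != "") print s
        }
    }'
}

# Write the CLP script to stdout. Only "REVOKE ALL ON schema.object FROM
# PUBLIC" is accepted; any other statement aborts with status 1 and no output.
# Each REVOKE is followed by a catalog query that returns no rows once
# PUBLIC holds no privilege on the object.
emit_clp_script() {
    local out text stmt target nl
    nl='
'
    out='CONNECT TO sample;'
    for text in "$@"; do
        while IFS= read -r stmt; do
            [ -n "$stmt" ] || continue
            # Unquoted Db2 identifiers fold to upper case, as in the catalog.
            stmt=$(printf '%s' "$stmt" | tr '[:lower:]' '[:upper:]')
            case $stmt in
                "REVOKE ALL ON "*" FROM PUBLIC") ;;
                *) echo "refused: $stmt" >&2; return 1 ;;
            esac
            target=${stmt#"REVOKE ALL ON "}
            target=${target%" FROM PUBLIC"}
            # The object must be exactly SCHEMA.NAME with plain characters.
            case $target in
                *[!A-Z0-9_.]* | *.*.* | .* | *.) echo "refused: $stmt" >&2; return 1 ;;
                *.*) ;;
                *) echo "refused: $stmt" >&2; return 1 ;;
            esac
            out="$out$nl$stmt;"
            out="$out${nl}SELECT GRANTEE, TABSCHEMA, TABNAME FROM SYSCAT.TABAUTH"
            out="$out WHERE GRANTEE = 'PUBLIC' AND TABSCHEMA = '${target%%.*}'"
            out="$out AND TABNAME = '${target#*.}';"
        done <<EOF
$(split_recommendation "$text")
EOF
    done
    printf '%s\nCONNECT RESET;\n' "$out"
}

# Recommendation text as pasted from the report (first string as in step 9,
# line wrap included; second string constructed from the listed statements).
emit_clp_script \
    'REVOKE ALL ON SYSCAT.AUDITPOLICIES FROM PUBLIC. REVOKE ALL ON
SYSIBM.SYSAUDITPOLICIES FROM PUBLIC' \
    'REVOKE ALL ON SYSCAT.AUDITUSE FROM PUBLIC. REVOKE ALL ON SYSIBM.SYSAUDITUSE FROM PUBLIC.'
```

The splitter assumes that no statement contains a period followed by whitespace inside a string literal, which holds for the REVOKE recommendations shown in this exercise.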

Exercise 4 Creating a test exception


Sometimes you want an assessment test to apply generally to your environment, but you want to
create an exception. For example, the test might require that no database users have a particular
role, but some users need or require that role. In this situation, you can create a test exception.
The test runs, but allows the exception. The exception is documented in the test results.

In this exercise, you create an exception and view the results.


1. In the Assessment Test Results section, scroll down and locate the Db2 Roles granted to PUBLIC
test.

2. Click Db2 Roles granted to PUBLIC.

A new window opens with the test details.

3. Click Create Test Details Exception.


The Add to test details exception list dialog opens.

4. Select SYSTS_USR.

The Add Exception link is enabled.

5. Click Add exception.


The Add exception for selected test details dialog opens.

6. Click the End date calendar icon and choose the date 2/28/2025.

7. For End date time, choose 1:00 AM.

8. For Justification, type Demonstration.

9. Click Save.

10. Close the confirmation dialog.

11. In the Add to test details exception list, click Close.

The Db2 Roles granted to PUBLIC report details window now displays the test exception.

12. Close the Db2 Roles granted to PUBLIC details window.


This concludes the lab exercises.
