[Type here]

IBM Security
Guardium Data Encryption v3.0
Hands-on lab

Lab 1: Standard File Encryption

IBM Security IBM Security Guardium

Table of Contents
1. Guardium Data Encryption (GDE) 8
1.1 Overview 8
1.2 Introduction 8
GDE Agent 8
GDE server 8
1.3 Requirements 9
GDE Server 9

2. Hands-on Lab Objectives 9

2.1 Skytap Sharing Portal 9
2.2 VM Credentials 10
2.3 Connectivity check from Agent VM to DSM VM 10
2.4 Connectivity check from DSM VM to Agent VM 10
3. DSM Management 11
3.1 Domain and User Configuration 11
Default Admin User 12
Domain administrator 14
Security administrator 15
Domains and Domain-User Mapping 16
Add secadmin to the demodom security domain 17
Testing the Security Administrator login 19
3.2 GDE Agent Registration 19
Registration Shared Secret 20
Agent Registration – Adding the agent host 20
Start the GDE agent service 24
Agent Registration – Verification 24
3.3 Policy Overview 25
3.4 Key Overview 25
Create an encryption key to be used for a policy 25

4. Create a policy for file encryption 26

4.1 File Encryption Policy for sensitive files 28
4.2 Adding Security Rules in a Policy 29
Adding a catch-all rule to the policy 29
Scenario 1: Adding a rule that governs the VI editor 31
Scenario 2: Adding a rule to govern the cat process 34
Alter policy to add a rule for root user 38
Reordering the rules in a policy 42
Selecting an Encryption Key for a Policy 42

5. Encrypting data – the basics 44

5.1 Create a guard point and apply a policy 45

Guardium Data Encryption (GDE) Hands-on Lab Page 6

IBM Security IBM Security Guardium

5.2 Test policy actions 48

Accessing the guard point on the Agent Host 49
Verify the audit records on GDE Server 51
Preventing unauthorized accesses via su connection sessions 51

Guardium Data Encryption (GDE) Hands-on Lab Page 7

IBM Security IBM Security Guardium

1. Guardium Data Encryption (GDE)

1.1 Overview
The goal of this hands-on-lab is to be a guide to getting started with IBM Security Guardium Data
Encryption (GDE). This lab will demonstrate how to setup a GDE policy and encrypt any files on a file
system.

1.2 Introduction
The GDE solution is composed of two software components, the GDE server and the GDE agent. The
GDE agent is installed on the server where the sensitive data is hosted and is responsible for encryption
as well access control to the data. (Refer to the licensing section for details on GDE server and agent
licensing) The GDE Server is the central management piece of the solution and is responsible for
managing the application of security policies, keys, audit logs, and administration roles of the overall
solution. (Note: The GDE Server may also be referred to as the Data Security Manager, DSM)

GDE Agent

In GDE 3.0, there is only one agent type, the file system (FS) agent. It is used for encrypting files as well
as volumes (block devices). It can also be used for controlling access to files or the file system of the
protected host, including database backing stores. Fine-grained controls over file operations is possible
and allows for both specificity as well as flexibility while designing encryption and access control policies
for protecting a given environment based on its set of security requirements.

GDE agents come in different installation binaries depending on the target host operating system. At the
time of writing, GDE 3.0 agents are supported on RHEL6.x and RHEL 7.x, 64-bit; SLES 11 SP2+ and
SLES12, 64- bit and Windows: 32-bit and 64-bit. For most updated support compatibility matrix and GDE
downloads, visit https://support.vormetric.com/gde.
The GDE agent resides on the host, protecting data on the host. The agent receives policies and keys as
defined by the security administrator from the GDE Server and enforces those policies on the host it is
protecting.

Note:

GDE agent installation is not covered in this lab. The Skytap environment that we use for this lab has
GDE agent binaries pre-installed. This lab however, will perform an agent registration with a GDE DSM
server and establish the client-server communication.

GDE server

The GDE Server (aka DSM – Data Security Manager) creates, stores and manages the policies that
protect data residing on host servers. It also centrally manages encryption keys that are being used to
encrypt data. The GDE Server is managed by administrators who access it through a browser-based
user interface called the Management Console. Policies are created, stored and managed by GDE

Guardium Data Encryption (GDE) Hands-on Lab Page 8

IBM Security IBM Security Guardium

Appliance administrators. GDE Appliance administrators specify data access policies, create new
administrators and administrative domains, generate usage reports, register new hosts, and access
security logs.

1.3 Requirements
The following GDE server and agent installation requirements are based upon version v3.0. Any previous
version of the product 1.1.x to 2.x has reached product end of support.

GDE Server

The GDE Server is delivered as a virtual appliance in the .ova format (e.g. vDSM_dsm-6.0.1.####.ova).
This is deployed to a hypervisor. The default configuration of the appliance is:
• OS: hardened OS based on CentOS Linux • 4 CPU
• 4GB RAM
• 250 GB disk space

The actual amount of disk space required to install the Security Server software is considerably less
when thin-provisioned. However, if plenty of space is available, the “Thick Provisioned Lazy Zeroed”
option is more useful. The extra space is used to accommodate log files, which can quickly proliferate
and consume large amounts of disk space. This requirement comprises all the directories used by the
Security Server, including /opt/vormetric, /var/log and /tmp.

The hypervisor should have enough resources to be able to deploy the virtual appliance for the expected
agent capacity. Some features require more memory (e.g. Luhn checksumming for tokenization) and are
not covered in this lab. See the Notes section below for specifics and caveats for this lab's environment.

2. Hands-on Lab Objectives

In this lab, you will learn:
1. How to log onto Guardium Data Encryption (GDE) server
2. How to create users and security domains on GDE server
3. Overview of encryption keys and policies
4. Standard file encryption
5. Add an agent server to GDE to be protected
6. How to create encryption policies for protecting data at rest
7. Verifying encrypted files scenario

2.1 Skytap Sharing Portal

This lab works with the following Skytab Lab Environment:
• GDE v3 Standard File Encryption || 002 || INSTANCE

Please make sure you have access to the Skytap Environment before starting the lab.

Guardium Data Encryption (GDE) Hands-on Lab Page 9

IBM Security IBM Security Guardium

2.2 VM Credentials
Login credentials to the VMs involved in this hands-on lab are listed as follows:
VM IP address Username Password
gde3-dsm-vm (GDE 10.10.9.240 (CLI) cliadmin Skyt@p123
Server / DSM)
(GUI) admin Skyt@p123
osprey (agent server) 10.10.9.56 root guardium
vip guardium
gdeuser guardium

Before starting the lab, it is advised that you do a connectivity test between both the GDE Server and
GDE agent VMs. To do so, login to each VM and do a ping test of each other.

2.3 Connectivity check from Agent VM to DSM VM

1. Login to data server osprey (10.10.9.56) with username root and password guardium.

2. Right click on desktop and select Open Terminal to launch Terminal window.

3. Ping DSM VM using the following command. Press Ctrl+c to stop. Make sure at least one
packet is received.
[root@osprey ~]# ping gde3-dsm-vm
PING gde3-dsm-vm (10.10.9.240) 56(84) bytes of data.
64 bytes from gde3-dsm-vm (10.10.9.240): icmp_seq=1 ttl=64 time=3.79 ms
64 bytes from gde3-dsm-vm (10.10.9.240): icmp_seq=2 ttl=64 time=0.268 ms
64 bytes from gde3-dsm-vm (10.10.9.240): icmp_seq=3 ttl=64 time=2.06 ms
^C
--- gde3-dsm-vm ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.268/2.044/3.799/1.442 ms

2.4 Connectivity check from DSM VM to Agent VM

1. Log in to GDE DSM VM command line interface using username cliadmin and password
Skyt@p123.

2. Enter network for network command options. Optionally, enter “?” at any time on the DSM
server for a list of available command options.
Welcome to the Vormetric Data Security Manager.

gde3-dsm-vm login: cliadmin

Password: Skyt@p123

Guardium Data Encryption (GDE) Hands-on Lab Page 10

IBM Security IBM Security Guardium

Last login: Fri Mar 1 14:20:29 2019

0000:dsm$ network
0001:network$ ?
ip Interface configuration
dns Set the DNS servers
host Configure /etc/hosts file
ssh Enable SSH port
ping Ping ip address or hostname
traceroute Trace route to ip address or hostname
rping Send ARP request to a neighbour host
arp Manipulate the system ARP
checkport Check port with nc
nslookup DNS lookup
up Return to previous menu
exit Exit

3. Ping the GDE agent server VM (osprey) using the ping command. Make sure at least one
network packet is received.
0001:network$ ping osprey
PING osprey (10.10.9.56) 56(84) bytes of data.
64 bytes from osprey (10.10.9.56): icmp_seq=1 ttl=64 time=1.66 ms
64 bytes from osprey (10.10.9.56): icmp_seq=2 ttl=64 time=0.245 ms
64 bytes from osprey (10.10.9.56): icmp_seq=3 ttl=64 time=0.270 ms
64 bytes from osprey (10.10.9.56): icmp_seq=4 ttl=64 time=0.261 ms
64 bytes from osprey (10.10.9.56): icmp_seq=5 ttl=64 time=0.302 ms
64 bytes from osprey (10.10.9.56): icmp_seq=6 ttl=64 time=0.308 ms

--- osprey ping statistics ---

6 packets transmitted, 6 received, 0% packet loss, time 5001ms
rtt min/avg/max/mdev = 0.245/0.508/1.665/0.518 ms
ping SUCCESS
0002:network$

3. DSM Management

3.1 Domain and User Configuration

Security domains are silos of security administration. It allows for large organizations that may desire or
need separation of security administration to configure different users to have security roles only within
their participating domain of security.

In this section, we will create a domain as a logical entity to separate a set of administrators, policies,
and hosts for this lab exercise. In this new domain, we will assign two administrators: Domain

Guardium Data Encryption (GDE) Hands-on Lab Page 11

IBM Security IBM Security Guardium

Administrator who grants users access to this domain, and a Security Administrator who can manage
policies, keys, and hosts within this domain.

Default Admin User

GDE DSM Server comes with a default admin user. The default admin user al

Prerequisite

At this point, all VMs in the GDE Skytap Environment

should have been started up.

1. Switch back to the DataServer osprey RHEL7 VM (if you got logged out, the credentials are root /
guardium).

2. Open Firefox browser from the desktop (or Applications → Favorites → Firefox).

3. In Firefox browser, go to the GDE DSM GUI page at https://gde3-dsm-vm/.

Important!

The URL uses https for secure communication. Be

sure to include the “s” when typing the URL.

4. If prompted with a security certificate warning, select Advanced → Add Exception → Confirm
Security Exception to continue.

The warning message

The browser warning message can be ignored

because there is not external Certificate Authority that
can verify the certificate that was generated during the
generate certificate process. All agent certificates are
validated against the GDE Server which is its own
certificate authority.

Guardium Data Encryption (GDE) Hands-on Lab Page 12

IBM Security IBM Security Guardium

5. At the DSM GUI login screen, login using admin / Skyt@p123.

Guardium Data Encryption (GDE) Hands-on Lab Page 13

IBM Security IBM Security Guardium

6. The default DSM GUI starting page is the Dashboard. Depending on the security administration role
being logged in, a different set of tabs across the top of the page may be displayed.

There are three administrator types System, Domain, and Security.

• System administrators are responsible for adding administrator IDs to the system, configuring the
system’s logging and high availability, and creating domains.
• Domain administrators are responsible for assigning roles to IDs within a domain
• Security administrator are responsible for implementing their assigned roles (i.e. creating keys, creating
polices, managing hosts).

Security administrators perform the more regular routines of implementing encryption on managed
systems.

This section provides sample administrator account names and passwords for illustration purposes.
These IDs and passwords should be changed per organization identity and security requirements.

Domain administrator

7. If you have not yet logged in, log in to the GDE Server GUI as admin / Skyt@p123.

8. Select the Administrators tab, click the Add button to add a new administrator.

9. Create the domain administrator account with the following details and click Ok.
Login = domadmin
Description = domain administrator
Password = Temp@123
User Type = Domain Administrator

Guardium Data Encryption (GDE) Hands-on Lab Page 14

IBM Security IBM Security Guardium

Security administrator

10. Select the Administrators tab and click the Add button.

11. Create the security administrator account with the following details and click Ok
Login = secadmin
Description = Security administrator
Password = Temp@123
User Type = Security Administrator

12. The list of users should be as follows:

Guardium Data Encryption (GDE) Hands-on Lab Page 15

IBM Security IBM Security Guardium

Domains and Domain-User Mapping

13. Click the Domains tab and click the Add button to add a domain for this lab.

14. Enter the following domain information and click the Apply button to create the domain.
Domain Name = skytap
Description = Skytap Lab Domain

15. While still in the Add Domain screen, click the Assign Admin tab, select the radio button for the
domadmin user and click Ok.

Guardium Data Encryption (GDE) Hands-on Lab Page 16

IBM Security IBM Security Guardium

16. The admin account in GDE has the ability to manage users and domains. But it does not have the
privileges to configure policies and data encryption. This enforces the separation of duties. Log out
the admin account by clicking the Log Out link on the top right corner.

Add secadmin to the demodom security domain

The domain administrator domadmin has the responsibility of adding security administrators to the
security domain and assigning them a security role. In this section secadmin will be granted all the
security roles which is not necessarily a model for separation of duties in real life, but will allow for
evaluation of all the security roles.

17. Login as the domain administrator

ID = domadmin
Password = Temp@123

18. Change the password as required

Old Password = Temp@123
New Password = Skyt@p123
Confirm New Password = Skyt@p123

19. Click the Administrators tab to add users to a domain.

Change in tabs
Note the change in number of tabs. As the security
roles changes these tabs will very based upon role.

Guardium Data Encryption (GDE) Hands-on Lab Page 17

IBM Security IBM Security Guardium

20. Click the Add to Domain button.

21. Select secadmin user and select the Audit, Key, Policy, Host, Challenge & Response roles and
click Ok. This provides the secadmin user to have access to the Skytap domain, and with the
privileges to view audit logs, manage keys, policies, hosts, and challenges for the Skytap domain.

Guardium Data Encryption (GDE) Hands-on Lab Page 18

IBM Security IBM Security Guardium

22. Log out by clicking the Log Out link.

Testing the Security Administrator login

23. Login as the security administrator

ID= secadmin
Password = Temp@123

24. Change the password as required.

Old password = Temp@123
New password = Skyt@p123
Confirm New Password = Skyt@p123

3.2 GDE Agent Registration

By now we have all the necessary GDE domains and administrators ready on the GDE Server (aka DSM
appliance) to create policies and keys for encryption on agent hosts. Before we can start the encryption
exercise, we need to register the GDE agent on the data server host with the GDE Server.

The server where the files are being encrypted is called a host. To encrypt files, a GDE agent has to be
installed on a host. Each host that communicates with the GDE DSM Server must be registered. The
registration process produces a digital certificate and exchanges certificates with the host. Digital
certificates have two functions: they allow for encrypted communication between the host and agent and
also provide assurances that the communication is coming from this host.

Before any file encryption can be performed, the file system agent must be installed on the agent host
server. During the installation the agent will attempt to register itself with the GDE DSM server.

There are two methods to register GDE Agents on hosts with the GDE DSM servers – using Fingerprint
registration or Shared Secret Registration. In this lab, we will use the Shared Secret method. Before
registering GDE agent with the host, we will need to create a shared secret to be used first.

Guardium Data Encryption (GDE) Hands-on Lab Page 19

IBM Security IBM Security Guardium

Registration Shared Secret

25. From the GDE DSM GUI, (still logged in as secadmin), go to Hosts → Registration Shared Secret
from the top menu panel to create the shared secret for the registration of the agents.

26. Enter Skyt@p123 as the shared secret, enter a date for the expiration date for the secret and click
Ok.

Agent Registration – Adding the agent host

27. Under the Hosts page, click Add to add a new agent host.

Guardium Data Encryption (GDE) Hands-on Lab Page 20

IBM Security IBM Security Guardium

28. On the Add Host page, enter the following to add the data server (hostname = osprey) to be the
GDE agent host. In this exercise, we are adding osprey as a FS (filesystem encryption) agent host.
Check the communication enabled checkbox to ensure that communication between DSM and GDE
Agent host is enabled.

Hostname = osprey
Description = osprey data server
License Type = TERM
FS = checked
Communication Enabled = checked

29. On the Hosts page, the osprey server is shown as Unknown. The OS Type will be picked up after
the registration is completed on the agent side.

30. Open a Terminal on the agent VM (osprey). On this osprey VM, the GDE agent v3.x is already
installed locally. However, the registration with the DSM has not been done. This is what we will do
in the next step.

31. In the terminal window, change to the GDE directory and enter the following command to register
the osprey data server with the DSM server.
[root@osprey ~]# cd /opt/vormetric/DataSecurityExpert/agent/vmd/bin/
[root@osprey bin]# ./register_host

32. When prompted, enter Y or click Enter to accept the default Y value to continue the registration.
Do you want to continue with agent registration? (Y/N) [Y]: Y

Guardium Data Encryption (GDE) Hands-on Lab Page 21

IBM Security IBM Security Guardium

33. Next, you will be prompted for the primary Security Server hostname. Enter the hostname of the
DSM server and continue.
Please enter the primary Security Server host name: gde3-dsm-vm

You entered the host name gde3-dsm-vm

Is this host name correct? (Y/N) [Y]: Y

34. When prompted to verify the hostname of the data server, verify the osprey hostname matches the
host we added on the DSM previously, and continue with the registration.
Please enter the host name of this machine, or select from the following
list. If using the "fingerprint" registration method, the name you provide must
precisely
match the name used on the "Add Host" page of the Management Console.

[1] osprey
[2] 192.168.122.1
[3] 10.10.9.56

Enter a number, or type a different host name or IP address in manually:

What is the name of this machine? [1]: 1

35. When asked, “Would you like to register to the Security Server using a registration shared secret (S)
or using fingerprints (F)? Enter “S”
You selected "osprey".

Would you like to register to the Security Server using

a registration shared secret (S) or using fingerprints (F)? (S/F) [S]: S

Guardium Data Encryption (GDE) Hands-on Lab Page 22

IBM Security IBM Security Guardium

36. When prompted, enter the same registration shared secret as we setup previously on the DSM.
Registration shared secret = Skyt@p123
Domain name = skytap (the same domain we created previously on DSM)
Host group name = <leave empty> (we did not set up a host group name)
Description of host = osprey data server

What is the registration shared secret? Skyt@p123

Please enter the domain name for this host: skytap
Please enter the host group name for this host, if any:
Please enter a description for this host: osprey data server

Shared secret : *********

Domain name : skytap
Host Group : (none)
Host description : osprey data server
Are the above values correct? (Y/N) [Y]: Y

37. Lastly, when the registration wizard prompts to associate hardware, select N to disable the
functionality as we are using a virtual environment. Complete the registration with the following
responses.
You should see the successful registration messages at the end of the host registration.

It is possible to associate this installation with the hardware of this

machine. If selected, the agent will not contact the DSM or use any
cryptographic keys if any of this machine's hardware is changed. This
can be rectified by running this registration program again.
Do you want to enable this functionality? (Y/N) [Y]: N

Do you want this host to have docker support enabled on the server? (Y/N) [N]: N

Do you want this host to have LDT support enabled on the server? (Y/N) [N]: Y

Generating certificate signing request for the kernel component...done.

Signing certificate...done.
Generating EC certificate signing request for the vmd...done.
Signing certificate...done.
Generating EC certificate signing request for the vmd...done.
Signing certificate...done.
Successfully registered the Vormetric Encryption Expert File System Agent with the
primary
Vormetric Data Security Server on gde3-dsm-vm.

[root@osprey bin]#

Guardium Data Encryption (GDE) Hands-on Lab Page 23

IBM Security IBM Security Guardium

Start the GDE agent service

Before we are able to start encrypting files on the GDE host system, the GDE file system agent service
should be started. Start the GDE file system agent service using the following command as root user:
[root@osprey ~]# systemctl start secfs
[root@osprey ~]# systemctl status secfs
● secfs.service - LSB: secfs
Loaded: loaded (/etc/rc.d/init.d/secfs; bad; vendor preset: disabled)
Active: active (exited) since Mon 2019-03-04 13:04:23 EST; 8s ago
Docs: man:systemd-sysv-generator(8)
Process: 15071 ExecStart=/etc/rc.d/init.d/secfs start (code=exited,
status=0/SUCCESS)

Mar 04 13:04:16 osprey secfs[15071]: Initializing the Vormetric Encryption Expert

File System Agent.
Mar 04 13:04:22 osprey secfs[15071]: Encryption Expert File System Agent
initialized.
Mar 04 13:04:22 osprey secfs[15071]: Starting the Vormetric Encryption Expert File
System Agent.
Mar 04 13:04:22 osprey secfs[15071]: Stopping the secfsd.../etc/rc.d/init.d/secfs:
line 242: stop: command not found
Mar 04 13:04:22 osprey secfs[15071]: done
Mar 04 13:04:22 osprey secfs[15071]: Starting the secfsd...already running
Mar 04 13:04:22 osprey secfs[15071]: Restarting the vmd.../etc/rc.d/init.d/secfs:
line 187: restart: command not found
Mar 04 13:04:22 osprey secfs[15071]: done
Mar 04 13:04:23 osprey secfs[15071]: Vormetric Encryption Expert File System Agent
started.
Mar 04 13:04:23 osprey systemd[1]: Started LSB: secfs.

The configuration of the GDE file system agent software is now complete. The GDE file system agent
needs to be explicitly allowed to communicate with the GDE Server before security administration can
take place. In the next section, we will verify the agent communication.

Agent Registration – Verification

At this point, GDE agent on the agent data server/host is registered with the DSM server. To verify, log
back into the DSM GUI page as the Security Administrator and navigate to the hosts menu. The host
entry should have picked up the OS type instead of showing Unknown previously.
38. Log out of the current user on the DSM GUI page (https://gde3-dsm-vm/) and log back in as
secadmin / Skyt@p123.

39. Navigate to the Hosts page to see the list of registered agent hosts.

Guardium Data Encryption (GDE) Hands-on Lab Page 24

IBM Security IBM Security Guardium

40. Note that the OS type for osprey agent host is now showing as Linux instead of ‘Unknown’ from step
29.

3.3 Policy Overview

Hosts, policies, and keys are the foundational components for implementing encryption. Most
administration tasks involve creating, managing, or monitoring these components.

Policies are composed of rules which govern the I/O activity at the Guard Point. Rules are composed of
five attributes and an effect. Rules are tested in a top-down sequence and when all the attributes of a
policy rule are met, the policy rule effect is triggered. No other subsequent rules are executed for the
same action.

3.4 Key Overview

Create an encryption key to be used for a policy

Key management is an essential part of any encryption solution. Keeping the keys secure is as important
or more important that the strength of the encryption algorithm. Within the GDE solution the key security
is maintained by the GDE Server. The encryption keys are never exposed to any administrator or user.
All transmission and persistence of the keys themselves are encrypted. In short, the keys are known by
name only and the key’s value is never exposed.

Encryption keys are required and will be created in the following section of the lab.

41. If you aren’t already logged in as secadmin, login as the security administrator using: secadmin /
Skyt@p123

42. Click on the Keys tab to create an encryption key.

Guardium Data Encryption (GDE) Hands-on Lab Page 25

IBM Security IBM Security Guardium

43. Click the Add keys button to add a new key.

44. From the Symmetric tab, add the following key definition. We are creating an AES256 encryption
key to use in our lab.
Name: demo-aes256-key
Description: Demo AES256 Key
Algorithm: AES256
Encryption Mode: CBC
Key Type: Cached on Host

45. The new encryption key is shown on the agent key page.

4. Create a policy for file encryption

Policies are the central component for security administration. Polices are composed of rules which
govern the I/O activity at the Guard Point as well as a key. A security rule defines the users or user

Guardium Data Encryption (GDE) Hands-on Lab Page 26

IBM Security IBM Security Guardium

groups authorized to have specified access to specific files or directory paths for a designated period of
time. In short, it defines who is accessing data (User), what they can do with the data (Action), which
applications or executables have access to the data (Process), where the data is located (Resource), the
time frame that the 'Security Rule' is applicable (When), and how the data can be accessed (Effect), and
if it can be viewed from the GDE Appliance (Browsing).

Rules are tested in a top-down sequence and when all the attributes of a policy rule are met, the policy
rule effect is triggered. No other subsequent rules are executed for the same action.

Guardium Data Encryption (GDE) Hands-on Lab Page 27

IBM Security IBM Security Guardium

4.1 File Encryption Policy for Sensitive Files

46. If you aren’t already logged in as the security administrator, log in using secadmin / Skyt@p123.

47. Open the policy editor, click Policies.

48. Click the Add button to add a new encryption policy.

49. Choose Standard as the Policy Type.

50. In the Policy editor, name the Policy as VIPFilesPolicy. Give the description as VIP Sensitive
Files Policy. Click the Apply button.

There are two main sections in an online policy, the Security Rules section includes a set of ordered
security policy rules. The second Key Selection Rules section includes encryption key(s) to be used
in this policy.

Guardium Data Encryption (GDE) Hands-on Lab Page 28

IBM Security IBM Security Guardium

4.2 Adding Security Rules in a Policy

51. Under Security Rules, click Add to add a new security rule.

Adding a catch-all rule to the policy

52. First, we add a catch-all rule.

We always place a catch-all rule as the last rule in a policy. This is to ensure that if none of the
other specified rules / scenarios match, this rule is guaranteed to match. In this catch-all rule, we
will leave all attributes empty, and use Deny and Audit as the effect. This means, if the scenario
does not match any of the previous rule, this rule is hit and as a default effect, the access is denied
and logged in the audit logs.

In the Add Security Rule page, leave everything else empty and click the Select button next to
Effect.

Guardium Data Encryption (GDE) Hands-on Lab Page 29

IBM Security IBM Security Guardium

53. In the Select Effect page, select deny and audit. Then click Select Effect.

54. Click the Ok button to add the empty rule with the Deny and Audit effects.

55. Note that the blanks in a rule definition mean “any” or could be considered wildcards. A pseudo
reading of this rule is, “For every Resource (file), for every executing User, for every executing
Process, for every IO Action, deny and audit the IO. The When attribute is relatively to time and it
is not commonly used.

Guardium Data Encryption (GDE) Hands-on Lab Page 30

IBM Security IBM Security Guardium

Scenario 1: Adding a rule that governs the VI editor

In our lab example, we demonstrate different behavior of policy rule effects. We will configure the policy
such that users are only allowed to read/change the sensitive files using VI-editor. When the file is
opened using an unauthorized program, reading of the file content is prohibited.

First, we create a policy rule that permits accesses of files using VI-editor processes.
56. Click Add to add a new security rule to the policy.

57. On the next screen, click on the Select button beside Process, to add a process attribute. We will
add VI process in as part of our criteria for this rule.
The value of the Process attribute is a set of processes (executables). There are no defined
process sets.

58. In the Select Process Set page, click the Add button to add a new set of processes.

59. Add in the name and description for the new Process Set.
Name = VI-editor
Description = VI editor processes

Guardium Data Encryption (GDE) Hands-on Lab Page 31

IBM Security IBM Security Guardium

60. Click the Add button to add a new process in this process set.

This allows us to group multiple processes in a set to be used in an encryption policy. In this lab, we
will create a process set with only VI editors to demonstrate the possible behaviors for one process
set versus another when accessing encrypted data.

Add these three processes in the same VI-Editor process set:

File
vi
view
vim

61. When all above processes are added, click Ok to continue.

62. Now that we have a process set, select the VI-editor radio button and click Select Process Set to
add this newly configured process set into the rule.

Guardium Data Encryption (GDE) Hands-on Lab Page 32

IBM Security IBM Security Guardium

63. Now, click the Select button beside Effect to configure an effect for this rule.

64. Change the Effect to have permit and apply key, then click the Select Effect button. This will allow
the selected criteria in this rule to have permission to read the encrypted directory and the
encryption key to decrypt/access the data.

Info: Policy Rule Effects

Permit Permit access to data
Deny Deny access to data
Apply Key Encrypt data written to guardpoint with key specified in the same policy. Decrypt data
that is accessed using the same key
Audit Create message log entry about what/how data was being accessed and policy rule that
matched

Guardium Data Encryption (GDE) Hands-on Lab Page 33

IBM Security IBM Security Guardium

65. In this rule, any accesses by VI-editor processes are permitted and are decrypted with the key.
Click Ok to continue.

Scenario 2: Adding a rule to govern the cat process

As a second scenario, we will add a rule that demonstrates when a cat process is being used to open a
sensitive file, it is permitted but it will not have the key to decrypt the content. In other words, when such
effect is in place, the file can still be opened but only crypto data is being shown on screen.
66. In the Security Rules section, click the Add button to add another rule that governs the cat process.

67. Click on the Select button beside Process, to add a process attribute.
The value of the Process attribute is a set of processes (executables).

68. In the Select Process Set page, click Add to add a new process set.

Guardium Data Encryption (GDE) Hands-on Lab Page 34

IBM Security IBM Security Guardium

69. In the Add Process Set page, enter name and description of the new process set. Then click Add.
Name: cat-process
Description: cat process

70. Enter the following Add Process objects fields and click Ok.
Directory = /bin/
File = cat

71. Click OK when we finish adding the processes and quit the Add Process Set page.

Guardium Data Encryption (GDE) Hands-on Lab Page 35

IBM Security IBM Security Guardium

72. The new cat-process set has been added. Select the new cat-process set and click Select Process
Set to select the process set to use for this rule.

73. Click Select beside Effect to change the Effect of this rule.

74. In the Select Effect page, select Permit, then click Select Effect. This time, we are only selecting
Permit effect for cat processes. The permit effect grants the access to access the directory
metadata, but without the “apply key” effect, this rule does not have the encryption key to access
encrypted data in clear text.

Guardium Data Encryption (GDE) Hands-on Lab Page 36

IBM Security IBM Security Guardium

Guardium Data Encryption (GDE) Hands-on Lab Page 37

IBM Security IBM Security Guardium

Important!
Do not include the apply_key effect for this rule. The
point of this rule is to demonstrate reading files
without unencrypting the data with cat process.

75. The new rule should look as follows. In this rule, for any access to the sensitive files using the cat-
processes, the access is permitted but no key is applied to decrypt the data contents. The expected
behavior is that user will see crypto text when they open a sensitive file with the cat process.
Click Ok to continue.

Alter policy to add a rule for root user

76. Under Security Rules, click Add to add a new rule for root user activities.

Guardium Data Encryption (GDE) Hands-on Lab Page 38

IBM Security IBM Security Guardium

77. Click the Select button beside User to create a new user set for root authority users.

Guardium Data Encryption (GDE) Hands-on Lab Page 39

IBM Security IBM Security Guardium

78. Click the Add button to add a new User Set.

79. Name the new User Set as follows.

Name: root-user
Description: root user
Click the Add button to start adding a new process set for root authority users.
(You can optionally use the Browse Users button to browse a list of local available users on the
agent host).

80. On the Add User page, type in the uname (OS user name) as root. Click Ok to continue.

81. Click Ok to finish defining the root-user user set.

Guardium Data Encryption (GDE) Hands-on Lab Page 40

IBM Security IBM Security Guardium

82. Select the newly created root-user user set, then click Select User Set button to continue.

83. After selecting the root-users set, select Permit, Audit Effect of this policy rule. In this scenario,
since a lot of system processes use root-user to do system backups or other activities, root-user
should have the permission to access metadata of the files. This allows system backups and other
OS system activities to complete. However, root-user as a privileged user does not necessarily
need to view the contents of VIP sensitive files. Therefore we will define a permit action to access
file metadata, but we do not apply key to decrypt the file contents.

Click Ok to continue after selecting the effects.

Guardium Data Encryption (GDE) Hands-on Lab Page 41

IBM Security IBM Security Guardium

Reordering the rules in a policy

Once we have created all rules in a policy, we can reorder the rules in a sequential order. When an
access to a sensitive file take place, the agent will check with the policy rules in a top-down order. The
first rule that matches the condition will be applied. The rest of the rules are ignored for this particular
access.

84. Check the VI-editor rule and click the Up button to move the rule to the top of the list.

85. Check the cat-process rule and click the Up button to move the rule to the top of the list. Place the
root-user rule below both processes rule.
The policy should look as follows:

86. Verify the policy rules are in a correct order.

Selecting an Encryption Key for a Policy

87. From the Key Section Rules section, click the Add button to add a new encryption key to use for
this rule.

88. In the Add Key Rule page, click the Select button beside Key to select an encryption key to use for
this rule.

89. Select the demo-aes256-key, then click Select Key.

Guardium Data Encryption (GDE) Hands-on Lab Page 42

IBM Security IBM Security Guardium

90. You will be brought back to the Add Key Rule page. The demo-aes256-key key is selected. Click
Ok to proceed.

91. By now, when this policy is installed to guard files in a guardpoint (file directory), all files in a
guardpoint are encrypted with this demo-aes256-key selected for this policy. Files will get decrypted
when a condition meets a policy rule with permit and apply-key effects.

92. Click the OK button at the bottom of the screen to save the policy.

Guardium Data Encryption (GDE) Hands-on Lab Page 43

IBM Security IBM Security Guardium

93. The VIPFilesPolicy configuration is completed and is ready to be applied to a guard point.

5. Encrypting data – the basics

Encrypting data is a function of applying the encryption key to clear text data to produce encrypted text.
This is accomplished with GDE by applying a security policy to a guard point. A guard point is directory

Guardium Data Encryption (GDE) Hands-on Lab Page 44

IBM Security IBM Security Guardium

within the file system where an encryption policy is applied. Once the policy is applied, all I/Os to that
directory and all subdirectories are evaluated according to the policy rules.

5.1 Create a guard point and apply a policy

In this section, we will configure a file directory on the Linux server as a guard point, and will apply a
security policy to protect this guard point. All accesses to the files in this guard point will be evaluated
against the policy rules.
94. From the GDE GUI, login as secadmin / Skyt@p123 (if not already logged in). Then click the
Hosts tab.

95. Click the osprey host. This is the file server we are working with for encrypting data.

96. Click the Guard FS tab. This is where we specify all the guard points of a host server.

Guardium Data Encryption (GDE) Hands-on Lab Page 45

IBM Security IBM Security Guardium

97. Click on the Guard button to define a new guard point on this agent file system.

98. For the Policy field, select VIPFilesPolicy from the drop-down list. This is the policy we defined in
the last section and this is the policy we will use to protect the new guard point. Then click the
Browse button to select a file system directory to be the guard point.

Guardium Data Encryption (GDE) Hands-on Lab Page 46

IBM Security IBM Security Guardium

99. Select the /GUARD/GDEGUARD/VIPFiles directory. Scroll to the bottom on the page and click the
OK button.

100. Ensure VIPFilesPolicy is the chosen policy and /GUARD/GDEGUARD/VIPFiles/ path is

displayed, click the OK button.

101. The policy will be pushed to the selected host.

Click the Refresh button until the /GUARD/GDEGUARD/VIPFiles/ guard point status light turns
green. It may take a couple of minutes.
When the Policy status turns green for the guard point, it means the policy is enabled and in place to
protet the guard point.

Guardium Data Encryption (GDE) Hands-on Lab Page 47

IBM Security IBM Security Guardium

The new guard point is now protected with the VIPFilesPolicy.

Additional Authenticators for Hosts

In the hosts section, the Host Settings tab allows you to set authentication options for applications
running on the host. Application such as su, sshd, and login that authenticate a user’s identity before a
child process executes. By default, the common Linux authentication mechanisms are automatically
added to a Linux host. In our lab environment where gnome GUI runs, we would like to add a couple
more authenticators as they might be used by the gnome GUI background processes.
102. While still on the osprey host page, click on Host Settings. Add the following two authenticators to
the list:
|authenticator|/usr/bin/bash
|authenticator|/usr/bin/su

103. Click Ok button to continue.

The guardpoint is now ready for testing.

5.2 Test policy actions

The directory /GUARD/GDEGUARD/VIPFiles is now an active guard point. All I/O activity to this directory
is now governed by the VIPFilesPolicy. The VI editor will be able to read and write encrypted data within
the guard point. The cat program can only read files but cannot unencrypt the data. No other activities
should be possible within the guard point.

Guardium Data Encryption (GDE) Hands-on Lab Page 48

IBM Security IBM Security Guardium

Accessing the guard point on the Agent Host

104. If you are still logged in as root user on osprey VM, click the power button in the right-upper corner
of the screen and Log Out as root.

105. On osprey VM (10.10.9.56), the linux agent host, login as:

Login: vip
Password: guardium

106. Open a new terminal. Create and edit a file with the VI editor.
Open and create a new file, testfile, within the guard point we just defined.

vi /GUARD/GDEGUARD/VIPFiles/testfile

107. Enter some text like “Hello this data is encrypted.”

Enter i to start inserting data in the file.
Type in your text – Hello this data is encrypted.
Press [Esc] key on your keyboard to stop entering data
Save the file and exit vi-editor by entering :wq! and press enter.

108. Once the data has been saved, try viewing the data with view. VIEW command is part of the vi-
processes group that we defined earlier. According to the policy rule we created, it has
permit,allow key effect to decrypt the data with the encryption key.

view /GUARD/GDEGUARD/VIPFiles/testfile

Guardium Data Encryption (GDE) Hands-on Lab Page 49

IBM Security IBM Security Guardium

109. Exit view by typing in :q and press enter.

110. Now, try viewing the same file with cat. The displayed data is in crypto text because according to
the policy rule, the cat process is with permit effect, which means it is permitted to access the data
but without the encryption key, the process can only read crypto text straight from the disk.

cat /GUARD/GDEGUARD/VIPFiles/testfile

111. Optionally, test creating or edit files with other processes.

All access is denied to all other processes except for vi/view/vim and cat.

$ tail -f /GUARD/GDEGUARD/VIPFiles/testfile

$ echo “hello” > /GUARD/GDEGUARD/VIPFiles/newfile

Guardium Data Encryption (GDE) Hands-on Lab Page 50

IBM Security IBM Security Guardium

Verify the audit records on GDE Server

112. From the browser, go back to https://gde3-dsm-vm/ then log in as secadmin / Skyt@p123. Then
click the Log tab.

113. Note the audit records show how the GDE agent DENIED the IO. Other information is displayed like
what the name of the Policy was [VIPFilesPolicy], what was the name of the User [vip], what
was the name of the Process [/usr/bin/tail], what was the IO type (Action) [read_attr].
The log Code specifies which policy rule was triggered for the particular IO action and is helpful for
troubleshooting purposes. In this example:
1P Rule 1 – Process does not match
2P Rule 2 – Process does not match
3U Rule 3 – User does not match
4M Rule 4 – found a Match (this policy rule was triggered)

Preventing unauthorized accesses via su connection sessions

User authentication and management is a crucial when dealing with data security. On Linux systems,
internal users have the ability to change user session using the su command from within a connection
session. This may allow users to cover their tracks by performing the illegal accesses using another user
account.

In GDE, the su command is also used as an authenticator by default. Therefore, when an end-user
attempts to su into another user account within a session, the GDE policy will still validate the rules with
the original user name. This prevents malicious users’ attempts’ to cover their tracks by executing the
accesses su-ing into another user account.

Feel free to test out the su scenario (for example vip user su into root) at your own pace.

You have now successfully completed the Proof of Technology lab.

Guardium Data Encryption (GDE) Hands-on Lab Page 51

IBM Security IBM Security Guardium

Thank You

Guardium Data Encryption (GDE) Hands-on Lab Page 52

IBM Security IBM Security Guardium

2019/03 of publication edition

obligation to you. Information concerning non-IBM products
NOTICES was obtained from the suppliers of those products, their
published announcements or other publicly available
This information was developed for products and services offered
sources. IBM has not tested those products and cannot
in the USA.
confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to
IBM may not offer the products, services, or features discussed
the suppliers of those products.
in this document in other countries. Consult your local IBM
representative for information on the products and services
currently available in your area. Any reference to an IBM This information contains examples of data and reports used in
product, program, or service is not intended to state or imply daily business operations. To illustrate them as completely as
that only that IBM product, program, or service may be used. possible, the examples include the names of individuals,
Any functionally equivalent product, program, or service that companies, brands, and products. All of these names are
does not infringe any IBM intellectual property right may be fictitious and any similarity to the names and addresses used by
used instead. However, it is the user's responsibility to evaluate an actual business enterprise is entirely coincidental.
and verify the operation of any non-IBM product, program, or
service. TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered
IBM may have patents or pending patent applications trademarks of International Business Machines Corp., registered
covering subject matter described in this document. The in many jurisdictions worldwide. Other product and service
furnishing of this document does not grant you any names might be trademarks of IBM or other companies. A
license to these patents. You can send license inquiries, current list of IBM trademarks is available on the web at
in writing, to: “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml.
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119 Adobe, the Adobe logo, PostScript, and the PostScript logo are
Armonk, NY 10504-1785 either registered trademarks or trademarks of Adobe Systems
United States of America Incorporated in the United States, and/or other countries. Cell
Broadband Engine is a trademark of Sony Computer
The following paragraph does not apply to the United Kingdom or Entertainment, Inc. in the United States, other countries, or both
any other country where such provisions are inconsistent with and is used under license therefrom. Intel, Intel logo, Intel Inside,
local law: INTERNATIONAL BUSINESS MACHINES Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel
CORPORATION PROVIDES THIS PUBLICATION "AS IS" Xeon, Intel Speed Step, Itanium, and Pentium are trademarks or
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR registered trademarks of Intel Corporation or its subsidiaries in the
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED United States and other countries. IT Infrastructure Library is a
WARRANTIES OF Registered Trade Mark of AXELOS Limited. ITIL Is a Registered
Trade Mark of AXELOS Limited. Java and all Java-based
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS trademarks and logos are trademarks or registered trademarks of
FOR A PARTICULAR PURPOSE. Some states do not allow Oracle and/or its affiliates. Linear Tape-Open, LTO, the LTO
disclaimer of express or implied warranties in certain Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM
transactions, therefore, this statement may not apply to you. Corp. and Quantum in the U.S. and other countries. Linux is a
registered trademark of Linus Torvalds in the United States, other
countries, or both. Microsoft, Windows, Windows NT, and the
This information could include technical inaccuracies or Windows logo are trademarks of Microsoft Corporation in the
typographical errors. Changes are periodically made to the United States, other countries, or both. UNIX is a registered
information herein; these changes will be incorporated in new trademark of The Open Group in the United States and other
editions of the publication. IBM may make improvements
countries.
and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
© Copyright International Business Machines
Corporation 2019. This document may not be reproduced in
Any references in this information to non-IBM websites are
whole or in part without the prior written permission of IBM.
provided for convenience only and do not in any manner
serve as an endorsement of those websites. The materials
at those websites are not part of the materials for this IBM US Government Users Restricted Rights - Use, duplication or
product and use of those websites is at your own risk. IBM disclosure restricted by GSA ADP Schedule Contract with IBM
may use or distribute any of the information you supply in Corp.
any way it believes appropriate without incurring any

Guardium Data Encryption (GDE) Hands-on Lab Page 53