LDL0202X Lab Guide

The document describes creating a session-level policy in Guardium to modify the client host name for privileged users. The steps are: 1. Create a new session-level policy in the policy builder. 2. Add a condition to check if the user is privileged and modify the client host name property if so. 3. Test the policy by logging in as a privileged user and verifying the client host name is modified.


Lab Exercises
Guardium session-level policy
Course code LDL0202X

IBM Training
October 2019 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2019.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Exercises 1
Exercise 1 Create a session-level policy 1
Exercise 2 Test the policy 8

© Copyright IBM Corp. 2019 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercises
Session-level policies are a new feature of Guardium in version 10.6 that make validation of some
policies more efficient.

Standard (non-session-level) policy validation occurs at the end of the sniffer process and takes
significant time. However, some policies have only session-level criteria and do not use criteria that
relate to SQL objects. Such policies can be evaluated at the beginning of the sniffer process, as
soon as session-level information is received. Session-level policies exist for exactly these cases.

With session-level rules, you can validate session-level policies much faster. This efficiency is
especially important when you use the Guardium firewall. In this case, login information is
available at the beginning of the session, so the decision about whether to continue in firewall
mode, or even to stop the session, can be made before any SQL statements are sent to the logger.
This improves performance.

In this virtual lab, you create, configure, and test a session-level policy.

Exercise 1 Create a session-level policy


In this exercise, you create a session-level policy that modifies the client host name. The scenario
is that you want to modify how activity for privileged users is displayed in the overview table. You
modify the client host name when privileged users establish a database session.

1. Open a web browser and log in to the Guardium interface as user labadmin with password
guardium.
The Welcome page opens.

Note: Disregard any notifications about login information or updates.

2. To build your new policy, go to Protect > Security Policies > Policy Builder for Data.

You see that there is already one policy that is installed, Log Full Details. This policy logs all
activity. In general, a production environment does not have such a policy because it logs too
much data, but this policy is installed for instructional purposes and helps you test your new
session-level policy.

3. To create the policy, click the New icon.

The Create New Policy window opens.

You see a Type field where you can select Data security policy or Session level policy. Data
security policies are the standard policies supported before version 10.6. Session level policies
are new in version 10.6 and later; you can use them to create a policy that validates more quickly
because it relies only on data that is available at the beginning of the session, before the
database user runs any commands that access an SQL object. However, session level policies
are limited to a subset of the options available to data security policies.

4. To select the type of policy, select Session level policy and name the policy
LabSessionPolicy.

5. To continue the configuration, click Edit in the Rules pane.

6. To add a new rule, click the New icon in the Rules pane.
The Create New Rule window opens.

You see that Rule type is set to Session and cannot be changed. Session-level policies have
session rules that cause the policy to validate without waiting for information about the SQL
objects or commands.

7. In the Rule name field, enter Check Database User and click Edit in the Rule criteria pane.

The fields provide a quick and easy way to add criteria to your rule.

8. For the first rule's session level criteria, select the following values:
– Parameter name: Database user
– Operator: In Group
– Group: Lab Privileged Users
In the Entities and Attributes table, select Entity: Client/Server, Attribute: Client IP.

9. To view the members of the group, click the Edit group icon by the group, and click the
Members tab.

You see that DB2INST1, JOE, and JOAN are members of this group, which means that the rule
is triggered whenever one of these users starts a database session.

10. To close the Edit group window, scroll down and click Close.

11. To continue to the Rule action pane, click Edit in the Rule action pane.

12. To associate a rule action with your rule, click the New icon.
A list of actions opens.

13. To add the rule action, select TRANSFORM CLIENT HOST NAME.
The Add New Action pane opens.

– For the transformation to match any client host name, set Match pattern to .*
– Set Output format to PRIVUSER_HOST.

14. To save the action, click OK.
You return to the Create New Rule window, which shows your new rule action.

15. To save the new rule, scroll down and click OK.
You return to the Create New Policy window.

16. To save your policy, scroll down and click OK.

17. To close the Success Message that says Policy LabSessionPolicy saved
successfully, click OK.

You see that your new policy is not yet installed.

18. To install the new policy, click the Install menu at the top and select Install.

19. To define an Installation action, select Install first and click OK.

20. To dismiss the confirmation window, click OK.

You see that now both the Log Full Details policy and the LabSessionPolicy session-level policy
are installed. The session-level policy is the first in the installation order.
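As an added illustration of what the policy built in this exercise does (a simulation written for this guide, not Guardium code): the rule fires from login facts alone, and the transform action rewrites the client host name. The group members are the ones the guide lists; case-insensitive user comparison and full-string regex matching are assumptions of the model.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the lab's "Lab Privileged Users" group (members from the guide).
LAB_PRIVILEGED_USERS = {"DB2INST1", "JOE", "JOAN"}

@dataclass
class Session:
    """Session-level facts known at login, before any SQL is seen."""
    db_user: str
    client_host_name: str
    client_ip: str

@dataclass
class TransformClientHostName:
    """Models TRANSFORM CLIENT HOST NAME: replace a matching client host name.
    Full-string regex matching is this simulation's assumption, not Guardium's."""
    match_pattern: str
    output_format: str

    def apply(self, session: Session) -> Session:
        if re.fullmatch(self.match_pattern, session.client_host_name):
            session.client_host_name = self.output_format
        return session

@dataclass
class SessionRule:
    """A session rule with one criterion: Database user In Group."""
    name: str
    group: set
    action: TransformClientHostName

    def matches(self, session: Session) -> bool:
        # Case-insensitive user comparison is an assumption of this model.
        return session.db_user.upper() in self.group

def evaluate_session_policy(rules, session: Session) -> Session:
    """Evaluate rules from login information alone; no SQL objects are needed."""
    for rule in rules:
        if rule.matches(session):
            session = rule.action.apply(session)
    return session

# The policy built in Exercise 1: rule "Check Database User" with match pattern .*
# and output format PRIVUSER_HOST.
LAB_SESSION_POLICY = [
    SessionRule("Check Database User", LAB_PRIVILEGED_USERS,
                TransformClientHostName(".*", "PRIVUSER_HOST")),
]
```

A rule whose match pattern does not cover the incoming host name leaves it unchanged, which is why the lab uses the catch-all pattern.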

Exercise 2 Test the policy
In the previous exercise, you created a session-level policy that checks whether the session user is
a privileged user, and if they are, it transforms the host name. In this exercise, you log in as user
JOE, who is a member of the privileged users group, perform SQL commands to generate data,
and view the results.
1. To open a terminal on the database server desktop, double-click the Terminal icon.

2. To switch from user root to user db2inst1, enter the command:


su - db2inst1

3. To start a DB2 command session, enter the command:


db2

4. To start a database session as user JOE, enter the command:
connect to sample user joe using guardium

5. To generate data on the database, run the following commands:


select * from db2inst1.ssn
select * from db2inst1.creditcard

6. To view the results, go back to the Guardium GUI. On the system task bar, click the Firefox
task.

7. At the top, locate User Interface Search and select Data from the list.

The search mode changes to Data.

8. To open the Quick Search Overview, click the Search icon.

The Overview window opens.

9. To view the Activity table, scroll down.


You see the activity ge

10. To show only the activity for user JOE, go to the Active filters pane on the left and select DB User > Joe.

You see the activity generated by user JOE. The client host name was changed from OSPREY
to PRIVUSER_HOST. You might see the pattern several times.

