Global profile

The Global Profile page defines defaults that apply to all users.

Getting started with the global profile

To open the Global Profile page, browse to Setup > Tools and Views > Global Profile.

Use the Global Profile page to set defaults for your Guardium® system. You can add your own header and footer to reports, upload your company logo, create a default message template, and much more.
Note: Whenever you change information on the Global Profile, you need to scroll to the end of the page and click Apply for the change to take effect.

Changing settings for aliases and PDFs

You can change the following settings for aliases and PDF footers:

  • Use aliases in reports unless otherwise specified: An alias provides a synonym that substitutes for a stored value of a specific attribute type. Aliases are commonly used to display a meaningful or user-friendly name for a data value. For example, Financial Server might be defined as an alias for IP address 192.168.2.18.

    When selected, Guardium uses available aliases for all reports.

  • PDF footer text: PDF files created by various Guardium components (such as audit tasks) have a standard page footer. To customize the footer, enter your text into the PDF footer text box. PDF footer text that you define on a central manager or aggregator is not distributed to managed units.

Managing alert message templates

Message templates determine the content of alerts. You can create multiple message templates from the Global Profile, and use them with different rules as needed.

There are three types of message templates available, which define the following types of messages:
  • Audit process: Messages that are published in audit process reports.
  • Real-time Alerts: Messages sent immediately when Guardium detects a problem.
  • Threshold Alerts: Messages sent when Guardium detects that a specified threshold is met or exceeded.

You can use the filtering checkboxes to filter the types of templates to view.

Several predefined message templates are available for ArcSight, enVision, and IBM QRadar (in LEEF format) security information and event management (SIEM) solutions. Guardium includes two certified (agreed upon) templates to integrate with these SIEM solutions.

Creating or updating named messages

To add, modify, or delete named message templates:

  1. Click Edit to open the Named Template Finder window.
  2. Click New to open the Modify Named Template window. The current default message template displays in the Default message template text box.

    Alternatively, select one of the existing named templates and click Clone to clone that template. You can then rename and edit your new template.

  3. Enter a name and template type for your new template. Then, add or delete the message template variables to meet your requirements. For more information about the available message template variables, see Table 1.

    Select No wrap to see where the line breaks appear in the message.

  4. Click Save when you are done.
  5. Changes take effect after you restart the inspection engines from the managed unit.
    Note: To restart the inspection engines, browse to Manage > Activity Monitoring > Inspection Engines and then click Restart Inspection Engines.

Formatting real-time alerts

Customizing email for real-time alerts

Use the store alerter email append_name_subject and store alerter email append_subject_body CLI commands to customize emails from real-time alerts as follows:
  • Control the appearance of the Prefix email subject with Guardium appliance name.
  • Control the appearance of the email subject in the email body.
  • Add naming template parameter %%applianceHostName to add the appliance hostname to Name Templates (in either the subject or the body).

Setting sender encoding

To encode outgoing messages (email and SNMP traps) in an encoding scheme other than UTF8, use the store sender_encoding CLI command, as described in store sender_encoding.

Alert message template variables

Table 1. Alert message template variables
Variable Description
%%analyzedClientIP A client IP field populated by the Guardium Analyzer. Corresponds to GDM_ACCESS.ANALYZED_CLIENT_IP.
If the Analyzed Client IP is not available when the SQL event is processed:
  • If the policy rule action is set to Alert only and SYSLOG notification, then %%analyzedClientIp is blank.
  • A value for analyzedClientIp is not always available for encrypted Oracle traffic.
  • For any other alert policy rule actions, the alert message might be delayed and sent later in the session.
%%AppEventType The type of application event.
%%AppUserName Application username.
%%AuthorizationCode Authorization code.
%%BindVarVal Available for Db2 z/OS systems only. The bind variable value, which is replaced with the values from the "FULL SQL"."Bind Variables Values" in the FULL SQL entity. For more information, see the Attributes for Full SQL Entity (Db2 for z/OS) table.
%%category Category from the rule definition.
%%CICSUser Available for Db2 z/OS systems only. %%CICSUser is either:
  • The CICSEndUser.
  • The CICS user ID (same as %%EndUser), if the sysConType is CICS (value of 4).
%%classification Classification from the rule definition.
%%ClientAcctng Available for Db2 z/OS systems only. Contains information from the Db2 z/OS CURRENT CLIENT_ACCTNG special register. For more information, see the Special registers documentation for your version of Db2 for z/OS.
%%ClientApplname Available for Db2 z/OS systems only. Contains information from the Db2 z/OS CURRENT CLIENT_APPLNAME special register. For more information, see the Special registers documentation for your version of Db2 for z/OS.
%%clientHostname Client hostname.
%%clientIP Client IP address.
%%clientPort Client port number.
%%ClientWrkstn Available for Db2 z/OS systems only. Contains information from the Db2 z/OS CURRENT CLIENT_WRKSTNNAME special register. For more information, see the Special registers documentation for your version of Db2 for z/OS.
%%compressed_uid_chain For Linux or UNIX systems only, the compressed UID chain that tracks a chain of users.

Messages that include this variable are delayed for 5 minutes by default. For more information, see the store alerter delay CLI command. The value is then replaced with the "Session"."Uid Chain Compressed" values from Guardium report attributes. For more information, see UID chains.

Note: This variable does not return a value when used with a message template that uses an alert-only policy rule action with the syslog notification type. For more information, see Alerting rule actions.

%%ConstructID Construct ID in the SQL request associated with the alert message.
%%CurrentDBUser Available for Db2 for IBM® i only. %%CurrentDBUser is the name of the current Db2 for i user.
%%DBName Database name.
%%DBProtocol Database protocol.
%%DBProtocolVersion Database protocol version.
%%DBUser Database username.
%%EndUser Available for Db2 z/OS systems only. %%EndUser is either:
  • The Db2 application user.
  • The CICS user ID, if the z/OS Collector Agent is configured to collect the CICSUserID.

    For other databases, %%EndUser is blank.

%%EventDate The date of the App Event.
%%EventValueNum The App Event value number.
%%EventValueStr The App Event value string.
%%IMSPartArea Available for IMS only. Corresponds to "FULL SQL"."IMS PART/AREA". Can be either a HALDB partition name or a DEDB AREA name.
%%lastError Last error description: Available only when an SQL error request that triggers an exception rule contains a last error description field.
%%netProtocol Network protocol, for K-TAP on Oracle, which can display as either IPC or BEQ.
%%Object A list of objects matching the rule. Lists up to 10 objects.
%%objectType The type of each object returned by the list of objects in %%Object.
%%OSUser The operating system user from the session information (OS_USER in GDM_ACCESS).
%%Program Available for Db2 for IBM® i only. The program schema/program.
%%ProcessID Available for Db2 for IBM® i only. The job number.
%%receiptTime Timestamp representing the time when the alert occurred. %%receiptTime displays in either seconds or milliseconds, based on the value of the store alert_timestamp_unit CLI command. The default is seconds.
%%receiptTimeMills Number representing the time when the alert occurred, in milliseconds, since the fixed date of Jan 1 1900.
%%RecordsAffected Records affected.

Messages that include this variable are delayed for 5 minutes by default. For more information, see the store alerter delay CLI command.

Note: This variable does not return a value when used with a message template that uses an alert-only policy rule action with the syslog notification type. For more information, see Alerting rule actions.
%%requestType Request type.
%%ResponseLength Response length. Not supported for Db2 z/OS systems.

Messages that include this variable are delayed for 5 minutes by default. For more information, see the store alerter delay CLI command.

Note: This variable does not return a value when used with a message template that uses an alert-only policy rule action with the syslog notification type. For more information, see Alerting rule actions.
%%ReturnedDataCount The returned data count for extrusion rules. Requires that the Inspect Returned Data flag is on.
%%ruleDescription The rule description from the policy rule definition.
%%ruleID The rule number from the rule definition.
%%SenderIP The S-TAP IP address of the connection to which the S-TAP sends traffic. Corresponds to "Session"."Sender IP".
%%serverHostname Server hostname.
%%serverIP Server IP address.
%%serverPort Server port number.
%%serverType The database server type.
%%serviceName Service name.
%%SessionID Session ID. The Session_id is the same as the MySQL auto-generated ID in GDM_SESSION on the collector.
%%sessionStart Session start time (login time).
%%sessionStartMills Number representing the start of the session where the alert occurred, in milliseconds since the fixed date of Jan 1 1900.
%%severity Severity from the rule definition.
%%SourceProgram Source program name. For Db2 for IBM i, the %%SourceProgram returns job_user/job_name.
%%SQLNoValue SQL string with masked values. The value of SQL is replaced by a question mark (?) in the syslog.
%%SQLString SQL string (if any).
%%SQLTimestamp The time on the packet or request.
%%Subject[ ] If you specify this variable, all of the text between the square brackets ([ ]), such as file name, email sender, or description, is included in the subject line of the email that is sent to the user.
Note: You cannot define a custom subject line by using the %%Subject[] variable with the default message template that is specified in Setup > Tools and Views > Global Profile. To create a message with a custom subject line, use the %%Subject[] variable in a named template.
%%succeeded Messages that include this variable are delayed for 5 minutes by default. For more information, see the store alerter delay CLI command. The value is replaced with the "FULL SQL"."Succeeded" value from Guardium report attributes.
Note: This variable does not return a value when used with a message template that uses an alert-only policy rule action with the syslog notification type. For more information, see Alerting rule actions.
%%uid_chain For Linux or UNIX systems only, the UID chain that tracks a chain of users.

Messages that include this variable are delayed for 5 minutes by default. For more information, see the store alerter delay CLI command. The value is then replaced with the "Session"."Uid Chain" value from Guardium report attributes. For more information, see UID chains.

Note: This variable does not return a value when used with a message template that uses an alert-only policy rule action with the syslog notification type. For more information, see Alerting rule actions.
%%UnitOfWork Computed attribute that contains the CICS Unit of Work ID in hex to correlate CICS traffic across multiple S-TAP Entities (IMS, data sets, and Db2).
%%Verb The SQL verbs that are relevant to the triggered rules in the alert messages. You can set the number of SQL verbs to include by setting the ALERT_VERB_NUM_LIMIT parameter from the modify_guard_param command. The default is 10. For more information, see Alerter parameters.
%%violationID Numeric representing the POLICY_VIOLATION_LOG_ID of this alert in GDM_POLICY_VIOLATION_LOG (this is the same as the Violation Log ID in the Policy Violations / Incident Management report).
  • Default message template: Displays the default message template for alerts.
  • No wrap: Select to remove word wrap from the message template. Use this feature to see where the line breaks appear in the message.
  • Named template: Click Edit to create new templates and manage or edit existing named templates.
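The following is an added illustration of how a named template built from the Table 1 variables is rendered, including the %%Subject[ ] extraction, the %%applianceHostName naming parameter, and the variables that stay blank under an alert-only syslog rule action. It is not Guardium's own alerter code: the substitution rules are modelled on the descriptions above, the event record is constructed, the subject-prefix format "[hostname] ..." is an assumption, and the function names (render_template, lint_template) are hypothetical. The lint_template helper goes slightly beyond the page by flagging variable names that are not in Table 1, which is a useful check before saving a template.

```python
"""Render a Guardium-style alert message template (added example, not product code)."""
import re
from typing import Dict, Optional, Set, Tuple

# Variable names from Table 1 (without the leading %%), plus the %%applianceHostName
# naming parameter from the "Customizing email for real-time alerts" section.
KNOWN_VARIABLES: Set[str] = {
    "analyzedClientIP", "AppEventType", "AppUserName", "AuthorizationCode", "BindVarVal",
    "category", "CICSUser", "classification", "ClientAcctng", "ClientApplname",
    "clientHostname", "clientIP", "clientPort", "ClientWrkstn", "compressed_uid_chain",
    "ConstructID", "CurrentDBUser", "DBName", "DBProtocol", "DBProtocolVersion", "DBUser",
    "EndUser", "EventDate", "EventValueNum", "EventValueStr", "IMSPartArea", "lastError",
    "netProtocol", "Object", "objectType", "OSUser", "Program", "ProcessID", "receiptTime",
    "receiptTimeMills", "RecordsAffected", "requestType", "ResponseLength",
    "ReturnedDataCount", "ruleDescription", "ruleID", "SenderIP", "serverHostname",
    "serverIP", "serverPort", "serverType", "serviceName", "SessionID", "sessionStart",
    "sessionStartMills", "severity", "SourceProgram", "SQLNoValue", "SQLString",
    "SQLTimestamp", "Subject", "succeeded", "uid_chain", "UnitOfWork", "Verb", "violationID",
    "applianceHostName",
}

# Variables that Table 1 says are delayed (5 minutes by default) and return no value
# with an alert-only policy rule action that uses the syslog notification type.
DELAYED_VARIABLES: Set[str] = {
    "compressed_uid_chain", "RecordsAffected", "ResponseLength", "succeeded", "uid_chain",
}

SUBJECT_RE = re.compile(r"%%Subject\[(.*?)\]")
VAR_RE = re.compile(r"%%([A-Za-z][A-Za-z0-9_]*)")

# Constructed sample event; the field names mirror the %%variables in Table 1.
SAMPLE_EVENT: Dict[str, str] = {
    "clientIP": "192.168.2.18",
    "clientHostname": "workstation7",
    "serverIP": "10.0.0.5",
    "serverPort": "1521",
    "DBUser": "appuser",
    "OSUser": "svc_batch",
    "ruleID": "42",
    "ruleDescription": "Select on credit card table",
    "severity": "HIGH",
    "SQLNoValue": "SELECT card_number FROM cards WHERE id = ?",
    "Object": "CARDS",
    "Verb": "SELECT",
    "RecordsAffected": "3",
    "analyzedClientIP": "",  # not available when the SQL event was processed, so blank
}

# Constructed sample named template using a custom subject line.
SAMPLE_TEMPLATE = """%%Subject[Guardium alert: %%ruleDescription (rule %%ruleID)]
Severity: %%severity
Client: %%clientIP (%%clientHostname) -> Server: %%serverIP:%%serverPort
DB user: %%DBUser  OS user: %%OSUser  Analyzed client IP: %%analyzedClientIP
Verb: %%Verb  Object: %%Object
SQL: %%SQLNoValue
Records affected: %%RecordsAffected"""


def lint_template(template: str) -> Set[str]:
    """Return %%variable names in the template that are not listed in Table 1 (likely typos)."""
    return {name for name in VAR_RE.findall(template) if name not in KNOWN_VARIABLES}


def render_template(template: str, event: Dict[str, str], appliance_host: Optional[str] = None,
                    prefix_subject: bool = False, syslog_alert_only: bool = False) -> Tuple[str, str]:
    """Return (subject, body) for one alert.

    prefix_subject models the "Prefix email subject with Guardium appliance name" option;
    syslog_alert_only models an alert-only rule action with syslog notification, under which
    the delayed variables return no value.
    """
    values = dict(event)
    if appliance_host is not None:
        values["applianceHostName"] = appliance_host
    if syslog_alert_only:
        for name in DELAYED_VARIABLES:
            values[name] = ""

    # Pull the %%Subject[ ] text out of the template; the rest becomes the body.
    subject = ""
    match = SUBJECT_RE.search(template)
    if match:
        subject = match.group(1)
        template = template[:match.start()] + template[match.end():]

    def substitute(text: str) -> str:
        # Known variables are replaced (blank if the value is unavailable);
        # unknown names are left visible so a typo shows up in the message.
        return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)

    subject = substitute(subject)
    if prefix_subject and appliance_host:
        subject = f"[{appliance_host}] {subject}"  # assumed prefix format
    return subject, substitute(template).strip()


if __name__ == "__main__":
    print("unknown variables:", lint_template(SAMPLE_TEMPLATE) or "none")
    subj, body = render_template(SAMPLE_TEMPLATE, SAMPLE_EVENT, appliance_host="guard01",
                                 prefix_subject=True)
    print("Subject:", subj)
    print(body)
```

Running the block renders the constructed event through the sample template; with syslog_alert_only=True the "Records affected" line is left empty, which is the behaviour the notes in Table 1 describe for %%RecordsAffected and the other delayed variables.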

Specifying a CSV separator

Specify a CSV separator for all CSV output (such as audit processes):

  • CSV separator: Select Comma, Semicolon, Tab, or click Other to define your own separator.

Adding text to the Guardium window

  • HTML - left and HTML - right: Enter HTML-formatted text to include at the bottom of the Guardium window.

    To verify that your HTML displays as you expect, click Preview.

  • Create a login message and other elements to display when (or before) a user logs in:
    • Show login message: Select to display the login message (or clear to disable the display).
    • Login message: Add a plain text message to display each time that a user logs in.
    • Pre-login message (HTML): Add an HTML-formatted message that displays after a user opens the Guardium window but before they log in.
      Note: If you include an image, the image also displays in the pre-login message. For more information, see Upload logo image.
    • Header and footer banner (HTML): Add HTML-formatted banners to the Guardium login page. By default, the header and footer display at the top and the lower left of the Guardium UI. However, you can use HTML to change the alignment, color, and other elements for your requirements.

Managing other Guardium properties

  • Concurrent login from different IP: By default, the same Guardium user can log in to an appliance from multiple IP addresses. Use this feature to disable concurrent logins from the same user. When disabled, each user can log in from only one IP address at a time. If a user closes their browser without logging out, the connection times out due to inactivity, so the user account is not blocked for long.
    Note: When this feature is enabled, Unlock displays. For support purposes, you can unlock the account to allow a second user to log in with this user account from a different IP address.
  • Data level security filtering: Enable this feature when specific Guardium users are responsible for specific databases. Use data-level filtering to filter results system-wide so that each user can see only the information from databases for which that user is responsible.
    Note: If data level security at the observed data level is enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy.
  • Default Filtering: If data-level security filtering is enabled, you can set the default filtering options for the logged-in viewer.
    • Show all: The logged-in viewer can see all of the rows in the result regardless of who these rows belong to. When used with the datasec-exempt role, allows an override of the data level security filtering.
    • Include indirect records: The logged-in viewer can see the rows that belong to the logged-in user, and all rows that belong to users in the user hierarchy under the logged-in user.
    Note: The datasec-exempt role is activated when data level security is enabled and the datasec-exempt role is assigned to a user. For more information, see Understanding Roles.
    Restriction: Data Level Security and the Investigation Dashboard cannot be enabled concurrently.
  • Escalate result to all users: When enabled (the default), audit process results (and PDF versions) are escalated to all users, even if data level security at the observed data level is enabled. If not enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy and to users with the datasec-exempt role. If disabled (cleared), and no user hierarchy is available, then no escalation is allowed.
  • Custom database table maximum size (MB): Set the size of the custom database table (in MB). The Default value is 4000 MB. In addition, click Current Usage to display the current values for InnoDB, MyISAM, and the combined total.
    Note: The custom size limit is tested before data is imported. If a data import exceeds the new limit, Guardium prevents the next import.
  • FTP/SCP Ports Export: Change a port to send files over FTP or Secure Copy Protocol (SCP). You can change the ports for export and patch backup. The default port for FTP is 21. The default port for SSH/SCP/SFTP is 22.
    Note: A zero indicates that Guardium uses the default port.
  • Encrypt Must Gather output: Guardium collects certain data (MustGather information) that IBM support uses if something goes wrong. Select to encrypt MustGather output. Clear to compress, but not encrypt the output.

    You can also turn MustGather encryption on and off from the CLI. For more information, see store encrypt_must_gather.

  • Check for Guardium updates: When selected, information about relevant ad hoc Guardium patches, GPUs, CFPs, bundles, Sniffer patches, and security patches display when you click the Messages icon.
    Note: After you install a patch, it is removed from the list.
  • Datasource connection timeout (seconds): Set the datasource connection timeout. The default is 60 seconds.

When you are done making changes, click Apply to save your changes to the global profile.

Uploading a new logo

You can add or delete a graphic on the Guardium window.

  • To delete the current logo, click Delete.
  • To add a file, click Browse to select a file to upload to the Guardium appliance. Then, click Upload.
  • When you refresh your browser window, the new image is scaled to 60 x 54 pixels and displays in the upper right corner of the Guardium UI. If you have a pre-login message, the image also displays in the message.
    Note: The file name cannot include any of the following characters: Single quotation mark ('), double quotation mark ("), less than sign (<), or greater than sign (>).