IBM Support

IBM Security Guardium V10 – Unknown Traffic on Guardium - "SYSIBM.SYSDUMMY1"

Troubleshooting


Problem

Guardium is reporting multiple events from the object "SYSIBM.SYSDUMMY1".

 

Symptom

In the "Full SQL By DB User" or "Full SQL By Client IP" report, the Full SQL column shows values such as "SELECT ?, ? , ? FROM SYSIBM.SYSDUMMY1".

 

Cause

These transactions are internal calls (internal to the Guardium appliance). The sniffer creates these false SELECT statements against the SYSIBM.SYSDUMMY1 table so that we can pass across the mainframe user attributes that are unique to the mainframe S-TAP and therefore don't fall into any existing normal Entity and Attribute, such as Workstation User, Workstation Type, etc.

These calls are not actual commands generated against your DB2 database on the mainframe. They are generated by the sniffer (inspection-core) against the logger so that they can be logged into the mainframe attributes on the FULL_SQL Entity.

For detailed information, refer to the "The InfoSphere Guardium Application Event API" section of this link: http://www.ibm.com/developerworks/data/library/techarticle/dm-1105fivemethods/

 

Environment

Guardium V10

Diagnosing The Problem

To check whether you are capturing the SYSIBM.SYSDUMMY1 events:

1) Navigate to Reports > Report Configuration Tools > Report Builder

2) Select a report that has the attribute "SQL", such as "Hourly Access Details". This report produces a highly detailed listing for each DB User Name seen in the reporting period, which is one hour by default for this report. Each row of the report lists a DB User Name, Client IP, Server IP, Period Start, Source Program, SQL (from the SQL entity), and a count of occurrences during the access period.

You can check the list of predefined reports at:

https://www.ibm.com/support/knowledgecenter/en/SSMPHH_10.1.0/com.ibm.guardium.doc/reports/predefined_user_reports.html

3) In the SQL column, check for activity like "SELECT ?, ? , ? FROM SYSIBM.SYSDUMMY1".

Resolving The Problem

The workaround is to use a Logging rule to filter these events out. There are 2 ways to ignore those events:

  1. Add a rule for skipping events with %.SYSDUMMY% in the object field.
  2. Add a clause to the report to filter out the events: Full Sql NOT LIKE %GuardAppEvent%

In the Query Builder, add a rule:

Entity Attribute

FULL SQL  NOT LIKE Value %GuardAppEvent:Start%
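
An added example (not IBM's code) that applies the two patterns above to a constructed report export, so you can see which rows each workaround would hide before enabling it. The CSV column names, the sample rows and the case-insensitive matching are assumptions.

```python
import csv
import io
import re

# Patterns from the two workarounds on this page.
OBJECT_SKIP = "%.SYSDUMMY%"        # skip rule on the object field
FULL_SQL_SKIP = "%GuardAppEvent%"  # report clause: Full Sql NOT LIKE ...

# Constructed sample export: column names and rows are assumptions.
SAMPLE_CSV = """db_user,client_ip,object,full_sql
APPUSR1,192.0.2.5,SYSIBM.SYSDUMMY1,"SELECT 'GuardAppEvent:Start', 'constructed-value' FROM SYSIBM.SYSDUMMY1"
APPUSR1,192.0.2.5,PAYROLL.EMPLOYEE,"SELECT NAME, SALARY FROM PAYROLL.EMPLOYEE"
BATCH01,192.0.2.9,SYSIBM.SYSDUMMY1,"SELECT CURRENT TIMESTAMP FROM SYSIBM.SYSDUMMY1"
"""


def like(value, pattern):
    """SQL LIKE semantics: % is any run of characters, _ is one character."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    # Case-insensitive matching is an assumption of this example.
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def load(text):
    """Parse the exported report text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Return the rows each workaround would hide, plus the difference."""
    by_object = [r for r in rows if like(r["object"], OBJECT_SKIP)]
    by_full_sql = [r for r in rows if like(r["full_sql"], FULL_SQL_SKIP)]
    # Rows the object rule hides that carry no GuardAppEvent marker:
    # review these before choosing the broader object-based rule.
    object_only = [r for r in by_object if r not in by_full_sql]
    return by_object, by_full_sql, object_only


if __name__ == "__main__":
    hidden_obj, hidden_sql, review = triage(load(SAMPLE_CSV))
    print(f"object rule hides {len(hidden_obj)} rows")
    print(f"Full SQL clause hides {len(hidden_sql)} rows")
    for row in review:
        print("hidden only by object rule:", row["db_user"], row["full_sql"])
```
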


 


Document Information

Modified date:
29 November 2018

UID

ibm10737887