CAS Hosts

Once you have defined one or more CAS template sets, and have installed CAS on a database server, you are ready to configure CAS on that host. A CAS host configuration defines one or more CAS instances. Each CAS instance specifies a CAS template set, and defines any parameters needed to connect to the database. For each database server on which CAS is installed, there is a single CAS host configuration, which typically contains multiple CAS instances - for example, one CAS instance to monitor operating system items, and additional CAS instances to monitor individual database instances.

 

Define a CAS Instance

  1. Open the CAS Configuration Navigator

The Hosts box lists all database servers where CAS has been installed and this server has been configured as the primary host.

  2. Use the List Filtering drop-down lists for OS Type or DB Type to aid in filtering the host list and finding the host you would like to modify.

  3. Highlight the Host you wish to modify and click on the Modify button to open the CAS Host Configuration panel.

  4. Click on the Add button to open the CAS Instance Configuration panel and add a template set.

  5. See CAS Instance Configuration Panel for filling in the required fields.

  6. Click Save to save the CAS instance configuration.

 

Finding the Guardium CAS Panel

By default, access to CAS configuration functions is restricted to the admin user and to users who have been assigned the cas role.

  1. Click on the Assess/Harden tab.

You will be taken to another panel where a new lower set of tabs will be displayed for the Assess/Harden process flow.

  2. Click on the Config. Change Control tab.

A process flow for CAS will be displayed.

 

Open the CAS Configuration Navigator

The CAS Configuration Navigator panel is the starting point for creating or modifying CAS Hosts.

To open the CAS Configuration Navigator panel:

  1. Open the CAS panel.

See Finding the Guardium CAS Panel for assistance.

  2. Select Configure CAS hosts or CAS host config.

 

Modify a CAS Instance

  1. Open the CAS Configuration Navigator

The Hosts box lists all database servers where CAS has been installed and this server has been configured as the primary host.

  2. Use the List Filtering drop-down lists for OS Type or DB Type to aid in filtering the host list and finding the host you would like to modify.

  3. Highlight the Host you wish to modify and click on the Modify button to open the CAS Host Configuration panel.

A list of defined CAS instances associated with the selected host configuration will be displayed with the following information and editing options:

Component

Description

Edit Icon

Click the edit icon to modify the CAS instance description for a row.

See CAS Instance Configuration Panel for more information

Instance

The CAS instance name

Type

The database type taken from the template set used, or N/A if the template set is an operating system template set

Monitored Items

A count of items currently monitored by the instance. Click on the link to open the CAS Monitored Items panel which displays the list of all items currently monitored

See Viewing Monitored Item Lists

Template Set

Identifies the CAS template set used by the instance. You can click this link to open the CAS Template Set Definition panel to view or modify the template set definition.

See Modify a Template Set for more information

  4. Click on the Edit Icon to modify a CAS instance configuration.

  5. Click on the Done button after modifying the CAS instance configuration, when you are done with this CAS host configuration.

 

Delete a CAS Instance

  1. Open the CAS Configuration Navigator

The Hosts box lists all database servers where CAS has been installed and this server has been configured as the primary host.

  2. Use the List Filtering drop-down lists for OS Type or DB Type to aid in filtering the host list and finding the host you would like to modify.

  3. Highlight the Host you wish to modify and click on the Modify button to open the CAS Host Configuration panel.

  4. Click on the Edit Icon to modify a CAS instance configuration.

  5. Click on the Delete button to delete the CAS instance for this CAS host configuration.

 

CAS Instance Configuration Panel

For Assessment tests, it is crucial that the information entered here matches what is entered in the Datasource for the assessment. If it does not match, all of the tests requiring CAS data will have the error message "Datasource cannot be found". It is suggested that you use the IP address rather than the hostname when specifying the Datasource. Also make sure that the IP address shown at the top of the form matches the value entered in the Datasource.

 

CAS Instance Configuration - DB2

Component

Description

Instance Name

The name of this CAS host; free-form text.  Doesn't need to name the CAS host. Can be anything. Not used to find the Datasource.

Type

Drop-down list; select "DB2" (Not used to find Datasource) or select N/A for an operating system instance

Template Set

Drop-down list; unless you have cloned the standard Guardium template sets to create your own custom sets, select "Guardium Unix/DB2 Assessment:  UNIX - DB2" for Unix or "Guardium Windows/DB2 Assessment: WIN - DB2" for Windows.  For Unix and Linux, DB2 requires two template sets.  When you have finished setting up this template, you will need to set up a second one.  Everything will be the same, except that for Template Set you choose "Guardium Unix/DB2 File Scan : UNIX - DB2", and for the instance name you can use DB2 File Scan.

OS User

The name of the DB2 instance owner.  "db2inst1" (case-sensitive) for Unix and "db2admin" for Windows.   "db2cmd.exe" must be in $DB2_HOME/bin where $DB2_HOME is the DB home directory entered below, or on the system path.

DB Instance Name

The database name, in this case "sample".  This field must match the value in the Datasource.

DB User

The name of the DB2 user CAS will use.  This must be the same user as the DB user set up for the assessment datasource.

DB Password

The DB2 password for the DB User specified above.  This field should match the Datasource, but is not used in finding the correct Datasource.

Retype Password

Re-enter the database password for verification

DB Home Directory

The home directory for the DB2 instance owner.  For Unix: /home/db2inst1; for Windows, this is the SQLLIB directory for the DB2 database server. For example, with DB2 version 9.1 it is: C:\Program Files\IBM\SQLLIB\.

DB Port

The port on which connections to the DB2 database will be made.  This can be found in /etc/services for Unix or C:\WINDOWS\system32\drivers\etc\services for Windows.  This field must match exactly the value in the datasource. This is particularly important if there are two different database instances with the same name.

Test Connection

(The "Test Connection" is intended for use in verifying that the database information entered is accurate.)

Enable

Indicates whether or not the CAS instance will be used.

Cancel

Cancel the addition or modifications

Delete

Delete the instance from the host configuration

Save

Saves changes

 

CAS Instance Configuration - Informix

Component

Description

Instance Name

The name of this CAS host; free-form text.  Doesn't need to name the CAS host. Can be anything. Not used to find the Datasource.

Type

Drop-down list; select "Informix"  (Not used to find Datasource) or select N/A for an operating system instance

Template Set

Drop-down list; unless you have cloned the standard Guardium template sets to create your own custom sets, select "Guardium Unix/Informix Assessment:  UNIX - INFRMX" for Unix or "Guardium Windows/Informix Assessment: WIN - INFRMX" for Windows.

OS User

The name of the Informix instance owner.  "Informix" (case-sensitive) for Unix and blank for Windows.  "<servicename>.cmd" must be on the system path where <servicename> is the value entered in DB instance name below

DB Instance Name

The name of the Informix instance, which can be found in the $INFORMIXSERVER variable.  This field must match the value in the Datasource.

DB User

The name of the Informix user CAS will use.  This must be the same user as the DB user set up for the assessment datasource.

DB Password

The Informix password for the DB User specified above.  This field should match the Datasource, but is not used in finding the correct Datasource.

Retype Password

Re-enter the database password for verification

DB Home Directory

The directory where the Informix instance is installed.  For example, if the Informix bin folder is /opt/IBM/informix/bin, then use the value "/opt/IBM/informix". For Windows this can be left blank.

DB Port

The port on which connections to the Informix database will be made.  This can be found in /etc/services for Unix or C:\WINDOWS\system32\drivers\etc\services for Windows.  You can also find this information in the SQLHOST.* file.  This field must match exactly the value in the datasource. This is particularly important if there are two different database instances with the same name.

Test Connection

(The "Test Connection" is intended for use in verifying that the database information entered is accurate.)

Enable

Indicates whether or not the CAS instance will be used.

Cancel

Cancel the addition or modifications

Delete

Delete the instance from the host configuration

Save

Saves changes

 

CAS Instance Configuration - Oracle

Component

Description

Instance Name

The name of this CAS host; free-form text (Doesn't need to name the CAS host. Can be anything. Not used to find the Datasource.)

Type

Drop-down list; select "Oracle" (Not used to find Datasource) or select N/A for an operating system instance

Template Set

Drop-down list; unless you have cloned the standard Guardium template sets to create your own custom sets, select "Guardium Unix/Oracle Assessment" or "Guardium Windows/Oracle Assessment" as appropriate

OS User

For Unix, the name of the OS user who owns the Oracle directory tree (case-sensitive); for Windows, leave blank. (Exception: if Windows Authentication is being used for MSSQL, there must be an entry of the form DOMAIN/Username. Otherwise you will not have access to the database.)

CAS needs to access utility programs to collect database configuration data. On Unix, access is through the path of the Oracle user account. If OS User is not set correctly, you will see "No CAS data available" messages for tests where the utility programs could not be found. On Windows, there are requirements on the system configuration. For Oracle, environment variables PERL5LIB and ORACLE_HOME must be defined, and "opatch.bat" must be on the system path. For Informix, "<servicename>.cmd" must be on the system path where <servicename> is the value entered in DB instance name below. For DB2, "db2cmd.exe" must be in $DB2_HOME/bin where $DB2_HOME is the DB home directory entered below, or on the system path.

DB Instance Name

The Oracle SID.  You can determine your Oracle SID in a number of ways; if you have DBA privileges, the most reliable is to issue the query, "select INSTANCE_NAME from V$INSTANCE"; alternatively, you can use the value of the INSTANCE_NAME parameter in your INIT.ORA or SPFILE. from v$database; (This field must match the value in the Datasource.)

DB User

The name of the Oracle user CAS will use.  This must be the same user as the DB user set up for the assessment datasource (This field should match the Datasource, but is not used in finding the correct Datasource.)

DB Password

The Oracle password for the DB User specified above (This field should match the Datasource, but is not used in finding the correct Datasource.)

Retype Password

Re-enter the database password for verification

DB Home Directory

The directory under which the Oracle directory tree (in Oracle 10g and above, usually headed by a "product" directory) is located; e.g., if your Oracle directory tree is /home/oracle10/product, then your DB Home Directory is /home/oracle10.  For Oracle 8 and 9i, the Oracle directory tree is usually headed by a directory named for the Oracle "home" you designated on installation; e.g., if your Oracle directory tree is /home/oracle9/OraHome1, then your DB Home Directory is /home/oracle9. (This field should match the value of $ORACLE_HOME if it has been defined for the Oracle account. This is often different from the home directory of the Oracle account. Indeed, the value shown in the sample form above is incorrect. If this field is set incorrectly, files cannot be found or the wrong files are found, and tests may show "No CAS data available" messages.)

DB Port

The port on which connections to the Oracle database will be made.  This can be found in Oracle’s listener.ora configuration file. (This field must match exactly the value in the datasource. This is particularly important if there are two different database instances with the same name.)

Test Connection

(The "Test Connection" is intended for use in verifying that the database information entered is accurate.)

Enable

Indicates whether or not the CAS instance will be used.

Cancel

Cancel the addition or modifications

Delete

Delete the instance from the host configuration

Save

Saves changes

 

CAS Instance Configuration - SQL Server

Component

Description

Instance Name

The name of this CAS host; free-form text.  Doesn't need to name the CAS host. Can be anything. Not used to find the Datasource.

Type

Drop-down list; select "MS-Sql" (Not used to find Datasource) or select N/A for an operating system instance

Template Set

Drop-down list; unless you have cloned the standard Guardium template sets to create your own custom sets, select "Guardium Windows/MSSQL Assessment:  WIN - MSSQL".

OS User

Can be blank.  If Windows Authentication is being used for MSSQL, there must be an entry of the form DOMAIN/Username. Otherwise you will not have access to the database.

DB Instance Name

The name of the SQL Server instance; this can also be blank.  The port number can be used for connection to the server.  This field must match the value in the Datasource.

DB User

The name of the SQL Server user CAS will use.  This must be the same user as the DB user set up for the assessment datasource.

DB Password

The SQL Server password for the DB User specified above.  This field should match the Datasource, but is not used in finding the correct Datasource.

Retype Password

Re-enter the database password for verification

DB Home Directory

This can be left blank.  

DB Port

The port on which connections to the SQL Server database will be made.  This can be found in SQL Server Configuration Manager for SQL Server 2005 and beyond.  For SQL Server 2000, use Server Network Utility.  This field must match exactly the value in the datasource. This is particularly important if there are two different database instances with the same name.

Test Connection

(The "Test Connection" is intended for use in verifying that the database information entered is accurate.)

Enable

Indicates whether or not the CAS instance will be used.

Cancel

Cancel the addition or modifications

Delete

Delete the instance from the host configuration

Save

Saves changes

 

CAS Instance Configuration - Sybase

Component

Description

Instance Name

The name of this CAS host; free-form text.  Doesn't need to name the CAS host. Can be anything. Not used to find the Datasource.

Type

Drop-down list; select "Sybase" (Not used to find Datasource) or select N/A for an operating system instance

Template Set

Drop-down list; unless you have cloned the standard Guardium template sets to create your own custom sets, select "Guardium Unix/Sybase Assessment:  UNIX - SYBASE" for Unix or "Guardium Windows/Sybase Assessment: WIN - SYBASE" for Windows.

OS User

The name of the Sybase installation owner.  "sybase" for Unix and blank for Windows.

DB Instance Name

The name of the Sybase instance, which can be found in the interfaces file for Unix or sql.ini for Windows.  This field must match the value in the Datasource.

DB User

The name of the Sybase user CAS will use.  This must be the same user as the DB user set up for the assessment datasource.

DB Password

The Sybase password for the DB User specified above.  This field should match the Datasource, but is not used in finding the correct Datasource.

Retype Password

Re-enter the database password for verification

DB Home Directory

The directory where the Sybase software is installed.  For example, if the Sybase bin folder is /home/sybase/ASE-12_5/bin, then use the value "/home/sybase" ($SYBASE). For Windows this can be left blank.

DB Port

The port on which connections to the Sybase database will be made.  This can be found in the interfaces file.  This field must match exactly the value in the datasource. This is particularly important if there are two different database instances with the same name.

Test Connection

A quick test to verify database connectivity for the definition of the instance defined

 

(The "Test Connection" is intended for use in verifying that the database information entered is accurate.)

Enable

Indicates whether or not the CAS instance will be used.

Cancel

Cancel the addition or modifications

Delete

Delete the instance from the host configuration

Save

Saves changes

CAS Instance Configuration - MySQL

Component

Description

Instance Name

The name of this CAS host; free-form text.  Doesn't need to name the CAS host. Can be anything. Not used to find the Datasource.

Type

Drop-down list; select "MySQL"

Template Set

Drop-down list; unless you have cloned the standard Guardium template sets to create your own custom sets, select "Guardium Unix/MySQL Assessment" or "Guardium Windows/MySQL Assessment" as appropriate

OS User

For Unix, the name of the OS user who owns the MySQL directory tree (case-sensitive); for Windows, leave blank

DB Instance Name

"mysql", the name of the database containing the MySQL data dictionary

DB User

The name of the MySQL user CAS will use.  This must be the same user as the DB user set up for the assessment datasource

DB Password

The MySQL password for the DB User specified above

Retype Password

Re-enter the database password for verification

DB Home Directory

The directory under which the MySQL directory tree (usually headed by a "mysql" directory) is located; e.g., if your MySQL directory tree is /home/mysql50/mysql, then your DB Home Directory is /home/mysql50

DB Port

The port on which connections to the MySQL database will be made.  This can be found in MySQL’s my.cnf configuration file.

Test Connection

A quick test to verify database connectivity for the definition of the instance defined

 

(The "Test Connection" is intended for use in verifying that the database information entered is accurate.)

Enable

Indicates whether or not the CAS instance will be used.

Cancel

Cancel the addition or modifications

Delete

Delete the instance from the host configuration

Save

Saves changes

 

Viewing Monitored Item Lists

On the CAS Host Configuration panel, when you click on a Monitored Items link, the complete list of items monitored opens in the CAS Monitored Items panel. The following table describes the components seen on the CAS Monitored Items Panel for this Host Configuration.

Component

Description

Edit Icon

Click on the edit icon to modify the item definition

See Modify a Template Set Item

Item

The name of the monitored item from the description in the CAS Item Template Definition Panel

Type

OS Script or SQL Script: The actual text or the path to an operating system or SQL script, whose output will be compared with the output produced the next time it runs

Environment Variable or Registry Variable: An environment variable or a (Windows) registry variable

File or File Pattern: A specific file or a pattern to identify a set of files

Script content or Variable name or File name or File pattern

Depending on the type selected, this box is labeled as shown to the left and contains the OS or SQL script, environment or registry variable, a file name, or a file name pattern. Enter the script, variable name, file name, or file pattern as appropriate for this type

Period

The average interval between tests, specified as a number of seconds (s), minutes (m), hours (h), or days (d).

Keep Data

If marked, a copy of the actual data is saved with each change. For example, for a file item, a copy of the file is saved. If marked but the size of the raw data for the item is greater than the Raw Data Limit configured for this CAS host, no data will be saved.

Use MD5

Indicates whether or not the comparison is done by calculating a checksum using the MD5 algorithm and comparing that value with the value calculated the last time the item was checked. The default is to not use MD5. If MD5 is used but the size of the raw data is greater than the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison will be skipped. Regardless of whether or not MD5 is used, both the current value of the last modified timestamp for the item and the size of the item are compared with the values saved the last time the item was checked.
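
The comparison rules described for Use MD5, sketched as an added Python example (not Guardium's code): size and last-modified time are always compared, and an MD5 checksum is compared only when it is enabled and the data is within the MD5 Size Limit. The function names, the sample file and the limit values are constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Snapshot:
    """What is remembered about a monitored file between two checks."""
    size: int
    mtime_ns: int
    md5: Optional[str]  # None when MD5 is disabled or was skipped


def take_snapshot(path: str, use_md5: bool, md5_size_limit: int) -> Snapshot:
    st = os.stat(path)
    digest = None
    # Documented rule: MD5 is skipped when the raw data exceeds the size limit.
    if use_md5 and st.st_size <= md5_size_limit:
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return Snapshot(st.st_size, st.st_mtime_ns, digest)


def changed(old: Snapshot, new: Snapshot) -> List[str]:
    """Return the reasons the item counts as changed (empty list = unchanged)."""
    reasons = []
    # Size and last-modified time are compared whether or not MD5 is used.
    if old.size != new.size:
        reasons.append("size")
    if old.mtime_ns != new.mtime_ns:
        reasons.append("mtime")
    # Checksums are comparable only if both checks actually computed one.
    if old.md5 and new.md5 and old.md5 != new.md5:
        reasons.append("md5")
    return reasons


def demo(use_md5: bool, md5_size_limit: int) -> List[str]:
    """Constructed case: content differs, size and timestamp are identical
    (as after a restore or copy that preserves timestamps)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.conf")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"PORT = 1521\n")
        st = os.stat(path)
        before = take_snapshot(path, use_md5, md5_size_limit)
        with open(path, "wb") as f:
            f.write(b"PORT = 1522\n")  # same length, different content
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        after = take_snapshot(path, use_md5, md5_size_limit)
        return changed(before, after)


if __name__ == "__main__":
    print("MD5 off:          ", demo(False, 1_000_000))
    print("MD5 on:           ", demo(True, 1_000_000))
    print("MD5 on, limit 4 B:", demo(True, 4))
```

With MD5 off, or with the item larger than the MD5 size limit, this content change is not reported; that is the trade-off to weigh when leaving Use MD5 at its default or setting a low MD5 Size Limit.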