CAS Registry Variable Monitoring - Windows


Instructions – CAS Registry Variable Monitoring on Windows

(Additional Information: assess_and_harden_help_book manual)

Requirements:

1) CAS installer (may be combined with the S-TAP installer); it also contains a 32-bit JVM
2) Guardium Collector Hardware or Software Appliance with CAS Installed

Assumptions:

1) We will assume that CAS has been installed and is running
2) We will assume that a V8.0.x Collector Virtual Machine (VM) is running
3) We will assume that the IP Address of the Collector VM is: 10.10.9.248
4) We will assume that the IP Address of your Windows Host is: 10.10.9.240
5) We will assume that the following account exists on the VM: poc/guardium
6) We will assume that we want to monitor the following registry variable:
Variable: DB2COMM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\DB2\PROFILES\DB2

Monitoring Steps:

1) Launch a browser window and navigate to the Collector VM web interface:
URL: https://10.10.9.248:8443
2) Log in using the account specified above (user: poc, password: guardium).
3) Navigate to: Assess/Harden → Config. Change Control → Configure CAS Templates
4) Create a new CAS Template as follows (this example names it WinRegistryVarTest; click apply when finished):

5) Click Add To Set.. once the option becomes available, to add a template item.
6) Create the new CAS Template Item as follows (then click apply when finished).

Note: Variable Names should be entered as: <Key>\<Variable>
Key = HKEY_LOCAL_MACHINE\SOFTWARE\IBM\DB2\PROFILES\DB2
Variable = DB2COMM
Variable Name = HKEY_LOCAL_MACHINE\SOFTWARE\IBM\DB2\PROFILES\DB2\DB2COMM
7) Return to the Assess/Harden → Config. Change Control screen from STEP 3 and select the Configure CAS Hosts option.

8) Select your Windows CAS host from the list box (click modify when finished).

9) Select the template created in STEP 4 (WinRegistryVarTest) and click Add Datasource.
10) Click Add to ensure the template items are included for monitoring.

11) You should now see the template added to the list, as shown below.

12) To inspect the results, proceed to Assess/Harden → Change Reports → Changes.


13) Click the runtime parameter (Customize) icon of the CAS Change Details report, as follows:

Note: This is the same process that was used in the Labs; it is needed because the report's date filters are incorrect.

14) Change the QUERY_FROM and QUERY_TO Dates (click update when finished):

15) Repeat STEPS 13 and 14 above for the CAS Saved Data report.
16) You should now see an entry in the CAS Change Details report, as follows:

Note: You may see additional entries, so be sure to scan to the end of the record set.

17) Similarly, you should now see an entry in the CAS Saved Data Report as follows:

Note: The value in the registry for DB2COMM is actually TCPIP. However, since the author
has run this on a 64-bit system, it appears that additional details have been added related to the
WOW64 subsystem (WoW6432NodeTCPIP) – No Problem.
18) Let us now change the DB2COMM value. Open a command prompt (cmd) and type regedit. Navigate to the key shown in the window below and change the DB2COMM value from TCPIP to NPIPE.

19) To inspect the results, proceed to Assess/Harden → Change Reports → Changes, and observe a new entry in the CAS Saved Data report.

Note: Please click refresh at the bottom of the report if the entry does not appear automatically. Keep in mind that, with the template item configured above, CAS checks for changes every 1 minute.

Note: The value in the registry for DB2COMM is actually NPIPE. However, since the author
has run this on a 64-bit system, it appears that additional details have been added related to the
WOW64 subsystem (WoW6432NodeTCPIP) – No Problem.
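
As an added example (not part of the original document, and not Guardium's own code), the following PowerShell script reads the same registry variable that the CAS template item monitors and compares it against a saved baseline, much as the 1-minute CAS check does. It reads both the 64-bit and the 32-bit (Wow6432Node) registry views explicitly, because on 64-bit Windows a 32-bit process reading HKEY_LOCAL_MACHINE\SOFTWARE is redirected to Wow6432Node; since the CAS installer ships a 32-bit JVM, that redirection is one plausible explanation for the WoW6432Node text in the notes above, although the document itself does not say so. The baseline file path, the script parameters and the output wording are assumptions of this example.

```powershell
# Added example (not part of the original Guardium document): read the registry
# variable that the CAS template item monitors, from both the native and the
# WOW64 registry views, and compare it against a saved baseline the way a
# periodic CAS check would. Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

param(
    # Same <Key>\<Variable> form the CAS template item uses.
    [string]$VariableName = 'HKEY_LOCAL_MACHINE\SOFTWARE\IBM\DB2\PROFILES\DB2\DB2COMM',
    # Baseline file location is an assumption of this example, not a CAS path.
    [string]$BaselinePath = "$env:ProgramData\cas-example-baseline.json"
)

# Split "<Key>\<Variable>" at the last backslash, exactly as the note above describes.
$lastSep   = $VariableName.LastIndexOf('\')
if ($lastSep -lt 1) { throw "Expected <Key>\<Variable>, got '$VariableName'" }
$keyPath   = $VariableName.Substring(0, $lastSep)
$valueName = $VariableName.Substring($lastSep + 1)

# Map the hive prefix to a .NET RegistryHive so the view can be chosen explicitly.
$hiveName, $subKey = $keyPath -split '\\', 2
if (-not $subKey) { throw "Key '$keyPath' has no sub-key below the hive" }
$hive = switch ($hiveName) {
    'HKEY_LOCAL_MACHINE' { [Microsoft.Win32.RegistryHive]::LocalMachine }
    'HKEY_CURRENT_USER'  { [Microsoft.Win32.RegistryHive]::CurrentUser }
    'HKEY_USERS'         { [Microsoft.Win32.RegistryHive]::Users }
    default { throw "Unsupported hive '$hiveName' in '$VariableName'" }
}

function Read-RegistryView {
    param([Microsoft.Win32.RegistryView]$View)
    # OpenBaseKey with an explicit view bypasses WOW64 redirection, so what a
    # 32-bit reader sees and what 64-bit regedit shows can be compared side by side.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    try {
        $k = $base.OpenSubKey($subKey)
        if ($null -eq $k) { return $null }          # key absent in this view
        try { return $k.GetValue($valueName) } finally { $k.Close() }
    } finally { $base.Close() }
}

$current = [ordered]@{
    Variable   = $VariableName
    Registry64 = Read-RegistryView ([Microsoft.Win32.RegistryView]::Registry64)
    Registry32 = Read-RegistryView ([Microsoft.Win32.RegistryView]::Registry32)
    CheckedAt  = (Get-Date).ToString('o')
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline, like the initial CAS saved-data entry.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline saved: 64-bit='$($current.Registry64)' 32-bit='$($current.Registry32)'"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
foreach ($view in 'Registry64', 'Registry32') {
    if ("$($baseline.$view)" -ne "$($current.$view)") {
        # A change in either view is worth reporting; the 32-bit view is the one
        # a WOW64-redirected reader would see.
        Write-Output "CHANGE ($view): '$($baseline.$view)' -> '$($current.$view)'"
    } else {
        Write-Output "No change ($view): '$($current.$view)'"
    }
}
# Advance the baseline so the next run reports only new changes.
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
```

Run the script once to record the baseline, change DB2COMM as in STEP 18, then run it again. If the native and Wow6432Node copies of the key hold separate values, an edit made with 64-bit regedit appears under Registry64 while Registry32 still reports the old value; that difference is what to look for when a CAS report shows something other than the value regedit displays.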

Troubleshooting:

Q: CAS does not appear to be running?

CAS is installed as a Windows service called: casclient

The name of the service is listed in: C:\<Program Files>\Guardium\GUARDIUM_STAP\cas\cas.cfg

1) Ensure the CAS service is running by executing sc query casclient at the command prompt:

2) If the service is not running, start it by executing net start casclient at the command prompt.
3) Check the \cas\Logs\ directory to ensure that the service started; log files should now have been created and entries should have been added to them (i.e. size > 0).

4) Ensure that the CAS client version (host) <= CAS server version (collector). This is easy to verify by opening the cas.log file once the service has been started.

Note: If the CAS client version > CAS server version, CAS will NOT work correctly.
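
As an added example (not part of the original document, and not Guardium's own tooling), the following PowerShell script automates troubleshooting checks 1 to 4 above: it queries the casclient service, optionally starts it, lists the log files in the \cas\Logs\ directory with their sizes, and pulls lines mentioning a version out of cas.log for the client-versus-collector comparison. The install root assumes the C:\<Program Files>\Guardium\GUARDIUM_STAP\cas path given above maps to $env:ProgramFiles; the wording of the version line in cas.log is not given in the document, so matching on the word "version" is an assumption of this example.

```powershell
# Added example (not from the Guardium document): automate the troubleshooting
# checks for the casclient service. Paths follow the document's install
# location; adjust $CasRoot if CAS was installed elsewhere.

param(
    [string]$ServiceName = 'casclient',
    # Assumes the document's C:\<Program Files>\Guardium\GUARDIUM_STAP\cas location.
    [string]$CasRoot     = "$env:ProgramFiles\Guardium\GUARDIUM_STAP\cas",
    [switch]$StartIfStopped
)

# 1) Is the service present and running? (equivalent of: sc query casclient)
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' is not installed; check the service name in $CasRoot\cas.cfg"
    return
}
Write-Output "Service '$ServiceName' status: $($svc.Status)"

# 2) Start it if asked (equivalent of: net start casclient). Needs an elevated prompt.
if ($svc.Status -ne 'Running' -and $StartIfStopped) {
    Start-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    $svc.Refresh()
    Write-Output "Service '$ServiceName' status after start: $($svc.Status)"
}

# 3) Did the service write anything? Log files of size 0 mean it never got going.
$logDir = Join-Path $CasRoot 'Logs'
if (-not (Test-Path $logDir)) {
    Write-Warning "Log directory $logDir not found"
} else {
    Get-ChildItem -Path $logDir -File | ForEach-Object {
        $state = if ($_.Length -gt 0) { 'ok' } else { 'EMPTY' }
        Write-Output ("{0,-30} {1,10} bytes  {2}" -f $_.Name, $_.Length, $state)
    }
}

# 4) Pull version lines from cas.log for the client-vs-collector comparison.
#    The exact wording of the version line is not given in the document, so
#    matching on 'version' is an assumption; compare what it prints against the
#    collector's version by hand (client must be <= collector).
$casLog = Join-Path $logDir 'cas.log'
if (Test-Path $casLog) {
    Select-String -Path $casLog -Pattern 'version' -SimpleMatch |
        Select-Object -Last 5 |
        ForEach-Object { Write-Output "cas.log: $($_.Line.Trim())" }
} else {
    Write-Warning "cas.log not found in $logDir; the service may not have started"
}
```

Run it from an elevated PowerShell prompt when using -StartIfStopped, since starting a service requires administrator rights; the query and log checks work from a normal prompt.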
