ServiceNow modules, Vulnerability Response and Configuration Compliance, are closely related to the IBM Guardium Vulnerability Assessment (VA) application. IBM Guardium customers have requested a certified ServiceNow "plug-in" app, available via the ServiceNow Store, that will synchronize Guardium VA data with ServiceNow to facilitate centralized management and tracking of database and configuration vulnerabilities.

• IBM Guardium version 12.x, 11.5 + Patch 525, or 11.4 + Patch 441 (available in August 2022).
  • Patch v11.4-460 (or greater) adds ability to query the Central Manager for version information.
  • Patch v11.5-525 (or greater) contains several performance fixes.
• IBM Guardium "service" user with Guardium vulnerability-access role (or Guardium admin role) so that the ServiceNow app can use the Guardium REST-API to import data
• (Optional) Apply vulnerability-access role to all existing Guardium data sources to permit the ServiceNow app the ability to update and delete existing data sources which result from changes to ServiceNow CMDB

• Tested on ServiceNow releases: Rome, San Diego, Tokyo, Utah, Vancouver, Washington
• ServiceNow Vulnerability Response module
• (Optional) ServiceNow Vulnerability Response Integration with NVD module
• (Optional) ServiceNow Configuration Compliance module

• You can install this plug-in in one of three ways:
  1. From ServiceNow Store as a certified app
  2. Import from source control (this entire github project)
  3. Update Set: follow instructions in Installation and Test document

• I want to aggregate, view, track, and manage vulnerability scan results in ServiceNow
• I want to track and manage database vulnerability change requests in ServiceNow
• I want to initiate vulnerability scans from ServiceNow

• Integrating IBM Guardium with ServiceNow lets customers enjoy the power of ServiceNow's workflow with IBM Guardium's ability to discover, test, and monitor databases

• GRD-57828: Integration Application for Guardium in ServiceNow for VA content

The "plug-in" on ServiceNow will:

• Provide synchronization of Guardium data source records with ServiceNow data source records. An attempt will be made to find a matching CI (cmdb_ci_db_instance) using a predefined CI Lookup Rule (sn_sec_cmn_ci_lookup_rule)
• Import Guardium managed units (Collectors and Aggregators) into ServiceNow Guardium Server (x_ibmrt_gdpva_server) entries as related items to the Central Manager
• Import Guardium vulnerability tests into ServiceNow as Third Party Vulnerability (sn_vul_third_party_entry) and Configuration Compliance Test (sn_vulc_test) entries
• Import Guardium test result summary data into ServiceNow Guardium Test Result Summary (x_ibmrt_gdpva_test_result_summary)
• Import Guardium test result details into ServiceNow as Vulnerable Item Detection (sn_vul_detection) and Configuration Compliance Test Result (sn_vulc_result) entries
• Link the Vulnerable Item Detection (sn_vul_detection) to the Third Party Test (sn_vul_third_party_entry) performed and to the affected CMDB Database Instance or Catalog (cmdb_ci_db_instance)
• Link the Configuration Compliance Test Result (sn_vulc_result) to the Configuration Compliance Test (sn_vulc_test) performed and to the affected CMDB Database Instance or Catalog (cmdb_ci_db_instance)
• Import Guardium assessment tests (a group of vulnerability tests that run on a group of data sources) which can be triggered manually by ServiceNow UI
• Run selected Assessment Test on selected Managed Unit (Stand-alone, Collector, Aggregator, Central Manager)

Release v1.2.x Scenarios:

• I can view Guardium vulnerability assessment results within ServiceNow Vulnerabilty Response and Configuration Compliance modules
• I can adjust ServiceNow scheduled jobs (IBM Guardium Security > Integrations) to synchronize Guardium data with ServiceNow data and can run scheduled job on demand (Execute Now)
• I can create a Test Exception, re-run Assessment Test, synchronize Test Result Details, and see an open Vulnerable Item (sn_vul_vulnerable_item) automatically closed due to the active Test Exception
• I can run Assessment Test from ServiceNow UI to verify a fix for a failed Test Result
• I can add a script in Database Export to modify the exported Database entry before being added to the Guardium Data Source export queue. For example, it may be desired to add credentials to the Guardium Data Source
• I can adjust the appropriate CI Lookup Rule to match IBM Guardium data source entries to ServiceNow Configuration (cmdb_ci) Items

Overview

GET /restAPI/assessment

• No parameters

PUT /restAPI/execute_assessment

• Body

  {
    "assessmentDescription":"assessment test name",
    "api_target_host":"managed unit host name"
  }

GET /restAPI/managed_units

• Parameters:
  • verbose=1

GET /restAPI/unit_data

• No parameters

GET /restAPI/datasource

• Parameters
  • id="data source id"
  • name="data source name"

POST /restAPI/online_report

• Body

  {
    "reportName":"Data-Sources" | "DataSource Change" | "Available VA tests - detailed" | "Assessment summary" | "Security Assessment Export",
    "reportParameter": {
      "QUERY_FROM_DATE": "NOW -7 DAY", // number of days since last successful import
      "QUERY_TO_DATE": "NOW +1 HOUR",
      "REMOTE_SOURCE": "%",            // managed unit host name
      "SHOW_ALIASES": "no",
    }
    "indexFrom":1,      // or the next page start, like 3001
    "fetchSize":3000,   // configured in Guardium > Settings
    "sortColumn":"column name",
    "sortType":"asc" | "desc"
  }

Managed Units

• "Managed Units" are IBM Guardium application servers often called Collectors and Aggregators. These records will be inserted into a new ServiceNow Guardium Servers (x_ibmrt_gdpva_server) table. They can be seen as a Related List on the Central Manager entry.
• Guardium REST-API: restAPI/managed_units
• The IBM Guardium Field in the table below represents the data received from the Guardium REST-API response. Any {brace notation} represents a calculated value.

Guardium Data Sources

• Guardium Data Source Records

  • Synchronized with ServiceNow Guardium Data Source (x_ibmrt_gdpva_datasource) records
  • Guardium REST-API: restAPI/online_report?reportName=Data Sources
  • The IBM Guardium Field in the table below represents the data received from the Guardium REST-API response. Any brace notation represents a calculated value.

• Fields Used on the "Data-Sources" Report (First-time import)

• Fields Used on the "DataSource Changes" Report

• Database Instance and Catalog Matching
  • If there are existing Guardium data sources upon synchronization with ServiceNow, the application will make best effort to match the Guardium data source with a ServiceNow Database Instance or Database Catalog. FQDN, TCP Port, and information from ServiceNow Database Instance Transform Map will be used to link to the appropriate ServiceNow Database Instance or Catalog. For example, Oracle database_name and sid fields, along with Oracle instance class (ci_cmdb_db_ora_instance), the FQDN, and TCP Port are used to match with an existing ServiceNow Database Instance entry using CI Lookup Rules (sn_sec_cmn_ci_lookup_rule).
  • If no match is found (a database exists in Guardium but not in ServiceNow CMDB), a record is created in the Discovered CI (sn_sec_cmn_src_ci) table and Unmatched CI (sn_sec_cmn_unmatched_ci) table to ensure Vulnerable Item (VIT) and Configuration Compliance (CTR) records can be linked to a CI record. This new record will be referenced in ServiceNow Configuration Compliance Test Result (sn_vulc_result) and Vulnerable Item (sn_vul_vulnerable_item) entries.

• Database Instance Transform Maps
  • A ServiceNow table, Database Instance Transform Maps (x_ibmrt_gdpva_db_instance_transform_map), enhances matching of supported Guardium database types to ServiceNow Database Instance classes and provides custom mapping of DB Instance fields to Guardium Data Source.
  • Used in import of Guardium data sources and export of ServiceNow Database Instances
  • The Database Instance classes shown below are the ones supported by ServiceNow as of "Rome" release and are in common with supported Guardium database types

• Database Export
  • A ServiceNow table, Database Export (x_ibmrt_gdpva_database_export_target), allows customization of the exported Database Instance or Database Catalog record that is about to be inserted into IBM Guardium Security > Data Source list
  • For example, JavaScript code could be added to append credentials to an exported data source record since Guardium requires valid credentials to test, discover, and monitor the data source
  • Once in the IBM Guardium Security > Data Source list, the Data Sources can be exported to Guardium by selecting the rows and choosing "Run Action" from the list actions

Guardium Vulnerability Tests

• Guardium tests will be imported into SericeNow Third-Party Vulnerability Test (sn_vul_third_party_entry) and Configuration Compliance Test (sn_vulc_test) entries

• Guardium REST-API: restAPI/online_report?reportName=Available VA tests - detailed

• The IBM Guardium Field in the table below represents the data received from the Guardium REST-API response. Any brace notation represents a calculated value.

• Fields Used on the "Available VA tests - detailed" Report

Guardium Assessment Tests

• Guardium Assessment Tests are imported into a new ServiceNow table (x_ibmrt_gdpva_assessment_test)
• Last Scan Rating and Last Scan Date are populated by Guardium Test Result Summary data
• Guardium REST-API: restAPI/assessment_test
• The IBM Guardium Field in the table below represents the data received from the Guardium REST-API response. Any brace notation represents a calculated value.

Guardium Test Results

• Assessment Test Result Summary entries are imported into a new ServiceNow table (x_ibmrt_gdpva_test_result_summary)

• The summary information is used in the Test Result Dashboard

• Guardium REST-API: restAPI/online_report?reportName=Assessment summary

• The IBM Guardium Field in the table below represents the data received from the Guardium REST-API response. Any brace notation represents a calculated value.

• Fields Used on the "Assessment summary" Report

• Assessment Test Result Details are imported into Vulnerable Item (sn_vul_vulnerable_item) and Configuration Compliance Test Result (sn_vulc_result) depending on the IBM Guardium Security > Settings field: Test failure type (test_failure_type)

  • (APAR) Authorized programming analysis report
  • (CAS) Configuration Auditing System
  • (CIS) Center for Internet Security
  • (STIG) Security Technical Implementation Guide
  • CIS and STIG
  • (CVE) Common Vulnerabilities and Exposures
  • Guardium Test
  • Reference Manual

• The IBM plug-in makes use of ServiceNow’s sn_vul.DetectionBase "Script Include" library which will record all incidents of a test result: pass, fail, deprecated, and error as ServiceNow Vulnerable Item Detections (sn_vul_detection). If the failed test meets the preferred severities, the DetectionBase script will open a ServiceNow Vulnerable Item (sn_vul_vulnerable_item) record. If the test failed but does not match preferred severities, any open Vulnerable Item (sn_vul_vulnerable_item) will be closed with a "proof" that the severity does not meet preferences.

• The IBM plug-in also makes use of ServiceNow's sn_vulc.ComplianceTestResult "Script Include" library, if available, which will record all incidents of a test result: pass, fail, deprecated, and error as ServiceNow Configuration Compliance Test Results (sn_vulc_result)

• Guardium REST-API: restAPI/online_report?reportName=Security Assessment Export

• The IBM Guardium Field in the table below represents the data received from the Guardium REST-API response. Any brace notation represents a calculated value.

• Fields Used on the "Security Assessment Export" Report

IBM Guardium Security > Test Result Dashboard:

• Last 30 days test results summary
• Last 30 days average CIS test failures
• Last 30 days average CVE test failures
• Last 30 days average STIG test failures

**IBM Guardium Security > Settings **

• Test Result Import
  • Test result score: controls which test scores are considered passed or failed
  • Test result severity: controls which test severities to ignore
  • Report for Vulnerability Tests: you can use a custom report if "Available VA Tests" is not sufficient
  • Report for Test Result Details: you can use a custom report if "Security Assessment Export" is not sufficient
  • Report for Test Result Summary: you can use a custom report if "Assessment summary" is not sufficient
• Database Import
  • Monitor: can be set on database instance, if allowed to create a database instance
  • When a database is discovered: how to handle a Guardium data source that cannot be matched to a ServiceNow Database Instance
• Database Export
  • See Database Export, Database Instance Transform Maps, and Database Catalog Transform Maps for controlling how a ServiceNow database instance is exported to IBM Guardium
  • Report for Data Sources: you can use a custom report if "Data-Sources" is not sufficient
  • Report for Data Source Changes: you can use a custom report if "DataSource Changes" is not sufficient
• Performance Tuning
  • Number of days: control number of previous days of test results to fetch on first synchronization. A smaller number will result in faster import.
  • Guardium REST-API maximum entries: process entries when the number of imported objects meets this number. A greater number may cause a slowdown in ServiceNow instance performance. A smaller number will cause slower performance when importing data.
  • Guardium REST-API page size: how many objects to request per page of a report. A greater number may cause a timeout issue. A smaller number causes more requests.
  • HTTP Outbound Asynchronous Request: Set to true for Tokyo and newer versions. Set to false for Rome and San Diego as async requests coupled with a MID server does not work.
• Other Properties:
  • Maximum attempts: controls how long to wait for an integration to complete when running "Daily" integration
  • HTTP Outbound Request Maximum Timeout: set to 60 seconds
  • HTTP Outbound Request Maximum Timeout Enabled: set to false

ServiceNow Tables Inserted By Plug-in:

• IBM Guardium Assessment Test (x_ibmrt_gdpva_assessment_test)
• IBM Guardium Central Manager (x_ibmrt_gdpva_central_manager)
• IBM Guardium Custom Property (x_ibmrt_gdpva_custom_property)
• IBM Guardium Data Source (x_ibmrt_gdpva_datasource)
• IBM Guardium Data Source Group (x_ibmrt_gdpva_datasource_group) Unused
• IBM Guardium Data Source Group Member (x_ibmrt_gdpva_datasource_group_member) Unused
• IBM Guardium Database Catalog Transform Map (x_ibmrt_gdpva_db_catalog_transform_map) Unused
• IBM Guardium Database Export (x_ibmrt_gdpva_database_export_target)
• IBM Guardium Database Instance Transform Map (x_ibmrt_gdpva_db_instance_transform_map)
• IBM Guardium Log (x_ibmrt_gdpva_log)
• IBM Guardium Settings (x_ibmrt_gdpva_preference)
• IBM Guardium Server (x_ibmrt_gdpva_server)
• IBM Guardium Synchronization (x_ibmrt_gdpva_central_manager_sync)
• IBM Guardium Synchronization Dependency (x_ibmrt_gdpva_sync_dependency) Unused
• IBM Guardium Synchronization Integration Run (x_ibmrt_gdpva_sync_integration)
• IBM Guardium Test Definition (x_ibmrt_gdpva_test_definition)
• IBM Guardium Test Exception (x_ibmrt_gdpva_test_exception) Unused
• IBM Guardium Test Result Summary (x_ibmrt_gdpva_test_result_summary)
• IBM Guardium Vulnerability Integration (x_ibmrt_gdpva_vul_integration)

Modified Tables:

• None

Actions:

• Export Database to Guardium

  • It may be desired to export selected database entries to a different Guardium Central Managers
  • A new ServiceNow Database Instance record will be linked to corresponding Guardium Data Source entry after export
  • Field mapping is the same as the above Guardium Data Sources field map
  • A Business Rule monitors for any new or changed Database Instance. The Database Instance will be immediately copied to the corresponding IBM Guardium Security > Data Source but not exported to Guardium
  • You can manually export the change to Guardium by choosing Run Action list action

• Run Assessment Test

  • Run selected Assessment Test on specified Managed Unit (Collector)

Properties used by the application and their use

• x_ibmrt_gdpva.admin > administrative tables and actions
• x_ibmrt_gdpva.user > user tables and actions
• IBM Guardium user with at least role: vulnerability-assess
• IBM Guardium client ID and client secret
• Oauth 2.0 authentication with IBM Guardium

• Custom tables and role access

• All important information is logged to System Log > Application Logs
• All errors are logged to System Log > Errors
• A preference setting (Verbose, Informational, Error) determines verboseness of the log

• First time database synchronization may take a long time. The code retrieves 200 entries per page, by default.
• If there are more than 5,000 Data Source entries in IBM Guardium, IBM Guardium may be slow to respond to REST-API requests from ServiceNow.
• Set the following properties in ServiceNow to avoid any issue from a slow response:

    glide.http.outbound.max_timeout=60
    glide.http.outbound.max_timeout.enabled=false

Project License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.