InfoSphere® Guardium® Hands-On I Security Policy and Reporting InfoSphere Guardium & Optim Technology Ecosystem Contents Table of Contents 1.PREREQUISITES............................................................................................................ 3 2.SQL AUDITING – INTRODUCTION................................................................................3 2.1Scenario Overview.....................................................................................................3 2.2Scenario Objectives....................................................................................................4 3.CREATING AND INSTALLING THE POLICY.................................................................5 3.1Creating a Security Policy...........................................................................................6 3.1.1Defining the Sensitive Tables Rule.....................................................................9 3.1.2Defining the Test Database Rule......................................................................15 3.1.3Reviewing the Policy Settings...........................................................................18 3.2Installing the Policy...................................................................................................19 3.3Reporting on SQL Constructs...................................................................................20 3.3.1Building the Query and the Report....................................................................20 3.3.2Viewing the Report............................................................................................27 3.4Reporting on SQL with Values..................................................................................32 3.5Creating the Base Query and Tabular Report...........................................................36 4.APPENDIX A: POLICY RULE ACTIONS FOR AUDITING...........................................42 5.APPENDIX B: SAMPLE SQL SCRIPT.........................................................................43 2 1. Prerequisites IMPORTANT This lab requires the completion of the Setup Guardium Using VMware Workstation guide to establish Guardium VM connectivity. 2. SQL Auditing – Introduction Database auditing means monitoring and recording all the SQL statements, configuration changes, and other transactions run against the data server for reference later on. Auditing the data server is often a compliance requirement and is also a best practice to help keep the data server secure. Without data server auditing, it would be nearly impossible to confirm who is performing what functions on a data server. Guardium has an extensive set of functions to help with data server auditing. These functions can help organizations comply with legal mandates, and can also help keep the data well governed and secure. This lab concerns auditing the SQL statements run against the database. Further labs will explain and demonstrate the other auditing functions. 2.1 Scenario Overview A DVD store has recently been made aware that in order to comply with regulatory requirements, and ensure that the data in the database is being used appropriately, they need to implement an auditing system for their data servers. You have been charged with using Guardium to implement this system. There are three databases you are concerned with. The first is a DB2 database named orders that is the production system. The second is a mirror of the first, an Oracle XE database. The third database is a DB2 database named test used for application testing purposes. After consulting with the appropriate subject matter expert and with the customer's help, you define the following requirements: 1. Sensitive tables should be audited at the level of parameter values. Sensitive tables are tables that have columns that involve credit card numbers or other sensitive personal information (eg: Social Security Numbers). For our scenario, the only table with sensitive information is the GUARD.CUSTOMERS table 2. Ignore all SQL run against the test database. The test database is a DB2 database named TEST. We do not need to audit this data because the confidential information located inside it has been masked (ie: deidentified or anonymized) 3. SQL construct should be logged for all other database activity. 3 As you can see, we will not be logging the complete value information for all the objects in the environment. By only logging the data we need, it reduces the performance and storage requirements for the Guardium collector. It is a general best practice that you only audit the information you need to audit, and no more, in order to help keep the system healthy and keep total cost of ownership low. 2.2 Scenario Objectives Objective: To fulfil the SQL auditing requirements listed in Section 2.1 using Guardium SQL statement auditing involves the following basic functions: 1. Using Policies to specify what should be recorded by the Guardium Collector 2. Installing those policies 3. Using Queries to access the data that has been recorded by the appliance 4. Using Reports to define how the data in a query is displayed 5. Placing those reports on a Portlet page for ease of access During this lab you will be performing all these tasks in order to fulfil the requirements. 4 3. Creating and Installing the Policy This section outlines the steps necessary for creating and installing the security policies. Policies are one of the most important components in Guardium. With policies, you can adjust what kind of information is recorded in the Guardium Collector. Policies also allow you to create an additional layer of security using termination and alerting functions. Later presentations and labs will deal specifically with those other functions. This lab concentrates on how policies relate to auditing. Our requirements specify a need to capture differing levels of auditing information depending on what information is being accessed. In Guardium, this translates into setting up a rule for each type of information and selecting an appropriate action for the level of logging desired. Security policies contain rules which specify a grouping of statements and then an action to take. A complete listing of actions can be found in Appendix A. The table below summarizes how our requirements map to those actions. Object Group Business Requirement Rule Action Sensitive Objects (GUARD.CUSTOMERS) Log full SQL statement Log Full Details Test Database (TEST) Do not log Ignore S-TAP Session Others Log only SQL construct Default logging behavior for security policies that do not use selective audit trail. 5 3.1 Creating a Security Policy Policies are just sets of rules. The rules are what determine archiving behaviour. Log in and create a security policy. 1. At the bottom left corner of the “Dataserver” virtual machine, click Computer, then click Firefox. 2. The Firefox homepage is the Guardium GUI, so you should be directed there automatically. If you get a Security Error message, click OK. 6 3. Enter the username: poc and the password: guardium. Click Login 4. Select the Protect tab and then click on Create a new Policy with no Baseline. Baselines are a used to build policies based on previously observed traffic to help identify unusual situations. 7 5. For the new policy enter the information specified below. Policy Description – BC Auditing Reports This is a long form name of the auditing policy Policy Category – CC Data Auditing Categories are just useful organizational mechanisms to help you keep track of the objects you create in Guardium. They do not affect the behaviour of the policy Selective Audit Trail – Not Checked This setting means we will be logging everything unless we specify rules that doesn't log certain database activities. We will ignore the “Flat” options as they are special options used only if you would like to log the audit data to flat files instead of the Guardium relational database. We will also ignore the Audit Pattern field which can also be used to limit what audit data is logged when Selective Audit Trail is selected. Rules can be used to override the default logging behavior, whether it is selective audit trail, which does not log anything by default and requires rules to be defined for any logging to take place, or non-selective audit trail, which by default logs the SQL construct even if a rule is not defined. We will be creating a non-selective audit trail and defining rule to increse the logging level when sensitive object is accessed, and also defining rule to ignore the database session and not log any acticity if it is a session with the test database: 6. Click Apply 7. Click OK at the dialogue that informs you that the policy has been saved. 8 8. Now that we have our policy, we need to define it's behaviour. That is done with rules. Click Edit Rules.... 3.1.1 Defining the Sensitive Tables Rule In this section we will create the rule that fulfills the following requirement: • Sensitive Tables: Log full SQL including parameter values There are three kinds of rules you can add: ▪ ▪ ▪ Access Rules apply to the SQL statements run against the database. Exception Rules apply to SQL errors that are returned by the database such as a failed login attempts. Extrusion Rules apply to data being returned by the database to a client. For our requirements, we only need to define Access Rules. 9 1. Start by clicking Add Access Rule... 10 2. This rule will be designed to fulfil the requirement of auditing the SQL with values for sensitive objects. In the Access Rule Definition page that appears, leave everything blank except for the Rule # 1 Description field. For this field enter Sensitive Objects - Log With Values. We are concerned with tables that have sensitive information contained inside them. As such, let's create a group of those objects. Click on the Group Button ( ) next to the Object field. 11 3. In the popup window, enter the following under the Create New Group section. Group Description – Tables with Sensitive Objects This is the name of the group Group Type Description – OBJECTS This is the type of group. This is important because it defines where the group can be selected from. We choose OBJECTS here because that is the field we were concerned with in the Policy window Group Sub Type Description – TABLES This is an optional field to help you organize your groups. Because the type or object we are listing is tables, it makes sense to put this name here Category – CC Data Auditing This again is an optional field. To help organize things, we give it the same category as we did for our policy 4. Then click Add 5. In the field named Create and add a new Member type GUARD.CUSTOMERS 6. Then click Add 12 7. Also add the Member name without the creator id, so enter CUSTOMERS. 8. Then click Add. 9. Click Back Please Note: One of the features of Guardium is to be able to populate these groups automatically based on their contents. This is explained in the other labs. 10.Next, select your newly created group, Tables with Sensitive Objects, in the Object group drop down menu 13 11.Now, scroll down to the Action section and click add action ( ). 12.Once the add action button is clicked the following appears on the page, 13. On this click on the drop down, and select the field LOG FULL DETAILS 14.Our first rule is set! This should log SQL for all members of our newly created group. Now, click Apply. 14 15.Now click on Save button ( 3.1.2 ). Defining the Test Database Rule In this section, we will create the rule that fulfils the following requirement: • Test Database: Ignore Monitoring 1. Click the Add Access Rule... 2. Enter Test DB – Ignore Monitoring for the description, and TEST for the DB Name. 15 3. Click on Add Action and select IGNORE S-TAP SESSION. This will turn of all the monitoring and logging of the activities performed on the Test Database. 4. Click Apply and then Click Save. 5. We now have two rules set up. It's important to note that both rules will never be applied to one statement in our current setup. If that was our goal, we would have selected the “Continue to Next Rule” option inside the rules. Fortunately, stopping at a rule once satisfied is exactly what our requirements call for. This being said, because we are not continuing on to the next rule, the order of our rules matter for any statement that overlaps any two rules. For our example any statement that uses the GUARD.CUSTOMERS table inside the TEST database. So, we have a decision to make about which rule should apply first to any such 16 statement. Our requirements say that the test data is already masked, so the information inside it does not need to be audited including the statements run against the GUARD.CUSTOMERS table. As such, our Test Database – Ignore Monitoring rule should be applied to those statements first. To do this click the order up button ( ) next to our Test Database – Ignore Monitoring. It should look like the following once ordered: Congratulations! You have now created a policy that has rules that fulfils all the requirements that were specified. 17 3.1.3 Reviewing the Policy Settings That was quite a few steps, so let's take a look at all of the settings to confirm that we have built the rules correctly. The policy page has a convenient method to help you do that. 1. At the policy window, click view the rule settings by clicking the expand buttons ( ) The expanded rules should look like the picture below. The changes we made have been highlighted for a quicker comparison. 2. Once reviewed, click on Protect Tab ( lab. ) to continue with the remaining steps in the 18 3.2 Installing the Policy Once you have created a policy, you need to install it for it to take effect. Installing a Policy applies it to the currently registered inspection engines. 1. Click in Protect tab ( ) and then click the Install Policy icon. 2. Select BC Auditing Requirements from the Policy Installer section and select the Install & Override from the drop down list. 19 3. Click OK at the confirmation box warning you that a new policy is about to be applied 4. You can see the installed policy on the right of the screen as such. You have now successfully created and applied the policy to all currently active inspection engines. An important part of data server auditing is creating reports to easily view the audit data once it is collected. In Guardium you use two mechanisms called Queries and Reports to accomplish the task. Queries draw data from the Guardium Collector, while reports define how to display the data drawn from a query. 3.3 Reporting on SQL Constructs In the previous sections we created a policy that included a rule that dictated that we should log the SQL statement information for all objects except those in the test database. In this section we will build a simple query and report to view that data. 3.3.1 Building the Query and the Report In this section of the lab you will build the report 1. Start by switching to the Monitor/Audit tab and then click on the Build Reports sub-tab and then click on the Track Data Access icon. 20 2. Click on the New... button in the Query Finder view that appears 3. Type All SQL Constructs as the query name because we are most interested in SQL statements, 4. Select SQL as the Main Entity 5. Now, click the Next button 6. In the query editor screen on your new query, expand the Client/Server entity, click on Server Type and then click Add Field 21 7. Follow the same previous steps to add Server IP and DB User Name fields. 8. Scroll down in the entity list and expand Session. Add Timestamp and Database Name 22 9. Scroll down and expand the SQL entity and add the Sql field 10. We have all the fields we need for the report, but the ordering of them could be confusing. Sometimes it's easier if they are organized in terms of a hierarchy. Use the check boxes ( ) and reorder buttons ( ) to reorder the fields Keep reordering until the fields are in the following order: 23 11. We will now add a parameter for a filter based on DB User Name. This can help users of the report to focus on what they are concerned about, filtering out the information they do not need. Scroll back up to the Client/Server entity, click on DB User Name, and select Add Condition 12. In the new Query Condition that appears in the second window, enter the following values: Operator: LIKE Runtime Param.: Parameter DB_Username Note: “DB_Username” is the parameter name not the value that is placed in the condition 24 13. Finally, to again to help the reader of the report, specify that the report be sorted on the timestamp by default. Select the Order-by option, enter 1 for Sort Rank, and select the Descend option. Also Select the Add Count checkbox which allows you to group the same constructs together rather then get the same type of sql constructs recorded on every entry. For example, this would allow you to view how many select statements were made, rather then see an entry for each select statement made. 14. Finally, click the Save button and then the Generate Tabular button 15. We have now built the query. The next steps will create a default tabular report on top of the query just created, this report will be added to the My New Reports portlet. This distinction between queries and reports will be highlighted later. Select OK at the prompt that warns that you will be creating a report and portlet 25 16. Click Ok 17. Click on Add To My New Reports button 18. Click Ok, to add an instance of the report to the My New Reports pane 19. Click Ok 20. We now need to refresh the page, so click on the My New Reports. 26 3.3.2 Viewing the Report In this section we will specify the report parameters and generate some data to view. 1. Click on the newly created All SQL Constructs report on the left. Notice that the report is empty. 2. The report is empty because we have not specified our parameters yet. To do that click on the edit button. 3. Specify GUARD for the DB_Username parameter and click the Update button Note: Normally the QUERY_FROM_DATE and QUERY_TO_DATE parameters are also very important and require changing. In our example, this is not necessary because we are about to execute a series of SQL statements in the next hour 4. Notice that still no data comes up, this is because the no statements have been run using the GUARD user recently 27 5. Let's change that situation. Minimize the Guardium Interface 6. Open a Gnome Terminal window from the Desktop and type the following: cd Scripts/ gedit RunToAudit.sql & 7. This is the script we will be running. Scroll through it and briefly familiarize yourself with it's contents. We will run it on three databases: The DB2 ORDERS database, meant to act as a production environment for our scenario. The ORACLE XE database instance, meant to act as a mirror of the DB2 ORDERS database. And the DB2 TEST database meant to act as a test environment that isn't being audited. We will run the same script on all three databases. A complete copy of the script has also been provided in Appendix B for your reference. 28 8. Type the following commands into the terminal: db2 connect to orders db2 -tvf RunToAudit.sql 9. Wait for the SQL commands to finish executing then enter the following command into the console: db2 terminate 29 10. Now. Lets do the same thing for the TEST database. Enter the following commands into the Terminal: db2 connect to test db2 -tvf RunToAudit.sql 30 11. Wait for the SQL to finish executing. Afterwards, execute the same script on the Oracle database by typing the following into the terminal: db2 terminate sqlplus guard/password @RunToAudit.sql 12. Wait for the SQL to finish executing and close the window 13. Open the Guardium interface back up by clicking on Firefox at the bottom of the screen 14. Click on the All SQL Constructs report again to reload it. 15. Notice that all the SQL statements have been recorded, but no parameter values show. They are instead replaced with question marks (?). This is the result of creating a report with the SQL column. Also note that the statements refer to two databases, the ORACLE XE instance and the DB2 ORDERS database. Now, click on the next page button ( ) 31 Congratulations! You have just created a report that shows SQL constructs being logged for ORDERS database, and the same SQL command executed against the TEST database is not being logged. In the next section, you'll prove that the first requirement has been satisfied. 3.4 Reporting on SQL with Values In this section, we will create a report that displays all the collected data that includes SQL parameter values. 1. Start by clicking on the Monitor/Audit tab and then click on the Build Reports sub-tab and then click on the Track Data Access icon 32 2. Use the Query Name drop down box to select All SQL Constructs 3. We are going to clone this query to help us save time in creating a new one. Click on the Clone button 4. Enter All SQL With Values as the name of the new Query 5. Select the Timestamp and Sql attributes ( ) and then click the delete button ( ) 33 6. Expand the Full SQL Entity. Add the Timestamp and Full Sql fields to the query. 7. Select the Timestamp field ( ) and move it to the front of the report using the up order button ( ). Once moved the order of attributes should be as follows: 8. For the Timestamp field, select Order-by, set Sort Rank to 1, and set Descend 34 9. Now, click Save button, then click Generate Tabular button and then Add to My New Reports button to create a new report to be added to My New Reports list. 10. Select OK at the prompts that warns that you will be creating a report and portlet 11. Click OK 12. Click the My New Reports tab to refresh the report list and click on the All SQL With Values report. Notice it returns no results. Again, this is because we have not yet defined the parameter values for our new report. Click on the Edit button to set the parameters 35 13. Enter GUARD for the DB_Username parameter, then click Update 14. The Report showing SQL with values is now displayed. Three things to notice: 1) The parameters in the report have values, not the question marks that we saw in the previous report. 2) Only the tables named CUSTOMERS are shown, because the policy specifies to Log Full Detail for only those tables 3) Although statements were run against the CUSTOMERS and other tables in the DB2 TEST database, nothing appears as per our requirements 36 Congratulations! You have now created two reports that show that our three requirements have been satisfied: Object Group Business Requirement Selective Audit Action Sensitive Log all SQL with values Objects(GUARD.CUSTOMERS) Log Full Details With Values Test Database (TEST) Ignore Monitoring DB Activity Ignore S-Tap Session Others Log only SQL construct Default logging behavior for security policies that do not use selective audit trail. 3.5 Creating the Base Query and Tabular Report In this section you will create a base query and you will also create a simple tabular report that uses that base query to outline the commands that are run against the database. 1. Click on Build Reports sub-tab and then click on Track Data Access icon 37 2. Click on New... 3. Enter the following values for each on the fields and click the Next button Query Name: Commands Run Against Table Main Entity: Command 4. Expand the Command entity and add the SQL Verb field to the report 38 5. Under Client/Server add DB User Name as a condition. 6. Under Object entity, add Object Name field as a condition. 7. Enter the following values for the two new conditions DB Username: Operator: LIKE Runtime Param.: Parameter DB_Username Object Name: Operator: LIKE Runtime Param.: Parameter Object_Name 8. Select the Add Count and Sort by Count check box at the top of the page. This will sort by the Total Access field that is automatically included in the report that will result from this process 39 9. Click Save to save the query and then click Generate Tabular and then click on Add to My New Reports to create a report from the query and add it to My New Reports portlet. 10. Click OK at the prompts that warns that you will be creating a report and portlet 11. Click OK. 12. Click the My New Reports tab to refresh the report list and click on the Commands Run Against Table report. Now, click on the Edit button in order to set it's parameters 13. Enter the parameters as follows and click Update -DB_Username: -Object_Name: GUARD CUSTOMERS 40 14. This report shows the kinds of SQL requests that were run against all tables named CUSTOMERS that are being audited. 15. A great feature about Guardium is that it allows you to drill down through audit information. To drill down, Double click on the Update row. Now click Show SQL with Values 41 16. The SQL appears. Notice that there are only 6 entries. This is because each statement was run twice, once against the Oracle XE database, and once against the DB2 ORDERS database. In Guardium, it's possible to create and modify your own drill down reports. That topic, however, is out of the scope of this lab. Congratulations! You have just completed Guardium Auditing Lab 1. In this lab you performed the following tasks: 1. Created a non-selective audit policy with two rules that applied to two different classes of SQL statements 2. Installed that policy 3. Created two queries and reports that showed that your policy was correctly configured 4. Create one query and a reports off of it showing the data in tabular format and allowing you to drill down to the details of them. 42 4. Appendix A: Policy Rule Actions for Auditing These actions control the level of logging based on the observed traffic. You define these actions inside rules that are included in a selective audit trail policy. The description of these rules can also be found in the Guardium help documents. 1. Audit Only: Available for a Selective Audit Trail policy only. Log the construct that triggered the rule. For a Selective Audit Trail policy, no constructs are logged by default, so use this command to indicate what does get logged. 2. Log only: Log the policy violation only. Except for the Allow action, a policy violation is logged each time a rule is triggered (unless that action suppresses logging). 1. Log masked details: Log the full SQL for this request, replacing values with question marks (???). 2. Log full details: Log the full SQL, including values, for this request. 3. Log Full Details With Values: Like the above, but in addition, each value will stored as a separate element. This takes more time and space, but speeds searching and reporting tasks later. 4. Log Full Details Per Session: Log the full SQL (including values) for this request and for the remainder of the session 5. Log Full Details Per Session With Values: Like the above, but in addition, each value will stored as a separate element. This takes more time and space, but speeds searching and reporting tasks later. 6. Skip Logging: When matched, do not log a policy violation, and stop logging constructs. This is similar to the Allow action, but it additionally stops the logging of constructs. This action is used to eliminate the logging of constructs for requests that are known to be of no interest. 7. Ignore Responses Per Session: Responses for the remainder of the session will be ignored. This action is useful in cases where you know the database response will be of no interest. 8. Ignore Session: The current request and the remainder of the session will be ignored. This action might be useful if, for example, the database includes a test region, and there is no need to apply policy rules against that region of the database. 9. Ignore S-TAP Session: This action will send the ignore message to the S-TAP just like the standard 'Ignore Session' action but will keep track of this session on the appliance in case another 'Ignore' command should be sent. Using this action will promise that the ignore lists are up to date and in sync with the current policy definitions. 10.Ignore SQL Per Session: No SQL will be logged for the remainder of the session, except when an exception occurs, in which case all exception data (including the SQL causing the exception) will be logged. 11.Quick Parse: For access rules only, for the remainder of the session, WHERE clauses will not be parsed. This reduces parsing time. In this mode all objects accessed can be determined (since objects appear before the WHERE clause), but the exact object instances affected will be unknown, since that is determined by the WHERE clause. 43 5. Appendix B: Sample SQL Script This script is run during the lab on three databases in the environment in order to demonstrate auditing reports and policies. -- 20 Random Select Statements on CUSTOMERS SELECT * FROM CUSTOMERS WHERE CUST_ID='10000'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10006'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10028'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10496'; SELECT * FROM CUSTOMERS WHERE CUST_ID='13519'; SELECT * FROM CUSTOMERS WHERE CUST_ID='18128'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10000'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10006'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10028'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10496'; SELECT * FROM CUSTOMERS WHERE CUST_ID='13519'; SELECT * FROM CUSTOMERS WHERE CUST_ID='18128'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10000'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10006'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10028'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10496'; SELECT * FROM CUSTOMERS WHERE CUST_ID='13519'; SELECT * FROM CUSTOMERS WHERE CUST_ID='18128'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10000'; SELECT * FROM CUSTOMERS WHERE CUST_ID='10006'; -- 6 Random UPDATE Statements on CUSTOMERS UPDATE CUSTOMERS SET CITY='SOUTHBOROUGH' WHERE CUST_ID='10000'; UPDATE CUSTOMERS SET CITY='WESTBOROUGH' WHERE CUST_ID='10000'; UPDATE CUSTOMERS SET CITY='CAMBRIDGE' WHERE CUST_ID='10000'; UPDATE CUSTOMERS SET CITY='ROME' WHERE CUST_ID='10099'; UPDATE CUSTOMERS SET CITY='VENICE' WHERE CUST_ID='10099'; UPDATE CUSTOMERS SET CITY='CORLEONE' WHERE CUST_ID='10099'; -- 3 Random DELETE FROM DELETE FROM DELETE FROM DELETE Statements on CUSTOMERS CUSTOMERS WHERE CUST_ID='10033'; CUSTOMERS WHERE CUST_ID='10036'; CUSTOMERS WHERE CUST_ID='10064'; -- 1 Random INSERT Statement on CUSTOMERS INSERT INTO CUSTOMERS VALUES('13520', 'Vito Corleone', '3840 Byers Lane', NULL, NULL, 'Las Vegas', 'NV', 'US', '02110', '0000', '[email protected]', '951-3776099', 904.86, 'SE331', 'IT', '8297790B', '3088000354660030', 'JCB', '0709', '9597', NULL, NULL); -- 12 Random Select SELECT * FROM ITEMS SELECT * FROM ITEMS SELECT * FROM ITEMS SELECT * FROM ITEMS SELECT * FROM ITEMS SELECT * FROM ITEMS Statements on ITEMS WHERE ITEM_ID='AD100'; WHERE ITEM_ID='AD101'; WHERE ITEM_ID='AD102'; WHERE ITEM_ID='AD103'; WHERE ITEM_ID='AD104'; WHERE ITEM_ID='AD105'; 44 SELECT SELECT SELECT SELECT SELECT SELECT * * * * * * FROM FROM FROM FROM FROM FROM ITEMS ITEMS ITEMS ITEMS ITEMS ITEMS WHERE WHERE WHERE WHERE WHERE WHERE ITEM_ID='AD100'; ITEM_ID='AD101'; ITEM_ID='AD102'; ITEM_ID='AD103'; ITEM_ID='AD104'; ITEM_ID='AD105'; -- 2 Random Update Statement on ITEMS UPDATE ITEMS SET UNIT_PRICE = UNIT_PRICE * 1.1; UPDATE ITEMS SET UNIT_PRICE = UNIT_PRICE - 0.10; -- 9 Random DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE FROM DELETE Statements on DETAILS/ORDERS DETAILS WHERE ITEM_ID='HR170'; ITEMS WHERE ITEM_ID='HR170'; DETAILS WHERE ITEM_ID='HR171'; ITEMS WHERE ITEM_ID='HR171'; DETAILS WHERE ITEM_ID='HR172'; ITEMS WHERE ITEM_ID='HR172'; DETAILS WHERE ITEM_ID='HR173'; ITEMS WHERE ITEM_ID='HR173'; DETAILS WHERE ITEM_ID='HR174'; ITEMS WHERE ITEM_ID='HR174'; DETAILS WHERE ITEM_ID='HR175'; ITEMS WHERE ITEM_ID='HR175'; DETAILS WHERE ITEM_ID='HR176'; ITEMS WHERE ITEM_ID='HR176'; DETAILS WHERE ITEM_ID='HR177'; ITEMS WHERE ITEM_ID='HR177'; DETAILS WHERE ITEM_ID='HR178'; ITEMS WHERE ITEM_ID='HR178'; -- 9 Random INSERT INTO INSERT INTO INSERT INTO INSERT INTO INSERT INTO INSERT INTO INSERT INTO INSERT INTO INSERT INTO INSERTS Statements on ITEMS VALUES('HR170', ITEMS VALUES('HR171', ITEMS VALUES('HR172', ITEMS VALUES('HR173', ITEMS VALUES('HR174', ITEMS VALUES('HR175', ITEMS VALUES('HR176', ITEMS VALUES('HR177', ITEMS VALUES('HR178', ITEMS 'Rocky 1', 'Drama', 'R', 31.00, 28); 'Rocky 2', 'Drama', 'R', 31.00, 28); 'Rocky 3', 'Drama', 'R', 31.00, 28); 'Rocky 4', 'Drama', 'R', 31.00, 28); 'Rocky 5', 'Drama', 'R', 31.00, 28); 'Rocky 6', 'Drama', 'R', 31.00, 28); 'Rocky 7', 'Drama', 'R', 31.00, 28); 'Rocky 8', 'Drama', 'R', 31.00, 28); 'The Running Man', 'Action', 'R', 32.00, 28); 45 © Copyright IBM Corporation 2011 All Rights Reserved. IBM Canada 8200 Warden Avenue Markham, ON L6G 1C7 Canada Printed in Canada 11-01 IBM, IBM (logo), Optim, and DB2 are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Linux is a trademark of Linus Torvalds in the United States, other countries, or both UNIX is a registered trademark of The Open Group in the United States, other countries, or both Windows is a trademark of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. The information in this publication is provided AS IS without warranty. Such information was obtained from publicly available sources, is current as of January 2011, and is subject to change. Any performance data included in the paper was obtained in the specific operating environment and is provided as an illustration. Performance in other operating environments may vary. More specific information about the capabilities of products described should be obtained from the suppliers of those products. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. 46