Linux-UNIX: Installing the S-TAP client by using the shell installer

Use the shell installer, either in interactive mode or non-interactive mode, to install the S-TAP client on Linux, Solaris, HPUX, and AIX database servers.

Before you begin

  • Verify all Linux-UNIX: S-TAP installation prerequisites.
  • Obtain the correct S-TAP installer script, from either Fix Central, or your Guardium representative. (The installation fails if the version is incorrect.) The script name identifies the database server operating system. The S-TAP package name is in the format: guard-stap-10.6.0.0_r123456_1-rhel-5-linux-x86_64.sh, where the first three numbers are the release number, followed by the revision number, in this example r123456.
  • Alternately, download the consolidated installer that contains support for all versions for a particular operating system. For example, guard-stap-11.4.0.0_r110473_trunk_1-suse.sh can install any suse system of any version or CPU. These packages are much larger than the version-specific packages, though.

About this task

Interactive mode must be run individually on each system, and is therefore recommended for individual S-TAPs. It provides validation at each step, which means less chance of errors. It is useful for smaller deployments or whenever a guided, step-by-step installation experience is required. The system prompts for the basic configuration, and verifies your input immediately, so that the installation does not result in errors.

By default, K-TAP is installed automatically during S-TAP installation. The S-TAP installer checks if the K-TAP is available for the kernel version. If the installation process does not find a matching K-TAP, it attempts to build one to match your Linux kernel. If the K-TAP cannot be installed or does not start, a query is presented to the user whether to continue installation. See Linux-UNIX: Working with K-TAP.

If /tmp is mounted with the noexec option, you can set the shell variable TMPDIR to some other directory that is not mounted noexec (typically ~/tmp). For example, TMPDIR=~/tmp /var/tmp/guard-stap-11.1.0.0_r107068_trunk_1-ubuntu-18.04-linux-x86_64.sh.

If any stage of the installation fails, undo all of the steps up to that point. Do not leave the S-TAP partially installed.

Procedure

  1. Log on to the database server using the root account. (S-TAP must always be installed by root.)
  2. Designate an installation directory and verify it has sufficient disk space, approximately 400 MB - 500 MB total.
  3. Copy the S-TAP installer to the local disk on the database server, typically to /tmp.
  4. For interactive mode, run the installer script.
    ./guard-stap-guard-<release number>_<revision number>_1-rhel-5-linux-x86_64.sh
    The only value that you must enter is the IP address of your Guardium collector, or the collector name. All other values can be left at their defaults. The installer typically prompts as follows.
    Enter the path prefix [/usr/local]?
    Directory /usr/local/guardium/guard_stap does not exist, would you like to create it? [Y/n] 
    System library path [/usr/lib]?
    Run STAP as root, or as user 'guardium'? [R/u] 
    Install STAP as root, or as user 'guardium'? [r/U] 
    Would you like to run guard_discovery? [Y/n] 
    Do you want to configure load balancer functionality? [y/N] 
    IP address of the SQL Guard unit: 
    Do you want to edit the parameters file? [y/N]
    
    If you later update your kernel to another version, we can
    try to load the closest fitting delivered module.  This
    feature is not enabled by default, but we recommend enabling
    it to reduce delays in support.  Note that if all the
    packages require to build natively are installed, a local
    build to generate an exact matching module will be attempted
    prior to looking for non-exact matches.
    Do you wish to enable this feature (y/N/h)?
    
    Iif you choose yes to the prompt Would you like to run guard_discovery? [Y/n], then it runs the guard_discovery once with the --update-tap-flag to initially configure inspection engines. No matter what, it configures guard_discovery --send-to-sqlguard-flag to run once every 24 hours.
  5. For non-interactive mode, enter a command similar to this one, which uses the minimum parameters:
    ./guard-stap-guard-<release number>_<revision number>_1-rhel-5-linux-x86_64.sh -- --ni --dir <guardium_installation_directory>   --tapip <tap_ip or host_name>  --sqlguardip < sqlguard_ip or host_name>
    See the parameter description in Linux-UNIX: S-TAP install script parameters.

What to do next

Verify that the row of the S-TAP has a green status (first column) in Monitor > Maintenance > S-TAP Logs > S-TAP Status