Prerequisites, installing and running CAS on a Linux, UNIX server

Learn about the Configuration Auditing System (CAS) prerequisites for Linux® and UNIX servers, and how to install the CAS agent on your database server.

Prerequisites for Linux or UNIX servers

  • CAS works with the following Java™ distributions: IBM®, OpenJDK, or Sun.
  • The CAS server must be a Guardium® collector. The CAS server parameter (CAS_SQLGUARD_IP to install CAS with GIM, or sqlguard_ip if you install CAS from the command line) is required.
Table 1. Disk Space Requirements for Linux or UNIX servers
Disk Space Description

CAS Program files, including Java

AIX® - 309 MB, HP-UX - 630 MB, Linux - 405 MB, Solaris - 390 MB

Java runtime environment (JRE) 1.8 or later is required for CAS. You must obtain and install a JRE yourself (due to licensing constraints).

Table 2. Port Requirements for Linux, UNIX servers
Port Protocol Guardium connection to ...

16017

TCP

Clear CAS

16019

TLS

Encrypted CAS

Installing CAS with GIM

You can install CAS as a bundle with the Guardium Installation Manager (GIM), in the same way you install any other module. Use the following process, which is described in detail in Set up by client, to install CAS with GIM:
  1. Browse to Manage > Module Installation > Set up by Client.
  2. Select the server where you want to install CAS and then click Next.
  3. Select the CAS bundle and click Next.
  4. Enter the Java home parameter for CAS. For more information, see Locating the Java home directory and version.
  5. Click Install to install the CAS bundle.
Note: If your site installed CAS using GIM in v10.6 or earlier, and then you upgrade CAS using GIM, delete and then re-create the Template/Datasource mapping after you upgrade. For more information, see CAS hosts.

Installing CAS client from the command line

Take the following steps to install the CAS client from the CLI:

  1. Log on to the database server system with the root account.
  2. Run the install command:
    <guard-cas-setup>.sh  -- install --java-home <JAVA_HOME> [--install-path <INSTALL_PATH>]
    {--stap-conf <FULL_PATH_TO_GUARD_TAP_INI> | --sqlguard_ip <IP_OF_GUARDIUM_COLLECTOR>}
    
    Where:
    • <guard-cas-setup> - Identifies the name of the script file.
    • -- install - Indicates an installation of CAS.
    • --java-home - Identifies the JAVA_HOME directory.
    • --install-path - Identifies the installation path. You can specify the directory where you want to install the CAS client. Create the directory from root (make sure that the permissions are set to 755). If you do not include a directory in the installation path, Guardium automatically creates the directory for you.
      Note: If you install CAS on an AIX server, make sure that enough space is available to process the data segments (as defined in the data parameter of the AIX /etc/security/limits file). The default, and recommended value, for the data parameter is -1 (unlimited). However, if your site requires an actual value, Guardium suggests that you set this limit to at least 1 GB.

      If you modify /etc/security/limits, you might need to restart your server.

    • You must include one of the following parameters:
      • --stap-conf - Use when the guard_tap.ini file is located in the specified stap-conf directory. The installer uses the guard_tap.ini file as-is.
      • --sqlguard_ip- Use the default .ini file provided by the installer. In this case, the installer modifies the sqlguard_ip key inside the .ini file with the value that is provided by the --sqlguard_ip parameter.
    Note: You must specify either --stap-conf or --sqlguard_ip.
Note: For more information about modifying the guard_tap.ini file, see Editing the S-TAP® configuration parameters

Uninstall a CAS client

Enter the following command to uninstall a CAS client.
Note: To ensure that the CAS client is completely uninstalled, call uninstall from a directory that is above the <INSTALL_PATH>. The CAS files are not removed if you run the command from the <INSTALL_PATH> or any directory underneath it.
<INSTALL_PATH>/bin/guard-cas-setup uninstall

Start and stop CAS from the command line

Depending on your install or uninstall scenario, you might need to start and stop CAS from the command line.

To start or stop CAS, log on to the database server system with the root account. Depending on your operating system, use one of the following methods.
  • For Red Hat® Enterprise Linux 6: Stop or start CAS with the stop cas or start cas commands.
  • For Red Hat Enterprise Linux 7: Stop or start CAS with the systemctl stop guard_cas or systemctl start guard_cas commands.
  • For other operating systems:
    1. Comment out (to stop CAS) or undo the comment (to start CAS) for the CAS agent entry in the /etc/inittab file. By default, the statement is as follows:
      cas:<nnnn>::respawn:/usr/local/guardium/guard_stap/cas/bin/run_wrapper.sh /usr/local/guardium/guard_stap/cas/bin
    2. Save the /etc/inittab file.
    3. Run the init q command
  • To validate whether CAS is running, enter the ps -fe | grep cas command.