Linux-UNIX: Before you start installing S-TAP

Read these notes before you start to install an S-TAP.

When you install an S-TAP agent, the installation program checks whether the guardium group exists. If the group does not exist, the installation program creates it. If you use certain components or features, such as A-TAP or Db2 Exit, you must add users to this group to ensure proper functioning. These requirements are described in the relevant sections.

The installation process creates log files for the entire S-TAP package (S-TAP, K-TAP, A-TAP, PCAP, and Discovery). The log files are good for troubleshooting failed installations. Locations include /var/tmp, /tmp, and /var/log.

The installation process updates inittab, upstart, and rc scripts.

S-TAP installs into /usr/local/guardium.

When you define the Linux-UNIX: S-TAP install script parameters, Guardium® suggests that you keep the default settings (--userinst and --root). These choices install the files with the guardium user as the owner, but keep the appropriate privileges when the S-TAP runs.

When you define the installation script parameters, you can specify the installer user as either root (--rootinst) or the guardium user (--userinst). When the installer populates the files, it can populate them so they are owned by either the root user or by the guardium user. When the S-TAP runs, it always starts as the user root, but if you specify --user, then the S-TAP drops privileges to the guardium user level after it starts running.

Note: You cannot specify --rootinst with --user because the privileges don't line up. In this case, the installer returns an error and exits.

Additionally, if the files are owned by root, you cannot run as user.

If you choose to run the S-TAP as the guardium user (and not root), you might encounter some issues and limitations. Running S-TAP as the guardium user can cause some databases or protocols to stop working because of permission levels. Verify that the database path or exec file has permissions that allow the user guardium to read it. Depending on your environment, limitations can include:
  • Discovery has limited functionality.
  • Database on AIX® WPAR and Solaris Zones might not work; check the permission to access the installation path or exec file.
  • For Oracle BEQ, restart S-TAP after you start or restart the database.
  • For Informix® shared memory, restart S-TAP after you start or restart the database.
  • For Db2 shared memory:
    • When ktap_fast_shmem is set to 0, if shmctl fails because of permission issues, then in most cases, change the S-TAP to run as root.
    • When ktap_fast_shmem is set to 1, if the shared memory segment has read permission by group, then make sure that the Db2 instance is added to the user (Guardium) group. On each server, only one Db2 configuration is supported.
    • If the shared memory segment has read permission by the Db2 user only, then S-TAP must run as root. (Open a Db2 shared memory session, run the command ipcs -ma, and check MODE on the output.)
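
One way to script the ipcs -ma MODE check from the last bullet, as an added example that is not part of the IBM documentation. It assumes the AIX/Solaris column layout (T ID KEY MODE OWNER GROUP) and a hypothetical Db2 instance owner db2inst1; the sample output is constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. Assumption: "ipcs -ma" prints columns T ID KEY MODE OWNER GROUP ...
# and MODE is 2 flag characters followed by the owner/group/other permission
# triplets, for example --rw-r----- (AIX/Solaris style).

# shm_advice MODE -> prints what the ktap_fast_shmem=1 guidance implies.
shm_advice() {
    mode=$1
    # Expect 11 characters: 2 flags + 9 permission characters.
    if [ "${#mode}" -ne 11 ]; then
        echo "unknown"
        return 1
    fi
    # Skip the 2 flag characters and the 3 owner characters;
    # the next character is the group read bit.
    group_part=${mode#?????}
    case $group_part in
        r*) echo "add-db2-instance-to-guardium-group" ;;
        *)  echo "run-stap-as-root" ;;
    esac
}

# review_segments OWNER -> reads ipcs -ma text on stdin and prints "ID advice"
# for every shared memory segment (T column is "m") owned by OWNER.
review_segments() {
    owner=$1
    while read -r t id key mode seg_owner rest; do
        [ "$t" = "m" ] || continue            # skips headers, queues, semaphores
        [ "$seg_owner" = "$owner" ] || continue
        echo "$id $(shm_advice "$mode")"
    done
}

# Constructed sample output (not captured from a real system).
SAMPLE='T        ID     KEY        MODE       OWNER    GROUP
m   1048576 0x0d2a3f61 --rw-r----- db2inst1 db2iadm1
m   1048577 0x0d2a3f74 --rw------- db2inst1 db2iadm1
m   2097154 0x78000012 --rw-rw-rw-     root   system
q         5 0x4107001c --rw-rw----     root   printq'

# db2inst1 is a hypothetical instance owner; on a live host, pipe
# "ipcs -ma" into review_segments instead of the sample.
demo() { printf '%s\n' "$SAMPLE" | review_segments db2inst1; }
demo
```

A segment that is reported as run-stap-as-root is readable by the Db2 user only, which is the case where the guardium user cannot attach to it.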