Linux-UNIX: Using automation tools with the S-TAP and sample scripts
Guardium UNIX S-TAP has many script based interfaces to assist in the installation, configuration, and maintenance of the UNIX S-TAP agents. The following links provide you with the information necessary to create the automation scripts that work in your environment.
The following Ansible playbooks can be used as examples for install, activation of A-TAP, deactivation of A-TAP, and unintall.
Install S-TAP sample
---
- hosts: all
vars:
guardium_appliance: my-collector.example.com
installer_dir: ./
installer: guard-stap-11.2.0.0_r108838_v11_2_1-rhel-8-linux-x86_64.sh
destination: /var/tmp
install_dir: /usr/local
tasks:
- name: Check for previous installation
block:
- name: Look for KTAP
shell: lsmod | grep ktap
register: lsmod_out
ignore_errors: yes
- name: Look for existing installation directory
stat:
path: "{{ install_dir }}/guardium"
register: guardium_dir
- name: Installation
block:
- name: Copy shell installer
copy:
src: "{{installer_dir}}/{{ installer }}"
dest: "{{ destination }}"
owner: root
group: root
mode: 0755
become: yes
- name: Do shell installation
block:
- name: Run shell installer
shell: "{{ destination }}/{{ installer }} --ni -k --dir {{ install_dir }} --tapip {{ ansible_hostname }} --sqlguardip {{ guardium_appliance }} --ktap_allow_module_combos"
register: installer_output
become: yes
- debug:
msg: "{{ installer_output.stderr }}"
- debug:
msg: "{{ installer_output.stdout }}"
when: guardium_dir.stat.exists == false and lsmod_out.stdout == ""
- name: Check KTAP
shell: lsmod | grep ktap
register: lsmod_out
- debug:
msg: "{{ lsmod_out.stdout }}"
Uninstall S-TAP sample
---
- hosts: all
vars:
install_dir: /usr/local
tasks:
- name: Check if STAP is installed
stat:
path: "{{ install_dir }}/guardium/guard_stap/uninstall"
register: uninstall_script
- name: Do uninstall
block:
- name: Run uninstall
shell: "{{ install_dir }}/guardium/guard_stap/uninstall"
register: uninstall_output
become: yes
- debug:
msg: "{{ uninstall_output.stderr }}"
- debug:
msg: "{{ uninstall_output.stdout }}"
when: uninstall_script.stat.exists == true
- name: Check if KTAP is loaded
shell: lsmod | grep ktap
register: lsmod_ktap
ignore_errors: yes
- name: Reboot
reboot:
reboot_timeout: 3600
become: yes
when: lsmod_ktap.rc == 0
- name: Verify no KTAP
shell: lsmod | grep ktap
register: result
failed_when:
- result.rc == 0
Activate A-TAP sample
---
- hosts: all
vars:
install_dir: /usr/local
db_user: oracle11
db_base: /opt/oracle11
db_home: "{{ db_base }}/product/11.1.0/db_1"
db_version: 11
db_type: oracle
db_instance: oracle11
restart_db: false
stop_db: false
tasks:
- name: Check if ATAP is already active
shell: "{{ install_dir }}/guardium/guard_stap/guardctl list-active | grep \"root/{{ db_instance }}\""
ignore_errors: yes
register: atap_grep
- name: ATAP is not already active
block:
- name: Verify DB is in IEs
block:
- name: Grep for DB_HOME in IEs
shell: "{{ install_dir }}/guardium/guard_stap/guard-config-update --show-ies | grep \"db_install_dir[ ]*=[ ]*{{db_base}}\""
ignore_errors: yes
register: ie_grep
- name: Run discovery and re-check IEs
block:
- name: Check if DB is running
shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
register: oracle_ps
ignore_errors: yes
- name: DB is not running, needs to be started
block:
- name: Run startup command
shell: "su - {{ db_user }} -c \"{{ db_base }}/START.sh\""
ignore_errors: yes
register: cmd_output
become: yes
- debug:
msg: "{{ cmd_output.stdout }}"
- debug:
msg: "{{ cmd_output.stderr }}"
- set_fact:
stop_db: true
when: oracle_ps.rc != 0
- name: Run discovery
shell: "{{ install_dir }}/guardium/guard_stap/guard_discovery {{ install_dir }}/guardium/guard_stap/guard_tap.ini --update_tap"
become: yes
- name: Grep for DB_HOME in IEs
shell: "{{ install_dir }}/guardium/guard_stap/guard-config-update --show-ies | grep \"db_install_dir[ ]*=[ ]*{{db_base}}\""
when: ie_grep.rc != 0
- name: Leave DB down if it wasn't started
block:
- name: Run shutdown command
shell: "su - {{ db_user }} -c \"{{ db_base }}/STOP.sh\""
ignore_errors: yes
register: cmd_output
become: yes
- debug:
msg: "{{ cmd_output.stdout }}"
- debug:
msg: "{{ cmd_output.stderr }}"
when: stop_db == true
- name: Check if DB is running
shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
register: oracle_ps
ignore_errors: yes
- name: Shut down database
block:
- name: Run shutdown command
shell: "su - {{ db_user }} -c \"{{ db_base }}/STOP.sh\""
ignore_errors: yes
register: cmd_output
become: yes
- debug:
msg: "{{ cmd_output.stdout }}"
- debug:
msg: "{{ cmd_output.stderr }}"
- set_fact:
restart_db: true
when: oracle_ps.rc == 0
- name: Activate ATAP
shell: "{{ install_dir }}/guardium/guard_stap/guardctl --db-user={{ db_user }} --db-type={{ db_type }} --db-instance={{ db_instance }} --db-base={{ db_base }} --db-home={{ db_home }} --db-version={{ db_version }} activate"
become: yes
- name: Restart DB
block:
- name: Run startup command
shell: "su - {{ db_user }} -c \"{{ db_base }}/START.sh\""
register: cmd_output
become: yes
- debug:
msg: "{{ cmd_output.stdout }}"
- debug:
msg: "{{ cmd_output.stderr }}"
when: restart_db == true
when: atap_grep.rc != 0
Deactivate A-TAP sample
---
- hosts: all
vars:
install_dir: /usr/local
db_user: oracle11
db_base: /opt/oracle11
db_instance: oracle11
restart_db: false
stop_db: false
tasks:
- name: Check if ATAP is active
shell: "{{ install_dir }}/guardium/guard_stap/guardctl list-active | grep \"root/{{ db_instance }}\""
ignore_errors: yes
register: atap_grep
- name: ATAP is active
block:
- name: Check if DB is running
shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
register: oracle_ps
ignore_errors: yes
- name: Shut down database if is up
block:
- name: Run shutdown command
shell: "su - {{ db_user }} -c \"{{ db_base }}/STOP.sh\""
ignore_errors: yes
register: cmd_output
become: yes
- debug:
msg: "{{ cmd_output.stdout }}"
- debug:
msg: "{{ cmd_output.stderr }}"
- set_fact:
restart_db: true
when: oracle_ps.rc == 0
- name: Deactivate ATAP
shell: "{{ install_dir }}/guardium/guard_stap/guardctl --db-instance={{ db_instance }} deactivate"
become: yes
- name: Restart DB
block:
- name: Run startup command
shell: "su - {{ db_user }} -c \"{{ db_base }}/START.sh\""
register: cmd_output
become: yes
- debug:
msg: "{{ cmd_output.stdout }}"
- debug:
msg: "{{ cmd_output.stderr }}"
when: restart_db == true
when: atap_grep.rc == 0