Linux-UNIX: Using automation tools with the S-TAP and sample scripts

Guardium UNIX S-TAP has many script-based interfaces to assist in the installation, configuration, and maintenance of the UNIX S-TAP agents. The following links provide you with the information necessary to create automation scripts that work in your environment.

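The following Ansible playbooks can be used as examples for installing the S-TAP, activating A-TAP, deactivating A-TAP, and uninstalling the S-TAP. They are samples: several tasks run as root and some ignore command failures, so review the variables and error handling before running them against production database hosts.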

Install S-TAP sample

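---
# Sample play: install the Guardium UNIX S-TAP on every targeted host.
# The install is skipped when a ktap kernel module is already loaded or when
# {{ install_dir }}/guardium already exists. The last tasks confirm that a
# ktap module is loaded afterwards.
- hosts: all
  vars:
    guardium_appliance: my-collector.example.com
    installer_dir: ./
    installer: guard-stap-11.2.0.0_r108838_v11_2_1-rhel-8-linux-x86_64.sh
    # NOTE(review): /var/tmp is typically world-writable. The installer staged
    # here is executed as root, so a root-only staging directory is safer.
    destination: /var/tmp
    install_dir: /usr/local
  tasks:
    - name: Check for previous installation
      block:
        - name: Look for KTAP
          shell: lsmod | grep ktap
          register: lsmod_out
          # grep exits non-zero when no ktap module is loaded; that is an
          # expected answer for this probe, not a failure.
          ignore_errors: true
          changed_when: false
        - name: Look for existing installation directory
          stat:
            path: "{{ install_dir }}/guardium"
          register: guardium_dir
    - name: Installation
      # Both conditions must hold: no install directory and no ktap module.
      when:
        - not guardium_dir.stat.exists
        - lsmod_out.stdout == ""
      block:
        # This play performs no integrity check of the installer. Compare the
        # file with the vendor-published checksum before distributing it,
        # because the next task runs it as root.
        - name: Copy shell installer
          copy:
            src: "{{ installer_dir }}/{{ installer }}"
            dest: "{{ destination }}"
            owner: root
            group: root
            # Quoted so the mode is passed as the octal string it looks like.
            mode: "0755"
          # become is a task keyword; nested under copy it would be rejected
          # as an unknown module parameter.
          become: true
        - name: Run shell installer
          # Every templated value goes through the quote filter so a space or
          # shell metacharacter in a variable cannot alter the command line.
          # The installer flags are passed through exactly as in the sample.
          shell: >-
            {{ (destination ~ '/' ~ installer) | quote }} --ni -k
            --dir {{ install_dir | quote }}
            --tapip {{ ansible_hostname | quote }}
            --sqlguardip {{ guardium_appliance | quote }}
            --ktap_allow_module_combos
          register: installer_output
          become: true
        - debug:
            msg: "{{ installer_output.stderr }}"
        - debug:
            msg: "{{ installer_output.stdout }}"
    # No ignore_errors here: the play fails on any host where no ktap module
    # is loaded at this point, including hosts on which the install was skipped.
    - name: Check KTAP
      shell: lsmod | grep ktap
      register: lsmod_out
      changed_when: false
    - debug:
        msg: "{{ lsmod_out.stdout }}"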

Uninstall S-TAP sample

---
# Sample play: uninstall the S-TAP, reboot if a ktap module is still loaded,
# then fail the host if the module survives the reboot.
# Running this removes the monitoring agent from the host, so limit who may
# run it and keep a record of each run.
- hosts: all
  vars:
    install_dir: /usr/local
  tasks:
    - name: Check if STAP is installed
      stat:
        path: "{{ install_dir }}/guardium/guard_stap/uninstall"
      register: uninstall_script
    - name: Do uninstall
      # Only attempted when the uninstall script was found by the stat above.
      when: uninstall_script.stat.exists == true
      block:
        - name: Run uninstall
          become: true
          shell: "{{ install_dir }}/guardium/guard_stap/uninstall"
          register: uninstall_output
        - debug:
            msg: "{{ uninstall_output.stderr }}"
        - debug:
            msg: "{{ uninstall_output.stdout }}"
    - name: Check if KTAP is loaded
      shell: lsmod | grep ktap
      register: lsmod_ktap
      # A non-zero exit from grep means "not loaded"; it must not stop the play.
      ignore_errors: true
    # The host is rebooted without confirmation whenever a ktap module is still
    # listed. Schedule the play accordingly on database servers.
    - name: Reboot
      become: true
      reboot:
        reboot_timeout: 3600
      when: lsmod_ktap.rc == 0
    - name: Verify no KTAP
      shell: lsmod | grep ktap
      register: result
      # Inverted success test: finding a ktap module (rc 0) is the failure.
      failed_when: result.rc == 0

Activate A-TAP sample

---
# Sample play: activate A-TAP for one Oracle instance.
# Flow, when guardctl does not already list the instance as active:
#   1. make sure the database appears in the IEs shown by guard-config-update,
#      starting the database and running discovery if it does not;
#   2. stop the database if it is running;
#   3. run "guardctl ... activate";
#   4. start the database again if step 2 stopped it.
# NOTE(review): the templated variables are placed into shell command lines
# unquoted. Keep them to values without spaces or shell metacharacters, and do
# not populate them from untrusted input.
- hosts: all
  vars:
    install_dir: /usr/local
    db_user: oracle11
    db_base: /opt/oracle11
    db_home: "{{ db_base }}/product/11.1.0/db_1"
    db_version: 11
    db_type: oracle
    db_instance: oracle11
    # Bookkeeping flags; set_fact flips them to true further down.
    restart_db: false
    stop_db: false
  tasks:
    - name: Check if ATAP is already active
      shell: '{{ install_dir }}/guardium/guard_stap/guardctl list-active | grep "root/{{ db_instance }}"'
      register: atap_grep
      # grep exits non-zero when the instance is not listed; that is the
      # "needs activation" answer, not an error.
      ignore_errors: true
    - name: ATAP is not already active
      when: atap_grep.rc != 0
      block:
        - name: Verify DB is in IEs
          block:
            - name: Grep for DB_HOME in IEs
              shell: '{{ install_dir }}/guardium/guard_stap/guard-config-update --show-ies | grep "db_install_dir[ ]*=[ ]*{{ db_base }}"'
              register: ie_grep
              ignore_errors: true
        - name: Run discovery and re-check IEs
          when: ie_grep.rc != 0
          block:
            # NOTE(review): "oracle11" is hard-coded in this probe instead of
            # coming from db_user or db_instance, so changing the vars alone
            # does not retarget it.
            - name: Check if DB is running
              shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
              register: oracle_ps
              ignore_errors: true
            - name: DB is not running, needs to be started
              when: oracle_ps.rc != 0
              block:
                - name: Run startup command
                  become: true
                  shell: 'su - {{ db_user }} -c "{{ db_base }}/START.sh"'
                  register: cmd_output
                  # A failed start is ignored; the discovery below still runs.
                  ignore_errors: true
                - debug:
                    msg: "{{ cmd_output.stdout }}"
                - debug:
                    msg: "{{ cmd_output.stderr }}"
                # Remember that this play started the database, so it is
                # stopped again after discovery.
                - set_fact:
                    stop_db: true
            - name: Run discovery
              become: true
              shell: "{{ install_dir }}/guardium/guard_stap/guard_discovery {{ install_dir }}/guardium/guard_stap/guard_tap.ini --update_tap"
            # No ignore_errors on the re-check: the play fails here if the
            # database is still missing from the IEs after discovery.
            - name: Grep for DB_HOME in IEs
              shell: '{{ install_dir }}/guardium/guard_stap/guard-config-update --show-ies | grep "db_install_dir[ ]*=[ ]*{{ db_base }}"'
        - name: Leave DB down if it wasn't started
          when: stop_db == true
          block:
            - name: Run shutdown command
              become: true
              shell: 'su - {{ db_user }} -c "{{ db_base }}/STOP.sh"'
              register: cmd_output
              ignore_errors: true
            - debug:
                msg: "{{ cmd_output.stdout }}"
            - debug:
                msg: "{{ cmd_output.stderr }}"
        - name: Check if DB is running
          shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
          register: oracle_ps
          ignore_errors: true
        - name: Shut down database
          when: oracle_ps.rc == 0
          block:
            # NOTE(review): a failed STOP.sh is ignored, so activation can run
            # against a database that is still up; check the printed output.
            - name: Run shutdown command
              become: true
              shell: 'su - {{ db_user }} -c "{{ db_base }}/STOP.sh"'
              register: cmd_output
              ignore_errors: true
            - debug:
                msg: "{{ cmd_output.stdout }}"
            - debug:
                msg: "{{ cmd_output.stderr }}"
            # The database was running before activation, so bring it back
            # afterwards.
            - set_fact:
                restart_db: true
        - name: Activate ATAP
          become: true
          shell: "{{ install_dir }}/guardium/guard_stap/guardctl --db-user={{ db_user }} --db-type={{ db_type }} --db-instance={{ db_instance }} --db-base={{ db_base }} --db-home={{ db_home }} --db-version={{ db_version }}  activate"
        - name: Restart DB
          when: restart_db == true
          block:
            # Unlike the earlier start, a failure here is not ignored.
            - name: Run startup command
              become: true
              shell: 'su - {{ db_user }} -c "{{ db_base }}/START.sh"'
              register: cmd_output
            - debug:
                msg: "{{ cmd_output.stdout }}"
            - debug:
                msg: "{{ cmd_output.stderr }}"

Deactivate A-TAP sample

---
# Sample play: deactivate A-TAP for one Oracle instance.
# When guardctl lists the instance as active, the database is stopped if it is
# running, "guardctl ... deactivate" is run, and the database is started again
# if this play stopped it.
# Deactivation turns A-TAP off for the instance, so limit who may run this play
# and keep a record of each run.
# NOTE(review): the templated variables are placed into shell command lines
# unquoted. Keep them to values without spaces or shell metacharacters.
- hosts: all
  vars:
    install_dir: /usr/local
    db_user: oracle11
    db_base: /opt/oracle11
    db_instance: oracle11
    # restart_db is flipped to true by set_fact when the play stops the
    # database. stop_db is declared but not read by any task in this play.
    restart_db: false
    stop_db: false
  tasks:
    - name: Check if ATAP is active
      shell: '{{ install_dir }}/guardium/guard_stap/guardctl list-active | grep "root/{{ db_instance }}"'
      register: atap_grep
      # grep exits non-zero when the instance is not listed; the play then
      # skips the block below instead of failing.
      ignore_errors: true
    - name: ATAP is active
      when: atap_grep.rc == 0
      block:
        # NOTE(review): "oracle11" is hard-coded in this probe instead of
        # coming from db_user or db_instance.
        - name: Check if DB is running
          shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
          register: oracle_ps
          ignore_errors: true
        - name: Shut down database if is up
          when: oracle_ps.rc == 0
          block:
            # NOTE(review): a failed STOP.sh is ignored, so deactivation can
            # run against a database that is still up; check the output.
            - name: Run shutdown command
              become: true
              shell: 'su - {{ db_user }} -c "{{ db_base }}/STOP.sh"'
              register: cmd_output
              ignore_errors: true
            - debug:
                msg: "{{ cmd_output.stdout }}"
            - debug:
                msg: "{{ cmd_output.stderr }}"
            # The database was running beforehand, so start it again later.
            - set_fact:
                restart_db: true
        - name: Deactivate ATAP
          become: true
          shell: "{{ install_dir }}/guardium/guard_stap/guardctl --db-instance={{ db_instance }} deactivate"
        - name: Restart DB
          when: restart_db == true
          block:
            # A failed start is not ignored: the play stops here.
            - name: Run startup command
              become: true
              shell: 'su - {{ db_user }} -c "{{ db_base }}/START.sh"'
              register: cmd_output
            - debug:
                msg: "{{ cmd_output.stdout }}"
            - debug:
                msg: "{{ cmd_output.stderr }}"