Linux-UNIX: S-TAP guard-config-update parameters for RPM installation and update
Learn about the guard-config-update parameters used for installing an S-TAP agent, and updating its configuration.
You can use the guard-config-update script to update your S-TAP configuration without using the GUI, whether S-TAP was installed with GIM, RPM, or shell. See Linux-UNIX: Configure S-TAP with guard-config-update.
Parameter | Description |
---|---|
--stap-dir | S-TAP install directory if not default (default: /usr/local/guardium). |
--migrate-to-insights [tenant ID] [routeName] | Migrate an S-TAP to Guardium® Insights, giving the Guardium Insights tenant ID and the route name. Note: Before migrating the S-TAP, Guardium Insights must have a signed, trusted certificate that the S-TAP can locate. Store the certificate either in the default location (INSTALL_DIR/etc/pki/certs/trusted/ca.cert.pem, where INSTALL_DIR is the Guardium Data Protection installation directory) or configure a different location in guard_tap.ini by using the guardium_ca_path parameter. If you specify a custom location, you must store the certificate manually (that is, you cannot use the push_insights_trust API). You can also use the migrate_stap_config API to migrate S-TAPs. |
--set-tap-ip [IP or hostname] | Set tap_ip in the S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. The default shown by the script's help is the local host name (rh5u9x64t.guard.swg.usma.ibm.com on the host where this help text was captured). |
--set-sqlguard-ip [IP or hostname] | Set sqlguard_ip in the SQLGuard_0 section of the S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini (default: 127.0.0.1). |
--add-sqlguard [ID] [IP or hostname] | Add a SQLGuard_ID section to the S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. |
--remove-sqlguard [ID] | Remove the SQLGuard_ID section from the S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. |
--modify-sqlguard [ID] [parameter] [value] | Set a SQLGuard_ID section parameter to value in the S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. Parameters: |
--modify-tap [parameter] [value] | Set a TAP section parameter to value in the S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. For the list of guard_tap.ini parameters, see guard_tap.ini parameters. |
--help-config [option] | Show information about an option in the ini, if available (shows all available options if none is specified). |
--set-flexload [0 or 1] | Controls the K-TAP FlexLoad mechanism: 0: disable, 1: enable. |
--retry-ktap-load | Retry K-TAP loading (useful after installing dev packages, updating after a K-TAP request, or changing flexload; automatically restarts S-TAP). |
--discover-ies | Run discovery and replace all inspection engines with those discovered. |
--stop [service] | Stop the service (S-TAP or monitor) temporarily. Solaris services and inittab treat this as a permanent disable: the service does not auto-start on boot until it is re-enabled. |
--start [service] | Start the service (S-TAP or monitor) if it is not already running (implies enable). |
--restart [service] | Restart the service (S-TAP or monitor) if it is already running. |
--disable [service] | Prevent the service (S-TAP or monitor) from running again. |
--enable [service] | Configure the service (S-TAP or monitor) for automatic start. |
--status | Show which services are started and whether they are configured to start automatically. |
--show-tap [option] | Shows the value currently stored for a parameter in the TAP section of the guard_tap.ini file. |
--show-ies | Shows the currently configured inspection engines in the guard_tap.ini file. |
--set-ktap-prevent-exact-match-build | Enable or disable the K-TAP local build. It is recommended to leave the K-TAP local build enabled, which is the default setting at installation. |
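The certificate prerequisite for --migrate-to-insights is the step most often missed: with a custom guardium_ca_path the S-TAP looks only there, and push_insights_trust will not stage the file for you. The following pre-flight script is an added example, not IBM's tooling. It resolves the path the S-TAP will use (guardium_ca_path from the ini, otherwise the documented default), checks that a readable PEM certificate is there and that the tenant ID carries the TNT_ prefix required later on this page, and only then invokes the migration. It assumes that guard_tap.ini lives at $STAP_DIR/guard_stap/guard_tap.ini, that INSTALL_DIR in the note above is the S-TAP install directory, and that guard-config-update is on PATH (override with the GCU variable; neither assumption is stated on this page).

```shell
#!/bin/sh
# Pre-flight for `guard-config-update --migrate-to-insights`.
# Added example; not IBM's script. Assumptions (not stated on the page):
#   STAP_DIR - S-TAP install dir; the ini is at $STAP_DIR/guard_stap/guard_tap.ini
#              and the default CA location is $STAP_DIR/etc/pki/certs/trusted/ca.cert.pem
#   GCU      - the guard-config-update executable (set to `true` for a dry run)
STAP_DIR="${STAP_DIR:-/usr/local/guardium}"
GCU="${GCU:-guard-config-update}"

# resolve_ca_path INI -> prints the CA certificate path the S-TAP will look in:
# guardium_ca_path from the ini if set, otherwise the documented default location.
resolve_ca_path() {
    custom=$(sed -n 's/^guardium_ca_path=//p' "$1" | head -n 1)
    if [ -n "$custom" ]; then
        printf '%s\n' "$custom"
    else
        printf '%s\n' "$STAP_DIR/etc/pki/certs/trusted/ca.cert.pem"
    fi
}

# migrate_preflight INI TENANT_ID ROUTE -> 0 when the prerequisites visible from
# this host are met, 1 otherwise (every problem found is reported on stderr).
migrate_preflight() {
    ini="$1"; tenant="$2"; route="$3"; ok=0
    ca=$(resolve_ca_path "$ini")
    if [ ! -r "$ca" ]; then
        # With a custom guardium_ca_path the file must be copied by hand;
        # push_insights_trust only populates the default location.
        echo "FAIL: no readable CA certificate at $ca" >&2; ok=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "FAIL: $ca is not a PEM certificate" >&2; ok=1
    fi
    case "$tenant" in
        TNT_?*) ;;
        *) echo "FAIL: tenant ID '$tenant' lacks the TNT_ prefix" >&2; ok=1 ;;
    esac
    [ -n "$route" ] || { echo "FAIL: route name is empty" >&2; ok=1; }
    return "$ok"
}

# migrate_stap TENANT_ID ROUTE -> runs the migration only if the pre-flight passes.
migrate_stap() {
    ini="$STAP_DIR/guard_stap/guard_tap.ini"
    migrate_preflight "$ini" "$1" "$2" || return 1
    "$GCU" --migrate-to-insights "$1" "$2"
}

# usage: sh stap_migrate_check.sh TNT_<tenant> <routeName>
if [ "$#" -eq 2 ]; then migrate_stap "$1" "$2"; fi
```

Run it with GCU=true first to see the pre-flight verdict without touching the S-TAP; the real invocation is identical apart from that variable.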
TAP section parameters (the values that --modify-tap [parameter] [value] accepts):
Parameter | Description |
---|---|
all_can_control | Defines which Guardium system controls this S-TAP. Valid values: |
tap_debug_output_level | Set the debugging level (must be an integer >= 0, but not 2 or 3). See tap_debug_output_level. |
participate_in_load_balancing | Set participation in load balancing (values: 1, 2, 3, 4). See Linux-UNIX: S-TAP load-balancing models and configuration guidelines. |
use_tls | Enable TLS (0: no, 1: yes). |
hunter_trace | Enable UID chain reporting (0: no, 1: yes). |
buffer_file_size | Buffer file size in MB. |
alternate_ips | Comma-separated list of alternate IPs or hostnames for the S-TAP. |
firewall_installed | Enable the firewall (0: no, 1: yes). |
firewall_fail_close | Action to take when there is no verdict (for example, SQLGuard unreachable or timeout reached): 0: do nothing, 1: block the connection. |
firewall_default_state | Set the default state (0: not watched, 1: watched). |
firewall_timeout | Set the firewall timeout in seconds. |
firewall_force_watch | Comma-separated list of IP/masks to watch even when firewall_default_state=0. |
firewall_force_unwatch | Comma-separated list of IP/masks to unwatch even when firewall_default_state=1. |
qrw_installed | Enable or disable the query rewrite feature. When set to 0, all other parameters in this group are ignored. Valid values: |
qrw_default_state | Sets the query rewrite activation trigger. Must be 0 if firewall_default_state=1. Valid values: |
qrw_force_watch | Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to watch automatically. Valid when qrw_installed is 1 and qrw_default_state is 0. Cannot be configured to the same IP range as firewall_force_watch. |
qrw_force_unwatch | Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to exclude from watching. Valid when qrw_installed is 1 and qrw_default_state is 1. Cannot be configured to the same IP range as firewall_force_unwatch. |
server_side_masking_installed | Enables the server-side masking feature. Valid values: |
server_side_masking_default_state | Sets the server-side masking activation trigger. Valid values: |
server_side_masking_force_watch | Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are watched automatically. Valid when server_side_masking_installed=1 and qrw_default_state=0. Cannot be configured to the same range as firewall_force_watch. |
server_side_masking_force_unwatch | Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are not watched. Valid when server_side_masking_installed=1 and firewall_default_state=1. Cannot be configured to the same range as firewall_force_unwatch. |
db_request_handler_enable | Allow the database to access K-TAP without manual configuration (requires a defined db_user in the IE section). Valid values: |
fam_enable | Global enable/disable for FAM. Valid values: FAM rules must be defined for FAM to run. If no rules are defined, enabling this parameter opens a connection to the Guardium system on port 16022 (or 16023 if using encryption), but FAM remains effectively disabled. |
kafka_reader_enabled | Enables Cloudera Navigator integration using Kafka publish and consume. Valid values: |
kafka_bootstrap_servers | Required. Comma-separated list of host name:port pairs used to establish the initial connection to the Kafka cluster. After the initial connection is established, all servers in the cluster are used. Specify more than one bootstrap server in case one is down. Example: hostnameofbroker1:9092,hostnameofbroker2:9092. |
kafka_topic_name | Required. The topic in the Kafka cluster that Cloudera publishes audits to and that S-TAP reads audits from. |
kafka_group_name | Required. Assigns the S-TAP to this Kafka consumer group. |
kafka_ssl_ca_location | Required if kafka_use_tls = 1. Path to the certificate authority (CA) used to verify the Kafka cluster certificate. |
kafka_debug | |
kafka_extra_config | |
force_server_ip | Forces the reported server IP of the database to be the value stored in tap_ip. Valid values: |
tenant_id | To use an S-TAP with Guardium Insights, the Guardium Insights tenant ID is required, including the TNT_ prefix. For example: |
enable_dynamic_ring_buffers | Dynamically adds and removes S-TAP buffers for each main connection during peak traffic to prevent an overflow in the S-TAP buffer. If S-TAP failover happens, data in all buffers is moved to the new buffers. Valid values: |
enable_ktap_dynamic_ring_buffers | Dynamically adds and removes K-TAP buffers for each main connection during peak traffic to prevent an overflow in the K-TAP buffer. If K-TAP failover happens, data in all buffers is moved to the new buffers. Valid values: |
enable_stap_soft_restart | |
buffer_percentage_for_priority_packet | Adjusts the buffer percentage reserved for priority packets; increasing the value reserves more space. When buffer usage reaches the maximum (that is, 100% minus buffer_percentage_for_priority_packet), non-priority packets are dropped so that priority packets get through. The range is 1 (1%, the default) to 5 (5%). |
use_exit_db_type | Allows database auto-discovery to discover databases that have Exit protocols and add those instances to the Discovered Instances report. Valid values: |
db_exit_list | Discover databases that are supported with Exits. When an Exit database type is discovered, K-TAP is automatically disabled. When use_exit_db_type is set to 0, this parameter is ignored. Valid values (when use_exit_db_type is set to 1): |
stap_buf_mem_percent | |
load_balancer_node_affinity | Whether the S-TAP connects to more than one managed unit for enterprise load balancing. Some scenarios need all traffic to go to the same collector: with Oracle ATAP, for example, the analyzed client IP shows only if both the encrypted and unencrypted sessions go to the same managed unit. Valid values: |
guardium_ca_path | Location of the Certificate Authority certificate. |
sqlguard_cert_cn | The common name to expect in the SQLGuard certificate. |
initial_balancer_mu_group | The managed unit group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. The group name is sent with each request. |
initial_balancer_tap_group | The S-TAP group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. The group name is sent with each request. |
load_balancer_recheck_interval | |
transmit_session_losses_metadata | Determines whether to create a SessionLossesMetadata message that reports metadata when packets are dropped for a given session. Valid values: |
discovery_ora_use_port_ranges | Enable S-TAP discovery of Oracle databases to combine discovered instances based on port ranges. This setting works with a single unix_domain_socket_marker; multiple unix_domain_socket_marker configurations require separate instances. Valid values: |
global_session_key | |
internal_load_balancer_time_interval | |
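Several of the constraints in the table above interact (qrw_default_state must be 0 when firewall_default_state=1, the qrw and firewall watch lists must not name the same range, tap_debug_output_level may not be 2 or 3), and --modify-tap applies one parameter at a time, so a single change can leave the file in a state the table forbids. The script below is an added example, not IBM's tooling: it reads the current guard_tap.ini, applies the proposed change to a temporary copy, validates that copy against the constraints the table states, and only then calls guard-config-update --modify-tap. It assumes key=value lines under a [TAP] header, that the ini lives at $STAP_DIR/guard_stap/guard_tap.ini, and that guard-config-update is on PATH (override with GCU); none of these are stated on this page. Parameters whose valid values are not listed here are not checked.

```shell
#!/bin/sh
# Validate a guard_tap.ini against the TAP-section constraints documented above
# before pushing a change with `guard-config-update --modify-tap`.
# Added example; not IBM's script. Assumptions (not stated on the page):
#   - keys are written as key=value under a [TAP] header
#   - GCU is the guard-config-update executable (set to `true` for a dry run)
STAP_DIR="${STAP_DIR:-/usr/local/guardium}"
GCU="${GCU:-guard-config-update}"

# ini_get SECTION KEY FILE -> value of KEY inside [SECTION], or nothing
ini_get() {
    awk -F= -v sect="[$1]" -v key="$2" '
        $0 == sect        { in_s = 1; next }
        /^\[/             { in_s = 0 }
        in_s && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$3"
}

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# overlap LIST_A LIST_B -> 0 if the two comma-separated IP/MASK lists share an entry
overlap() {
    for a in $(printf '%s' "$1" | tr ',' ' '); do
        for b in $(printf '%s' "$2" | tr ',' ' '); do
            [ "$a" = "$b" ] && return 0
        done
    done
    return 1
}

fail() { echo "FAIL: $*" >&2; rc=1; }

# check_tap_ini FILE -> 0 if every documented constraint holds, 1 otherwise
check_tap_ini() {
    f="$1"; rc=0
    v=$(ini_get TAP tap_debug_output_level "$f")
    if [ -n "$v" ] && { ! is_uint "$v" || [ "$v" -eq 2 ] || [ "$v" -eq 3 ]; }; then
        fail "tap_debug_output_level=$v must be an integer >= 0 other than 2 or 3"
    fi
    for k in use_tls hunter_trace firewall_installed firewall_fail_close firewall_default_state; do
        v=$(ini_get TAP "$k" "$f")
        case "$v" in ''|0|1) ;; *) fail "$k=$v must be 0 or 1" ;; esac
    done
    v=$(ini_get TAP participate_in_load_balancing "$f")
    case "$v" in ''|[1-4]) ;; *) fail "participate_in_load_balancing=$v must be 1, 2, 3 or 4" ;; esac
    v=$(ini_get TAP buffer_percentage_for_priority_packet "$f")
    case "$v" in ''|[1-5]) ;; *) fail "buffer_percentage_for_priority_packet=$v must be 1 to 5" ;; esac
    v=$(ini_get TAP tenant_id "$f")
    case "$v" in ''|TNT_?*) ;; *) fail "tenant_id=$v must carry the TNT_ prefix" ;; esac
    # query-rewrite and firewall settings must not contradict each other
    fw=$(ini_get TAP firewall_default_state "$f"); qrw=$(ini_get TAP qrw_default_state "$f")
    if [ "$fw" = 1 ] && [ -n "$qrw" ] && [ "$qrw" != 0 ]; then
        fail "qrw_default_state must be 0 when firewall_default_state=1"
    fi
    if overlap "$(ini_get TAP qrw_force_watch "$f")" "$(ini_get TAP firewall_force_watch "$f")"; then
        fail "qrw_force_watch shares an IP/MASK with firewall_force_watch"
    fi
    if overlap "$(ini_get TAP qrw_force_unwatch "$f")" "$(ini_get TAP firewall_force_unwatch "$f")"; then
        fail "qrw_force_unwatch shares an IP/MASK with firewall_force_unwatch"
    fi
    return "$rc"
}

# ini_set_tap FILE KEY VALUE -> prints FILE with KEY=VALUE in [TAP] (replaced, or added)
ini_set_tap() {
    awk -F= -v key="$2" -v val="$3" '
        /^\[/ { if (in_tap && !done) { print key "=" val; done = 1 }
                in_tap = ($0 == "[TAP]") }
        in_tap && $1 == key && !done { print key "=" val; done = 1; next }
        { print }
        END { if (!done) { if (!in_tap) print "[TAP]"; print key "=" val } }
    ' "$1"
}

# set_tap INI PARAM VALUE -> validates the would-be configuration first, then
# applies it through guard-config-update; a rejected change never reaches the S-TAP.
set_tap() {
    tmp=$(mktemp) || return 1
    ini_set_tap "$1" "$2" "$3" > "$tmp"
    if check_tap_ini "$tmp"; then
        rm -f "$tmp"
        "$GCU" --modify-tap "$2" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# usage: sh stap_set_tap.sh <parameter> <value>
if [ "$#" -eq 2 ]; then set_tap "$STAP_DIR/guard_stap/guard_tap.ini" "$1" "$2"; fi
```

The validation is deliberately done on a copy: the script never writes guard_tap.ini itself, so the file on disk is only ever changed by guard-config-update, which keeps the S-TAP's own view of the configuration authoritative.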