Linux-UNIX: S-TAP guard-config-update parameters for RPM installation and update

Learn about the guard-config-update parameters used for installing an S-TAP agent, and updating its configuration.

You can use the guard-config-update script to update your S-TAP configuration (without using the GUI), whether S-TAP was installed with GIM, RPM, or shell. See Linux-UNIX: Configure S-TAP with guard-config-update.

Table 1. guard-config-update parameters
Parameter Description
--stap-dir S-TAP install directory if not default (default: /usr/local/guardium).
--migrate-to-insights [tenant ID] [routeName] Migrate an S-TAP to Guardium® Insights. Parameters:
tenant ID
The Guardium Insights tenant ID, including the TNT_ prefix.
routeName
The DNS hostname for the Guardium Insights deployment. The DNS hostname is the same as the URL for the UI (without the https:// prefix).
Note: Before migrating the S-TAP, Guardium Insights must have a signed, trusted certificate that the S-TAP can locate. Store the certificate either in the default location (INSTALL_DIR/etc/pki/certs/trusted/ca.cert.pem, where INSTALL_DIR is the Guardium Data Protection installation directory) or configure a different location in guard_tap.ini by using the guardium_ca_path parameter. If you specify a custom location, you must store the certificate manually (that is, you cannot use the push_insights_trust API).

You can also use the migrate_stap_config API to migrate S-TAPs.

--set-tap-ip [IP or hostname] Set tap_ip in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini (default: rh5u9x64t.guard.swg.usma.ibm.com).
--set-sqlguard-ip [IP or hostname] Set sqlguard_ip in SQLGuard_0 section in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini (default: 127.0.0.1).
--add-sqlguard [ID] [IP or hostname] Add SQLGuard_ID section to S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini.
--remove-sqlguard [ID] Remove SQLGuard_ID section from the S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini.
--modify-sqlguard [ID] [parameter] [value] Set SQLGuard_ID section parameter to value in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. Parameters:
sqlguard_ip
IP address or hostname of SQLGuard unit
sqlguard_port
Port used to connect to SQLGuard unit (default: 16016)
primary
Order of preference (1=primary, 2=secondary, 3=tertiary, and so on)
num_main_thread
Number of main connections to use for this SQLGuard, used with participate_in_load_balancing = { 1, 4 } (default: 1)
connection_pool_size
Number of data connections per main connection to SQLGuard unit (default: 0)
--modify-tap [parameter] [value]
Set TAP section parameter to value in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. For the list of guard_tap.ini parameters, see Table 2, guard_tap.ini parameters.
--help-config [option] Show information about an option in the ini, if available (show all available if none specified).
--set-flexload [0 or 1] Controls the K-TAP FlexLoad mechanism: 0: disable, 1: enable.
--retry-ktap-load Retry K-TAP loading (useful after installing dev packages, updating after K-TAP request, or changing flexload; automatically restarts S-TAP).
--discover-ies Run discovery and replace all Inspection Engines with those discovered.
--stop [service] Stop service (S-TAP or monitor) temporarily (Solaris services and inittab treat this as a permanent disable: the service does not auto-start on boot until re-enabled).
--start [service] Start service (S-TAP or monitor) if not already running (implies enable).
--restart [service] Restart service (S-TAP or monitor) if already running.
--disable [service] Prevent service (S-TAP or monitor) from running again.
--enable [service] Configure service (S-TAP or monitor) for automatic start.
--status Show which services are started and if they are configured to start automatically.
--show-tap [option] Shows the value that is currently stored for a parameter in the TAP section of the guard_tap.ini file.
--show-ies Shows the currently configured inspection engines in the guard_tap.ini file.
--set-ktap-prevent-exact-match-build Enable or disable the K-TAP local build. It is recommended to leave the K-TAP local build enabled, which is the default setting when installing.

Table 2. guard_tap.ini parameters
Parameter Description
all_can_control Defines which Guardium system controls this S-TAP. Valid values:
  • 0: S-TAP is controlled by the primary Guardium system only.
  • 1: S-TAP can be controlled by any Guardium system.
tap_debug_output_level Set debugging level (must be an integer >= 0, but not 2 or 3). See tap_debug_output_level.
participate_in_load_balancing Set participate in load balancing (values: 1, 2, 3, 4). (See Linux-UNIX: S-TAP load-balancing models and configuration guidelines).
use_tls Enable TLS (0: no, 1: yes).
hunter_trace Enable UID chain reporting (0: no, 1: yes).
buffer_file_size Buffer file size in MB.
alternate_ips Comma-separated list of alternate IPs/hostnames for S-TAP
firewall_installed Enable firewall (0: no, 1: yes).
firewall_fail_close Action to take when there is no verdict (for example, SQLGuard unreachable or timeout reached) (0: do nothing, 1: block connection)
firewall_default_state Set default state (0: not watched, 1: watched)
firewall_timeout Set firewall timeout in seconds.
firewall_force_watch Comma-separated list of IP/masks to watch even with firewall_default_state=0.
firewall_force_unwatch Comma-separated list of IP/masks to unwatch even with firewall_default_state=1.
qrw_installed Enable or disable the query rewrite feature. When set to 0, all other parameters in this group are ignored. Valid values:
  • 0: Disabled
  • 1: Enabled
qrw_default_state Sets the query rewrite activation trigger. Must be 0 if firewall_default_state=1. Valid values:
  • 0: QRW activated per session when triggered by a rule in the installed policy
  • 1: QRW activated for every session regardless of the installed policy
  • 2: All traffic is watched by default for QRW policy violations, but if no event triggers the watch in the first PRIORITY_COUNT packets, query rewrite is turned off for the session.

    When set to 2, the QRW operation can be modified by the commands: Watch, Drop, Watch & Drop and Unwatch. When a watch command is received while state 2 is in effect, it changes the state from 2 to 1 so that the connection is permanently subject to firewall or query rewrite operations. When a Drop or Watch & Drop is received, the connection is immediately terminated. When an unwatch command is received while state 2 is in effect, it changes the state from 2 to 0 so the connection is no longer subject to firewall or query rewrite operations.

qrw_force_watch Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to watch automatically. Valid when qrw_installed is 1, and qrw_default_state is 0. Cannot be configured to the same IP range as firewall_force_watch.
qrw_force_unwatch Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to exclude from watching. Valid when qrw_installed is 1, and qrw_default_state is 1. Cannot be configured to the same IP range as firewall_force_unwatch.
server_side_masking_installed Enables the server-side masking feature. Valid values:
  • 0=No
  • 1=Yes
server_side_masking_default_state Sets the server-side masking activation trigger. Valid values:
  • 0=SSM activated per session when triggered by a rule in the installed policy.
  • 1=SSM activated for every session regardless of the installed policy.
server_side_masking_force_watch Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are watched automatically. Valid when server_side_masking_installed=1 and qrw_default_state=0.

Cannot be configured to the same range as firewall_force_watch.

server_side_masking_force_unwatch Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are not watched. Valid when server_side_masking_installed is 1 and firewall_default_state is 1.

Cannot be configured to the same range as firewall_force_unwatch.

db_request_handler_enable Allow the database to access K-TAP without manual configuration (requires a defined db_user in the IE section). Valid values:
  • 0: Disabled
  • 1: Enabled
fam_enable Global enable/disable for FAM. Valid values:
  • 0: Disabled
  • 1: Enabled

FAM rules must be defined in order for FAM to run. If rules are not defined, enabling this parameter opens a connection to the Guardium system on port 16022 (or 16023 if using encryption), but FAM remains essentially disabled.

kafka_reader_enabled Enables Cloudera Navigator integration using Kafka publish and consume. Valid values:
  • 0: Disabled
  • 1: Enabled
kafka_bootstrap_servers Required. The comma separated list of host name:port pairs are used to establish the initial connection to the Kafka cluster. After the initial connection is established, all servers in the cluster are used. Consider specifying more than one bootstrap in case one is down. Example: hostnameofbroker1:9092,hostnameofbroker2:9092.
kafka_topic_name Required. The topic name in the Kafka cluster that Cloudera publishes audits to, and that S-TAP reads audits from.
kafka_group_name Required. Assigns the S-TAP to this Kafka consumer group.
kafka_ssl_ca_location Required if kafka_use_tls = 1. Path to the certificate authority (CA) for verifying the Kafka cluster certificate.
kafka_debug
kafka_extra_config
force_server_ip Forces the reported server IP of the database to be the value stored in tap_ip. Valid values:
  • 0: Disabled
  • 1: Enabled
tenant_id To use an S-TAP with Guardium Insights, the Guardium Insights tenant ID is required, including the TNT_ prefix. For example:
tenant_id=TNT_N5YBRAPBWRYAPFLQWABCDE
enable_dynamic_ring_buffers Dynamically adds and removes S-TAP buffers for each main connection during peak traffic to prevent an overflow in the S-TAP buffer. If S-TAP failover happens, data in all buffers is moved to the new buffers.

Valid values:

  • 0: Disabled
  • 1: Enabled
enable_ktap_dynamic_ring_buffers Dynamically adds and removes K-TAP buffers for each main connection during peak traffic, to prevent an overflow in the K-TAP buffer. If K-TAP failover happens, data in all buffers is moved to the new buffers.

Valid values:

  • 0: Disabled
  • 1: Enabled
enable_stap_soft_restart
buffer_percentage_for_priority_packet Allows you to adjust the buffer percentage for priority packets. Increasing the value reserves more space for priority packets.

When Guardium reaches the buffer usage maximum (that is, 100% - buffer_percentage_for_priority_packet), non-priority packets are dropped to help ensure that priority packets get through.

The range is 1 (1%, the default) to 5 (5%).

use_exit_db_type Allows database auto-discovery to discover any databases that have Exit protocols and add those instances to Discovered Instances report.

Valid values:

  • 0: Do not autodiscover databases that have Exit protocols.
  • 1: Discover databases that have Exit protocols. For more information, see Using Exit discovery.
db_exit_list

Discover databases that are supported with Exits. When an Exit database type is discovered, K-TAP is automatically disabled.

When use_db_exit is set to 0, this parameter is ignored.

Valid values (when use_db_exit is set to 1):
  • All - Discovery discovers databases supported with Exit along with other non-Exit databases.
  • None: Discovery does not discover any databases with Exits.
  • <DB type>: Discovery discovers only the specified database. DB type can be: DB2, INFORMIX, NETEZZA, or TERADATA.
stap_buf_mem_percent
load_balancer_node_affinity Whether the S-TAP connects to more than one managed unit, for enterprise load balancing. Some scenarios need all traffic to go to the same collector. With Oracle ATAP, for example, the analyzed client IP only shows if both the encrypted and unencrypted sessions go to the same managed unit. Valid values:
  • 0: Disabled. The S-TAP traffic goes to, at a maximum, the number of managed units specified by load_balancer_num_mus.
  • 1: Enabled. The S-TAP traffic goes to one managed unit, and has, at a maximum, the number of connections (to that managed unit) specified by load_balancer_num_mus.

See load_balancer_num_mus.

guardium_ca_path Location of the Certificate Authority certificate.
sqlguard_cert_cn The common name to expect from the Sqlguard certificate
initial_balancer_mu_group The managed unit group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. The group name is sent with each request.
initial_balancer_tap_group The S-TAP group name to associate with this S-TAP (by the central manager load balancer) when installing an S-TAP. The group name is sent with each request.
load_balancer_recheck_interval
transmit_session_losses_metadata Determines whether to create a SessionLossesMetadata message that reports metadata when packets are dropped for a given session.
Valid values:
  • 0 (disabled). Do not send the SessionLossesMetadata message.
  • 1 (enabled). Send the SessionLossesMetadata, but only when a new collector is found.
discovery_ora_use_port_ranges Enable S-TAP discovery of Oracle databases to combine discovered instances based on port ranges. This setting works with a single unix_domain_socket_marker. Multiple unix_domain_socket_marker configurations require separate instances.
Valid values:
  • 0: disabled
  • 1: enabled
global_session_key
internal_load_balancer_time_interval
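As an added example (not IBM's code and not part of this page), the following Python script reads a guard_tap.ini and checks the [TAP] and [SQLGuard_N] values against the constraints Table 2 states: tap_debug_output_level must be an integer >= 0 other than 2 or 3, qrw_default_state must be 0 when firewall_default_state=1, the qrw and server-side-masking force-watch lists must not repeat a firewall_force_watch or firewall_force_unwatch range, buffer_percentage_for_priority_packet must be 1 to 5, tenant_id must carry the TNT_ prefix, and num_main_thread in a SQLGuard section is only used with participate_in_load_balancing 1 or 4. It assumes the file uses the standard INI syntax shown on this page; the sample configuration embedded in it is constructed for the demo and deliberately inconsistent.

```python
"""Added example (not IBM's tooling): check a guard_tap.ini against the rules
stated in Table 2 and the SQLGuard_N layout from Table 1. Assumes INI syntax
as shown on this page; the sample below is constructed for the demo."""
import configparser
import re

# Constructed sample: deliberately breaks several documented rules.
SAMPLE_INI = """
[TAP]
tap_debug_output_level=2
participate_in_load_balancing=1
use_tls=1
firewall_installed=1
firewall_default_state=1
firewall_force_watch=10.1.1.0/255.255.255.0
qrw_installed=1
qrw_default_state=1
qrw_force_watch=10.1.1.0/255.255.255.0
buffer_percentage_for_priority_packet=7
tenant_id=N5YBRAPBWRYAPFLQWABCDE
db_exit_list=ORACLE
[SQLGuard_0]
sqlguard_ip=10.0.0.10
sqlguard_port=16016
primary=1
num_main_thread=2
[SQLGuard_1]
sqlguard_ip=10.0.0.11
sqlguard_port=abc
"""
# Parameters Table 2 documents as 0/1 switches (subset).
ZERO_ONE_FLAGS = ("all_can_control", "use_tls", "hunter_trace", "firewall_installed",
                  "firewall_fail_close", "firewall_default_state", "qrw_installed",
                  "server_side_masking_installed", "fam_enable", "force_server_ip")
# Watch lists that Table 2 says must not repeat a firewall range.
RANGE_PAIRS = (("qrw_force_watch", "firewall_force_watch"),
               ("qrw_force_unwatch", "firewall_force_unwatch"),
               ("server_side_masking_force_watch", "firewall_force_watch"),
               ("server_side_masking_force_unwatch", "firewall_force_unwatch"))
EXIT_DB_VALUES = {"ALL", "NONE", "DB2", "INFORMIX", "NETEZZA", "TERADATA"}


def _int(section, key):
    """Integer value of key, or None when the key is absent or not numeric."""
    raw = section.get(key)
    return int(raw) if raw is not None and re.fullmatch(r"-?\d+", raw.strip()) else None


def _ranges(section, key):
    """Comma-separated IP/mask list as a set of trimmed entries."""
    return {e.strip() for e in section.get(key, "").split(",") if e.strip()}


def validate_guard_tap_ini(text):
    """Return the list of documented rules the INI text violates (empty = clean)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    tap = cp["TAP"] if cp.has_section("TAP") else {}
    problems = []
    level = _int(tap, "tap_debug_output_level")
    if "tap_debug_output_level" in tap and (level is None or level < 0 or level in (2, 3)):
        problems.append("tap_debug_output_level must be an integer >= 0 other than 2 or 3")
    plb = _int(tap, "participate_in_load_balancing")
    for flag in ZERO_ONE_FLAGS:
        if flag in tap and _int(tap, flag) not in (0, 1):
            problems.append(f"{flag} must be 0 or 1")
    # Firewall / query-rewrite interplay from Table 2.
    qrw_default = _int(tap, "qrw_default_state")
    if "qrw_default_state" in tap and qrw_default not in (0, 1, 2):
        problems.append("qrw_default_state must be 0, 1 or 2")
    if _int(tap, "firewall_default_state") == 1 and qrw_default not in (None, 0):
        problems.append("qrw_default_state must be 0 when firewall_default_state=1")
    for watch_key, fw_key in RANGE_PAIRS:
        for entry in sorted(_ranges(tap, watch_key) & _ranges(tap, fw_key)):
            problems.append(f"{watch_key} and {fw_key} both list {entry}")
    pct = _int(tap, "buffer_percentage_for_priority_packet")
    if "buffer_percentage_for_priority_packet" in tap and (pct is None or not 1 <= pct <= 5):
        problems.append("buffer_percentage_for_priority_packet must be between 1 and 5")
    if "tenant_id" in tap and not tap["tenant_id"].startswith("TNT_"):
        problems.append("tenant_id must include the TNT_ prefix")
    if "db_exit_list" in tap and tap["db_exit_list"].strip().upper() not in EXIT_DB_VALUES:
        problems.append("db_exit_list must be All, None, DB2, INFORMIX, NETEZZA or TERADATA")
    # One [SQLGuard_N] section per collector (--add-sqlguard in Table 1).
    for name in cp.sections():
        if not re.fullmatch(r"SQLGuard_\d+", name):
            continue
        sg = cp[name]
        port = _int(sg, "sqlguard_port")
        if "sqlguard_port" in sg and (port is None or not 1 <= port <= 65535):
            problems.append(f"{name}: sqlguard_port must be a TCP port number (default 16016)")
        if "num_main_thread" in sg and plb not in (1, 4):
            problems.append(f"{name}: num_main_thread is only used with participate_in_load_balancing 1 or 4")
    return problems


if __name__ == "__main__":
    for problem in validate_guard_tap_ini(SAMPLE_INI):
        print("violation:", problem)
```

Run it against a real file with validate_guard_tap_ini(open("/usr/local/guardium/guard_stap/guard_tap.ini").read()) before applying changes with --modify-tap or --modify-sqlguard; an empty list means every rule the script knows about is satisfied. The checks are string comparisons on the documented values, so an entry in qrw_force_watch is only reported as a conflict when it is written exactly the same as the firewall_force_watch entry.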