Linux-UNIX: S-TAP Control: Details

These parameters define basic properties of the S-TAP. This topic lists the full set of parameters that can display under Details. Not all parameters display for every type of database server.

Table 1. S-TAP Control: Details parameters
Name Default value Description
Version   Read only. The S-TAP version that is installed on the DB server, added to the file during installation or upgrade only.
Devices none Which network interfaces to listen on. Use ifconfig (or ip link) to find the correct interface names.
Load balancing 0 Controls load balancing to Guardium® systems. Valid values:
  • 0: No load balancing.
  • 1: Load balancing. Traffic is balanced between the primary and secondary servers, which are defined in the SQLGuard section.
  • 2: Redundancy. A fully mirrored S-TAP sends all traffic to all primary and secondary servers, which are defined in the SQLGuard section.
  • 3: Hardware load balancing. An external load balancer, such as F5 or Cisco, sits in front of the collector pool. S-TAP sends its traffic to the load balancer, which forwards it to one of the collectors in the pool.
  • 4: Multiple K-TAP buffers and S-TAP threads are used to split the traffic.
Use the primary parameter in the SQLGUARD section to designate the primary, secondary, tertiary, and any further servers. If this parameter is set to 0 and more than one Guardium system monitors traffic, the non-primary Guardium systems are available for failover.
This parameter is also used in enterprise load balancing. For more information, see Enabling enterprise load balancing and associating an S-TAP with a central manager.
Messages remote   Send messages to the active Guardium host.
  • X mark: Disabled.
  • check mark: Enabled.
Messages syslog   Send messages to syslog.
  • X mark: Disabled.
  • check mark: Enabled.
Trace files dir   The directory in which access tracer files are stored.
Alternate ips NULL Comma-separated list of alternate or virtual IP addresses used to connect to this database server. Needed only when the server has multiple network cards with multiple IPs, or virtual IPs. S-TAP monitors traffic only when the destination IP matches either the S-TAP Host IP defined for this S-TAP or one of the listed alternate IPs; connections to any other address on the host are not captured, so list every virtual IP.
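The following Python script is an added example and is not part of this documentation or of the S-TAP product. It applies the rule above to the addresses actually configured on the database host: every non-loopback IPv4 address that matches neither the S-TAP Host IP (tap_ip) nor an entry in alternate_ips is reported as an address whose traffic S-TAP will not capture, and a candidate alternate_ips value is produced. It reads the one-line-per-address output of `ip -o -4 addr show` rather than ifconfig; the sample output and the addresses in it are constructed.

```python
"""Find database-host addresses that S-TAP will not monitor.

Added example, not IBM code.  S-TAP only captures traffic whose destination
IP is the S-TAP host IP (tap_ip) or one of alternate_ips, so a VIP missing
from both is a silent blind spot.  Parses `ip -o -4 addr show` output.
"""
import re
import subprocess

# Constructed sample of `ip -o -4 addr show` output (not captured from a real host).
SAMPLE_IP_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 10.10.1.5/24 brd 10.10.1.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 10.10.1.50/24 scope global secondary eth0:vip\\       valid_lft forever preferred_lft forever\n"
    "3: eth1    inet 192.168.7.20/24 brd 192.168.7.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
)

# Matches "<idx>: <iface>    inet <a.b.c.d>/<prefix>" at the start of each line.
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d{1,3}(?:\.\d{1,3}){3})/\d+", re.MULTILINE)


def split_list(value):
    """Split a comma-separated S-TAP list such as alternate_ips, ignoring blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def host_addresses(ip_addr_output, skip_loopback=True):
    """Return {interface: [ipv4, ...]} parsed from `ip -o -4 addr show` output."""
    addrs = {}
    for iface, ip in ADDR_RE.findall(ip_addr_output):
        if skip_loopback and ip.startswith("127."):
            continue
        addrs.setdefault(iface, []).append(ip)
    return addrs


def uncovered_addresses(ip_addr_output, tap_ip, alternate_ips=""):
    """Host IPs matching neither tap_ip nor alternate_ips: traffic to them is not monitored."""
    covered = {tap_ip.strip(), *split_list(alternate_ips)}
    present = [ip for ips in host_addresses(ip_addr_output).values() for ip in ips]
    return sorted(ip for ip in present if ip not in covered)


def suggested_alternate_ips(ip_addr_output, tap_ip):
    """Value for alternate_ips that covers every non-loopback address except tap_ip."""
    present = [ip for ips in host_addresses(ip_addr_output).values() for ip in ips]
    return ",".join(ip for ip in present if ip != tap_ip.strip())


def live_uncovered(tap_ip, alternate_ips=""):
    """Run `ip -o -4 addr show` on this host and report uncovered addresses."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                         check=True, capture_output=True, text=True).stdout
    return uncovered_addresses(out, tap_ip, alternate_ips)


if __name__ == "__main__":
    print("uncovered:", uncovered_addresses(SAMPLE_IP_ADDR, "10.10.1.5", "192.168.7.20"))
    print("alternate_ips=" + suggested_alternate_ips(SAMPLE_IP_ADDR, "10.10.1.5"))
```

The live check only sees addresses currently assigned to this node. A cluster or failover VIP that another node holds at the time does not appear in the output, so add such addresses to alternate_ips by hand.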
App. Server User Identification 0 Valid values:
  • 0: S-TAP acts normally, as an agent installed on the database server.
  • 1: S-TAP runs in 'client mode': it swaps S2C and C2S packets to reflect that S-TAP is installed on the client rather than on the DB server. If the other appserver_* parameters are defined, S-TAP also examines HTTP packets on the supplied port to extract session information about the end user of the Java application installed on the client system.
TLS   Select the checkbox to use TLS (SSL) to encrypt traffic between the S-TAP and the Guardium system. This adds roughly 15% CPU usage to the sniffer's S-TAP server component on the collector, which terminates the S-TAP connections; the sniffer's other modules are not affected.

Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible; disable it only where performance is a higher priority than security. When TLS is disabled, the traffic between the S-TAP agent and the Guardium system, including the captured database traffic that the S-TAP forwards, crosses the network in clear text.

Compres. Level 0 Increase the compression level to reduce the number of bytes sent between the S-TAP and the collector. Raising it is recommended where latency between data centers is high. Compression costs CPU on both ends (the S-TAP and the collector's sniffer); disk usage is not affected. Valid values:
  • 0: No compression
  • 1: Best speed
  • 9: Highest compression
All can control X mark Defines which Guardium systems can control this S-TAP. Valid values:
  • X mark: The S-TAP is controlled by the primary Guardium system only.
  • check mark: The S-TAP can be controlled by any Guardium system it reports to. This widens the set of systems able to change the agent's configuration, so enable it only where that is needed.
Load balancer host name or IP address   The IP address or hostname of the central manager or managed unit that this S-TAP uses for enterprise load balancing. Required for enterprise load balancing; if blank, enterprise load balancing is disabled.
Managed Units 1 The number of managed units the enterprise load balancer allocates for this S-TAP.
Include client IP in UID chain for SSH daemon X mark Add an SSH client IP:port pair to the UID chain when SSH is identified as one of the processes in the chain. Valid values:
  • X mark: Disabled.
  • check mark: Enabled.
OS type   Read only. The operating system running on the database server.
DB request handler X mark Allows the database to access K-TAP without manual configuration (requires a DB user defined in the Inspection Engines section). Valid values:
  • X mark: Disabled.
  • check mark: Enabled.
Cassandra audit X mark Create a file appender pipe for Cassandra/Datastax with native audit logging. Valid values:
  • X mark: Disabled.
  • check mark: Enabled.
Cassandra audit delimiter GUARD_DELIM Delimiter used by the Cassandra audit reader. Valid values:
  • printable ASCII characters a-z A-Z 0-9 - _ ! @ # $ % ^ & * ( )
Restricted logging 0 Controls restricted logging on the collector. Use this to evaluate how many records an SQL command affects while masking the query text itself. This parameter can only be set by the root user on the DB server. Valid values:
  • 0: Unrestricted.
  • 1: Log with masking. Only logins are allowed; sent packets are flagged with LOGALWAYSMASK. This value forces encryption on in the S-TAP regardless of any other setting, and traffic is sent to the collector only after the collector has acknowledged that it is aware of the parameter value. Until then, the S-TAP logs a message that traffic cannot be sent, and its status is red in the S-TAP Control page.
  • 2: All packets are allowed; sent packets are flagged with LOGACCESSONLY.
SQL configuration properties directory   Relevant for Oracle Unified Auditing. The directory containing the tnsnames.ora file that describes the connections to the databases to be monitored.
LD library paths   Relevant for Oracle Unified Auditing. The path to the Oracle Instant Client libraries installed on the system.
Discovery interval   The interval at which the S-TAP reports database instance discovery results to the collector. Select this option only to change the default of 24 hours. When you select it, the UI shows two radio buttons, Hour and Minute; type any positive integer to set the discovery interval in hours or minutes.
Clear the Enable discovery interval checkbox to disable it.
Wait for DB exec   When S-TAP restarts, either after a system reboot or after user-initiated S-TAP stop and start commands, it polls all databases that are configured for monitoring and begins monitoring every valid configuration. A configuration anomaly (on the database side or the S-TAP side) that prevents S-TAP from monitoring one database does not prevent it from monitoring the other databases with valid configurations. This parameter determines the S-TAP response, and its status in the S-TAP Control page, when a DB instance is unavailable (db_install_dir or db_exec_file is not accessible) during inspection engine validation after an S-TAP or DB restart.
  • 0 or less: S-TAP logs an event message with event type CONF_ERROR when a DB instance is detected as unavailable for a given DB (protocol) at S-TAP start. S-TAP also logs a CONF_ERROR if a DB changes from available to unavailable during the periodic check (every 15 minutes). These event messages turn the S-TAP status in the GUI yellow, with an instruction to correct the parameter or set WAIT_FOR_DB_EXEC > 0. When a DB instance changes from unavailable to available, a WARNING message is sent to the sniffer, but the GUI status does not change automatically: click the info icon to open the S-TAP event log and click Accept.
  • greater than 0: A WARNING is logged for any database that is unavailable at S-TAP start or during a periodic check; the periodic check runs every wait_for_db_exec minutes. A WARNING is also sent when an unavailable DB instance becomes available. Because each periodic check reads the status of the database file configured for every inspection engine and consumes CPU, the value should not be less than the number of inspection engines.
Kerberos plugin directory   Directory containing the Kerberos plugin file.
Force server IP   Forces the reported server IP of database to be the S-TAP Host value. Valid values:
  • X mark: Disabled.
  • check mark: Enabled.
Private tap IP   If this parameter is defined, the database uses it for the S-TAP communication. (Relevant when the S-TAP is deployed in a private network; the external, public IP address of the S-TAP is defined by tap_ip.) See Linux-UNIX: Configure a public and private address for an S-TAP.
Dynamic ring buffers X mark Dynamically adds and removes S-TAP buffers for each main connection during peak traffic, to prevent an overflow in the S-TAP buffer. If S-TAP failover happens, data in all buffers is moved to the new buffers.
Valid values:
  • X mark: Disabled.
  • check mark: Enabled.
KTAP fast TCP verdict 1 For TCP connections. Valid values:
  • 0: Slow verdict. K-TAP sends information about the session to the S-TAP and asks whether the traffic should be intercepted.
  • 1: Fast verdict. K-TAP decides on its own.
In both cases, the network and exclude network parameters are checked against the incoming IP. From 10.1.4, the value is 1 after an upgrade.
KTAP fast file verdict 1 Push file information to K-TAP so that it can decide on its own whether pipe traffic should be intercepted. For TLI connections, K-TAP normally sends an ioctl to the S-TAP to confirm that the session is a database connection configured in an inspection engine, by checking ports and IPs. When this parameter is 1, K-TAP does not send that request as long as the session's ports are within the configured range. Valid values:
  • 0: No
  • 1: Yes
KTAP fast shmem check mark Push shmem information to K-TAP to determine if shmem traffic should be intercepted. Valid values:
  • X mark: Disabled.
  • check mark: Enabled.
KTAP local TCP X mark This parameter is used for TCP connections.
  • X mark: Intercept all connections.
  • check mark: Only intercept local connections (although previously intercepted connections are still captured)
QRW installed 0 Enable or disable the query rewrite feature. When set to 0, all other parameters in this group are ignored. Valid values:
  • 0: Disabled
  • 1: Enabled
QRW default state 0 Sets the query rewrite activation trigger. Must be 0 if firewall_default_state=1. Valid values:
  • 0: QRW activated per session when triggered by a rule in the installed policy
  • 1: QRW activated for every session regardless of the installed policy.
  • 2: All traffic is watched by default for QRW policy violations, but if no event triggers the watch in the first PRIORITY_COUNT packets, query rewrite is turned off for the session.

    When set to 2, the QRW operation can be modified by the following commands: Watch, Drop, Watch & Drop and Unwatch. When a Watch command is received while state 2 is in effect, it changes the state from 2 to 1 so that the connection is permanently subject to firewall or query rewrite operations. When a Drop or Watch & Drop is received, the connection is immediately terminated. When an Unwatch command is received while state 2 is in effect, it changes the state from 2 to 0 so the connection is no longer subject to firewall or query rewrite operations.

QRW force watch NULL Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to watch automatically. Valid when qrw_installed is 1, and qrw_default_state is 0. Cannot be configured to the same IP range as firewall_force_unwatch.
QRW force unwatch NULL Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to exclude from watching. Valid when qrw_installed is 1, and qrw_default_state is 1. Cannot be configured to the same IP range as firewall_force_unwatch.
Hunter trace X mark Turns on the collection of UID chains. When enabled, captures the UID but without IP in the string. Use this setting for local TCP/IP connections including Solaris zones and AIX WPARs, and remote TCP/IP connections when appserver_installed = 1.
  • X mark: Disabled.
  • check mark: Enabled.
See more information in Linux-UNIX: UID chains.
Load balancer node affinity X mark Whether the S-TAP connects to more than one managed unit, for enterprise load balancing. Some scenarios need all traffic to go to the same collector. With Oracle ATAP, for example, the analyzed client IP only shows if both the encrypted and unencrypted sessions go to the same managed unit.
  • X mark: Disabled. The S-TAP traffic goes to, at a maximum, the number of managed units specified by Managed Units.
  • check mark: Enabled. The S-TAP traffic goes to one managed unit, and has, at a maximum, the number of connections (to that managed unit) specified by Managed Units.
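The following Python script is an added example, not IBM code, that audits a guardium_tap.ini against the TLS, All can control, Load balancing, Restricted logging, QRW and Wait for DB exec rules described in the table above. The ini keys it reads (tls, all_can_control, participate_in_load_balancing, restricted_logging, firewall_default_state, qrw_installed, qrw_default_state, qrw_force_watch, qrw_force_unwatch, firewall_force_unwatch, wait_for_db_exec) are assumed to be the file equivalents of the UI labels, and the [SQLGuard_N] and [DB_N] section names are likewise assumed; check them against your installed file before relying on the output. The overlap test between qrw_force_watch and qrw_force_unwatch is a generalization of the page's rule that a range cannot be both force-watched and force-unwatched. The sample ini is constructed and deliberately weak.

```python
"""Audit security-relevant S-TAP settings in a guardium_tap.ini file.

Added example, not IBM code.  The ini keys and the [SQLGuard_N] / [DB_N]
section names are assumed to correspond to the UI labels on the S-TAP
Control: Details page.
"""
import configparser
import ipaddress

# Constructed sample ini with deliberately weak settings (not a real file).
SAMPLE_INI = """
[TAP]
tap_ip=10.10.1.5
tls=0
all_can_control=1
participate_in_load_balancing=1
restricted_logging=0
firewall_default_state=1
qrw_installed=1
qrw_default_state=1
qrw_force_watch=10.20.0.0/255.255.0.0
qrw_force_unwatch=10.20.5.0/255.255.255.0
firewall_force_unwatch=
wait_for_db_exec=1

[SQLGuard_0]
sqlguard_ip=10.10.9.1
primary=1

[DB_0]
db_type=ORACLE

[DB_1]
db_type=DB2

[DB_2]
db_type=MYSQL
"""


def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def ip_mask_ranges(value):
    """Parse 'IP/MASK,IP/MASK' (dotted-quad masks, as on this page) into networks.

    A bare IP gets a /32 mask; a non-contiguous mask raises ValueError."""
    nets = []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        ip, _, mask = item.partition("/")
        nets.append(ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False))
    return nets


def overlaps(label_a, nets_a, label_b, nets_b):
    return [f"{label_a} {a} overlaps {label_b} {b}"
            for a in nets_a for b in nets_b if a.overlaps(b)]


def audit(cp):
    """Return a list of findings; an empty list means no rule on this page is violated."""
    tap = cp["TAP"] if cp.has_section("TAP") else {}

    def get(key, default="0"):
        return tap.get(key, default).strip()

    findings = []
    if get("tls") != "1":
        findings.append("tls=0: S-TAP to collector traffic, including captured SQL, is sent in clear text")
    if get("all_can_control") == "1":
        findings.append("all_can_control=1: any Guardium system this S-TAP reports to can change its configuration")
    if get("restricted_logging") == "1" and get("tls") != "1":
        findings.append("restricted_logging=1 forces TLS on; tls=0 is overridden")
    lb = get("participate_in_load_balancing")
    sqlguards = [s for s in cp.sections() if s.lower().startswith("sqlguard")]
    if lb in ("1", "2") and len(sqlguards) < 2:
        findings.append(f"participate_in_load_balancing={lb} needs primary and secondary "
                        f"SQLGuard sections, found {len(sqlguards)}")
    if get("qrw_installed") == "1":
        state = get("qrw_default_state")
        if get("firewall_default_state") == "1" and state != "0":
            findings.append("qrw_default_state must be 0 when firewall_default_state=1")
        watch = ip_mask_ranges(get("qrw_force_watch", ""))
        unwatch = ip_mask_ranges(get("qrw_force_unwatch", ""))
        if watch and state != "0":
            findings.append("qrw_force_watch is only applied when qrw_default_state=0")
        if unwatch and state != "1":
            findings.append("qrw_force_unwatch is only applied when qrw_default_state=1")
        findings += overlaps("qrw_force_watch", watch, "firewall_force_unwatch",
                             ip_mask_ranges(get("firewall_force_unwatch", "")))
        # Assumed generalization: a range cannot be both force-watched and force-unwatched.
        findings += overlaps("qrw_force_watch", watch, "qrw_force_unwatch", unwatch)
    engines = [s for s in cp.sections() if s.lower().startswith("db_")]
    wfd = int(get("wait_for_db_exec") or 0)
    if 0 < wfd < len(engines):
        findings.append(f"wait_for_db_exec={wfd} is below the inspection engine count ({len(engines)})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ini(SAMPLE_INI)):
        print("WARN", finding)
```

Run it against a copy of the real file (for example, `audit(parse_ini(open("/usr/local/guardium/guard_stap/guard_tap.ini").read()))` if that is where your installation keeps it; the path is an assumption) after every configuration push, since the All can control setting determines how many systems can change these values without you noticing.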