Linux and UNIX systems: Installing and updating S-TAP using RPM

You can install, uninstall, and update S-TAP on a Linux server using the RPM. The advantage of installing by RPM is that you install and maintain STAP using the same method that you manage all other software on the database server.

Before you begin

About this task

RPM names have the format: guard-stap-10.1.0.89165-1-rhel-6-linux-x86_64.x86_64.rpm, where the first three numbers are the release number of STAP (10.0.0, 10.1.2, etc) and the fourth number is the code revision (89165). The number immediately following is the package iteration which would increment in the case of adding KTAP modules to the RPM.

There is a single RPM for the 32-bit S-TAPs and two RPMs for the 64-bit S-TAPs so that the 64-bit S-TAP does not have a dependency on 32-bit libraries if 32-bit exit libraries are not required. The extra RPM looks like guard-stap-32bit-exit-libs-10.1.0.89165-1-rhel-6-linux-x86_64.x86_64.rpm and has a dependency on the main RPM.

By default, the installation process checks the Linux kernel to determine whether a K-TAP module has been created to work with that kernel. If it exists, it installs (sets ktap_installed = 1). If there is none, K-TAP does not install unless you have enabled Loader Flexibility, which aids in the installation of currently built modules when an exact match does not exist. When Loader Flexibility is enabled, it attempts to build a K-TAP to match your Linux kernel.

v10.12 and higher: RPM installs S-TAP to /opt/guardium; this location cannot be changed. tap_ip is set automatically to the hostname of the system. sqlguard_ip is set to 127.0.0.1 as a placeholder for proper configuration. Complete the configuration after the installation, as described in this procedure.

v10.12 and higher: RPM logs are saved to /opt/guardium/rpm_logs

v10.12 and higher: You can run the guard-config-update script as root user or a non-root user. Use the help command to see your permitted functions.

Procedure

  1. Unzip the S-TAP package and copy the RPM to /tmp of the database server.
  2. v10.12 and higher: To enable Loader Flexibility, set the Linux environment variable NI_ALLOW_MODULE_COMBOS="Y"
  3. Install the RPM.
    1. To get the RPM name, run: rpm -qa | grep guard_stap
    2. Run the command: rpm -i <RPM_NAME>.
      The S-TAP installs.
    3. v10.1.2 and higher: Complete the configuration by running the script guard-config-update using the parameters described in 4.
    4. v10.1: Complete the configuration by updating S-TAP parameters in the UI. See Linux and UNIX systems: Configure S-TAP from the GUI.
    The S-TAP shell installer does not install if there is already an RPM installed (preventing double installation).
  4. v10.1.2 and higher: To configure or update: log in to the system as root, change directory to /opt/guardium and run the script guard-config-update using the relevant options and actions from the following list:
    [--stap-dir] S-TAP install directory if not default (default:/usr/local/guardium)
    [--set-tap-ip [IP or hostname]] Set tap_ip in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini (default: rh5u9x64t.guard.swg.usma.ibm.com)
    [--set-sqlguard-ip [IP or hostname]] Set sqlguard_ip in SQLGuard_0 section in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini (default: 127.0.0.1)
    [--add-sqlguard [ID] [IP or hostname]]
    (V10.1.4 and higher)    		 Add SQLGuard_ID section to S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini
    [--remove-sqlguard [ID]]
    (V10.1.4 and higher)    		 Remove SQLGuard_ID section from S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini
    [--modify-sqlguard [ID] [parameter] [value]]
    (V10.1.4 and higher)    		 Set SQLGuard_ID section parameter to value in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. Parameters:
    sqlguard_ip
    IP address or hostname of SQLGuard unit
    sqlguard_port
    Port used to connect to SQLGuard unit (default: 16016)
    primary
    Order of preference (1=primary, 2=secondary, 3=tertiary and so on)
    num_main_thread
    Number of main connections to use for this SQLGuard, used with participate_in_load_balancing = { 1, 4 } (default: 1)
    connection_pool_size
    Number of data connections per main connection to SQLGuard unit (default: 0)
    [--modify-tap [parameter] [value]]
    (V10.1.4 and higher)    		 Set TAP section parameter to value in S-TAP config file /usr/local/guardium/guard_stap/guard_tap.ini. Parameters:
    tap_debug_output_level
    Set debugging level (must be an integer >= 0, but not 2 or 3)
    participate_in_load_balancing
    Set participate in load balancing (values: 1, 2, 3, 4). (See Linux and UNIX systems: S-TAP Load Balancing models and configuration guidelines)
    use_tls
    Enable TLS [ 0, 1 ]
    failover_tls
    TLS connections failover to non-TLS [ 0, 1 ]
    hunter_trace
    Enable UID chain reporting [ 0, 1 ]
    buffer_file_size
    Buffer file size in MB
    alternate_ips
    Comma-separated list of alternate IPs/hostnames for STAP
    firewall_installed
    Enable firewall [ 0, 1 ]
    firewall_fail_close
    Action to take when there is no verdict (e.g. SQLGuard unreachable or timeout reached) [ 0 : do nothing, 1 : block connection ]
    firewall_default_state
    Set default state [ 0 : not watched, 1 : watched ]
    firewall_timeout
    Set firewall timeout in seconds
    firewall_force_watch
    Comma-separated list of IP/masks to watch even with firewall_default_state=0
    firewall_force_unwatch
    Comma-separated list of IP/masks to unwatch even with firewall_default_state=1
    [--help-config [option]] Show information about an option in the ini, if available (show all available if none specified)
    [--set-flexload [0 or 1]] Enable or disable K-TAP flex loading
    [--retry-ktap-load] Retry KTAP loading (useful after installing dev packages, updating after KTAP request, or changing flexload; automatically restarts S-TAP)
    [--discover-ies] Run discovery and replace all Inspection Engines with those discovered
    [--stop [service]] Stop service ( S-TAP, tee, or monitor) temporarily (Solaris services and inittab treat this as permanent disable, does not auto-start on boot until re-enabled)
    [--start [service]] Start service ( S-TAP, tee, or monitor) if not already running (implies enable)
    [--restart [service]] Restart service (stap, tee, or monitor) if already running
    [--disable [service]] Prevent service (stap, tee, or monitor) from running again
    [--enable [service]] Configure service (stap, tee, or monitor) for automatic start
    [--status] Show which services are started and if they are configured to start automatically
  5. To upgrade, copy the RPM package to /opt/guardium and run the command: rpm -U <RPM_NAME>
  6. To uninstall:
    1. To get the RPM name, run: rpm -qa | grep guard_stap
    2. Run rpm -e <RPM_NAME>

    After un-install, the directory /opt/guardium still exists, but should only contain /opt/guardium/guard_stap/guard_tap.ini.rpmsave and /opt/guardium/rpm_logs

What to do next

After installation completes, verify S-TAP status:
  • Verify that the row of the S-TAP has a green status (first column) in Monitor > Maintenance > S-TAP Logs > S-TAP Staus
Parent topic: Linux and UNIX systems: Install the S-TAP agent