Linux and UNIX systems: Informix Exit integration with UNIX S-TAP

The Informix Exit ifxguard utility (Informix 12.10 and higher) monitors connections to your Informix databases.

About this task

With Informix Exit, Guardium v.10 and higher can audit all protocols of Informix SQL activities. This includes the TCP, Shared Memory and Named Pipe protocols. It supports all Guardium features (S-gate, UID chain, Redaction, query-rewrite, etc.). On Linux platforms, you can use Informix Exit instead of ATAP to capture shared memory traffic. Informix Exit captures encrypted traffic.

A shared library, Informix Exit, is part of the Guardium Unix S-TAP installation. S-TAP includes 32-bit and 64-bit .so libraries. They are located under <guardium_installation_directory>/guard_stap, for example:
/usr/local/guardium/guard_stap
/usr/local/guardium/guard_stap/libguard_informix_exit_32.so
/usr/local/guardium/guard_stap/libguard_informix_exit_64.so

Note: When you change tap_identifier in the inspection engine, the database must be restarted for the change to take effect with Informix Exit or DB2 Exit. With ATAP enabled, the database has to be stopped, ATAP deactivated and reactivated, and finally the database started again. To make tap_identifier work for DB2 Exit and Informix Exit, make sure db_install_dir is exactly the same as the $HOME value in the database. Also, the database needs to restart to pick up the tap_identifier value. For Informix Exit, stop ifxguard, then restart the database, then start ifxguard.

Procedure

  1. Log in as user informix to the database and locate its instance name (INFORMIXSERVER) and its installation directory (INFORMIXDIR) by running these Unix commands:
    $ echo $INFORMIXSERVER
    INFORMIXSERVER=test117
    $ echo $INFORMIXDIR
    INFORMIXDIR=/home/informix
  2. Install and start up the S-TAP on the database host. See Linux and UNIX systems: Install the S-TAP agent.
  3. As user root, make sure the user informix is in the guardium group, for example,
    /usr/local/guardium/bin/guardctl authorize-user informix
    or with unix
    # chgroup users=informix guardium (AIX only).
  4. Log in as user informix and enter:
    $ id
    uid=501(informix) gid=205(informix) groups=215(guardium)
  5. As user informix, copy the correct informix exit library from the guard_stap directory to the informix user's lib directory, for example,
    cp /usr/local/guardium/guard_stap/libguard_informix_exit_64.so $INFORMIXDIR/lib/libguard_informix.so
  6. Set up ifxguard. Create a config file under $INFORMIXDIR/etc/ifxguard.$INFORMIXSERVER with these lines:
    NAME ol_informix1210
    WORKERS 2
    LIBPATH /home/informix/12.10.FC6/lib/libguard_informix.so
    DEBUG 1
    LOGFILE /home/informix/12.10.FC6/etc/ifxguard.msg.txt
    Note: INFORMIXDIR=/home/informix/12.10.FC6
  7. Bring up ifxguard as user informix
    1. Make sure Informix database server is online (onstat -).
      $ id
      uid=501(informix) gid=205(informix) groups=215(guardium)
      $ onstat -
      IBM Informix Dynamic Server Version 12.10.FC6 -- On-Line -- Up 6 days 00:22:25 -- 253104 Kbytes 
    2. If the ifxguard config file is set up as described above, bring up ifxguard with:
      $ ifxguard 
      15:20:17 ifxguard set instance name ol_informix1210 
      Starting ifxguard ol_informix1210 ... 
      check log file: /home/informix/12.10.FC6/etc/ifxguard.msg.txt

      You should not see any errors. In case of error, check the file indicated in LOGFILE.

    3. If the ifxguard config file is not under $INFORMIXDIR/etc, specify the file's full path with the -c option, for example
      $ ifxguard -c /mnt/conf/ifxguard.ol_informix1210
    4. If the ifxguard config file is not set up at all, you can still bring up the agent, but you must specify the .so library by full path with the -p option and the message log file with the -l option, for example
      $ ifxguard -p /home/informix/12.10.FC6/lib/libguard_informix.so -l /home/informix/12.10.FC6/etc/ifxguard.msg.txt
    5. If there are errors, check the log file indicated in LOGFILE.
  8. Make sure ifxguard and S-TAP are up and running by using ps -ef:
    $ ps -ef|grep guard
    root 15401210 1 1 15:14:11 - 0:00 /usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
    informix 22609968 1 0 15:20:17 - 0:00 ifxguard

    You should see the following messages in /home/informix/12.10.FC6/etc/ifxguard.msg.txt.

    Wed Feb  3 15:20:17 2016 
    15:20:17 INFORMIX-ESQL Version 12.10.FC6 
    15:20:17 Build Number:  N253 
    15:20:17 Build Host:    cxp01007 
    15:20:17 Build OS:      AIX 6.1 
    15:20:17 Build Date:    Wed Nov 4 21:55:13 CST 2015 
    15:20:17 GLS Version:   glslib-6.00.FC7 
    15:20:17 
    15:20:17 Starting ifxguard ol_informix1210 ... 
    15:20:17 DEBUG[TID1]:Password File /home/informix/12.10.FC6/etc/ passwd_file failed error:No such file or directory [2] [onguard_main.c:onguard_pw_init:518]
    15:20:17 DEBUG[TID1]:ifxguard ol_informix1210 connect to trusted host, Password Manager is ignored. [onguard_main.c:onguard_run:2391]
    15:20:17 pcbms = 110023688, spt_fn=ffffffffffff300 
    
    15:20:17 CBMS: cbms_initialize() 
    15:20:17 Attached /.guard_writer0 shmem[0] 8001000a0000de8 
    15:20:17 Attached /.guard_writer1 shmem[1] 8001000a0000eb8 
    15:20:17 Attached /.guard_writer2 shmem[2] 8001000a0000f88 
    15:20:17 Attached /.guard_writer3 shmem[3] 8001000a0001058 
    15:20:17 Attached /.guard_writer4 shmem[4] 8001000a0001128 
    15:20:17 Attached /.guard_writer5 shmem[5] 8001000a00011f8 
    15:20:17 Attached /.guard_writer6 shmem[6] 8001000a00012c8 
    15:20:17 Attached /.guard_writer7 shmem[7] 8001000a0001398 
    15:20:17 Attached /.guard_writer8 shmem[8] 8001000a0001468 
    15:20:17 Attached /.guard_writer9 shmem[9] 8001000a0001538 
    15:20:17 Attached to /.guard_reader 
    15:20:17 guard_conf_message=70000000149b000: my_ip=96eb8b7, intercept_type=1c, debug_level=0, ignore_response_db_list=NONE
    15:20:17 comm exit shm initialization successful 
    15:20:17 DEBUG[TID1]:new daemon pid is 22609968 [onguard_main.c:onguard_daemonize:2350] 
    15:20:17 ifxguard ol_informix1210 started 
    15:20:17 The connection attempt from  ifxguard ol_informix1210 to server ol_informix1210 succeeded. Process id: 22609968:258
    15:20:17 Attached to /.guard_reader 
    15:20:17 The connection attempt from  ifxguard ol_informix1210 to server ol_informix1210 succeeded. Process id: 22609968:515

    You can ignore the password file error. It's a debug message. You can define one password file and run 'onpassword' to encrypt it. Ifxguard reads user informix's password from the encrypted file and connects to Informix Dynamic Server (IDS). If the password file is not defined, then ifxguard connects to IDS as trusted host connection (no password).

  9. Add the INFX_EXIT inspection engine either via GRDAPI (create_stap_inspection_engine) or the GUI (Manage > Activity Monitoring > S-TAP Control) with these specific Informix values:
    Parameter in GUI    Parameter in GRDAPI    Value
    Protocol            protocol               Informix Exit
    DB Install Dir      dbInstallDir           /home/informix
    Process Name        procName               /INFORMIXTMP/.inf.sqlexec
    Intercept Types     interceptTypes         <blank or null>
    Identifier          ieIdentifier           <blank or null>
                        informixVersion        Informix version
  10. Restart the S-TAP.
  11. To disable libguard, run: ifxguard -kill $INFORMIXSERVER
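
The checks implied by steps 5 to 8, as an added shell example (not part of the Guardium or Informix tooling): it reads the ifxguard config, confirms that the library loaded into the database server is a byte-identical, non-world-writable copy of the one S-TAP ships, and looks for the startup and connection lines in the message log. The function names and the scratch files are constructed for illustration; the config format and log wording are assumed to be as shown on this page.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight checks for the ifxguard setup above.
# Assumes the one "KEY value" pair per line config format shown in step 6.

conf_get() {   # conf_get FILE KEY -> value of the first line whose key is KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

check_conf() { # NAME must be set; LIBPATH and LOGFILE must be full paths
    rc=0
    [ -n "$(conf_get "$1" NAME)" ] || { echo "NAME not set"; rc=1; }
    for key in LIBPATH LOGFILE; do
        case "$(conf_get "$1" "$key")" in
            /*) ;;
            *)  echo "$key missing or not a full path"; rc=1 ;;
        esac
    done
    return "$rc"
}

lib_ok() {     # lib_ok SHIPPED COPY -> copy is byte-identical and not world-writable
    cmp -s "$1" "$2" && [ -z "$(find "$2" -perm -002)" ]
}

log_ok() {     # log_ok LOGFILE NAME -> agent started and connected to the server
    grep -q "ifxguard $2 started" "$1" && grep -q "to server $2 succeeded" "$1"
}

# Constructed sample files in a scratch directory (stand-ins, not real binaries).
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
printf 'stub library bytes\n' > "$d/libguard_informix_exit_64.so"
cp "$d/libguard_informix_exit_64.so" "$d/libguard_informix.so"
chmod 644 "$d/libguard_informix.so"
printf 'NAME ol_informix1210\nWORKERS 2\nLIBPATH %s\nDEBUG 1\nLOGFILE %s\n' \
    "$d/libguard_informix.so" "$d/ifxguard.msg.txt" > "$d/ifxguard.conf"
printf '%s\n' '15:20:17 ifxguard ol_informix1210 started' \
    '15:20:17 The connection attempt from  ifxguard ol_informix1210 to server ol_informix1210 succeeded. Process id: 22609968:258' \
    > "$d/ifxguard.msg.txt"

name=$(conf_get "$d/ifxguard.conf" NAME)
if check_conf "$d/ifxguard.conf" \
   && lib_ok "$d/libguard_informix_exit_64.so" "$(conf_get "$d/ifxguard.conf" LIBPATH)" \
   && log_ok "$(conf_get "$d/ifxguard.conf" LOGFILE)" "$name"; then
    echo "ifxguard $name: config, library and log checks passed"
else
    echo "ifxguard $name: check failed"
fi
```

On a real host, point the functions at $INFORMIXDIR/etc/ifxguard.$INFORMIXSERVER and at the library under the guard_stap directory instead of the scratch files.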