Linux and UNIX systems: General parameters

These parameters define basic properties of the S-TAP running on a DB server and the server on which it is installed, and do not fall into any of the other categories.

These parameters are stored in the [TAP] section of the S-TAP properties file.
Table 1. S-TAP configuration parameters in the [TAP] section

The table columns are: GUI label, GIM parameter, guard_tap.ini parameter, default value, and description. Each entry below is headed by the guard_tap.ini parameter name, followed by the GUI label, the GIM parameter name and the default value (shown as "-" where the table gives none), then the description.

tap_type
  GUI: - | GIM: - | Default: -
  The type of installed S-TAP agent: stap=UNIX, ztap=Z/OS.

tap_version
  GUI: Version | GIM: - | Default: -
  Read only. The S-TAP version that is installed on the DB server, added to the file during installation or upgrade only.

tap_ip
  GUI: S-TAP Host | GIM: STAP_TAP_IP | Default: -
  Read only. IP address or hostname of the database server system on which S-TAP is installed.

devices
  GUI: Devices | GIM: STAP_DEVICES | Default: none
  Which interfaces to listen on. Use ifconfig to find the correct interface.

all_can_control
  GUI: All can control | GIM: STAP_ALL_CAN_CONTROL | Default: 0
  0=S-TAP can be controlled only from the primary Guardium system. 1=S-TAP can be controlled from any Guardium system.

participate_in_load_balancing
  GUI: Load balancing | GIM: STAP_PARTICIPATE_IN_LOAD_BALANCING | Default: 0
  Controls load balancing to Guardium systems:
  • 0: No load balancing.
  • 1: Load balancing. Traffic is balanced between the primary and secondary servers defined in the SQLGuard section.
  • 2: Redundancy. Fully mirrored: S-TAP sends all traffic to all primary and secondary servers defined in the SQLGuard section.
  • 3: Hardware load balancing. Guardium uses a load balancer such as F5 or Cisco. S-TAP sends the traffic to the load balancer, which forwards it to one of the collectors in the pool.
  • 4: Multiple K-TAP buffers and S-TAP threads are used to split the traffic.
  Use the primary parameter in the SQLGUARD section to specify the primary, secondary, etc. servers. If this parameter is set to 0 and more than one Guardium system monitors the traffic, the non-primary Guardium systems are available for failover.
  Note: Guardium does not support failover with a v10.x S-TAP and a v9.x collector.

connection_timeout_sec
  GUI: - | GIM: - | Default: 10
  Number of seconds after which the S-TAP considers a Guardium server to be unavailable. It can have any integer value.

use_tls
  GUI: TLS Use | GIM: STAP_USE_TLS | Default: 0
  1=use SSL to encrypt traffic between the agent and the Guardium system.
  0=do not encrypt.
  Warning: when set to 0, the traffic between the agent and the Guardium system is in clear text.
  Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible; disable it only where performance is a higher priority than security.
  Decrypting login packets is not supported when TLS is enabled. This means that DB_USER is not populated and failed logins are not associated with an access.

failover_tls
  GUI: TLS Failover | GIM: STAP_FAILOVER_TLS | Default: 0
  1=If an SSL connection is not possible for any reason, fail over to a non-secure connection.
  0=use only secure connections.

wait_for_db_exec
  GUI: - | GIM: STAP_WAIT_FOR_DB_EXEC | Default: -1
  Specifies how the S-TAP starts monitoring its databases after a restart.
  1 and greater: When S-TAP restarts, either from a system reboot or from user-initiated S-TAP stop/start commands, S-TAP polls all databases that are configured to be monitored and begins monitoring each one when it becomes available. A configuration anomaly (on the database side or the S-TAP side) that prevents S-TAP from monitoring one database does not prevent it from monitoring other databases with valid configurations. Instead, S-TAP starts successfully, monitors all valid configurations, and continues to poll the other databases until they become available, then starts monitoring them as well. It is recommended to use the existing alerts and reports to monitor and report on any failed S-TAP status.
  For example, after relinking Oracle, Oracle BEQ traffic is not logged for 15 minutes; this is the interval at which S-TAP periodically checks whether an Oracle device node has changed.
  0 and less: S-TAP exits with an error message if it cannot access the db_install_dir. If the S-TAP has multiple inspection engines (IEs), it exits at the first database it cannot reach.

tap_run_as_root
  GUI: - | GIM: STAP_RUN_AS_ROOT | Default: TAPUSER
  Allows S-TAP to run as a regular user. 0=runs as the guardium user, 1=runs as root.
  In some cases you need to run the S-TAP as guardium (and not root). This can cause other issues and should be used only when necessary. Running S-TAP as the guardium user can cause a database or protocol to stop working because of permission levels. Verify that the database path or exec file gives the guardium user read permission. Depending on your environment, typical limitations are:
  • wait_for_db_exec might not work. For a cluster, check the database path or exec file for guardium user read permission.
  • Databases on AIX® WPARs and Solaris Zones may not work; check the permission to access the install path or exec file.
  • For Oracle BEQ, restart S-TAP after starting or restarting the database.
  • For Informix® shared memory, restart S-TAP after starting or restarting the database.
  • For DB2 shared memory, if shmctl fails because of a permission issue, then in most cases S-TAP® should be changed to run as root.
    • If the shared memory segment has read permission for its group, make sure the DB2 instance has been added to the (guardium) user group. Even so, only one DB2® configuration per server can be supported.
    • If the shared memory segment has read permission for the db2 user only, then S-TAP has to run as root. (Open a DB2 shared memory session, run the command ipcs -ma, and check MODE in the output.)
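The DB2 shared-memory check described above (run ipcs -ma and inspect MODE) can be scripted so that the decision between "add the guardium user to the segment's group" and "S-TAP has to run as root" is made consistently across servers. The following Python is an added example, not part of the IBM documentation or of the S-TAP product: it parses constructed ipcs -ma output in the AIX/Solaris column layout (the Linux ipcs -m layout, which prints octal perms and no group, is not handled) and reports, per segment, whether an S-TAP running as the guardium user can read it. The user name, group names and segment IDs in the sample are assumptions.

```python
import re

# Constructed sample in the column layout of AIX/Solaris `ipcs -ma`
# (not captured from a real system). The MODE column is two flag
# characters followed by the rwx bits for owner, group and others.
SAMPLE_IPCS_OUTPUT = """\
IPC status from /dev/mem (constructed sample)
T        ID     KEY        MODE       OWNER    GROUP
Shared Memory:
m    262144 0x0e000001 --rw-rw----  db2inst1 db2iadm1
m    262145 0x0e000002 --rw-------  db2inst1 db2iadm1
m         5 0x00000000 --rw-rw-rw-      root   system
"""

# Only shared memory lines (type "m") are of interest; queues and
# semaphores start with "q" and "s" and are skipped.
SEGMENT_RE = re.compile(
    r"^m\s+(?P<id>\d+)\s+(?P<key>0x[0-9a-fA-F]+)\s+(?P<mode>[-A-Za-z]{11})\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)"
)


def classify_segment(mode, owner, group, stap_user, stap_groups):
    """Decide whether an S-TAP running as `stap_user` (member of
    `stap_groups`) can read a segment, following the rule on the page:
    group-readable -> a shared group is enough, owner-only -> run as root."""
    owner_read, group_read, other_read = mode[2] == "r", mode[5] == "r", mode[8] == "r"
    if other_read or (owner == stap_user and owner_read):
        return "ok"
    if group_read:
        return "ok" if group in stap_groups else "add_to_group"
    return "run_as_root"


def assess_shmem_access(ipcs_output, stap_user="guardium", stap_groups=("guardium",)):
    """Parse ipcs output and return [(shm_id, owner, group, decision), ...]."""
    findings = []
    for line in ipcs_output.splitlines():
        match = SEGMENT_RE.match(line)
        if not match:
            continue  # header lines, message queues, semaphores
        decision = classify_segment(match["mode"], match["owner"], match["group"],
                                    stap_user, stap_groups)
        findings.append((int(match["id"]), match["owner"], match["group"], decision))
    return findings


if __name__ == "__main__":
    for shm_id, owner, group, decision in assess_shmem_access(SAMPLE_IPCS_OUTPUT):
        print(f"shmid {shm_id} ({owner}:{group}): {decision}")
```

Feed it the real output of ipcs -ma taken while a DB2 shared-memory session is open, and pass the groups the guardium user actually belongs to (id -Gn guardium) as stap_groups; any segment reported as run_as_root is one that will make shmctl fail for a non-root S-TAP.
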
tap_buf_dir
  GUI: - | GIM: - | Default: NULL
  Location of the S-TAP buffer file. The default location is $inidir/buffers.

tap_log_dir
  GUI: - | GIM: - | Default: NULL
  Location of the S-TAP log files: guard_stap.stdout.txt, guard_stap.stderr.txt, guard_stap.fam.txt. By default, log files are written to /tmp.

alternate_ips
  GUI: Alternate ips | GIM: STAP_ALTERNATE_IPS | Default: NULL
  Comma-separated list of alternate or virtual IP addresses used to connect to this database server. This is used only when your server has multiple network cards with multiple IPs, or virtual IPs. S-TAP monitors traffic only when the destination IP matches either the S-TAP Host IP defined for this S-TAP or one of the alternate IPs listed here, so it is recommended that you list all virtual IPs here.

tee_installed
  GUI: - | GIM: TEE_ENABLED | Default: 0
  1=Tee is in use. 0=Tee is not used.

tee_msg_buf_len
  GUI: - | GIM: - | Default: 128
  Size of the buffer for Tee, in MB. It can take any integer value.

buffer_file_size
  GUI: - | GIM: STAP_BUFFER_FILE_SIZE | Default: 50
  Advanced. Size in MB of the buffer allocated for the packet queue. If the buffer size is set too large, the S-TAP might not be able to start. Files larger than 2560 MB are known to cause this problem.

buffer_mmap_file
  GUI: - | GIM: - | Default: 0
  1=memory-mapped file. 0=virtual memory allocation.

tracefiles_dir
  GUI: Trace files dir | GIM: - | Default: -
  The directory in which access tracer files are stored. The default is INSTALLDIR.

compression_level
  GUI: Compres. Level | GIM: STAP_COMPRESSION_LEVEL | Default: 0
  Advanced. Compression level, 1-9:
  0: no compression
  1: best speed
  9: best compression
  -1: default compression

min_bytes_to_compress
  GUI: - | GIM: - | Default: 500
  Advanced. Minimum size of a message to compress.

tap_min_heartbeat_interval
  GUI: - | GIM: - | Default: 180
  Number of seconds after which the S-TAP should fail over.

msg_aggregate_timeout
  GUI: - | GIM: - | Default: 100
  Time in milliseconds after which K-TAP sends the packets accumulated in its buffer to the S-TAP. Can be any integer value.

msg_count_watermark
  GUI: - | GIM: - | Default: 64
  Number of packets at which K-TAP sends the packets accumulated in its buffer to the S-TAP. Can be any integer value.

log_program_name
  GUI: - | GIM: - | Default: 0
  To boost performance, you may consider disabling collection of the source program name; if you do, you cannot tell which program was using the connection (all other connection information, such as user and client address, is still available). 0=do not send the source_program name to the Guardium system, 1=send the source_program name to the Guardium system.

max_server_write_size
  GUI: - | GIM: - | Default: 16384
  The maximum number of bytes that the S-TAP sends to the Guardium system at once. Can be any integer value.

guardium_ca_path
  GUI: - | GIM: - | Default: NULL
  Location of the Certificate Authority certificate.

sqlguard_cert_cn
  GUI: - | GIM: - | Default: NULL
  The common name to expect from the Sqlguard certificate.

guardium_crl_path
  GUI: - | GIM: - | Default: NULL
  The path to the Certificate Revocation List file or directory.

tap_failover_session_size
  GUI: - | GIM: - | Default: 1024
  The maximum number of failover sessions in the list per Guardium system. 0=failover feature is disabled. Can be any integer value.

tap_failover_session_quiesce
  GUI: - | GIM: - | Default: 60
  The number of minutes after S-TAP failover at which unused sessions in the failover list from the previously active servers are removed from the currently active server. This includes cleaning the session's policy and removing the session from the firewalled and scrubbed lists.

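Because use_tls, failover_tls, all_can_control and the certificate parameters above decide whether agent-to-collector traffic is encrypted and which Guardium systems may control the agent, a defender usually wants a repeatable check of these values across a fleet of guard_tap.ini files. The Python below is an added example and not IBM code: it parses two constructed [TAP] fragments with the standard-library configparser (the insecure defaults next to a hardened form) and reports the weak settings, including a buffer_file_size above the 2560 MB limit noted above. The file paths and host name in the hardened fragment are placeholders, and treating an unset guardium_ca_path or sqlguard_cert_cn as a finding when TLS is on is my own check, not a documented requirement.

```python
import configparser
import io

# Constructed [TAP] fragments (not taken from a real guard_tap.ini): the
# first keeps the insecure defaults, the second is the hardened form.
WEAK_INI = """\
[TAP]
tap_ip=10.0.0.5
all_can_control=1
use_tls=0
failover_tls=1
buffer_file_size=4000
"""

HARDENED_INI = """\
[TAP]
tap_ip=10.0.0.5
all_can_control=0
use_tls=1
failover_tls=0
guardium_ca_path=/placeholder/path/to/ca.pem
sqlguard_cert_cn=collector.example.invalid
guardium_crl_path=/placeholder/path/to/crl
buffer_file_size=50
"""

# Buffer file size (MB) above which the page says S-TAP may fail to start.
MAX_BUFFER_FILE_MB = 2560


def load_tap_section(ini_text):
    """Parse the [TAP] section; guard_tap.ini uses plain key=value lines."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(ini_text))
    return parser["TAP"]


def audit_tap_section(tap):
    """Return findings as (parameter, observed value, why it matters).
    Missing keys are evaluated at the defaults given in the table."""
    findings = []
    use_tls = tap.getint("use_tls", 0)
    if use_tls != 1:
        findings.append(("use_tls", tap.get("use_tls", "0"),
                         "agent-to-collector traffic is clear text"))
    if tap.getint("failover_tls", 0) == 1:
        findings.append(("failover_tls", "1",
                         "falls back to an unencrypted connection if TLS fails"))
    if tap.getint("all_can_control", 0) == 1:
        findings.append(("all_can_control", "1",
                         "any Guardium system can control this S-TAP"))
    if use_tls == 1:
        # My own check: TLS without a CA path or expected CN leaves the
        # collector identity unpinned in the agent configuration.
        for key in ("guardium_ca_path", "sqlguard_cert_cn"):
            value = tap.get(key, "NULL")
            if value.strip() in ("", "NULL"):
                findings.append((key, value, "TLS enabled but this value is not set"))
    size_mb = tap.getint("buffer_file_size", 50)
    if size_mb > MAX_BUFFER_FILE_MB:
        findings.append(("buffer_file_size", str(size_mb),
                         f"above {MAX_BUFFER_FILE_MB} MB; S-TAP might not start"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_tap_section(load_tap_section(text)))
```

Pointed at a real file, replace the embedded text with open(path).read(); the thresholds and defaults are the ones from the table, so an empty findings list means the agent is at least not relying on clear-text transport or unrestricted control.
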
kerberos_plugin_dir
  GUI: - | GIM: STAP_KERBEROS_PLUGIN_DIR | Default: NULL
  Location of the Kerberos files.

db_ignore_response
  GUI: - | GIM: STAP_DB_IGNORE_RESPONSE | Default: NULL
  Comma-separated list of DB types whose responses are ignored. If it is set to none, no response is ignored; if it is set to all, the responses from all DBs are ignored.
  Note: If you use db_ignore_response=all to ignore Oracle database responses (not capturing them, to reduce the traffic load), be aware that more than just database server responses are involved. Database server responses can also contain database protocol metadata that the application uses to interpret subsequent database requests.

stap_statistic
  GUI: - | GIM: STAP_STATISTIC | Default: 0
  Interval at which S-TAP sends statistics about S-TAP/K-TAP to the sniffer; 0=do not send. Specify a positive integer for hours or a negative integer for minutes.

stap_statistic_version
  GUI: - | GIM: - | Default: 1
  S-TAP statistics are version-specific to the collector:
  1: Guardium V10 and higher
  0: Guardium V9

upload_feature
  GUI: - | GIM: STAP_UPLOAD_FEATURE | Default: 1
  If 1, when a new K-TAP is built, it is uploaded automatically to the Guardium system to which this S-TAP reports.

upload_snapshots
  GUI: - | GIM: STAP_UPLOAD_SNAPSHOTS | Default: 1
  Upload snapshots using the file upload mechanism.

add_to_verification_schedule
  GUI: - | GIM: - | Default: 0
  Add the inspection engines defined in guard_tap.ini to the S-TAP verification schedule. S-TAP verification tests traffic capture. 0=OFF, 1=ON; the default is 0.

db_ignore_response_bypass_bytes
  GUI: - | GIM: STAP_DB_IGNORE_BYPASS_BYTES | Default: 4096
  Size of a result set, in bytes; when a result set is larger than this size, its response is ignored.

db_ignore_response_resets_per_request
  GUI: - | GIM: STAP_DB_IGNORE_RESETS_PER_REQUEST | Default: 0
  Whether the db_ignore_response_bypass_bytes count is reset on each request. 0=no; 1=yes.

db_ignore_response_filter
  GUI: - | GIM: STAP_DB_IGNORE_RESPONSE_FILTER | Default: 0.0.0.0/0.0.0.0
  Comma-separated list of IP/MASKs to be response-ignored; by default it filters all traffic. Any DB responses of the type specified by db_ignore_response to the specified IP/MASKs are ignored.
  0=no filtering of responses occurs
  0.0.0.0/0.0.0.0=all IPs are filtered

db_ignore_response_local
  GUI: - | GIM: STAP_DB_IGNORE_RESPONSE_LOCAL | Default: 1
  Filtering of local DB responses. TCP traffic is not considered local traffic for this parameter. 0=no; 1=yes.

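To make the IP/MASK semantics of db_ignore_response_filter concrete, here is an added Python example (not IBM code) that parses db_ignore_response, db_ignore_response_filter and db_ignore_response_local and decides whether a given response would be ignored. It generalizes the table's two special values (0 and 0.0.0.0/0.0.0.0) to arbitrary comma-separated IP/MASK or CIDR lists using the standard ipaddress module. The DB type names and client addresses in the usage are constructed, and the way the three parameters combine for local versus TCP sessions is my reading of the descriptions above, not a documented algorithm.

```python
import ipaddress

NO_FILTER = "0"  # db_ignore_response_filter=0 disables response filtering


def parse_ignored_db_types(db_ignore_response):
    """db_ignore_response: NULL/none -> nothing ignored, all -> everything,
    otherwise a comma-separated list of DB types (case-insensitive)."""
    value = (db_ignore_response or "NULL").strip().lower()
    if value in ("", "null", "none"):
        return set()
    if value == "all":
        return {"all"}
    return {t.strip() for t in value.split(",") if t.strip()}


def parse_ip_masks(db_ignore_response_filter):
    """Turn 'IP/MASK,IP/MASK' into ipaddress networks; '0' means no filter.
    Dotted-decimal masks and CIDR prefix lengths are both accepted."""
    value = (db_ignore_response_filter or "").strip()
    if value in ("", NO_FILTER):
        return []
    networks = []
    for entry in value.split(","):
        ip, _, mask = entry.strip().partition("/")
        # strict=False keeps entries whose host bits are set, e.g. 10.1.2.3/255.255.0.0
        networks.append(ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False))
    return networks


def response_ignored(db_type, client_ip, is_local, db_ignore_response,
                     db_ignore_response_filter="0.0.0.0/0.0.0.0",
                     db_ignore_response_local="1"):
    """Assumed combination of the three parameters (my reading of the page):
    the DB type must be selected by db_ignore_response; then a local
    (non-TCP) session is governed by db_ignore_response_local and a TCP
    session by whether the client IP falls inside the IP/MASK list."""
    types = parse_ignored_db_types(db_ignore_response)
    if "all" not in types and db_type.lower() not in types:
        return False
    if is_local:
        return db_ignore_response_local.strip() == "1"
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_ip_masks(db_ignore_response_filter))


if __name__ == "__main__":
    # Constructed usage: Oracle responses to one subnet are dropped, the
    # default filter catches every client, and "0" keeps all responses.
    print(response_ignored("oracle", "192.168.5.9", False, "oracle",
                           "10.1.0.0/255.255.0.0,192.168.5.0/255.255.255.0"))
    print(response_ignored("oracle", "192.168.5.9", False, "oracle"))
    print(response_ignored("oracle", "192.168.5.9", False, "oracle", "0"))
```

The practical point the code makes explicit is that the default filter 0.0.0.0/0.0.0.0 matches every client, so as soon as a DB type is listed in db_ignore_response its responses stop being captured for all clients unless the filter is narrowed or set to 0.
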
debug_snapshot
  GUI: - | GIM: - | Default: 0
  Advanced. Collects a debug dump from an S-TAP. Should be triggered from the GUI (S-TAP Control > S-TAP commands). After a dump is triggered from the GUI, the parameter reverts to its default of 0.

debug_snapshot_level
  GUI: - | GIM: - | Default: 1
  Advanced. The value of tap_debug_output_level that is used for the debug dump:
  • 1: basic debug
  • 4: verbose debug

debug_snapshot_time
  GUI: - | GIM: - | Default: 60
  Advanced. The time interval, in seconds, for which the diagnostic runs. The value can be any integer.

force_log_limited
  GUI: - | GIM: - | Default: 0
  Controls sending certain types of information to the collector. Useful when you are concerned about the possibility of storing private data on the Guardium collector.
  0=unrestricted (default)
  1=restricted logs; private data is removed.

hunter_trace
  GUI: - | GIM: - | Default: 0
  Enable UID_CHAIN.
  0: Disable.
  1: Enable, for local TCP/IP connections (including Solaris zones and AIX WPARs), or for remote TCP/IP connections when appserver_installed=1.

load_balancer_ip
  GUI: Load Balancer IP | GIM: STAP_LOAD_BALANCER_IP | Default: -
  IP address of the load balancer unit. If not defined, S-TAP does not use Enterprise Load Balancing.

load_balancer_num_mus
  GUI: Managed Units | GIM: STAP_LOAD_BALANCER_NUM_MUS | Default: 1
  Number of managed units to request from the load balancer.

merge_with_template
  GUI: - | GIM: - | Default: 0
  Specifies whether the configuration from the collector is merged with the template config file when it is pushed to the S-TAP. 0=no; 1=yes.

shmid_blacklist
  GUI: - | GIM: - | Default: NULL
  Comma-separated list of shared memory IDs that K-TAP filters.

shmid_blacklist_wait
  GUI: - | GIM: - | Default: 0
  Wait to activate interception until the shmid_blacklist items are discovered. 0: no, 1: yes.

blacklist_shmem_ops_by_proc
  GUI: - | GIM: - | Default: NULL
  K-TAP uses blacklist_shmem_ops_by_proc to filter shared memory interception for the specified processes (comma-separated list).

fam_enable
  GUI: - | GIM: STAP_FAM_ENABLED | Default: see description
  Global enable/disable for the FAM monitor (crawler).
  0: disabled
  1: enabled
  In GIM installations from v10.1.4, the default is disabled; in earlier versions it is enabled by default. In shell installations, the default is enabled in all 10.0 and 10.1 versions.

uid_chain_sshd_ip
  GUI: Include client IP in UID chain for SSH daemon | GIM: STAP_UID_CHAIN_TRACE | Default: 0
  Introduced in v10.1.4. Encodes the client IP into the UID chain when ssh is identified as one of the processes in the chain. 0=disabled, 1=enabled.