Linux-UNIX: S-TAP Control: Inspection engine parameters
These parameters affect the behavior of the inspection engine that the S-TAP® uses to monitor a data repository on a DB server. You can define up to 50 inspection engines on each S-TAP.
Required. The type of
data repository that is monitored.
ASTERDB, Cassandra, CockroachDB, CouchDB, DB2®, DB2 Exit, ElasticSearch, exclude IE, FTP, GreenplumDB, HADOOP, HIVE, HP-Vertica, HTTP, HUE, IMPALA, Informix®, Informix Exit, KERBEROS, MariaDB, MemSQL, MongoDB, Mysql, Netezza®, Oracle, PostgreSQL, REDIS, SAP Hana, Sybase, Teradata, Teradata Exit, WebHDFS, Windows File Share
If Protocol is one of the Exit libraries, only DB Install Dir and Intercept Types are needed.
|Port range||For monitoring network traffic only, the port range over which to listen for database
traffic. For a Kerberos inspection engine, set the start and end values to 88-88. If a range is
used, do not include extra ports in the range, as this might result in excessive resource
consumption while the S-TAP attempts to analyze unwanted traffic.
To monitor range 1521-1525 (5 ports) with no port forwarding:
|DB Real Port||4100||With K-TAP and PCAP, identifies the database port or range of ports to be monitored. For exit libraries, use its value for db_home.|
|Client Ip/Mask||Restricts S-TAP to monitor traffic only from the specified
sets of IP address and mask pairs, by using a list of addresses in IP address/mask format:
n.n.n.n/m.m.m.m. If an improper IP address/mask is entered, the S-TAP does not start. Valid values:
|Exclude Client Ip/Mask||A list of client IP addresses and corresponding masks that are excluded from monitoring. Use this option to configure the S-TAP to monitor all clients, except for a certain client or subnet (or a collection thereof). Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot be specified simultaneously.|
|Connect To Ip||127.0.0.1,::1||IP address for S-TAP to use to connect to the database. When K-TAP is enabled, this parameter is used for Solaris Zones and AIX WPARs and it should be the zone IP address in order to capture traffic.|
|DB User||NULL||OS username (case-sensitive) of the owner of the DB server process (for example, oracle). This parameter specifies which user is allowed to use the atap_request_handler socket. It is required if you are not using the user root. If set to an invalid value, A-TAP cannot access the socket to retrieve permission for accessing K-TAP. In this case, it requires authorization with a group membership to log decrypted traffic to K-TAP (by using the guardctl authorize-user command).|
|DB Install Dir||NULL||Db2, Informix, and Oracle: Enter the full path name for the database installation directory. For example: /home/oracle10. All other database types enter: NULL. For Db2 exit and Informix exit, db_install_dir must be exactly the same as the $HOME value in the database (or $DB2_HOME for Db2 Exit); otherwise tap_identifier does not function properly.|
|Process Name||NULL||The value of this parameter depends on whether it's in
an exit, and whether there is A-TAP.
|DB2 Shared Mem. Adjust||20||Required when Db2® is selected as the database type, and shared memory connections are monitored. The offset to the server's portion of the shared memory area. Offset to the beginning of the Db2 shared memory packet, depends on the Db2 version: 32 in pre-8.2.1, and 80 in 8.2.1 and higher.|
|DB2 Sh. Mem. Client pos.||61440||The offset to the client's portion of the shared memory area. Required when Db2 is selected as the database type, and shared memory connections are monitored. Use the script find_db2_shmem_parameters.sh to find the value. The script is located in stap_directory/bin, and outputs what the Db2 shared memory parameters that are defined in the Inspection Engines should be. Run it either as root or Db2 user, by using the syntax: find_db2_shmem_parameters.sh <instance name>. You can run it from any directory.|
|DB2 Shared Mem. Size||131072||Db2 shared memory segment size. Required when Db2 is selected as the database type, and shared memory connections are monitored.|
|Encryption||0|| Valid values:
Activate ASO or SSL encrypted traffic for Oracle (versions 11 and 12) and Sybase on Solaris, HPUX, and AIX®.
For Oracle, specify db_version in the guard_tap.ini file (for example, db_version=12)
For Oracle12 SSL, instrument on all platforms. For Oracle11 SSL, instrument on AIX.
For any Oracle requiring instrumentation, if you are using encryption=1 in the guard_tap.ini (which is not supported on Linux), you must instrument before setting that parameter.
Some DBs require restart after enabling encryption.
When using GIM to configure the S-TAP, GIM_ROOT_DIR must be set to the absolute path to the modules, for example /usr/local/guardium/modules
|Intercept Types||NULL||DO NOT change this parameter unless it is
absolutely necessary. Protocol types that are intercepted by the IE. Valid values:
|Identifier||NULL||Used to distinguish inspection engines from one another. If unspecified, Guardium® auto-populates the field with a unique name that uses the database type and sequence number.|
|DB Version||9||The database version. The string must start with a numeral and not a letter.|
|Unix Socket Marker||Null||Specifies UNIX domain sockets marker for Oracle, MySQL, and Postgres. Usually the default is correct, but when the named pipe or UNIX domain socket traffic does not work then you need to make sure that this value is set correctly. For example, for Oracle, set unix_domain_socket_marker to the KEY of IPC defined in tnsnames.ora. If it is NULL or not set, the S-TAP uses defined default markers identified as: * MySQL - "mysql.sock" * Oracle - "/.oracle/" * Postgres - ".s.PGSQL.5432"|