Linux-UNIX: S-TAP Control: Inspection engine parameters

These parameters affect the behavior of the inspection engine that the S-TAP® uses to monitor a data repository on a DB server. You can define up to 50 inspection engines on each S-TAP.

Name Default value Description
Protocol   Required. The type of data repository that is monitored.
ASTERDB, Cassandra, CockroachDB, CouchDB, DB2®, DB2 Exit, ElasticSearch, exclude IE, FTP, GreenplumDB, HADOOP, HIVE, HP-Vertica, HTTP, HUE, IMPALA, Informix®, Informix Exit, KERBEROS, MariaDB, MemSQL, MongoDB, Mysql, Netezza®, Oracle, PostgreSQL, REDIS, SAP Hana, Sybase, Teradata, Teradata Exit, WebHDFS, Windows File Share

If Protocol is one of the Exit libraries, only DB Install Dir and Intercept Types are needed.

Port range   For monitoring network traffic only, the port range over which to listen for database traffic. For a Kerberos inspection engine, set the start and end values to 88-88. If a range is used, do not include extra ports in the range, as this might result in excessive resource consumption while the S-TAP attempts to analyze unwanted traffic.
To monitor range 1521-1525 (5 ports) with no port forwarding:
  • Port range = 1521-1525
  • DB Real Port =1521
To monitor range 2000-2004 (5 ports) where network port 2000 is mapped to local port 1521:
  • Port range = 2000-2004
  • DB Real Port = 1521
DB Real Port 4100 With K-TAP and PCAP, identifies the database port or range of ports to be monitored. For exit libraries, use its value for db_home.
Client Ip/Mask   Restricts S-TAP to monitor traffic only from the specified sets of IP address and mask pairs, by using a list of addresses in IP address/mask format: n.n.n.n/m.m.m.m. If an improper IP address/mask is entered, the S-TAP does not start. Valid values:
  • User-defined list
  •,::/0: select all clients.
  •,::1/0: local traffic only
Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot be specified simultaneously.
Exclude Client Ip/Mask   A list of client IP addresses and corresponding masks that are excluded from monitoring. Use this option to configure the S-TAP to monitor all clients, except for a certain client or subnet (or a collection thereof). Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot be specified simultaneously.
Connect To Ip,::1 IP address for S-TAP to use to connect to the database. When K-TAP is enabled, this parameter is used for Solaris Zones and AIX WPARs and it should be the zone IP address in order to capture traffic.
DB User NULL OS username (case-sensitive) of the owner of the DB server process (for example, oracle). This parameter specifies which user is allowed to use the atap_request_handler socket. It is required if you are not using the user root. If set to an invalid value, A-TAP cannot access the socket to retrieve permission for accessing K-TAP. In this case, it requires authorization with a group membership to log decrypted traffic to K-TAP (by using the guardctl authorize-user command).
DB Install Dir NULL Db2, Informix, and Oracle: Enter the full path name for the database installation directory. For example: /home/oracle10. All other database types enter: NULL. For Db2 exit and Informix exit, db_install_dir must be exactly the same as the $HOME value in the database (or $DB2_HOME for Db2 Exit); otherwise tap_identifier does not function properly.
Process Name NULL The value of this parameter depends on whether it's in an exit, and whether there is A-TAP.
DB2 Shared Mem. Adjust 20 Required when Db2® is selected as the database type, and shared memory connections are monitored. The offset to the server's portion of the shared memory area. Offset to the beginning of the Db2 shared memory packet, depends on the Db2 version: 32 in pre-8.2.1, and 80 in 8.2.1 and higher.
DB2 Sh. Mem. Client pos. 61440 The offset to the client's portion of the shared memory area. Required when Db2 is selected as the database type, and shared memory connections are monitored. Use the script to find the value. The script is located in stap_directory/bin, and outputs what the Db2 shared memory parameters that are defined in the Inspection Engines should be. Run it either as root or Db2 user, by using the syntax: <instance name>. You can run it from any directory.
DB2 Shared Mem. Size 131072 Db2 shared memory segment size. Required when Db2 is selected as the database type, and shared memory connections are monitored.
Encryption 0 Valid values:
  • 0: Unencrypted
  • 1: Encrypted
Default = 0 (false)

Activate ASO or SSL encrypted traffic for Oracle (versions 11 and 12) and Sybase on Solaris, HPUX, and AIX®.

For Oracle, specify db_version in the guard_tap.ini file (for example, db_version=12)

For Oracle12 SSL, instrument on all platforms. For Oracle11 SSL, instrument on AIX.

For any Oracle requiring instrumentation, if you are using encryption=1 in the guard_tap.ini (which is not supported on Linux), you must instrument before setting that parameter.

Some DBs require restart after enabling encryption.

When using GIM to configure the S-TAP, GIM_ROOT_DIR must be set to the absolute path to the modules, for example /usr/local/guardium/modules

Intercept Types NULL DO NOT change this parameter unless it is absolutely necessary. Protocol types that are intercepted by the IE. Valid values:
  • NULL: auto intercepts all protocols the Database supports
  • Comma-separated list: IE intercepts these protocol types only.
Identifier NULL Used to distinguish inspection engines from one another. If unspecified, Guardium® auto-populates the field with a unique name that uses the database type and sequence number.
DB Version 9 The database version. The string must start with a numeral and not a letter.
Unix Socket Marker Null Specifies UNIX domain sockets marker for Oracle, MySQL, and Postgres. Usually the default is correct, but when the named pipe or UNIX domain socket traffic does not work then you need to make sure that this value is set correctly. For example, for Oracle, set unix_domain_socket_marker to the KEY of IPC defined in tnsnames.ora. If it is NULL or not set, the S-TAP uses defined default markers identified as: * MySQL - "mysql.sock" * Oracle - "/.oracle/" * Postgres - ".s.PGSQL.5432"