Linux-UNIX: Using automation tools with the S-TAP and sample scripts

Edit online

Guardium UNIX S-TAP has many script based interfaces to assist in the installation, configuration, and maintenance of the UNIX S-TAP agents. The following links provide you with the information necessary to create the automation scripts that work in your environment.


A-TAP management	Linux-UNIX: A-TAP management
Using guardctl for A-TAP	Linux-UNIX: guardctl utility commands for A-TAP
Return codes for guardctl	Linux-UNIX: guardctl return codes
Installing S-TAP with GIM	Linux-UNIX: Installing the S-TAP client with GIM Setup by Client
Modifying S-TAP configuration with GIM	Set up by Client and Linux-UNIX: Editing the S-TAP configuration parameters
Uninstalling S-TAP with GIM	Linux-UNIX: Uninstalling S-TAP agent with GIM Setup by Client
Upgrading S-TAP with GIM	Linux-UNIX: Upgrading an S-TAP agent with GIM Setup by Client
GIM S-TAP parameters	Linux-UNIX: S-TAP GIM installation parameters
Using guard-config-update	Linux-UNIX: Using guard-config-update to start, restart, and stop S-TAP, and view status
Configuring S-TAP with guard-config-update	Linux-UNIX: Configure S-TAP with guard-config-update
Installing the S-TAP using the shell installer	Linux-UNIX: Installing the S-TAP client by using the shell installer
Uninstalling S-TAP with the shell installer	Linux-UNIX: Uninstalling S-TAP agents using the shell installer
Upgrading S-TAP with the shell installer	Linux-UNIX: Upgrading the S-TAP agent using the shell installer
Install script parameter for S-TAP	Linux-UNIX: S-TAP install script parameters

The following Ansible playbooks can be used as examples for install, activation of A-TAP, deactivation of A-TAP, and unintall.

Install S-TAP sample

---
- hosts: all
  vars:
    guardium_appliance: my-collector.example.com
    installer_dir:      ./
    installer:          guard-stap-11.2.0.0_r108838_v11_2_1-rhel-8-linux-x86_64.sh
    destination:        /var/tmp
    install_dir:        /usr/local
  tasks:
    - name: Check for previous installation
      block:
        - name: Look for KTAP
          shell: lsmod | grep ktap
          register: lsmod_out
          ignore_errors: yes
        - name: Look for existing installation directory
          stat:
            path: "{{ install_dir }}/guardium"
          register: guardium_dir
    - name: Installation
      block:
        - name: Copy shell installer
          copy:
            src:    "{{installer_dir}}/{{ installer }}"
            dest:   "{{ destination }}"
            owner:  root
            group:  root
            mode:   0755
            become: yes
        - name: Do shell installation
          block:
            - name: Run shell installer
              shell:    "{{ destination }}/{{ installer }} --ni -k --dir {{ install_dir }} --tapip {{ ansible_hostname }} --sqlguardip {{ guardium_appliance }} --ktap_allow_module_combos"
              register: installer_output
              become:   yes
            - debug:
                msg: "{{ installer_output.stderr }}"
            - debug:
                msg: "{{ installer_output.stdout }}"
      when: guardium_dir.stat.exists == false and lsmod_out.stdout == ""
    - name: Check KTAP
      shell: lsmod | grep ktap
      register: lsmod_out
    - debug:
        msg: "{{ lsmod_out.stdout }}"

Uninstall S-TAP sample

---
- hosts: all
  vars:
    install_dir:        /usr/local
  tasks:
    - name: Check if STAP is installed
      stat:
        path: "{{ install_dir }}/guardium/guard_stap/uninstall"
      register: uninstall_script
    - name: Do uninstall
      block:
        - name: Run uninstall
          shell:    "{{ install_dir }}/guardium/guard_stap/uninstall"
          register: uninstall_output
          become:   yes
        - debug:
            msg: "{{ uninstall_output.stderr }}"
        - debug:
            msg: "{{ uninstall_output.stdout }}"
      when: uninstall_script.stat.exists == true
    - name: Check if KTAP is loaded
      shell: lsmod | grep ktap
      register: lsmod_ktap
      ignore_errors: yes
    - name: Reboot
      reboot:
        reboot_timeout: 3600
      become: yes
      when: lsmod_ktap.rc == 0
    - name: Verify no KTAP
      shell: lsmod | grep ktap
      register: result
      failed_when:
        - result.rc == 0

Activate A-TAP sample

---
- hosts: all
  vars:
    install_dir: /usr/local
    db_user:     oracle11
    db_base:     /opt/oracle11
    db_home:     "{{ db_base }}/product/11.1.0/db_1"
    db_version:  11
    db_type:     oracle
    db_instance: oracle11
    restart_db:  false
    stop_db:     false
  tasks:
    - name: Check if ATAP is already active
      shell: "{{ install_dir }}/guardium/guard_stap/guardctl list-active | grep \"root/{{ db_instance }}\""
      ignore_errors: yes
      register: atap_grep
    - name: ATAP is not already active
      block:
        - name: Verify DB is in IEs
          block:
            - name:  Grep for DB_HOME in IEs
              shell: "{{ install_dir }}/guardium/guard_stap/guard-config-update --show-ies | grep \"db_install_dir[ ]*=[ ]*{{db_base}}\""
              ignore_errors: yes
              register: ie_grep
        - name: Run discovery and re-check IEs
          block:
            - name: Check if DB is running
              shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
              register: oracle_ps
              ignore_errors: yes
            - name: DB is not running, needs to be started
              block:
                - name: Run startup command
                  shell: "su - {{ db_user }} -c \"{{ db_base }}/START.sh\""
                  ignore_errors: yes
                  register: cmd_output
                  become: yes
                - debug: 
                    msg: "{{ cmd_output.stdout }}"
                - debug: 
                    msg: "{{ cmd_output.stderr }}"
                - set_fact:
                    stop_db:  true
              when: oracle_ps.rc != 0
            - name: Run discovery
              shell: "{{ install_dir }}/guardium/guard_stap/guard_discovery {{ install_dir }}/guardium/guard_stap/guard_tap.ini --update_tap"
              become: yes
            - name:  Grep for DB_HOME in IEs
              shell: "{{ install_dir }}/guardium/guard_stap/guard-config-update --show-ies | grep \"db_install_dir[ ]*=[ ]*{{db_base}}\""
          when: ie_grep.rc != 0
        - name: Leave DB down if it wasn't started
          block:
            - name: Run shutdown command
              shell: "su - {{ db_user }} -c \"{{ db_base }}/STOP.sh\""
              ignore_errors: yes
              register: cmd_output
              become: yes
            - debug: 
                msg: "{{ cmd_output.stdout }}"
            - debug: 
                msg: "{{ cmd_output.stderr }}"
          when: stop_db == true
        - name: Check if DB is running
          shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
          register: oracle_ps
          ignore_errors: yes
        - name: Shut down database
          block:
            - name: Run shutdown command
              shell: "su - {{ db_user }} -c \"{{ db_base }}/STOP.sh\""
              ignore_errors: yes
              register: cmd_output
              become: yes
            - debug: 
                msg: "{{ cmd_output.stdout }}"
            - debug: 
                msg: "{{ cmd_output.stderr }}"
            - set_fact:
                restart_db:  true
          when: oracle_ps.rc == 0
        - name: Activate ATAP
          shell: "{{ install_dir }}/guardium/guard_stap/guardctl --db-user={{ db_user }} --db-type={{ db_type }} --db-instance={{ db_instance }} --db-base={{ db_base }} --db-home={{ db_home }} --db-version={{ db_version }}  activate"
          become: yes
        - name: Restart DB
          block:
            - name: Run startup command
              shell: "su - {{ db_user }} -c \"{{ db_base }}/START.sh\""
              register: cmd_output
              become: yes
            - debug: 
                msg: "{{ cmd_output.stdout }}"
            - debug: 
                msg: "{{ cmd_output.stderr }}"
          when: restart_db == true
      when: atap_grep.rc != 0

Deactivate A-TAP sample

---
- hosts: all
  vars:
    install_dir: /usr/local
    db_user:     oracle11
    db_base:     /opt/oracle11
    db_instance: oracle11
    restart_db:  false
    stop_db:     false
  tasks:
    - name: Check if ATAP is active
      shell: "{{ install_dir }}/guardium/guard_stap/guardctl list-active | grep \"root/{{ db_instance }}\""
      ignore_errors: yes
      register: atap_grep
    - name: ATAP is active
      block:
        - name: Check if DB is running
          shell: ps -ef | grep -v grep | grep oracle11 | grep tnslsnr
          register: oracle_ps
          ignore_errors: yes
        - name: Shut down database if is up
          block:
            - name: Run shutdown command
              shell: "su - {{ db_user }} -c \"{{ db_base }}/STOP.sh\""
              ignore_errors: yes
              register: cmd_output
              become: yes
            - debug: 
                msg: "{{ cmd_output.stdout }}"
            - debug: 
                msg: "{{ cmd_output.stderr }}"
            - set_fact:
                restart_db:  true
          when: oracle_ps.rc == 0
        - name: Deactivate ATAP
          shell: "{{ install_dir }}/guardium/guard_stap/guardctl --db-instance={{ db_instance }} deactivate"
          become: yes
        - name: Restart DB
          block:
            - name: Run startup command
              shell: "su - {{ db_user }} -c \"{{ db_base }}/START.sh\""
              register: cmd_output
              become: yes
            - debug: 
                msg: "{{ cmd_output.stdout }}"
            - debug: 
                msg: "{{ cmd_output.stderr }}"
          when: restart_db == true
      when: atap_grep.rc == 0