Linux-Unix: Inspection engine parameters
These parameters affect the behavior of the inspection engine that the S-TAP uses to monitor a data repository on a DB server.
GUI | guard_tap.ini | Default value | Description |
---|---|---|---|
Protocol | db_type | The type of data repository being monitored (case is ignored). Valid values: ORACLE,SYBASE,DB2,INFORMIX, FTP, MYSQL, MEMSQL, PGSQL, NETEZZA, HADOOP, DB2_EXIT, CASSANDRA, MONGODB, GREENPLUMDB, ASTERDB, HANA, MARIADB, COUCH, INFX_EXIT, VERTICADB, COUCHBASE, NEO4J, IGNORE If DB_type is one of the Exit libraries, only db_install_dir and intercept_types are needed. |
|
Port range | port_range_start | For monitoring network traffic only, the lowest numbered port on which to listen for database traffic. Together with port_range_enddefines the range of ports monitored for this database instance. There is usually only a single port in the range. For a Kerberos inspection engine, set the start and end values to 88-88. If a range is used, do not include extra ports in the range, as this could result in excessive resource consumption while the S-TAP attempts to analyze unwanted traffic. | |
Port range | port_range_end | For monitoring network traffic only, the highest numbered port on which to listen for database traffic. | |
KTAP DB Real Port | real_db_port | 4100 |
With K-TAP and PCAP, identifies the database port or range of ports to be monitored. For exit libraries, use its value for db_home |
Client Ip/Mask | networks | 127.0.0.1 | Restricts S-TAP to monitor traffic only from the specified
sets of IP address and mask pairs, using a list of addresses in IP address/mask format:
n.n.n.n/m.m.m.m. If an improper IP address/mask is entered, the S-TAP does not start. Valid values:
If the IP address is the same as the IP address for the database server, and a mask of 255.255.255.255 is used, only local traffic will be monitored. An address/mask value of 1.1.1.1/0.0.0.0 monitors all clients. |
Exclude Client Ip/Mask | exclude_networks | A list of client IP addresses and corresponding masks that are excluded from monitoring. This option allows you to configure the S-TAP to monitor all clients, except for a certain client or subnet (or a collection of these). Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot be specified simultaneously. | |
TEE Listen Port-Real Port | tee_listen_port | Deprecated. Replaced by the parameter real_db_port when the K-TAP monitoring mechanism is used. | |
Connect To Ip | connect_to_ip | 127.0.0.1 | IP address for S-TAP to use to connect to the database. When K-TAP is enabled, this parameter is used for Solaris Zones and AIX WPARs and it should be the zone IP address in order to capture traffic. |
DB User | db_user | NULL | OS username (case-sensitive) of the owner of the DB server process (for example, oracle). This parameter specifies which user is allowed to use the atap_request_handler socket. It is required if you are not using the user root. If not set to a valid value, A-TAP cannot access the socket to retrieve permission for accessing K-TAP, and would therefore require authorization via group membership to log decrypted traffic to K-TAP (using the guardctl authorize-user command). Restart the S-TAP after modifying this parameter. |
DB Install Dir | db_install_dir | NULL | Db2, Informix, and Oracle: Enter the full path name for the database installation directory. For example: /home/oracle10. All other database types enter: NULL. For Db2 exit and Informix exit, db_install_dir must be exactly the same as the $HOME value in the database (or $DB2_HOME for Db2 Exit); otherwise tap_identifier does not function properly. |
Process Name | db_exec_file | NULL |
For a Db2, Oracle, or Informix database, enter the full path name for the
database executable. For example:
|
Encryption | encryption | 0 | Valid values:
Activate ASO or SSL encrypted traffic for Oracle (versions 11 and 12) and Sybase on Solaris, HPUX and AIX. For Oracle, specify db_version in the ini file (e.g. db_version=12) For Oracle12 SSL, instrument on all platforms. For Oracle11 SSL, instrument on AIX. For any Oracle requiring instrumentation, if you are using encryption=1 in the guard_tap.ini (which is not supported on Linux), you must instrument prior to setting that parameter. Some DBs require restart after enabling encryption. When configuring using GIM, GIM_ROOT_DIR must be set to the absolute path to the modules, for example /usr/local/guardium/modules |
load_balanced | 1 | Valid values:
|
|
priority_count | 20 | At session creation the first priority_count packets are
marked with a high priority flag and are transferred to a special high priority queue on the
collector. Valid values:
|
|
Intercept Types | intercept_types | NULL | DO NOT change this parameter unless it is absolutelu necessary. Protocol types
that are intercepted by the IE. Valid values:
|
Identifier | tap_identifier | NULL | Optional. Used to distinguish inspection engines from one another. If you do not provide a value for this field, Guardium auto-populates the field with a unique name using the database type and GUI display sequence number. |
DB Version | db_version | 9 | The database version. |
Unix Socket Marker | unix_domain_socket_marker | Null | Specifies UNIX domain sockets marker for Oracle, MySQL and Postgres. Usually the default value is correct, but when the named pipe or UNIX domain socket traffic does not work then you need to make sure this value is set correctly. For example, for Oracle, unix_domain_socket_marker should be set to the KEY of IPC defined in tnsnames.ora. If it is NULL or not set, the S-TAP uses defined default markers identified as: * MySQL - "mysql.sock" * Oracle - "/.oracle/" * Postgres - ".s.PGSQL.5432" |
These additional parameters are used with IBM Db2 databases.
The script find_db2_shmem_parameters.sh, located in stap_directory/bin, outputs what the Db2 shared memory parameters defined in the Inspection Engines should be. Execute it either as root or Db2 user, using the syntax: find_db2_shmem_parameters.sh <instance name>. You can run it from any directory.
GUI | guard_tap.ini | Default value | Description |
---|---|---|---|
DB2 Shared Mem. Adjust. | db2_fix_pack_adjustment | 20 | Required when Db2 is selected as the database type, and shared memory connections are monitored. The offset to the server's portion of the shared memory area. Offset to the beginning of the Db2 shared memory packet, depends on the Db2 version: 32 in pre-8.2.1, and 80 in 8.2.1 and higher. |
DB2 Sh. Mem. Client Pos. | db2_shmem_client_position | 61440 | The offset to the client's portion of the shared memory area. Required when Db2 is selected as the database type, and shared memory connections are monitored. Use the script find_db2_shmem_parameters.sh to find the value. |
db2bp_path | Null | Only used when using ATAP on Db2. If the program 'db2bp' (part of Db2) is in the standard location, this does not need to be set. If it is non-standard, then this parameter points to its location. The value of this parameter should be the full path of the relevant db2bp as seen from the global zone/wpar. For example, if the file is /data/db2inst1/sqllib/bin/db2bp and the zone is installed in /data/zones/oracle2nd/root/ then the full path to db2bp that should be set in the db2bp_path parameter is /data/zones/oracle2nd/root/data/db2inst1/sqllib/bin/db2bp | |
DB2 Shared Mem. Size | db2_shmem_size | 131072 | Db2 shared memory segment size. Required when Db2 is selected as the database type, and shared memory connections are monitored. |