The default S-TAP configuration file contains extensive comments explaining each of the configuration properties. Each comment begins with a semi-colon (;) character. In the actual configuration file, some or all of the comments may be stripped out during the process of updating the configuration.
If you need to edit the S-TAP configuration file on the database server, we suggest that you use the default version of the file (reproduced below) as a reference. There is an unused copy of the default S-TAP configuration file installed on the database server. When you make changes, be sure that you make your changes to the actual configuration file, and not to the default version.
; STap Protocol Version = 4
; SqlGuard Internal Version = Borzoi
; STap Official Version = 7.0
; Guardium guard_tap.ini file example.
; Guardium version 7.0
; Unix database server version.
; Lines starting with ";" are comments.
; Default values are in parentheses in the comments.
; Section and property names are not case-sensitive.
; List values are comma separated with no blanks allowed.
; TAP Section
; There must be exactly one TAP section.
; TAP Section Properties
; devices
; Which interfaces to listen on.
; Enter "none" to use TEE for local traffic only.
; Otherwise, use ifconfig to find the right interface. (eth0)
; tap_ip
; IP address for the database server system on which
; S-TAP is installed. (no default)
; alternate_ips
; Additional IP addresses for the database server system
; on which S-TAP is installed (no default). If there are
; no additional IP addresses, enter the property exactly
; as shown (with no values) -- DO NOT remove the statement.
; connection_timeout_sec
; Number of seconds after which S-TAP will consider a Guardium
; server to be unavailable. (20)
; tee_msg_buf_len
; Number of TEE buffers. (128)
; buffer_file_size
; Size of STap's buffer file (100MB)
; tracefiles_dir
; Directory in which access tracer files will be stored (INSTALLDIR).
; remote_messages
; Send messages to the active Guardium host: 0=NO, 1=YES (1).
; syslog_messages
; Send messages to syslog: 0=NO, 1=YES (1).
; tee_installed
; Monitor via the TEE: 0=NO, 1=YES (0).
; Use zero to monitor network traffic only (ktap_installed=1 will handle local traffic).
; ktap_installed
; Is Kernel Monitor module installed: 0=NO, 1=YES (1)
; ktap_installed and tee_installed are mutually exclusive; only one can be set on.
; participate_in_load_balancing
; Controls load balancing to Guardium servers: 0=NO, 1=YES (0).
; When enabled, S-TAP balances traffic to all primary servers
; by client IP. (All traffic from a specific client must be
; viewed by the same Guardium unit.) To designate a Guardium
; server as a primary server, use the primary property in the
; SQLGUARD section (see below).
; Hunter is a mechanism that reports on and optionally kills
; processes that are circumventing the S-TAP. There can be only
; one Hunter section. By default, the entire section is commented.
; When used, all properties are required.
; NOTE: If the Hunter feature is used, Perl version 5.8.0 or later
; must be installed in the /usr/bin directory.
; HUNTER Properties
; hunter_sleep_time
; Factor used to control the time between checks - input to a random generator.
; hunter_debug
; Send debug messages to syslog: 0=NO, 1=YES (0).
; hunter_trace
; Generate trace files in tracefiles_dir: 0=NO, 1=YES (1).
; hunt
; A comma separated list terminated with a semi-colon (;)
; identifying the processes to be killed.
; All processes will be reported, whether or not a kill is issued.
; Each entry is in the form database:comm, where database values
; are: FTP,ORACLE,SYBASE,INFORMIX or DB2, and comm values are as described
; below.
; The default is an empty list (hunt=;).
; Comm Description
; ----- ----------
; SHM Shared memory
; IPv4 Internet Protocol version 4
; IPv6 Internet Protocol version 6
; FIFO A named pipe IPC mechanism
; PIPE A simple (unnamed) pipe IPC
; INET Internet protocol (HPUX)
;
; Note 1: Do not include blanks or any other white-space characters
; in the comma separated list
; Note 2: This list must be terminated with a semi-colon (;).
; Note 3: For an empty list, enter a semi-colon only (;).
; hunter_dbs
; A comma separated list with the databases to be checked. Same values as
; hunt for the databases, with the addition of DB2REMOTE for remote
; connections (network) to DB2
[TAP]
alternate_ips=NULL
; cas_ parameters are used by the CAS product; all files are saved under <installation dir>/cas/bin
;cas_task_baseline = <filename> (task_baseline): -- deprecated
;cas_client_baseline = <filename> (client_baseline): -- deprecated
;cas_task_checkpoint = <filename> (task_checkpoint): internal; saves the program's machine state in case of host failure
;cas_client_checkpoint = <filename> (client_checkpoint): internal; saves the program's machine state in case of host failure
;cas_checkpoint_period = <time in sec> (60): interval time for the above check
;cas_fail_over_file = <filename> (fail_over_file): outgoing messages to appliance buffer file
;cas_fail_over_file_size_limit = <size in kb> (50000): buffer size
;cas_max_reconnect_attempts = <number of retries> (5000): when the connection is lost, how many reconnect attempts are made
;cas_reconnect_interval = <time in sec> (60): wait time before next reconnect attempt
;cas_raw_data_limit = <size in kb> (1000): limit on the size of the raw_data file sent to the appliance
;cas_md5_size_limit = <size in kb> (1000): don't try calculating md5sum on files bigger than this
cas_task_baseline = task_baseline
cas_task_checkpoint = task_checkpoint
cas_client_baseline = client_baseline
cas_client_checkpoint = client_checkpoint
cas_checkpoint_period = 60
cas_fail_over_file = fail_over_file
cas_fail_over_file_size_limit = 50000
cas_max_reconnect_attempts = 5000
cas_reconnect_interval = 60
cas_raw_data_limit = 1000
cas_md5_size_limit = 1000
connection_timeout_sec=60
;debug_file_name - windows only debug log file
debug_file_name=st.log
devices=none
hunt=NULL
hunter_debug=0
hunter_dbs=NULL
hunter_sleep_time=60
hunter_trace=0
participate_in_load_balancing=0
remote_messages=1
tap_ip=NULL
syslog_messages=1
tap_debug_output_level=0
tap_hb_udp_port=-1
tap_min_heartbeat_interval=20
tee_installed=0
tee_msg_buf_len=128
time_differential=0
tracefiles_dir=INSTALLDIR
buffer_file_size=100
ktap_installed=0
; ktap_clients_whitelist - for future use
ktap_clients_whitelist=
; tap_type = <stap|wtap|ztap> (stap): defines what kind of agent is used: stap=UNIX, wtap=WINDOWS, ztap=Z/OS
tap_type=stap
;appserver_installed= 1 if on, 0 if not
;appserver_ports= which port is the app server threads on
;appserver_login_pattern = How to recognize a login POST/GET
;appserver_username_prefix= Where is the username in that post/get
;appserver_username_postfix= Where does the username end in that post/get
;appserver_session_pattern= How to recognize a "new session" reply
;appserver_session_prefix= where is the session id ....
;appserver_session_postfix= And where does it end
;appserver_usersess_pattern= How to recognize an existing session
;appserver_usersess_prefix= where is the session id ...
;appserver_usersess_postfix= And where does it end
appserver_installed=0
appserver_ports=8080
appserver_login_pattern=X
appserver_username_prefix=X
appserver_username_postfix=X
appserver_session_pattern=X
appserver_session_prefix=X
appserver_session_postfix=X
appserver_usersess_pattern=X
appserver_usersess_prefix=X
appserver_usersess_postfix=X
; use_tls
; Use SSL to encrypt traffic between agent and appliance: 0=NO, 1=YES (1).
; failover_tls
; If an SSL connection is not possible for any reason, fail over to a non-secure connection:
; 1=Yes, use a non-secure connection; 0=No, only use secure connections (1).
use_tls=0
failover_tls=1
;The firewall feature works this way:
;1. It is per session: when enabled it will only affect the specific user
;and not everyone connected to the database.
;2. It is usually not enabled; moving into active mode is done by a triggering
;event (for example, a specific user group was used to connect).
;3. If the firewall is in active mode, any firewall actions like DROP session rules will start to take
;effect (should their rule be triggered). Without the firewall being started, these
;rules will never fire; they can only go to work when the
;firewall is enabled for that session.
; firewall_installed
; Should the firewall feature be enabled at all: 0=No, 1=Yes (0)
;firewall_fail_close
; The default action when a verdict cannot be set by the policy rules (e.g. timeout reached):
; 0=let connection through, 1=block connection (0)
; firewall_default_state
; What triggers the start of the firewall mode
; 0=event triggering a rule in the installed policy happens
; 1=start in firewall mode enabled regardless of a triggering event (0)
;This flag forces the watch (or enabling) of the firewall
;regardless of any rule; the specific actions (DROP etc.) will still
;happen only when triggered by a rule.
; firewall_timeout
; Time (in seconds) to wait on a verdict from the appliance.
; If timed out, look at the firewall_fail_close value to know whether
; to block or allow the connection (10 seconds)
firewall_installed=0
firewall_fail_close=0
firewall_default_state=0
firewall_timeout=10
; To boost performance you may consider disabling the collection of the source_program name. In doing so you won't be able to tell which program was using the connection (but all other connection information, like user and client address, will be available).
;log_program_name = <0|1> (0): 0=don't send source_program name to appliance, 1=send source_program name
log_program_name=0
; SQLGUARD Sections
; There must be one SQLGuard section for each SQL Guard server that will
; act as a host for this S-TAP. The section name must be in the form
; "SQLGuard_x" where "x" is a meaningful string to identify the unit.
; This string will be used in all messages.
; SQLGUARD Section Properties
; sqlguard_ip
; IP address of the Guardium unit (no default).
; sqlguard_port
; Port used to connect to the above unit (16016).
; primary
; Indicates if the server is a primary server: 0=NO, 1=YES (1).
; If participate_in_load_balancing=1, there must be at least one primary server.
; If participate_in_load_balancing=0, there must be exactly one primary server.
[SQLGuard_0]
sqlguard_ip=NULL
sqlguard_port=16016
primary=1
; connect_to_ip
; IP address for S-TAP to use to connect to the database.
; Some databases accept local connection on 127.0.0.1, while
; others accept local connection only on the 'real' IP of the
; machine and NOT on the default (127.0.0.1).
; DB Sections
; There must be at least one DB section. The section name must be in the
; form "DB_x" where "x" is a meaningful string to identify the database.
; This string will be used in all messages.
; DB Section Properties
; DB_type
; Database type: ORACLE,SYBASE,DB2,INFORMIX, FTP,MYSQL
;networks
; Restricts S-TAP to monitor traffic only from the specified sets
; of IP address and mask pairs.
; Use 127.0.0.1/255.255.255.255 to monitor local clients.
; Use 0.0.0.0/0.0.0.0 to monitor all clients on the network.
; (Default is 127.0.0.1, local clients only.)
; tee_listen_port
; Port on which the TEE will accept DB client connections. Use zero
; to not use the TEE (12344).
; real_db_port
; Port onto which the TEE will forward all DB client traffic.
; port_range_start
; For monitoring network traffic only, the lowest numbered port on which
; to listen for database traffic (4100).
; port_range_end
; For monitoring network traffic only, the highest numbered port on which
; to listen for database traffic (4100).
;[DB_tHat]
;db2_fix_pack_adjustment=20
;db2_shmem_client_position=0
; For Informix only, this parameter defines the Informix version and not the shmem size;
; in that case:
; db2_shmem_size= <7|9|10|11>
;db2_shmem_size=131072
;port_range_start=4100
;port_range_end=4100
;tee_listen_port=12344
;connect_to_ip=127.0.0.1
;DB_type= SYBASE
;neTWORks=192.168.0.0/255.255.0.0
;exclude_networks=192.168.1.115/255.255.255.255,192.168.1.16/255.255.255.255
;real_db_port=4100
;db_install_dir=NULL
;db_exec_file=NULL
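As an added example (not Guardium's code), the following Python linter checks a guard_tap.ini against the rules the comments above state: case-insensitive section and property names, the hunt list format, the tee_installed/ktap_installed exclusion, the primary-server rule, and the use_tls/failover_tls settings. The INI text inside it is constructed for the example and deliberately breaks three of those rules.

```python
import re
# Constructed sample guard_tap.ini (not the shipped default); it breaks three stated rules.
SAMPLE = """\
[TAP]
alternate_ips=
tee_installed=1
ktap_installed=1
hunt=ORACLE:SHM,DB2:IPv4;
use_tls=0
participate_in_load_balancing=0
[SQLGuard_a]
primary=1
[SQLGuard_b]
primary=1
[DB_ora]
neTWORks=127.0.0.1/255.255.255.255
"""
HUNT_ENTRY = re.compile(r'(FTP|ORACLE|SYBASE|INFORMIX|DB2):(SHM|IPv4|IPv6|FIFO|PIPE|INET)')

def parse_ini(text):
    """Return {section: {key: value}} with names lower-cased; lines starting ';' are comments."""
    cfg, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        else:
            key, _, value = line.partition('=')
            cfg.setdefault(section, {})[key.strip().lower()] = value.strip()
    return cfg

def lint(cfg):
    """Return a list of findings; an empty list means the file passes the stated rules."""
    out, tap = [], cfg.get('tap', {})
    if tap.get('ktap_installed') == '1' and tap.get('tee_installed') == '1':
        out.append('ktap_installed and tee_installed are mutually exclusive')
    hunt = tap.get('hunt', 'NULL')   # NULL or ';' means no processes to hunt
    if hunt not in ('NULL', ';') and (' ' in hunt or not hunt.endswith(';')
            or not all(HUNT_ENTRY.fullmatch(e) for e in hunt[:-1].split(','))):
        out.append('hunt: entries must be database:comm, comma-separated, no blanks, ";"-terminated')
    if tap.get('use_tls') != '1':
        out.append('use_tls=0: agent-to-appliance traffic is sent in cleartext')
    elif tap.get('failover_tls', '1') == '1':
        out.append('failover_tls=1: TLS can silently fall back to a cleartext link')
    primaries = sum(s.get('primary', '1') == '1' for n, s in cfg.items() if n.startswith('sqlguard_'))
    balanced = tap.get('participate_in_load_balancing', '0') == '1'
    if primaries < 1 or (not balanced and primaries > 1):
        out.append('need at least one primary SQLGuard, and exactly one without load balancing')
    return out
```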