Default Unix S-TAP configuration file

The default S-TAP configuration file contains extensive comments explaining each of the configuration file properties. Each comment begins with a semi-colon (;) character. In the actual configuration file, all or some of the comments may be stripped out during the process of updating the configuration.

If you need to edit the S-TAP configuration file on the database server, we suggest that you use the default version of the file (reproduced below) as a reference. There is an unused copy of the default S-TAP configuration file installed on the database server. When you make changes, be sure that you make your changes to the actual configuration file, and not to the default version.

; STap Protocol Version = 4

; SqlGuard Internal Version = Borzoi

; STap Official Version = 7.0

; Guardium guard_tap.ini file example.

; Guardium version 7.0

; Unix database server version.

; Lines starting with ";" are comments.

; Default values are in parentheses in the comments.

; Section and property names are not case-sensitive.

; List values are comma separated with no blanks allowed.

; TAP Section

; There must be exactly one TAP section.

; TAP Section Properties

; devices

;   Which interfaces to listen on.

;   Enter "none" to use TEE for local traffic only.

;   Otherwise, use ifconfig to find the right interface. (eth0)

; tap_ip

;   IP address for the database server system on which

;   S-TAP is installed. (no default)

; alternate_ips

;   Additional IP addresses for the database server system

;   on which S-TAP is installed (no default). If there are

;   no additional IP addresses, enter the property exactly

;   as shown (with no values) -- DO NOT remove the statement.

; connection_timeout_sec

;   Number of seconds after which S-TAP will consider a Guardium

;   server to be unavailable. (20)

; tee_msg_buf_len

;   Number of TEE buffers. (128)

; buffer_file_size

;   Size of STap's buffer file (100MB)

; tracefiles_dir

;   Directory in which access tracer files will be stored (INSTALLDIR).

; remote_messages

;   Send messages to the active Guardium host: 0=NO, 1=YES (1).

; syslog_messages

;   Send messages to syslog: 0=NO, 1=YES (1).

; tee_installed

;   Monitor via the TEE: 0=NO, 1=YES (0).

;   Use zero to monitor network traffic only (ktap_installed=1 will handle local traffic).

; ktap_installed

;       Is Kernel Monitor module installed: 0=NO, 1=YES (1)

;       ktap_installed and tee_installed are mutually exclusive; only one can be set on.

; participate_in_load_balancing

;   Controls load balancing to Guardium servers: 0=NO, 1=YES (0).

;   When enabled, S-TAP balances traffic to all primary servers

;   by client IP. (All traffic from a specific client must be

;   viewed by the same Guardium unit.) To designate a Guardium

;   server as a primary server, use the primary property in the

;   SQLGUARD section (see below).

; Hunter is a mechanism that reports on and optionally kills

; processes that are circumventing the S-TAP. There can be only

; one Hunter section. By default, the entire section is commented.

; When used, all properties are required.

; NOTE: If the Hunter feature is used, Perl version 5.8.0 or later

; must be installed in the /usr/bin directory.

; HUNTER Properties

; hunter_sleep_time

;    Factor used to control the time between checks - input to a random generator

; hunter_debug

;   Send debug messages to syslog: 0=NO, 1=YES (0).

; hunter_trace

;   Generate trace files in tracefiles_dir: 0=NO, 1=YES (1).

; hunt

;   A comma separated list terminated with a semi-colon (;)

;   identifying the processes to be killed.

;   All processes will be reported, whether or not a kill is issued.

;   Each entry is in the form database:comm, where database values

;   are: FTP,ORACLE,SYBASE,INFORMIX or DB2, and comm values are as described

;   below.

;   The default is an empty list (hunt=;).

;   Comm   Description

;   -----  ----------

;   SHM    Shared memory

;   IPv4   Internet Protocol version 4

;   IPv6   Internet Protocol version 6

;   FIFO   A named pipe IPC mechanism

;   PIPE   A simple (unnamed) pipe IPC

;   INET   Internet protocol (HPUX)

;

;   Note 1: Do not include blanks or any other white-space characters

;           in the comma separated list

;   Note 2: This list must be terminated with a semi-colon (;).

;   Note 3: For an empty list, enter a semi-colon only (;).

; hunter_dbs

;   A comma separated list with the databases to be checked. Same values as

;   hunt for the databases, with the addition of DB2REMOTE for remote

;   connections (network) to DB2

[TAP]

alternate_ips=NULL

; cas_ parameters are used by the CAS product; all files are saved under <installation dir>/cas/bin

;cas_task_baseline = <filename> (task_baseline): -- deprecated

;cas_client_baseline = <filename> (client_baseline): -- deprecated

;cas_task_checkpoint = <filename> (task_checkpoint): internal; holds the program's machine state in case of host failure

;cas_client_checkpoint = <filename> (client_checkpoint): internal; holds the program's machine state in case of host failure

;cas_checkpoint_period = <time in sec> (60): interval time for the above check

;cas_fail_over_file = <filename> (fail_over_file): outgoing messages to appliance buffer file

;cas_fail_over_file_size_limit = <size in kb> (50000): buffer size

;cas_max_reconnect_attempts = <number of retries> (5000): when the connection is lost, how many reconnect attempts are tried

;cas_reconnect_interval = <time in sec> (60): wait time before next reconnect attempt

;cas_raw_data_limit = <size in kb> (1000): limit on size of sent raw_data file to the appliance

;cas_md5_size_limit = <size in kb> (1000): do not calculate an md5sum for files bigger than this

cas_task_baseline = task_baseline

cas_task_checkpoint = task_checkpoint

cas_client_baseline = client_baseline

cas_client_checkpoint = client_checkpoint

cas_checkpoint_period = 60

cas_fail_over_file = fail_over_file

cas_fail_over_file_size_limit = 50000

cas_max_reconnect_attempts = 5000

cas_reconnect_interval = 60

cas_raw_data_limit = 1000

cas_md5_size_limit = 1000

connection_timeout_sec=60

;debug_file_name - windows only debug log file

debug_file_name=st.log

devices=none

hunt=NULL

hunter_debug=0

hunter_dbs=NULL

hunter_sleep_time=60

hunter_trace=0

participate_in_load_balancing=0

remote_messages=1

tap_ip=NULL

syslog_messages=1

tap_debug_output_level=0

tap_hb_udp_port=-1

tap_min_heartbeat_interval=20

tee_installed=0

tee_msg_buf_len=128

time_differential=0

tracefiles_dir=INSTALLDIR

buffer_file_size=100

ktap_installed=0

; ktap_clients_whitelist -for future use

ktap_clients_whitelist=

; tap_type = <stap|wtap|ztap> (stap): define what kind of agent is used stap=UNIX, wtap=WINDOWS,ztap=Z/OS

tap_type=stap

;appserver_installed= 1 if on, 0 if not

;appserver_ports= which port is the app server threads on

;appserver_login_pattern = How to recognize a login POST/GET

;appserver_username_prefix= Where is the username in that post/get

;appserver_username_postfix= Where does the username end in that post/get

;appserver_session_pattern= How to recognize a "new session" reply

;appserver_session_prefix= where is the session id ....

;appserver_session_postfix= And where does it end

;appserver_usersess_pattern= How to recognize an existing session

;appserver_usersess_prefix= where is the session id ...

;appserver_usersess_postfix= And where does it end

appserver_installed=0

appserver_ports=8080

appserver_login_pattern=X

appserver_username_prefix=X

appserver_username_postfix=X

appserver_session_pattern=X

appserver_session_prefix=X

appserver_session_postfix=X

appserver_usersess_pattern=X

appserver_usersess_prefix=X

appserver_usersess_postfix=X

; use_tls

;   use ssl to encrypt traffic between agent and appliance: 0=NO, 1=YES (1).

; failover_tls

;       If an SSL connection is not possible for any reason, fail over to a non-secure connection:

;       1=Yes, use a non-secure connection, 0=No, only use secure connections (1).

use_tls=0

failover_tls=1

;The firewall feature works this way:

;1. It is per session, so when enabled it only affects the specific user

;and not everyone connected to the database.

;2. It is usually not enabled; moving into active mode is done by a triggering

;event (for example, a specific user group was used to connect).

;3. If the firewall is in active mode, firewall actions such as DROP session rules start to take

;effect (should their rule be triggered). Without the firewall being started, these

;rules never fire; they can only go to work when the

;firewall is enabled for that session.

; firewall_installed

;       should the firewall feature be enabled at all 0=No,1=Yes (0)

;firewall_fail_close

;       what is the default action when a verdict cannot be set by the policy rules (e.g. timeout reached)

;       0=let connection through 1=block connection (0)

; firewall_default_state

;       What triggers the start of the firewall mode

;       0=event triggering a rule in the installed policy happens

;       1=start in firewall mode enabled regardless of a triggering event (0)

;We have this flag to force the watch (or enabling) of the firewall

;regardless of any rule, the specific actions (DROP etc) will still

;happen only when triggered by a rule

; firewall_timeout

;       time (in seconds) to wait on a verdict from the appliance

;       if timed out  look at firewall_fail_close value to know whether

;       to block or allow the connection (10 seconds)

firewall_installed=0

firewall_fail_close=0

firewall_default_state=0

firewall_timeout=10

; To boost performance you may consider disabling retrieval of the source_program name. In doing so you won't be able to tell which program was using the connection (but all other connection information, such as user and client address, will be available).

;log_program_name = <0|1> (0): 0=don't send source_program name to appliance, 1=send source_program name

log_program_name=0

; SQLGUARD Sections

; There must be one SQLGuard section for each SQL Guard server that will

; act as a host for this S-TAP. The section name must be in the form

; "SQLGuard_x" where "x" is a meaningful string to identify the unit.

; This string will be used in all messages.

; SQLGUARD Section Properties

; sqlguard_ip

;   IP address of the Guardium unit (no default).

; sqlguard_port

;   Port used to connect to the above unit (16016).

; primary

;   Indicates if the server is a primary server: 0=NO, 1=YES (1).

;   If participate_in_load_balancing=1, there must be at least one primary server.

;   If participate_in_load_balancing=0, there must be exactly one primary server.

[SQLGuard_0]

sqlguard_ip=NULL

sqlguard_port=16016

primary=1

; connect_to_ip

;   IP address for S-TAP to use to connect to the database.

;   Some databases accept local connection on 127.0.0.1, while

;   others accept local connection only on the 'real' IP of the

;   machine and NOT on the default (127.0.0.1).

; DB Sections

; There must be at least one DB section. The section name must be in the

; form "DB_x" where "x" is a meaningful string to identify the database.

; This string will be used in all messages.

; DB Section Properties

; DB_type

;   Database type: ORACLE,SYBASE,DB2,INFORMIX,FTP,MYSQL

;networks

;   Restricts S-TAP to monitor traffic only from the specified sets

;   of IP address and mask pairs.

;   Use 127.0.0.1/255.255.255.255 to monitor local clients.

;   Use 0.0.0.0/0.0.0.0 to monitor all clients on the network.

;   (Default is 127.0.0.1, local clients only.)

; tee_listen_port

;   Port on which the TEE will accept DB client connections. Use zero

;   to not use the TEE (12344).

; real_db_port

;   Port onto which the TEE will forward all DB client traffic.

; port_range_start

;   For monitoring network traffic only, the lowest numbered port on which

;   to listen for database traffic (4100).

; port_range_end

;   For monitoring network traffic only, the highest numbered port on which

;   to listen for database traffic (4100).

;[DB_tHat]

;db2_fix_pack_adjustment=20

;db2_shmem_client_position=0

;  For Informix only, this param is used to define the Informix version and not the shmem size;

;  in that case

;  db2_shmem_size= <7|9|10|11>

;db2_shmem_size=131072

;port_range_start=4100

;port_range_end=4100

;tee_listen_port=12344

;connect_to_ip=127.0.0.1

;DB_type= SYBASE

;neTWORks=192.168.0.0/255.255.0.0

;exclude_networks=192.168.1.115/255.255.255.255,192.168.1.16/255.255.255.255

;real_db_port=4100

;db_install_dir=NULL

;db_exec_file=NULL
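The rules the shipped file spreads across its comments (exactly one TAP section, alternate_ips must stay present, tee_installed and ktap_installed are mutually exclusive, the hunt list must be ';'-terminated with no white space, exactly one or at least one primary SQLGuard depending on participate_in_load_balancing, at least one DB section with a known DB_type, networks given as ip/mask pairs) are easy to break while hand-editing, and the agent only tells you at start-up. The checker below is an added example, not part of this page or of IBM's Guardium software; SAMPLE_INI is a constructed configuration, and the values assumed when a property is missing follow the parenthesised defaults in the comments above. It also reports two settings the comments describe but do not enforce: use_tls=0 or failover_tls=1 means agent-to-appliance traffic may travel unencrypted, and firewall_installed=1 with firewall_fail_close=0 lets a session through when the appliance verdict times out.

```python
"""Checker for a Guardium-style guard_tap.ini (added example, not IBM code).
Enforces the rules stated in the default file's comments and flags two
security caveats those comments describe but do not enforce."""
import configparser
import ipaddress

HUNT_DBS = {"FTP", "ORACLE", "SYBASE", "INFORMIX", "DB2"}
HUNT_COMMS = {"SHM", "IPV4", "IPV6", "FIFO", "PIPE", "INET"}
DB_TYPES = {"ORACLE", "SYBASE", "DB2", "INFORMIX", "FTP", "MYSQL"}

# Constructed sample, not the shipped default: K-TAP monitoring of one Sybase
# instance, two Guardium units, TLS left off and the firewall fail-open.
SAMPLE_INI = """\
[TAP]
alternate_ips=
tee_installed=0
ktap_installed=1
participate_in_load_balancing=0
hunt=ORACLE:SHM,DB2:IPv4;
use_tls=0
failover_tls=1
firewall_installed=1
firewall_fail_close=0
[SQLGuard_main]
sqlguard_ip=10.0.0.10
sqlguard_port=16016
primary=1
[SQLGuard_backup]
sqlguard_ip=10.0.0.11
sqlguard_port=16016
primary=0
[DB_sales]
DB_type=SYBASE
neTWORks=192.168.0.0/255.255.0.0
exclude_networks=192.168.1.115/255.255.255.255
"""

def load_ini(text):
    """Parse with ';' as the only comment prefix; names are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";",),
                                   inline_comment_prefixes=None, strict=False)
    cp.read_string(text)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}  # keys already lower

def parse_hunt(value):
    """Split a hunt list into (database, comm) pairs plus a list of problems.
    NULL (as shipped) or a bare ';' means an empty list."""
    problems, entries = [], []
    if value.upper() == "NULL" or value == ";":
        return entries, problems
    if not value.endswith(";"):
        problems.append("hunt list must be terminated with ';'")
    if any(ch.isspace() for ch in value):
        problems.append("hunt list must not contain white space")
    for item in value.rstrip(";").split(","):
        db, _, comm = item.partition(":")
        if db.upper() in HUNT_DBS and comm.upper() in HUNT_COMMS:
            entries.append((db.upper(), comm.upper()))
        else:
            problems.append(f"bad hunt entry {item!r}")
    return entries, problems

def validate(text):
    """Return the list of findings for one ini file; empty means it passes."""
    findings = []
    # configparser merges duplicate sections, so count [TAP] on the raw text.
    if sum(1 for ln in text.splitlines() if ln.strip().lower() == "[tap]") != 1:
        findings.append("there must be exactly one TAP section")
    cfg = load_ini(text)
    tap = cfg.get("tap", {})
    if "alternate_ips" not in tap:
        findings.append("alternate_ips must stay in the file, even with no value")
    if tap.get("tee_installed") == "1" and tap.get("ktap_installed") == "1":
        findings.append("tee_installed and ktap_installed are mutually exclusive")
    findings += parse_hunt(tap.get("hunt", "NULL"))[1]
    units = [v for k, v in cfg.items() if k.startswith("sqlguard_")]
    primaries = sum(1 for u in units if u.get("primary", "1") == "1")
    if tap.get("participate_in_load_balancing", "0") == "1":
        if primaries < 1:
            findings.append("load balancing needs at least one primary SQLGuard")
    elif primaries != 1:
        findings.append("without load balancing exactly one SQLGuard must be primary")
    dbs = [v for k, v in cfg.items() if k.startswith("db_")]
    if not dbs:
        findings.append("at least one DB section is required")
    for db in dbs:
        if db.get("db_type", "").upper() not in DB_TYPES:
            findings.append(f"unknown DB_type {db.get('db_type')!r}")
        for key in ("networks", "exclude_networks"):  # comma separated ip/mask
            for pair in filter(None, db.get(key, "").split(",")):
                try:
                    ip, mask = pair.split("/")
                    ipaddress.IPv4Network((ip, mask), strict=False)
                except ValueError:
                    findings.append(f"bad {key} entry {pair!r}")
    # Caveats: not format errors, but settings a reviewer should see.
    if tap.get("use_tls", "1") == "0" or tap.get("failover_tls", "1") == "1":
        findings.append("agent-to-appliance traffic may be unencrypted "
                        "(use_tls=0 or failover_tls=1)")
    if tap.get("firewall_installed") == "1" and tap.get("firewall_fail_close", "0") == "0":
        findings.append("firewall is fail-open: a verdict timeout lets the session through")
    return findings

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE_INI) or ["ok"]))
```

Run it against the real file with `validate(open(path).read())`; the shipped default passes the structural checks (hunt=NULL and alternate_ips=NULL are treated as empty) but still produces the failover_tls caveat, since the default permits falling back to a non-secure connection.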