Guardium's S-TAP is an optional, lightweight software agent installed on a database server system. It monitors database traffic and forwards information about that traffic to a Guardium appliance, which can be deployed anywhere on the network.
Since it is installed on a database server system, S-TAP can monitor database traffic that is local to that system. This is important because local connections can provide "back door" access to the database - and all such access needs to be monitored and audited.
In addition to monitoring local connections, S-TAP can be used to monitor any network traffic that is visible from the database server on which it is installed. It can thus act as a collector on remote network segments, where it is not practical to install a Guardium appliance.
S-TAP can be installed remotely from the command line, on Windows or Unix servers. Upgrades can be configured to be applied at the next server reboot, and under Linux, S-TAP upgrades its own kernel components at boot time so that it keeps working after a Linux kernel upgrade.
S-TAP collects and sends data to a Guardium host in near real time. S-TAP buffers the data, so that it can continue to work if the Guardium host is momentarily unavailable. If the primary host is unavailable for an extended period of time, S-TAP can fail over to a secondary Guardium host. It continues to send data to the secondary host until either that appliance becomes unavailable, or until the S-TAP is restarted, at which point it attempts to connect to its primary Guardium host first.
If the Guardium appliance designated as the primary host for an S-TAP becomes unavailable, S-TAP can fail over to a secondary host. It remains connected to the secondary host until either that connection is lost or the S-TAP is restarted. Each time one of those events occurs, the S-TAP attempts to reconnect to its primary Guardium host.
S-TAP restarts under slightly different conditions, depending on the database server operating system:
Unix: S-TAP restarts each time configuration changes are applied from the active host.
Windows: S-TAP restarts only when the server restarts, or when the S-TAP service is restarted from the (Windows) Services control panel. Note: This means that on a Windows database server, if you change the primary host for the S-TAP, you will need to restart the S-TAP service before S-TAP will start using the new primary host.
Before designating a Guardium appliance as a secondary host for S-TAP, verify the following:
The Guardium appliance must be configured to manage S-TAPs. To check this and re-configure if necessary, see Configure Guardium Appliance to Manage Agents.
The Guardium appliance must have connectivity to the database server on which the S-TAP is installed. When multiple Guardium appliances are used, they are often attached to disjoint branches of the network.
The Guardium appliance must not have a security policy that will ignore session data from the database server on which the S-TAP is installed. In many cases, a Guardium security policy is built to focus on a narrow subset of the observable database traffic, ignoring all other sessions. Either make sure that the secondary host will not ignore session data from the S-TAP, or modify the security policy on the Guardium appliance as necessary.
To define secondary hosts for an S-TAP, see Define Secondary Guardium Hosts for an S-TAP, under Configure S-TAPs from the GUI.
To install an S-TAP agent on a database server system, the only information you need is the IP address of the database server, and the IP address of the Guardium host to which it will send data. Once the S-TAP agent has connected to the Guardium host, all of the remaining S-TAP configuration parameters can be set from the Administration Console on the Guardium appliance.
Before installing an S-TAP agent, check the Supported Database Environments matrix below, to make sure that your database and operating system versions are supported, and that you have enough disk space on the database server.
There are two major tasks you need to perform to install and start using S-TAP.
Install the S-TAP agent on a database server. See one of the following topics, depending on the database server operating system type:
Once you have installed an S-TAP agent on the database server, see the following topic to configure the agent to monitor the appropriate traffic: Complete the S-TAP configuration from the administrator portal.
The following table describes operating system or database components that must be installed, at a certain release or patch level, or configured in a particular way to support S-TAP.
Component | Prerequisite
CAS under HPUX | Java 1.5 or higher is required, see Get Java Information, in the Unix S-TAP book.
CAS under any other Unix | Java 1.4.2 or higher is required, see Get Java Information, in the Unix S-TAP book.
CAS under Windows | If CAS will monitor the MS SQL Server event log, the dumpel.exe program from the Microsoft Windows Resource Kit must be installed on the database server. Check if this program exists in the c:\Program Files\Resource Kit\ directory. If not, you can download it from Microsoft.
S-TAP, all Unix | If the Tee monitoring method is used, Perl 5.8.0 or later, see Get Perl Information, in the Unix S-TAP book.
Oracle ASO, SSL | LD_PRELOAD must be installed. It is installed by patch PHSS_28436 or later.
TLS | For S-TAP on a Unix server, either /dev/random or /dev/urandom must be present on the server. For both Unix and Windows servers, see Guardium Port Requirements, below, and check the TLS port requirements.
The following three tables list S-TAP and CAS availability by operating system, the supported databases and protocols, and the disk space requirements.
OS Type | Version | 32-Bit & 64-Bit
AIX | 5.1, 5.2, 5.3, 6.1 | Both
HPUX | 11.00, 11.11, 11.31 | Both
HPUX | 11.23 PA | 32-Bit
HPUX | 11.23 IA64 | 64-Bit
Red Hat Enterprise Linux [2] | 2 [1] | Both
Red Hat Enterprise Linux [2] | 3, 4, 5 | Both [4]
SUSE Linux Enterprise [2] | 9, 10 | Both
Solaris - Sparc | 6 [3], 8, 9, 10 | Both
Solaris - Intel | 10 | Both
Tru64 [1] | 5.1A, 5.1B | 64-Bit
Windows | NT | 32-Bit
Windows | 2000, 2003 | Both [4]
Notes:
[1] K-Tap and Native Installers are not available for Red Hat Enterprise Linux version 2, and all versions of Tru64.
[2] For versions of Linux (both Red Hat and SUSE) not listed above, Guardium can usually create a new K-Tap module in about two weeks.
[3] K-Tap is not available for Solaris version 6.
[4] Itanium version is also available.
Database | Supported Versions | Protocols
DB2 | 8, 8.2, 9.1, 9.2, 9.5 | Network/Local TCP,
DB2 (z/OS) | | The following local attach facilities: Call Attach (CAF), Resource Recovery Services (RRSAF), CICS, TSO, IMS. Distributed connections - DRDA.
Informix | 7, 8, 9, 10, 11 | Network/Local TCP, TLI,
Oracle | 8i, 9i, 10g (r1, r2), 11g, 11i | Network/Local TCP,
Oracle | 9i, 10g (r1, r2), 11g, 11i | ASO
Sybase ASE | 12, 15 | Network/Local TCP, TLI
Sybase IQ | 12.6 | Network/Local TCP, TLI
MS SQL Server | 2000, 2005, 2008 | Network/Local TCP,
Teradata | 6.01, 6.02 | Network TCP (no S-TAP)
MySQL | 4.1, 5.0, 5.1 | Network/Local TCP,
Disk Space | Description
S-TAP | AIX: 115 MB
CAS | AIX: 309 MB
Buffer file | 100 MB by default. S-TAP uses the buffer file to stage data for transmission to the Guardium appliance. The size is controlled by the buffer_file_size configuration file parameter.
Java | If CAS is used, Java is required. If Java is not installed on a Windows database server, it will be installed automatically. On a Unix server, you must obtain and install Java yourself (due to licensing constraints). In either case, installing Java will require a certain amount of disk space. For space requirements or to download Java, see Java.Sun.com.
Perl | Unix only. If the Tee data collection mechanism and its optional Hunter component is used, Perl is required. If it has not been installed previously, you must obtain and install it yourself. For space requirements or to download Perl, see the Perl Directory at Perl.org.
| Platform | | |
Requirement Type | HPUX | SOLARIS | AIX | LINUX
file exist | /bin/sh | /bin/sh | /bin/sh | /bin/sh
file exist | /bin/sed or /usr/bin/sed | /bin/sed or /usr/bin/sed | /bin/sed or /usr/bin/sed | /bin/sed or /usr/bin/sed
file exist | tar, awk | tar, awk | tar, awk | tar, awk
file exist | prealloc | dd and /dev/zero | dd and /dev/zero | dd and /dev/zero
file exist | getconf | isainfo | bootinfo | gcc or cc (only for x64 machines)
file exist | uudecode in /usr/bin or /tmp or perl exist | uudecode in /usr/bin or /tmp or perl exist | uudecode in /usr/bin or /tmp or perl exist | uudecode in /usr/bin or /tmp or perl exist
software ver | sed >4.x | | |
Atap software ver | /bin/sh is bash > 3.x | | |
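The platform table above is easy to check by hand once, but a pre-flight script is what you want when rolling agents out to many database servers. The script below is an added example, not Guardium's installer: the list of checks is transcribed from the table (file alternatives per platform, sed 4.x or later, /bin/sh being bash 3.x or later), while the function names, the report layout and the use of `--version` banners to read tool versions are assumptions. It reports each requirement and returns the number of failed checks.

```shell
#!/bin/sh
# Added pre-flight check for the Unix S-TAP prerequisites in the platform table.
# Example code, not Guardium's installer; the checks come from the table,
# everything else (labels, layout, --version parsing) is an assumption.

# first_existing ALT...: print the first alternative that exists and return 0.
# Absolute alternatives are tested as paths, bare names via command -v.
first_existing() {
    for cand in "$@"; do
        case "$cand" in
            /*) if [ -e "$cand" ]; then printf '%s\n' "$cand"; return 0; fi ;;
            *)  if command -v "$cand" >/dev/null 2>&1; then printf '%s\n' "$cand"; return 0; fi ;;
        esac
    done
    return 1
}

# version_ge A B: return 0 when dotted version A is >= B (missing parts count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; if [ "$ap" = "$a" ]; then a=; else a=${a#*.}; fi
        bp=${b%%.*}; if [ "$bp" = "$b" ]; then b=; else b=${b#*.}; fi
        ap=${ap:-0}; bp=${bp:-0}
        if [ "$ap" -gt "$bp" ]; then return 0; fi
        if [ "$ap" -lt "$bp" ]; then return 1; fi
    done
    return 0
}

# first_version LINE: extract the first dotted number from a --version banner,
# e.g. "sed (GNU sed) 4.8" -> 4.8, "GNU bash, version 5.1.16(1)-release" -> 5.1.16
first_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# check_unix_prereqs: run the table's rows for this host. Prints one line per
# requirement and returns the number of failed checks (0 = ready to install).
check_unix_prereqs() {
    fails=0
    os=$(uname -s 2>/dev/null)
    # Rows that apply to every Unix platform in the table ("label:alternatives").
    set -- "/bin/sh:/bin/sh" "sed:/bin/sed /usr/bin/sed" "tar:tar" "awk:awk" \
           "uudecode or perl:/usr/bin/uudecode /tmp/uudecode perl"
    # Platform-specific rows; uname -s values are assumptions for each OS.
    case "$os" in
        HP-UX) set -- "$@" "prealloc:prealloc" "getconf:getconf" ;;
        SunOS) set -- "$@" "dd:dd" "/dev/zero:/dev/zero" "isainfo:isainfo" ;;
        AIX)   set -- "$@" "dd:dd" "/dev/zero:/dev/zero" "bootinfo:bootinfo" ;;
        Linux) set -- "$@" "dd:dd" "/dev/zero:/dev/zero" "C compiler (x64 only):gcc cc" ;;
    esac
    for spec in "$@"; do
        label=${spec%%:*}; alts=${spec#*:}
        if found=$(first_existing $alts); then
            printf 'ok       %-22s %s\n' "$label" "$found"
        else
            printf 'MISSING  %-22s tried: %s\n' "$label" "$alts"; fails=$((fails + 1))
        fi
    done
    # Version rows: sed 4.x or later, and /bin/sh being bash 3.x or later (A-TAP).
    # Only GNU tools answer --version; a shell that is not bash prints no banner
    # and the row is reported as unverified rather than failed.
    for spec in "sed:4:sed --version" "/bin/sh is bash:3:/bin/sh --version"; do
        label=${spec%%:*}; rest=${spec#*:}; min=${rest%%:*}; cmd=${rest#*:}
        banner=$($cmd 2>/dev/null | head -n 1)
        have=$(first_version "$banner")
        if [ -z "$have" ]; then
            printf 'unknown  %-22s no --version banner\n' "$label"
        elif version_ge "$have" "$min"; then
            printf 'ok       %-22s %s\n' "$label >= $min" "$have"
        else
            printf 'TOO OLD  %-22s %s\n' "$label >= $min" "$have"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

check_unix_prereqs
echo "failed checks: $?"
```

Run it as the account that will perform the installation, so that `command -v` resolves the same PATH the installer will see; a non-zero exit code makes the script usable as a gate in a deployment job.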
If there is a firewall between Guardium components (for example, a Guardium appliance and an S-TAP or CAS agent on a database server), you must verify that the ports used for connections between those components are not being blocked. Referring to the table below, use your firewall management utility to check (and possibly open) the appropriate ports.
On a Unix system, you can check for connectivity using the nmap tool. See Check Network Address and Port (Unix), below.
Port | Protocol | Guardium appliance connection to...
16016 | TCP | Clear Unix S-TAP
16017 | TCP | Clear Unix CAS
16018 | TLS | Encrypted Unix S-TAP
16019 | TLS | Encrypted Unix CAS
Port | Protocol | Guardium appliance connection to...
8075 | UDP | Windows S-TAP heartbeat signal
9500 | TCP | Clear Windows S-TAP
9501 | TLS | Encrypted Windows S-TAP
16017 | TCP | Clear Windows CAS
16019 | TLS | Encrypted Windows CAS
When installing an S-TAP or CAS agent on a database server system, it is useful to verify that there is connectivity between the two systems. On a Unix system, you can use the nmap command to check for connectivity, using the following options:
nmap -p <port> <ip_address>
To check that port 16018 (the port Guardium uses for encrypted Unix S-TAP connections) is reachable at IP address 192.168.3.104, you would enter the following command. A state of "open" confirms the path; "closed" or "filtered" means the connection will not succeed, and "filtered" in particular usually indicates a firewall between the two systems that must be opened as described above.
> nmap -p 16018 192.168.3.104
Starting nmap V. 3.00
Interesting ports on g4.guardium.com (192.168.3.104):
Port State Service
16018/tcp open unknown
>
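Checking one port by eye is fine for a single server; for a rollout you want the ports from the tables above checked together and the nmap state interpreted for you. The following is an added example, not part of the Guardium documentation: it looks up the ports for an agent type, runs `nmap -p` against each, and classifies the reported state. The sample output embedded for the parser is constructed to match the session shown in the text; the agent-type names and the report format are assumptions.

```shell
#!/bin/sh
# Added example (not Guardium documentation): verify the Guardium ports from the
# port tables are reachable from a database server and interpret nmap's state
# column. Agent-type names and the report format are assumptions.

# nmap_port_state PORT < nmap_output: print the state nmap reported for PORT
# ("open", "closed", "filtered", ...) or "unknown" if the port is not listed.
# Matches lines such as "16018/tcp open unknown" in both old and new nmap layouts.
nmap_port_state() {
    awk -v p="$1" '
        $1 ~ ("^" p "/(tcp|udp)$") { print $2; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# guardium_ports AGENT: ports from the tables above, clear and TLS variants both.
guardium_ports() {
    case "$1" in
        unix-stap)    echo "16016 16018" ;;
        unix-cas)     echo "16017 16019" ;;
        windows-stap) echo "8075 9500 9501" ;;   # 8075 is UDP: nmap needs -sU for it
        windows-cas)  echo "16017 16019" ;;
        *) return 1 ;;
    esac
}

# check_guardium_ports HOST AGENT: scan each port of AGENT on HOST and report.
# Returns the number of ports that were not reported "open".
check_guardium_ports() {
    host=$1; agent=$2
    ports=$(guardium_ports "$agent") || { echo "unknown agent type: $agent" >&2; return 2; }
    blocked=0
    for port in $ports; do
        state=$(nmap -p "$port" "$host" 2>/dev/null | nmap_port_state "$port")
        case "$state" in
            open)     note="reachable" ;;
            filtered) note="probe dropped, check firewall between appliance and server" ;;
            closed)   note="host reached but nothing listening on this port" ;;
            *)        note="nmap gave no result for this port" ;;
        esac
        printf '%-6s %-9s %s\n' "$port" "$state" "$note"
        [ "$state" = "open" ] || blocked=$((blocked + 1))
    done
    return "$blocked"
}

# Constructed sample, shaped like the nmap 3.00 session shown in the text.
SAMPLE_OUTPUT='Starting nmap V. 3.00
Interesting ports on g4.guardium.com (192.168.3.104):
Port State Service
16018/tcp open unknown'

# Parse the sample offline; a live check would be: check_guardium_ports 192.168.3.104 unix-stap
printf '%s\n' "$SAMPLE_OUTPUT" | nmap_port_state 16018
```

The parser keys on the `port/proto` token rather than on column headers, so it works with the "Port State Service" header of the nmap 3.00 output shown above as well as the upper-case header of current nmap releases. The exit code of check_guardium_ports counts ports that were not open, which lets a deployment job stop before the agent install if the firewall has not been opened yet.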