IBM Guardium

  • 1.  How to tackle where RHEL OS frequently getting patch

    Posted Thu July 20, 2023 02:51 AM

    Dear Team,

    I would like to check whether there is any way to tackle Red Hat Linux being frequently patched, which is causing STAP/KTAP issues such as data capturing, etc. The reason is that the kernel is getting upgraded. Please see the STAP event logs below related to this scenario.

    Please note that the agents are in "Synchronization" status. While opening the STAP Event from the STAP Control Page, I am getting the popup below.

    x.x.x.x

    7/20/2023 9:25

    LOG_CONF_ERR

    MSG(814) MODULE(1) SEV(6) COUNT(1) CONF_ERROR: Can not initialize PCAP, no data will be captured

    LOG_ERR         MSG(826) MODULE(1) SEV(4) COUNT(1) There is a configuration error, please check SOFTWARE_TAP_EVENT table/STAP log for CONF_ERROR event_type/message        2023-07-20 09:25:00.0

    LOG_WARNING            MSG(238) MODULE(1) SEV(3) COUNT(1) Connected to Primary Server 1.1.1.1    2023-07-20 09:25:00.0

    LOG_NOTICE    To enable FIPS 140-2 mode set use_tls=1          2023-07-20 09:25:00.0

    LOG_WARNING            MSG(311) MODULE(1) SEV(3) COUNT(1) ktap module not loaded for kernel: 4.18.0-477.13.1.el8_8.x86_64

    x.x.x.x

    7/20/2023 9:23

    LOG_WARNING

    MSG(311) MODULE(1) SEV(3) COUNT(1) ktap module not loaded for kernel: 4.18.0-477.13.1.el8_8.x86_64

    x.x.x.x

    7/20/2023 9:25

    LOG_WARNING

    MSG(311) MODULE(1) SEV(3) COUNT(1) ktap module not loaded for kernel: 4.18.0-477.13.1.el8_8.x86_64

    LOG_ERR    MSG(826) MODULE(1) SEV(4) COUNT(1) There is a configuration error, please check SOFTWARE_TAP_EVENT table/STAP log for CONF_ERROR event_type/message    2023-07-20 09:25:00.0
    LOG_WARNING    MSG(238) MODULE(1) SEV(3) COUNT(1) Connected to Primary Server 1.1.1.1    2023-07-20 09:25:00.0
    LOG_NOTICE    To enable FIPS 140-2 mode set use_tls=1    2023-07-20 09:25:00.0
    LOG_WARNING    MSG(311) MODULE(1) SEV(3) COUNT(1) ktap module not loaded for kernel: 4.18.0-477.13.1.el8_8.x86_64



    ------------------------------
    Akash Parmar
    ------------------------------


  • 2.  RE: How to tackle where RHEL OS frequently getting patch

    Posted Thu July 20, 2023 09:05 AM

    Akash,

    Please see the video at the link below as it will help you understand where to go and what to do. 

    This is a common issue when OS upgrades are frequent for RHEL.

    https://login.ibm.com/oidc/sps/auth?client_id=NzJiOTdhOTUtNDBmZi00&Target=https%3A%2F%2Flogin.ibm.com%2Foidc%2Fendpoint%2Fdefault%2Fauthorize%3FqsId%3D51655117-ee0a-485f-893c-26f9b8391625%26client_id%3DNzJiOTdhOTUtNDBmZi00




    ------------------------------
    Jennifer Dodson
    Brand Technical Specialist
    Global Sales, Financial Services
    1 469 796 8337 Mobile
    jennifer.dodson@ibm.com

    IBM
    ------------------------------



  • 3.  RE: How to tackle where RHEL OS frequently getting patch

    Posted Sat July 22, 2023 11:50 AM

    Thank you, Jennifer!

    However, your shared URL is not opening. Are you referring to "Open Mic: How to Build Custom KTAP Linux STAP"?

     



    ------------------------------
    Akashkumar Parmar
    ------------------------------



  • 4.  RE: How to tackle where RHEL OS frequently getting patch

    Posted Mon July 24, 2023 09:41 AM

    Yes, the Open Mic recording will help you figure out how to get the appropriate KTAP. 

    Find the latest KTAP associated with your STAP version and dig into the ktaposmatch csv to find your match.  If there isn't one and you cannot compile one, then you will need to open a support ticket to get one created for you.



    ------------------------------
    Jennifer Dodson
    ------------------------------



  • 5.  RE: How to tackle where RHEL OS frequently getting patch

    Posted Mon July 24, 2023 10:02 AM

    1- https://www.ibm.com/docs/en/guardium/11.5?topic=luiuusta-linux-unix-managing-rpm-shell-installed-s-tap-during-major-upgrade-database-server-operating-system
    2- https://www.ibm.com/docs/en/guardium/11.5?topic=luiuusta-linux-unix-managing-gim-rpm-shell-installed-s-tap-during-minor-kernel-upgrade-database-server-operating-system

    3- Open Mic: How to Build Custom KTAP Linux STAP (KTAP MODULE) 
    https://www.securitylearningacademy.com/enrol/index.php?id=2803

    One of these links should certainly help.


    Sincerely,
    -Sachin



    ------------------------------
    Sachin Marawar
    ------------------------------



  • 6.  RE: How to tackle where RHEL OS frequently getting patch

    Posted Tue July 25, 2023 07:06 AM

    Thanks, Sachin, for your responses. I will have a look at this.



    ------------------------------
    Akash Parmar
    ------------------------------



  • 7.  RE: How to tackle where RHEL OS frequently getting patch

    Posted Tue July 25, 2023 02:33 AM

    Hi Akash, 

    I am doing 2 things that can help you too:

    1. Change the parameter "KTAP_ALLOW_MODULE_COMBOS" to Y. This parameter needs to match the KTAP to the kernel automatically if there is an OS kernel version close to the new version.
    2. Checking in IBM Fix Central if the last STAP & KTAP module specifically includes the OS kernel version. You can check it in the "ktaposmatch.csv" file.

    Hope it helps you. 

    Best regards,

    Eden.



    ------------------------------
    Eden Amsalem
    ------------------------------



  • 8.  RE: How to tackle where RHEL OS frequently getting patch

    Posted Tue July 25, 2023 06:58 AM

    Hi Eden, Good Day!

    Thanks much for your responses. I have already set this parameter "KTAP_ALLOW_MODULE_COMBOS" to Y, but it still did not help, since I think the new kernel version is not close enough.

    1. checking in IBM Fix Central if the last STAP & Ktap module specifically includes the OS kernel version. You can check it on the "ktaposmatch.csv" file.   === I have checked this; however, the kernel is not listed there, so I have raised a request for this.

    I will update this post once I get any resolution for this.



    ------------------------------
    Akash Parmar
    ------------------------------
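
Added example (not written by any poster in this thread and not IBM tooling): a shell triage of the S-TAP events quoted in the first post, which pulls the kernel release out of MSG(311) lines, checks it against a support list the way the replies suggest doing with ktaposmatch.csv, and flags MSG(814), the event that means monitoring has stopped capturing. The list format is an assumption (kernel release strings appearing verbatim); the function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage S-TAP events for kernels with no loaded KTAP module.
# Assumption: the support list (such as ktaposmatch.csv) contains kernel release
# strings verbatim; its real column layout is not shown in the thread.

# Print each distinct kernel release named in a MSG(311) event. $1 = events file
unloaded_kernels() {
  sed -n 's/.*MSG(311).*ktap module not loaded for kernel:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Succeed if MSG(814) is present: PCAP failed to initialize, nothing is captured.
capture_down() { grep -qF 'MSG(814)' "$1"; }

# Succeed if the exact release appears in the list. $1 = release, $2 = list file
kernel_listed() { grep -qFw -- "$1" "$2"; }

# Report per kernel; return 1 if any affected kernel is missing from the list.
triage() {
  t_rc=0
  for t_k in $(unloaded_kernels "$1"); do
    if kernel_listed "$t_k" "$2"; then
      echo "$t_k listed"
    else
      echo "$t_k not-listed"
      t_rc=1
    fi
  done
  if capture_down "$1"; then echo "capture-down"; fi
  return "$t_rc"
}

# Sample input: event lines as quoted in the thread, plus a constructed list.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/events.log" <<'EOF'
LOG_CONF_ERR MSG(814) MODULE(1) SEV(6) COUNT(1) CONF_ERROR: Can not initialize PCAP, no data will be captured
LOG_WARNING MSG(238) MODULE(1) SEV(3) COUNT(1) Connected to Primary Server 1.1.1.1 2023-07-20 09:25:00.0
LOG_WARNING MSG(311) MODULE(1) SEV(3) COUNT(1) ktap module not loaded for kernel: 4.18.0-477.13.1.el8_8.x86_64
LOG_WARNING MSG(311) MODULE(1) SEV(3) COUNT(1) ktap module not loaded for kernel: 4.18.0-477.13.1.el8_8.x86_64
EOF
# Constructed list: one release per line, deliberately lacking the new kernel.
echo '4.18.0-477.10.1.el8_8.x86_64' > "$SAMPLE_DIR/supported.txt"

triage "$SAMPLE_DIR/events.log" "$SAMPLE_DIR/supported.txt" || true
```

A non-zero return from `triage` corresponds to the situation in the last post: the kernel is not in the list, so a module has to be built or requested before capture resumes.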