IBM Security Guardium

Reading Basic Environment Information from Windows S-TAP Must Gather

By SATOSHI KAWASE posted Mon June 29, 2020 09:24 AM


We learned a couple of things about Windows S-TAP Must Gather V2 in the previous blog posts:

  1. Overview of Windows S-TAP Must Gather V2 
  2. Files collected by Windows S-TAP Must Gather V2 


The goal of this blog article is to show how to find the following information in Windows S-TAP Must Gather V2 output.

  1. Windows S-TAP Must Gather
    • version
  2. Windows Server information
    • version
    • number of processors
    • amount of physical memory
    • network bandwidth
    • IP addresses (IPv6, IPv4)
    • host name
    • time zone
    • last reboot time
  3. Windows S-TAP
    • version
    • installed directory
    • target collector(s)
    • Windows S-TAP service account
    • service status (running or stopped)
    • driver status (loaded or having any issue)


[NOTE] All files mentioned in this article are in the Windows S-TAP Must Gather output zip file. For example, \diag\diag.log means the file diag.log in the diag directory of the zip file.

1. Windows S-TAP Must Gather version

The Windows S-TAP Must Gather version is written at the top of \diag\diag.log. Here is an example:



In this case, the must gather version is V2.0.29. Note that diag.log was introduced in Must Gather V2, which ships with Guardium V11.2. If you use an older must gather, you won't see diag.log, and there is no version information.

If the must gather script is executed from the Windows Command Prompt, you should see an admin account (e.g. Administrator) in the third line. If the script is executed from the Guardium GUI, you should see the service account of the Windows S-TAP service (e.g. NT Authority\Local Service) instead. So the example output above was most likely generated from the Guardium GUI, and the appliance address is COLLECTOR001.

2. Windows Server information


Windows Server information is mostly in \diag\system.txt.

Here is an example:

[image: example \diag\system.txt output]

In this case,

  • version : Microsoft Windows Server 2016 Standard (10.0.14393 N/A Build 14393)
  • number of processors : 2
  • amount of physical memory: 16GB
  • network bandwidth : UNKNOWN (vmxnet3)
  • IP addresses (IPv6, IPv4) : 127.98.173.101, fe80::4119:ea47:952c:866d
  • host name : DBSERVER001
  • time zone : (UTC-05:00) Eastern Time (US & Canada)
  • last reboot time : 5/20/2020, 10:40:48 PM


The network bandwidth is not displayed directly, but we can often guess it from the network card name. For example, if the name is something like "XXXX Ethernet 10GB Adapter", the link should logically be up to 10 Gb/s. In this example the network card name is "vmxnet3 Ethernet Adapter", a VMware virtual NIC, so the bandwidth cannot be inferred from the name.

Capturing IPv6 traffic has been supported since Guardium V11.1. You can verify whether an IPv6 address exists as shown above.

Time zone information is also useful. Many log files carry timestamps, but most of them are in local time, so the time zone is what lets us convert them to the actual (UTC) time when correlating with other systems.

The last reboot time is essential in some troubleshooting cases. Sometimes we need to know whether the DB server was rebooted after an install, an uninstall, etc.
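As an added example (not code from this article or from IBM), the following Python script pulls the fields listed above out of \diag\system.txt. It assumes that system.txt is the output of the Windows "systeminfo" command; the article does not state the file's raw layout, so that is an assumption. The embedded sample is constructed from the values in the article's example. The bandwidth guess follows the article's rule of reading it off the adapter name, and also handles a couple of other common adapter-name patterns:

```python
import ipaddress
import json
import re
import sys

# Constructed sample of \diag\system.txt. The article does not show the file's raw
# layout; this script assumes it is the output of the Windows "systeminfo" command
# (an assumption) and reuses the values reported in the article's example.
SAMPLE_SYSTEM_TXT = """\
Host Name:                 DBSERVER001
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
System Boot Time:          5/20/2020, 10:40:48 PM
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 4 GenuineIntel ~2095 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 4 GenuineIntel ~2095 Mhz
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     16,383 MB
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 127.98.173.101
                                 [02]: fe80::4119:ea47:952c:866d
"""


def _field(text, name):
    """Value of a top-level 'Name:   value' line, or None when the line is absent."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else None


def _ip_or_none(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def guess_bandwidth(adapter_name):
    """Upper bound read off the adapter name, as the article suggests.

    '10GbE' or '10 Gigabit' -> 'up to 10 Gbps'; a bare 'Gigabit' -> 'up to 1 Gbps';
    anything else (a virtual vmxnet3 NIC, for instance) -> 'UNKNOWN'. The word
    boundary and the 1-3 digit limit stop model numbers such as BCM5720 from being
    read as a link speed.
    """
    m = re.search(r"\b(\d{1,3})\s*G(?:b|B|ig)", adapter_name)
    if m:
        return f"up to {int(m.group(1))} Gbps"
    if re.search(r"gigabit", adapter_name, re.I):
        return "up to 1 Gbps"
    return "UNKNOWN"


def parse_system_txt(text):
    """Extract the fields the article lists for the Windows Server section."""
    procs = _field(text, "Processor(s)") or ""
    mem = _field(text, "Total Physical Memory") or ""
    n_proc = re.search(r"(\d+)\s*Processor", procs)
    n_mb = re.search(r"([\d,]+)\s*MB", mem)

    # Adapter names and IP addresses both appear as "[NN]: value" lines under
    # Network Card(s); an entry that parses as an address is an IP, the rest are NICs.
    nic_section = text.split("Network Card(s):", 1)[-1] if "Network Card(s):" in text else ""
    adapters, ipv4, ipv6 = [], [], []
    for entry in re.findall(r"^\s*\[\d+\]:[ \t]*(.+?)\s*$", nic_section, re.M):
        addr = _ip_or_none(entry)
        if addr is None:
            adapters.append((entry, guess_bandwidth(entry)))
        else:
            (ipv4 if addr.version == 4 else ipv6).append(str(addr))

    return {
        "host_name": _field(text, "Host Name"),
        "os": f"{_field(text, 'OS Name')} ({_field(text, 'OS Version')})",
        "processors": int(n_proc.group(1)) if n_proc else None,
        "memory_gb": round(int(n_mb.group(1).replace(",", "")) / 1024) if n_mb else None,
        "adapters": adapters,
        "ipv4": ipv4,
        "ipv6": ipv6,
        "time_zone": _field(text, "Time Zone"),
        "boot_time": _field(text, "System Boot Time"),
    }


if __name__ == "__main__":
    # Usage: python system_txt.py [path\to\diag\system.txt]; without a path the sample is parsed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SYSTEM_TXT
    print(json.dumps(parse_system_txt(text), indent=2))
```

Point the script at the unzipped \diag\system.txt to get the same checklist as a JSON object. Memory is rounded to whole gigabytes because systeminfo reports it in MB minus what the firmware reserves (16,383 MB here), and an empty "ipv6" list is the quick way to confirm whether the IPv6 capture supported since V11.1 is even relevant on this host.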

3. Windows S-TAP information

You can find the Windows S-TAP configuration in \ini\Guard_Tap.ini and \diag\reg.txt, and the Windows S-TAP driver and service process status in \diag\tasks.txt.


[image: example Windows S-TAP information from the must gather]

In this case,

  • version : 11.2.0.152
  • installed directory : C:\Program Files\IBM\Windows S-TAP
  • target collector(s) : COLLECTOR001
  • Windows S-TAP service account : NT AUTHORITY\LOCAL SERVICE
  • service status (running or stopped) : RUNNING (S-TAP and Database Monitor Service)
  • driver status (loaded or having any issue) : LOADED (WfpMonitor, NmpMonitor, NmpProxy, Correlator, Monitor Service Driver (DrvTrc))


The Windows S-TAP version can be found in Guard_Tap.ini, in the Windows registry (\diag\reg.txt), and in the Windows S-TAP install log (\install\IBM Windows S-TAP.ctl).

The installed directory can be found in the registry and in the install log.

The target collector(s) can be found in \ini\Guard_Tap.ini.

The Windows S-TAP service account can be found in the registry. If you can access the database server, it is also displayed in Windows Services > IBM Security Guardium S-TAP > Log On.



Windows S-TAP used to run as Local System, but an increasing number of users are concerned about running Windows services as Local System for security reasons. The recent Windows trend is to use Local Service instead of Local System and have each service add only the privileges it actually needs, so that services run with minimum privilege and the security exposure is minimized. Windows S-TAP has used Local Service since V10.6.0.191. The Database Monitor Service needs SeDebugPrivilege, but the other services run without any additional privilege. Since SeDebugPrivilege lets a process open any other process on the host regardless of its ACL, the Database Monitor Service is the one S-TAP component that still deserves the same scrutiny you would give a Local System service.

The service status can be confirmed by reading \diag\tasks.txt. You should see GUARDIUM_STAP (Guardium_Stapr.exe) and GUARDIUM Database Monitor (svcTRC.exe) in the result of "tasklist /svc". If the GIM client is used, gim (gimclient.exe) should appear there as well.

The driver status can also be confirmed by reading \diag\tasks.txt. It is in the result of the "driverquery" command. You should see WfpMonitor, NmpMonitor, NmpProxy, Correlator and DrvTrc (the Database Monitor Service driver).
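As an added example (not code from this article or from IBM), the following Python script checks the items in this section: it reads the collector list from \ini\Guard_Tap.ini, the service log-on account from \diag\reg.txt, and the service and driver status from \diag\tasks.txt, and flags anything that deviates from what the article describes as a healthy Windows S-TAP. The embedded samples are constructed, and the file layouts are assumptions: tasks.txt is taken to be the raw output of "tasklist /svc" followed by "driverquery", Guard_Tap.ini is taken to use an INI section layout ([TAP], [SQLGuard_0]) with a sqlguard_ip key, and reg.txt is taken to be "reg query" output in which the service key's ObjectName value holds the log-on account. DrvTrc is deliberately left out of the sample so the check has something to report:

```python
import configparser
import os
import re
import sys

# Names the article says to look for in \diag\tasks.txt. gim only appears when
# the GIM client is installed, so it is tracked separately and never flagged.
EXPECTED_SERVICES = {"Guardium_Stapr.exe": "GUARDIUM_STAP",
                     "svcTRC.exe": "GUARDIUM Database Monitor"}
OPTIONAL_SERVICES = {"gimclient.exe": "gim"}
EXPECTED_DRIVERS = ["WfpMonitor", "NmpMonitor", "NmpProxy", "Correlator", "DrvTrc"]

# Constructed sample of \diag\tasks.txt: "tasklist /svc" output followed by
# "driverquery" output (the article names both commands; the exact layout of the
# file is an assumption). DrvTrc is left out on purpose to show a failing check.
SAMPLE_TASKS_TXT = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    812 Dhcp,EventLog,lmhosts
Guardium_Stapr.exe            2468 GUARDIUM_STAP
svcTRC.exe                    3012 GUARDIUM Database Monitor
gimclient.exe                 1980 gim

Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
WfpMonitor   WfpMonitor             Kernel        5/1/2020 1:02:03 AM
NmpMonitor   NmpMonitor             Kernel        5/1/2020 1:02:03 AM
NmpProxy     NmpProxy               Kernel        5/1/2020 1:02:03 AM
Correlator   Correlator             Kernel        5/1/2020 1:02:03 AM
tcpip        TCP/IP Protocol Driver Kernel        7/16/2016 2:18:54 AM
"""

# Constructed sample of \ini\Guard_Tap.ini. The section and key names are assumptions.
SAMPLE_GUARD_TAP_INI = """\
[TAP]
tap_ip=127.98.173.101
sqlguard_ip=COLLECTOR001
sqlguard_port=16016

[SQLGuard_0]
sqlguard_ip=COLLECTOR001
sqlguard_port=16016
"""

# Constructed sample of \diag\reg.txt, assumed to be "reg query" output. Spooler is
# listed first so that a naive "first ObjectName wins" lookup would pick the wrong account.
SAMPLE_REG_TXT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    DisplayName    REG_SZ    Print Spooler
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GUARDIUM_STAP
    DisplayName    REG_SZ    IBM Security Guardium S-TAP
    ObjectName    REG_SZ    NT AUTHORITY\LocalService
    Start    REG_DWORD    0x2
"""


def parse_tasklist(text):
    """Map image name (lower-cased) -> service names, from the "tasklist /svc" lines."""
    procs = {}
    for m in re.finditer(r"^(\S+\.exe)\s+\d+\s+(.+?)\s*$", text, re.M | re.I):
        procs.setdefault(m.group(1).lower(), []).extend(s.strip() for s in m.group(2).split(","))
    return procs


def services_status(procs):
    """RUNNING when the expected service name is hosted by the expected image, else STOPPED."""
    status = {}
    for exe, svc in {**EXPECTED_SERVICES, **OPTIONAL_SERVICES}.items():
        hosted = [s.lower() for s in procs.get(exe.lower(), [])]
        status[svc] = "RUNNING" if svc.lower() in hosted else "STOPPED"
    return status


def drivers_status(text):
    """True when the module name starts a "driverquery" line (i.e. the driver is loaded)."""
    return {d: bool(re.search(rf"^{re.escape(d)}\s", text, re.M | re.I)) for d in EXPECTED_DRIVERS}


def collectors(ini_text):
    """Distinct sqlguard_ip values from any section of Guard_Tap.ini, in file order."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        ip = cp.get(section, "sqlguard_ip", fallback=None)
        if ip and ip not in found:
            found.append(ip)
    return found


def service_account(reg_text, service="GUARDIUM_STAP"):
    """ObjectName (log-on account) under one service's registry key in "reg query" output."""
    for block in re.split(r"^(?=HKEY_)", reg_text, flags=re.M):
        lines = block.strip().splitlines()
        if lines and lines[0].lower().endswith("\\services\\" + service.lower()):
            m = re.search(r"^\s*ObjectName\s+REG_SZ\s+(.+?)\s*$", block, re.M)
            return m.group(1) if m else None
    return None


def check_stap(tasks_txt, ini_txt, reg_txt):
    return {"collectors": collectors(ini_txt),
            "service_account": service_account(reg_txt),
            "services": services_status(parse_tasklist(tasks_txt)),
            "drivers": drivers_status(tasks_txt)}


def problems(report):
    """Findings worth raising: stopped required services, unloaded drivers, Local System log-on."""
    out = [f"service {svc} not running" for svc in EXPECTED_SERVICES.values()
           if report["services"].get(svc) != "RUNNING"]
    out += [f"driver {d} not loaded" for d, ok in report["drivers"].items() if not ok]
    if (report["service_account"] or "").lower() == "localsystem":
        out.append("S-TAP service runs as Local System (Local Service expected since V10.6.0.191)")
    return out


if __name__ == "__main__":
    # Usage: python stap_check.py [unzipped must gather directory]; no argument runs the samples.
    if len(sys.argv) > 1:
        def read(rel):
            with open(os.path.join(sys.argv[1], rel), encoding="utf-8", errors="replace") as fh:
                return fh.read()
        tasks, ini, reg = read("diag/tasks.txt"), read("ini/Guard_Tap.ini"), read("diag/reg.txt")
    else:
        tasks, ini, reg = SAMPLE_TASKS_TXT, SAMPLE_GUARD_TAP_INI, SAMPLE_REG_TXT
    report = check_stap(tasks, ini, reg)
    print(report)
    for p in problems(report):
        print("PROBLEM:", p)
```

Against the samples the report shows COLLECTOR001 as the target, NT AUTHORITY\LocalService as the log-on account and all three services RUNNING, and the only finding is "driver DrvTrc not loaded". The registry lookup is scoped to the GUARDIUM_STAP key on purpose: reg.txt may contain several service keys, and the first ObjectName in the file is not necessarily the S-TAP's. If the real Guard_Tap.ini has keys before any [section] header, configparser raises MissingSectionHeaderError and the collector lookup needs a plain line scan instead.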

