Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.
We learned a couple of things about Windows S-TAP Must Gather V2 in the previous blog posts:
The goal of this blog article is to find out the following information from Windows S-TAP Must Gather V2 output.
[NOTE] All files mentioned in this article are in Windows S-TAP Must Gather output zip file. For example, \diag\diag.log means the file diag.log is in the diag directory in the zip file.
0 Likes
The Windows S-TAP Must Gather version is written in the top of \diag\diag.log. Here is an example:
In this case, the must gather version is V2.0.29. Note that diag.log is introduced in must gather V2, and it's available in Guardium V11.2. If you use an older one, you won't see diag.log and there is no version information.If the must gather script is executed from Windows Command Prompt, you should see an admin account (e.g. Administrator) in the third line. If the script is executed from Guardium GUI, you should see the service account (e.g. NT Authority\Local Service) of Windows S-TAP service. So, the above example output is mostly generated by Guardium GUI, and the appliance address is COLLECTOR001.
Windows Server information is mostly in \diag\system.txt Here is an example:
In this case,
The network bandwidth is not clearly displayed, but we could guess from the network card name. For example, it's something like "XXXX ethernet 10GB Adapter", it should be logically up to 10GB. In this example, the network card name is "vmxnet3 Ethernet Adapter", so, not sure about the bandwidth.Capturing IPv6 traffic is supported since Guardium V11.1. You can verify if IPv6 address exists as above.Time zone information is also useful. Many log files has timestamp but most of the logs use the local time, so the time zone information helps us the actual time in the world.The last reboot time is essential in some troubleshooting case. Sometimes we need to know if DB server is rebooted after the install, uninstall, etc.
You can find Windows S-TAP configuration in \ini\Guard_Tap.ini and \diag\reg.txt , and Windows S-TAP driver, service process status in \diag\tasks.txt.
Windows S-TAP version can be found in Guard_Tap.ini, Windows registry (\diag\reg.txt), also in Windows S-TAP install log (\install\IBM Windows S-TAP.ctl).The installed directory can be found in the registry, and also in the install log.The target collector(s) can be found in \ini\Guard_Tap.ini.Windows S-TAP service account can be found in the registy. It's displayed in Windows Services > IBM Security Guardium S-TAP > Log On property if you can access to the database server.
Windows S-TAP used to run as Local System, but increase number of users are concerned about running Windows services as Local System due to security reason. Recent Windows trend is to use Local Service instead of Local System, and each service adds required priviledges if needed. This will run services with minimum priviledge, and this will minimize the security consideration. Windows S-TAP started using Local Service since V10.6.0.191. Database Monitor Services needs to have SeDebug priviledge but other services run without additional privilege.Service status can be confirmed by reading \diag\tasks.txt. You should see GUARDIUM_STAP (Guardium_Stapr.exe) and GUARDIUM Database Monitor (svcTRC.exe) in the result of "tasklist /svc". If GIM client is used, gim (gimclient.exe) should be seen in there.Driver status can also be confirmed by by reading \diag\tasks.txt. It's in the result of "driverquery" command. You should see WfpMontior, NmpMonitor, NmpProxy, Correlator and DrvTrc (Database Monitor Service driver).
Copy
By
SATOSHI KAWASE
posted