WINSTAP (S-TAP, FS-TAP) installation and configuration – Guardium 10

WINSTAP architecture

Guardium 10 introduced new architecture and functionality into agent used to monitor data access (databases and files) on Windows platforms (well-known as a WINSTAP). The most interesting are:

  • Integrated installer for 32- and 64- bit platform
  • Redesigned TCP and SharedMemory drivers
  • File Activity Monitoring with blocking capability
  • File Discovery – integrated view on files stored on managed system
  • File Classification – sensitive data identification

The simplified view on WINSTAP architecture

WINSTAP architecture

WINSTAP architecture

shows that we have many different elements responsible for each data monitoring aspect:

  • GIM (Guardium Installation Manager) – service based on Perl responsible for installation, update and configuration all other elements working on monitored system (separate article here)
  • S-TAP service – communication with collector and data proxy for sniffer drivers (WFP, NPM) – DAM functionality
  • WFP – new sniffer driver for TCP/IP stack
  • NPM – new sniffer driver for shared memory
  • CAS (Change Audit System) – java based service responsible for identification the changes in the critical elements of database and operating system
  • FS-TAP (or STAPat) – service responsible for communication with collector and data proxy for I/O sniffer (FSMonitor) driver – FAM functionality
  • FSMonitor – I/O sniffer driver responsible for audit and blocking access to file operations
  • FAM – Feed service to collector from ICM (IBM Content Classification) infrastructure
  • file crawler – ICM process responsible for scan of file system and file metadata generation
  • analysis engine – rule based classification tool for files
  • ICM server – ICM process responsible for classification task management and configuration upload interface for ICM workbench
  • ICM workbench – Windows application to create own classification rules (decision plans)

This article focus on 2 functionalities – database and file activity monitoring. CAS and FAM (ICM) functions will be described in the separate articles.

GIM packages import

The GIM packages are located in the package available on IBM Fix Page, this same where we can find the GIM installer.

New: In G10 the CAS module is separated from WINSTAP and it has to be installed separately. It is separate archive.

Starting from version 10 we have 3 GIM modules:

  • STAP for Database and File Activity Monitoring (GIM-Kit-Windows archive)
  • FAM ICM analysis and classification tools (GIM-Kit-FAM archive)
  • CAS for Windows (CAS archive)

Extract GIM modules and import them on GIM manager appliance (Manage->Module Installation->Upload Modules). Using Browse button to select files and upload them:

Module upload

Module upload

Then import the uploaded modules – click on small “Import this module” icon and confirm this operation. After a while you will be notified that module has been imported.

Note: In this article I assume that GIM is installed on monitored system – GIM installation is described here.

Now we are able to configure modules (Manage->Module Installation->Setup by Client) on your managed system

GIM agents list

GIM agents list

To see all available modules for managed Windows system you need to uncheck “Display Only Bundles” flag

Modules list

Modules list

Now we are ready to install.

S-TAP and FS-TAP installation and configuration

WINSTAP installation

Module configuration screen has not been changed in the G10. The “Common Module Parameters” section contains the preselected parameters (the assumption most widely used). In the comparison to G9 we can notice 4 new fields for Query/Rewrite feature (firewall parameters still unavailable).
However I prefer fewer options in this section than putting them all, what we see in Linux S-TAP configuration.

Common Module Parameters” section is used to simplify module configuration. The “Apply to Selected” button saves data from this form to marked systems inside “Client Modules Parameters” section. It is useful in case when you configure 2 or more managed systems together.

WINSTAP module configuration

WINSTAP module configuration

Minimum information required to install WINSTAP module:

  • WINSTAP_INSTALL_DIR – installation directory of this module in backslash notation (i.e. C:/Guardium/WINSTAP)
  • WINSTAP_SQLGUARD_IP – collector IP assigned to this WINSTAP as a primary
  • WINSTAP_TAP_IP – only if your managed system has many network interfaces (option has to be set directly for particular agent)

Please notice that most parameters have default value and you do not need set them.

Now parameters from “Client Module Parameters” should be assigned to monitored system – Apply to Clients button. Finally installation process can be invoked using Install/Update (define when the process will start or order immediate execution – insert “Now”)

Module installation setup

Module installation setup

Check out installation status using “i” icon

Installation statusStatus “INSTALLED” confirms successful installation of WINSTAP

Installation status

Installation status


It is available by using the WINSTAP_CMD_LINE parameter. You can put here any values in format <parameter>=<value> which are corresponds to TAP section of guard_tap.ini. Below example of installation with 3 additional parameters

Parameters in WINSTAP_CMD_LINE

Parameters in WINSTAP_CMD_LINE

and guard_tap.ini content after installation



New: WINSTAP 10 changed the location of guard_tap.ini from c:\Windows\System to <WINSTAP_INSTALL_DIR>\Bin


Standard STAP modification form is available under Manage->Activity Monitoring->S-TAP Control and provides limited manageability

STAP configuration

STAP configuration

but Guardium API delivers interface to manage most existing WINSTAP parameters

grdapi update_stap_config stapHost= updateValue=SECTION.PARAMETER:VALUE waitForResponse=<0|1>

the updateValue parameter can point many WINSTAP configuration changes


This method can work with 3 sections of guard_tap.ini

  1. TAP
  2. DB_<inspection_engine_number>
  3. SQLGUARD_<collector_ip>

And here is an example that sets the same three parameters that I used in  WINSTAP_CMD_LINE method

grdapi update_stap_config stapHost= updateValue=TAP.FIREWALL_INSTALLED:1&TAP.FIREWALL_DEFAUL_STATE:1&TAP.KRB_MSSQL_DRIVER_INSTALLED:1 waitForResponse=1

Do not forget restart S-TAP after change

grdapi restart_stap stapHost=<stap_ip>

Default installation enables database instance discovery. Current version of S-TAP discoveries installed on monitored system instances of DB2, Couch DB, Informix, Mongo DB, MSSQL and Oracle. If you would like to monitor other supported databases you need add inspection engine manually (edit S-TAP configuration in portal and “Add Inspection Engine” definition. Then push Add and Apply buttons

Inspection engine definition

Inspection engine definition

It is possible to disable instance discovery during WINSTAP installation process. The -NOAUTODISCOVERY flag has to be set in CMD_COMMAND_LINE parameter.

New in G10: Database Instance Discovery does not use Java longer

Instance discovery can be ordered manually from portal. In S-TAP Control view click on “Send Command” icon

S-TAP Control

S-TAP Control

then select “Run Database Instance Discovery” command

Send Command window

Send Command window

Be aware that “Replace Inspection Engines” flag clears all existing IE definitions. Use it if you are running the initial instance scan or intentionally you would like to replace them. Results of instance discovery are stored in “Discovered Instances” report

Discovered instances report

Discovered instances report

To compare discovered instances to actually defined in S-TAP you can use grdapi call from report. In the report bar expand Action menu and select list_inspection_engines command

API invocation from report

API invocation from report

Select one row and insert your S-TAP host IP address

list_inspection_engines call

Now output from grdapi can be compared with the last scan

grdapi output

New in 10: Action menu in the report allows to invoke Guardium API calls for all results in the related report. Very useful feature.

Instance discovery process can be executed periodically using DISCOVERY_INTERVAL=<time_in_hours> parameter. This parameter cannot be modified by grdapi and you should remember to set it during installation or later change it manually.
Base on this refreshed information we can create Audit Process to identify changes of the existing instances or detect new ones available on the host.

Tip: If S-TAP configuration parameter from TAP section cannot be changed remotely by API or does not exist form field in GIM  you always can modify it using CMD_COMMAND_LINE.

Do not forget set up the DAM policy on the collector. Default policy installed on appliance after installation – “Ignore Data Activity for Unknown Connections” – ignores all traffic.

DAM policy creation and installation available at:
Policy Builder – Protect->Security Policies->Policy Builder for Data & Applications
Policy Installer – Protect->Security Policies->Policy Installation

New in 10: Redefined S-TAP architecture in G10 allows monitor database traffic without restart machine or database.

Database activity report

Database activity report

Now you are able to monitor database traffic.


Info: I use here FAM acronym as a reference to FS-TAP functionality. The FAM ICM features are not a part of this article

File Activity Monitoring is separately licensed. Standard installation of WINSTAP activates this feature as default. To prevent its installation put in the CMD_COMMAND_LINE the flag “-FAM OFF” (the guard_tap.ini syntax reference FSM_DRIVER_INSTALLED=0 does not work)

Important: If you do not posses FAM license, please remember switch this feature off to avoid compliance issue

Installed FAM is visible in the “S-TAP Control” list (S-TAP host with “-FAM” suffix)

FAM in S-TAP Control

FAM in S-TAP Control

Important: Default FAM settings switch off the monitoring of Administrator account. FAM policies can block access to particular files or whole file system and to protect against accidentally mistakes the files activity monitoring ignores super-users (root, Administrator). You can enable this functionality using TAP flag in guard_tap.iniFAM_PROTECT_PRIVILEGED=1. Use it on production only when your policies were tested, incorrect use can lead to crash and irreversible damage of the monitored system

FAM does not require any inspection engine definition. File monitoring is defined by separate FAM policy installed parallel to DAM.

FAM policy builder

FAM policy builder (Protect->Security Policies->Policy Builder for Files) delivers new application to create and modify the file monitoring polices. Use + icon to add new policy

FAM policy builder

FAM policy builder

Insert policy name. “Show Templates” option allows use the rules created in the other FAM policies. Add new rule using + icon

New FAM policy

New FAM policy

The rule definition screen uses a new interface logic incorporated in G10 – “End to End scenario”. In this case we are able create rule in 4 steps with the clear context of this task. Now we need insert rule name and go Next

New FAM rule - Rule Name

FAM rule – Rule Name

We define systems where rule will be evaluated. We can select particular system with FAM feature enabled

FAM rule - Datasource

FAM rule – datasource

or select/create group of systems

FAM rule - datasource group

FAM rule – datasource group

Next step defines the action type:

  1. Audit (put event to Access audit domain)
  2. Alert and Audit (1 and additional Guardium Alert event)
  3. Log As Violation and Audit (1 and mark event in the Quick Search as a violation)
  4. Block, Log As Violation and Audit (1, 3 and block I/O operation)
  5. Ignore (do nothing)
FAM rule - action

FAM rule – action

Last step defines rule criteria. We can use maximum 3 of them:

  • File path (required, defines single or group of paths, wildcards allowed)
  • User (not required, one or group of users)
  • File operation (not required, single or set of available operations)

Available qualifiers for File path:

  • = this path
  • != everything except this path
  • In Group – all paths in the group
  • Not In Group – everything except paths in this group
FAM rule - criteria - File Path

FAM rule – criteria – File Path qualifiers

This is example a file path group definition

FAM rule - criteria - file path group defintion

FAM rule – criteria – file path group definition

Criterion for User uses this same four qualifiers but related to user names. If User criterion is not appear in the rule or has no value, each user is monitored.

Access command criterion can refer to one selected operation (=) or their group (In Group). If this criterion has been removed from rule or has no value, all operations are monitored.

FAM rule - criteria - file operations

FAM rule – criteria – file operations

Tip: If you want to see all file system operations including directory structure modification leave Access command criterion empty

Two exclusive options are available in the criteria section:

  • Monitor subdirectories in file path – very useful but consider it influence on performance
  • Removable media – disables File path criterion in the rule and refers to all files on the attached media (pen drive, CD/DVD, etc.)

    FAM rule - Removable media monitoring

    FAM rule – Removable media monitoring

Rules evaluation in FAM policy is similar to DAM. Rules are evaluated from top to down. If rule matches the analyzed file event all the other rules are ignored (you cannot force the evaluation process to next rule). Use arrows icon to reorder rules in your policy

FAM policy - rule order

FAM policy – rule order

FAM policy installation

FAM policy has to be installed on collector. It is completely independent to DAM and must be installed parallel.

In the Protect->Security Policies->Policy Installation point your FAM policy in the Policy Installer section. Then select action

Policy installation

Policy installation

which is executed immediately

DAM and FAM policy installed together

DAM and FAM policy installed together

Tip: When FAM and DAM coexist together you need to manage minimum 2 polices on your collector. Use the names of easy to distinguish policies (DAM- and FAM- prefixes, for example).

Install & Override action used before G10 most frequently is not longer an option in DAM and FAM environments.

Important: Modified policy is not installed automatically on collector, you need reinstall it after change. To avoid policy deinstalation/installation use Run Once Now button in Policy Installer section (installed policy refresh)

FAM reporting

All FAM audited events are stored in the Access domain. It is example of query to provide full information about file access events

Query for FAM

Query for FAM

and report based on it

FAM Report

FAM Report

FAM QuickSearch

QuickSearch for FAM is separated from DAM. You need enable this option using grdapi:

grdapi enable_fam_crawler activity_schedule_units=<MINUTE|HOUR> activity_schedule_interval=<INTERVAL> entitlement_schedule_units=<MINUTE|HOUR> entitlement_schedule_interval=<INTERVAL>

activity_* parameters are related to events audited by policy
entitlement_* parameters are related to metadata gathered by ICM

The FAM and DAM quicksearch window can be invoked from menu bar

QuickSearch type selection

QuickSearch type selection

FAM quicksearch

Guardium 10 introduced a lot new features and improvements for monitoring of Windows environment:
– simple installation
– wider support for instance discovery
– no reboots and restarts after agent installation
– remote configuration and management
– file activity monitoring and blocking
– file content analysis and classification

It is significant step to build integrated data governance platform