IBM Support

Uninstall Guardium UNIX S-TAP and GIM manually

Technote (troubleshooting)


Problem(Abstract)

We'd like to uninstall Guardium S-TAP and GIM, but there is an issue with our network and therefore we can't do it via GIM. In this situation, how do we uninstall Guardium S-TAP and GIM directly on the DB server?

Symptom

There is a problem between the S-TAP on DB server and the Guardium appliance, such that we can't un-install the S-TAP from the Guardium GUI console using GIM.


Resolving the problem

The steps differ on different operating systems because there are different methods of ensuring that services/processes begin with the system startup. A list of these can be found here:

How the Guardium S-TAP Process is handled throughout OS versions

The above technote is referenced here so these steps can be applied to any UNIX OS. In addition this technote contains walkthrough examples for Red Hat Linux 5, 6 and 7 . If you are using AIX, please refer to How to uninstall Guardium S-TAP manually if the uninstaller gets problems - AIX.

The following steps will clean up Guardium modules from the DB server.

1. Attempt an un-install of S-TAP via GIM.
See the following manual page for details. Using IBM Guardium Installation Manager 
Proceed to the next step even if the above doesn't work.

2 Uninstall GIM client 

2.1 Logon to the DB server as user root 

2.2 Issue the following to uninstall the GIM client.
<installation_directory> /modules/GIM/current/uninstall.pl 

Refer to the following manual page for more details. IBM Guardium Installation Manager

NOTE<installation_directory> is something like this:
/usr/local/guardium/


3 (Optional) The following steps are workaround to be taken only if the S-TAP uninstaller in step 1 didn't work. 

3.1 Unload the ktap module:
<installation_directory> /modules/KTAP/current/guard_ktap_loader stop 


3.2 Stop the GIM and STAP service/processes. See start/stop methods of each facility here for general instructions for any UNIX OS.

3.2.1 For RHEL 5:

If you installed the agent through GIM:

    i) Find the inittab - /etc/inittab
    ii) Delete the line beginning "gim:..."
    iii) Delete the line beginning "gsvr:..."
    Here are examples of GIM and Guardium Supervisor processes in the inittab:
    gim:2345:respawn:/usr/opt/perl5/bin/perl
    /opt/IBM/GIM/modules/GIM/8.2.00_r38049_1-1362445863/gim_client.pl

    gsvr:2345:respawn:/opt/IBM/GIM/modules/perl
    /opt/IBM/GIM/modules/SUPERVISOR/9.0.0_r43212_1-13624464/guard_supervisor


If you installed the agent through command line:
    i) Find the inittab - /etc/inittab
    ii) Delete the line beginning "utap:..."
    Here is an example of the STAP process in the inittab:
    utap:2345:respawn:/usr/local/guardium_v82_r57354/guardium/guard_stap/guard_stap  /var/guard_tap.ini
After the above, be sure that you run the below command to ensure that the changes take place:
init q
    After the changes have taken place, kill the processes. For example, if I have installed the STAP through command line:
    ps -ef | grep guard_stap

    This would provide the process ID for this process:
    root     22598 22582  0 May06 ? /usr/local/guardium_v82_r57354/guardium/guard_stap/guard_stap  /var/guard_tap.ini

    Once the process ID has been found (the first number out of the two above), kill the process:
    kill -9 22598

    The equivalent must be done for a GIM installation.


    3.2.2 For RHEL 6:

    If you installed the agent through GIM:
      ls -ltr /etc/init | grep gim
      ls -ltr /etc/init | grep gsv r

    If you installed the agent through command line:
      ls -ltr /etc/init | grep utap

      For each service, do stop [service name] where [service name] is the result of the above ls -ltr results in /etc/init.

    3.2.3 For RHEL 7:

    If you installed the agent through GIM:

    systemctl is-active guard_gim.service
    systemctl is-active guard_gsvr.service

    Stop the services:

    systemctl stop guard_gim.service
    systemctl stop guard_gsvr.service

    If you installed the agent through command line:

    Check service status:

    systemctl is-active guard_utap.service

    Stop the service:

    systemctl stop guard_utap.service


    3.3 Remove the KTAP device file: /dev/ktap_  <some_number> 

    3.4 Remove the Guardium install directory  <installation_directory> including all the files under the directory. 


    4. Reboot the system and make final checks
    Reboot will unload K-TAP completely. It will also reload upstart (RHEL 6) and systemd (RHEL 7) - which is used to control processes and services that are started on system start.

    4.1 Ensure K-TAP is not loaded any more by issuing
    lsmod | grep tap 

    4.2 Ensure the services that were stopped in section 3.2 above are stopped based on the startup facility for your OS noted here.

    4.2.1 For RHEL 5:
    Check /etc/inittab to ensure that the lines are gone.

    4.2.2 For RHEL 6:
    Check the service list produced by the command below to ensure the services are "stopped" or not appearing.

    initctl list

    4.2.3 For RHEL 7:
    Check the service list produced by the command below to ensure the STAP service is "activating" (which means its stopped). This is because it is set to auto restart, but will not activate.

    systemctl -t service -a | grep guard_utap

    Command to check if all services are stopped:

    systemctl list-units --type service

    5. Reset GIM Client from Guardium GUI 

    5.1 Navigate to Administration Console > Module Installation > Setup By Client > Search 

    5.2 Check the checkbox of the DB server where you un-installed GIM, then press "  Reset Client". 

    Related information

    Installing IBM Guardium Installation Manager
    Installing STAP with Guardium Installation Manager
    How should I uninstall the Guardium GIM agent
    How to uninstall Guardium S-TAP manually
    How Guardium S-TAP Process is handled in OS versions
    Installing an S-TAP on UNIX

    Document information

    More support for: IBM Security Guardium
    Guardium Appliances

    Software version: 8.2, 9.0, 9.1, 9.5, 10.0, 10.0.1, 10.1

    Operating system(s): AIX, HP-UX, Linux, Solaris

    Reference #: 1982923

    Modified date: 11 May 2016


    Translate this page: