When entering a command, enter a question mark at any point to display the arguments.
<partial_command> ?
g4.guardium.com> show account strike ?
USAGE: show account strike <arg>, where arg is:
?, count, interval, max
ok
g4.guardium.com>
Use this command to clear one or more unit type attributes. Note that not all unit type attributes can be cleared using this command. See the Unit Type Attributes table, below, for more information.
clear unit type [manager | standalone] [aggregated] [inline] [load-balancer] [netinsp] [stap] [mainframe] [ztap]
Displays an alphabetical listing of all CLI commands.
commands
Enable/disable debug mode. Without an argument, it toggles the debug state. Optionally, a state argument can be passed.
debug <on | off>
Enables or disables the sending of a special email notification to a specific user. DSAA is an acronym for Database Security Audit and Analysis. This notification includes two numeric amounts: a count of requests and a count of sessions. These counts begin when the inspection engine core was last started.
dsaa mail sender state [off | on <customer name> <email address>]
off or on – Disables or enables the sending of mail.
customer name – The name of the customer to receive email; should contain no spaces.
email address – The email address to which the message is to be sent.
This command dismounts and ejects the CD ROM, which is useful after upgrading or re-installing the system, or installing patches that were distributed via CD ROM.
eject
When the support-state option is enabled (which it is by default), this command sets the email address to receive system alerts. The default support email address is support@guardium.com.
forward support email to <email address>
show support-email
Use this command to generate PGP keys for cli, tomcat and grdapi. Use the show command to display the key (which you can then copy and paste, as appropriate for your needs).
generate-keys
show system public key [ cli | tomcat | grdapi ]
IPTraf is a network statistics utility distributed with the underlying operating system. It gathers a variety of information such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. The IPTraf User’s Manual is available on the internet at the following location (it may be available at other locations if this link does not work):
http://iptraf.seul.org/2.7/manual.html
iptraf
Indicates whether the installed license is valid. Use this command after installing a new license key.
license check
Sends ICMP ping packets to a remote host. This command is useful for checking network connectivity. host can be an IP address or host name.
ping <host>
Exits the command line interface.
quit
Registers the appliance for management by the specified Central Manager. The pre-registration configuration of this appliance will be saved, and that configuration will be restored later if the unit is unregistered.
register management <manager ip> <port>
manager ip is the IP address of the Central Manager.
port is the port number used by the Central Manager (usually 8443).
Restarts the Guardium Web interface.
restart gui
Reboots the Guardium appliance. The system will completely shut down and restart (which means that the cli session will be terminated).
restart system
This command displays a report of buffer use for the inspection engine process. If you are experiencing load problems, Guardium Support may ask you to run this command.
show buffer
Displays build information for the installed software.
show build
Displays the GUI port number, status, or both.
show gui <all | port | state>
Displays the list of security policies.
show security policies
Displays the S-TAP netfilter buffer size. The default is 65536.
show system netfilter_buffer_size
Displays the public key for cli or tomcat. If none exists, this command creates one.
show system public key <cli | tomcat>
Stops the Web user interface.
stop gui
Stops and powers down the appliance.
stop system
Use this command to restore the defragmentation defaults, or to set the defragmentation size. After entering this command, you must issue the restart inspection-core command for the changes to take effect.
store defrag [default | size <s> interval <i> trigger <t> release <r>]
show defrag
default - Restore the default size.
s - The packet size in bytes, up to a maximum of 2^17 (131072)
i - The time interval
t - The trigger level
r - The release level, specified as a number of seconds, up to a maximum of 2^31 (2147483648)
This command controls what the appliance (not S-TAP) does with messages in inline mode, which is enabled or disabled using the store firewall command (see below). There are two operational modes for the firewall that can be set with this command, as follows:
open allows traffic unless told otherwise. Regardless of whether or not an inspection engine is defined for the traffic, the traffic will pass.
close blocks messages unless told otherwise. If an inspection engine is defined for the traffic, the traffic will pass. If no inspection engine is defined, the traffic will be blocked.
store fail-policy <open | close>
show fail-policy
This command turns the database firewall on or off. When the database firewall is enabled, special access blocking Drop rule actions are available in security policies. See the description of policy rule actions for more information about using Drop actions.
Setting the firewall option on automatically adds the inline attribute to the system’s unit type. See store unit type.
When changing the database firewall setting, be sure to check the fail-policy setting (see store fail-policy, above) and change it if necessary.
store firewall <on | off>
show firewall
This command is intended for emergency use only, when traffic is being unexpectedly blocked by the Guardium appliance. When on, all network traffic passes directly through the system, and is not “seen” by the Guardium appliance.
When using this command, you will be prompted for the admin user password.
store full-bypass <on | off>
Sets the TCP/IP port number on which the Guardium appliance management interface accepts connections. The default is 8443. n must be a value in the range of 1024 and 65535.
store gui port <n>
show gui port
Sets the security policy named policy-name as the installed security policy.
store installed security policy <policy-name>
show installed security policy
Stores a new license key. We suggest you save the old license key before storing a new one, in the event you decide to disable whatever features are being enabled by the license key change. The "?" help for this command shows three options for the store license command: console, FD, or USB, but only the console option is supported. When the command is entered, the system will prompt for the license.
store license console
show license
When using the store license console command, you will be prompted to paste the new license key:
supp1.guardium.com> store license console
Please paste the string received from Guardium Inc, press Enter.
Copy and paste the new license key at the cursor location, and then press Enter. The license key contains no line breaks or white space characters, and it always ends with (and includes) a trailing equal sign. A series of messages will display, ending with:
…. We recommend that the machine be rebooted at the earliest opportunity in order to complete the license updating process.
ok
supp1.guardium.com>
You should enter restart system command at this time.
The show license command and its output should look something like this (line breaks have been added for readability - there must be no line break characters in an actual license key):
supp1.guardium.com> show license
Host MAC: 00:C0:9F:41:CE:16
License:hrKXsOL0i2Ri1+RMF1/uUD1exdbqxWQ9cEnwCBBlz
oj2vv3hmzb7LKgy4jXH45n2o8Qmw6s5e7PMLLb7GIRNE+8GKZ
kR/JQSB26xBvgpYyS5GtX/0mdoZNzXxy7z85PuQH0EEHB0eGG
cChO0MCDHAuq+YQXmrw6ReIC7kVTaHSg=
ok
The actual license key begins following the colon (:) after the word License, and always ends with (and includes) an equal sign. There are no line breaks or other white space characters in the key, so if you are saving the key to a text file, be sure not to introduce any. (The line breaks in the sample above were added for readability.)
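The two checks described above (rebuild the key from show license output, and make sure no whitespace crept in before pasting it) as an added example; this is not Guardium code, and the assumption that the key is base64 text is mine, not something the reference states:

```python
import base64
import binascii
import re

# The 'show license' output as printed in the reference above, including the
# line breaks that the documentation added for readability.
SAMPLE_SHOW_LICENSE = """supp1.guardium.com> show license
Host MAC: 00:C0:9F:41:CE:16
License:hrKXsOL0i2Ri1+RMF1/uUD1exdbqxWQ9cEnwCBBlz
oj2vv3hmzb7LKgy4jXH45n2o8Qmw6s5e7PMLLb7GIRNE+8GKZ
kR/JQSB26xBvgpYyS5GtX/0mdoZNzXxy7z85PuQH0EEHB0eGG
cChO0MCDHAuq+YQXmrw6ReIC7kVTaHSg=
ok
"""


def extract_license_key(show_output):
    """Rebuild the key from 'show license' output: everything after the
    'License:' colon up to and including the trailing '=', with any line
    breaks or surrounding whitespace removed."""
    lines = show_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("License:"):
            parts = [line[len("License:"):]]
            # Gather continuation lines until one closes the key with '='.
            while not parts[-1].rstrip().endswith("=") and i + 1 < len(lines):
                i += 1
                parts.append(lines[i])
            return "".join(p.strip() for p in parts)
    raise ValueError("no 'License:' line in output")


def check_license_key(key):
    """Return a list of problems with a key that is about to be pasted into
    'store license console'; an empty list means the key looks intact."""
    problems = []
    if re.search(r"\s", key):
        problems.append("key contains whitespace or line breaks")
    if not key.endswith("="):
        problems.append("key does not end with '='")
    # Assumption (not stated in the reference): the key is base64 text, so a
    # strict decode catches dropped or altered characters.
    try:
        base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        problems.append("key is not valid base64")
    return problems


if __name__ == "__main__":
    key = extract_license_key(SAMPLE_SHOW_LICENSE)
    print(key)
    print(check_license_key(key) or "key looks intact")
```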
This command controls whether or not this Guardium appliance will capture and use Kerberos traffic to decode Kerberos-encrypted database user names. This applies to MS SQL traffic only. If you enable this feature, be sure that the Guardium appliance sees all Kerberos traffic, which will be from (and to) the Windows Domain Controller.
Note: This is not the preferred way to decode Kerberos names - it is usually more effective to have an S-TAP perform this function. See the S-TAP help book for more information.
When ON, Kerberos-encrypted database user names are decoded. When OFF, Kerberos-encrypted database user names display as a string of hexadecimal characters.
After entering the store local-stap on command, a message displays asking you to check that the unit type includes stap. To use this feature, the unit type for the system must include the stap option. See store unit type for more information.
If you change the unit type to include stap, be sure to issue the restart inspection-core command and then the restart inspection-engines command.
store local-stap <on | off>
Sets the debugging level for the classifier, to one of the values shown below.
store log classifier level DEBUG|INFO|WARN|ERROR|FATAL
Sets the maximum number of seconds for a query to the value specified by n. The default is 60. We recommend that you do not set this value above the default, because doing so increases the chances of overloading the system with query processing. This value can also be set from the Running Status Monitor panel on the administrator portal.
store maximum query duration <n>
show maximum query duration
Sets the stored unique product GID value.
store product gid <n>
show product gid
Sets the age (in days) at which non-essential objects will be purged. Use the show purge objects age command to display a table showing the index, object name, and age for each object type for which a purge age is maintained. Then use the appropriate index from that table in the command below to set the purge age (see the example, below).
store purge object <index> age <days>
show purge objects age
Assume you want to keep the S-TAP Event Log for 30 days. First issue the show purge objects age command to determine the index (do not use the table below, your list may be different). Then enter the store purge object command.
g4.guardium.com> show purge objects age
Index Name Age
1 Central Management Persistant Operations 7
2 S-Tap Event Log 14
4 Assessment Tests 7
5 Central Management Temporary Policies 7
6 S-Tap Change History 14
7 Kerberos Authentication Info. 1
8 Comment History 60
9 Comment Local History 60
10 Call Graph History 90
11 CAS Host Event History 7
12 Unused CAS Access Names 7
13 Unused CAS Access Name Templates 7
14 Custom Table Operations Log 7
15 table in custom db without def 7
16 Custom Table Upload Log 7
17 Baseline entries referred to user 30
18 Classification Process Results 7
19 Sniffer Buffer Usage 14
20 Secure Map 1
21 GDM Access 30
ok
g4.guardium.com> store purge object 2 age 30
ok
Controls the use of remote logging. In addition to system messages, statistical alerts and policy rule violation messages can optionally be written to syslog. For each facility.priority combination (see the lists under Parameters, below), messages can be directed to a specific host.
If you enable remote logging, be sure that the receiving host has enabled this capability (see the Notes, below).
store remotelog [help|add|clear] facility.priority host
help - Displays supported facilities and priorities.
add - adds the specified facility.priority combination (see below) to the list of messages to be sent to the specified remote host.
clear - clears the specified facility.priority combination (see below) from the list of messages being sent to the specified host.
facility - May be one of the following: all, auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, mark, news, security, syslog, user, uucp. The majority of messages issued by the Guardium appliance will be from the daemon facility.
priority - May be one of the following: alert, all, crit, debug, emerg, err, info, notice, warning. The standard Guardium severity codes for alerts and violations map as follows:
Guardium severity - syslog priority
INFO - info
LOW - warning
MED - err
HIGH - alert
host - identifies the host to receive this facility.priority combination.
To configure the receiving system to accept remote logging, edit /etc/sysconfig/syslog on that system to include the ‘-r’ option. For example:
SYSLOGD_OPTIONS="-r -m 0"
Then restart the syslog daemon:
/etc/init.d/syslog restart
The standard syslog file in Linux is named:
/var/log/messages
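On the receiving host, the facility.priority of each message is carried in the standard syslog PRI prefix (PRI = facility * 8 + priority). The added example below (mine, not part of the Guardium reference) decodes that prefix and maps the priority back to the Guardium severity using the table above; the sample lines are constructed, and their message text is made up because the reference does not document the message body format.

```python
import re
from collections import Counter

# Standard syslog facility and priority codes; PRI = facility * 8 + priority.
# (Names such as 'all', 'mark' and 'security' from the CLI list are syslog.conf
# selectors, not PRI codes, so they do not appear here.)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + ["local%d" % n for n in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# Severity mapping from the reference: Guardium severity -> syslog priority.
GUARDIUM_TO_SYSLOG = {"INFO": "info", "LOW": "warning",
                      "MED": "err", "HIGH": "alert"}
SYSLOG_TO_GUARDIUM = {v: k for k, v in GUARDIUM_TO_SYSLOG.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, priority) names from the <PRI> prefix, or None when
    the line has no valid prefix."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        return None
    facility, priority = divmod(pri, 8)
    return FACILITIES[facility], PRIORITIES[priority]


def guardium_severity(priority):
    """Map a syslog priority back to the Guardium severity that produced it,
    or None for priorities Guardium alerts and violations never use."""
    return SYSLOG_TO_GUARDIUM.get(priority)


def summarize(lines):
    """Count daemon-facility messages (where most appliance messages come
    from) by Guardium severity; everything else is counted as 'unmapped'."""
    counts = Counter()
    for line in lines:
        decoded = decode_pri(line)
        sev = None
        if decoded and decoded[0] == "daemon":
            sev = guardium_severity(decoded[1])
        counts[sev or "unmapped"] += 1
    return dict(counts)


# Constructed sample lines: only the PRI values follow the facility.priority
# scheme described above; the rest of each line is invented.
SAMPLE_LINES = [
    "<30>Mar  1 12:00:01 g4 guardium: constructed INFO message",
    "<28>Mar  1 12:00:02 g4 guardium: constructed LOW alert",
    "<27>Mar  1 12:00:03 g4 guardium: constructed MED violation",
    "<25>Mar  1 12:00:04 g4 guardium: constructed HIGH violation",
    "<34>Mar  1 12:00:05 g4 sshd: constructed auth.crit message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_pri(line), line)
    print(summarize(SAMPLE_LINES))
```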
Stores a certificate from the S-Tap host (usually a database server), on the Guardium appliance. This command functions exactly like the store certificate console command, described later.
store stap certificate
You will be prompted as follows:
Please paste your new server certificate, in PEM format.
Include the BEGIN and END lines, then press CTRL-D.
If you have not done so already, copy the server certificate to your clipboard. Paste the PEM-format certificate at the command line, then press CTRL-D. You will be informed of the success or failure of the store operation.
When you are done, use the restart gui command to restart the Guardium GUI.
Adds or deletes a storage system type for archiving or system backup.
store storage-system <Centera | TSM> <backup | archive> <on | off>
show storage-system
Assume you are currently using Centera for system backups, but want to switch to a TSM system. You must turn off the Centera backup option (unless you want to leave that as another option), and turn on the TSM backup option. The commands that make this change are shown in the example below. The show commands are not necessary, and are included for illustration only.
g4.guardium.com> show storage-system
NETWORK :
CENTERA : backing-up
TSM :
SCP : archiving and backing-up
FTP : archiving and backing-up
ok
g4.guardium.com> store storage centera backup off
ok
g4.guardium.com> store storage tsm backup on
ok
g4.guardium.com> show storage-system
NETWORK :
CENTERA :
TSM : backing-up
SCP : archiving and backing-up
FTP : archiving and backing-up
ok
g4.guardium.com>
Enables (on) or disables (off) the sending of email alerts to the support email address, which can be configured using the forward support email command. By default, the support state is enabled (on), and the default support email address is support@guardium.com.
store support state <on | off>
show support state
When enabled, all syslog messages will be sent to the SNMP server configured for the appliance (see show alerter snmp traphost).
store syslog-trap <on | off>
Use this command to configure automatic powering down options when a UPS is attached. Note that the UPS must be attached to a USB connector (serial connections for a UPS are not supported).
Sets the minimum charge percent (0-100) before powering down, or the number of seconds to run on battery power before powering down. The defaults are 25 and zero, respectively.
store system apc [battery-level <percent> | timeout <seconds>]
show system apc [battery-level | timeout ]
Sets the number of seconds for the interval at which the system writes to the Sniffer Buffer domain. There is no corresponding show command.
store system buffer interval <seconds>
Sets the system clock’s date and time to the specified value, where YYYY is the year, mm is the month, dd is the day, hh is the hour (in 24-hour format), mm is the minutes, and ss is the seconds. The seconds portion is required, but will always be set to 00.
store system clock datetime <YYYY-mm-dd hh:mm:ss>
show system clock <all | datetime>
store system clock datetime 2003-10-03 12:24:00
Lists the allowable time zone values (list option), or sets the time zone for this system to the specified timezone.
store system clock timezone <list | timezone>
show system clock <all | timezone>
Use the command first with the list option to display all time zones. Then enter the command a second time with the appropriate zone.
g4.guardium.com> store system clock timezone list
Timezone: Description:
--------- -----------
Africa/Abidjan:
Africa/Accra:
Africa/Addis_Ababa:
...
...output deleted
...
g4.guardium.com> store system clock timezone America/New_York
Sets the system domain name to the specified value.
store system domain <value>
show system domain
Sets the system's host name to the specified value.
store system hostname <value>
show system hostname
Sets the host name of up to three NTP (Network Time Protocol) servers. Note that to enable the use of an NTP server, you must use the store system ntp state on command (below). To define a single NTP server, enter its host name or IP address. To define multiple NTP servers, enter the command with no arguments, and you will be prompted to supply the NTP server host names.
store system ntp server [hostname]
show system ntp <all | server>
Enables or disables use of an NTP (Network Time Protocol) server.
store system ntp state <on | off>
show system ntp <all | state>
Installs a single patch. The ftp and scp options copy a compressed patch file from a network location to the Guardium appliance. Note that a compressed patch file may contain multiple patches, but only one patch can be installed at a time. The last option (sys) is for use when installing a second or subsequent patch from a compressed file that has been copied to the Guardium appliance using this command previously. Each option is described in more detail in the Notes section, below.
To display a complete list of applied patches, see the Installed Patches report on the Guardium Monitor tab of the administrator portal.
store system patch install <cd | ftp | scp | sys>
Regardless of the option selected (see below), you will be prompted to select a patch to apply:
Please choose one patch to apply (1-n,q to quit):
cd – To install a patch from a CD, insert the CD into the Guardium CD ROM drive before executing this command. A list of patches contained on the CD will be displayed.
ftp or scp – To install a patch from a compressed patch file located somewhere on the network, use the ftp or scp option, and respond to the prompts shown below. Be sure to supply the full path name for the patch, including the filename:
Host to import patch from:
User on hostname:
Full path to the patch, including name:
Password:
The compressed patch file will be copied to the Guardium appliance, and a list of patches contained on file will be displayed.
sys – Use this option to apply a second or subsequent patch from a patch file that has been copied to the Guardium appliance by a previous store system patch execution.
Removes a system patch previously stored on the appliance. (This command does not back out a patch.) You will be prompted to select a patch to be removed.
store system patch remove
Sets the system’s shared secret value to the specified value. This key must be the same for a Central Manager and all of the appliances it will manage; or an Aggregator, and all of the appliances from which it aggregates data. After an appliance has registered for management by a Central Manager, the shared secret on that unit is no longer used. (You cannot “unregister” a unit from central management by changing this value.)
store system shared key <value>
Stores the email address for the snmp contact (syscontact) for the Guardium appliance. By default it is info@guardium.com.
store system snmp contact <email-address>
show system snmp contact
Stores the snmp system location (syslocation) for the Guardium appliance. By default it is Unknown.
store system snmp location <string>
show system snmp location
Stores the snmp system query community for the Guardium appliance. By default it is guardiumsnmp.
store system snmp query community <string>
show system snmp query community
Stores the throttle parameters (see below). After entering this command, you must issue the restart inspection-core command for the changes to take effect.
store throttle [default | size <s> interval <i> trigger <t> release <r>]
show throttle
default - Enter the keyword default to restore the system defaults (no other parameters are used).
s - The packet size in bytes, up to a maximum of 2^17 (131072).
The remaining parameters are in seconds, up to a maximum of 2^31 (2147483648):
i - The time interval
t - The trigger level
r - The release level
To restore the throttle defaults, use the store throttle default command.
Sets the file transfer method used for CSV/CEF export.
store transfer-method <ftp | scp>
show transfer-method
Files sent from one Guardium appliance to another (from a collector to an aggregator, for example) are always sent using SCP.
Sets most unit type attributes for the Guardium appliance. See the Unit Type Attributes table below for a description of all unit type attributes that can be displayed by this command.
store unit type [manager | standalone] [aggregated] [inline] [load-balancer] [netinsp] [stap] [mainframe] [ztap]
show unit type
Some attributes listed are set using the store unit type command, and cleared using the clear unit type command. Others are set by the store fail-policy command or the store firewall command. One attribute (aggregator) is set only when the Guardium software is installed, and cannot be modified except by re-installing the Guardium software.
The Guardium appliance unit type attributes that can be displayed by the show unit type command are described in the table below. Except where noted, these attributes can be set using the store unit type command, and cleared using the clear unit type command.
Attribute - Description
aggregated - Unit collects data and sends it to an aggregator.
aggregator - This property is set only during installation of the Guardium software on the appliance. When configured as an Aggregator, it cannot inspect network traffic, provide database firewall protection, or serve as an S-TAP host. An Aggregator can (and often does) serve as a Central Manager.
fail-closed - If the inspection engine is down, all messages will be blocked. This attribute is set by the store fail-policy command.
fail-open - If the inspection engine is down, all messages will be passed. This attribute is set by the store fail-policy command.
inline - Port forwarding (messages are read on one port and forwarded onto another). This attribute is added automatically when the firewall option is enabled (see store firewall). When inline mode is enabled, the fail-policy setting becomes important (see store fail-policy).
load-balancer - Unit manages load balancing for other units. A Central Manager cannot also function as a load balancer. (The CLI will allow this attribute on a Central Manager, but the functionality will not be allowed.)
mainframe - The unit is a mainframe (z/OS) network inspection appliance.
manager - Central manager functions are enabled for this unit.
netinsp - Inspection of network traffic is enabled.
standalone - Local management (independent of a central manager).
stap - The unit can receive data from and manage S-TAP and CAS agents.
ztap - The unit can receive data from and manage Z-TAP agents.
The unregister command restores the configuration that was saved when the appliance was registered for central management. If that happened under a previous release of the Guardium software, restoring that configuration without first applying a patch to bring the saved configuration to the current software release level will disable the appliance, potentially causing the loss of all data stored there. Accordingly, do not unregister a unit until you have verified that the pre-registration configuration is at the current software release level. If you are unsure about how to verify this, contact Guardium Support before unregistering the unit.
unregister management
This command is intended for emergency use only, when the Central Manager is not available.
After unregistering using this command, you should also unregister from the Central Manager (from the Administration Console), since that is the only way the count of managed units will be reduced. The count of managed units is authorized by the license key.