Configuration and control CLI commands
Use the following CLI commands for configuration and control.
? (question mark)
To find more information about a command, enter a question mark at any point to display the arguments.
Syntax
<partial_command> ?
CLI> show account strike ?
USAGE: show account strike <arg>, where arg is: ?, count, interval, max
ok
CLI>
commands
Displays an alphabetical listing of all CLI commands.
Syntax
commands
debug
Enables or disables debug mode. Without an argument, the command toggles the current debug state. Optionally, include an explicit state argument (on or off).
Syntax
debug [on | off]
clean load_balance_inactive_stap_queue
Use this command to manually clear an inactive S-TAP and its corresponding collector from the inactive S-TAPs queue in the load balancer.
Syntax
clean load_balance_inactive_stap_queue <stapHost> <collectorName>
delete scheduled-patch
Deletes a pending patch installation request.
For more information about installing patches, see the store system patch install CLI command.
Syntax
delete scheduled-patch
delete ssl_gui_ciphers and restore ssl_gui_ciphers
Use these commands to remove out-of-date GUI ciphers and, if necessary, restore ciphers that were deleted.
Syntax
delete ssl_gui_ciphers
Guardium returns a numbered list of ciphers. Enter the number of the cipher to delete; separate multiple cipher numbers with commas. Enter q to quit without deleting any ciphers.
If you delete the wrong cipher, use restore ssl_gui_ciphers to restore it.
restore ssl_gui_ciphers [ last | list ]
- last: Restores the most recently deleted cipher or ciphers.
- list: Restores all deleted ciphers.
Before restoring, Guardium warns that changing the cipher list can affect the connectivity of the GUI and of GIM-TLS. Restoring a cipher that you removed because it was weak makes it available again for both; check that the cipher list returned after the restore is what you expect.
Show command
show ssl_gui_ciphers
For more information about supported ciphers, see Cipher suites.
delete unit type
Use this command to clear one or more unit type attributes. Note that this command cannot clear all unit type attributes. For more information, see store unit type.
Syntax
delete unit type [manager | standalone] [aggregated] [netinsp] [network routes static] [stap] [mainframe]
eject
This command dismounts and ejects the CD-ROM, which is useful after you upgrade or reinstall the system, or after you install patches that were distributed on a CD-ROM.
Syntax
eject
forward support email
When the support-state option is enabled (which it is by default), this command sets the email address to receive system alerts.
Syntax
forward support email to <email address>
Show command
show support-email
import jproxy_files
Use this command, together with store jproxy_config ssh_key_file, to upload the GBDI SSH key file (in .pem format) and configure the SSH target host that communicates with GBDI. For more information, see store jproxy_config ssh_key_file.
Syntax
import jproxy_files
iptraf
IPTraf is a network statistics utility that is distributed with the underlying operating system. It gathers information such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. For more information, see the IPTraf User Manual at the following location (it might also be available at other locations):
http://iptraf.seul.org/2.7/manual.html
Syntax
iptraf
license check
Indicates whether the installed license is valid. Run this command after you install a new product key.
Syntax
license check
license clear
Removes product licenses. After running this command, you will need to reapply base and append license keys and accept their terms and conditions. For more information about applying licenses, see License keys and Install license keys.
Syntax
license clear
ping
Sends ICMP ping packets to a remote host. This command is useful for checking network connectivity. The value of host can be an IP address or host name.
Syntax
ping <host>
quit
Exits the command-line interface.
Syntax
quit
recover failed
Restores failed CSV/CEF/PDF transfer files by placing them back into the export folder for another export attempt.
Syntax
recover failed [csv|cef|pdf]
register management
Registers the Guardium system for management by the specified central manager. The pre-registration configuration of this Guardium system is saved, and that configuration is restored later if the unit is unregistered.
Syntax
register management <manager ip> <port>
Parameters
manager ip is the IP address of the central manager.
port is the port number used by the central manager (usually 8443).
reset luks keys
Clears all Tang keys stored in the Linux Unified Key Setup (LUKS) configuration and removes all connections to the Tang server.
Syntax
reset luks keys
restart datastreams
Use this command to restart stopped AWS database activity-monitoring data streams. For more information, see Cloud database service protection with data streams.
Syntax
restart datastreams
restart datastreams [--yes]
Where
--yes runs the command without prompting for confirmation.
restart gui
Restarts the IBM® Guardium web interface. To schedule a daily or weekly GUI restart, use the additional parameters: HH is hours 01-24, MM is minutes 01-60, and W is the day of the week, 0-6, where Sunday is 0. If HHMM is listed twice, only the last entry is used. The clear parameter deletes the scheduled time.
Running restart gui from the GUI restarts only the web services. To fully restart all processes, including the Classifier and Security Assessments processes, run restart gui from the CLI. To restart the Classifier listener, run restart gui from the CLI on each managed unit.
Syntax
restart gui [HHMM|HHMMW|clear]
restart gui [HHMM|HHMMW|clear] [--yes]
Where
--yes runs the command without prompting for confirmation.
restart rds_monitoring
Restart the AWS RDS monitor for Oracle. For more information, see Cloud database service protection with native audit.
restart rds_monitoring
restart sniffer_buffer_usage
Restarts the sniffer buffer usage monitor.
Syntax
restart sniffer_buffer_usage
For more information about using restart sniffer_buffer_usage, see Performance issue: buffer usage process not running.
restart stopped_services
Use this CLI command to restart services previously stopped with the store auto_stop_services_when_full CLI command.
restart stopped_services
restart system
Reboots the Guardium system. The system shuts down completely and restarts, so the CLI session is terminated.
Syntax
restart system
restart system [--yes]
Where
--yes runs the command without prompting for confirmation.
restart ticket_service
Restarts the external ticketing service. For more information, see Configure an external ticketing system.
You can also stop and start the ticketing service from the CLI.
Syntax
restart ticket_service
restart ticket_service --yes
Where
--yes runs the command without prompting for confirmation.
restore rsyslog
Compares the current remotelog (rsyslog) configuration on your system with the rsyslog configuration restored from a CONFIG backup file, if one is available. You can then choose to overwrite the existing configuration with the backed-up one.
Syntax
restore rsyslog
setup hyper-v-tools
Syntax
setup hyper-v-tools [install | uninstall]
show buffer
This command displays a report of buffer use for the inspection engine process. If you are experiencing load problems, IBM Technical Support may ask you to run this command.
Syntax
show buffer <log | snif>
Examples
To display the buffer usage of the inspection engine process:
show buffer log
To display the buffer usage of the sniffer:
show buffer snif
show build
Displays build information for the installed software (build, release, snif version).
Syntax
show build
show load_balance_inactive_stap_queue
This command shows the list of inactive S-TAPs and corresponding collectors that have accumulated in the load balancer's inactive S-TAP queue.
Syntax
show load_balance_inactive_stap_queue
show network routes static
Static routes let an appliance that has only one IP address (on the primary interface) direct traffic through different routers. This command lists the current static routes with their IDs.
Syntax
show network routes static
Delete command
delete network routes static
show remotelog
Displays information about the rsyslog program that handles syslog. For information about adding and configuring remote logs, see the store remotelog commands, beginning with store remotelog add.
show remotelog <escape_control_characters_on_receive | host | max_message_size | status | test>
- escape_control_characters_on_receive - Displays the value of the rsyslog $EscapeControlCharactersOnReceive directive.
- host - Displays the configured remote hosts.
- max_message_size - Displays the value of the rsyslog $MaxMessageSize directive.
- status - Displays the status of rsyslog.
- test - Verifies the rsyslog configuration by sending a test message, as follows:
  - If a remote log is configured: the configuration is displayed, and the test message is sent to syslog with the configured facility.priority. If the facility is ALL, the message is sent with the daemon facility; if the priority is ALL, it is sent with priority info. To confirm delivery, capture a tcpdump for the configured hosts, ports, and protocols and verify that rsyslog transmits the messages to the SIEM system. For more information, see Facility and priority of syslog messages.
  - If no remote log is configured: a test message is sent to the local syslog without a specific facility or priority.
Syntax
show remotelog escape_control_characters_on_receive
show remotelog host
show remotelog max_message_size
show remotelog status
show remotelog test
Examples
show remotelog host
Remote syslog is in non-encrypted mode.
Remote syslog format is default.
user.=warning @@9.30.252.111
user.=alert @@myhost.mycompany
user.=alert @@myhost.mycompany
show remotelog test
The following receivers are configured
Messages will be written to syslog targeting these.
Please verify that the messages were received.
The tests could take several minutes
Facility Priority Protocol Host:port
daemon info TCP 9.30.252.192:514
user info UDP 9.30.252.192:514
user alert TCP 9.30.252.192:5514
Sending message: daemon.info: Guardium test message
Sending message: user.info: Guardium test message
Sending message: user.alert: Guardium test message
Test message 'Guardium test message' successfully sent to syslog
Analyzing tcpdump. If a message is found in the tcpdump
output, but not in the syslog receiver, please consult your
administrator for the syslog receiver.
Message to 9.30.252.192:514 sent
Message to 9.30.252.192:514 sent
Message to 9.30.252.192:5514 sent
ok
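The following Python script is an added example, not part of the Guardium CLI or its documentation. It reproduces the facility.priority handling described for show remotelog test (ALL falls back to daemon and to info), computes the syslog PRI value that a tcpdump of the test message would show, and parses receiver lines in the format printed by show remotelog host, where rsyslog's legacy syntax uses @host for UDP and @@host for TCP, with port 514 as the default. The receiver lines, host name and timestamp in the script are constructed for the example.

```python
import re

# Facility and severity codes from RFC 3164 section 4.1.1 (same numbering in RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6,
    "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11, "local0": 16,
    "local1": 17, "local2": 18, "local3": 19, "local4": 20, "local5": 21,
    "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5,
    "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def resolve_selector(facility, priority):
    """Apply the fallback that 'show remotelog test' describes:
    facility ALL -> daemon, priority ALL -> info."""
    fac = "daemon" if facility.upper() == "ALL" else facility.lower()
    sev = "info" if priority.upper() == "ALL" else priority.lower()
    if fac not in FACILITIES or sev not in SEVERITIES:
        raise ValueError(f"unknown selector {facility}.{priority}")
    return fac, sev


def pri_value(facility, priority):
    """PRI = facility * 8 + severity: the number inside the leading <...>."""
    fac, sev = resolve_selector(facility, priority)
    return FACILITIES[fac] * 8 + SEVERITIES[sev]


def build_message(facility, priority, timestamp, host, tag, text):
    """RFC 3164-style line as it would appear in a tcpdump of the test."""
    return f"<{pri_value(facility, priority)}>{timestamp} {host} {tag}: {text}"


def parse_pri(line):
    """Recover (facility, severity) names from a captured syslog line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    fac_code, sev_code = divmod(int(m.group(1)), 8)
    return FACILITY_NAMES.get(fac_code, f"facility{fac_code}"), SEVERITY_NAMES[sev_code]


# rsyslog legacy action syntax as echoed by 'show remotelog host':
# facility.[=]priority, then @host[:port] for UDP or @@host[:port] for TCP.
ACTION_RE = re.compile(
    r"^(?P<facility>\w+)\.(?P<eq>=?)(?P<priority>\w+)\s+"
    r"(?P<at>@@?)(?P<host>[^\s:]+)(?::(?P<port>\d+))?$"
)


def parse_rsyslog_action(line):
    """Turn one selector/action line into the Facility/Priority/Protocol/Host:port
    row that the test output prints. The port defaults to 514 when omitted."""
    m = ACTION_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a remote-log action: {line!r}")
    return {
        "facility": m["facility"],
        "priority": m["priority"],
        "exact_priority": m["eq"] == "=",   # 'facility.=priority' means exactly that priority
        "protocol": "TCP" if m["at"] == "@@" else "UDP",
        "host": m["host"],
        "port": int(m["port"] or 514),
    }


if __name__ == "__main__":
    # Constructed receiver list in the format of 'show remotelog host'.
    for action in ("daemon.info @9.30.252.192", "user.=alert @@9.30.252.192:5514"):
        row = parse_rsyslog_action(action)
        line = build_message(row["facility"], row["priority"], "Jan  1 00:00:00",
                             "guardium01", "guardium", "Guardium test message")
        print(f"{row['protocol']} {row['host']}:{row['port']} -> {line}")
```

If a message is visible in the tcpdump with the expected PRI but never reaches the SIEM, the fault is on the receiver side, which is the same conclusion the test output draws.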
show security policies
Displays the list of security policies.
Syntax
show security policies
show ticket update interval
Displays the interval at which the status of records from external ticketing systems such as ServiceNow is updated. For more information, see Configure an external ticketing system.
Set the value with store ticket update interval <n>.
Show command
show ticket update interval
start datastreams
Use this command to start existing AWS database activity-monitoring data streams. For more information, see Cloud database service protection with data streams.
Syntax
start datastreams
start rds_monitoring
Start the AWS RDS monitor for Oracle. For more information, see Cloud database service protection with native audit.
start rds_monitoring
start ticket_service
Starts the external ticketing service. The ticketing service synchronizes external tickets (such as ServiceNow tickets) with the copies stored on the local system. While the service is running, synchronization runs once an hour. For more information, see Configure an external ticketing system.
You can also stop or restart the ticketing service from the CLI.
start ticket_service
stop datastreams
Use this command to stop running AWS database activity-monitoring data streams. For more information, see Cloud database service protection with data streams.
Syntax
stop datastreams
stop gui
Stops the Web user interface.
Syntax
stop gui
stop rds_monitoring
Stop the AWS RDS monitor for Oracle. For more information, see Cloud database service protection with native audit.
stop rds_monitoring
stop system
Stops and powers down the appliance.
Syntax
stop system
stop ticket_service
Stops the external ticketing service. For more information, see Configure an external ticketing system.
You can also start or restart the ticketing service from the CLI.
Syntax
stop ticket_service
store aes_256_cbc_encryption
Syntax
store aes_256_cbc_encryption [ on | off ]
Show command
show aes_256_cbc_encryption
store apply_user_hierarchy
Use this CLI command to apply the user hierarchy to audit receivers.
When ON, a receiver that is not the audit group receiver (normal or role) sees only audit results whose group IP falls beneath that receiver's position in the hierarchy, including the receiver itself.
Syntax
store apply_user_hierarchy [ON | OFF]
Show command
show apply_user_hierarchy
store alert_timestamp_unit
Controls the timestamp unit for syslog alerts. Default is seconds.
Syntax
store alert_timestamp_unit [millisecond | second]
Show command
show alert_timestamp_unit
store alert_object_num_limit
Sets the maximum number of objects to show in the Alert log with the %%Object or %%objectType variables.
Syntax
store alert_object_num_limit <n>
Where n is a positive integer between 1 and 50. The default is 10.
Show command
show alert_object_num_limit
store alert_verb_num_limit
Sets the maximum number of SQL verbs to show in the Alert log. You can also set this parameter from the GuardAPI or REST API. For more information, see modify_guard_param.
Syntax
store alert_verb_num_limit <n>
Where n is a positive integer between 1 and 50. The default is 10.
Show command
show alert_verb_num_limit
store allow_simulation
Enables (on) or disables (off) the ability to run the Policy Simulation on the appliance.
To run a simulation, the original traffic must be replayed through the rules engine against the policy being tested. This requires that some of the original SQL, including its literal values, be saved on the appliance. Setting allow_simulation on or off tells IBM Guardium whether to save that SQL and its values at all; with it off, no SQL or values are retained for simulation. Because saved values can include sensitive data, leave this off unless you need policy simulation.
Syntax
store allow_simulation [on|off]
Show command
show allow_simulation
store alp_throttle
Use this CLI command to control how much data the Analyzer logs into the GDM_FLAT_LOG table. Data reaches GDM_FLAT_LOG in situations such as:
- The incoming packet rate is too high.
- The parser is too slow for some complex or long SQL statements.
- The analyzer is too slow for some database packets.
Use store alp_throttle to choose how much data to log into the GDM_FLAT_LOG table.
Syntax
store alp_throttle <n>
Where
n is 0 or a positive integer.
- If n = 0 (the default), report without logging any SQL statements.
- If n is a positive integer, report and log every nth SQL statement in GDM_FLAT_LOG.
Examples
To report and log all SQL statements (100%):
store alp_throttle 1
To report and log every 2nd SQL statement (50%):
store alp_throttle 2
To report and log every 1000th SQL statement (0.1%):
store alp_throttle 1000
store analyzer
Sets analyzer parameters: the ignore-session timeout (ignore_sess_timeout) and the maximum number of open sessions (max_open_sess).
Ignore session: The current request and the remainder of the session are ignored. This action does log a policy violation, but it stops the logging of constructs and does not test for policy violations of any type for the remainder of the session. This is useful when, for example, the database includes a test region and there is no need to apply policy rules against that region of the database.
Syntax
store analyzer [ignore_sess_timeout <n> | max_open_sess <n>]
Show command
show analyzer
store auto_stop_services_when_full
When ON, stops internal services if the database exceeds the 90% full threshold.
Inspection Engine, Classification and other Collection-related services will stop. Also, Aggregation import/restore will not process any new files.
To remediate, use the various Support commands (support clean audit_task, support clean log_files, support clean DAM_data, support show large_files) to analyze and manually purge large tables.
Syntax
store auto_stop_services_when_full [ON | OFF]
Show command
show auto_stop_services_when_full
store connect oracle_parser
Use this command to connect and disconnect the Oracle parser from the DB2 parser. The default is OFF (disconnect).
Syntax
store connect oracle_parser [ON | OFF]
Show command
show connect oracle_parser
store csv_fetch_size
Controls the fetch size (the number of records retrieved at a time) that the report REST service uses when it builds a report download. Guardium reports can be downloaded in CSV file format.
store csv_fetch_size and store csv_max_size are GLOBAL_PROFILE parameters that can be modified only from the CLI.
Syntax
store csv_fetch_size <num>
Where <num> is a number greater than 0.
Show command
show csv_fetch_size
store csv_max_size
This command controls the size of the CSV downloads that are retrieved when you click Download all records from the report export menu. The default value is 30,000.
Syntax
store csv_max_size <num>
Where <num> is a number greater than 0.
Show command
show csv_max_size
store cyberark config_failover
Use this command to configure standby CyberArk vault servers on your Guardium system.
Syntax
store cyberark config_failover
store cyberark install
Use this command to install CyberArk on your Guardium system.
Syntax
store cyberark install
You are prompted to enter the vault host name or IP address, vault user name and vault password.
Show command
Use the show command to verify if CyberArk is installed on your Guardium system.
show cyberark status
store cyberark service [start | stop]
Use this command to start or stop the CyberArk service on your Guardium system.
Syntax
store cyberark service start
store cyberark service stop
store cyberark uninstall
Use this command to uninstall CyberArk from the Guardium system.
Before uninstalling, you must remove the reference to the Guardium system from the CyberArk vault server first. For more information, see Uninstalling CyberArk.
Syntax
store cyberark uninstall
store cyberark upgrade_parameter
Before installing the CyberArk SDK upgrade patch on your Guardium system, run this command to enter the CyberArk upgrade parameters. The upgrade parameters are the CyberArk vault hostname or IP address, the vault username, and the vault password.
Syntax
store cyberark upgrade_parameter
Show command
show cyberark upgrade_parameter
store default_queue_size
Use this command to set the ADMINCONSOLE_PARAMETER.DEFAULT_QUEUE_SIZE configuration parameter. The default is 25; the range is 25 to 300.
The sniffer must be restarted after the value is changed.
Syntax
store default_queue_size <N>
Where N is a number in the range 25 to 300.
Show command
show default_queue_size
store defrag
Use this command to restore the defragmentation defaults or to set the defragmentation parameters. Defragmentation identifies fragmented packets and attempts to reassemble them before they reach the network sniffing process. It is relevant only for network sniffing through a SPAN port or a TAP device. After entering this command, run restart inspection-core for the change to take effect.
Syntax
store defrag [default | size <s> interval <i> trigger <t> release <r>]
Where:
- default: Restores the default settings.
- s: The packet size in bytes, up to a maximum of 2^17 (131072).
- i: The time interval.
- t: The trigger level.
- r: The release level, in seconds, up to a maximum of 2^31 (2147483648).
Show command
show defrag
store delayed_firewall_correlation
Use this CLI command to hold a user connection until the decryption correlation has taken place.
Syntax
store delayed_firewall_correlation [on | off]
Show command
show delayed_firewall_correlation
store disk_space_reserved
Use this command to change the amount of disk space to reserve on a Guardium aggregator or collector. Reserving disk space allows you to customize the percentage of free space to preserve on the data partition.
Syntax
store disk_space_reserved [ custom <pct> | reset ]
store disk_space_reserved [ custom <pct> | reset ] [--yes]
- custom <pct> - The percentage of available disk space to reserve, from 0 to 100.
- reset - Reset the amount of reserved disk space to the default.
When you run store disk_space_reserved reset the reserved disk space is reset to the default percentage based on the type of the machine (25% for an aggregator, 50% for a collector).
Show command
show disk_space_reserved
store dump_data_for_forensics
This command dumps full SQL details into the local Kafka server for forensic and analysis purposes.
Syntax
store dump_data_for_forensics <ON | OFF>
store dump_data_for_forensics <ON | OFF> [--yes]
Where
--yes runs the command without prompting for confirmation.
Show command
show dump_data_for_forensics
store encrypt_must_gather
Guardium collects certain data (must-gather information) that IBM Support uses to diagnose problems. This command determines whether must-gather data is encrypted (on) or only compressed, not encrypted (off).
Syntax
store encrypt_must_gather <on |off>
Show command
show encrypt_must_gather
store full-bypass
This command is intended for emergency use only, when traffic is unexpectedly blocked by the Guardium system. When on, all network traffic passes directly through the appliance without being inspected, so no monitoring or blocking takes place until you turn full-bypass off again.
When using this command, you will be prompted for the admin user password.
Syntax
store full-bypass <on | off>
store gdm_analyzer_rule
Analyzer rules: certain rules can be applied at the analyzer level, for example user-defined character sets, source program changes, and firewall watch or firewall unwatch modes. Applying rules at the analyzer level means that decisions are made at an earlier stage of processing.
Syntax
store gdm_analyzer_rule [active_flag | new ]
store gdm_analyzer_rule active_flag <id> <on|off>
Where <id> is the rule ID.
Show command
Use the CLI command, show gdm_analyzer_rule, to see a list of GDM analyzer rules.
show gdm_analyzer_rule
store gdm_analyzer_rule new
Use the Guardium CLI to add an analyzer rule, for example a direct regular expression for a Mask UID Chain pattern. The command prompts for the rule description, type, and type-specific parameters.
Syntax
store gdm_analyzer_rule new
Enter rule description (optional):
Enter rule type (required):
Example
store gdm_analyzer_rule new
Please enter rule description: new rule 4
Rule type
1. Change source program
2. Set alternate character set
3. Send verdict
4. HADOOP exclude
5. Define protocol and port
6. Ignore session after packets
7. Set empty Oracle DB user when login information is missed
8. Force MS SQL login
9. Transform string
Please select rule type (required): 9
Please enter pattern (required, regex string): (.*)(-ppassword)(.*)
Please enter format (required, regex string): \\\\1-p****\\\\3
Do you want to activate the rule now? (Yes/No) Y
ok
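As an added example (not Guardium code), the following Python script shows what the Transform string rule created above does when it is applied to source-program strings, and adds a check a practitioner would want before storing a rule: that the pattern compiles and every back-reference in the format names a group that the pattern actually has. Rule 1 is the page's pattern; rule 2 (-p followed by any non-blank password), the first-match-wins evaluation order, and the sample command lines are assumptions of the example, not documented Guardium behaviour.

```python
import re

# Rule table in the shape of the transcript above. Rule 1 is the page's own example
# (literal "-ppassword"); rule 2 is an added generalization for any non-blank password
# glued to -p, as in 'mysql -pS3cr3t!'. Both entries are constructed for this example.
TRANSFORM_RULES = [
    {"id": 1, "active": True, "pattern": r"(.*)(-ppassword)(.*)", "format": r"\1-p****\3"},
    {"id": 2, "active": True, "pattern": r"(.*)(-p\S+)(.*)", "format": r"\1-p****\3"},
]


def validate_rule(pattern, fmt):
    """Check a pattern/format pair before storing it: the pattern must compile and every
    back-reference in the format must name a group the pattern has.
    Returns the list of offending back-reference numbers; an empty list means OK."""
    compiled = re.compile(pattern)          # raises re.error for a malformed pattern
    refs = {int(n) for n in re.findall(r"\\(\d+)", fmt)}
    return sorted(n for n in refs if n == 0 or n > compiled.groups)


def apply_transform_rules(text, rules=TRANSFORM_RULES):
    """Apply the first matching active rule (an assumption of this example; the page
    does not state Guardium's evaluation order). Returns (transformed_text, rule_id)."""
    for rule in rules:
        if not rule["active"]:
            continue
        new_text, n = re.subn(rule["pattern"], rule["format"], text, count=1)
        if n:
            return new_text, rule["id"]
    return text, None


if __name__ == "__main__":
    # Constructed source-program strings as a database client might present them.
    for sample in ("mysql -uroot -ppassword -h db1",
                   "mysql -uroot -pS3cr3t! -h db1",
                   "psql -p 5432 -U app"):
        print(apply_transform_rules(sample))
```

The page's literal pattern masks only the string -ppassword; a real password such as -pS3cr3t! passes through untouched unless a generalized rule like rule 2 exists, which is why the second rule is included. The third sample shows that -p followed by a space (a port flag) is left alone by both rules.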
store gdm_http_session_template
Use this CLI command to set the template for the HTTP session.
Usage
store gdm_http_session_template [activate] [add] [deactivate] [remove]
Show command
show gdm_http_session_template
Attempting to retrieve the template information. It may take time. Please wait.
ID# | Active | URL Regex | Session Regex | Username Regex | Login_Session Regex | Comment | Logout_Session_ID | Logout_URL_Regex
--- | --- | --- | --- | --- | --- | --- | --- | ---
1 | 1 | | Cookie.*PHPSESSID=([[:a | .*user_name=([[:alnum:] | Set-Cookie:.*PHPSESSID= | example of HTTP session deleted | |
2 | 1 | | Cookie.*PSJSESSIONID=([ | .*SignOnDefault=([[:aln | | example of HTTP session | | cmd=logout
3 | 1 | | Cookie.*JSESSIONID=([0- | .*username=([[:alnum:]] | Set-Cookie:.*JSESSIONID | example of HTTP session | | Logout.jsp
(The regular expressions are truncated in the CLI output.)
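The following Python script is an added example, not Guardium code, showing how the four regular expressions of one template (here the shape of row 3) work together: the Username Regex picks the user out of the login request, the Login_Session Regex picks the new session ID out of the Set-Cookie response, the Session Regex attributes later requests by cookie, and the Logout_URL_Regex ends the mapping. The full expressions (which the CLI output truncates), the Python character classes used in place of [[:alnum:]], and the HTTP traffic are all constructed for the example.

```python
import re

# Row 3 of the template output above, with POSIX classes rewritten for Python's re
# module, which has no [[:alnum:]]. The full expressions are assumed, because the CLI
# output truncates them; the shape (cookie name, form field, logout URL) is the page's.
TEMPLATE = {
    "id": 3,
    "session_regex": r"Cookie:.*JSESSIONID=([0-9A-Za-z]+)",
    "username_regex": r".*username=([A-Za-z0-9]+)",
    "login_session_regex": r"Set-Cookie:.*JSESSIONID=([0-9A-Za-z]+)",
    "logout_url_regex": r"Logout\.jsp",
}


def _first_group(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


class SessionTracker:
    """Map HTTP session identifiers to the application user who logged in with them,
    the way the four regexes of a template are meant to be combined."""

    def __init__(self, template):
        self.t = template
        self.session_user = {}  # session id -> username

    def observe(self, request, response=None):
        """Process one request (and, for a login, its response).
        Returns (session_id, username, event)."""
        # Login: username in the request, new session id issued by Set-Cookie in the response.
        user = _first_group(self.t["username_regex"], request)
        if user and response:
            sid = _first_group(self.t["login_session_regex"], response)
            if sid:
                self.session_user[sid] = user
                return sid, user, "login"
        # Any later request: identify the session by its cookie and look up the user.
        sid = _first_group(self.t["session_regex"], request)
        user = self.session_user.get(sid)
        request_line = request.split("\r\n", 1)[0]
        if sid and re.search(self.t["logout_url_regex"], request_line):
            self.session_user.pop(sid, None)
            return sid, user, "logout"
        return sid, user, ("request" if user else "unattributed")


# Constructed traffic for a login, an ordinary request, and a logout.
LOGIN_REQ = ("POST /app/login HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=alice&password=hunter2")
LOGIN_RESP = ("HTTP/1.1 302 Found\r\nLocation: /app/home\r\n"
              "Set-Cookie: JSESSIONID=A1B2C3D4; Path=/app; HttpOnly; Secure\r\n\r\n")
QUERY_REQ = ("GET /app/report?id=7 HTTP/1.1\r\nHost: app.example\r\n"
             "Cookie: JSESSIONID=A1B2C3D4\r\n\r\n")
LOGOUT_REQ = ("GET /app/Logout.jsp HTTP/1.1\r\nHost: app.example\r\n"
              "Cookie: JSESSIONID=A1B2C3D4\r\n\r\n")


def demo():
    """Run the constructed exchange through one tracker and return the attributions."""
    tracker = SessionTracker(TEMPLATE)
    return [tracker.observe(LOGIN_REQ, LOGIN_RESP), tracker.observe(QUERY_REQ),
            tracker.observe(LOGOUT_REQ), tracker.observe(QUERY_REQ)]


if __name__ == "__main__":
    for sid, user, event in demo():
        print(f"{event:13} session={sid} user={user}")
```

Note that the Session Regex Cookie:.*JSESSIONID also matches a Set-Cookie header, so it is applied only to requests here; a request that reuses the cookie after the logout URL has been seen is reported as unattributed rather than credited to the previous user.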
store log external
Use this command to set the file size, flush period, gdm error handling, and state of the external log. The Log External policy action appears in the policy builder only after you run the following CLI command:
store log external state on
To check the state:
show log external state
To enable or disable the action:
store log external state [on | off]
Usage
store log external [file_size] [flush_period] [gdm_error] [state]
Syntax
store log external gdm_error <state>
Where state is on or off. 'on' is to enable and 'off' is to disable.
store log external file_size <num>
Where <num> is the size of the file. Default is 4096 bytes.
store log external flush_period <num>
Where <num> is the flush period. Default is 60 seconds.
store log external state <state>
Where state is on or off. 'on' is to enable and 'off' is to disable.
Show command
show log external [file_size] [flush_period] [gdm_error] [state]
store monitor gdm_statistics
Use this CLI command to control collection of Unit Utilization statistics. The default is 1 (run the collection script every hour).
Syntax
store monitor gdm_statistics <hour>
Where hour is a value from 0 to 24. The default value, 1, runs the script every hour. A value of 0 means the script does not run.
Show command
show monitor gdm_statistics
Disable command
To disable the gdm_statistics monitor, set <hour> to 0.
store gui
Sets the TCP/IP port on which the IBM Guardium appliance management interface accepts connections. The default is 8443. The port must be in the range 1024 to 65535; avoid any port that is required or in use for another purpose.
Session timeout: Sets the length of time, in seconds, with no activity before the session times out, after which you must log on to Guardium again. The default is 900 seconds (15 minutes). A new session timeout value takes effect only after the next GUI restart.
CSRF status: Enables or disables Cross-Site Request Forgery (CSRF) protection. When it is on, certain browser functions (for example, F5/CTRL-R/Refresh/Reload and Back/Forward) result in a 403 Permission Error message. Turning it off removes CSRF protection from the management interface.
Syntax
store gui port <n>
store gui session_timeout <n>
store gui csrf_status [on | off]
Show command
Displays the GUI port number, state, session timeout (in seconds) and/or CSRF status.
show gui [port | state | all | session_timeout | csrf_status ]
store gui cache
Use this CLI command to turn web browser caching ON or OFF (Enable or Disable).
The response is:
The parameter has been changed.
Restarting gui
Changing to port 8443
Stopping.......
Safekeeping xregs
ok
The default setting for browser caching is enabled.
The act of changing the cache setting will automatically restart the Guardium web server.
For Firefox, you must clear the browser cache for the setting to take effect.
Syntax
store gui cache [ON | OFF]
Show command
show gui cache
store gui hsts_status
Use this CLI command to enable or disable the HSTS (HTTP Strict Transport Security) filter. This option is disabled by default on upgraded systems. Enable it only after valid certificates are installed: once HSTS is on, browsers refuse to connect to the GUI over a certificate they do not trust and offer no way to click through the warning. See the topic, How to install an appliance certificate to avoid a browser SSL certificate challenge, for further reference.
Syntax
store gui hsts_status [ on | off ]
Show command
show gui hsts_status
store gui xss_status
Use this CLI command to enable or disable the Cross-Site Scripting (XSS) status. This option is enabled by default on upgraded systems.
Syntax
store gui xss_status [ on | off ]
Show command
show gui xss_status
store installed security policy
Sets the security policy named policy-name as the installed security policy.
Syntax
store installed security policy <policy-name>
Show command
show installed security policy
store jproxy_config flush_at_size/store jproxy_config flush_timeout_sec
Use these commands to configure when jProxy streams JSON document data from Guardium to Guardium Big Data Intelligence (GBDI). Whenever either threshold is reached (buffered bytes or elapsed seconds), jProxy sends the data to GBDI. For more information, see Big Data Intelligence with data streaming.
Syntax
store jproxy_config flush_at_size <bytes>
store jproxy_config flush_timeout_sec <seconds>
The default flush timeout is 60 seconds.
Show commands
show jproxy_config flush_at_size
show jproxy_config flush_timeout_sec
store jproxy_config ssh_key_file
Use this command, together with import jproxy_files, to upload the GBDI SSH key file (in .pem format) and configure the SSH target host that communicates with GBDI. For more information, see Big Data Intelligence with data streaming.
Syntax
import jproxy_files
store jproxy_config ssh_key_file <key_file_name>
- Use import jproxy_files to import the signed certificate (the SSH key file).
- Use store jproxy_config ssh_key_file <key_file_name> to store the SSH key file in the keystore.
store keep_psmls
Use this CLI command to retain the current layouts, profiles, and portlets (psmls) created by users of the Guardium application. Set it to ON before an upgrade so that the psmls from the previous version are retained.
Syntax
store keep_psmls [ON | OFF]
Show command
show keep_psmls
store ldap-mapping
Stores LDAP-mapping parameters, which allow a custom mapping to the LDAP server schema for the email, firstname, and lastname attributes. The paging parameter facilitates transfer from any LDAP server type (Active Directory, Novell Directory, OpenLDAP, Sun ONE Directory, Tivoli® Directory). If paging is set to on but the server does not support paging, the search is performed without paging.
Example for paging: if ldap-mapping paging is ON, Microsoft Active Directory downloads up to the number of users set as the limit value on the LDAP Import configuration screen. If ldap-mapping paging is OFF, Active Directory downloads at most 1000 users, no matter what the limit value is set to. All other LDAP server configurations must use ldap-mapping paging off in order to download users up to the set limit value.
Note: Each time you change the CLI ldap-mapping email, firstname, or lastname attributes, you must also select Override Existing Changes on the LDAP Import configuration screen in the IBM Guardium GUI before importing LDAP users.
Syntax
store ldap-mapping [email | firstname | lastname] <attribute>
store ldap-mapping paging [on | off]
A GUI restart (restart gui, issued from the CLI) is required for new parameters to take effect.
Examples
store ldap-mapping firstname name
store ldap-mapping lastname sn
store ldap-mapping email mail
store ldap-mapping paging on
- Values for the firstname attribute: gn, givenName, name
- Values for the lastname attribute: sn, surname, name
- Values for the email attribute: userPrincipalName, mail, email, emailAddress, pkcs9email, rfc822Mailbox
- Values for paging: on, off
store license
Applies a new license key to the appliance.
A license key is one of two kinds: override or append. An override license replaces the currently installed license; an append license is appended to it. Append licenses can only add functionality: they may enable new functions and, where relevant, update expiration dates, the remaining number of scans, or the number of datasources, or replace certain numeric fields in the license, such as the number of managed units.
Syntax
store license
Example
CLI> store license
Please paste the string received from customer services. Then press <ENTER> to continue.
Copy and paste the new product key at the cursor location, and then press Enter. The product key contains no line breaks or white space characters, and it always ends with (and includes) a trailing equal sign. A series of messages will display, ending with:
>We recommend that the machine be rebooted at the earliest opportunity in order to complete the license updating process.
ok
CLI>
Run the restart gui command at this time.
Show command
show license
- License - A single license that includes the base license merged with information from any older licenses and append licenses. For central managers, this license key is sent to any associated managed units when the managed unit is registered or the system is refreshed.
- Number of Licenses - Specifies the number of managed units that can be associated with a central manager. This value cannot be changed after the license is installed.
- Metering - If this appliance has a metered license, then you can run only a certain number of vulnerability assessment scans. A value of -1 means there is no limit. For a metered license, Guardium checks this value each time you run a security assessment or classifier process. The process runs only if the number of datasources in the security assessment or classifier is less than or equal to the metering value. When a process runs, the metering value is updated by subtracting the number of datasources from the metering.
- Number of Datasources - The maximum number of datasources for which the appliance is licensed. A value of -1 means there is no limit. This value cannot be changed after license installation. If your site has a limited license, the value is decremented each time you add or import a datasource.
A datasource, for this purpose, is a database server that you add either from the Datasource Definition page of the Guardium UI or by using the create_datasource GRDAPI command.
- Valid until - The expiration date for this license.
- Licensed Applications - The Guardium applications that this appliance can access under this license.
- Licensed Product Types - The Guardium add-on products that this appliance can access under this license.
store log classifier level
Sets the debugging level for the classifier, to one of the values shown.
Syntax
store log classifier level TRACE|DEBUG|INFO|WARN|ERROR|FATAL
Show command
show log classifier level
store log exception sql
When on, logs the entire SQL command when logging exceptions.
Syntax
store log exception sql <on | off>
Show command
show log exception sql
store log_general_response_length
Use this CLI command to control whether the sniffer logs the response length for every SQL instance.
store log_general_response_length is disabled by default. Enabling response length logging can impact sniffer performance.
Syntax
store log_general_response_length [ enable | disable ]
- enable - Always log the response length. The responseLength value is logged for all entities.
- disable - Do not log the response length (default).
Show command
show log_general_response_length
store log object_join_info
Sets the logging of object_join.
A join table is a way of implementing many-to-many relationships. Use join entity to join tables in a SELECT SQL statement.
Syntax
store log object_join_info [ on | off]
Show command
show log object_join_info
store log session_info
This command enables or disables storing sniffer log session information.
Syntax
store log session_info [ on | off]
Show command
show log session_info
store log sql parser_errors
Sets the logging of syntactically wrong SQL commands.
Syntax
store log sql parser_errors [on|off]
Show command
show log sql parser_errors
store logger_data_destination_config
Use the following CLI commands to optionally configure information for Guardium Big Data Intelligence (GBDI) data streaming such as logger destination, Mongo client authentication (username, auth, database, and mechanism).
store logger_data_destination_config type <database type>
store logger_data_destination_config database_name <db name>
store logger_data_destination_config destination [hostname | port] <value>
store logger_data_destination_config [auth_username | auth_database_name | mechanism] <value>
store logger_data_destination_config data <collection type> [on|off]
Where the collection types are:
- session
- instance
- full_sql
- policy_violations
- exception
Show command
show logger_data_destination_config <parameter>
store logging granularity
Sets the logging granularity to the specified number of minutes. You must use one of the minute values shown in the syntax. The default is 60.
Syntax
store logging granularity <1, 2, 5, 10, 15, 30 or 60>
Show command
show logging granularity
store max_audit_reporting
Sets the audit report threshold in days. The default is 32. When defining reports in an audit process, the number of days of the report (defined by the FROM-TO fields) should not exceed this threshold (one month by default). For more information, see Audit processing notes.
Syntax
store max_audit_reporting <days>
Show command
show max_audit_reporting
store max_result_set_packet_size
Stores the max_result_set_packet_size, which limits the size of a response packet that the inspection engine examines when observing returned data. The default value is 32; valid sizes are between 1 and 65535. This parameter works for any type of database. If a response packet exceeds the defined threshold, the analyzer does not retrieve its data to calculate the records affected value.
Syntax
store max_result_set_packet_size <size>
Show command
show max_result_set_packet_size
store max_result_set_size
Stores the max_result_set_size, which limits the total result set size that the inspection engine examines when observing returned data. The default value is 100; valid sizes are between 1 and 65535. This parameter works for any type of database. If a result set exceeds the defined threshold, the analyzer does not retrieve its data to calculate the records affected value.
Syntax
store max_result_set_size <size>
Show command
show max_result_set_size
store max_tds_response_packets
Stores the max_tds_response_packets, which limits the number of packets in a response that the inspection engine examines when observing returned data. The default value is 5; valid values are between 1 and 65535. This parameter works for MS SQL only. If a response exceeds the defined threshold, the analyzer does not retrieve its data to calculate the records affected value.
Syntax
store max_tds_response_packets <size>
Show command
show max_tds_response_packets
store maximum query duration
Sets the maximum number of seconds for a query to the value specified by n. The default is 180. We recommend that you do not set this value greater than the default, because doing so increases the chances of overloading the system with query processing. This value can also be set from the Running Status Monitor panel on the administrator portal.
Syntax
store maximum query duration <n>
Show command
show maximum query duration
store monitor
Use the store monitor buffer CLI command to
Syntax
store monitor [buffer | custom_db_usage [state <hour>] | gdm_statistics <hour> ]
- buffer - Set the interval of how often to run the script that retrieves the information shown in the Buffer Usage Monitor report of the IBM Guardium Monitor tab.
- custom_db_usage [state] [hour] - Set the state and specify a time to run this job. When state = on, specify the hour (0 - 23) to run.
- gdm_statistics <hour> - Get information about the Unit Utilization, where hour is a value from 0 to 24. Default = 1 (run the script every hour).
Show commands
show monitor buffer
show monitor custom_db_usage
show monitor gdm_statistics
store mysql_utf8mb4
Enable support for 4-byte UTF-8 encoding (utf8mb4).
This command modifies Guardium sniffer processes and internal databases to correctly capture and store 4-byte UTF-8 characters. Enabling utf8mb4 may be useful if datasources in your environment contain 4-byte characters, for example as used for Chinese, Japanese, and Korean ideographs.
- The additional processing required to capture and store 4-byte characters will negatively impact the performance of your Guardium system. For this reason, do not enable utf8mb4 unless you require 4-byte character support in your environment.
- If support for 4-byte UTF-8 encoding is required in an aggregated or centrally managed environment, utf8mb4 should be enabled on all Guardium systems in the environment. Enabling utf8mb4 on only some systems in the environment may create problems, such as failed aggregation or incorrectly displayed reports.
- Data collected or aggregated before enabling utf8mb4 will still be available and function correctly after enabling utf8mb4.
Syntax (12.0)
store mysql_utf8mb4
store mysql_utf8mb4 [--yes]
Where --yes causes the command to run automatically.
Show command
show mysql_utf8mb4
Examples
> show mysql_utf8mb4
mysql configuration NOT set with UTF8MB4. ok
>store mysql_utf8mb4
Attempting to change the mysql config file. It may take time. Please wait.
Start to modify mysql config file
Restarting mysql
Mysql has been restarted. Please exit CLI and log back on.
The parameter IS_UTF8MB4 has been changed to 1.
> show mysql_utf8mb4
mysql configuration set with UTF8MB4. ok
store packet max-size
Limit the maximum size of packets from the sniffer.
Syntax
store packet max-size 1536
Show command
show packet max-size
store pdf-config
Use this command to change the font size and orientation of the PDF image body content (excluding header/footer).
Size unit ranges from 1 (smallest) to 10 (largest) with default value of 6.
Orientation unit is 1 (for landscape orientation) or 2 (for portrait). The default value is 1.
The change takes effect immediately after typing the CLI command and pressing the Enter key.
Syntax
store pdf-config [ orientation | size ]
Show command
show pdf-config [ orientation | size ]
store pdf-config multilanguage_support
There are different static PDF generator config files for English (Used on English version) and language C/J (Used on Chinese/Japanese). Use this CLI command to define the fonts in the PDF generator. Default is English. Multilanguage is language C/J.
Syntax
CLI> store pdf-config multilanguage_support
Current setting is Default
1 Default
2 Multi-language
Please select the option (1,2, or q to quit)
Show command
show pdf-config multilanguage_support
store populate_from_query_maxrecs
Sets the maximum number of records that can be used to populate groups and aliases from a query.
Use caution when setting a maximum records value via this CLI command. Setting it too high may result in incomplete populate group from query processes. The maximum threshold is dynamic and dependent on the system load and memory utilization. The default value is 20,000 records. The maximum configurable value is 200,000 records.
Syntax
store populate_from_query_maxrecs 100000
Show command
show populate_from_query_maxrecs
store product gid
Sets the stored unique product <n> GID value.
Syntax
store product gid <n>
Show command
show product gid
store purge object
Sets the age (in days) at which non-essential objects will be purged. Use the show purge objects age command to display a table showing the index, object name, and age for each object type for which a purge age is maintained. Then use the appropriate index from that table in the command to set the purge age.
Note: The value of number of days will be set to the default (90 days) when the unit type changes between managed unit/Manager/standalone unit.
Syntax
store purge object age <index> <days>
Show command
show purge object age
Example
Assume you want to keep an Event Log for 30 days. First issue the show purge objects age command to determine the index (do not use the table; your list may be different). Then enter the store purge object command.
>show purge objects age
Index Name, Age
... purge objects
>store purge object age 2 30
store quartz_thread_num
This CLI command is for use by Technical Support.
The Java™ Virtual Machine allows the application to have multiple threads. A thread is an independent path of program execution.
Use the store quartz_thread_num CLI command to set the number of threads that can run at the same time.
Use this command to ease conflict between too many threads running at the same time.
The show quartz_thread_num CLI command displays the number of Quartz scheduler threads that run at the same time.
Syntax
store quartz_thread_num <number>
store quartz_thread_num [number [--yes]]
Where --yes causes the command to run automatically, and number is in the range 3 to 15. Default value = 5.
Show command
show quartz_thread_num
org.quartz.threadPoll.threadCount= 5
store remotelog add
Controls the use of remote logging. In addition to system messages, statistical alerts and policy rule violation messages can be written to syslog. For each host and port combination, you can direct messages from the syslog to a remote host. This command works with any syslog implementation that supports TCP or UDP protocol.
If you enable remote logging, be sure that the receiving host can accept the log information.
Syntax
store remotelog add <encrypted | non_encrypted> <facility.priority> <host[:port]> <protocol> [format]
- <encrypted | non_encrypted> - Specify whether the connection to the remote host is encrypted. Guardium suggests that you encrypt all communications to a remote syslog server.
Note: To add an encrypted log, you must provide a signed certificate. For more information, see Encrypting syslog.
- facility - Required. The service routed to the remote logger. To see the available facilities, enter store remotelog add encrypted ? in the CLI.
- priority - Required. The log priority, which can be:
- alert - Guardium severity code HIGH
- all
- crit
- debug
- emerg
- err - Guardium severity code MED
- info - Guardium severity code INFO
- notice
- warning - Guardium severity code LOW
Note: Both facility and priority are required, in the format facility.priority.
- host (required) and port - The remote host name or IP address and optional port to send syslog messages to. The default port is 514.
- protocol - Required. The protocol to use to connect to the remote host.
Protocol can be either:
- tcp
- udp
Note: Only TCP supports encrypted connections to the remote host.
- format - Some SIEM products process IETF RFC 5424 style syslog messages better than the default messages. This parameter changes the syslog format for this remote logger only, to one of the following options:
- default - rsyslog default format.
- rfc5424 - rsyslog RFC 5424 format.
Note: To use RFC 5424 format, the syslog receiver must be configured to accept RFC 5424 format. Otherwise, it receives the log in the default format.
cli> store remotelog add encrypted user.info 9.30.252.111 tcp
cli>store remotelog add non_encrypted user.warning myhost.mycompany.com tcp
tcp forwarder to myhost.mycompany.com added to rsyslog configuration:
user.=warning @@myhost.mycompany.com
Restarting remote logger...
Remote logger restarted successfully
ok
cli> store remotelog clear myhost.mycompany.com
Remote logger configuration updated.
Restarting remote logger...
Remote logger restarted successfully
store remotelog clear
Use this command to clear the specified facility.priority combination from the list of messages to send to the specified host.
Syntax
store remotelog clear <host>
Example
cli> store remotelog clear myhost.mycompany.com
Remote logger configuration updated.
Restarting remote logger...
Remote logger restarted successfully
store remotelog escape_control_characters_on_receive
Use this command to escape the control characters if your system mangles messages that include control characters. The default is on (escape control characters).
Syntax
store remotelog escape_control_characters_on_receive <on|off>
Run restart remotelog to apply the new configuration.
store remotelog format
Sets the default syslog format in the rsyslog configuration (in the global directive $Undoable-in-transactional).
- default - rsyslog default format.
- rfc5424 - rsyslog RFC 5424 format.
Run restart remotelog to apply the new configuration.
store remotelog max_message_size
Use this command to set the maximum message size from 5k to 64k. Specify the maximum message size with a single number, as follows:
- 1 = 5k
- 2 = 10k
- 3 = 15k
- 4 = 20k
- 5 = 32k
- 6 = 64k
Syntax
store remotelog max_message_size <1|2|3|4|5|6>
Run restart remotelog to apply the new configuration.
Show command
Use this command to display the current value of the $MaxMessageSize parameter.
Configuring remotelog receivers
- To configure a receiving system to accept remote logging, edit /etc/sysconfig/syslog on the system to include the -r option. For example: SYSLOGD_OPTIONS=-r -m 0. Then restart the syslog: /etc/init.d/syslog restart
- To send the encrypted remote log message to the server, the rsyslog configuration in the server needs to accept encrypted messages.
- TCP protocol is required to use the encrypted setting on client and server.
- If you change from one mode to another, you need to modify the configuration file to sync with the designated mode and restart the remote service.
Encrypting syslog
Alerts and other messages can be forwarded to a remote syslog receiver, such as a SIEM system. This message traffic can be encrypted from the collector or aggregator to the remote syslog receiver.
Note: Encryption only works in TCP mode. By default, syslog forwarding uses UDP, so if encryption is required, specify TCP. You need the certificate used by the remote syslog receiver. Store that certificate on the Guardium system.
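The argument rules for store remotelog add (encryption requires TCP, facility.priority is mandatory, the port defaults to 514, format is default or rfc5424) and the rsyslog forwarder line shown in the command's example output (user.=warning @@myhost.mycompany.com) can be checked with the following Python script. It is an added example, not Guardium code: it only validates the arguments and renders the classic rsyslog selector line. The rfc5424 rendering through rsyslog's RSYSLOG_SyslogProtocol23Format template, and the host name and port in the sample calls, are assumptions.

```python
"""Validator for 'store remotelog add' arguments and renderer of the rsyslog
forwarder line (added example, not Guardium's implementation)."""

from dataclasses import dataclass

PRIORITIES = {"alert", "all", "crit", "debug", "emerg", "err", "info", "notice", "warning"}
PROTOCOLS = {"tcp", "udp"}
FORMATS = {"default", "rfc5424"}
DEFAULT_PORT = 514  # default syslog port per the documentation


@dataclass(frozen=True)
class RemoteLog:
    encrypted: bool
    facility: str
    priority: str
    host: str
    port: int
    protocol: str
    fmt: str


def parse_remotelog_add(argstr: str) -> RemoteLog:
    """Parse '<encrypted|non_encrypted> <facility.priority> <host[:port]> <protocol> [format]'."""
    parts = argstr.split()
    if len(parts) not in (4, 5):
        raise ValueError("expected 4 or 5 arguments")
    enc, facpri, hostport, proto = parts[:4]
    fmt = parts[4] if len(parts) == 5 else "default"
    if enc not in ("encrypted", "non_encrypted"):
        raise ValueError("first argument must be encrypted or non_encrypted")
    if facpri.count(".") != 1:
        raise ValueError("facility and priority are both required, as facility.priority")
    facility, priority = facpri.split(".")
    if not facility or priority not in PRIORITIES:
        raise ValueError(f"unknown facility.priority {facpri!r}")
    if proto not in PROTOCOLS:
        raise ValueError("protocol must be tcp or udp")
    if enc == "encrypted" and proto != "tcp":
        # Only TCP supports encrypted connections to the remote host.
        raise ValueError("encrypted remote logging requires tcp")
    if fmt not in FORMATS:
        raise ValueError("format must be default or rfc5424")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("host is required")
    port_num = int(port) if port else DEFAULT_PORT
    if not 1 <= port_num <= 65535:
        raise ValueError("port out of range")
    return RemoteLog(enc == "encrypted", facility, priority, host, port_num, proto, fmt)


def rejects(argstr: str) -> bool:
    """True when the argument string is refused by parse_remotelog_add."""
    try:
        parse_remotelog_add(argstr)
    except ValueError:
        return True
    return False


def rsyslog_forwarder(cfg: RemoteLog) -> str:
    """Render the classic rsyslog forwarding rule for a parsed configuration.

    '=priority' selects exactly that priority (as in the page's output
    'user.=warning'); 'all' becomes '*'. '@@' means TCP and '@' means UDP; a
    non-default port is appended as host:port. The TLS stream-driver settings
    that an encrypted forwarder also needs are outside this example."""
    selector = f"{cfg.facility}.*" if cfg.priority == "all" else f"{cfg.facility}.={cfg.priority}"
    target = ("@@" if cfg.protocol == "tcp" else "@") + cfg.host
    if cfg.port != DEFAULT_PORT:
        target += f":{cfg.port}"
    if cfg.fmt == "rfc5424":
        # Assumption: RFC 5424 output uses rsyslog's built-in SyslogProtocol23Format template.
        target += ";RSYSLOG_SyslogProtocol23Format"
    return f"{selector} {target}"


if __name__ == "__main__":
    # Same arguments as the documentation's non-encrypted example.
    print(rsyslog_forwarder(parse_remotelog_add("non_encrypted user.warning myhost.mycompany.com tcp")))
```

The checks mirror the notes above: an encrypted forwarder over udp is refused before anything is written, and a bare facility without a priority is refused because the documented format is facility.priority.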
store runtime_sensitive_object_identifier
This command enables or disables the real-time sensitive-object identifier.
store runtime_sensitive_object_identifier <on|off>
Show command: show runtime_sensitive_object_identifier
store runtime_sensitive_object_identifier_hits
This command defines the threshold for real-time sensitive-object identification patterns that do not use a verification method. For more information, see Real-time sensitive-object identification.
store runtime_sensitive_object_identifier_hits <1-64>
Default value: 3
Show command: show runtime_sensitive_object_identifier_hits
store runtime_sensitive_object_identifier_hits_with_signature
This command defines the threshold for real-time sensitive-object identification patterns that use a verification method.
store runtime_sensitive_object_identifier_hits_with_signature <1-64>
Default value: 1
Show command: show runtime_sensitive_object_identifier_hits_with_signature
store s2c
Sets several configurable parameters for ADMINCONSOLE. These parameters are used for throttling server-to-client (S2C) traffic.
- ANALYZER_S2C_IGNORE = {0,1,2,3}
- MAX_S2C_VELOCITY (K bytes/sec) - number >=0 and <= 2147483647
- MAX_S2C_INTERVAL (sec) - number >=1 and <= 2147483647
See also the CLI command Store Throttle.
Syntax
store s2c
USAGE: store s2c ignore I maxrate M maxinterval T where 0<=I<=3 (level), 0<=M<=2147483647 (K/sec), and 1<=T<=2147483647 (seconds) OR store throttle default.
>store s2c ignore 3 maxrate 300 maxinterval 5007
The new configuration takes effect after you run the restart inspection-core CLI command.
Show command
show s2c
Throttle S2C parameters (defaults):
Ignore: 0
Max rate: 999999
Max interval: 30
-------------------
ANALYZER_S2C_IGNORE (0,1,2,3) - Switch s2c throttling mechanisms on/off based on scenarios. This flag is based on bits. 0 = the s2c throttling mechanism is OFF. 1 = turns on the function described in scenario 1, 2 = turns on the function described by scenario 2. 3 = turns both on.
MAX_S2C_VELOCITY - maximal rate (K bytes/sec). If this rate is exceeded, the analyzer sends an ignore session or ignore session reply request to S-TAP® or the sniffer.
MAX_S2C_INTERVAL - time interval in seconds (default 30 sec.) between successive ignore session or ignore session reply requests.
Scenario 1
The sniffer starts to receive traffic from S-TAP or the network in the middle of a large query. Since all incoming packets are DB server responses, the analyzer creates no new session and therefore sends no information to the logger and rules engine. This type of traffic is useless for the sniffer, but it still adds load on S-TAP and the sniffer.
A throttling mechanism helps to decrease S-TAP and network sniffer load by sending an ignore session message from the analyzer if the S2C velocity is greater than MAX_S2C_VELOCITY. If, for some reason, S-TAP or the network sniffer is not affected, the analyzer sends the ignore session request again after MAX_S2C_INTERVAL seconds. To switch this throttling mechanism on, set the ANALYZER_S2C_IGNORE flag to 1.
Scenario 2
If the incoming traffic has a high S2C rate (greater than MAX_S2C_VELOCITY), the throttling mechanism sends an ignore session reply request to S-TAP for local database connections. If, for some reason, S-TAP is not affected, the analyzer sends the ignore session reply request again after MAX_S2C_INTERVAL seconds. To switch this throttling mechanism on, set the ANALYZER_S2C_IGNORE flag to 2.
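The two scenarios can be modelled as a small decision function. The following Python code is an added example, not Guardium's analyzer: it reproduces the rule that an ignore request is sent when the S2C velocity exceeds MAX_S2C_VELOCITY and is repeated no sooner than MAX_S2C_INTERVAL later, with the ANALYZER_S2C_IGNORE bits selecting scenario 1 and scenario 2. The one-second window over which velocity is measured, the session identifier, and the packet sizes and timing in simulate_burst are constructed assumptions.

```python
"""Model of the analyzer-side S2C throttling decision for 'store s2c'
(added example, not Guardium code)."""

from collections import deque

WINDOW_MS = 1000  # assumption: velocity is measured over the last second


class S2CThrottle:
    """Decides when the analyzer would send an ignore request for a session."""

    def __init__(self, ignore=0, max_velocity_kb=999999, max_interval_s=30):
        # Ranges as printed by the CLI usage text:
        # 0<=I<=3, 0<=M<=2147483647 (K/sec), 1<=T<=2147483647 (seconds)
        if not 0 <= ignore <= 3:
            raise ValueError("ignore must be between 0 and 3")
        if not 0 <= max_velocity_kb <= 2147483647:
            raise ValueError("maxrate out of range")
        if not 1 <= max_interval_s <= 2147483647:
            raise ValueError("maxinterval out of range")
        self.ignore = ignore
        self.max_velocity = max_velocity_kb * 1024       # bytes per second
        self.max_interval_ms = max_interval_s * 1000
        self._packets = {}       # session -> deque of (ts_ms, size)
        self._last_request = {}  # session -> ts_ms of the last request sent

    def velocity(self, session, now_ms):
        """Server-to-client bytes per second seen for the session in the window."""
        q = self._packets.setdefault(session, deque())
        while q and now_ms - q[0][0] > WINDOW_MS:
            q.popleft()
        return sum(size for _, size in q) * 1000 / WINDOW_MS

    def observe(self, session, ts_ms, size, local_connection=False):
        """Record one S2C packet and return the requests the analyzer would send now."""
        self._packets.setdefault(session, deque()).append((ts_ms, size))
        if self.ignore == 0 or self.velocity(session, ts_ms) <= self.max_velocity:
            return []
        requests = []
        if self.ignore & 1:                       # scenario 1: any session
            requests.append("ignore session")
        if self.ignore & 2 and local_connection:  # scenario 2: local DB connections via S-TAP
            requests.append("ignore session reply")
        if not requests:
            return []
        last = self._last_request.get(session)
        if last is not None and ts_ms - last < self.max_interval_ms:
            return []  # wait MAX_S2C_INTERVAL before repeating the request
        self._last_request[session] = ts_ms
        return requests


def simulate_burst(ignore=3, local_connection=True, max_velocity_kb=300, max_interval_s=5):
    """Constructed input: 64 KB response packets every 100 ms for 6 s on one session.

    Returns the (timestamp_ms, requests) pairs at which the analyzer acted."""
    throttle = S2CThrottle(ignore, max_velocity_kb, max_interval_s)
    events = []
    for ts_ms in range(0, 6001, 100):
        sent = throttle.observe("session-1", ts_ms, 65536, local_connection)
        if sent:
            events.append((ts_ms, sent))
    return events


if __name__ == "__main__":
    # With ignore 3, maxrate 300 and maxinterval 5 (as in the page's example),
    # the burst triggers at 0.4 s and is repeated once, 5 s later.
    for ts_ms, sent in simulate_burst():
        print(f"{ts_ms:5d} ms: {', '.join(sent)}")
```

Running simulate_burst with the page's example values shows the first request once five 64 KB packets fall inside one second (327680 bytes/s, above 300 K/sec), and the repeat exactly MAX_S2C_INTERVAL later, even though the velocity stays high throughout; with ignore 2 and a non-local connection nothing is sent, because scenario 2 covers only local database connections.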
store save_result_max_size
This CLI command modifies the GLOBAL_PROFILE field SAVE_RESULT_MAX_SIZE, which sets the maximum number of result records saved in reports generated from the GUI.
Syntax
store save_result_max_size <num>
Where <num> is a number greater than 0.
Show command
show save_result_max_size
store sender_encoding
Use this CLI command to encode outgoing messages (email and SNMP traps) in an encoding scheme other than the default UTF-8, which was previously used for everything.
For example, a Guardium customer wanted to encode all of the outgoing SNMP messages in SJIS - an alternative Japanese encoding.
Syntax
store sender_encoding <str>
where str is the encoding name, with a maximum length of 16 characters
Show command
show sender_encoding
store set_informix_driver_property
Use this command to set the connection property IFX_USE_STRENC=true on all Informix® datasources.
Syntax (12.0)
store set_informix_driver_property
store set_informix_driver_property [--yes]
Where --yes causes the command to run automatically.
store set_partitions_for_queries
Use this CLI command to enable or disable partition selection on queries.
Syntax
store set_partitions_for_queries <on|off>
store snif_alert_only_syslog_with_subject
Use this command to determine whether the subject of alerts displays in the syslog. Set to OFF to hide the subject of alert messages. The default is ON, which displays the alert subject in the syslog.
Syntax
store snif_alert_only_syslog_with_subject on|off
Show command
show snif_alert_only_syslog_with_subject
store snif_double_quote_literal
Use this command to control whether the sniffer handles double-quoted strings as literals and replaces them with question marks when generating masked SQL. By default, the sniffer assumes that double-quoted strings are literals and masks accordingly. The setting is available for several database types. Upon running the command, you are asked to select the database type from a list and define whether quoted strings are treated as literals. Use restart inspection-core to restart the inspection engine core after changing snif_double_quote_literal settings.
> store snif_double_quote_literal
This command controls whether or not snif will consider double quoted strings literals, and replace them
with question marks when generating masked sql.
USAGE: store snif_double_quote_literal
DB type:
1. MySql
2. MemSql
3. MsSql
4. Sybase
5. Informix
0. Quit
Please select DB type to modify (required) 1
Consider double quoted strings literals?
(y/n)? n
The parameter has been changed.
Please restart the inspection core for this change to take effect:
restart inspection-core
ok
show snif_double_quote_literal
> show snif_double_quote_literal
Database types in which snif considers double quoted strings as literals
Mysql: No (default Yes)
MemSql: Yes (default Yes)
MsSql: Yes (default Yes)
Sybase: Yes (default Yes)
Informix: No (default No)
ok
store snif_log_level
Use this command to set the logging level for the sniffer.
store snif_log_level [TRACE | DEBUG | DEFAULT]
Where DEFAULT is the default log level, INFO.
Show command
show snif_log_level
store snif_logger_destination_type
Use this command to control the sniffer logger destination for Guardium Big Data Intelligence ( GBDI) data streaming.
store snif_logger_destination_type [LOCAL | REMOTE]
- LOCAL (default) sets the logger destination to the local database on the Guardium collector.
- REMOTE sets the logger destination to the intermediate database used by GBDI.
For more information, see Big Data Intelligence with data streaming.
store snif_mask_sql_value
Controls the masking of literal values in SQL. For example, 'literal123' is a literal, as shown by the single quotation marks, and is masked; identifier123 is an identifier and displays in the table in clear text.
Syntax
store snif_mask_sql_value on|off
Show command
show snif_mask_sql_value
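Both snif_double_quote_literal and snif_mask_sql_value concern the same operation: replacing literals with question marks in masked SQL while leaving identifiers readable. The following Python function is an added example, not the sniffer's code, that models that rule on constructed statements. The per-database defaults are the ones listed by show snif_double_quote_literal above; masking numeric literals as well as strings is a choice made in this example.

```python
"""Model of SQL literal masking as controlled by snif_mask_sql_value and
snif_double_quote_literal (added example, not Guardium code)."""

# Defaults as listed by 'show snif_double_quote_literal' in the documentation.
DOUBLE_QUOTE_IS_LITERAL = {
    "MySql": True,
    "MemSql": True,
    "MsSql": True,
    "Sybase": True,
    "Informix": False,
}


def mask_sql(sql: str, double_quote_is_literal: bool = True) -> str:
    """Replace literals with '?' and leave identifiers in clear text.

    Single-quoted strings are always literals. Double-quoted strings are
    literals only when double_quote_is_literal is set; otherwise they are
    treated as quoted identifiers and kept. Doubled quotes ('' or "") and
    backslash escapes inside a literal do not terminate it. Numeric literals
    (digits not attached to an identifier) are masked too, an assumption
    of this example."""
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'" or (ch == '"' and double_quote_is_literal):
            j = i + 1
            while j < n:
                if sql[j] == "\\" and j + 1 < n:        # backslash escape
                    j += 2
                    continue
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:  # doubled quote escape
                        j += 2
                        continue
                    break
                j += 1
            out.append("?")
            i = j + 1
        elif ch == '"':                                  # quoted identifier: keep as-is
            j = sql.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(sql[i:j + 1])
            i = j + 1
        elif ch.isdigit() and (i == 0 or not (sql[i - 1].isalnum() or sql[i - 1] == "_")):
            j = i                                        # numeric literal
            while j < n and (sql[j].isdigit() or sql[j] == "."):
                j += 1
            out.append("?")
            i = j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def mask_for_db(sql: str, db_type: str) -> str:
    """Mask using the documented default double-quote setting for db_type."""
    return mask_sql(sql, DOUBLE_QUOTE_IS_LITERAL[db_type])


if __name__ == "__main__":
    # Constructed statements: the same text masks differently for MySql
    # (double quotes are literals) and Informix (double quotes are identifiers).
    stmt = 'SELECT "col" FROM t WHERE name = \'literal123\' AND id = 5'
    print("MySql   :", mask_for_db(stmt, "MySql"))
    print("Informix:", mask_for_db(stmt, "Informix"))
```

The masked form is what a report shows after the sniffer has stripped values, so the setting decides whether a double-quoted string in, say, MySQL traffic is hidden as a value or shown as a column name; after changing it, the page notes that restart inspection-core is needed for the sniffer to pick it up.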
store snif_db2z_alert_use_client_ip_for_host_name
For Db2 z/OS systems only, use this command to enable using the client IP address as the host name for Alert messages. When enabled, the %%clientHostName variable displays the host IP address.
Syntax
store snif_db2z_alert_use_client_ip_for_host_name [on|off]
Show command
show snif_db2z_alert_use_client_ip_for_host_name
store snif_max_db2z_bind_variable_value_size
For Db2 z/OS systems only, use this command to control the length, in KB, of bind variable values. The default length is 2 KB (2047 characters). The maximum length is 4096 KB.
Syntax
store snif_max_db2z_bind_variable_value_size <n>
Where <n> is a number between 2 and 4096, which is the maximum length of the bind variable values in KB.
Show command
show snif_max_db2z_bind_variable_value_size
store snif_use_feed_analyzer_thread
When Guardium processes S-TAPs on multiple ports, you can encounter issues in which multiple S-TAPs use the same queue and buffer. Specifically, if your site uses ports 16016 or 16018 (for UNIX S-TAPs) and ports 16022 (feed protocol) or 16023 (encrypted S-TAP TLS), the S-TAPs default to a shared queue, which can lead to unexpected issues. The store snif_use_feed_analyzer_thread command allows you to have the sniffer use a separate internal queue for these S-TAPs.
The default for store snif_use_feed_analyzer_thread is OFF. If you expect traffic on both ports (that is, 16016 or 16018 and 16021 or 16022), set store snif_use_feed_analyzer_thread to ON before the S-TAPs start.
In addition, if the sniffer detects traffic from both ports, the sniffer sets the parameter to ON, causing the sniffer to use separate queues after the next restart.
store snif_use_feed_analyzer_thread [ON | OFF ]
Show command
show snif_use_feed_analyzer_thread
store ssl_ciphers
store ssl_ciphers [custom]
For store ssl_ciphers without the custom option, Guardium returns a list of ciphers. Specify the number of the cipher (or ciphers) to use. Use a comma to separate multiple cipher numbers.
Click q to quit without making changes.
For store ssl_ciphers custom, you can enter a comma-separated list of ciphers to add.
These changes take effect only after the inspection core is restarted. Use restart inspection-core to restart.
For example:
store ssl_ciphers custom
>You have chosen to configure custom ciphers for the sniffer.
it is your responsibility to ensure that the ciphers are of
acceptable strength and that a common cipher exists between
these ciphers and the ciphers used by the STAPs.
Do you want to continue? [Yes/n] yes
The current list of configured ciphers is:
AES256-SHA,AES128-SHA
Please enter a comma separated ciphers that you wish to use
Hit enter to exit: AES256-SHA256,AES256-SHA,AES128-SHA,DHE-RSA-AES256-SHA256
SSL Ciphers set to AES256-SHA256,AES256-SHA,AES128-SHA,DHE-RSA-AES256-SHA256
These changes will only take effect after the inspection core is restarted ('restart inspection-core')
ok
delete ssl_ciphers
Guardium returns a list of current ciphers. Specify the number of the cipher to delete.
show ssl_ciphers
For more information about supported ciphers, see Cipher suites.
store stap approval
Use this function to block unauthorized S-TAPs from connecting to the Guardium appliance.
If ON, then S-TAPs cannot connect until they are specifically approved.
If an unapproved S-TAP connects, it is immediately disconnected until the IP address of that S-TAP is specifically authorized.
A pre-defined report for approved clients, Approved TAP clients, is available on the Daily Monitor tab.
A valid IP address is required, not the host name.
The CLI command, store stap approval, does not work within an environment where there is an IP load balancer.
Within a central manager environment, after adding the IPs to approved S-TAPs, there is a wait time associated with synchronization that might take up to an hour. After synchronization is complete the approved S-TAP status will appear green in GUI.
Syntax
store stap approval ON | OFF
Show command
show stap approval
GuardAPI command
grdapi store_stap_approval
The new configuration takes effect after running the CLI command, restart inspection-core.
store stap certificate
Stores a certificate from the S-TAP host (usually a database server), on the IBM Guardium appliance. This command functions exactly like the store certificate console command, described later.
Syntax
store stap certificate
You will be prompted as follows:
Please paste your new server certificate, in PEM format.
Include the BEGIN and END lines, then press CTRL-D.
If you have not done so already, copy the server certificate to your clipboard. Paste the PEM-format certificate at the command line, then press CTRL-D. You will be informed of the success or failure of the store operation.
When you are done, use the restart gui command to restart the IBM Guardium GUI.
store stap network_latency
S-TAP verification is a feature by which customers can verify whether an S-TAP is monitoring database traffic. The verification feature is affected by the customer's network traffic and latency. Since latency is different for each customer, there is a need for a way to list and change the default value that the verification feature uses.
Syntax
store stap network_latency
USAGE: store stap network_latency <N>
where N is the number greater than 0 seconds.
The default value is 5 seconds.
Higher values make the S-TAP verification process slower.
Show command
show stap network_latency
store storage-system
Adds or deletes a storage system type for archiving or system backup.
Syntax
store storage-system <NETWORK | Amazon_S3 | Centera | IBMCloud | IBMCOS | NFS | TSM> <backup | archive> <on | off>
Show command
show storage-system
Example
Assume you are currently using Centera for system backups, but want to switch to a TSM system. You must turn off the Centera backup option (unless you want to leave that as another option), and turn on the TSM backup option. The commands to do this are highlighted in the example. The show commands are not necessary, but are for illustration only.
CLI> show storage-system
NETWORK :
CENTERA :
TSM :
SCP : archiving and backing-up
SFTP (formerly FTP) : archiving and backing-up
AMAZON S3 : archiving and backing-up
IBMCloud : archiving and backing-up
IBM COS (formerly Cleversafe) : archiving and backing-up
NFS : backing-up
store support state
Enables (on) or disables (off) the sending of email alerts to the support email address, which can be configured using the forward support email command. By default, the support state is enabled (on), and the default support email address is support@guardium.com.
Syntax
store support state <on | off>
Show command
show support state
store tang server
Sets up the initial connection between the clevis client on a machine and a remote tang server.
You can enter the IP addresses of one or more tang servers. The IP address that is entered first is the primary server; the rest are backup servers. To change the order of the tang servers, clear the keys with the CLI command reset luks keys and then reenter the tang server addresses by running the store tang server command again.
Syntax
store tang server
Show command
show tang server
Shows the most recent tang server to which the Guardium system is connected. The command also displays the backup servers, if any.
store throttle
This CLI command stores the throttle parameters. After you enter this command, you must issue the CLI command restart inspection-core for the changes to take effect.
Throttling filters out (ignores) large packets. It has two modes:
- Thresholds, per session: ignore a session when a long enough burst (duration configurable) of large packets (size configurable) is identified, and stop ignoring the session when its traffic drops below a certain threshold (also configurable).
- Overall: ignore all packets larger than a certain size (configurable) in all sessions. This mode completely ignores long and excessive non-database packets smaller than a predefined size (useful for VNC clients and other types of white-noise traffic).
Use throttling for network traffic that arrives through a SPAN port or hardware TAP. For S-TAP traffic, throttling applies only to network TCP traffic that is picked up by PCAP. See also the CLI command store s2c.
Syntax
store throttle [default | size <s> interval <i> trigger <t> release <r>]
USAGE: store throttle size S interval I trigger T release R
where 0<=S<=2^17 (bytes), 1<=I,T,R,<=2^31 (seconds)
OR store throttle default
Show command
show throttle
Throttle parameters:
Packet size: 228000
Time interval: 604800
Trigger level: 10000000
Release level: 10000000
Parameters
- default - Enter the keyword default to restore the system defaults (no other parameters are used). The default throttling parameters never throttle.
- s - The packet size in bytes, up to a maximum of 2^17 (131072).
The remaining parameters are in seconds, up to a maximum of 2^31 (2147483648):
- i - The time interval
- t - The trigger level
- r - The release level
store timeout
Sets the timeout value of a CLI session or file server session. The default value is 600 seconds. A timeout also closes the CLI session.
If the file server is stopped because of a timeout, the following message appears: Warning : Fileserver stopped because of timeout. The file upload may not be complete. Stopping the process.
Use the CLI command show timeout db_connection to show the socketTimeout value in the conf file, and store timeout db_connection to set the timeout value. The value must be greater than 0. The default value is 25000 seconds. These CLI commands manage the communications between the central manager and the managed unit when DNS is not configured.
Syntax
store timeout cli_session <n>
store timeout fileserver_session <n>
store timeout db_connection <n>
Show command
CLI> show timeout cli_session
600
CLI> show timeout fileserver_session
600
CLI> show timeout db_connection
25000
store timeout classifier
Sets the number of seconds (0 - 9999) to run classifier queries.
Syntax
store timeout classifier <count_query n | sample_query n>
- count_query n - The number of seconds (n) to run a query that determines how many rows are in a particular table.
- sample_query n - The number of seconds (n) to run a query that creates a sample set on which to run the classifier rules. The classifier determines if the table has sensitive data as defined by the rule.
Show syntax
show timeout classifier <count_query | sample_query>
store transfer-method
Sets the file transfer method. Specify FTP to select the SFTP protocol (SFTP replaces FTP).
Syntax
store transfer-method <FTP | SCP>
Show command
show transfer-method
store uid_chain_polling_interval
Set the interval for UID Chain polling with this CLI command. UID Chain is a mechanism that allows S-TAP (by way of K-TAP) to track the chain of users that preceded a database connection.
Set the interval to 0 to turn off UID Chain processing and improve database performance. When UID Chain processing is turned off, calculating the UID Chain and updating child sessions are skipped.
Syntax
store uid_chain_polling_interval <n>
where n is the time in minutes (>= 1 minute; the default is 2 minutes). Set n = 0 to turn off UID Chain processing.
Show command
show uid_chain_polling_interval
store upd_session_end
This CLI command adds an option to skip the update for the session_end time using Session Inference. For more information, see Session Inference.
Syntax
store upd_session_end <on | off>
Show command
show upd_session_end
store unit type
Use this CLI command to set unit type attributes for the Guardium appliance. See Table 2 for a description of all unit type attributes you can display with this command.
Syntax
store unit type [manager | standalone] [netinsp] [stap] [mainframe] [sink]
Use store unit type sink to switch the collected DRDA traffic timestamp granularity from 1 millisecond to 1 microsecond.
Show command
show unit type
Table 2. Unit type attributes

Attribute | Description
---|---
mainframe | The unit is a mainframe (z/OS®) network inspection appliance.
manager | Central manager functions are enabled for this unit.
netinsp | Inspection of network traffic is enabled.
network route static | Removes one line off the static routing table
standalone | Local management (independent of a central manager)
stap | The unit can receive data from and manage S-TAP and CAS agents.
store update_success_value
This CLI command enables or disables the success value flag. When enabled, Guardium updates the SUCCESS field in the GDM_CONSTRUCT_TEXT table for each SQL record.
Syntax
store update_success_value [ enable | disable ]
Show command
show update_success_value
store va max_detail
This CLI command regulates the maximum number of detail records for query-based security assessment tests.
Syntax
store va max_detail [on <num> | off]
- on <num> - Enables the limit and sets it to <num>.
- <num> - A number in the range 10 to 2147483647. The default value is 20000.
- off - Disables this functionality.
Show command
show va max_detail
store wkc_configuration
Use this CLI command to integrate and configure IBM Knowledge Catalog with Guardium on managed units. For more information, see Integrating with IBM Knowledge Catalog for federated data protection. If enabled, the CLI requires the IBM Knowledge Catalog URI, user name, and password.
Syntax
store wkc_configuration
A list of the available parameters is displayed:
- wkc_enabled - false (not enabled).
- wkc_persistent_cache_enabled - Default = false (disabled).
- wkc_action_on_unsupported - Default = 1 (deny). If Guardium receives an unexpected response (or no response) from IBM Knowledge Catalog, you can choose to allow (0) or deny (1) the user access to IBM Knowledge Catalog data assets. The default is 1, that is, treat access to the assets as if the IBM Knowledge Catalog policy rule action Deny access to data is triggered. Specify 0 to allow access to data assets, which treats the connection as approved.
- wkc_cache_ttl - The time-to-live (in minutes) for each decision in the primary cache. Default = 60. Maximum = 1440.
- wkc_persistent_cache_ttl - The time-to-live (in days) for each decision in the persistent cache. Default = 7. Maximum = 30.
- wkc_cache_size - Maximum number of cache entries. Default = 1000.
- wkc_persistent_cache_size - The maximum size of the persistent cache. Default = 100000.
- wkc_log_level - Default = 4. Log levels range from 1 (FATAL) to 8 (TRACE), with the following meanings:

Log level | Type | Meaning
---|---|---
1 | FATAL | The application is likely to terminate.
2 | CRITICAL | The application might not continue to run successfully.
3 | ERROR | An operation did not complete successfully, but the application as a whole is not affected.
4 | WARNING | An operation completed with an unexpected result.
5 | NOTICE | An informational message, but with a higher priority.
6 | INFORMATION | An informational message, usually denotes that an operation completed successfully.
7 | DEBUG | A debugging message.
8 | TRACE | A trace message. The lowest priority.

- wkc_log_max_files - Default = 10. Maximum = 100.
- wkc_log_max_file_size - Default = 10 MB. Maximum = 50 MB.
- wkc_dps_uri - The URI of the IBM Knowledge Catalog service.
- wkc_asset_user - The owner of this asset. Can be either dbuser or appuser. Default = dbuser.
- wkc_server_auth_username - The IBM Knowledge Catalog user name.
- wkc_server_auth_password - The password for the associated IBM Knowledge Catalog user.
- wkc_column_alias - Available with patch 110p525 and later releases. Specify whether to use an alias for the column name, and if so, what type of alias. Specify one of the following, or press Return to use the default (Column_name):
- C - Column-name: Default. Use the original COLUMN_NAME as the alias for the full UDF.
- N - None. Do not use any alias for UDFs.
- S - Short_udf. Use the short form of the UDF signature.
For more information, see Column alias parameter in Setting up a transformation integration.
Store each element of the IBM Knowledge Catalog configuration separately, and then select 0 (zero) to end and Yes to confirm.
- 1. wkc_enabled
- 12. wkc_dps_uri
- 14. wkc_server_auth_username
- 15. wkc_server_auth_password
You can use the defaults for the remaining parameters.
Show command
show wkc_configuration
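As an added illustration (not Guardium's own code), the following Python model shows how the wkc_action_on_unsupported, wkc_cache_ttl and wkc_cache_size parameters described above interact: catalog decisions are cached for the TTL, the cache is bounded, and an unexpected or missing catalog response falls back to the configured action, which by default denies access. The class and method names, and the choice not to cache the fallback decision, are assumptions of this model.

```python
# Added illustrative model (not Guardium code) of the wkc_* decision cache.
# Parameter names mirror the CLI; class/method names are assumptions.
import time
from collections import OrderedDict

ALLOW, DENY = 0, 1  # values accepted by wkc_action_on_unsupported


class WkcDecisionCache:
    def __init__(self, cache_ttl=60, cache_size=1000,
                 action_on_unsupported=DENY, now=time.time):
        self.ttl_seconds = cache_ttl * 60        # wkc_cache_ttl is in minutes
        self.cache_size = cache_size             # wkc_cache_size
        self.action_on_unsupported = action_on_unsupported
        self.now = now                           # injectable clock for testing
        self._entries = OrderedDict()            # (user, asset) -> (decision, expires_at)

    def lookup(self, user, asset):
        # Return a cached decision, or None if absent or past its TTL.
        key = (user, asset)
        entry = self._entries.get(key)
        if entry is None:
            return None
        decision, expires_at = entry
        if self.now() >= expires_at:
            del self._entries[key]               # never reuse a stale decision
            return None
        self._entries.move_to_end(key)           # mark as recently used
        return decision

    def store(self, user, asset, decision):
        # Cache a decision for the TTL, evicting the least recently used entry.
        self._entries[(user, asset)] = (decision, self.now() + self.ttl_seconds)
        self._entries.move_to_end((user, asset))
        while len(self._entries) > self.cache_size:
            self._entries.popitem(last=False)

    def decide(self, user, asset, catalog_response):
        """catalog_response is 'allow', 'deny', or None when the catalog
        answered unexpectedly or not at all. Returns ALLOW or DENY."""
        cached = self.lookup(user, asset)
        if cached is not None:
            return cached
        if catalog_response == "allow":
            decision = ALLOW
        elif catalog_response == "deny":
            decision = DENY
        else:
            # Model assumption: the fallback is applied but not cached,
            # so the next request consults the catalog again.
            return self.action_on_unsupported
        self.store(user, asset, decision)
        return decision
```

With the default action_on_unsupported the model fails closed: a catalog outage yields DENY until a real decision is obtained, and an expired decision is discarded rather than reused.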
traceroute
This command is a diagnostic tool that traces the route that packets take across an IP network.
Syntax
traceroute <host> <max hops> <wait time>
- host: A valid IP address or hostname.
- max hops: The maximum number of hops (default is 30).
- wait time: The time in seconds to wait for a response to a probe (default is 5 seconds).
unregister management
The unregister command restores the configuration that was saved when the appliance was registered for central management.
Syntax
unregister management
- This command is intended for emergency use only, when the central manager is not available.
- After unregistering using this command, you should also unregister from the central manager (from the Administration Console), since that is the only way the count of managed units will be reduced. The count of managed units is authorized by the product key.