System CLI Commands
Use these CLI commands to view and configure system settings.
show openssh version
Shows the OpenSSH version of the Guardium system.
Syntax
show openssh version
show openssl version
Shows the OpenSSL version of the Guardium system.
Syntax
show openssl version
show os version
Shows the operating system version of the Guardium system.
Syntax
show os version
start ecosystem
Use this command to restart the entire set of ecosystem processes. This restart is necessary after you install patches, run upgrades and some other operations.
Syntax
start ecosystem
stop ecosystem
Use this command to temporarily and gracefully stop the entire set of ecosystem processes. You need to stop the ecosystem for patching, upgrades and some other operations.
Syntax
stop ecosystem
store allow_reinstall
When you install Guardium from CD or DVD media, due to host server settings, the media is not always ejected correctly. In this case, when the system is rebooted, it can cause the system to keep reinstalling from the media, rather than rebooting only.
"Already installed 11.3.0, continue to reinstall (c) or reboot with any other key: "
In this case, press c to reinstall, or any other key to reboot.
If allow_reinstall is set to on, the system reinstalls from the media without prompting.
Syntax
store allow_reinstall [on | off]
The default is off.
Show command
show allow_reinstall
store system apc
Use this command to configure automatic powering down options when a UPS is attached. The UPS must be attached to a USB connector (serial connections for a UPS are not supported).
Sets the minimum charge percent (0-100) before powering down, or the number of seconds to run on battery power before powering down. The defaults are 25 (percent) and zero (seconds).
The following commands start and stop the apc process. The apc process is disabled by default.
Syntax
store system apc [battery-level <percent> | timeout <seconds>]
store system apc start
store system apc stop
Show command
show system apc [battery-level | timeout]
store system auditlog-passthrough
Use this command to enable or disable the passing-through of system audit log data from the auditd service to the local syslog. Because the system audit log is verbose, the auditlog-passthrough feature is best used along with remote logging. For more information about remote logging, see Configuration and control CLI commands.
The auditlog-passthrough feature is disabled by default.
Syntax: store system auditlog-passthrough [on | off]
> store sys aud on
Restarting auditd service to pick up the change.
Reloading configuration: [ OK ]
Auditd to syslog passthrough is enabled.
ok
Show command: show system auditlog-passthrough
store system banner
Use this CLI command to create a banner at the CLI login. You can use the banner to create your own welcome message, warn about unauthorized access, or provide other useful information.
Syntax
store system banner [message | clear | default]
store system banner clear: Remove an existing banner message.
store system banner message: Create a banner message. Enter the banner message and then press CTRL-D.
store system banner default: Reset the banner to the default message.
Show command
show system banner
store system classifier profile
Use this command to adjust the memory available for classification.
Syntax
store system classifier profile [default|small|medium|large|max]
- default - 4 GB (same as large)
- small - 1 GB
- medium - 2 GB
- large - 4 GB
- max - 8 GB
Show command
show system classifier profile
store system clock datetime
Use this CLI command to set the system clock's date and time to the specified value.
Syntax
store system clock datetime <YYYY-mm-dd hh:mm:ss>
- YYYY - year
- mm - month
- dd - day
- hh - hour (in 24-hour format)
- mm - minutes
- ss - seconds.
Show command
show system clock <all | datetime | timezone>
Example
store system clock datetime 2018-10-03 12:24:00
store system clock timezone
Use this CLI command to list the allowable time zone value (list option), or set the time zone for this system to the specified time zone. Use the list option first to display all available time zones, and then enter the appropriate time zone from the list.
IBM® Guardium® also logs the local time zone in the standard audit trail to address cases where data is used in (or aggregated with) data that is collected in other time zones.
Syntax
store system clock timezone <list | timezone>
Show command
show system clock <all | timezone | datetime>
Example
Use the command first with the list option to display all available time zones. Then enter the command a second time with the appropriate zone.
CLI> store system clock timezone list
Timezone: Description:
--------- -----------
Africa/Abidjan:
Africa/Accra
Africa/Addis_Ababa:
...
...output deleted
...
CLI> store system clock timezone America/New_York
store system conntrack
This CLI command sets the current status of the connection tracking subsystem of the Linux® kernel.
Syntax
store system conntrack <ON|OFF>
Show command
show system conntrack
store system cpu profile
Allow configuration of CPU scaling from a CLI command on hardware that supports CPU scaling.
Use this CLI command to set the appropriate CPU scaling policy for your needs:
- conservative - Less power usage, conservative scaling
- balanced - Medium power usage, fast scale up
- performance - Runs the CPUs at maximum clock speed
Guardium software sets the scaling policy to Performance upon installation.
Syntax
store system cpu profile [min|perf|max]
Show command
show system cpu profile
store system custom_db_size
Use this CLI command to set the maximum size of the custom database table (in MB). The default value is 4000 MB.
Syntax
CLI> store system custom_db_max_size
USAGE: store system custom_db_max_size <N>
where N is number larger than 4000.
Show command
show system custom_db_size
store system domain
Sets the system domain name to the specified value.
Syntax
store system domain <value>
Show command
show system domain
store system fipsmode
Use this command to enable or disable Federal Information Processing Standard (FIPS) cryptographic standards.
Syntax
Show command
show system fipsmode
store system hostname
Sets the system's hostname to the specified value.
Syntax
store system hostname <value>
Show command
show system hostname
store system ipmode
Use this command to change the IP (Internet Protocol) mode of your Guardium system. For more information, see Internet Protocol modes.
store system ipmode [ipv4|ipv6|dual]
Show command
show system ipmode
store system issue
Use this CLI command with the message parameter to receive input from the console until CTRL-D and write it to /etc/motd after removing from the input any $, \, followed by single letter, and ` characters. Use this command to enter messages that make this system compliant with the security policies of customers.
Use this CLI command with the clear parameter to restore /etc/motd to the default version.
store system issue [message | clear]
store system netfilter-buffer-size
Syntax
store system netfilter-buffer-size
Show command
Displays the S-TAP® netfilter buffer size. The default is 65536 packets.
show system netfilter-buffer-size
show system ntp diagnostics
Use this CLI command to run ntpq -p and ntptime and send the output directly to the screen. The Guardium system queries ntpd from localhost via UDP.
Syntax
show system ntp diagnostics
Example
CLI> show system ntp diagnostics
Output from ntpq -p :
localhost.localdomain:
-------------------------------------------------------------------
Output from ntptime :
(Note that if you have just started the ntp server, it may report an 'ERROR' until it has synchronized.)
-------------------------------------------------------------------
ntp_gettime() returns code 5 (ERROR)
time d3443c21.47a46000 Thu, Apr 26 2012 17:26:57.279, (.279852),
maximum error 16384000 us, estimated error 16384000 us
ntp_adjtime() returns code 5 (ERROR)
modes 0x0 (),
offset 0.000 us, frequency 0.000 ppm, interval 1 s,
maximum error 16384000 us, estimated error 16384000 us,
status 0x40 (UNSYNC),
time constant 2, precision 1.000 us, tolerance 512 ppm,
store system ntp [all | server | state]
store system ntp server
Sets the hostname of up to three NTP (Network Time Protocol) servers. To enable the use of an NTP server, you must use the store system ntp state on command. To define a single NTP server, enter its hostname or IP address. To define multiple NTP servers, enter the command with no arguments, and you are prompted to supply the NTP server hostnames.
Syntax
store system ntp [ all | server | state ]
store system ntp server
USAGE: store system ntp server
For each server enter either ip or hostname
Enter up to 3 NTP servers to store:
Show command
show system ntp <all | server>
Delete command
delete ntp-server
store system ntp state
Enables or disables use of an NTP (Network Time Protocol) server.
Syntax
store system ntp state <on | off>
Show command
show system ntp <all | state>
store system patch
The parameters for this command are cleanup and install.
Store system patch cleanup
Deletes the patches that are selected from an itemized list.
> store system patch cleanup
Patches:
1. SqlGuard-11.0p118.tgz.enc.sig
2. SqlGuard-11.0p121.tgz.enc.sig
3. SqlGuard-11.0p123.tgz.enc.sig
4. SqlGuard-11.0p125.tgz.enc.sig
Please choose the patches to remove by item number (1 to 4)
Specify multiple patches with comma separated numbers
Specify ALL for all
q to quit
Patch item number(s): all
SqlGuard-11.0p118.tgz.enc.sig removed
SqlGuard-11.0p121.tgz.enc.sig removed
SqlGuard-11.0p123.tgz.enc.sig removed
SqlGuard-11.0p125.tgz.enc.sig removed
Ok
store system patch preservation [on | off]
When patch preservation is turned on, Guardium patches are not automatically deleted after an installation failure. You can attempt reinstallation after fixing issues, if any.
Store system patch install
Installs a single patch or multiple patches as a background process. The ftp and scp options copy a compressed patch file from a network location to the IBM Guardium appliance. A compressed patch file can contain multiple patches, but you can install only one patch at a time. To install more than one patch, choose all the patches that need to be installed, separated by commas. Internally, the CLI submits requests for each patch on the list (in the order that is specified by the user). The first patch takes the request time that is provided by the user and each subsequent patch runs 3 minutes after the previous one. In addition, the CLI checks to see whether any specified patches are already requested and does not allow duplicate requests.
Use the sys option when you install a second (or subsequent) patch from a compressed file that was copied to the IBM Guardium appliance by previously using this command.
To display a complete list of applied patches, see the Installed Patches report from the Guardium UI. Find this report from , , or .
In the store system patch install CLI command, you can choose multiple patches from the list.
Syntax
store system patch install <type> <date> <time>
type - The installation type - cd | ftp | scp | sys
date, time - The patch installation request time, date is formatted as YYYY-mm-dd, and time is formatted as hh:mm:ss
If no date and time are provided, or if you enter NOW, the installation request time is NOW.
Parameters
Regardless of the option selected, you are prompted to select a patch to apply, for example:
Please choose one patch to apply (1-n,q to quit):
cd - To install a patch from a CD, insert the CD into the IBM Guardium CD ROM drive before you run this command. A list of patches that are contained on the CD is displayed.
ftp or scp - To install a patch from a compressed patch file located somewhere on the network, use the ftp or scp option, and respond to the prompts shown. Be sure to supply the full path name for the patch, including the file name. For example:
Host to import patch from:
User on hostname:
Full path to the patch, including name:
Password:
For store system patch install scp, you can use a wildcard ( * ) for the patch file name.
The compressed patch file is copied to the Guardium appliance, and a list of the patches contained in the file is displayed.
sys - Use this option to apply a second or subsequent patch from a patch file that has been copied to the IBM Guardium appliance by a previous store system patch execution.
The store system patch install command does not delete the patch file from the IBM Guardium appliance after the installation. You do not need to remove the patch file: the same patches can be reinstalled over existing patches, and keeping patch files around can help in analyzing various problems. However, a user can remove patch files by hand or by using the CLI command diag. (Note: the CLI command diag is restricted to certain users and roles.)
To delete a patch install request, use the CLI command delete scheduled-patch.
Show command
show system patch <available | installed | preservation | staged | status>
- available - Displays the patches that are available for installation.
- installed - Displays the patches that are being installed or already installed.
- preservation - Displays the patch preservation status. When preservation is turned off, a patch is deleted after a failed installation attempt. When preservation is turned on, the patch is not deleted and you can attempt installation again.
- staged - Displays the patch files that are residing in the patches directory.
- status - Displays the status of a patch that is currently being installed.
store system public key
This command shows the outbound public SSH key for the standard users. The outbound SSH key pair is generated internally by the appliance, rather than stored from user input. If you adopt the public SSH key generated by the appliance, you can set up SSH export for the standard users: cli, grdapi, and tomcat. All of the standard users use a common outbound SSH key.
store system public key <cli | grdapi| tomcat | reset>
store system public key <cli | grdapi| tomcat | reset [--yes]>
- cli, grdapi, or tomcat - Stores an existing public SSH key in the respective path.
- reset - Regenerates the outbound SSH Keys for the standard users.
Where --yes causes the command to reset automatically.
Show command
Displays an existing system public key for the CLI, GuardAPI, or Tomcat. If the public key does not yet exist, use show system public key to generate new outbound SSH keys. The SSH key pair is associated with the standard users: cli, grdapi, tomcat, and root.
show system public key < cli | grdapi | tomcat >
store system public key authorized
This command allows users to connect to the Guardium appliance by using SSH keys instead of passwords.
Syntax
store system public key authorized
Show command
Display the contents of an existing authorized public key.
show system public key authorized
- Connect to the Guardium appliance as the cli user:
ssh cli@guardium_host
- Add the newly created public key:
store system public key authorized
- At the prompt, paste the contents of the public key:
Please paste the SSH public key content here. Then press <ENTER> to continue.
The following message displays if the key is added:
Key for your_email@example.com is added
ok
- Run the following command to make sure that the key is available.
show system public key authorized
your_email@example.com
ok
- You can now connect to the Guardium appliance that uses public key authentication. For example:
ssh cli@guardium_host
Note: If you specify a file name (rather than using the default id_rsa), then use the -i option when you run the ssh command and specify the location of the private key. For example,
ssh -i ~/.ssh/different_key_name cli@guardium_host
Delete command
delete system public key authorized
Displays a list of available public keys. Specify the number of the key that you want to delete.
store system public-transfer-key
Creates, deletes, and regenerates the transfer ssh-key pair for transferring data to a remote host by using the ssh-key pairs. For more information, see Enabling ssh-key pairs for data archive, data export, data mart.
Syntax
store system public-transfer-key <create | delete | regenerate >
Where:
create - Create the ssh-key pair.
delete - Delete the ssh-key pair.
regenerate - Delete the existing ssh-key pair and then create a new ssh-key pair.
Show command
show system public-transfer-key
Returns the public part of the transfer key.
store system remote-root-login
Enables or disables remote root login over SSH. Secure Shell or SSH is a network protocol that allows data to be exchanged by using a secure channel between two networked devices.
Syntax
store system remote-root-login ON|OFF
Show command
show system remote-root-login
store system ssh
This command sets the security options on the ssh service for the system.
store system ssh <secure|default>
- secure - Improves the SSH key exchange algorithm (KEX).
- default - Turns secure KEX off.
After you run this CLI command, the SSH service restarts.
store system scp-ssh-key-mode
Enables or disables scp-ssh-key-mode, which allows ssh-key pairs to be used for data archive, data export, and data mart, without passwords. For more information, see Enabling ssh-key pairs for data archive, data export, data mart.
store system scp-ssh-key-mode on|off
Show command
show system scp-ssh-key-mode
store system serialtty
In some environments, the serial TTY is not available, so it can never be started successfully. The resulting failure can appear in the system log and be forwarded to a SIEM. The serial TTY is enabled by default to permit connectivity, but can be disabled later if it is determined that serial consoles are unavailable to the system.
Syntax
store system serialtty <on | off>
Show command
show system serialtty
Reports whether or not serial TTYs are enabled on the system.
Reports either:
Serial TTY consoles are enabled on this system.
Serial TTY consoles are disabled on this system.
store system scheduler
Scheduling is managed by a timing mechanism within the IBM Guardium application. If the timing function is disrupted, it will restart after the restart interval designated by this CLI command.
Use store system scheduler restart_interval [5 to 1440 or -1] to restart the timing function after 5 minutes to 1440 minutes. The default is -1, which means the timing restart mechanism is not installed.
Use store system scheduler wait_for_shutdown [ON | OFF] to restart the scheduler after all jobs currently running finish. The parameters are ON or OFF.
Syntax
store system scheduler restart_interval [5 to 1440 or -1]
store system scheduler wait_for_shutdown [ON | OFF]
Show command
show system scheduler
store system service_status
Syntax
store system service_status [enable | disable] <service-name>
- enable, disable - Specify whether to enable or disable a specified service.
- service-name - The name of a Guardium service that you can start or stop.
Show command
Syntax
show system service_status [ all | <service-name> ]
Display the status of all available Guardium appliance services or specify a service to view. Run show system service_status with no parameters to see the list of services that you can view.
store system signature [on | off]
When turned off, enables deployment of apps that do not have signatures. Turn off store system signature when you are testing an app on your Guardium system; otherwise the app is blocked. In production this parameter should be on since you are using certified apps from the App Exchange.
Syntax
store system signature [on | off]
store system snif-alerts-facility
This parameter allows the user to configure the facility for snif generated alerts. Previously alerts directly generated by snif used the user facility while indirect alerts used the daemon facility (via the guard_sender utility).
Syntax
store system snif-alerts-facility <facility>
USAGE: store snif-alerts-facility <facility>
facility is one of: daemon ftp local0 local1 local2 local3 local4 local5 local6 local7 lpr user
The default facility is daemon.
Show command
show system snif-alerts-facility
store system snif-buffers-reclaim
Use this CLI command only when directed by IBM Guardium Technical Services.
The new configuration takes effect after you run the restart inspection-core CLI command.
Syntax
store system snif-buffers-reclaim [ON | OFF]
Show command
show system snif-buffers-reclaim
store system snif-thread-number
Use this CLI command to specify how many threads are running.
The new configuration takes effect after you run the restart inspection-core CLI command.
Syntax
store system snif-thread-number [new | default]
Show command
show system snif-thread-number
Snif is running with 6 threads on the 32-bit system.
show system snmp engineid
Use this CLI command to display the SNMP engine ID for the IBM Guardium appliance.
Syntax
show system snmp engineid
store system snmp contact
Stores the email address for the SNMP contact (syscontact) for the IBM Guardium appliance. The default is info@guardium.com.
Syntax
store system snmp contact <email-address>
Show command
show system snmp contact
store system snmp location
Stores the SNMP system location (syslocation) for the IBM Guardium appliance. The default is Unknown.
Syntax
store system snmp location <string>
Show command
show system snmp location
store system snmp query community
Stores the SNMP system query community for the IBM Guardium appliance. The default is guardiumsnmp. This command is valid only for SNMP version 2c.
Syntax
store system snmp query community <string>
Show command
show system snmp query community
store system snmp update_user
Use this command to update an existing SNMP user account for an SNMP version 3 system.
store system snmp update_user
This command overwrites all the information for an existing SNMP user account. Similar to store system snmp user create, you need to provide a username, authentication protocol and passphrase, and encryption protocol and passphrase.
store system snmp user
Use this command to create or remove an SNMP user account for an SNMP version 3 system. You can create only one SNMP user account. The default encryption protocol is AES-128.
store system snmp user [ create | delete ]
- create - Creates an SNMP user account for this machine. To create an SNMP user account, you need to provide a username, authentication protocol and passphrase, and encryption protocol and passphrase. The CLI walks you through the process. For example,
> store system snmp user create
Enter SNMPv3 user name: fred
Enter authentication protocol < MD5 | SHA > or 'q' to quit. (Default authentication protocol is MD5) : md5
Create authentication passphrase (8 to 12 chars): ********
Re-enter authentication passphrase: ********
Enter Encryption protocol < DES | AES > or 'q' to quit. (Default encryption protocol is AES.): des
Create encryption passphrase (8 to 20 chars): ********
Re-enter encryption passphrase: ********
ok
After you provide the required information, Guardium adds the SNMP user. For example:
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser fred MD5 "fred1234" DES 1234fred
adding the following line to /etc/snmp/snmpd.conf:
rouser fred
ok
- delete - Removes the current SNMP user account.
show system snmp user
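The createUser and rouser lines that the CLI reports writing can be checked offline for weak SNMP settings, as in the following Python example. It is an added example, not IBM or Guardium code: the function name audit_snmpd_conf, the finding codes, and every sample line other than the two fred lines are constructed for illustration. It assumes the files use the standard net-snmp createUser, rouser/rwuser and rocommunity/rwcommunity directives.

```python
import shlex

WEAK_AUTH = {"MD5"}   # the CLI prompt on this page offers MD5 or SHA
WEAK_PRIV = {"DES"}   # the CLI prompt on this page offers DES or AES
DEFAULT_COMMUNITY = "guardiumsnmp"   # default v2c query community per this page

# Constructed sample: the two "fred" lines are the ones this page shows being
# written; every other line is hypothetical and added for contrast.
SAMPLE_CONF = '''\
# constructed sample, not taken from a real appliance
createUser fred MD5 "fred1234" DES 1234fred
rouser fred
rocommunity guardiumsnmp
createUser ops SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser ops priv
'''


def _skip_option(args, flag):
    """Drop a leading '<flag> VALUE' pair such as '-e ENGINEID' or '-s SECMODEL'."""
    return args[2:] if len(args) >= 2 and args[0] == flag else args


def audit_snmpd_conf(text):
    """Return (line_number, code, detail) findings for net-snmp config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)   # honours quotes and '#'
        except ValueError as exc:                      # e.g. unbalanced quote
            findings.append((lineno, "parse-error", str(exc)))
            continue
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]

        if directive == "createuser":
            args = _skip_option(args, "-e")
            if len(args) < 3:
                findings.append((lineno, "parse-error", "incomplete createUser"))
                continue
            user, auth = args[0], args[1].upper()
            priv = args[3].upper() if len(args) > 3 else None
            if auth in WEAK_AUTH:
                findings.append((lineno, "weak-auth", f"{user}: {auth}"))
            if priv is None:
                findings.append((lineno, "no-priv", f"{user}: no encryption"))
            elif priv in WEAK_PRIV:
                findings.append((lineno, "weak-priv", f"{user}: {priv}"))

        elif directive in ("rouser", "rwuser"):
            args = _skip_option(args, "-s")
            if not args:
                continue
            # net-snmp: with no level given, the minimum level is "auth", so
            # authenticated but unencrypted requests are accepted.
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append((lineno, "priv-not-enforced",
                                 f"{args[0]}: minimum level is {level}"))

        elif directive in ("rocommunity", "rwcommunity"):
            if args and args[0] == DEFAULT_COMMUNITY:
                findings.append((lineno, "default-community", args[0]))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {code:18} {detail}")
```

On the constructed sample, the fred lines produce weak-auth, weak-priv and priv-not-enforced findings, while the SHA/AES user with rouser ops priv produces none.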
store system snmp version
Use this CLI command to switch between SNMP version 2c and SNMP version 3. The default is v2c. If your system uses SNMPv3, use this command to update Guardium.
Syntax
store system snmp version [v2c | v3]
- v2c: SNMP version 2c
- v3: SNMP version 3
show system snmp version
Examples
test.usma.ibm.com> show system snmp version
SNMP Version : v2c
ok
test.ibm.com> store system snmp version v3
snmp version v3 enabled
ok
test.usma.ibm.com> show system snmp version
SNMP Version: v3
ok
store system ssh-dsa state
This command enables or disables SSH DSA authentication.
Syntax
store system ssh-dsa state [ON | OFF ]
- ON: Activates the DSA host keys that are propagated from an upgrade. If no such keys exist, then DSA host keys are generated on SSH start-up.
- OFF: Inactivates any DSA host keys. DSA is inactivated on SSH start-up.
Show command
show system ssh-dsa state
store system sshd-max-connection
This command allows the maximum number of concurrent sshd connections to be configured. The range is between 100-500. The default value is 250.
Syntax
store system sshd-max-connection <value>
Show command
show sys sshd-max-connection
store system websmartcard
The command enables or disables smart card authentication. For more information, see Enabling Smart card authentication.
Syntax
store system websmartcard [on | off ]
Show command
show system websmartcard
store system admin-only
When smart card or SAML authentication is enabled, run the store system admin-only on command to allow the admin or accessmgr accounts to log in to the Guardium system by using a standard login and password screen.
When enabled, the admin or accessmgr user accesses a separate login page by appending /admin to the URL of the Guardium system. Example URL: https://www.[your_guardium_system's_domain_name].com:[port_number]/admin.
For more information, see Enabling Smart card authentication.
Syntax
store system admin-only [on | off ]
Show command
show system admin-only