secure_settings

12.1 and later This API command is used to manage the security commands in Guardium.

REST API syntax

This API is available as a REST service with the secureSettings method. Call this API as follows:
PUT https://[Guardium hostname or IP address]:8443/restAPI/secure_settings

GuardAPI syntax

secure_settings parameter=value

Parameters

Parameter Value type Description
component String Valid values are:
  • sshd
  • ciphers
  • services
api_target_host String

Specifies the target hosts where the API executes. Valid values:
  • all_managed: execute on all managed units but not the central manager
  • all: execute on all managed units and the central manager
  • group:<group name>: execute on all managed units identified by <group name>
  • host name or IP address of a managed unit: specified from the central manager to execute on a managed unit.  For example, api_target_host=10.0.1.123.
  • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.

Secure settings for ssh
Parameter Value type Description
show String Valid values are:
  • all
  • dsa_state
  • max_connection
  • port_number
  • secure_state
  • ssh_key_mode
  • ssh_match_address
  • version
store String Valid values are:
  • dsa_state
  • max_connection
  • port_number
  • secure_state
  • ssh_key_mode
  • ssh_match_address
value String Options are:
  • on
  • off
  • secure
  • default
  • <number>
  • <address_expression>
Secure settings for ciphers
Parameter Value type Description
type String Valid values are:
  • java
  • inspection_core
delete String Valid value is:
  • <cipher_list>
disable String Valid values are:
  • <ciphers>
enable String Valid values are:
  • default
  • cbc
  • dhe
  • cipherlist
show String Valid values are:
  • currenr
  • disabled
show_like String Valid value is:
  • <pattern>
store String Valid values are:
  • default
  • cipherlist
Secure settings for services
Parameter Value type Description
disable String Valid value is:
  • <servicename>
enable String Valid value is:
  • <servicename>
status String Valid value is:
  • <servicename>

Examples

The following command lists the secure settings.

grdapi secure_settings
ID=0
Usage: grdapi secure_settings component={sshd|ciphers|services}
arguments as necessary for the components

The following command is used to manage the ssh daemon sshd component.

grdapi secure_settings component=sshd <options>
options:
   show=all
   show=dsa_state
   show=max_connection
   show=port_number
   show=secure_state
   show=ssh_key_mode
   show=ssh_match_address
   show=version

   store=dsa_state value={on|off}
   store=max_connection value=<number>
   store=port_number value=<number>
   store=secure_state value={secure|default}
   store=ssh_key_mode value={on|off}
   store=ssh_match_address value=<address_expression>

The following command is used to manage the ciphers component.

grdapi secure_settings component=ciphers <options>
options:
    type=java show={current|disabled}
    type=java show_like=<pattern>
    type=java disable=<ciphers>
    type=java enable={cbc|dhe|cipherlist}

    type=inspection_core show={default|all|current}
    type=inspection_core show_like=<pattern>
    type=inspection_core store={default|cipherlist}
    type=inspection_core delete=<cipherlist>

The following command is used to manage the services component.

grdapi secure_settings component=services

usage:
grdapi secure_settings component=services status=<service>
grdapi secure_settings component=services enable=<service>
grdapi secure_settings component=services disable=<service>

Possible services to view status:
        all
        cas (16019)
        classifier
        docker
        gim (8446)
        guard-insights (8586)
        guard-snifbufusage
        gui
        jproxyforwarder
        jproxytimer.timer
        nanny
        patch_installer
        readahead-disable-services
        sniffer
        snmpd
        sonarjproxyd
        stap_upload (8444)
These services can be enabled/disabled:
        cas (16019)
        docker
        gim (8446)
        guard-insights (8586)
        guard-snifbufusage
        patch_installer
        snmpd
        stap_upload (8444)