File handling CLI Commands

Use these commands to back up and restore system information. Many of these tasks can also be performed from the Guardium® user interface.

About Archived Data File Names

When Guardium data is archived (or exported to an aggregator), there is a separate file for each day of data. Depending on how your export/purge or archive/purge operation is configured, you may have multiple copies of data exported for the same day. Archive and export data file names have the same format:

<daysequence>-<hostname.domain>-w<run_datestamp>-d<data_date>.dbdump.enc

  • daysequence is a number representing the date of the archived data, expressed as the number of days since year 0. The same date appears in yyyy-mm-dd format in the data_date portion of the name.
  • hostname.domain is the host name of the Guardium appliance on which the archive was created, followed by a dot character and the domain name.
  • run_datestamp is the date that the data was archived or exported, in yyyymmdd.hhmmss format.
  • data_date is the date of the archived data, in yyyy-mm-dd format.

For example: 732423-g1.guardium.com-w20050425.040042-d2005-04-22.dbdump.enc
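As an added example (not IBM's code), here is a Python parser for this file name format that also accepts the .exp.tgz names produced by export audit-data. It assumes that daysequence equals the MySQL TO_DAYS() day count, which is Python's date.toordinal() plus 365 (an offset inferred from the two names on this page), and it treats the dot in run_datestamp as optional because the export audit-data example on this page omits it.

```python
"""Parser for Guardium archive/export data file names (added example; not IBM code).

Names follow <daysequence>-<hostname.domain>-w<run_datestamp>-d<data_date>.<suffix>.
Assumptions, both taken from the names shown on this page:
  * daysequence == date.toordinal() + 365, i.e. the MySQL TO_DAYS() count
    ("days since year 0"): 732423 <-> 2005-04-22, 732570 <-> 2005-09-16.
  * run_datestamp is yyyymmdd.hhmmss for archives, but the export audit-data
    example has no dot (w20050919110317), so the dot is optional here.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime

# MySQL TO_DAYS('0001-01-01') is 366, Python's toordinal() gives 1 (assumption).
DAYSEQUENCE_OFFSET = 365

NAME_RE = re.compile(
    r"^(?P<dayseq>\d+)-"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)-"
    r"w(?P<run>\d{8}\.?\d{6})-"
    r"d(?P<data>\d{4}-\d{2}-\d{2})"
    r"\.(?P<suffix>dbdump\.enc|exp\.tgz)$"
)


@dataclass(frozen=True)
class ArchiveName:
    daysequence: int
    host: str
    run_stamp: datetime
    data_date: date
    suffix: str


def parse_archive_name(name: str) -> ArchiveName:
    """Parse one file name and cross-check daysequence against data_date."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Guardium archive/export file name: {name!r}")
    run_stamp = datetime.strptime(m["run"].replace(".", ""), "%Y%m%d%H%M%S")
    data_date = date.fromisoformat(m["data"])
    dayseq = int(m["dayseq"])
    expected = data_date.toordinal() + DAYSEQUENCE_OFFSET
    if dayseq != expected:
        # The two date fields are redundant; a mismatch means the name was
        # renamed, mislabelled or corrupted and should not be trusted blindly.
        raise ValueError(
            f"daysequence {dayseq} does not match data date {data_date} "
            f"(expected {expected})"
        )
    if run_stamp.date() < data_date:
        raise ValueError(f"run date {run_stamp.date()} precedes data date {data_date}")
    return ArchiveName(dayseq, m["host"], run_stamp, data_date, m["suffix"])


def latest_copy_per_day(names):
    """Group names by (host, data_date) and keep the most recent run for each.

    Covers the case the text describes where several copies of the same
    day's data exist because of the export/purge or archive/purge schedule.
    """
    best = {}
    for name in names:
        info = parse_archive_name(name)
        key = (info.host, info.data_date)
        if key not in best or info.run_stamp > best[key][1].run_stamp:
            best[key] = (name, info)
    return {key: name for key, (name, _info) in best.items()}
```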

backup config

These commands back up and restore configuration information from the internal administration tables. The backup config command stores data in the /media/backup directory. The backup config command removes license and other machine-specific information. The backup system command provides a more comprehensive backup of the configuration and the entire system.

Syntax

backup config

restore config

backup system

This topic applies to backup and restore operations for the Guardium internal database. You can back up or restore data, configuration information, or both. These commands stop all inspection engines and web services and restart them after the operation completes.

Use the restore backup command to restore a backup to the latest version of Guardium.
Note: The restore backup command can only restore files from Guardium V10.1.3 or later. For more information, see restore backup.

For all backup, import, and restore commands, you receive a series of prompts to supply some combination of the following items, depending on which storage systems are configured, and the type of restore operation. Respond to each prompt as appropriate for your operation. Table 1 describes the information for which you might be prompted.

Note:
  • One copy of the SCP/SFTP/TSM/Centera file transfer is saved, whether or not the transfer is successful. Certain files can take hours to regenerate (such as system backup), so having an available copy (in particular if the file transfer failed) can be a valuable time-saver. Only one copy of each type of file is retained (that is, one archive, one system backup, one configuration backup, and so on).
  • The backup system command copies the current license, metering and number of data sources, and then backs up the data. Use restore backup to restore the data and then restore the license, metering, and number of data sources.
  • When configuring backups, a value of zero '0' for the port number indicates that the default port is being used for that protocol.
Table 1. backup system parameters

  • Storage method (one of AmazonS3, Centera, IBM Cloud, IBM COS, SCP, SFTP, TSM) - Select the method to use to transfer the file. Storage methods display only if they are enabled. For more information, see the store storage-system command.
  • Data or Configuration - Select Configuration to back up definitions and configuration information only, or select Data to back up data in addition to configuration information.
  • restore from archive or restore from backup - Select restore from archive to restore archived data, or select restore from backup to restore configuration information.
  • normal or upgrade - If restoring from the same software version of Guardium, select normal. If restoring configuration information following a software upgrade of the Guardium appliance, select upgrade.
  • host - The remote host for the backup file.
  • remote directory - The directory for the backup file. For SFTP, the directory is relative to the SFTP root directory for the SFTP user account used. For SSH, the directory path is a full directory path. For Windows SSH servers, use Unix-style path names with forward slashes, rather than Windows-style backslashes.
  • username - The user account name to use for the operation (for backup operations, this user must have write/execute permission for the directory specified). Note: For Windows, a domain user is accepted in the format domain\user.
  • password - The password for the username.
  • file name - The file name for the archive or backup file. You can select multiple files by using the wildcard character (*) in the file name when using the FTP, SCP, and Snapshot transfer methods. The wildcard character is not supported with TSM or Centera.
  • Centera server - The Centera server name. If using PEA files, use the format <Host name/IP>?<full PEA file name>, for example:

    128.221.200.56?/var/centera/us_profile_rwqe.pea.txt

  • Centera clipID - For a Centera restore operation, the Content Address returned from the backup operation. For example:

    6M4B15U4JM4LBeDGKCPF9VQO3UA

After you supply all of the information required for the backup or restore operation, a series of messages displays informing you of the results of the operation. For example, at the end of a successful restore backup operation, a message similar to the following is written to the /var/IBM/Guardium/log/diag/depot/upgrade_<TimeStamp>.log file:

2019-05-16-165208 Upgrade of v10.0 to v11.0.0 completed successfully

Prevent backup or archive scripts from filling up /var

The backup process checks for free space in /var before running and fails if there is not enough. It also warns the user when space is insufficient for the backup.

The archive process checks the size of the static tables and makes sure that there is room in /var to create the archive.

An error is logged in the log file and in the GUI if /var backup space usage is over 50%.

Example:

ERROR: /var backup space is at 60% used. Insufficient disk space for backup.
CLI> backup system
     1. DATA
     2. CONFIGURATION
Please enter the number of your choice: (q to quit) 1
     1. SCP
     2. CONFIGURED DESTINATION
Enter the number of your choice: (q to quit) 2
Make sure destination is configured in the GUI under the System Backup option
Please wait, this may take some time.

delete audit-data

Use this command only under the direction of Guardium Support. This command removes compressed audit data files. You will be prompted to enter an index number to identify the file to be removed. See About Archived Data File Names for information about how archived data file names are formed.

Syntax

delete audit-data

export audit-data

Exports audit data for the specified date (yyyy-mm-dd) from various internal Guardium tables to a compressed archive file in the /var/dump directory. The file created is identified in the messages produced by the system (see the example). Use this command only under the direction of Guardium Support.

Note: Only users with the admin role may run this command.

Syntax

export audit-data <yyyy-mm-dd>

Example

export audit-data 2005-09-16

Generates a set of messages similar to the following:

Extracting  GDM_ACCESS  Data ... 
Extracting  GDM_CONSTRUCT  Data ... 
Extracting  GDM_SENTENCE  Data ... 
Extracting  GDM_OBJECT  Data ... 
Extracting  GDM_FIELD  Data ... 
Extracting  GDM_CONSTRUCT_TEXT  Data ... 
Extracting  GDM_SESSION  Data ... 
Extracting  GDM_EXCEPTION  Data ... 
Extracting  GDM_POLICY_VIOLATIONS_LOG  Data ... 
Extracting  GDM_CONSTRUCT_INSTANCE  Data ... 
Generating tar file ...  /var/csvGenerationTmp ~ 
GDM_ACCESS.txt 
GDM_CONSTRUCT.txt 
GDM_CONSTRUCT_INSTANCE.txt 
GDM_CONSTRUCT_TEXT.txt 
GDM_EXCEPTION.txt 
GDM_FIELD.txt 
GDM_OBJECT.txt 
GDM_POLICY_VIOLATIONS_LOG.txt 
GDM_SENTENCE.txt 
GDM_SESSION.txt ~ 
Generation completed, CSV Files saved to /var/dump/732570-supp2.guardium.com-w20050919110317-d2005-09-16.exp.tgz ok

The data from each of the named internal database tables is written to a text file in CSV format. The name of the archive file ends with .exp.tgz; the remainder of the name is formed as described in About Archived Data File Names.

You can use the export file command to transfer this file to another system.

export file

This command exports a single file named filename from the /var/IBM/Guardium/data/dump, /var/log, or /var/IBM/Guardium/data/importdir directory.

Use this command only under the direction of Guardium Support. To export Guardium data to an aggregator or to archive data, use the appropriate menu commands on the Administration Console panel.

Syntax

export file </local_path/filename> <user@host:/path/filename>

local_path must be one of the following: /var/IBM/Guardium/data/dump, /var/log, or /var/IBM/Guardium/data/importdir.

export rotated_message_logs

Use this command to export message logs to a remote directory. Each log is created with a unique name.

When you specify this command, Guardium requests the following information:
  • Remote host username
  • Remote host: The IP address of the remote host
  • Remote host directory: The directory for the remote logs.
  • Password: The password for the host user (that is, the host username).
  • Scp port: To specify a special port, enter it when requested. To use the default port, enter 0 or press Enter.

Syntax

export rotated_message_logs

fileserver

Use this command to start an HTTPS-based file server running on the Guardium appliance. This facility is intended to ease the task of uploading patches to the unit or downloading debugging information from the unit. Each time this facility starts, it deletes any files in the directory to which it uploads patches.

Note: Any operation that generates a file that the fileserver will access should finish before the fileserver is started (so that the file is available for the fileserver).

Syntax

fileserver <IP address> <duration>
  • IP address - The IP address of the local computer from which you will access the fileserver; only that address is allowed to connect. If the address is not your local computer's IP address, the fileserver will not launch.
  • Duration - Specifies the number of seconds (60 - 3600) to keep the fileserver active. After the specified number of seconds, the fileserver shuts down automatically.

In a security setup where browser sessions are redirected through a proxy server, the IP address of the fileserver client will not be the same as that of the SSH client that started the fileserver. Instead, the fileserver client will have the IP address of the proxy server, and that address must be passed as the IP address parameter. To find the proxy IP address, check your browser settings or the client IP addresses shown in the Logins to Guardium report in the Guardium Monitor interface.

Example

fileserver 10.0.0.1 3600 
Starting the file server... 
The file server is ready at https://guardium.system.com:8445 
The timeout has been set to 3600 seconds and it may timeout during the uploading. 

The upload will only be accessible from the IP you are logged in from: 10.0.0.1 
Press ENTER to stop the file server. 

Open the fileserver in a browser window, and do one of the following:

  • To upload a patch, click Upload a patch and follow the directions.
  • To download log data, click Sqlguard logs, navigate to the file you want and download as you would any other file.

When you are done, return to the CLI session and press Enter to terminate the session.

Access VA scripts using fileserver
  • From the Guardium CLI, run fileserver <your computer's IP address> 3600.
  • Using a browser, go to https://<IP address of your Guardium system>/log/debug-logs/gdmmonitor_scripts/.
  • Choose the file that matches your database type.

import file

Use this command to import a file.

Select the filetype from the list that displays when you run the command. You can use a wildcard (*) for the file name in the SCP, FTP, and snapshot methods.

Syntax

import file

For more information, see backup config and restore config.

import session_rules

You can use a wildcard (*) for the file name in the SCP and FTP methods.

Syntax

import session_rules

import scanner_agent

Import a vulnerability scanner agent. You can import a scanner agent with either SCP or the Guardium fileserver. Guardium supports the following agents:
  • Nessus
  • Qualys

Syntax

import scanner_agent <scp <agent> | sys <agent> <filename>>

Where:

agent - A supported CVE scanner agent, either nessus or qualys.

  • scp <agent> - Follow the prompts to indicate where the scanner agent is stored.
  • sys <agent> <filename> - Follow the prompts to indicate where the scanner agent is stored. Before you import the agent, it must be available on the Guardium fileserver. For more information, see fileserver.

    Required information:

    • Hostname - The hostname or IP address where the agent resides.
    • Username and password - The username and password to log in to the host.
    • Full filepath - The full path, including the filename, of the agent to import, for example, /site/a-support/scanner_tools/agents/NessusAgent/NessusAgent-10.4.2-es8.x86_64.rpm.

After you import the agent, configure it by using the setup scanner_agent CLI command.

For more information, see Configuring vulnerability scanner agents.

import tsm config

Uploads a TSM client configuration file to the Guardium appliance. You must do this before performing any archiving or backup operations that use TSM. You always need to upload a dsm.sys file, and if that file includes multiple servername sections, you also need to upload a dsm.opt file. For information about how to create these files, check with your company's TSM administrator.

You will be prompted for a password for the user account on the specified host.

Syntax

import tsm config <user@host:/path/[ dsm.sys | dsm.opt ]>

Parameters

user@host - User account to access the file on the specified host.

/path/[ dsm.sys | dsm.opt ] - Full path filename of the file to import.

Note: When setting up TSM on a collector, the initial configuration may fail with a notification error stating that the test file could not be sent. If you log in to the collector as root and run a dsmc archive command against the TSM server with the same credentials, the transfer of the TSM file succeeds; if you then return to the GUI and configure TSM with the same options as before, the configuration succeeds as well.

If the TSM configuration has passwordaccess=generate, the password is read from a local file. The root user needs to run the dsmc command once to create this local password file.

After you upload the TSM config file, if the configuration contains passwordaccess generate, the CLI reports that passwordaccess is set to be generated and prompts:

Would you like to run a dsmc command now to ensure password is set locally (y/n)?

If the answer is y, the CLI runs "dsmc query options>>/dev/null", which prompts the user for the password.

import tsm property

Use this CLI command to upload a file to /opt/tivoli/tsm/client/ba/bin/guard_tsm.properties.

The file size should be 1K.

Syntax

import tsm property user@host:file

This command uploads the input file to /opt/tivoli/tsm/client/ba/bin/guard_tsm.properties.

restart scanner_agent

Restarts the specified CVE scanner agent.

Syntax

restart scanner_agent <agent>

Where:

agent - A supported CVE scanner agent, either nessus or qualys.

For more information, see Configuring vulnerability scanner agents.

restore backup

Note: As of Guardium V11.0, this CLI replaces the restore db-from-prev-version and restore system CLI commands.

With this command you can restore and upgrade Guardium data files, configuration files, or both from a previously installed system to a newer system. The restore backup command does not take any parameters; instead it asks a series of questions to determine which files you want to restore. For the command to work, restore backup must be run on the same type of machine at the same patch level.

For any restore, you can select one data backup (DATA) file, one configuration file (CONFIG), or one of each.

The restore backup command for CONFIG restores the following configuration information:
  • Two-factor authentication configuration
  • Authentication credentials for system users
  • Universal connector configuration
  • Aggregator keys
  • CA certificates and repository
  • PKI certificates
  • Repository of keys and certificates
  • Web server configuration and customization
  • FIPS enabled/disabled state
  • OCR configuration
  • Outlier configuration
  • Spectrum Protect configuration
  • GBDI configuration
  • Log rotate configuration
Note: The following data is overwritten during a restore:
  • User information that is defined by the accessmgr user.
  • Information included in export definitions.
When you run restore backup, Guardium asks if you want to import backup files and then presents a series of questions to determine their location. Guardium suggests that you import the backup files before you call restore backup. Imported files are stored in the /var/dump/ directory.
Note: If you already have backup files on your Guardium system, restore backup lists those files. You can either select one of the available files to restore or import different files.
If you choose to import a backup file, then the script requests the following information:
  • The file transfer method required for the storage type, such as AMAZONS3, FTP, SCP, SOFTLAYER, or TSM.
  • The name of the backup host machine.
  • The backup host username.
  • The remote directory.
  • The remote file to restore. You can use a wildcard (*) to select one or more files. For example, if you know that you want to restore a file from 2022, you can specify 2022* to show all files that include 2022 in the filename. If more than 10 files meet the criteria, Guardium will list up to 10 files at a time. You can select the file you want to import or show the next set of files.
  • The password for the user on the host machine.
After you select the files to import and restore and specify the required information, Guardium restores the DATA, CONFIG, or both files to the latest supported version of Guardium.
Note: The restore backup command can only restore files from Guardium V10.1.3 or later. To restore a backup file prior to V10.1.3, first restore it to a V10.1.3 or higher appliance, take a backup from that appliance, then restore the new backup onto the latest release.

Syntax

restore backup

restore config

These commands back up and restore configuration information from the internal administration tables. The backup config command stores data in the /media/backup directory. The backup config command removes license and other machine-specific information. The backup system command provides a more comprehensive backup of the configuration and the entire system.

When restoring a configuration, you must restore a backup that is of the same version and patch level as the original appliance where the backup was created.

Syntax

backup config

restore config

restore keystore

Use this command only under direction from Technical Support.

Use this command to restore the certificates and private keys used by the web servlet container environment (Tomcat).

Syntax

restore keystore

restore pre-patch-backup

Use this command only under direction from Technical Support.

Use this command to recover the pre-patch-backup when the appliance database is up or down.

Syntax

restore pre-patch-backup

Example

restore pre-patch-backup
Please enter the information to retrieve the file:
Is the file in the local system? (y/n) n
Start to recover with the backup profile parameters.
Please check the recovery status in the log /var/log/guard/diag/depot/patch_installer.log
ok

If the answer is 'n', the operation is aborted. If the answer is 'y', you need to enter the file name.

setup vmware_tools

Use this CLI command to install VMware Tools on a Guardium appliance that runs on the ESX infrastructure.

Syntax

setup vmware_tools [ install | uninstall ]

Step 1: Open the VM client/console and select the VM instance that contains the IBM® Guardium appliance. Right-click the instance and select (from the pop-up menu) Guest => Install/upgrade VMware tools. This enables the instance to access the VMware tools through a mount point.

Step 2: Run the CLI command (from within the VM client/console), setup vmware_tools install, to install VM tools.

setup scanner_agent

Set up a CVE scanner agent.

Syntax

setup scanner_agent <configure | enable | proxy | uninstall> <agent>

Where:

agent - A supported CVE scanner agent, either nessus or qualys.

  • configure <agent> - Configure the specified agent that you imported (with the import scanner_agent command), as follows:
    For a Nessus agent:
    • Linking key - Available from the Tenable Nessus agents dashboard.
    • Agent name - Default value is the Guardium system hostname.
    • Host - Tenable Nessus system hostname where the agent connects.
    • Port - Port number to connect to the Tenable Nessus system.
    For a Qualys agent:
    • Customer ID - Available from the Qualys agent management dashboard.
    • Activation ID - Available from the Qualys agent management dashboard.
    • Server URI - Qualys system hostname where the agent connects.
    • Proxy host - Proxy hostname, if needed.
  • enable <agent> - For a Qualys agent, enable the agent after you configure it. Nessus agents start automatically after configuration.
  • proxy <agent> - If you are using SSL with a proxy, follow the prompts for your agent to enter proxy information.
  • uninstall <agent> - Uninstalls the specified agent (nessus or qualys).

For more information, see Configuring vulnerability scanner agents.

show audit-data

Use this command to display any files that were created by running the export audit-data CLI command. For more information about audit data files, see export audit-data.

Syntax

show audit-data <yyyy-mm-dd>

show scanner_agent

Syntax

show scanner_agent <ca_bundle | configuration <agent> | status <agent> | supported>

Where:

agent - A supported CVE scanner agent, either nessus or qualys.

  • ca_bundle - Shows the certificate information to download with the store certificate scanner ca_bundle command.
  • configuration <agent> - Shows configuration details for the specified agent.
  • status <agent> - Displays the status for the specified agent.
  • supported - Displays a list of supported CVE agents.

For more information, see Configuring vulnerability scanner agents.

start scanner_agent

Start the CVE scanner agent.

Syntax

start scanner_agent <agent>

Where:

agent - A supported CVE scanner agent, either nessus or qualys.

For more information, see Configuring vulnerability scanner agents.

stop scanner_agent

Stop the CVE scanner agent.

Syntax

stop scanner_agent <agent>

Where:

agent - A supported CVE scanner agent, either nessus or qualys.

For more information, see Configuring vulnerability scanner agents.

store language

Initial installation of Guardium is always in English. Use the store language CLI command after installation to convert the database from English to the desired language. Setting the desired language is considered part of the initial system setup: changing the language on an established system affects the information already captured, stored, customized, archived, or exported on that system.
Important:
  • After switching from English to a desired language, it is not possible to revert back to English using this CLI command. The Guardium system must be reinstalled in English.
  • To prevent the system from displaying a mixture of languages, set a central manager and all its managed units to the same language.

Syntax

store language

Example

store language
The following languages are available on this appliance:
    1.  French
    2.  German
    3.  Italian
    4.  Japanese
    5.  Korean
    6.  Polish
    7.  Pseudo
    8.  Simplified Chinese
    9.  Spanish
    10. Traditional Chinese
Please enter the number of the language you want or 0 to quit: 

Show command

show language

store tsm authorization

When backupinitiationroot is set to ON on TSM servers, only root and authorized users can perform backup/archive operations. When backupinitiationroot is on and passwordaccess in DSM.SYS is set to "generate", Guardium backup and archive to TSM fail with the error message:

ANS1708E Backup operation failed. Only a root user can do this operation

Non-root users must be authorized to perform backup and archive.

This authorization is enabled by executing the CLI command:

store tsm authorization backupinitiationroot on

This authorization is disabled by executing the CLI command:

store tsm authorization backupinitiationroot off

Syntax

store tsm authorization backupinitiationroot <on/off>

Show command

show tsm authorization backupinitiationroot <on/off>

This CLI command displays on if non-root Guardium users are authorized to perform backup and archive operations when backupinitiationroot is set to ON on TSM servers. Otherwise, it displays off.

VMware kernel panic after a reboot

A VMware ESX 4.1 virtual machine running Guardium might get a kernel panic after a reboot.

To correct this situation, VMware recommends one of the following:
  • Install Update 2 on ESX 4.1.
  • Set CPU/MMU virtualization to "Use software for instruction set and MMU virtualization". This option is found under Settings > Options > CPU/MMU Virtualization.