Using the CLI

Learn how to access the CLI, and understand the command syntax and the types of commands.

Documentation Conventions

All CLI command examples are written in courier text (for example, show system clock).

To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command arguments are mandatory, and in what context. Each syntax description shows the dependencies between the command arguments by using special characters:

  • Angle brackets (< >) denote a required argument.
  • Square brackets ([ ]) denote an optional argument.
  • A vertical bar ( | ) separates alternatives when only one can be selected. For example:
    store full-bypass <ON | OFF>

CLI Command Usage

  • Commands and keywords can be abbreviated by entering enough characters to make them unambiguous. For example, show can be abbreviated to sho.
  • Most Guardium® CLI commands consist of a command word followed by one or more arguments. The argument can be a keyword or a keyword followed by a variable value (for example an IP address, subnet mask, or date).
  • Commands and keywords are not case-sensitive, but element names are.
  • To display command syntax and usage options, enter a question mark (?) as an argument that follows the command word.
  • Use quotation marks around words or phrases to precisely define search terms.

Accessing the CLI

An administrator can access the CLI through either:

  • A network connection that uses an SSH client.
  • A physically connected PC console or serial terminal.

Network SSH Access

Remote access to the CLI is available on the management IP address or domain name, by using an SSH client. SSH clients are freely or commercially available for most desktop and server platforms. A UNIX SSH connect command to log in as the cli user might look like this:
ssh -l cli 192.168.2.16

On the first connection, the SSH client displays the cryptographic fingerprint of the Guardium appliance's host key and asks you to accept it. Compare the fingerprint with one obtained out of band from the appliance administrator before accepting it; the password prompt follows.

Note: If you are asked to accept a fingerprint again on a later connection, or your SSH client warns that the host key has changed, do not accept it until the change has been confirmed with the appliance administrator: a changed key can mean that someone is trying to induce you to log in to the wrong machine.
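The fingerprint check above can be made mechanical by pinning the appliance's host key. The following POSIX shell example is added here and is not part of the Guardium documentation or product: it stores the key in a dedicated known_hosts file and builds the page's ssh login command with strict host-key checking, so a new or changed key aborts the login instead of prompting again. The address is the one from the page's example; the file path and the key line are constructed placeholders, not a real appliance key.

```shell
#!/bin/sh
# Added example, not from the Guardium documentation: pin the appliance's SSH host
# key in a dedicated known_hosts file and connect with strict checking, so a new or
# changed key aborts the login instead of asking the operator to accept it again.
# The address matches the page's example; the key line is a constructed placeholder.

APPLIANCE=192.168.2.16
CLI_USER=cli
PINNED_HOSTS="${TMPDIR:-/tmp}/guardium_known_hosts.$$"

# Write the pinned entry. In practice, record the key once after verifying its
# fingerprint out of band (for example the output of: ssh-keyscan -t ed25519 192.168.2.16).
# The base64 field below is NOT a real key; it is a constructed sample.
write_pinned_hosts() {
    printf '%s ssh-ed25519 %s\n' "$APPLIANCE" \
        'AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterialNotARealHostKey' \
        > "$PINNED_HOSTS"
}

# Succeed only if exactly one key is pinned for the given host: zero entries means
# strict checking will refuse to connect, more than one means the file is ambiguous.
pinned_key_for() {
    awk -v h="$1" '$1 == h { n++ } END { if (n == 1) exit 0; else exit 1 }' "$PINNED_HOSTS"
}

# The login command from the page with host-key pinning added. StrictHostKeyChecking=yes
# refuses unknown or changed hosts; using a dedicated file instead of ~/.ssh/known_hosts
# means nothing else on the workstation can silently add a second key for the appliance.
guardium_ssh_cmd() {
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -l %s %s\n' \
        "$PINNED_HOSTS" "$CLI_USER" "$APPLIANCE"
}

# Usage: pin the key, check it, then run the command that is printed:
#   write_pinned_hosts && pinned_key_for "$APPLIANCE" && eval "$(guardium_ssh_cmd)"
```

With this setup the "asked again for a fingerprint" situation cannot arise silently: a host presenting a different key is refused outright, and the operator has to consciously update the pinned file after confirming the change.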

Physical Console Access

Interactive access to the Guardium appliance is through the serial port or the system console.

  • PC keyboard and monitor: A PC video monitor can be attached to either the front panel video connector or the video connector on the back of the appliance. A USB keyboard can be connected to the USB connectors at the front or back of the appliance.
  • Serial port access: Use a NULL modem cable to connect a terminal or another computer to the 9-pin serial port at the back of the appliance. Set the terminal, or a terminal emulator on the attached computer, to communicate as 19200-N-1 (19200 baud, no parity, 1 stop bit).

A login prompt is displayed after the terminal is connected to the serial port, or the keyboard and monitor are connected to the console. Enter cli as the user name, and continue with CLI Login.

CLI Login

Access the CLI through the admin CLI account cli or one of the special guardcli accounts (guardcli1,...,guardcli5). The guardcli accounts are available to help you separate administrative duties.

Access to the GuardAPI requires that the access manager create a user (GUI username, or guiuser) with either the admin or CLI role. To run GuardAPI commands from the CLI, first log in with one of the CLI accounts (guardcli1,...,guardcli5), then authenticate as your own GUI user by issuing the set guiuser command. For more information, see Using GuardAPI commands or Authenticating GuardAPI commands with set guiuser command.

In addition, if multi-factor authentication is set up for your site, an additional prompt is displayed after you log in.

Password Hardening

To meet various auditing and compliance requirements, the following password rules are in place for CLI accounts:

  • For the cli account, either use the CLI password that is supplied with the appliance or set a strong password of your own to protect this account. After a system rebuild, the Guardium cli user has the default password guardium. Change it immediately.
  • Passwords for the cli and guardcli accounts expire every 90 days by default. The interval at your site might differ, depending on the value set with the store password_expiration CLI command. After a password expires, you must change it at your next login.
  • Passwords must be at least 8 characters long. Depending on the value of the enable_strong_cli_password API command, the minimum for the cli user might be 15 characters.
  • Passwords must contain at least one character from three of the following four categories:
  • After access is granted by using a separate GUI username (guiuser), the CLI audit trail shows the CLI_USER+GUI_USER pair that was used to log in.

Limited CLI commands during maintenance of internal database

The CLI has three sets of commands: general commands, specialized support commands, and recovery commands. Technical support uses the support commands to analyze the system. Recovery commands help recover the system when the internal database is down.

The initial CLI login banner is:
Welcome to CLI - your last login was <date>

If the internal database is down for maintenance or during an upgrade, the welcome message adds the following, and only a limited set of CLI commands is available:
The internal database on the appliance is currently down and CLI will be working
in "recovery mode";  only a limited set of commands will be available.
The following CLI commands are available for use during recovery mode:
support reset-password root
restart mysql
restart stopped_services
restart system
restore backup
restore pre-patch-backup