CLI Overview

The Guardium® command line interface (CLI) is an administrative tool that allows for configuration, troubleshooting, and management of the Guardium system.

Documentation Conventions

All CLI command examples are written in courier text (for example, show system clock).

To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command arguments are mandatory, and in what context. Each syntax description shows the dependencies between the command arguments by using special characters:

The < and > symbols denote a required argument.
The [ and ] symbols denote an optional argument.
The | (vertical bar) symbol separates alternative choices when only one can be selected. For example:
```
store full-bypass <ON | OFF>
```

CLI Command Usage Notes®

Commands and keywords can be abbreviated by entering enough characters so the commands are not ambiguous. For example, show can be abbreviated sho.
Most Guardium CLI commands consist of a command word followed by one or more arguments. The argument may be a keyword or a keyword followed by a variable value (for example an IP address, subnet mask, date, etc.
Commands and keywords are not case sensitive, but element names are.
To display command syntax and usage options, enter a question mark (?) as an argument following the command word.
Use quotation marks around words or phrases to precisely define search terms.

Accessing the CLI

An administrator can access the CLI though:

A physically connected PC console or serial terminal OR
A network connection using an SSH client

Physical Console Access

Interactive access to the Guardium appliance is through the serial port or the system console.

PC keyboard and monitor – A PC video monitor can be attached to either the front panel video connector or the video connector on the back of the appliance.

A PC keyboard with a PS/2 style connector can be attached to the PS/2 connector on the back of the appliance. Alternatively, a USB keyboard can be connected to the USB connectors located at the front or back of the appliance.

Serial port access – Using a NULL modem cable, connect a terminal or another computer to the 9-pin serial port at the back of the appliance. The terminal or a terminal emulator on the attached computer should be set to communicate as 19200-N-1 (19200 baud, no parity, 1 stop bit).

A login prompt displays once the terminal is connected to the serial port, or the keyboard and monitor are connected to the console. Enter cli as the user name, and continue with CLI Login.

Network SSH Access

Remote access to the CLI is available on the management IP address or domain name, using an SSH client. SSH clients are freely or commercially available for most desktop and server platforms. A Unix SSH connect command to log in as the cli user might look like this:

ssh –l cli 192.168.2.16

The SSH client may ask you to accept the cryptographic fingerprint of the Guardium appliance. Accept the fingerprint to proceed to the password prompt.

Note: If, after the first connection, you are asked again for a fingerprint, someone may be trying to induce you to log into the wrong machine.

CLI Login

Access to the CLI is either through the admin CLI account cli or one of the five CLI accounts (guardcli1,...,guardcli5). The five CLI accounts (guardcli1,...,guardcli5) exist to aid in the separation of administrative duties.

Access to the GuardAPI, which is a set of CLI commands to aid in the automation of repetitive tasks, requires the creation of a user (GUI username/guiuser) by access manager and giving those accounts either the admin or cli role. Proper login to the CLI for the purpose of using GuardAPI requires the login with one of the five CLI accounts (guardcli1,...,guardcli5) and an additional login with guiuser by issuing the 'set guiuser' command. See GuardAPI Reference Overview or Set guiuser Authentication for additional information.

Password Hardening

In order to meet various auditing and compliancy requirements the following password enforcements will be in effect for CLI accounts:

For the account cli either use the cli password supplied or be sure to set a strong password to protect this account. If you have just rebuilt the system from an installation DVD, the Guardium cli user has a default password of guardium. You should change that password immediately.
Enforcement of an expiration period for the CLI and five CLI accounts where the default is 90 days. When a password expires a required change of password will be invoked during the login process.
Passwords must be a minimum of eight characters in length.
Passwords must contain at least one character from three of the following four classes
- Any upper-case letter
- Any lower-case letter
- Any numeric (0,1,2,...)
- Any non-alphanumeric (special) character
Once access is granted through the use of a separate GUI username (guiuser) the CLI audit trail will show the CLI_USER+GUI_USER pair used for login.
CLI users cannot be authenticated through LDAP as these are considered administrative accounts and should be able to login regardless of connectivity to an LDAP server

Limited CLI commands during maintenance of internal database

CLI has three sets of commands - general commands, specialized support commands, and recovery commands. Support commands are to used by Technical Support to analyze the system. Recovery commands are to recover the system when the database is down.

The initial CLI login is:

Welcome to CLI - your last login was <date>

The welcome message will add further information if the internal database is down due to maintenance or during an upgrade.

If this is the case, the number of CLI commands available will be limited.

The internal database on the appliance is currently down and CLI will be working
in "recovery mode";  only a limited set of commands will be available.

The CLI commands that available for use during recovery mode are as follows:

support reset-password root
restart mysql
restart stopped_services
restart system
restore pre-patch-backup
restore system