Command Line
Using the SUSE® Security Command Line Interface
The SUSE® Security solution supports a limited set of functions through the command line interface (CLI). The CLI is provided by the Manager, which in turn uses a REST API to send commands to the Controller. The Controller then manages the Enforcers accordingly. The complete set of operations is supported through the REST API, which can be served directly by the Controller. You can access the SUSE® Security CLI by running the cli command in the Manager or Allinone container, for example:
kubectl exec -it neuvector-manager-pod-5bb76b6754-rlmnp -n neuvector -- cli
docker exec -it allinone cli
Here 'allinone' is the container running the Controller. You may need to use the container ID instead of the name.
Although the CLI is available through the Manager, we recommend using the REST API directly on the Controller for queries and automation.
Command Line Interface Command Examples
Here are some of the most common CLI commands:
> login
> logout
Use the same username/password that you use for the console.
> show policy -h
Usage: cli show policy [OPTIONS] COMMAND [ARGS]...
> create policy rule -h
Usage: cli create policy rule [OPTIONS] FROM TO
> delete policy rule -h
Usage: cli delete policy rule [OPTIONS] ID
> show log -h
Usage: cli show log [OPTIONS] COMMAND [ARGS]...
> set system policy_mode -h
Usage: cli set system policy_mode [OPTIONS] MODE
Set system policy mode.
Options:
-h, --help Show this message and exit.
MODES:
learn=discover
evaluate=monitor
enforce=protect
> set controller <leader_controller_id> debug -c cpath
Turn on debug mode.
> set controller <leader_controller_id> debug
Turn off debug mode.
Additional CLI commands are listed below.
Command Line Interface Reference & Commands
Login/Logout
> login -h
Usage: cli login [OPTIONS]
Login and obtain an authentication token.
Options:
--username TEXT
--password TEXT
-h, --help Show this message and exit.
> logout -h
Usage: cli logout [OPTIONS]
Clear local authentication credentials.
Options:
-h, --help Show this message and exit.
> exit -h
Usage: cli exit [OPTIONS]
Exit CLI.
Options:
-h, --help Show this message and exit.
Users
> create user -h
Usage: cli create user [OPTIONS] USERNAME ROLE
Create user.
Options:
--email TEXT
--locale TEXT
--password TEXT
--password2 TEXT
-h, --help Show this message and exit.
> set user -h
Usage: cli set user [OPTIONS] USERNAME COMMAND [ARGS]...
Set user configuration.
Options:
-h, --help Show this message and exit.
Commands:
local Set local user.
remote Set remote user.
> unset user -h
Usage: cli unset user [OPTIONS] USERNAME COMMAND [ARGS]...
Unset user configuration.
Options:
-h, --help Show this message and exit.
Commands:
local Unset local user.
remote Unset remote user.
> delete user -h
Usage: cli delete user [OPTIONS] USERNAME
Delete user.
Options:
-h, --help Show this message and exit.
Policy
> create group -h
Usage: cli create group [OPTIONS] NAME
Create group.
For --lable, use format: key,value. If the option value starts with @, the
criterion matches string with substring 'value'.
Options:
--image TEXT container image name.
--node TEXT node name.
--container TEXT container workload name.
--application TEXT container application name.
--label TEXT container label.
-h, --help Show this message and exit.
> set group -h
Usage: cli set group [OPTIONS] NAME
Set group configuration.
For --lable, use format: key,value. If the option value starts with @, the
criterion matches string with substring 'value'.
Options:
--image TEXT container image name.
--node TEXT node name.
--container TEXT container workload name.
--application TEXT container application name.
--label TEXT container label.
-h, --help Show this message and exit.
> delete group -h
Usage: cli delete group [OPTIONS] NAME
Delete group.
Options:
-h, --help Show this message and exit.
> create policy rule -h
Usage: cli create policy rule [OPTIONS] FROM TO
Create and append policy rule, with unique rule id (< 10000).
Options:
--id INTEGER Policy rule ID. (Optional)
--ports TEXT Port list. eg: any or
80,8080,8500-8508,tcp/443,tcp/3306-3307,udp/53
--applications TEXT Application list. eg: http,kafka
--action [allow|deny]
--after INTEGER Specify policy rule ID that the new rule is inserted
after. Use 0 to insert to the first.
--comment TEXT
-h, --help Show this message and exit.
> set policy rule -h
Usage: cli set policy rule [OPTIONS] ID
Configure policy rule.
Options:
--from TEXT
--to TEXT
--ports TEXT Port list. eg: any or
80,8080,8500-8508,tcp/443,tcp/3306-3307,udp/53
--applications TEXT Application list. eg: http,kafka
--action [allow|deny]
--after INTEGER Specify policy rule ID that the new rule is inserted
after. Use 0 to insert to the first.
--comment TEXT
-h, --help Show this message and exit.
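The help texts for create policy rule and set policy rule above state the constraints a rule has to satisfy (the port-list syntax, action allow|deny, a rule id below 10000, --after 0 for first). When rules are generated by a script rather than typed in, it pays to check those constraints before the command reaches the Controller, because a rejected rule in a batch is easy to miss. The following Python is an added example, not NeuVector's or SUSE Security's own code: it parses the --ports syntax exactly as printed by the help text and assembles the argv for create policy rule. The group names and the rule in the test are constructed; treating rule ids as positive integers, ports as 1-65535 and "any" as the full range are assumptions, as is running cli with its subcommand on the command line (the Usage lines suggest it, the page only shows the interactive form).

```python
import re
from typing import List, Optional, Tuple

# Grammar of the --ports value as printed by `cli create policy rule -h`:
#   any | item[,item...]        item = [tcp/|udp/]port[-port]
# Example from the help text: 80,8080,8500-8508,tcp/443,tcp/3306-3307,udp/53
_ITEM = re.compile(r"^(?:(tcp|udp)/)?(\d{1,5})(?:-(\d{1,5}))?$")


def parse_ports(spec: str) -> List[Tuple[str, int, int]]:
    """Validate a --ports value and return one (protocol, low, high) per item.
    protocol is 'any' when no tcp/ or udp/ prefix is given. Raises ValueError
    on anything the grammar above does not accept (assumed range 1-65535)."""
    spec = spec.strip()
    if spec == "any":
        return [("any", 1, 65535)]
    items = []
    for raw in spec.split(","):
        m = _ITEM.match(raw.strip())
        if not m:
            raise ValueError(f"malformed port item {raw!r}")
        proto = m.group(1) or "any"
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise ValueError(f"port out of range in {raw!r}")
        if lo > hi:
            raise ValueError(f"inverted range in {raw!r}")
        items.append((proto, lo, hi))
    return items


def is_valid_ports(spec: str) -> bool:
    """True when parse_ports accepts spec; handy for pre-flight checks."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def build_create_rule_argv(src_group: str, dst_group: str, *, ports: str = "any",
                           action: str = "deny", applications: Optional[List[str]] = None,
                           rule_id: Optional[int] = None, after: Optional[int] = None,
                           comment: Optional[str] = None) -> List[str]:
    """Assemble argv for `cli create policy rule FROM TO` after checking every
    option against what the help text states. Append the list after
    `kubectl exec -it <manager-pod> -n neuvector --` to run it (assumption:
    cli accepts its subcommand on the command line)."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be allow or deny")
    if rule_id is not None and not 0 < rule_id < 10000:   # help text: unique rule id (< 10000)
        raise ValueError("rule id must be a positive integer below 10000")
    if after is not None and after < 0:                   # help text: 0 inserts first
        raise ValueError("--after takes an existing rule id, or 0")
    parse_ports(ports)                                    # raises before anything is sent
    argv = ["cli", "create", "policy", "rule"]
    if rule_id is not None:
        argv += ["--id", str(rule_id)]
    argv += ["--ports", ports, "--action", action]
    if applications:
        argv += ["--applications", ",".join(applications)]
    if after is not None:
        argv += ["--after", str(after)]
    if comment:
        argv += ["--comment", comment]
    return argv + [src_group, dst_group]
```

Because the Controller evaluates rules in order, a script that inserts with --after 0 should validate the whole batch first: one malformed --ports value aborting halfway leaves a partially applied rule set in protect mode.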
> delete policy rule -h
Usage: cli delete policy rule [OPTIONS] ID
Delete policy rule.
Options:
-h, --help Show this message and exit.
> show service -h
Usage: cli show service [OPTIONS] COMMAND [ARGS]...
Show service
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show service detail.
> set service -h
Usage: cli set service [OPTIONS] NAME COMMAND [ARGS]...
Set service configuration.
Options:
-h, --help Show this message and exit.
Commands:
policy_mode Set service policy mode [discover, monitor, protect]
> set system new_service policy_mode -h
SEE System (below)
Quarantine
> set container
Usage: cli set container [OPTIONS] ID_OR_NAME COMMAND [ARGS]...
Set container configuration.
Options:
-h, --help Show this message and exit.
Commands:
quarantine Set container quarantine state.
System
> set system -h
Usage: cli set system [OPTIONS] COMMAND [ARGS]...
Set system configuration.
Options:
-h, --help Show this message and exit.
Commands:
new_service policy_mode Set system policy mode.
syslog Set syslog server IP and port (1.2.3.4:514)
> set system syslog -h
Usage: cli set system syslog [OPTIONS] COMMAND [ARGS]...
Set syslog settings
Options:
-h, --help Show this message and exit.
Commands:
category syslog categories...
level Set syslog level
server Set syslog server IP and port (1.2.3.4:514)
status Enable/disable syslog
> set system new_service policy_mode -h
Usage: cli set system new_service policy_mode [OPTIONS] MODE
Set system new service policy mode.
Options:
-h, --help Show this message and exit.
MODES:
discover
monitor
protect
> unset system
Usage: cli unset system [OPTIONS] COMMAND [ARGS]...
Unset system configuration.
Options:
-h, --help Show this message and exit.
Commands:
syslog_server Unset syslog server address.
Vulnerability Scan
> set scan auto -h
Usage: cli set scan auto [OPTIONS] AUTO
Set scanner mode.
Options:
-h, --help Show this message and exit.
AUTO:
enable
disable
> request scan container -h
Usage: cli request scan container [OPTIONS] ID_OR_NAME
Request to scan one container
Options:
-h, --help Show this message and exit.
> request scan node -h
Usage: cli request scan node [OPTIONS] ID_OR_NAME
Request to scan one node
Options:
-h, --help Show this message and exit.
> show scan container -h
Usage: cli show scan container [OPTIONS]
Show scan container summary
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
--node TEXT list scan result on a given node
--first INTEGER list the first n scan result, default is list all
-h, --help Show this message and exit.
> show scan node -h
Usage: cli show scan node [OPTIONS]
Show scan node summary
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
--first INTEGER list the first n scan result, default is list all
-h, --help Show this message and exit.
> show scan image -h
Usage: cli show scan image [OPTIONS]
Show scan image summary
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
--first INTEGER list the first n scan result, default is list all
-h, --help Show this message and exit.
> show scan report container -h
Usage: cli show scan report container [OPTIONS] ID_OR_NAME
Show scan container detail report
Options:
-h, --help Show this message and exit.
> show scan report image -h
Usage: cli show scan report image [OPTIONS] NAME
Show scan image detail report
Options:
-h, --help Show this message and exit.
> show scan report node -h
Usage: cli show scan report node [OPTIONS] ID_OR_NAME
Show scan node detail report
Options:
-h, --help Show this message and exit.
Show/Debug Commands
> show container -h
Usage: cli show container [OPTIONS] COMMAND [ARGS]...
Show container.
Options:
-b, --brief brief output
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show container detail.
setting show container configurations.
stats Show container statistics.
> show enforcer -h
Usage: cli show enforcer [OPTIONS] COMMAND [ARGS]...
Show enforcer.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
counter Show enforcer counters.
detail Show enforcer detail.
setting show enforcer configurations.
stats Show enforcer statistics.
> show conversation -h
Usage: cli show conversation [OPTIONS] COMMAND [ARGS]...
Show conversations.
Options:
-g, --group TEXT filter conversations by group
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
pair Show conversation detail between a pair of...
> show controller -h
Usage: cli show controller [OPTIONS] COMMAND [ARGS]...
Show controller.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show controller detail.
setting show controller configurations.
> show group -h
Usage: cli show group [OPTIONS] COMMAND [ARGS]...
Show group.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show group detail.
> show log -h
Usage: cli show log [OPTIONS] COMMAND [ARGS]...
Log operations.
Options:
-h, --help Show this message and exit.
Commands:
event List events.
threat List threats.
violation List policy violations.
> show node -h
Usage: cli show node [OPTIONS] COMMAND [ARGS]...
Show node.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
bench Show node bench.
detail Show node detail.
ip_2_container Show node ip-container map.
> show policy -h
Usage: cli show policy [OPTIONS] COMMAND [ARGS]...
Show policy.
Options:
-h, --help Show this message and exit.
Commands:
derived List derived policy rules
rule Show policy rule.
> show session -h
Usage: cli show session [OPTIONS] COMMAND [ARGS]...
Show sessions.
Options:
-h, --help Show this message and exit.
Commands:
list list session.
summary show session summary.
> show system -h
Usage: cli show system [OPTIONS] COMMAND [ARGS]...
System operations.
Options:
-h, --help Show this message and exit.
Commands:
setting Show system configuration.
summary Show system summary.
> show user -h
Usage: cli show user [OPTIONS] COMMAND [ARGS]...
Show user.
Options:
-h, --help Show this message and exit.
> set enforcer -h
Usage: cli set enforcer [OPTIONS] ID_OR_NAME COMMAND [ARGS]...
Set enforcer configuration.
Options:
-h, --help Show this message and exit.
Commands:
debug Configure enforcer debug.
> delete conversation pair -h
Usage: cli delete conversation pair [OPTIONS] CLIENT SERVER
Delete conversations between a pair of containers.
Options:
-h, --help Show this message and exit.
> delete session -h
Usage: cli delete session [OPTIONS]
clear session.
Options:
-e, --enforcer TEXT filter sessions by enforcer
--id TEXT filter sessions by session id
-h, --help Show this message and exit.
Export/Import
> request export config -h
Usage: cli request export config [OPTIONS]
Export system configurations.
Options:
-s, --section [user|policy]
-f, --filename PATH
-h, --help Show this message and exit.
> request import config -h
Usage: cli request import config [OPTIONS] FILENAME
Import system configurations.
Options:
-h, --help Show this message and exit.
Packet Sniffer
Sniffer files are stored in the /var/neuvector/pcap directory of the Enforcer container. Make sure to map that volume to a directory on your host machine or local system in order to access the files. For example, in the docker-compose file add '- /var/neuvector:/var/neuvector' under volumes.
To start a packet capture on a pod, you need to know the container ID, which you enter in the ID_OR_NAME field. You can find it with show container -c <container_name>. Then start the sniffer with request sniffer start <container_id>. For example:
admin#neuvector-svc-controller.neuvector> show container -c pos-test
+--------------+-----------------------------------------------------------------------+-------------+---------------------------------------+----------+--------------+----------------------+------------------------+
| id           | name                                                                  | host_name   | image                                 | state    | applications | started_at           | interfaces             |
+--------------+-----------------------------------------------------------------------+-------------+---------------------------------------+----------+--------------+----------------------+------------------------+
| fc0b5458db1a | k8s_POD_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0      | gtk8s-node2 | k8s.gcr.io/pause:3.2                  | discover | []           | 2021-09-24T15:36:05Z | eth0:192.168.128.22/32 |
| 0f48441a21cd | k8s_POD_pos-test_pos-test_c405efe5-f767-4fbf-b424-ea3106d9ec62_0      | gtk8s-node1 | k8s.gcr.io/pause:3.2                  | exit     | []           | 2021-09-23T23:53:56Z | {}                     |
| 8ddb6052f2d1 | k8s_pos-test_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0 | gtk8s-node2 | docker.io/garricktam/jmeter-pos:5.4.1 | discover | []           | 2021-09-24T15:36:40Z | eth0:192.168.128.22/32 |
+--------------+-----------------------------------------------------------------------+-------------+---------------------------------------+----------+--------------+----------------------+------------------------+
admin#neuvector-svc-controller.neuvector> request sniffer start 8ddb6052f2d1
admin#neuvector-svc-controller.neuvector> show sniffer -c 8ddb6052f2d1
Total sniffers: 2
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
| id                                                                       | status  | enforcer_id  | container_id | size | file_number |
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
| 01119c164ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 24   | 1           |
| 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | running | 4ab9cc73178f | 8ddb6052f2d1 | 24   | 1           |
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
admin#neuvector-svc-controller.neuvector> request sniffer stop 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030
admin#neuvector-svc-controller.neuvector> show sniffer -c 8ddb6052f2d1
Total sniffers: 2
+--------------------------------------------------------------------------+---------+--------------+--------------+-------+-------------+
| id                                                                       | status  | enforcer_id  | container_id | size  | file_number |
+--------------------------------------------------------------------------+---------+--------------+--------------+-------+-------------+
| 01119c164ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 24    | 1           |
| 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 20165 | 1           |
+--------------------------------------------------------------------------+---------+--------------+--------------+-------+-------------+
If no duration is set, you need to find the sniffer ID in order to stop the sniffer. To do this,
Command options:
> request sniffer start -h
Usage: cli request sniffer start [OPTIONS]
Start sniffer.
Options:
-e, --enforcer TEXT Add sniffer by enforcer
-c, --container TEXT Add sniffer by container
-f, --file_number INTEGER Maximum number of rotation files
-s, --file_size INTEGER Maximum size (in MB) of rotation files
-o, --options TEXT Sniffer filter
-h, --help Show this message and exit.
> show sniffer -h
Usage: cli show sniffer [OPTIONS] COMMAND [ARGS]...
Show sniffer.
Options:
-e, --enforcer TEXT Show sniffers by enforcer
-h, --help Show this message and exit.
> request sniffer stop -h
Usage: cli request sniffer stop [OPTIONS] ID
Stop sniffer. You may need to include both the enforcer ID and the container ID.
Options:
-e, --enforcer TEXT Delete sniffer by enforcer
-h, --help Show this message and exit.
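The session above is a four-step procedure: find the container ID with show container, start the capture, read the sniffer ID back from show sniffer, and stop that ID. Done by hand the fragile step is the third one, since a sniffer started without a duration keeps writing pcap files until its 72-character ID is located and stopped. The following Python is an added example, not NeuVector's or SUSE Security's own code: it parses the tables the cli prints into records and derives the sniffer commands from them. It assumes the table layout shown above ('+---+' border lines, '|'-separated cells, the first '|' row being the header) and the option names from request sniffer start -h; the start command is built with the -c option from the help text, whereas the session above passes the container ID positionally. The two sample outputs are constructed from the session above with the cell padding trimmed.

```python
from typing import Dict, List, Optional

# Constructed sample: `show container -c pos-test` rows from the session above.
CONTAINER_OUTPUT = """\
+----+----+----+----+----+----+----+----+
| id | name | host_name | image | state | applications | started_at | interfaces |
+----+----+----+----+----+----+----+----+
| fc0b5458db1a | k8s_POD_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0 | gtk8s-node2 | k8s.gcr.io/pause:3.2 | discover | [] | 2021-09-24T15:36:05Z | eth0:192.168.128.22/32 |
| 0f48441a21cd | k8s_POD_pos-test_pos-test_c405efe5-f767-4fbf-b424-ea3106d9ec62_0 | gtk8s-node1 | k8s.gcr.io/pause:3.2 | exit | [] | 2021-09-23T23:53:56Z | {} |
| 8ddb6052f2d1 | k8s_pos-test_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0 | gtk8s-node2 | docker.io/garricktam/jmeter-pos:5.4.1 | discover | [] | 2021-09-24T15:36:40Z | eth0:192.168.128.22/32 |
+----+----+----+----+----+----+----+----+
"""

# Constructed sample: `show sniffer -c 8ddb6052f2d1` while one capture is running.
SNIFFER_OUTPUT = """\
Total sniffers: 2
+----+----+----+----+----+----+
| id | status | enforcer_id | container_id | size | file_number |
+----+----+----+----+----+----+
| 01119c164ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 24 | 1 |
| 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | running | 4ab9cc73178f | 8ddb6052f2d1 | 24 | 1 |
+----+----+----+----+----+----+
"""

PAUSE_IMAGE_PREFIX = "k8s.gcr.io/pause"   # the pod's infra container, as in the session above


def parse_cli_table(text: str) -> List[Dict[str, str]]:
    """Turn a cli table into a list of {header: cell} dicts. Border lines and
    other non-table lines (the prompt, 'Total sniffers: N') are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("|")]
    if not lines:
        return []

    def cells(line: str) -> List[str]:
        return [c.strip() for c in line.strip("|").split("|")]

    header = cells(lines[0])
    rows = []
    for line in lines[1:]:
        row = cells(line)
        if len(row) != len(header):
            raise ValueError(f"row/header column mismatch: {line!r}")
        rows.append(dict(zip(header, row)))
    return rows


def pick_workload_container(rows: List[Dict[str, str]], pod_name: str) -> Optional[str]:
    """ID of the live application container of pod_name. The session above
    captures on the application container rather than the pod's pause
    container and ignores exited containers; do the same here."""
    for r in rows:
        if (pod_name in r["name"] and r["state"] != "exit"
                and not r["image"].startswith(PAUSE_IMAGE_PREFIX)):
            return r["id"]
    return None


def sniffer_start_cmd(container_id: str, file_number: Optional[int] = None,
                      file_size_mb: Optional[int] = None,
                      filter_expr: Optional[str] = None) -> List[str]:
    """`request sniffer start` with the options listed in its help text
    (-c container, -f rotation files, -s file size in MB, -o filter)."""
    cmd = ["request", "sniffer", "start", "-c", container_id]
    if file_number is not None:
        cmd += ["-f", str(file_number)]
    if file_size_mb is not None:
        cmd += ["-s", str(file_size_mb)]
    if filter_expr:
        cmd += ["-o", filter_expr]
    return cmd


def running_sniffer_ids(rows: List[Dict[str, str]], container_id: str) -> List[str]:
    """Sniffer IDs still running on container_id: the IDs that
    `request sniffer stop ID` needs when no duration was set."""
    return [r["id"] for r in rows
            if r["container_id"] == container_id and r["status"] == "running"]


def sniffer_stop_cmds(rows: List[Dict[str, str]], container_id: str) -> List[List[str]]:
    """One `request sniffer stop` command per running sniffer on the container."""
    return [["request", "sniffer", "stop", sid]
            for sid in running_sniffer_ids(rows, container_id)]
```

Setting -f and -s on every start bounds the disk the capture can consume on the Enforcer node, which matters precisely in the no-duration case the note above describes; and stopping by parsed ID rather than by copying it from the terminal avoids stopping the wrong one of two sniffers that differ only in their first characters, as in the session above.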