Command Line
Using the SUSE® Security Command Line
The SUSE® Security solution supports a limited set of functions through the CLI. The CLI is provided by the Manager, which in turn uses the REST API to issue commands to the Controller; the Controller then manages the Enforcers as appropriate. The full set of operations is supported through the REST API, which can be exposed directly from the Controller. You can access the SUSE® Security CLI by entering the cli command on the Manager or Allinone, for example:
kubectl exec -it neuvector-manager-pod-5bb76b6754-rlmnp -n neuvector -- cli
docker exec -it allinone cli
where `allinone` is the container name of the Controller. You may need to use the container ID instead of the name.
Although the CLI is available through the Manager, we recommend connecting directly to the Controller via the REST API for queries and automation.
CLI Command Examples
Here are some of the most common CLI commands:
> login
> logout
Use the same user/password as for the console.
> show policy -h
Usage: cli show policy [OPTIONS] COMMAND [ARGS]...
> create policy rule -h
Usage: cli create policy rule [OPTIONS] FROM TO
> delete policy rule -h
Usage: cli delete policy rule [OPTIONS] ID
> show log -h
Usage: cli show log [OPTIONS] COMMAND [ARGS]...
> set system policy_mode -h
Usage: cli set system policy_mode [OPTIONS] MODE
Set system policy mode.
Options:
-h, --help Show this message and exit.
MODES:
learn=discover
evaluate=monitor
enforce=protect
> set controller <leader_controller_id> debug -c cpath
Turn on debug mode.
> set controller <leader_controller_id> debug
Turn off debug mode.
More CLI commands are listed below.
Command Line Reference and Commands
Login/Logout
> login -h
Usage: cli login [OPTIONS]
Login and obtain an authentication token.
Options:
--username TEXT
--password TEXT
-h, --help Show this message and exit.
> logout -h
Usage: cli logout [OPTIONS]
Clear local authentication credentials.
Options:
-h, --help Show this message and exit.
> exit -h
Usage: cli exit [OPTIONS]
Exit CLI.
Options:
-h, --help Show this message and exit.
Users
> create user -h
Usage: cli create user [OPTIONS] USERNAME ROLE
Create user.
Options:
--email TEXT
--locale TEXT
--password TEXT
--password2 TEXT
-h, --help Show this message and exit.
> set user -h
Usage: cli set user [OPTIONS] USERNAME COMMAND [ARGS]...
Set user configuration.
Options:
-h, --help Show this message and exit.
Commands:
local Set local user.
remote Set remote user.
> unset user -h
Usage: cli unset user [OPTIONS] USERNAME COMMAND [ARGS]...
Unset user configuration.
Options:
-h, --help Show this message and exit.
Commands:
local Unset local user.
remote Unset remote user.
> delete user -h
Usage: cli delete user [OPTIONS] USERNAME
Delete user.
Options:
-h, --help Show this message and exit.
Policy
> create group -h
Usage: cli create group [OPTIONS] NAME
Create group.
For --lable, use format: key,value. If the option value starts with @, the
criterion matches string with substring 'value'.
Options:
--image TEXT container image name.
--node TEXT node name.
--container TEXT container workload name.
--application TEXT container application name.
--label TEXT container label.
-h, --help Show this message and exit.
> set group -h
Usage: cli set group [OPTIONS] NAME
Set group configuration.
For --lable, use format: key,value. If the option value starts with @, the
criterion matches string with substring 'value'.
Options:
--image TEXT container image name.
--node TEXT node name.
--container TEXT container workload name.
--application TEXT container application name.
--label TEXT container label.
-h, --help Show this message and exit.
> delete group -h
Usage: cli delete group [OPTIONS] NAME
Delete group.
Options:
-h, --help Show this message and exit.
> create policy rule -h
Usage: cli create policy rule [OPTIONS] FROM TO
Create and append policy rule, with unique rule id (< 10000).
Options:
--id INTEGER Policy rule ID. (Optional)
--ports TEXT Port list. eg: any or
80,8080,8500-8508,tcp/443,tcp/3306-3307,udp/53
--applications TEXT Application list. eg: http,kafka
--action [allow|deny]
--after INTEGER Specify policy rule ID that the new rule is inserted
after. Use 0 to insert to the first.
--comment TEXT
-h, --help Show this message and exit.
> set policy rule -h
Usage: cli set policy rule [OPTIONS] ID
Configure policy rule.
Options:
--from TEXT
--to TEXT
--ports TEXT Port list. eg: any or
80,8080,8500-8508,tcp/443,tcp/3306-3307,udp/53
--applications TEXT Application list. eg: http,kafka
--action [allow|deny]
--after INTEGER Specify policy rule ID that the new rule is inserted
after. Use 0 to insert to the first.
--comment TEXT
-h, --help Show this message and exit.
> delete policy rule -h
Usage: cli delete policy rule [OPTIONS] ID
Delete policy rule.
Options:
-h, --help Show this message and exit.
> show service -h
Usage: cli show service [OPTIONS] COMMAND [ARGS]...
Show service
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show service detail.
> set service -h
Usage: cli set service [OPTIONS] NAME COMMAND [ARGS]...
Set service configuration.
Options:
-h, --help Show this message and exit.
Commands:
policy_mode Set service policy mode [discover, monitor, protect]
> set system new_service policy_mode -h
SEE System (below)
Quarantine
> set container
Usage: cli set container [OPTIONS] ID_OR_NAME COMMAND [ARGS]...
Set container configuration.
Options:
-h, --help Show this message and exit.
Commands:
quarantine Set container quarantine state.
System
> set system -h
Usage: cli set system [OPTIONS] COMMAND [ARGS]...
Set system configuration.
Options:
-h, --help Show this message and exit.
Commands:
new_service policy_mode Set system policy mode.
syslog Set syslog server IP and port (1.2.3.4:514)
> set system syslog -h
Usage: cli set system syslog [OPTIONS] COMMAND [ARGS]...
Set syslog settings
Options:
-h, --help Show this message and exit.
Commands:
category syslog categories...
level Set syslog level
server Set syslog server IP and port (1.2.3.4:514)
status Enable/disable syslog
> set system new_service policy_mode -h
Usage: cli set system new_service policy_mode [OPTIONS] MODE
Set system new service policy mode.
Options:
-h, --help Show this message and exit.
MODES:
discover
monitor
protect
> unset system
Usage: cli unset system [OPTIONS] COMMAND [ARGS]...
Unset system configuration.
Options:
-h, --help Show this message and exit.
Commands:
syslog_server Unset syslog server address.
Vulnerability Scanning
> set scan auto -h
Usage: cli set scan auto [OPTIONS] AUTO
Set scanner mode.
Options:
-h, --help Show this message and exit.
AUTO:
enable
disable
> request scan container -h
Usage: cli request scan container [OPTIONS] ID_OR_NAME
Request to scan one container
Options:
-h, --help Show this message and exit.
> request scan node -h
Usage: cli request scan node [OPTIONS] ID_OR_NAME
Request to scan one node
Options:
-h, --help Show this message and exit.
> show scan container -h
Usage: cli show scan container [OPTIONS]
Show scan container summary
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
--node TEXT list scan result on a given node
--first INTEGER list the first n scan result, default is list all
-h, --help Show this message and exit.
> show scan node -h
Usage: cli show scan node [OPTIONS]
Show scan node summary
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
--first INTEGER list the first n scan result, default is list all
-h, --help Show this message and exit.
> show scan image -h
Usage: cli show scan image [OPTIONS]
Show scan image summary
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
--first INTEGER list the first n scan result, default is list all
-h, --help Show this message and exit.
> show scan report container -h
Usage: cli show scan report container [OPTIONS] ID_OR_NAME
Show scan container detail report
Options:
-h, --help Show this message and exit.
> show scan report image -h
Usage: cli show scan report image [OPTIONS] NAME
Show scan image detail report
Options:
-h, --help Show this message and exit.
> show scan report node -h
Usage: cli show scan report node [OPTIONS] ID_OR_NAME
Show scan node detail report
Options:
-h, --help Show this message and exit.
Show/Debug Commands
> show container -h
Usage: cli show container [OPTIONS] COMMAND [ARGS]...
Show container.
Options:
-b, --brief brief output
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show container detail.
setting show container configurations.
stats Show container statistics.
> show enforcer -h
Usage: cli show enforcer [OPTIONS] COMMAND [ARGS]...
Show enforcer.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
counter Show enforcer counters.
detail Show enforcer detail.
setting show enforcer configurations.
stats Show enforcer statistics.
> show conversation -h
Usage: cli show conversation [OPTIONS] COMMAND [ARGS]...
Show conversations.
Options:
-g, --group TEXT filter conversations by group
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
pair Show conversation detail between a pair of...
> show controller -h
Usage: cli show controller [OPTIONS] COMMAND [ARGS]...
Show controller.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show controller detail.
setting show controller configurations.
> show group -h
Usage: cli show group [OPTIONS] COMMAND [ARGS]...
Show group.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
detail Show group detail.
> show log -h
Usage: cli show log [OPTIONS] COMMAND [ARGS]...
Log operations.
Options:
-h, --help Show this message and exit.
Commands:
event List events.
threat List threats.
violation List policy violations.
> show node -h
Usage: cli show node [OPTIONS] COMMAND [ARGS]...
Show node.
Options:
--sort TEXT sort field.
--sort_dir [asc|desc] sort direction.
-h, --help Show this message and exit.
Commands:
bench Show node bench.
detail Show node detail.
ip_2_container Show node ip-container map.
> show policy -h
Usage: cli show policy [OPTIONS] COMMAND [ARGS]...
Show policy.
Options:
-h, --help Show this message and exit.
Commands:
derived List derived policy rules
rule Show policy rule.
> show session -h
Usage: cli show session [OPTIONS] COMMAND [ARGS]...
Show sessions.
Options:
-h, --help Show this message and exit.
Commands:
list list session.
summary show session summary.
> show system -h
Usage: cli show system [OPTIONS] COMMAND [ARGS]...
System operations.
Options:
-h, --help Show this message and exit.
Commands:
setting Show system configuration.
summary Show system summary.
> show user -h
Usage: cli show user [OPTIONS] COMMAND [ARGS]...
Show user.
Options:
-h, --help Show this message and exit.
> set enforcer -h
Usage: cli set enforcer [OPTIONS] ID_OR_NAME COMMAND [ARGS]...
Set enforcer configuration.
Options:
-h, --help Show this message and exit.
Commands:
debug Configure enforcer debug.
> delete conversation pair -h
Usage: cli delete conversation pair [OPTIONS] CLIENT SERVER
Delete conversations between a pair of containers.
Options:
-h, --help Show this message and exit.
> delete session -h
Usage: cli delete session [OPTIONS]
clear session.
Options:
-e, --enforcer TEXT filter sessions by enforcer
--id TEXT filter sessions by session id
-h, --help Show this message and exit.
Export/Import
> request export config -h
Usage: cli request export config [OPTIONS]
Export system configurations.
Options:
-s, --section [user|policy]
-f, --filename PATH
-h, --help Show this message and exit.
> request import config -h
Usage: cli request import config [OPTIONS] FILENAME
Import system configurations.
Options:
-h, --help Show this message and exit.
Packet Sniffer
Note: Sniffer files are stored in the /var/neuvector/pcap directory of the Enforcer container. Make sure to map that volume to a directory on your host or local system so that the files can be accessed. For example, in a docker-compose file add `- /var/neuvector:/var/neuvector` to the volumes.
To start a packet capture on a pod, you need to know the container ID to pass in the ID_OR_NAME field. You can find it with `show container -c <container_name>`. Then start the sniffer with `request sniffer start <container_id>`. For example,
admin#neuvector-svc-controller.neuvector> show container -c pos-test
+--------------+-----------------------------------------------------------------------+-------------+---------------------------------------+----------+--------------+----------------------+------------------------+
| id | name | host_name | image | state | applications | started_at | interfaces |
+--------------+-----------------------------------------------------------------------+-------------+---------------------------------------+----------+--------------+----------------------+------------------------+
| fc0b5458db1a | k8s_POD_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0 | gtk8s-node2 | k8s.gcr.io/pause:3.2 | discover | [] | 2021-09-24T15:36:05Z | eth0:192.168.128.22/32 |
| 0f48441a21cd | k8s_POD_pos-test_pos-test_c405efe5-f767-4fbf-b424-ea3106d9ec62_0 | gtk8s-node1 | k8s.gcr.io/pause:3.2 | exit | [] | 2021-09-23T23:53:56Z | {} |
| 8ddb6052f2d1 | k8s_pos-test_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0 | gtk8s-node2 | docker.io/garricktam/jmeter-pos:5.4.1 | discover | [] | 2021-09-24T15:36:40Z | eth0:192.168.128.22/32 |
+--------------+-----------------------------------------------------------------------+-------------+---------------------------------------+----------+--------------+----------------------+------------------------+
admin#neuvector-svc-controller.neuvector> request sniffer start 8ddb6052f2d1
admin#neuvector-svc-controller.neuvector> show sniffer -c 8ddb6052f2d1
Total sniffers: 2
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
| id | status | enforcer_id | container_id | size | file_number |
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
| 01119c164ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 24 | 1 |
| 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | running | 4ab9cc73178f | 8ddb6052f2d1 | 24 | 1 |
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
admin#neuvector-svc-controller.neuvector> request sniffer stop 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030
admin#neuvector-svc-controller.neuvector> show sniffer -c 8ddb6052f2d1
Total sniffers: 2
+--------------------------------------------------------------------------+---------+--------------+--------------+-------+-------------+
| id | status | enforcer_id | container_id | size | file_number |
+--------------------------------------------------------------------------+---------+--------------+--------------+-------+-------------+
| 01119c164ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 24 | 1 |
| 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 20165 | 1 |
+--------------------------------------------------------------------------+---------+--------------+--------------+-------+-------------+
If no duration is set, you need to find the sniffer ID in order to stop the sniffer. To do this,
Command options:
request sniffer start -h
Usage: cli request sniffer start [OPTIONS]
Start sniffer.
Options:
-e, --enforcer TEXT Add sniffer by enforcer
-c, --container TEXT Add sniffer by container
-f, --file_number INTEGER Maximum number of rotation files
-s, --file_size INTEGER Maximum size (in MB) of rotation files
-o, --options TEXT Sniffer filter
-h, --help Show this message and exit.
show sniffer -h
Usage: cli show sniffer [OPTIONS] COMMAND [ARGS]...
Show sniffer.
Options:
-e, --enforcer TEXT Show sniffers by enforcer
-h, --help Show this message and exit.
request sniffer stop -h
Usage: cli request sniffer stop [OPTIONS] ID
Stop sniffer. You may need to include both the enforcer ID and the container ID.
Options:
-e, --enforcer TEXT Delete sniffer by enforcer
-h, --help Show this message and exit.
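The walkthrough above locates the container ID from `show container -c` and then the running sniffer ID from `show sniffer -c` by reading the CLI's ASCII tables. The following is an added example (not NeuVector code) that parses those tables so the two lookups can be scripted; the sample output is constructed from the rows shown above, trimmed to the columns the lookup needs, and the pause-container filter (`k8s_POD_` prefix) is an assumption about Kubernetes naming, not something the page states.

```python
# Constructed sample: "show container -c pos-test", trimmed to four columns.
SHOW_CONTAINER = """\
+--------------+--------------------------------------------------------------------+-------------+----------+
| id           | name                                                               | host_name   | state    |
+--------------+--------------------------------------------------------------------+-------------+----------+
| fc0b5458db1a | k8s_POD_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0   | gtk8s-node2 | discover |
| 0f48441a21cd | k8s_POD_pos-test_pos-test_c405efe5-f767-4fbf-b424-ea3106d9ec62_0   | gtk8s-node1 | exit     |
| 8ddb6052f2d1 | k8s_pos-test_pos-test_pos-test_bd3e2c9d-847a-4bcd-ac76-cb6fa651a8d2_0 | gtk8s-node2 | discover |
+--------------+--------------------------------------------------------------------+-------------+----------+
"""

# Constructed sample: "show sniffer -c 8ddb6052f2d1" while one capture is running.
SHOW_SNIFFER = """\
Total sniffers: 2
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
| id                                                                       | status  | enforcer_id  | container_id | size | file_number |
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
| 01119c164ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | stopped | 4ab9cc73178f | 8ddb6052f2d1 | 24   | 1           |
| 1f0702444ab9cc73178f217ab7a6dc25075a6fe5869ab836eda172925fe7b068cd573030 | running | 4ab9cc73178f | 8ddb6052f2d1 | 24   | 1           |
+--------------------------------------------------------------------------+---------+--------------+--------------+------+-------------+
"""


def parse_table(text):
    """Parse the CLI's ASCII table (+---+ borders, | separated cells) into dicts.
    Border lines and summary lines such as 'Total sniffers: 2' are skipped;
    the first cell row is treated as the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        rows.append([cell.strip() for cell in line.strip("|").split("|")])
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def container_ids_by_name(output, name):
    """IDs of live containers whose name contains `name`.  The k8s_POD_* pause
    (sandbox) container is skipped (assumption: it carries no app traffic) and so
    are exited containers, which cannot be sniffed."""
    return [r["id"] for r in parse_table(output)
            if name in r["name"] and not r["name"].startswith("k8s_POD_")
            and r["state"] != "exit"]


def running_sniffer_ids(output, container_id):
    """Sniffer IDs still running on `container_id`, i.e. the ones that
    'request sniffer stop <id>' must be given when no duration was set."""
    return [r["id"] for r in parse_table(output)
            if r["container_id"] == container_id and r["status"] == "running"]
```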