NDR Sensor CLI

All NDR Sensor-CLI Commands:

CLI Description Command

Clear security banner or message of the day


Clear the security banner or message of the day. The banner is reset to the system default banner.
clear banner

Clear/Delete all management interfaces in the system


Clear/delete all management interfaces in the system. This only empties the management interface list and does not affect the underlying network interface.
clear management-interfaces

Clear all name servers


Clear all name servers from the DNS configuration.
clear name-servers

Resets configured password complexity requirements to default


Resets configured password complexity requirements to default.
clear password-complexity

Clear search domains


Remove all domain names from the DNS search list.
clear search-domains

Clear SSH service start on boot


Configure the SSH service to not start on boot.
clear service ssh start-on-boot

Clear/Delete all sniffing interfaces in the system


Clear/delete all sniffing interfaces in the system. No packets will be captured after clearing the sniffing interfaces. This only empties the sniffing interface list and does not affect the underlying network interface.
clear sniffing-interfaces

Clear SSH Root login property


Disable the SSH root login property.
clear ssh root-login

Disable password expiration for the user


Disable password expiration for the user.
clear user <node-all-username> password-expiration

Disable password expiration warning for the user


Disable password expiration warning for the user.
clear user <node-all-username> password-expiration-warning

Copy core dumps to remote file destination


Copy system generated core dumps to a remote destination.
copy core-dump <core-dump-file-arg> url <scp-file-url-arg>

Copy a local file to remote destination


Copy a local file to a remote destination.
copy file <existing-file-arg> url <scp-file-url-arg>

Copy a remote file to the local file store


Copy a remote file to the local file store. If no destination file is specified, the copied file has the same file name as the source file. You can use the file argument to specify a different destination file name.
To specify an IPv6 remote address, enclose the server portion of the URL in square brackets.
copy url <url> [file <filename>]

Copy a remote https url file with same filename


Copy a remote https url file to local file using same filename.
copy url <url> thumbprint <thumbprint> [file <filename>]

Delete core dump files in the system


Delete core dump files in the system.
del core-dump [all|<core-dump-file-arg>]

Delete local file


Delete a local file.
del file <existing-file-or-pattern-arg>

Delete a management interface from the system


Delete a configured management interface from the system. This only removes the interface from the management interface list, and does not delete the network interface from the system.
del management-interface <management-interface-arg>

Delete name server


Delete the specified name server from the DNS configuration.
del name-server <name-server-arg>

Remove NTP server


Remove an existing NTP server.
del ntp-server <hostname-or-ip-address>

Delete IPv4 or IPv6 network route


Delete the specified network IPv4 or IPv6 route. Default value for the IPv6 route metric is 1024.
del route prefix <prefix> [gateway <gateway-ip>] [interface <interface-name>] [metric <ip-route-metric>]

Delete a domain name


Delete the specified domain name from the DNS search list.
del search-domains <search-domain-arg>

Delete a sniffing interface from the system


Delete a configured sniffing interface from the system. This only removes the interface from the sniffing interface list, and does not delete the network interface from the system. Once the interface is removed from the configuration, sniffing on it stops.
del sniffing-interface <sniffing-interface-arg>

Delete the IP address associated with the sniffing interface in the system


Delete the IP address associated with the sniffing interface in the system.
del sniffing-interface-ip <sniffing-interface-arg>

Delete SSH service known host


Delete the specified host entry from the SSH known hosts file.
del ssh-known-host <hostname-or-ip-address-optional-port-arg>

Delete SSH service keys from authorized_keys file for specified user


Delete any SSH key with specified label from specified user's authorized_keys file. If password is not provided in the command then you are prompted to enter it. Password is required only for users root and admin.
del user <username> ssh-keys label <key-label> [password <password>]

Exit the CLI


Exit the CLI.
exit

Show system arp cache


Display the ARP table (includes information about internal interfaces).
get arp-table

Get CLI account lockout period


Get the amount of time, in seconds, that an account will remain locked out of the CLI after exceeding the maximum number of failed authentication attempts.
get auth-policy cli lockout-period

Get CLI maximum authentication failures


Get the number of failed CLI authentication attempts that are allowed before the account is locked. If set to 0, account lockout is disabled.
get auth-policy cli max-auth-failures

Get minimum allowable password length


Get the minimum number of characters that passwords must have.
get auth-policy minimum-password-length

Show Sensor Certificate in the system


Show Sensor Certificate in the system.
get certificate <get-certificate-entity-arg>

Show status to display datetime stamp


Show status to display datetime stamp in command output.
get cli-output datetime

Show inactivity timeout


Show inactivity timeout in seconds.
get cli-timeout

Display system clock


Display the current date and time.
get clock

Display commands history


Display the commands history in command output.
To show all command history set size to 0.
get command history

Get core dump config


Get the core dump generation and rotation configuration.
get core-dump config

List core dump files in the system


Display information about the core dump files in the system.
get core-dumps

Show the system CPU status


Display the system CPU information.
get cpu-stats

List docker containers in the system


List all the docker containers in the system (equivalent of 'docker ps -a').
get docker-containers

List docker images in the system


List docker images in the system (equivalent of 'docker images').
get docker-images

List file in the filestore


Display information about the specified file in the filestore.
get file <existing-file-arg>

Display file thumbprint


Display the file thumbprint.
get file <existing-file-arg> thumbprint

List files in the filestore


Display information about the files in the filestore.
get files

Show the system storage capacity


Display the file system information.
get filesystem-stats

Display GRUB menu timeout


Display GRUB menu timeout.
get grub menu timeout

List home networks in the system


List all the home networks in the system.
get home-networks

Display system hostname


Display the system hostname.
get hostname

Display network interface properties


Display information about the specified network interface.
get interface <interface-name-arg>

Display all network interface properties


Display information about all network interfaces.
get interfaces

Show log file contents


Display the contents of the specified log file.
get log-file <log-file-arg>

Show log file contents


Display the last 10 lines of the specified log file and all new messages that are written to the log file.
get log-file <log-file-arg> follow

List management interfaces in the system


List all the network management interfaces in the system.
get management-interfaces

Show the system memory status


Display the system memory information.
get memory-stats

Get all name servers


Get all name servers in the DNS configuration.
get name-servers

Show the system network statistics for non-sniffing interfaces.


Display the system network statistics for non-sniffing interfaces.
get network-stats

Show NTP associations


Display the status of the NTP system. The delay, offset and dispersion values are in seconds.
get ntp-server associations

Show NTP servers


Display all NTP servers.
get ntp-servers

Get configured password complexity requirements


Get configured password complexity requirements.
get password-complexity

Display system processes


Display a snapshot of the system processes.
get processes

Display process monitor


Display information about processes that are running. The display is updated every few seconds.
get processes monitor

Display specific IPv4 or IPv6 routes for the prefix


Display specific IPv4 or IPv6 routes for the prefix.
get route prefix <cidr46-notation>

Display IPv4 and IPv6 routes


Display all configured IPv4 and IPv6 routes.
get routes

Display IPv4 or IPv6 routes


Display all configured IPv4 or IPv6 routes.
get routes <ip-address-type>

Get all search domains


Get all domain names in the DNS search list.
get search-domains

List all details specific to the sensor.


List all details specific to the sensor.
get sensor details

Display service properties


Display information about the specified service.
get service <service-name-arg>

Get the Rapid service logging level


Get the log level of the Rapid service. This service is responsible for analyzing files for malware threats.
get service rapid logging-level

Get the sensor-container-orchestration service logging level


Get the log level of the sensor-container-orchestration service. This service is the central logic that manages the lifecycle of all the other containerized application services, making sure the sensor is always running the right components based on its current configuration and status.
get service sensor-container-orchestration logging-level

Get the sensor-health service logging level


Get the log level of the sensor-health service. This service detects the health of each of the core services.
get service sensor-health logging-level

Get the sensor-service service logging level


Get the log level of the sensor-service service. Sensor client service is responsible for communicating with Security Services Platform (SSP) and managing configuration of the sensor.
get service sensor-service logging-level

Get the sensor-uploading service component logging level.


Get the logging level of a component within sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
get service sensor-uploading [[component <component>] logging-level]

Get the sensor-uploading service logging level


Get the log level of the sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
get service sensor-uploading logging-level

Get the sniffing service logging level.


Get the log level of the sniffing service. Sniffing service is responsible for capturing network traffic.
get service sniffing [[component <component>] logging-level]

Get the sniffing service component logging level.


Get the logging level of a component within sniffing service. Sniffing service is responsible for capturing network traffic.
get service sniffing [[component <component>] logging-level]

Display service properties


Display information about all services.
get services

List sniffing interfaces in the system


List all the network sniffing interfaces in the system.
get sniffing-interfaces

Show active network connections


Display active network connections.
get sockets

Save support bundle in filestore


Display the contents of the tech support bundle. Specify the file argument to save the bundle to a file with the specified file name in the file store. This support bundle does not contain core or audit log files. To include those files, specify the all argument.

Core files contain system information and all information stored in memory at the time of the dump (this may include confidential, sensitive or personal information such as passwords and encryption keys, if they are being processed in memory at that time). If you choose to send the support bundle to VMware, it will be processed in accordance with VMware's standard processes and policies, to provide you with support, fix problems and improve the product and services.


get support-bundle [file <filename> [log-age <no-of-days>] [all]]

Display progress status of last upgrade step


Display the status of the upgrade steps run on the node and details of last upgrade step.
get upgrade progress-status

Display playbook contents


Display the contents of the specified playbook for the specified upgrade bundle.
get upgrade-bundle <bundle-name-arg> playbook <playbook-file-arg>

List all playbooks in the filestore


Display all playbooks in the file store.
get upgrade-bundle playbooks

Show the system uptime


Display the system uptime information.
get uptime

Get the number of days until user password expiration


Get the number of days the user's password is valid after a password change, and the number of days before expiration that the user receives a password expiration warning message.
get user <node-all-username> password-expiration

Get user status for specified non-root user


Get user status for specified non-root user.
get user <node-all-username> status

Get SSH keys from authorized_keys file for specified user


Get SSH keys from authorized_keys file for specified user.
get user <node-username> ssh-keys

Display system version


Display the version of the NDR Sensor appliance.
get version

Display help information.


Display help information. See the example below.
help

List available commands


This command lists all available commands.
list

nslookup


Get DNS lookup information.
nslookup <hostname-or-ip-address>

Ping host


Ping a host or IP address. Use Control-C to stop the command. Optionally use the repeat argument to specify how many packets to transmit.
ping <hostname-or-ip-address> [repeat <number>]

Reboot system


Reboot the system. If you specify the force argument, the system will reboot immediately without prompting for confirmation.
reboot [force]

Register sensor with Security Services Platform (SSP)


Register sensor with Security Services Platform (SSP).
register sensor registration-manifest <registration-manifest-arg> sensor-name <sensor-name-arg>

Reset registration on sensor.


Reset the sensor's registration with the SSP portal.
reset registration

Restart service


Restart the specified service.
restart service <restartable-service-name-arg>

Execute playbook resume action


Resume an upgrade after running the command start upgrade-bundle <bundle-name> playbook <playbook-file> and the system was rebooted.
resume upgrade-bundle <bundle-name-arg> playbook

Set CLI account lockout period


Sets the amount of time, in seconds, that an account will remain locked out of the CLI after exceeding the maximum number of failed authentication attempts. While the lockout period is in effect, additional authentication attempts restart the lockout period, even if a valid password is specified.
set auth-policy cli lockout-period <lockout-period-arg>

Set CLI maximum authentication failures


Set the number of failed CLI authentication attempts that are allowed before the account is locked. If set to 0, account lockout is disabled.
set auth-policy cli max-auth-failures <auth-failures-arg>

Set minimum allowable password length


Set the minimum number of characters that passwords must have. The smallest value that can be set is 8.
set auth-policy minimum-password-length <password-length-arg>

Set security banner or message of the day


Set the security banner or message of the day.
set banner

Update certificate


Update certificate for the given entity.
set certificate <set-certificate-entity-arg> <x509-encoded-certificate-arg>

Set status to display datetime stamp


Set status to display datetime stamp in command output.
set cli-output datetime <datetime-arg>

Set inactivity timeout


Set inactivity timeout in seconds. To disable the timeout, specify 0.
set cli-timeout <timeout-arg>

Set core dump file limit global config


Global limit on the number of most recent core dump files preserved across all processes or applications. By default, the latest 2 core dump files are preserved. To disable this limit, set the value to 0.

Note: disabling this limit may consume more disk space and can cause disk space exhaustion.


set core-dump global file-limit <core-dump-limit>

Set core dump frequency threshold global config


Global threshold, in seconds, on how frequently core dump files may be generated by any process or application. A core dump request from an application that already generated a core dump within the threshold period is ignored; a new core dump request takes effect only after the threshold period has expired. By default, the threshold is 600 seconds. To disable this threshold, set the value to 0.

Note: disabling this threshold may consume more disk space and can cause disk space exhaustion.


set core-dump global frequency-threshold <core-dump-threshold-freq>

Set Core dump limit config per application


Limit on the number of most recent core dump files preserved per process or application. To disable this limit, set the value to 0.

Note: disabling this limit may consume more disk space and can cause disk space exhaustion.


set core-dump process <process-name> file-limit <core-dump-limit>

Set GRUB menu timeout


Set GRUB menu timeout.
set grub menu timeout <grub-menu-timeout>

Set GRUB user password


Set GRUB user password.
set grub user <grub-username> password [<grub-password>]

Set commands history size


Set command history size.
set history limit <history-size>

Set system hostname


Set the system hostname. Changing the hostname changes the command line prompt.
set hostname <hostname-arg>

Configure the specified interface to use DHCP


Configure the specified interface to use DHCP. IPv6 based functionality is not supported in this release.
set interface <configurable-interface-name> dhcp

Set network IP address and netmask


Configure a static IP address and netmask. Make sure an appropriate network route is also configured. You can use the optional gateway argument, or set a route using the set route command. IPv6 based functionality is not supported in this release.
set interface <interface-name> ip <prefix-ipv46> [gateway <gateway-ip>]

Set management interfaces in the system


Set a specific management interface in the system. Once set, this interface can be used for managing the sensor. At least one management interface has to be set before configuring sniffing-interfaces.
set management-interface <available-for-management-interface-arg>

Set Sensor configuration through a single command in the system


Set Sensor configuration through a single command, which includes setting of sniffing and management interface, hostname, name-servers, ntp-server, timezone, search-domains.
set management-interface <available-for-management-interface-arg> sniffing-interface <available-for-sniffing-interface-arg> mode <sniffing-mode-arg> mtu <sniffing-mtu-arg> sniffing-interface-ip <sniffing-cidr46-notation-or-skip> hostname <hostname-arg-or-skip> name-servers <ip46-address-or-skip> ntp-server <hostname-or-ip-address-or-skip> timezone <timezone-arg-or-skip> search-domains <search-domain-arg-or-skip>

Add name server


Add a name server to the DNS configuration.
set name-servers <name-server-arg>

Add NTP server


Configure a new NTP server.
set ntp-server <hostname-or-ip-address>

Configure password complexity requirements


Configure password complexity requirements.
  • Minimum password length: the minimum number of characters a password must have; users cannot set a password shorter than this value. Default: 12, Minimum: 8, Maximum: 128

  • Maximum password length: the maximum number of characters allowed in a password; users cannot set a password longer than this value. Default: 128, Minimum: 8, Maximum: 128

  • Lower characters: number of lower case characters (a..z) expected in the user password.

    N < 0 sets a minimum requirement: the new password must contain at least that many (the absolute value of N) lower case characters.

    N > 0 sets a maximum credit: each lower case character in the password adds a credit of +1 toward meeting the current minimum password length, up to N lower case characters.

    N = 0 disables the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Upper characters: number of upper case characters (A..Z) expected in the user password.

    N < 0 sets a minimum requirement: the new password must contain at least that many (the absolute value of N) upper case characters.

    N > 0 sets a maximum credit: each upper case character in the password adds a credit of +1 toward meeting the current minimum password length, up to N upper case characters.

    N = 0 disables the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Numeric characters: number of digits (0..9) expected in the user password.

    N < 0 sets a minimum requirement: the new password must contain at least that many (the absolute value of N) digits.

    N > 0 sets a maximum credit: each digit in the password adds a credit of +1 toward meeting the current minimum password length, up to N digits.

    N = 0 disables the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Special characters: number of special characters (!@#$&*..) expected in the user password.

    N < 0 sets a minimum requirement: the new password must contain at least that many (the absolute value of N) special characters.

    N > 0 sets a maximum credit: each special character in the password adds a credit of +1 toward meeting the current minimum password length, up to N special characters.

    N = 0 disables the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Minimum unique characters: number of character changes in the new password that differentiate it from the old password. To disable the check, set the value to 0. Default: 0, Minimum: 0, Maximum: 128

  • Allowed similar consecutive characters: reject passwords that contain more than N same consecutive characters. To disable the check, set the value to 0. Default: 0, Minimum: 0, Maximum: 128

  • Allowed monotonic sequence: reject passwords that contain more than N monotonic character sequences. Monotonic sequences can be '12345' or 'fedcb'. To disable the check, set the value to 0. Default: 0, Minimum: 0, Maximum: 128

  • Hash algorithm: sets the hash/cryptographic algorithm type for new passwords. Default: sha512. Enum: [ sha512, sha256 ]

  • Password remembrance: limits reuse of past passwords; users cannot set the same password within N generations. To disable the check, set the value to 0. Default: 0, Minimum: 0

Note: passwords shorter than 8 characters are never allowed.


set password-complexity [<complexity-name> <complexity-value>]
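The sign convention above is easy to misread, so here is an added example (not NDR Sensor code) that models the length, character-class and consecutive-character checks in Python. It assumes that credits are added to the raw length before comparison with the minimum length and that "special" means ASCII punctuation; the names `Policy`, `check_password` and `effective_length` are hypothetical.

```python
import string
from dataclasses import dataclass

HARD_FLOOR = 8  # page: passwords under 8 characters are never allowed


@dataclass
class Policy:
    """Hypothetical container; defaults are the ones documented on the page."""
    min_length: int = 12
    max_length: int = 128
    lower: int = -1      # N < 0: require |N|; N > 0: credit up to N; 0: off
    upper: int = -1
    digits: int = -1
    special: int = -1
    max_repeat: int = 0  # allowed similar consecutive characters; 0: off


def class_counts(pw):
    # Assumption: "special" is ASCII punctuation; the page only lists "!@#$&*..".
    return {
        "lower": sum(c in string.ascii_lowercase for c in pw),
        "upper": sum(c in string.ascii_uppercase for c in pw),
        "digits": sum(c in string.digits for c in pw),
        "special": sum(c in string.punctuation for c in pw),
    }


def longest_run(pw):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def effective_length(pw, policy):
    """Raw length plus +1 credit per character of each class whose N > 0,
    capped at N per class (assumed reading of the page's credit wording)."""
    credit = 0
    for name, count in class_counts(pw).items():
        n = getattr(policy, name)
        if n > 0:
            credit += min(count, n)
    return len(pw) + credit


def check_password(pw, policy=None):
    """Return a list of policy violations; an empty list means accepted."""
    policy = policy or Policy()
    problems = []
    if len(pw) < HARD_FLOOR:
        problems.append("shorter than the 8-character floor")
    if len(pw) > policy.max_length:
        problems.append("longer than the maximum password length")
    for name, count in class_counts(pw).items():
        n = getattr(policy, name)
        if n < 0 and count < -n:
            problems.append(f"needs at least {-n} {name} character(s)")
    if effective_length(pw, policy) < policy.min_length:
        problems.append("effective length below the minimum password length")
    if policy.max_repeat > 0 and longest_run(pw) > policy.max_repeat:
        problems.append(f"more than {policy.max_repeat} same consecutive characters")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    credit_policy = Policy(lower=0, upper=2, digits=2, special=2)
    for pw, pol in [("Sensor-Admin-2024x", Policy()),
                    ("alllowercasepw", Policy()),
                    ("AB12!?gh", credit_policy),
                    ("Paaassword-123x", Policy(max_repeat=2))]:
        print(pw, "->", check_password(pw, pol) or "accepted")
```

Under this reading, positive values let an 8-character password satisfy a minimum length of 12, so negative values (hard minimums) are the stricter choice when auditing a sensor's `get password-complexity` output.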

Add IPv4 or IPv6 network route


Add IPv4 or IPv6 network route. You can also just set a gateway by specifying a prefix value of 0.0.0.0/0 for IPv4 and ::/0 for IPv6. Default value for the IPv6 route metric is 1024.
set route prefix <prefix> [gateway <gateway-ip>] [interface <interface-name>] [metric <ip-route-metric>]

Add a domain name


Add a domain name to the DNS search list.
set search-domains <search-domain-arg>

Set the Rapid service logging level


Set the log level of the Rapid service. This service is responsible for analyzing files for malware threats.
set service rapid logging-level <sensor-type-2-logging-level-arg>

Set the sensor-container-orchestration service logging level


Set the log level of the sensor-container-orchestration service. This service is the central logic that manages the lifecycle of all the other containerized application services, making sure the sensor is always running the right components based on its current configuration and status.
set service sensor-container-orchestration logging-level <sensor-type-2-logging-level-arg>

Set the sensor-health service logging level


Set the log level of the sensor-health service. This service detects the health of each of the core services.
set service sensor-health logging-level <sensor-type-2-logging-level-arg>

Set the sensor-service service logging level


Set the log level of the sensor-service service. Sensor client service is responsible for communicating with Security Services Platform (SSP) and managing configuration of the sensor.
set service sensor-service logging-level <sensor-type-1-logging-level-arg>

Set the sensor-uploading service component logging level.


Set the logging level for a specific component within sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
set service sensor-uploading [component <component>] logging-level <level>

Set the sensor-uploading service logging level


Set the log level of the sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
set service sensor-uploading logging-level <sensor-type-2-logging-level-arg>

Set the sniffing service component logging level.


Set the logging level for a specific component within sniffing service. Sniffing service is responsible for capturing network traffic.
set service sniffing [component <component>] logging-level <level>

Set the sniffing service logging level.


Set the log level of the sniffing service. Sniffing service is responsible for capturing network traffic.
set service sniffing [component <component>] logging-level <level>

Set SSH service start on boot


Configure the SSH service to start on boot.
set service ssh start-on-boot

Set sniffing interfaces in the system


Set a specific sniffing interface in the system. Once set, the network traffic from the sniffing interface will be captured to identify and alert on potential security threats and malicious activity.
set sniffing-interface <available-for-sniffing-interface-arg> [mode <sniffing-mode-arg> mtu <sniffing-mtu-arg>]

Set sniffing interface IP address in the system


Set an IP address for an existing sniffing interface in the system. The IP address only enables the sniffing interface to respond to basic ARP requests, in both NATIVE and COMPAT modes. Setting the IP address is required for Encapsulated Remote Mirroring. IPv6 based functionality is not supported in this release.
set sniffing-interface-ip <sniffing-interface-arg> ip <sniffing-cidr46-notation>

Set SSH Root login property


Enable the SSH root login property.
set ssh root-login

Set system timezone


Set the system timezone.
set timezone <timezone-arg>

Set number of days the user's password is valid after a password change


Set number of days the user's password is valid after a password change.
set user <node-all-username> password-expiration <password-expiration-arg>

Set number of days before password expiration that the user receives a warning message


Set the number of days before password expiration that the user receives a warning message. Set 0 to disable warning messages for password expiry.
set user <node-all-username> password-expiration-warning <password-expiration-warn-arg>

Set new username for specified non-root user


Set new user name for the specified non-root user.
set user <node-all-username> username <new-node-username>

Set user password


Set the password for the specified user. If you do not specify the password on the command line, you will be prompted for it. For details on setting passwords during installation, see the NDR Sensor documentation.
set user <username> password [<password> [old-password <old-password>]]

Add SSH service key to authorized_keys file for specified user


Add SSH service key to authorized_keys file for specified user. If password is not provided in the command then you are prompted to enter it. Password is required only for users root and admin.
set user <username> ssh-keys label <key-label> type <key-type> value <key-value> [password <password>]

Shutdown system


Shut down the system. If you specify the force argument, the system will shut down immediately without prompting for confirmation.
shutdown [force]

Start service


Start the specified service.
start service <start-stoppable-service-name-arg>

Execute a playbook given a valid playbook file


Start an upgrade with the specified upgrade bundle and according to the specified playbook.
start upgrade-bundle <bundle-name-arg> playbook <playbook-file-arg>

Stop service


Stop the specified service.
stop service <service name> [force]

traceroute


Trace the route to the specified IPv4 address or host.
traceroute <hostname-or-ip-address>

Verify and extract bundle to default location


Verify and extract the specified upgrade bundle to the default location.
verify upgrade-bundle <bundle-name-arg>

Total commands: 142