Help Text from CLI

For version 2.8.5+ there are two different operating modes for the CLI: "auto" and "legacy". Below is the basic help topic included with the CLI, followed by the separate "auto" and "legacy" help topics.

Ver. 2.8.5+

Code Block
ConfigOS CLI v2.8.5.0
Copyright (c) 2022 SteelCloud, LLC

   Required Parameters:
       Application Security Credentials (-sc, -sq, -creds)
          -sc    :  Credentials are prompted, and password is hidden.
          -sq    :  Credentials need to be entered as username and then password (not hidden). This uses the standard input.
          -creds :  Credentials are included in the arguments with a colon separating the username and password. Example: "username:password".

       Type [auto][legacy]
          auto   :  Pulls information from the database.
          legacy :  Uses the legacy CLI arguments.


   Need more help?
       --help auto   : Prints the auto help
       --help legacy : Prints the legacy help

Ver. 2.8.5+ - Auto

Code Block
ConfigOS CLI v2.8.5.0
Copyright (c) 2022 SteelCloud, LLC

   Required Parameters:
       Application Security Credentials (-sc, -sq, -creds)
          -sc    :  Credentials are prompted, and password is hidden.
          -sq    :  Credentials need to be entered as username and then password (not hidden). This uses the standard input.
          -creds :  Credentials are included in the arguments with a colon separating the username and password. Example: "username:password".

       Type [auto][legacy]
          auto   :  Pulls information from the database.
          legacy :  Uses the legacy CLI arguments.


   Required Parameters for Auto:
          -c, --credmode [e][g:path]
                Specifies what element to pull data from for the credentials and the policy container with defaults.
                   [e]       : Uses the information for the target [-t] endpoint.
                   [g:path]  : Uses the group information based on the path provided. Use \ between folder levels (see examples for more details).
          -t, --target      : The target endpoint IP address or hostname to run.
          -p, --policyfile  : The ConfigOS policy (.cxp) or rollback file (.exml) to use for scan or remediation.

   Required For Auto rollback:
          --mode remediate       : Mode must be set at remediate.
           --rollbackpolicyfile  : Include the full path and filename to the rollback zip file.

   Optional Parameters for Auto:
          The parameters below are overrides, they will replace what has been saved in the database for preferences and policy defaults.

          --policycontainer  : Overrides the policy container path.
          --mode             : Overrides the default mode, set to either 'scan' or 'remediate'.
          --rollbackpath     : Overrides the location where rollback policy will be stored.
          --reportpath       : Overrides the location where reports are stored.
          --processlog       : Overrides the location for where the process log are stored.
          --keyexchange      : Overrides the SSH Key Exchange algorithms and is a comma separated list. Contact Support for detailed list.
          --encryptioncipher : Overrides the SSH Encryption Cipher algorithms and is a comma separated list. Contact Support for detailed list.
          --gpo              : Overrides the GPO scan for conflicts (true/false).
          --xccdf            : Overrides the XCCDF report generation (true/false).

   Usage Examples:
          ConfigOS_CLI.exe -sc auto -c e -t "MyTargetIPAddress" -p "MyPolicy.cxp"
          ConfigOS_CLI.exe -sc auto -c e -t "MyTargetIPAddress" -p "MyPolicy2.cxp" --policycontainer "C:\MyPolicyContainer2.csc2"
          ConfigOS_CLI.exe -sc auto -c e -t "MyTargetIPAddress" -p "MyPolicyToRollback.exml" --mode "remediate" -rollbackpolicyfile "C:\My\Policy\Container\Location\Rollback.zip"
          ConfigOS_CLI.exe -sq auto -c "g:TopGroup\LinuxBox" -t "MyTargetIPAddress" -p "MyLinuxPolicy.cxp" --keyexchange "SSH_KEX_RSA2048_SHA256" --xccdf true
          ConfigOS_CLI.exe -creds "AppUser:Password" -t "MyTargetIPAddress" -p "MyPolicy.cxp" --mode remediate --gpo true --rollbackpath "C:\My\Rollback\Storage\Location"

NOTE: When you specify the target endpoint in the "credmode" parameter ("--credmode e"), you need to use the "HostName/IP" field in the Command Center GUI and NOT the "Endpoint Name".
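
Added example (not part of the vendor help text): of the three credential options above, -creds places the application password in the process command line, where process listings and command-line audit logs can record it, while -sq reads it from standard input. The PowerShell wrapper below runs the first usage example unattended with -sq; the function name, the install path and the one-value-per-line standard input format are assumptions.

```powershell
# Added example, not vendor code. Assumptions: the function name, the default
# install path, and that -sq reads the username and then the password as
# separate lines on standard input.
function Invoke-ConfigOSAutoScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Target,            # value of the HostName/IP field
        [Parameter(Mandatory)] [string] $PolicyFile,        # e.g. MyPolicy.cxp
        # Application credential, e.g. loaded from a DPAPI-protected file:
        #   Get-Credential | Export-Clixml C:\Secure\configos.cred.xml   (once)
        #   $cred = Import-Clixml C:\Secure\configos.cred.xml            (each run)
        [Parameter(Mandatory)] [pscredential] $AppCredential,
        [string] $CliPath = 'C:\ConfigOS\ConfigOS_CLI.exe'  # hypothetical path
    )

    if (-not (Test-Path -LiteralPath $CliPath -PathType Leaf)) {
        throw "ConfigOS CLI not found at $CliPath"
    }

    # Only non-secret values are passed as arguments.
    $cliArgs = @('-sq', 'auto', '-c', 'e', '-t', $Target, '-p', $PolicyFile)

    $password = $AppCredential.GetNetworkCredential().Password
    try {
        # Each piped string reaches the CLI's standard input followed by a newline.
        $AppCredential.UserName, $password | & $CliPath @cliArgs
        Write-Verbose "ConfigOS_CLI.exe exit code: $LASTEXITCODE"
    }
    finally {
        # Drop the plaintext reference as soon as the process has finished.
        $password = $null
    }
}
```

A file written by Export-Clixml can only be decrypted by the same Windows user on the same machine, so the scheduled task has to run under the account that created it.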

Ver. 2.8.5+ - Legacy

Code Block
ConfigOS CLI v2.8.5.0
Copyright (c) 2022 SteelCloud, LLC

   Required Parameters:
       Application Security Credentials (-sc, -sq, -creds)
          -sc    :  Credentials are prompted, and password is hidden.
          -sq    :  Credentials need to be entered as username and then password (not hidden). This uses the standard input.
          -creds :  Credentials are included in the arguments with a colon separating the username and password. Example: "username:password".

       Type [auto][legacy]
          auto   :  Pulls information from the database.
          legacy :  Uses the legacy CLI arguments.


   Required Parameters for Legacy:
          -l, --login              : The username to use when connecting to the targeted system.
          -p, --password           : The password to use when connecting to the targeted system.
          -pc, --policycontainer   : The location of the policy container (.csc2) or rollback container (.zip) to use when processing against the targeted system.
          -pf, --policyfile        : The ConfigOS policy (.cxp) or rollback file (.exml) inside of the specified container to use for scan or remediation.
          [address][address:port]  : The last parameters will be the targeted host IP address or hostname with optional port number.

   Optional Parameters for Legacy:
          -m, --mode         : Sets the operation mode to either 'scan' or 'remediate' for the selected policy file. System will default to scan if invalid value or no mode is provided.
          -R, --rollbackdir  : Specifies the location where rollback policy will be saved. Defaults to the application install directory if not specified.
          -P, --port         : Connection port to connect to on the targeted system. This can also be included at the end of the arguments with the IP address as address:port.
          -sl, --sulogin     : Sudo login, an elevated user to use when executing commands on the targeted system. Linux only.
          -sp, --supasswd    : Sudo password to use when elevating to a sudo-credentialed user on the targeted system. Linux only.
          -al, --applogin    : The application username to use when connecting to an application on the targeted system.

          -ap, --apppasswd   : The application password to use when connecting to an application on the targeted system.

          -K, --kex          : Set the key exchange algorithm(s) to use in SSH handshake.
          -E, --enc          : Set the data encryption cipher algorithm(s) to use in SSH handshake.
          -db, --database    : Set the database name.
          -dbp, --dbport     : Set the database port.
          -dbi, --dbinstance : Set the instance name for the database.
          -r, --report       : Sets the root folder location for scan or remediation reports. HTML report is generated by default.
          -lg, --logs        : Generates process logs and stores them at the specified location.
          -xc, --xccdfreport : Stores an unencrypted version of our machine-readable JSON archive file alongside the encrypted one. Defaults to false.
          -gp, --grouppolicy : Marks whether to attempt to scan for GPO conflicts at remediation time. Remediation mode only.
          -h/-?, --help      : Displays this help info.

   Usage Examples:
          ConfigOS_CLI.exe -sc legacy -m scan -l "MyUserName" -p "MyPassword" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc2" -pf "MyPolicy.cxp" "MyTargetIPAddress"
          ConfigOS_CLI.exe -sc legacy -l "MyUserName" -p "MyPassword" -pc "C:\My\Policy\Container\Location\Rollback.zip" -pf "MyPolicyToRollback.exml" "MyTargetIPAddress"
          ConfigOS_CLI.exe -sq legacy -l "MyUserName" -p "MyPassword" -r "C:\My\Report\Directory" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc2" -pf "MyPolicy.cxp" -xc true true "MyTargetHostname"
          ConfigOS_CLI.exe -creds "AppUser:Password" legacy -l "MyUserName" -p "MyPassword" -m remediate -gp true -R "C:\My\Rollback\Storage\Location" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc2" -pf "MyPolicy.cxp" -xc true "MyTargetHostname"

Ver. 2.8.3

Code Block
ConfigOS CLI v2.8.3.0
Copyright (c) 2021 SteelCloud LLC

ConfigOS Command Line Interface Help:

    Required Parameters:
        Login User Name (-l, --login): The user name to use when connecting to the targeted system.
        Login User Password (-p, --password): The password to use when connecting to the targeted system.
        Policy Container Location (-pc, --policycontainer): The location of the policy container (.csc) to use when processing against the targeted system.
        Policy File (-pf, --policyfile): The ConfigOS policy (.cxp) inside of the specified container to use for scan or remediation.

    Optional Parameters:
        Force Job Mode (-m, --mode): Sets the operation mode to either 'scan' or 'remediate' for the selected policy file. System will default to scan if invalid value or no mode is provided.
        Port (-P, --port): Connection port to connect to on the targeted system.
        Sudo User Name (-sl, --sulogin): An elevated user to use when executing commands on the targeted system. Linux only.
        Sudo Password (-sp, --supasswd): The password to use when elevating to a sudo-credentialed user on the targeted system. Linux only.
        Application User Name (-al, --applogin): The application user name to use when connecting to an application on the targeted system.
        Application User Password (-ap, --apppasswd): The application password to use when connecting to an application on the targeted system.
        Database Name (-db, --database): The name of the database to target on the targeted system.
        Report Location (-r, --report): Sets the root folder location for scan or remediation reports. HTML report is generated by default.
        Unencrypted JSON Report (-u, --unencryptedReport): Stores an unencrypted version of our machine-readable JSON archive file alongside the encrypted one. Defaults to false.
        Generate XCCDF Report (-xc, --xccdfreport): Stores an unencrypted version of our machine-readable JSON archive file alongside the encrypted one. Defaults to false.
        Process Logs (-lg, --logs): Generates process logs and stores them at the specified location.
        Rollback Storage Location (-R, --rollbackdir): Specifies the location where rollback policy will be saved. Defaults to the application install directory if not specified.
        Scan for GPO Conflicts (-gp, --grouppolicy): Marks whether or not to attempt to scan for GPO conflicts at remediation time. Remediation mode only.
        Scan for GPO Conflicts (-h/-?, --help): Displays this help info.

    Usage Examples:
        ConfigOS_CLI.exe -l "MyUserName" -p "MyPassword" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc" -pf "MyPolicy.cxp" "MyTargetIPAddress"
        ConfigOS_CLI.exe -l "MyUserName" -p "MyPassword" -r "C:\My\Report\Directory" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc" -pf "MyPolicy.cxp" -xc true -u true "MyTargetHostname"
        ConfigOS_CLI.exe -l "MyUserName" -p "MyPassword" -m remediate -gp true -R "C:\My\Rollback\Storage\Location" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc" -pf "MyPolicy.cxp" -xc true "MyTargetHostname"

Running a Remediation

When running a remediation, you must set the mode to "remediate" and specify a rollback directory so ConfigOS can store the necessary rollback files.

Code Block
ConfigOS_CLI.exe -m remediate ..... -R "C:\Temp\Rollback\<HostName>" .....

Performing a Rollback

To perform a rollback, set the CLI mode to "remediate", then give the full path of the rollback zip file that you would like to roll back to as the Policy Container value, and the file name of the eXML file contained within that zip file as the Policy File value.

Code Block
ConfigOS_CLI.exe -m remediate ...... -pc "C:\ConfigOS\Command Center\Rollback Container\EndpointName\Windows-10-Domain.zip" -pf "MS_Win_10_v1803up_V1R23_STIG_Domain_9-21-2020-16-09-01.exml" .....

Hidden flags

The debug flag

--DEBUG is a helpful hidden flag that may provide additional useful information not normally available during CLI scans.

CLI Key-based authentication with Linux systems

You will need to generate a .pem or .ppk key file (.ppk version 2, not version 3) and add the -k flag preceding the quoted location of your key:
-k "C:\Users\<username>\.ssh\id_rsa.pem"
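
Added example (not vendor code): a preflight check for the key file requirement above. It reads the header line of the key file, rejects a PuTTY .ppk that is not version 2, and returns the -k argument pair; the function name is hypothetical, and which PEM key types the CLI accepts is not stated on this page, so any PEM private key header is allowed through.

```powershell
# Added example, not vendor code. The function name is hypothetical.
function Get-ConfigOSKeyArgument {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $KeyPath)

    $resolved = (Resolve-Path -LiteralPath $KeyPath -ErrorAction Stop).ProviderPath

    # The first non-blank line identifies the container format.
    $first = Get-Content -LiteralPath $resolved -TotalCount 5 |
        Where-Object { $_.Trim() } |
        Select-Object -First 1

    if ($first -match '^PuTTY-User-Key-File-(\d+):\s*(\S+)') {
        # PuTTY key files state their format version in the header line.
        $version = [int]$Matches[1]
        if ($version -ne 2) {
            throw "PPK version $version found in $resolved; re-save the key as PPK version 2."
        }
        Write-Verbose "PPK version 2 key, algorithm $($Matches[2])"
    }
    elseif ($first -match '^-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----\s*$') {
        Write-Verbose "PEM private key: $first"
    }
    else {
        throw "$resolved is neither a PEM private key nor a PuTTY .ppk file."
    }

    # Flag followed by the key location; PowerShell quotes the path when it
    # is splatted onto the ConfigOS_CLI.exe command line.
    return @('-k', $resolved)
}
```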