ConfigOS Classic CLI


Help Text from CLI

For version 2.8.5+ the CLI has two operating modes: "auto" and "legacy". Below is the basic help topic included with the CLI, followed by the separate "auto" and "legacy" help topics.

 

Ver. 2.8.5+

ConfigOS CLI v2.8.5.0
Copyright (c) 2022 SteelCloud, LLC

Required Parameters:
  Application Security Credentials (-sc, -sq, -creds)
    -sc    : Credentials are prompted, and password is hidden.
    -sq    : Credentials need to be entered as username and then password (not hidden). This uses the standard input.
    -creds : Credentials are included in the arguments with a colon separating the username and password. Example: "username:password".

  Type [auto][legacy]
    auto   : Pulls information from the database.
    legacy : Uses the legacy CLI arguments.

Need more help?
  --help auto   : Prints the auto help
  --help legacy : Prints the legacy help

 

Ver. 2.8.5+ - Auto

ConfigOS CLI v2.8.5.0
Copyright (c) 2022 SteelCloud, LLC

Required Parameters:
  Application Security Credentials (-sc, -sq, -creds)
    -sc    : Credentials are prompted, and password is hidden.
    -sq    : Credentials need to be entered as username and then password (not hidden). This uses the standard input.
    -creds : Credentials are included in the arguments with a colon separating the username and password. Example: "username:password".

  Type [auto][legacy]
    auto   : Pulls information from the database.
    legacy : Uses the legacy CLI arguments.

Required Parameters for Auto:
  -c, --credmode [e][g:path]
      Specifies what element to pull data from for the credentials and the policy container with defaults.
      [e]      : Uses the information for the target [-t] endpoint.
      [g:path] : Uses the group information based on the path provided. Use \ between folder levels (see examples for more details).
  -t, --target     : The target endpoint IP address or hostname to run.
  -p, --policyfile : The ConfigOS policy (.cxp) or rollback file (.exml) to use for scan or remediation.

Required For Auto rollback:
  --mode remediate     : Mode must be set at remediate.
  --rollbackpolicyfile : Include the full path and filename to the rollback zip file.

Optional Parameters for Auto:
  The parameters below are overrides, they will replace what has been saved in the database for preferences and policy defaults.
  --policycontainer  : Overrides the policy container path.
  --mode             : Overrides the default mode, set to either 'scan' or 'remediate'.
  --rollbackpath     : Overrides the location where rollback policy will be stored.
  --reportpath       : Overrides the location where reports are stored.
  --processlog       : Overrides the location for where the process log are stored.
  --keyexchange      : Overrides the SSH Key Exchange algorithms and is a comma separated list. Contact Support for detailed list.
  --encryptioncipher : Overrides the SSH Encryption Cipher algorithms and is a comma separated list. Contact Support for detailed list.
  --gpo              : Overrides the GPO scan for conflicts (true/false).
  --xccdf            : Overrides the XCCDF report generation (true/false).

Usage Examples:
  ConfigOS_CLI.exe -sc auto -c e -t "MyTargetIPAddress" -p "MyPolicy.cxp"
  ConfigOS_CLI.exe -sc auto -c e -t "MyTargetIPAddress" -p "MyPolicy2.cxp" --policycontainer "C:\MyPolicyContainer2.csc2"
  ConfigOS_CLI.exe -sc auto -c e -t "MyTargetIPAddress" -p "MyPolicyToRollback.exml" --mode "remediate" -rollbackpolicyfile "C:\My\Policy\Container\Location\Rollback.zip"
  ConfigOS_CLI.exe -sq auto -c "g:TopGroup\LinuxBox" -t "MyTargetIPAddress" -p "MyLinuxPolicy.cxp" --keyexchange "SSH_KEX_RSA2048_SHA256" --xccdf true
  ConfigOS_CLI.exe -creds "AppUser:Password" -t "MyTargetIPAddress" -p "MyPolicy.cxp" --mode remediate --gpo true --rollbackpath "C:\My\Rollback\Storage\Location"

NOTE: When you select the target endpoint with the "credmode" parameter ("--credmode e"), you need to use the "HostName/IP" field in the Command Center GUI and NOT the "Endpoint Name".

 

Ver. 2.8.5+ - Legacy

ConfigOS CLI v2.8.5.0
Copyright (c) 2022 SteelCloud, LLC

Required Parameters:
  Application Security Credentials (-sc, -sq, -creds)
    -sc    : Credentials are prompted, and password is hidden.
    -sq    : Credentials need to be entered as username and then password (not hidden). This uses the standard input.
    -creds : Credentials are included in the arguments with a colon separating the username and password. Example: "username:password".

  Type [auto][legacy]
    auto   : Pulls information from the database.
    legacy : Uses the legacy CLI arguments.

Required Parameters for Legacy:
  -l, --login            : The username to use when connecting to the targeted system.
  -p, --password         : The password to use when connecting to the targeted system.
  -pc, --policycontainer : The location of the policy container (.csc2) or rollback container (.zip) to use when processing against the targeted system.
  -pf, --policyfile      : The ConfigOS policy (.cxp) or rollback file (.exml) inside of the specified container to use for scan or remediation.
  [address][address:port] : The last parameters will be the targeted host IP address or hostname with optional port number.

Optional Parameters for Legacy:
  -m, --mode         : Sets the operation mode to either 'scan' or 'remediate' for the selected policy file. System will default to scan if invalid value or no mode is provided.
  -R, --rollbackdir  : Specifies the location where rollback policy will be saved. Defaults to the application install directory if not specified.
  -P, --port         : Connection port to connect to on the targeted system. This can also be included at the end of the arguments with the IP address as address:port.
  -sl, --sulogin     : Sudo login, an elevated user to use when executing commands on the targeted system. Linux only.
  -sp, --supasswd    : Sudo password to use when elevating to a sudo-credentialed user on the targeted system. Linux only.
  -al, --applogin    : The application username to use when connecting to an application on the targeted system.
  -ap, --apppasswd   : The application password to use when connecting to an application on the targeted system.
  -K, --kex          : Set the key exchange algorithm(s) to use in SSH handshake.
  -E, --enc          : Set the data encryption cipher algorithm(s) to use in SSH handshake.
  -db, --database    : Set the database name.
  -dbp, --dbport     : Set the database port.
  -dbi, --dbinstance : Set the instance name for the database.
  -r, --report       : Sets the root folder location for scan or remediation reports. HTML report is generated by default.
  -lg, --logs        : Generates process logs and stores them at the specified location.
  -xc, --xccdfreport : Stores an unencrypted version of our machine-readable JSON archive file alongside the encrypted one. Defaults to false.
  -gp, --grouppolicy : Marks whether to attempt to scan for GPO conflicts at remediation time. Remediation mode only.
  -h/-?, --help      : Displays this help info.

Usage Examples:
  ConfigOS_CLI.exe -sc legacy -m scan -l "MyUserName" -p "MyPassword" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc2" -pf "MyPolicy.cxp" "MyTargetIPAddress"
  ConfigOS_CLI.exe -sc legacy -l "MyUserName" -p "MyPassword" -pc "C:\My\Policy\Container\Location\Rollback.zip" -pf "MyPolicyToRollback.exml" "MyTargetIPAddress"
  ConfigOS_CLI.exe -sq legacy -l "MyUserName" -p "MyPassword" -r "C:\My\Report\Directory" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc2" -pf "MyPolicy.cxp" -xc true true "MyTargetHostname"
  ConfigOS_CLI.exe -creds "AppUser:Password" legacy -l "MyUserName" -p "MyPassword" -m remediate -gp true -R "C:\My\Rollback\Storage\Location" -pc "C:\My\Policy\Container\Location\MyPolicyContainer.csc2" -pf "MyPolicy.cxp" -xc true "MyTargetHostname"
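Added example, not part of the SteelCloud help text: a Python check for reviewing scripts and scheduled-task definitions that call ConfigOS_CLI.exe. It reports which flags from the help topics above carry a password in the process arguments and returns the command line with those values redacted. The function names, the "<redacted>" marker and the sample command lines are constructed for this example.

```python
import re

# Secret-bearing flags, taken from the help text above. Flags are case-sensitive:
# "-P" is the port; "-p" is the target password (legacy) or the policy file (auto).
ALWAYS_SECRET = {"-creds", "--password", "-sp", "--supasswd", "-ap", "--apppasswd"}
POLICY_SUFFIXES = (".cxp", ".exml")
TOKEN = re.compile(r'"[^"]*"|\S+')  # double-quoted value or bare word

# Constructed sample command lines (placeholder hosts, users and passwords).
SAMPLES = [
    r'ConfigOS_CLI.exe -sc auto -c e -t "10.0.0.5" -p "MyPolicy.cxp"',
    r'ConfigOS_CLI.exe -creds "AppUser:Password" legacy -l "svc" -p "TargetPw" '
    r'-P 2222 -pc "C:\Containers\Base.csc2" -pf "MyPolicy.cxp" "host1"',
    r'ConfigOS_CLI.exe -sq legacy -l "svc" -p "TargetPw" -sl "root" -sp "RootPw" '
    r'-pc "C:\Containers\Base.csc2" -pf "MyPolicy.cxp" "host2"',
    r'ConfigOS_CLI.exe -creds "AppUser:Password" -t "host3" -p "MyPolicy.cxp"',
]


def secret_positions(tokens):
    """Return the indexes of tokens that hold a secret value."""
    mode = next((t for t in tokens if t in ("auto", "legacy")), None)
    hits = []
    for i in range(len(tokens) - 1):
        flag, value = tokens[i], tokens[i + 1].strip('"')
        if flag == "-p":
            # With no mode token, fall back to the policy-file extension.
            is_policy = mode == "auto" or (
                mode is None and value.lower().endswith(POLICY_SUFFIXES))
            if not is_policy:
                hits.append(i + 1)
        elif flag in ALWAYS_SECRET:
            hits.append(i + 1)
    return hits


def audit(line):
    """Return (flags that carry a secret, command line with secrets redacted)."""
    tokens = TOKEN.findall(line)
    if not any(t.strip('"').lower().endswith("configos_cli.exe") for t in tokens):
        return [], line
    hits = secret_positions(tokens)
    flags = [tokens[i - 1] for i in hits]
    redacted = ['"<redacted>"' if i in hits else t for i, t in enumerate(tokens)]
    return flags, " ".join(redacted)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

An empty flag list means no password is passed as an argument, which is the case for the -sc and -sq forms in auto mode.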

 

 

 

Ver. 2.8.3

 

 

Running a Remediation

When running a remediation, you must set the mode to "remediate" and set a rollback directory so ConfigOS can store the necessary rollback files.

You can do this with the following switch and syntax

 

Performing a Rollback

To perform a rollback, set the CLI mode to "remediate", supply the full path of the rollback zip file that you would like to roll back to as the Policy Container value, and supply the file name of the eXML file contained within the zip file as the Policy File value.

Example:

 

Hidden flags

The debug flag

--DEBUG is a helpful hidden flag that may provide additional useful information not normally available during CLI scans.

CLI Key-based authentication with Linux systems

You will need to generate a .pem or .ppk key (version 2, not version 3) and add the -k flag followed by the quoted location of your key:
-k "C:\Users\<username>\.ssh\id_rsa.pem"
