1.5 Command Line Utilities

The command line utilities included with Sentinel are useful for managing and configuring many lower level functions of the system.

1.5.1 Managing the Sentinel Services

The rcsentinel utility is used to manage the Sentinel services and to configure many lower level functions of the system. The utility is located at /usr/sbin/rcsentinel.

The utility has the following options to manage the Sentinel services:

rcsentinel -start: Starts the Sentinel service.

rcsentinel -stop: Stops the Sentinel service.

rcsentinel -status: Displays the status of the Sentinel service.

rcsentinel -restart: Restarts the Sentinel service.

rcsentinel -try-restart: Restarts the Sentinel service only if it is currently running.

rcsentinel -force-reload: Forces the Sentinel service to reload the Sentinel configuration.

rcsentinel -startdb: Starts the PostgreSQL database.

rcsentinel -stopdb: Stops the PostgreSQL database.

rcsentinel -version: Displays the version of the Sentinel service.

rcsentinel -p, --priority=<integer>: Specifies the process priority.

rcsentinel -h, --help: Displays all options for the rcsentinel utility.

rcsentinel -l, --log-file=FILE: Sends log messages to a file.

rcsentinel -q, --quiet: Displays fewer messages.

rcsentinel -v, --verbose: Displays more messages.

rcsentinel -startSIdb: Starts the Security Intelligence database.

rcsentinel -stopSIdb: Stops the Security Intelligence database.

1.5.2 Sentinel Scripts

Sentinel provides operational scripts that are appropriate for use during normal operations. These scripts are located in the following directories:

  • /opt/novell/sentinel/bin

  • /opt/novell/sentinel/setup

For most scripts that require arguments, running the scripts without arguments provides details about how to use the arguments.

Table 1-3 Operational Scripts in /opt/novell/sentinel/bin

backup_util.sh: Use this script to back up and restore Sentinel event data and configuration data. For more information, see Section A.0, Backing Up and Restoring Data.

db.sh: Allows you to manage the PostgreSQL database without Sentinel running. For more information, see Section 1.5.7, Managing the Internal Database.

clean_db.sh: Allows you to clean up data from the PostgreSQL database without Sentinel running. For more information, see Section 1.5.8, Cleaning Up the Internal Database.

softwarekey.sh: Use this script to add and view a license key through the command line. For more information, see License Information in the NetIQ Sentinel 7.0.1 Installation and Configuration Guide.

event_assoc_data.sh: Use this script to import or export the event association data. For more information, see Section 1.5.6, Importing or Exporting Event Association Data.

server.sh: Use this script to manually manage the Sentinel server. For more information, see Section 1.5.9, Managing the Sentinel Server.

report_dev_setup.sh: Use this utility to set up the report development environment. For more information, see Section 1.5.3, Running the Report Development Utility.

updateServerLocale.sh: Changes the language of the Sentinel server process. The Sentinel server messages that are displayed on the user interface appear in the language selected by this script. If the appliance language is changed through WebYaST, use this script to change the language of the Sentinel server process to match.

versionreader.sh: Displays the version of the .jar files for Sentinel. For more information, see Section 1.5.4, Getting the .jar Version Information.

Table 1-4 Operational Scripts in /opt/novell/sentinel/setup

configure.sh: Run this utility on each remote Correlation Engine or Collector Manager if you change the hostname of the Sentinel server. For more information, see Section 1.5.5, Changing the Hostname of a Sentinel Server.

ldap_auth_config.sh: Helps you configure Sentinel to authenticate users against LDAP. For more information, see Section 3.0, Configuring LDAP Authentication.

ssl_certs: Helps with the certificate signing process to configure an SSL connection to the Sentinel server. For more information, see Section 4.3.7, Using CA Signed Certificates.

1.5.3 Running the Report Development Utility

You can use the /opt/novell/sentinel/bin/report_dev_setup.sh utility to set up the report development environment. This utility does the following:

  • Opens the PostgreSQL database port so that other systems can connect to the database.

  • Updates the firewall to allow connection on the PostgreSQL database port.

  • Modifies the database configuration files (postgresql.conf and pg_hba.conf) so that other applications can connect to the database. The database configuration files are located in /var/opt/novell/sentinel/3rdparty/postgresql/data.

  • Changes the rptuser password, if necessary, and saves it in an encoded format in the obj-component.JasperReportingComponent.properties file. This password can also be changed in the database.

  • Collects the required Sentinel jar files, xml files, and the keystore file for report development and creates a tar file, sentineljarsforireport.tar, in the /opt/novell/sentinel/bin directory.

To run this utility:

  1. Log in as the novell user.

  2. Change to the following directory:

    cd /opt/novell/sentinel/bin/
    
  3. Run the following command:

    ./report_dev_setup.sh
    

    A warning message is displayed, indicating that the Sentinel server will be restarted after the script is executed.

  4. To continue running the script, press 1.

  5. Specify the root password when prompted.

    The script opens the database port, updates the firewall configuration files, and modifies the configuration files and database files.

  6. When you are prompted to change the rptuser password, either continue without changing it, or specify a new password for rptuser and confirm it.

    The rptuser password is randomly generated during the installation of Sentinel. It is a recommended practice to change it here: the script has just made the database reachable from other systems, so this password now protects a network-accessible account.

    The Sentinel server restarts.

For help on the script's options, use the following command:

./report_dev_setup.sh -h 
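Because report_dev_setup.sh opens the PostgreSQL port through the firewall and rewrites pg_hba.conf so that other systems can reach the database, it is worth checking afterwards that the access rules it left behind are no wider than the report development host needs. The audit script below is an added example and is not part of Sentinel or of this guide; it assumes only the standard pg_hba.conf record layout (TYPE DATABASE USER ADDRESS METHOD) and flags network rules that use the trust or password methods, that accept any source address, or that disable TLS (hostnossl). The sample rules it writes for its demo run are constructed for illustration, not taken from a real installation.

```shell
#!/bin/sh
# Added example, not part of Sentinel: flag overly permissive network rules in a
# pg_hba.conf. Assumes the standard layout TYPE DATABASE USER ADDRESS METHOD.

# audit_pg_hba FILE
# Prints one "RISK ..." line per risky network rule. Returns 0 if no risky
# rule was found, 1 otherwise (so it can gate a deployment step).
audit_pg_hba() {
    hba_file="$1"
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                  # drop trailing comments
        set -- $line                        # split the record into fields
        if [ "$#" -eq 0 ]; then continue; fi   # blank or comment-only line
        type="$1"
        case "$type" in
            local) continue ;;              # Unix-socket rules carry no network exposure
            host|hostssl|hostnossl) ;;
            *) continue ;;                  # other record types are left for manual review
        esac
        [ "$#" -ge 5 ] || continue
        db="$2"; user="$3"; addr="$4"; method="$5"
        reason=""
        case "$method" in
            trust)    reason="no authentication (trust)" ;;
            password) reason="cleartext password on the wire" ;;
        esac
        case "$addr" in
            0.0.0.0/0|::/0|0.0.0.0|::) reason="${reason:+$reason; }open to any source address" ;;
        esac
        if [ "$type" = hostnossl ]; then
            reason="${reason:+$reason; }TLS explicitly disabled"
        fi
        if [ -n "$reason" ]; then
            printf 'RISK %s %s %s %s %s: %s\n' "$type" "$db" "$user" "$addr" "$method" "$reason"
            found=1
        fi
    done < "$hba_file"
    return "$found"
}

# write_sample_hba FILE: constructed sample rules (not from a real Sentinel
# install) mixing acceptable and risky entries, for demonstration.
write_sample_hba() {
    cat > "$1" <<'EOF'
# TYPE    DATABASE  USER     ADDRESS          METHOD
local     all       all                       peer
hostssl   SIEM      rptuser  10.0.5.7/32      md5
host      SIEM      rptuser  0.0.0.0/0        md5
host      all       all      192.168.1.0/24   trust
hostnossl SIEM      rptuser  10.0.5.0/24      md5
EOF
}

# Demo run: expect three RISK lines (any-address, trust, hostnossl).
tmp=$(mktemp)
write_sample_hba "$tmp"
audit_pg_hba "$tmp" || echo "tighten the rules above before exposing the port"
rm -f "$tmp"
```

Run it against /var/opt/novell/sentinel/3rdparty/postgresql/data/pg_hba.conf once the script has finished; a rule for rptuser limited to the report development host's address with an md5 method passes, while anything broader is printed for review.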

1.5.4 Getting the .jar Version Information

You can gather version information for Sentinel .jar files for troubleshooting purposes:

  1. Log in to the Sentinel server as a user in the administrator role.

  2. Go to the /opt/novell/sentinel/bin directory.

  3. At the command line, run ./versionreader.sh <path/jar file name>.

    Running the script without any arguments gives the version of the installed Sentinel server. For more information on the arguments that can be used, run the script with the --help option.

1.5.5 Changing the Hostname of a Sentinel Server

If the hostname of the Sentinel server changes, you must update any remote Correlation Engines or Collector Managers to point to the updated hostname. To do this, you run the configure.sh script on each remote machine.

The configure.sh script is located in /opt/novell/sentinel/setup. Run this script on each remote machine to update the hostname and IP address of the Sentinel server in the remote machine’s configuration files.

The configure.sh file also allows you to change the password of the appuser. The appuser is an internal Sentinel identity that is used to establish a connection and interact with the PostgreSQL database.

1.5.6 Importing or Exporting Event Association Data

Sentinel provides the event_assoc_data.sh script, located in the /opt/novell/sentinel/bin directory, which allows you to export event association data from the database to the file system and to import previously exported event association data from the file system back into the database.

There are two types of event association data:

Incident events: There is a record in the database for every event that is associated with an incident, including what partition the event came from. When a partition is deleted, all incident events records for the partition are exported to a file on the file system, and the records are then deleted from the database. The file name is incidents_events.json.

Correlated events: There is a record in the database for every trigger event that is associated with a correlated event. The record also indicates what partition the correlated event belongs to. When a partition is deleted, all correlated event records for the partition are exported to a file on the file system, and the records are then deleted from the database. The file name is correlated_events.json.

When you export event association data, it is saved to files in the following default directory structure: /var/opt/novell/sentinel/data/eventdata/exported_associations/<partition name>/*.json

When a partition is restored from backup, the system automatically attempts to import the event association records for the partition. The .json files must be restored to the correct directory structure before the partition is restored. If these files are not restored, the partition is restored without them: the event association records are not imported and are not available for that partition.
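Because the automatic import on restore silently skips any partition whose .json files are absent, it is worth verifying the exported_associations tree before restoring partitions from backup. The check below is an added example, not part of Sentinel or of this guide; it assumes only the directory layout and file names described above, and the partition directories it creates for its demo run are constructed (their names do not reflect any real Sentinel naming scheme).

```shell
#!/bin/sh
# Added example, not part of Sentinel: verify that every partition directory under
# the exported_associations tree holds both event association files before a
# restore, so the automatic import has data to work with.

# check_assoc_exports BASE_DIR
# Prints "MISSING <partition>/<file>" for each absent file and
# "EMPTY <partition>/<file>" for zero-length files, then a summary line.
# Returns 0 when every partition directory is complete, 1 otherwise.
check_assoc_exports() {
    base="$1"
    problems=0
    partitions=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue            # no partition directories at all
        partitions=$((partitions + 1))
        part=$(basename "$dir")
        for f in incidents_events.json correlated_events.json; do
            if [ ! -f "$dir$f" ]; then
                printf 'MISSING %s/%s\n' "$part" "$f"
                problems=$((problems + 1))
            elif [ ! -s "$dir$f" ]; then
                printf 'EMPTY %s/%s\n' "$part" "$f"
                problems=$((problems + 1))
            fi
        done
    done
    printf 'checked %s partition(s), %s problem(s)\n' "$partitions" "$problems"
    if [ "$problems" -eq 0 ]; then return 0; fi
    return 1
}

# Demo run on a constructed tree (not a real Sentinel data directory): one
# complete partition and one that lost its correlated_events.json.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/partA" "$demo_root/partB"
echo '[]' > "$demo_root/partA/incidents_events.json"
echo '[]' > "$demo_root/partA/correlated_events.json"
echo '[]' > "$demo_root/partB/incidents_events.json"
check_assoc_exports "$demo_root" || echo "restore the missing files before importing"
rm -rf "$demo_root"
```

On a live system, point it at /var/opt/novell/sentinel/data/eventdata/exported_associations after the backup has been unpacked and before the partitions themselves are restored; a non-zero exit means at least one partition would come back without its association records.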

You can use the following options with the event_assoc_data.sh script:

-i, --import: Imports event association data. This option works only on partitions that are currently in the restored state, but have not yet imported the event association data.

-x, --export: Exports event association data. This option works only on partitions that are currently in the deleted state, but have not exported their event association data.

-d, --days=<integer>: Selects the partitions from the last <integer> days.

-s, --startdate=<date>: Specifies the start of a date range; used with --enddate to select the partitions in that range.

-e, --enddate=<date>: Specifies the end of a date range; used with --startdate to select the partitions in that range.

--date=<date>: The utility selects the partitions with the specified date. You can use this option multiple times to select multiple dates.

-u, --user=<user name>: Specify the name of a user with administrative privileges on the Sentinel server.

-p, --password=<user password>: Specify the password of the administrative user. Note that a password passed on the command line is visible to other local users in the process list and is saved in the shell history.

--host=<host name>: Specify the host name or IP address of the Sentinel server.

--port=<port>: Specify the port number for communication with the Sentinel server. If this option isn’t specified, the default port of 8443 (HTTPS) or 8000 (HTTP) is used.

--https: If this option is used, the utility communicates over HTTPS.

--http: If this option is used, the utility communicates over HTTP, which sends the administrative user's credentials unencrypted.

-h, --help: Displays the help options.

-l, --log-file=FILE: Logs messages from the utility to the specified file.

--no-banner: Suppresses banner messages.

-q, --quiet: Displays fewer messages.

-v, --verbose: Displays more messages.

1.5.7 Managing the Internal Database

Sentinel provides a db.sh script that allows you to manage the internal database. You can use this script if you need to start the database without starting Sentinel so you can perform maintenance tasks. You can also use this script to run SQL commands against the internal database.

The script db.sh is located in the /opt/novell/sentinel/bin directory. The script has commands and options. You must be logged in as the user that installed Sentinel for the script to work. The command must come first, followed by the option.

For example: ./db.sh status --log-file=sentinel_status.txt

This command writes the status of the internal database to the log file named sentinel_status.txt.

Commands

You can use the following commands with the db.sh script.

start: Starts the internal database without starting the Sentinel server.

stop: Stops the internal database.

force_stop: Forces the database to stop when the Sentinel service is still running.

status: Displays the status of the internal database.

sql <db name> <user name> <sql statement>: Allows you to send SQL commands to the internal database.

restart: Restarts the internal database.

force_restart: Forces the database to restart when the Sentinel service is still running.

try-restart: Tries to restart the internal database.

reload: Reloads the internal database.

force-reload: Forces a reload of the database.

Options

You can use the following options with the db.sh script. The options must start with a - or -- to be executed.

-w, --wait=<seconds>: Allows you to specify the amount of time to wait for the database to start or stop.

-h, --help: Displays help information for the script.

-l, --log-file=FILE: Logs messages to the specified file name.

--no-banner: Suppresses banner messages.

-q, --quiet: Displays fewer messages.

-v, --verbose: Displays more messages.

1.5.8 Cleaning Up the Internal Database

Sentinel provides a clean_db.sh script that allows you to clean up unwanted or unusable data from the Sentinel database. You can delete data such as incidents, identities, assets, Advisor data, and vulnerabilities individually. You can run this script even without Sentinel running. For example, an improperly configured correlation rule might create hundreds of unwanted incidents in the database. Or, an error might occur when someone attempts to delete the IdentityAccountMap.csv file, leaving the identity information in an unusable state. In such a situation, you can use this script to remove the unusable identity information.

The script clean_db.sh is located in the /opt/novell/sentinel/bin directory.

WARNING: Because this script is designed to delete information from your database, use it carefully and only after you understand the implications.

Prerequisites

  • Ensure that you have permission to run the script. Only the user who installed Sentinel has permission to run this script.

  • Ensure that the database is started and is running.

Using the clean_db.sh Script

  1. From a terminal, log in to the Sentinel server with the credentials that were used to install Sentinel.

    This script cannot be run by the root user.

  2. Go to <install_directory>/bin, then specify clean_db.sh to run the script.

    The following menu is displayed:

    Which objects would you like to cleanup?
    (1) Incidents
    (2) Identities
    (3) Assets
    (4) Advisor
    (5) Vulnerabilities
    (6) Incidents and Identities
    (7) All
    (q) Quit without action
    
  3. At the prompt, indicate which objects you want to remove from the database.

  4. Specify the following information to connect to the PostgreSQL database:

    Database server hostname (Press ENTER for default localhost)=>
    Database name (Press ENTER for default SIEM) => 
    Database username (press ENTER for default dbauser) =>
    

    The database connection is verified before proceeding to the next step. If the connection was not successful, the script exits.

  5. (Conditional) If you select 1 to delete Incidents data, several options are displayed. Select one of the options and specify the required information:

    • Delete Incidents By Query: Specify a custom SELECT query. For example:

      select inc_id from incidents where inc_id=500
      

      Ensure that the SELECT statement does not include quotation marks. The script deletes every incident whose inc_id the query returns, so a query with no WHERE clause would delete all incidents.

    • Delete Incidents By Id: Specify the ID of the Incident that you want to delete. For example:

      101
      
    • Quit without action: Specify q to exit from the script.

  6. You are prompted to confirm data cleanup. Specify start to start the data cleanup or specify abort to quit without performing the data cleanup.

    The results of the data cleanup are written to the log file. Review the log file for any errors and retry if necessary.

    If Identities data is being cleaned up, the script cleans up the Identities information from the database tables, and deletes the Identity Account Map file (identityAccountMap.csv).

    NOTE: If you have a distributed Sentinel install, you might need to manually connect to the main Sentinel server to delete the identityAccountMap.csv file.
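The "Delete Incidents By Query" option removes every incident whose inc_id the supplied SELECT returns, and the prompt gives no second chance, so it is worth checking a hand-written query before pasting it in. The guard below is an added example, not part of Sentinel or of this guide. It deliberately accepts only the shape the guide shows, select inc_id from incidents where <condition>, and enforces the no-quotation-marks rule stated above; it also rejects statement separators and SQL comments, and a query with no WHERE clause, because that would match every incident. The queries in its demo run are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Sentinel: check a custom SELECT before pasting it into
# clean_db.sh's "Delete Incidents By Query" prompt. clean_db.sh deletes every
# incident whose inc_id the query returns, so a query without a WHERE clause would
# remove all incidents. Assumption: only the shape the guide shows is accepted,
# i.e. "select inc_id from incidents where <condition>", with no quotation marks.

# validate_incident_query QUERY
# Prints "OK: <normalised query>" and returns 0, or "REJECT: <reason>" and returns 1.
validate_incident_query() {
    q="$1"
    # Structural checks on the raw text first.
    case "$q" in
        *\'*|*\"*)  echo "REJECT: quotation marks are not allowed by clean_db.sh"; return 1 ;;
        *\;*)       echo "REJECT: a single statement only, no ';'"; return 1 ;;
        *--*|*/\**) echo "REJECT: SQL comments are not allowed"; return 1 ;;
    esac
    # Lower-case and collapse whitespace so the shape check is not fooled by layout.
    norm=$(printf '%s' "$q" | tr '[:upper:]' '[:lower:]' | tr -s '[:space:]' ' ')
    norm="${norm# }"
    norm="${norm% }"
    case "$norm" in
        "select inc_id from incidents where "*)
            ;;
        "select inc_id from incidents")
            echo "REJECT: no WHERE clause; this would delete every incident"
            return 1 ;;
        *)
            echo "REJECT: expected: select inc_id from incidents where <condition>"
            return 1 ;;
    esac
    echo "OK: $norm"
    return 0
}

# Demo: the guide's own example passes; a bare table scan and a quoted value do not.
validate_incident_query "select inc_id from incidents where inc_id=500"
validate_incident_query "select inc_id from incidents" || true
validate_incident_query "select inc_id from incidents where inc_id='500'" || true
```

The check is intentionally strict: a query written as a join or subquery is rejected even if it would be harmless, which is the right default for input that drives an irreversible delete.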

1.5.9 Managing the Sentinel Server

You can use the server.sh script to manually manage the Sentinel server. This script is located in the default directory of /opt/novell/sentinel/bin. The script has commands and options. The command must come first, followed by the option.

Commands

You can use the following commands with the server.sh script:

start: Starts the Sentinel server.

stop: Stops the Sentinel server.

status: Displays the status of the Sentinel server.

restart: Restarts the Sentinel server.

try-restart: Tries to restart the Sentinel server.

force-reload: Forces a reload of the Sentinel server.

startdb: Starts the internal Sentinel database.

stopdb: Stops the internal Sentinel database.

force_stopdb: Forces the internal database to stop.

version: Displays the version of the Sentinel server.

Options

You can use the following options with the server.sh script:

-p, --priority=<integer>: Specifies the process priority for the Sentinel server.

-h, --help: Displays the help options.

-l, --log-file=FILE: Logs messages to a file you specify.

--no-banner: Suppresses banner messages.

-q, --quiet: Displays fewer messages.

-v, --verbose: Displays more messages.

1.5.10 Configuring Memory for the Sentinel Server

Sentinel provides a setmemory.sh script that allows you to change the default memory settings for the Sentinel server. The setmemory.sh script is located in the /etc/opt/novell/sentinel/bin directory.

To make changes to the default memory settings, you must create a setmemory.properties file. The default location for this file is /etc/opt/novell/sentinel/config/setmemory.properties.

You can set the following configuration parameters in the setmemory.properties file:

  • JAVA_MEM_SERVER: The maximum heap memory (Xmx in MB) allocated to the process.

  • JAVA_MEM_PERMGEN: The maximum permanent generation memory (in MB) allocated to the process.

  • JAVA_MEM_BROKER: The maximum amount of memory allocated for the message bus broker. This affects how many connections the message bus broker can accept.

  • BROKER_MAX_CON: The maximum number of connections the message bus broker can accept.

  • CORRELATION_INPUT_BUFFER_MAX_SIZE: The memory allocated to hold the Correlation events. By default, 10% of the memory is allocated to hold the Correlation events.

When the server starts, the memory settings in the setmemory.properties file override the default settings.