The Cmd web app terminal helps you quickly explore the data Cmd collects from your servers. It appears throughout the web app to help you explore and understand your data.
This guide describes the terminal, its features, and how to configure it.
Terminal components
You’ll find the Cmd terminal on the Sources, Alerts, and Reports tabs. In this example, the terminal displays a simple session that consists of a login. See below to learn more about each numbered component:
1. The search bar at the top enables plain-text search of currently-loaded data. The process tree expands to show results in context, enabling speedy investigations.
2. The details button toggles display of the details pane, which provides additional information about whichever command or session is selected (if any). In this example, the ‘pwd’ command is selected:
3. The data appears under the search bar. In general terms, it includes session and execution activity (more details below).
4. Data export. In the bottom-right, click the downward arrow icon to open the data export menu (Note: the maximum number of rows for a download is 500,000, and the default is 50,000):
5. Toggle fullscreen mode by clicking the outward-arrows icon in the bottom right.
6. The settings button (the gear in the bottom-right) opens the terminal settings menu:
Terminal settings
On the terminal settings menu, you can customize the command template, and (on Cmd Control) decide whether to show or hide Bash built-in commands.
The settings window includes a terminal where you can preview your changes:
The command template controls which data appears to describe each command. You can choose one of the predefined templates, or create a custom template by adding or removing properties. The available properties are as follows:
cmd_date
: The calendar date of command execution (MM/DD/YY).
cmd_exec_path
: The executed program's full path. For built-ins, the command’s name.
cmd_line
: Exactly what was executed by the shell.
cmd_parameters
: The command switches and arguments.
cmd_root
: The executable’s basename.
cmd_time
: The time of day when the execution occurred (HH:MM:SS).
cmd_working_directory
: The directory from which the command executed.
server_id
: The server's Cmd ID (SVR-[32-bit hexadecimal ID])
session_id
: The session's Cmd ID (SES-[32-bit hexadecimal ID])
session_login_user
: The Linux user who initially logged in to the server (not the auth user).
Data collected
Expect the terminal to display:
SSH sessions, their descendant processes, and commands those processes execute
For those commands: stdout, parameters, and stderr, and the above command template properties
Do not expect the terminal to display:
Non-SSH sessions such as SFTP or local sessions, unless specifically configured
Display artifacts such as SSH banners
Display Features
Collapsed scripts
Scripts (i.e. shell startup) collapse into expandable buttons like this:
Highlighted events
The terminal calls attention to certain security-related events:
Privilege escalation
In this example, the sudo command caused an exec user change to root:
User authentication (2FA)
In this example, the user was prompted to authenticate on session connect, and successfully used 2FA:
The username on the left was used when starting the session. The other username is the one associated with the user's authenticated Cmd account.
Output / Outputs
Click the output button next to a command to show the command’s output:
If a command has children with multiple outputs, the button will say 'outputs', and expand to show all of the outputs.
User Summaries
When you hover over a username in the terminal, extra details appear to describe that user. You can follow the links in a user summary to see related data.
Known issues
Terminal search only works on loaded data.
Data is loaded into the terminal 1500 commands at a time, and to load more, you have to scroll to the end of the loaded data.