Managing Per-Agent CLI Password

Article ID: 286625


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to enable or disable the use of per-Agent CLI Passwords.

Environment

  • App Control Agents: All Supported Versions
  • App Control Console: All Supported Versions

Resolution

Warning: Carbon Black now recommends using the options in Agent Management instead, as per-Agent CLI Passwords are low entropy.

Enable/Disable per-Agent CLI Password:

These settings must be changed while the Agent is connected to the Console, or prior to Agent installation.

  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  2. Add a filter for Value > begins with > accept_cli
  3. Edit (pencil icon) the relevant Agent Config and set the value accordingly:
    • Accept per-Agent CLI Password:
      accept_cli_password=1
    • Do not accept per-Agent CLI Password:
      accept_cli_password=0

Enable/Disable Showing the per-Agent CLI Password:

  1. Log in to the Console and navigate to https://ServerAddress/shepherd_config.php
  2. Find the defined property "ShowDascliPasswordInConsole".
  3. Set the Property Value accordingly:
    • Show the per-Agent Password in Console:
      true
    • Hide the per-Agent Password in Console:
      false

Obtaining the per-Agent CLI Password:

If the Agent is still shown in Assets > Computers:

  1. Log in to the Console and navigate to Assets > Computers > relevant Computer > Carbon Black App Control Agent tab.
  2. Click the "Click to Show" hyperlink to reveal the CLI Password of the Agent.

If the Agent has already been deleted from Assets > Computers:

  1. Run SQL Server Management Studio as the Carbon Black Service Account
  2. Connect to the App Control Database and execute the following query:
    USE das;
    SELECT host_id, hostname, cli_code FROM dbo.hostmain WITH (NOLOCK) WHERE hostname LIKE '%HOSTNAMEHERE%';

Additional Information

  • Existing Agents must be in a Connected state to receive the necessary changes.
  • This feature was disabled by default beginning with the release of both Server and Agent version 8.1.4.
  • If the Agent has been deleted from the das database, there will be no way to recover the Local CLI password.