CLI Reference

Last modified on August 28, 2023

This article provides an overview of the command line interface (CLI) utility. It covers how to test the client’s configuration and explains some commonly used CLI commands. Although it doesn’t comprehensively cover each command available, it gives you a general idea of the flexibility and power available at your fingertips from the CLI.

Client Configuration Confirmation

As a reminder, to verify the client is working, type the following:

sdm --version

This should output something similar to the following:

sdm version 38.84.0 (99a5d1a71d4eccaf171449e33bc0826132b05165 #503)

If the output is not like this, you should revisit the installation guide for whichever operating system your local machine uses (Linux, macOS, or Windows) for details on installation and setup.

Login and Logout

Example:

$ sdm login
e-mail: letmein@strongdm.com
Please complete logging in at: https://app.strongdm.com/auth/XXXXXXXXXX
authentication successful
$ sdm logout

If your organization uses SSO, you are redirected to complete authentication via the web. The CLI will attempt to open the provided URL in your browser, or you can visit the URL directly.

Lock and Unlock the Client

If you have MFA enabled in your organization, you can manually lock and unlock the client from the CLI.

Example:

$ sdm lock
locked
$ sdm unlock
awaiting confirmation...
unlocked

When in awaiting confirmation... state you will receive an MFA push to complete the unlock process.

Check the Status of Datasources and Servers

Example:

$ sdm status
     DATASOURCE NAME           STATUS            PORT      TYPE
     ! mysql 5.6.39            not connected     13311     mysql
     !jsonb-test               not connected     15438     aurora-postgres
     Cache01                   not connected     16379     redis
     CacheM01                  not connected     21211     memcached
     Inventory DB (Heroku)     not connected     15434     postgres
     Marketing DB RW           not connected     15435     postgres
     MySQL 5.6                 not connected     13310     mysql
     Pricing DB RO             not connected     13306     mysql
     Users Profile DB RO       not connected     15436     postgres

     SERVER                    STATUS            PORT      TYPE
     RDP prod server           not connected     13389     rdp
     prod01 sudo               not connected     62609     ssh
     prod02                    not connected     62524     ssh

Connect/disconnect

Example:

$ sdm connect Marketing
connect successful
$ sdm status
     DATASOURCE NAME           STATUS            PORT      TYPE
     ! mysql 5.6.39            not connected     13311     mysql
     !jsonb-test               not connected     15438     aurora-postgres
     Cache01                   not connected     16379     redis
     CacheM01                  not connected     21211     memcached
     Inventory DB (Heroku)     not connected     15434     postgres
     Marketing DB RW           connected         15435     postgres
     MySQL 5.6                 not connected     13310     mysql
     Pricing DB RO             not connected     13306     mysql
     Users Profile DB RO       not connected     15436     postgres

     SERVER                    STATUS            PORT      TYPE
     RDP prod server           not connected     13389     rdp
     prod01 sudo               not connected     62609     ssh
     prod02                    not connected     62524     ssh
$ psql -h localhost -p 15435 -c 'select 42;'
?column?
----------
     42
(1 row)
$ sdm disconnect Marketing
disconnect successful

Connect to SSH

As described in the SSH connection guide there are several ways to connect to SSH servers. The easiest way is to use the sdm ssh aliases. Using this method it is not necessary to run sdm connect before opening the SSH connection.

Example:

$ alias|grep sdm
scp='scp -S'\''/usr/local/bin/sdm'\'' -osdmSCP'
ssh='/usr/local/bin/sdm ssh wrapped-run'
$ ssh prod02
Last login: Wed Mar 13 14:23:01 2019 from ip-xx-xx-xx-xx.us-west-2.compute.internal

     __|  __|_  )
     _|  (     /   Amazon Linux 2 AMI
     ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ops@ip-xx-xx-xx-xx ~]$ exit
logout
Connection to 127.0.0.1 closed.

Export User Activity Logs

In order to export user activity logs, run the following command with the start date for the logs you’re retrieving:

sdm audit activities --from YYYY-MM-DD

Example:

sdm audit activities --from 2023-04-26

Date/Time format

Our system can parse dates in a wide variety of formats. Examples of some accepted formats include the following:

  • 2023-04-26 22:43:00 UTC
  • 2023/04/26
  • 26 April 2023 22:43

An error message is returned if you are not using a valid format: Could not find format and will need to structure your date in a different way.

Output format

By default, the results of the command are in CSV format. If you want to change the output to JSON, you may add the -j flag.

Example:

sdm audit activities -j --from 2023-04-26

The default output is stdout; however, if you want the output to go to a file, you may use the -o flag. When using the -o flag, note that the flag must be the last flag invoked, followed by the name of the file you wish to create. Run the command from the directory where you want the file saved.

Example:

sdm audit activities --from 2023-04-26 -o example_logs_file.txt

The sdm Directory

By default, logs are written to ~/.sdm/sdm.log for both clients and relays.

There are also several authentication-related files in this directory. The *.key files serve as the private keys, which authenticate you and your machine..

Additional Information

You can find resources and information about the following StrongDM topics in this section: