I personally believe OpenJDK approach for all systems is the best way forward, they support almost all architectures and OS, Z390 included. Yet to confirm what to do for AIX but need to solution something for this stat.
Also yes, more network types are good but this was something I was just testing with to start with and will cover probably high 90% of network shared drives.
I’m a bit cautious about the ‘mount’ command working across all platforms, and only showing things currently mounted, where automount (or, apparently, CIFS shares) might only be mounted on-demand when the scanner tries to access them.
This may be a problem indeed but not sure what's the “wisest of them all” move here? Linux is so non-standard that it's hilarious. This approach may be still the best, I presume on the vast majority of servers things are static mounted, I could be wrong.
Any way to identify these problematic automounts apart from the non-standard mount files?
items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems
Seems like you can get the full list of possible filesystems with cat /proc/filesystems
Hmm, dang! Didn't even think to check if this was possible. Haven't slept much since Saturday, doesn't help.
That's neat!
9.2+ besclient, which is good, I would use it for that, but may need to revert back to script for lesser versions.
Looks like there may be different options that go back to 8.0+ very interesting! (type of)
Sorry everyone, been busy with Patch Tuesday tasks.
A manager that I work with wrote these PowerShell scripts that do the Method 2 on Windows.
It has been tested by running manually on 10 servers. It has not been tested via deployment of BigFix. I have the fixlets created, just waiting for the clearance to go.
The script provides an output. You can also create a reg key if you want to keep track of which ones you updated.
if (not windows of operating system) then (names of drives whose (type of it != "DRIVE_FIXED")) else (names of drives whose (type of it = "DRIVE_FIXED"))
Tested on OEL, RHEL, AIX, Windows, SuSE and CentOS
This will nicely form the basis of the filesystem exclusions for NIX and drives to include in Windows, goes down to 8.x.
Well, there are 2 different things: you have to include drives on Windows that are fixed, but on Linux you can’t use the drives command, you have to run against a path, so you would run against / but then you need to exclude paths that are mount points that you don’t want it to run on.
Basically 2 completely different approaches on Windows vs Linux.
Yeah, sorry, I should have been more specific but that’s exactly what I mean. This relevance will form the file for exclusion on nix and the drive list on Windows to run scans on.
You’ll need to exclude macOS. Testing (type of it, name of it) of drives on my Big Sur system right now, everything is DRIVE_FIXED. The local NVMe storage, an external USB drive, an SMB mount…
(In fact, this is why I tend away from One Fixlet To Rule Them All. It’s tempting as heck, but sometimes the variations are too unwieldy to manage.)
To generate the exclude parameter for the log4j2-scan command on Linux, something like:
("--exclude " & it) of concatenations " --exclude " of unique values whose(it does not contain " ") of (it;"/mnt";"/dev";"/cdrom") of items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems
This would go inside of:
run sh -c 'cd /tmp && ./log4j2-scan {_HERE_} / > "{parameter "ListFile"}"'
It is still possible some network shares are NOT excluded, but much more are excluded than before.
Example output:
Q: ("--exclude " & it) of concatenations " --exclude " of unique values whose(it does not contain " ") of (it;"/mnt";"/dev";"/cdrom") of items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems
A: --exclude /cdrom --exclude /dev --exclude /mnt --exclude /proc --exclude /sys --exclude /sys/fs/cgroup/devices
Full command:
run sh -c 'cd /tmp && ./log4j2-scan {("--exclude " & it) of concatenations " --exclude " of unique values whose(it does not contain " ") of (it;"/mnt";"/dev";"/cdrom") of items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems} / > "{parameter "ListFile"}"'
The tasks have also been updated to use 1.6.3 of the utility.
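A script-side equivalent of the exclusion relevance above, for clients where the filesystem inspectors are not available (an added example, not part of the original posts or of the BigFix tasks). It reads a table in `/proc/mounts` format; the function names, the sample table, and the extra `nfs4` and `autofs` types are assumptions added here, and mount points containing characters that are unsafe inside the `sh -c '...'` wrapper are skipped rather than quoted.

```shell
#!/bin/sh
# Added example: build log4j2-scan --exclude arguments from a mounts table
# in /proc/mounts format: device mountpoint fstype options dump pass.

# Types from the relevance in the thread, plus nfs4 and autofs (assumption:
# added here to cover NFSv4 and on-demand automount trigger points).
SKIP_TYPES="cgroup cgroup2 cifs nfs nfs4 autofs sysfs proc cpuset"
# Static paths the relevance always excludes.
STATIC_PATHS="/mnt /dev /cdrom"

build_excludes() {
    mounts_file=${1:-/proc/mounts}
    {
        for p in $STATIC_PATHS; do printf '%s\n' "$p"; done
        while read -r _dev mp fstype _rest; do
            # Keep only mounts whose type is in SKIP_TYPES.
            case " $SKIP_TYPES " in
                *" $fstype "*) ;;
                *) continue ;;
            esac
            # Skip anything that is not a plain absolute path. /proc/mounts
            # encodes a space as \040, and quotes, $ or ; in a path would
            # break out of the single-quoted sh -c '...' wrapper.
            case "$mp" in
                /*) ;;
                *) continue ;;
            esac
            case "$mp" in
                *[!A-Za-z0-9/._-]*) continue ;;
            esac
            printf '%s\n' "$mp"
        done < "$mounts_file"
    } | LC_ALL=C sort -u | sed 's/^/--exclude /' | paste -s -d ' ' -
}

# Constructed sample table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid 0 0
sysfs /sys sysfs rw 0 0
/dev/sda1 / ext4 rw 0 0
filer01:/export /data/nfs nfs4 rw 0 0
//fs01/share /srv/team\040share cifs rw 0 0
/etc/auto.misc /misc autofs rw 0 0
cgroup /sys/fs/cgroup/devices cgroup rw 0 0
/dev/sdb1 /opt/app xfs rw 0 0
EOF
}
```

Called with no argument, `build_excludes` reads `/proc/mounts`. A skipped mount point is still scanned, so hosts with such paths need a separate look.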
I think I made fixes after figuring things out manually. Not sure that I ran it through BigFix after making those changes. Let me go back to it. I’m also wondering what the upper limit in characters for a bash command is.
@jgstew appreciate your efforts … planning on a mass scan, didn’t envisage the nix scan wouldn’t work when executed by BigFix. All my checks would indicate no issues but something isn’t right.