Log4j CVE-2021-44228 Detection and Mitigation

Seems like maybe some other types could be excluded as well:

mount -l | grep 'type cgroup\|type proc\|type cifs\|type nfs' | sed 's/.* on \([^ ]*\) .*/\1/'

I don’t know enough about this to know what all types there are and which ones make the most sense to exclude.

I was also curious to do something similar to this, but wasn’t entirely sure how to go about it.

I personally believe the OpenJDK approach for all systems is the best way forward; they support almost all architectures and OSes, Z390 included. Yet to confirm what to do for AIX, but I need to solution something for this stat.

Also yes, more network types are good, but this was something I was just testing with to start with, and it will probably cover the high 90% of network shared drives.

From AIX 7.1 TL4, you could use Adoptium’s JRE at https://adoptium.net/releases.html?variant=openjdk11

I’m a bit cautious about the ‘mount’ command working across all platforms, and only showing things currently mounted, where automount (or, apparently, CIFS shares) might only be mounted on demand when the scanner tries to access them.

This may be a problem indeed, but not sure what’s the “wisest of them all” move here. Linux is so non-standard that it’s hilarious. This approach may still be the best; I presume on the vast majority of servers things are statically mounted, but I could be wrong.

Any way to identify these problematic automounts apart from the non-standard mount files?

I feel like there must be a generic bash script out there that can do this to exclude remote and other mounts that are not real filesystems.

Seems like you can do this in pure relevance since 9.2 client on *nix:

(mount points of it, filesystem types of it, types of it) of filesystems

Ones to exclude:

items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems

Seems like you can get the full list of possible filesystems with cat /proc/filesystems

Hmm, dang! Didn’t even think to check if this was possible. Haven’t slept much since Saturday, which doesn’t help.
That’s neat!

9.2+ BESClient, which is good; I would use it for that, but may need to revert back to a script for lesser versions.
Looks like there may be different options that go back to 8.0+, very interesting! (type of)

Sorry everyone, been busy with Patch Tuesday tasks.
A manager that I work with wrote these PowerShell scripts that do Method 2 on Windows.

It has been tested by running manually on 10 servers. It has not been tested via deployment of BigFix. I have the fixlets created, just waiting for the clearance to go.

The script provides an output. You can also create a reg key if you want to keep track of which ones you updated.

if (not windows of operating system) then (names of drives whose (type of it != "DRIVE_FIXED")) else (names of drives whose (type of it = "DRIVE_FIXED"))

Tested on OEL, RHEL, AIX, Windows, SuSE and CentOS.
This will nicely form the basis of the filesystem exclusions for NIX and the drives to include on Windows; goes down to 8.x.

Well, there are 2 different things: you have to include drives on Windows that are fixed, but on Linux you can’t use the drives command; you have to run against a path, so you would run against /, but then you need to exclude paths that are mount points that you don’t want it to run on.

Basically 2 completely different approaches on Windows vs Linux.

Yeah, sorry, I should have been more specific, but that’s exactly what I mean. This relevance will form the file for exclusion on nix and the drive list on Windows to run scans on.

You’ll need to exclude macOS. Testing (type of it, name of it) of drives on my Big Sur system right now, everything is DRIVE_FIXED. The local NVMe storage, an external USB drive, an SMB mount…

(In fact, this is why I tend away from One Fixlet To Rule Them All. It’s tempting as heck, but sometimes the variations are too unwieldy to manage.)

Yeah, I wouldn’t do them all together.

To generate the exclude parameter for the log4j2-scan command on Linux, something like:

("--exclude " & it) of concatenations " --exclude " of unique values whose(it does not contain " ") of (it;"/mnt";"/dev";"/cdrom") of items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems

This would go inside of:

run sh -c 'cd /tmp && ./log4j2-scan {_HERE_} / > "{parameter "ListFile"}"'

I updated the task here to exclude these: bigfix-content/fixlet/Logpresso log4j2-scan - Linux x64.bes at main · jgstew/bigfix-content · GitHub

It is still possible some network shares are NOT excluded, but much more are excluded than before.

Example output:

Q: ("--exclude " & it) of concatenations " --exclude " of unique values whose(it does not contain " ") of (it;"/mnt";"/dev";"/cdrom") of items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems
A: --exclude /cdrom --exclude /dev --exclude /mnt --exclude /proc --exclude /sys --exclude /sys/fs/cgroup/devices

Full command:

run sh -c 'cd /tmp && ./log4j2-scan {("--exclude " & it) of concatenations " --exclude " of unique values whose(it does not contain " ") of (it;"/mnt";"/dev";"/cdrom") of items 0 of (mount points of it, filesystem types of it, types of it) whose(item 2 of it != "DRIVE_FIXED" OR item 1 of it is contained by set of ("cgroup";"cifs";"nfs";"cgroup2";"sysfs";"proc";"cpuset")) of filesystems} / > "{parameter "ListFile"}"'

The tasks have also been updated to use 1.6.3 of the utility.
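
The generic shell version of the exclusion logic asked for earlier in the thread, and of the relevance expression that builds the --exclude list above, as an added example that is not code from the thread or from jgstew's bigfix-content tasks. It reads /proc/mounts-format input (a constructed sample is embedded), skips pseudo and network filesystem types (the thread's set plus nfs4, an assumption), always excludes /mnt, /dev and /cdrom, and drops mount points containing an encoded space, matching the relevance's "does not contain space" filter:

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# A space in a mount point is encoded as \040 in /proc/mounts (last line).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
fileserver:/export/home /home nfs4 rw,vers=4.2 0 0
//fileserver/share /srv/share cifs rw,vers=3.0 0 0
//fileserver/my\040share /srv/my\040share cifs rw,vers=3.0 0 0'

# Pseudo and network filesystem types to skip: the thread's set plus nfs4 (assumption).
EXCLUDE_TYPES='cgroup cgroup2 cpuset proc sysfs cifs nfs nfs4'
# Paths always excluded, as in the thread's relevance expression.
ALWAYS_EXCLUDE='/mnt /dev /cdrom'

# build_excludes MOUNTS_TEXT
# Prints one line of "--exclude <path>" arguments: mount points whose type is in
# EXCLUDE_TYPES, plus ALWAYS_EXCLUDE, de-duplicated and sorted. Mount points that
# contain an encoded space are skipped because the task builds the command line
# unquoted, which is why the relevance filters out paths containing a space.
build_excludes() {
    printf '%s\n' "$1" | awk -v types="$EXCLUDE_TYPES" -v always="$ALWAYS_EXCLUDE" '
        BEGIN {
            n = split(types, t, " ");  for (i = 1; i <= n; i++) skip[t[i]] = 1
            m = split(always, a, " "); for (i = 1; i <= m; i++) out[a[i]] = 1
        }
        # $2 = mount point, $3 = filesystem type
        ($3 in skip) && index($2, "\\040") == 0 { out[$2] = 1 }
        END { for (p in out) print p }
    ' | LC_ALL=C sort | sed 's/^/--exclude /' | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration on the constructed sample; on a live host use:
#   build_excludes "$(cat /proc/mounts)"
build_excludes "$SAMPLE_MOUNTS"
echo
```

Like the relevance above, this only sees what is mounted at the moment it runs, so on-demand automounts that are not yet mounted will not appear in the list.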

I get a FAILED exit code 0 with the Linux Task? Any ideas?

If I run the binary manually it works and writes the results file out.

When running through an action, the results are not written.

@jgstew did this execute on your lab server? Everything looks good when run locally but not when executed via BigFix…

I think I made fixes after figuring things out manually. Not sure that I ran it through BigFix after making those changes. Let me go back to it. I’m also wondering what the upper limit in characters for a bash command is.

I was making changes after midnight, bad on me.

@jgstew appreciate your efforts … planning on a mass scan, didn’t envisage the nix scan wouldn’t work when executed by BigFix. All my checks would indicate no issues but something isn’t right.

Just be careful, I think I’m excluding network shares sufficiently on linux, but hard to be sure.

Yup, just need a working script to start my QA.