Introduction
Software packages included with the installation of JS7 products can be enabled and disabled by use of the Package Management Script.
- Disabling software packages can be an immediate means for mitigation of vulnerabilities in 3rd-party components used by JS7.
- The JS7 products ship with a JS7 - Software Bill of Materials that can be used to identify vulnerable components and package dependencies.
- For environments with a larger number of JS7 products installed, the management of software packages can be automated in a number of ways:
  - Users can apply the Software Package Management Script that is described in this article.
  - Users can apply the Software Package Management Script with their preferred tools such as Ansible®, Puppet®, Chef®.
Security
Secure rollout of JS7 products is critical. It is therefore recommended that the solution described here is adjusted to suit specific security needs.
- Rollout of JS7 products is considered critical as the software allows jobs to be executed on a larger number of servers.
- Vulnerabilities in 3rd-party components of JS7 products deserve attention.
- The solution provided for software package management is based on shell scripting by design:
  - to provide readability and to rely on OS commands only,
  - to deny the use of 3rd-party components and additional dependencies that require code to be executed.
- The Software Package Management Script can be integrated in a number of ways:
  - by running the script directly on the related server,
  - by running one's own SSH scripts for use with remote servers,
  - by use with tools such as Ansible®, Puppet® that make use of an SSH Client,
  - by use of JS7 workflow automation.
Software Package Management Script
The Software Package Management Script is provided for download and can be used with JS7 Agents, Controller and JOC Cockpit.
- The script is available for Linux, MacOS®, AIX® and Solaris® using bash, dash, ksh and zsh POSIX-compatible shells.
- The script can be used to
  - disable software packages, i.e. to remove related files, such as *.jar files, from the JS7 product,
  - enable software packages, i.e. to restore related files from a backup directory,
  - identify package dependencies if software packages are disabled.
- The script terminates with exit code 0 to signal success, with exit code 1 for command line argument errors and with other exit codes for non-recoverable errors.
- The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.
- Users should be aware that installation, update and upgrade of JS7 products revert disabled software packages.
Prerequisites
The Software Package Management Script requires the jq utility from the operating system, see https://stedolan.github.io/jq.
Version 1.6 of jq ships with the MIT license, see https://opensource.org/licenses/MIT.
Download
Find the Software Package Management Script for download from JS7 - Download.
Usage
Invoking the Software Package Management Script without arguments displays the usage clause:
Usage: js7_set_feature.sh [Options] [Switches]

  Options:
    --home=<directory>                  | required: directory to which the JS7 product is installed
    --features=<path>                   | optional: path to features.json file, default: <home>/features.json
    --sbom=<path>                       | optional: path to sbom.json file, default: <home>/sbom.json
    --enable=<package[,package]>        | optional: enables one or more software packages
    --disable=<package[,package]>       | optional: disables one or more software packages
    --backup-dir=<directory>            | optional: backup directory for disabled software packages
    --log-dir=<directory>               | optional: log directory for log output of the script

  Switches:
    -h | --help                         | displays usage
    --list                              | returns the list of disabled/enabled software packages
    --show-logs                         | shows log output of the script
    --make-dirs                         | creates the backup and logs directories if they do not exist
    --force                             | forces disabling packages without option for later enabling from a backup directory
    --confirm                           | confirms enabling or disabling of software packages
Options
--home
- Specifies the directory in which the JS7 product is installed.
--features
- Specifies the path to a file in .json format that stores information about enabled and disabled software packages. By default the <home>/features.json file is used.
- The file does not exist by default but is automatically created when enabling and disabling packages.
--sbom
- Specifies the path to a file that holds the JS7 - Software Bill of Materials. The file ships with the respective JS7 products.
- For Controller and Agents the <home>/sbom.json file is used. For JOC Cockpit the JETTY_BASE/webapps/joc/sbom.json file is used.
--enable
- Specifies software packages that should be enabled. A number of software packages can be specified separated by comma.
- As a prerequisite, when disabling software packages
  - the information is stored in the features.json file. This information is later on used to enable software packages,
  - the backup directory has to be specified, see --backup-dir option, that is used as the source when enabling software packages.
- If a software package is not available from the backup directory then the software package cannot be enabled. Instead, the JS7 product has to be re-installed.
--disable
- Specifies software packages that should be disabled. A number of software packages can be specified separated by comma.
- The files related to a software package such as *.jar files will be removed from the JS7 product installation.
- To allow later enabling, a backup directory is specified with the --backup-dir option. Users who do not want to use a backup directory can apply the --force switch.
--backup-dir
- If a backup directory is specified when disabling software packages then the related files such as *.jar files are moved to this directory.
- The backup directory holds a lib sub-folder with related sub-folders of the JS7 product's lib directory such as lib/sos, lib/3rd-party etc.
--log-dir
- If a log directory is specified then the Software Package Management Script will write information about processing steps to a log file in this directory.
- File names are created according to the pattern:
js7_features.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
js7_features.centostest_primary.2022-03-19T20-50-45.log
Switches
-h | --help
- Displays usage.
--list
- Returns the list of software packages that have been disabled or enabled. This information is taken from the features.json file, see --features option.
--show-logs
- Displays the log output created by the script if the --log-dir option is used.
--make-dirs
- If directories that are indicated with the --backup-dir or --log-dir options are missing then they will be created.
--force
- Specifies that a software package is disabled, i.e. its files are removed from the JS7 product installation, without use of a backup directory. Packages disabled this way cannot later be enabled from a backup directory.
--confirm
- Specifies that the operation to enable or to disable a software package is confirmed. If this switch is omitted then a dry-run is performed that displays which software packages are affected by enabling or disabling.
Exit Codes
0: success
1: argument errors
2: non-recoverable errors
Examples
The following examples illustrate typical use cases. Examples are provided for use with Agents; they can similarly be used for Controller and JOC Cockpit instances, the only difference being the location of the home directory of the JS7 product.
Disable Software Packages (dry-run)
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backup \
    --disable=simple-xml,snakeyaml \
    --make-dirs

# displays candidate files for removal if the simple-xml and snakeyaml software packages are disabled in an Agent installation
# performs a dry-run without effective removal of files as the --confirm switch is not specified
Output of the above example can look like this:
-- begin of log --------------
./js7_set_feature.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --disable=simple-xml,snakeyaml --make-dirs
-- begin of output -----------
.. checking to disable package: simple-xml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/simple-xml-2.7.1.jar
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
....... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-cli@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-hibernate@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-mail@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-vfs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. checking to disable package: snakeyaml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/snakeyaml-2.0.jar
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
-- end of log ----------------
Explanation:
- The output suggests package dependencies. Consider that examples strictly depend on specific releases of JS7.
- The simple-xml package is used by the KeePassJava2-simple package and respectively the KeePassJava2 package.
  - Further in the hierarchy users find the sos-commons-credentialstore package. The package implements the feature of the JS7 - Credential Store.
  - This translates to the fact that with removal of the simple-xml package a credential store can no longer be used in JS7.
- The snakeyaml package is used by the sos-js7-loganonymizer package.
  - The latter package implements the JS7 - Log Anonymization feature.
  - With snakeyaml being removed the log anonymization feature can no longer be used in JS7.
- If users find vulnerabilities in 3rd-party components for which no immediate fixes are available then they can take the decision to disable related software packages and not to use affected JS7 features.
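The dependency chain that the log reports can be derived from the SBOM by walking its dependency graph in reverse: start at the component to be disabled and collect every component that depends on it, directly or transitively. The following Python code is an added example and not part of the JS7 script; it assumes the CycloneDX layout (a "components" list with "bom-ref" entries and a "dependencies" list of "ref"/"dependsOn" pairs) and runs on a constructed SBOM fragment that only mirrors the simple-xml and snakeyaml chains shown above. The function names are the example's own.

```python
"""Reverse-dependency walk over a CycloneDX-style SBOM (added example, not the
JS7 script). Assumes a "components" list with "bom-ref" entries and a
"dependencies" list of {"ref": ..., "dependsOn": [...]} entries."""
import json
from collections import defaultdict

# Constructed SBOM fragment mirroring the chains in the log; not a real JS7 sbom.json
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.simpleframework", "name": "simple-xml", "version": "2.7.1",
         "bom-ref": "pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar"},
        {"group": "org.linguafranca.pwdb", "name": "KeePassJava2-simple", "version": "2.1.4",
         "bom-ref": "pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar"},
        {"group": "org.linguafranca.pwdb", "name": "KeePassJava2", "version": "2.1.4",
         "bom-ref": "pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar"},
        {"group": "com.sos-berlin", "name": "sos-commons-credentialstore", "version": "2.5.4-SNAPSHOT",
         "bom-ref": "pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar"},
        {"group": "org.yaml", "name": "snakeyaml", "version": "2.0",
         "bom-ref": "pkg:maven/org.yaml/snakeyaml@2.0?type=jar"},
        {"group": "com.sos-berlin", "name": "sos-js7-loganonymizer", "version": "2.5.4-SNAPSHOT",
         "bom-ref": "pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar",
         "dependsOn": ["pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar"]},
        {"ref": "pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar",
         "dependsOn": ["pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar"]},
        {"ref": "pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar",
         "dependsOn": ["pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar"]},
        {"ref": "pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar",
         "dependsOn": ["pkg:maven/org.yaml/snakeyaml@2.0?type=jar"]},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON into (ref -> component, ref -> set of refs that depend on it)."""
    doc = json.loads(text)
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    reverse = defaultdict(set)
    for entry in doc.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            reverse[dep].add(entry["ref"])
    return components, reverse


def find_refs(components, name):
    """All bom-refs whose component name matches (a package may ship in several versions)."""
    return [ref for ref, c in components.items() if c.get("name") == name]


def affected_by_disabling(components, reverse, name):
    """Depth-first walk up the reverse dependency graph; returns [(depth, ref), ...]
    with depth 1 for direct dependants. Each ref is reported once, which also
    protects against cycles in a malformed SBOM."""
    result, seen = [], set()

    def walk(ref, depth):
        for parent in sorted(reverse.get(ref, ())):
            if parent not in seen:
                seen.add(parent)
                result.append((depth, parent))
                walk(parent, depth + 1)

    for ref in find_refs(components, name):
        walk(ref, 1)
    return result


def affected_names(components, reverse, name):
    """Same walk reported by component name, i.e. the features that would be lost."""
    return [components[r]["name"] for _, r in affected_by_disabling(components, reverse, name)]


if __name__ == "__main__":
    comps, rev = load_sbom(SAMPLE_SBOM)
    for pkg in ("simple-xml", "snakeyaml"):
        print(f".. checking to disable package: {pkg}")
        for depth, ref in affected_by_disabling(comps, rev, pkg):
            print(f"{'.' * (depth + 5)} recursing affected component reference: {ref}")
```

Unlike the script's log, which repeats a component such as agent-sos-sbom under each path that reaches it, this walk reports each affected component once; for deciding which JS7 features a disabled package takes with it, the set of names is what matters.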
Disable Software Packages (permanently)
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backup \
    --disable=simple-xml,snakeyaml \
    --make-dirs \
    --confirm

# removes the simple-xml and snakeyaml software packages from an Agent installation
# creates the backup directory if it does not exist
# copies files of disabled packages to the backup directory
# confirms removal of disabled packages
Output of the above example can look like this:
-- begin of log --------------
./js7_set_feature.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --disable=simple-xml,snakeyaml --make-dirs --confirm
-- begin of output -----------
.. checking to disable package: simple-xml
.... creating copies of component files in backup directory: /home/sos/backup
./lib/3rd-party/simple-xml-2.7.1.jar
.... removing component files: /home/sos/agent/lib/*/simple-xml*2.7.1.jar
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
....... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-cli@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-hibernate@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-mail@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-vfs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. package disabled: simple-xml
.. checking to disable package: snakeyaml
.... creating copies of component files in backup directory: /home/sos/backup
./lib/3rd-party/snakeyaml-2.0.jar
.... removing component files: /home/sos/agent/lib/*/snakeyaml*2.0.jar
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. package disabled: snakeyaml
Enable Software Packages
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backup \
    --enable=simple-xml,snakeyaml \
    --confirm

# restores the simple-xml and snakeyaml software packages in an Agent installation
# copies files of disabled packages from the backup directory
Output of the above example can look like this:
-- begin of log --------------
./js7_set_feature.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --enable=simple-xml,snakeyaml --confirm
-- begin of output -----------
.. checking to enable package: simple-xml
.... restoring component files from backup directory: /home/sos/backup
./lib/3rd-party/simple-xml-2.7.1.jar
.... removing component files from backup directory: /home/sos/backup/lib/*/simple-xml*2.7.1.jar
.. package enabled: simple-xml
.. checking to enable package: snakeyaml
.... restoring component files from backup directory: /home/sos/backup
./lib/3rd-party/snakeyaml-2.0.jar
.... removing component files from backup directory: /home/sos/backup/lib/*/snakeyaml*2.0.jar
.. package enabled: snakeyaml
-- end of log ----------------
List Software Packages
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --list

# displays the list of enabled or disabled software packages from an Agent installation
Output of the above example is available if software packages have previously been disabled and can look like this:
{
  "group": "org.simpleframework",
  "name": "simple-xml",
  "version": "2.7.1",
  "enabled": false
}
{
  "group": "org.yaml",
  "name": "snakeyaml",
  "version": "2.0",
  "enabled": false
}
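The examples above rely on a small amount of bookkeeping: a dry-run unless the operation is confirmed, jar files moved into a backup directory that mirrors the lib/<sub-folder> layout, a features.json that records group, name, version and enabled state for --list, a forced removal without backup, and the refusal to enable a package whose files are not in the backup directory. The following Python code is an added example that reproduces this bookkeeping on a constructed throw-away installation; it is not the JS7 script itself, and the component table, the placeholder jar files and the function names are assumptions of the example.

```python
"""Disable/enable/list bookkeeping modelled on js7_set_feature.sh (added example,
not the JS7 script). Operates on a constructed throw-away installation."""
import json
import shutil
import tempfile
from pathlib import Path

# Constructed component table standing in for the sbom.json lookup (assumption)
COMPONENTS = {
    "simple-xml": {"group": "org.simpleframework", "name": "simple-xml", "version": "2.7.1"},
    "snakeyaml": {"group": "org.yaml", "name": "snakeyaml", "version": "2.0"},
}


def make_sample_install(root):
    """Create a throw-away Agent-like home with placeholder jars (constructed)."""
    home = Path(root) / "agent"
    for rel in ("lib/3rd-party/simple-xml-2.7.1.jar",
                "lib/3rd-party/snakeyaml-2.0.jar",
                "lib/sos/sos-commons-cli-2.5.4-SNAPSHOT.jar"):
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_bytes(b"PK\x03\x04 placeholder, not a real jar")
    return home


def component_files(base, name, version):
    """Files matching the script's removal pattern lib/*/<name>*<version>.jar under base."""
    return sorted((Path(base) / "lib").glob(f"*/{name}*{version}.jar"))


def load_features(home):
    """features.json does not exist until a package has been enabled or disabled."""
    f = Path(home) / "features.json"
    return json.loads(f.read_text()) if f.exists() else []


def save_features(home, entries):
    (Path(home) / "features.json").write_text(json.dumps(entries, indent=2))


def record(entries, comp, enabled):
    """Replace any earlier entry for this package with its new state."""
    return [e for e in entries if e["name"] != comp["name"]] + [{**comp, "enabled": enabled}]


def disable(home, names, backup_dir=None, confirm=False, force=False):
    """Dry-run unless confirm=True. Returns {package: [files that are affected]}."""
    if confirm and backup_dir is None and not force:
        raise ValueError("a backup directory is required unless force is set (--force)")
    features, affected = load_features(home), {}
    for name in names:
        comp = COMPONENTS[name]
        files = component_files(home, comp["name"], comp["version"])
        affected[name] = [str(f.relative_to(home)) for f in files]
        if not confirm:
            continue
        for f in files:
            if backup_dir is None:
                f.unlink()          # forced: no later enabling from a backup
            else:                   # keep the lib/<sub-folder> layout in the backup
                dest = Path(backup_dir) / f.relative_to(home)
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(f), str(dest))
        features = record(features, comp, False)
    if confirm:
        save_features(home, features)
    return affected


def enable(home, names, backup_dir, confirm=False):
    """Restore from the backup; a package without backup files cannot be enabled."""
    features, restored = load_features(home), {}
    for name in names:
        comp = COMPONENTS[name]
        files = component_files(backup_dir, comp["name"], comp["version"])
        if not files:
            raise FileNotFoundError(f"{name}: not in backup directory, re-install the product")
        restored[name] = [str(f.relative_to(backup_dir)) for f in files]
        if not confirm:
            continue
        for f in files:
            dest = Path(home) / f.relative_to(backup_dir)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(f), str(dest))
        features = record(features, comp, True)
    if confirm:
        save_features(home, features)
    return restored


def demo():
    """Dry-run, disable, list, enable and a refused re-enable on a throw-away install."""
    with tempfile.TemporaryDirectory() as root:
        home, backup, out = make_sample_install(root), Path(root) / "backup", {}
        out["dry_run"] = disable(home, ["simple-xml", "snakeyaml"], backup)
        out["present_after_dry_run"] = bool(component_files(home, "simple-xml", "2.7.1"))
        disable(home, ["simple-xml", "snakeyaml"], backup, confirm=True)
        out["listed"] = load_features(home)                       # what --list shows
        out["in_backup"] = [str(p.relative_to(backup)) for p in component_files(backup, "snakeyaml", "2.0")]
        enable(home, ["simple-xml"], backup, confirm=True)
        out["after_enable"] = load_features(home)
        try:
            enable(home, ["simple-xml"], backup, confirm=True)    # backup copy already consumed
            out["second_enable"] = "unexpected success"
        except FileNotFoundError:
            out["second_enable"] = "refused"
        return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the collected results of one complete cycle. The second enable attempt fails because the restored files were moved out of the backup directory, which is the situation the --enable option describes: a package that is no longer in the backup directory can only be brought back by re-installing the product.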