Matrix42 Self-Service Help Center

Collecting data for Java installations

Overview

This feature is relevant starting with the Matrix42 Oracle Compliance add-on version 3.0.

As of version 3.0, the Oracle Compliance add-on automatically collects information about Java installations by scanning the file system and by process detection. The file system scan is configurable.

At least 32 MB of memory must be free and available to run M42DataCollection.

Settings for Java Data Collection

By default, scanning for Java installations is enabled on both Unix/Linux and Windows systems.
Mounted file systems are not scanned by default. Certain directories are excluded in the default configuration.

Unix/Linux 

The M42DataCollection.env file (for Solaris: M42DataCollection_SunOS.env) is located in the M42DataCollectionUnix\bin\config folder and contains the following settings:

#
# FileScan Settings
# Supported Filesystems: xfs,ext2,ext3,ext4,btrfs,zfs,reiserfs,vxfs,hfs
# Supported Shares: nfs,cifs
#

EnableFileScan=1
EnableFileScanCompression=1
EnableFileShareScan=0
ExcludedFileScanPaths="/proc:/dev"

  • Supported Filesystems lists all types of file systems that the tool can scan.
  • Supported Shares lists supported protocols for sharing directories and files.
  • EnableFileScan determines if the system should perform the scan or not.
  • EnableFileScanCompression indicates if the list of found files should be compressed.
  • EnableFileShareScan determines if mounted file shares should be scanned or not.
  • In ExcludedFileScanPaths you can add paths that must not be scanned.

Windows 

The M42DataCollection.env configuration file is located in the M42DataCollectionWin folder and contains the following settings:

# Settings for FileScan
FileScan=1
EnableFileShareScan=0
ExcludedDirs = "$env:windir","C:\PerfLogs"
IncludedFileTypes=".exe",".cfg",".conf",".json",".txt",".xml",".csv",".config", ".properties"
OnlyIncludedFileTypes=1
ResultFile="$env:TEMP\filelist.tmp"

#Java Settings
OracleJavaDetection=1

  • FileScan determines if the system should perform the scan or not.
  • EnableFileShareScan indicates if mounted file shares should be scanned or not.
  • In ExcludedDirs you can add directories that must not be scanned.
  • IncludedFileTypes lists file types that are relevant for scanning. It is not recommended to edit this setting.
  • OnlyIncludedFileTypes determines if the scan should cover only the included file types or all file types.
  • ResultFile is a path to the file that contains scan results.
  • OracleJavaDetection indicates if the scan should include Java installations or not.

Using a dedicated account for executing Java binaries

This feature is available starting with Oracle Compliance version 3.9.

To gather all information about Java installations, the discovered java.exe binaries must be executed. Currently they are executed under the script user, which usually means that an administrator account runs the Java binaries. To mitigate the risk of executing malicious binaries, a new Java execution method feature has been implemented for Windows.

Linux and Unix use a different approach: in the current implementation, the scan switches to the user that owns the Java binary before running the binary.

For this feature there are new configuration entries in the M42DataCollection.env file:

JavaExecutionMethod=<option>
JavaUser=<accountname>
JavaUserPassword=<password>

The JavaExecutionMethod setting can have the value 1 or 2.

  • Value "1": The security context of the user account that started the scan script is used to execute the Java binaries.
  • Value "2": The domain user account specified in the JavaUser entry is used to execute the Java binaries. Prior to execution, the Java home is copied to the user's temporary directory. To be able to execute the Java binary, the password for this user must be specified in the JavaUserPassword entry. Specify the dedicated user in the "domain\username" format. This domain user account must be a member of the Remote Management Users group!
  • Value "3": This method creates a new local user on the fly, with the username defined in JavaUser. The password is randomly generated. As in method 2, the Java home is copied to the user's temporary directory, where it is executed by the new user. After all Java binaries have been executed, the local user and its home directory are removed. This option is only available on UNIX and Linux machines.

If option "2" is used, Remote PowerShell must be enabled on all target machines running a Windows operating system. How to configure the target machines accordingly through a Group Policy is documented in the article How to enable Remote PowerShell for Oracle Java scanning on Windows.
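
A check an administrator could run over M42DataCollection.env before rollout, flagging the execution method, a stored JavaUserPassword, loose file permissions and share scanning. This is an added example, not part of the Matrix42 documentation or tooling; the function names, the sample file and the treatment of a missing JavaExecutionMethod as value 1 are assumptions.

```python
import re

# EnableFileShareScan=0 is the default shown on this page.
# JavaExecutionMethod has no documented default; treating it as "1" is an assumption.
DEFAULTS = {"EnableFileShareScan": "0", "JavaExecutionMethod": "1"}

def parse_env(text):
    """Parse KEY=VALUE lines of M42DataCollection.env, skipping '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text, file_mode=None):
    """Return findings; file_mode is the POSIX permission bits, or None if unknown."""
    cfg = {**DEFAULTS, **parse_env(text)}
    findings = []
    method = cfg["JavaExecutionMethod"]
    if method == "1":
        findings.append("method-1: discovered Java binaries run as the scan account")
    if method == "2" and not re.fullmatch(r"[^\\]+\\[^\\]+", cfg.get("JavaUser", "")):
        findings.append("method-2: JavaUser is not in domain\\username format")
    if cfg.get("JavaUserPassword"):
        findings.append("password: env file contains a JavaUserPassword value")
        if file_mode is not None and file_mode & 0o077:
            findings.append("perms: env file is accessible to group or others")
    if cfg["EnableFileShareScan"] != "0":
        findings.append("shares: mounted file shares are scanned (non-default)")
    return findings

# Constructed sample file contents, not taken from a real installation.
SAMPLE = """\
# Settings for FileScan
FileScan=1
EnableFileShareScan=1
JavaExecutionMethod=2
JavaUser=svc_javascan
JavaUserPassword=Example-Only-123
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, file_mode=0o644):
        print(finding)
```

On Windows, pass file_mode=None and review the ACL of the env file separately, since POSIX permission bits do not describe it.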

Analyzing the results of Java inventory

The data collected from scanning Java installations is displayed as a dashboard under the Home > Java Product Deployment navigation item in the Oracle Compliance application.

Keep in mind that the Commercial Feature Usage chart includes only Java installations from the publisher Oracle whereas the Vendor chart displays Java installations from all vendors.

For details about Java installations, go to the Java Products navigation item. 
