Matrix42 Self-Service Help Center

Collecting data for Java installations

Overview

This feature is relevant starting with the Matrix42 Oracle Compliance add-on version 3.0.

Oracle Compliance supports Oracle Java Data Collection Scripts that compile information about all Java copies on the hard disks of scanned computers by searching through the entire file system and by process detection.

Scan results from Matrix42 Oracle Java Data Collection Scripts have been verified by Oracle Corporation and are therefore accepted in any engagement (external link).

A valid result requires a thorough version verification by executing the Java binary with special parameters. The standard output of this process is captured and stored in the scan results. It contains precise information about the publisher and the version. Executing the binary is a critical matter, but it is necessary to fulfill the requirements defined by Oracle.

The execution of the script requires extended local rights on the computer to be examined, as all areas of the hard disk must be checked for Java installations. The execution can be carried out, for example, with a local administrator or another user account that has the required rights. 

For the version check described above, Oracle Java Data Collection Scripts use a procedure that increases the security of this step: java.exe is executed in a different user context. The authorizations of this user account can be severely restricted in order to increase security. However, different requirements and restrictions apply here, which are defined by the respective operating systems and described below.

The scanning process can be illustrated schematically as follows:

[Figure: schematic illustration of the scanning process]

A minimum of 32 MB memory needs to be free and available to run the M42DataCollection script.

Settings for Java Data Collection

By default, the settings for scanning Java installations are enabled for both Unix/Linux systems and Windows systems.
Mounted file systems are not scanned by default. Certain directories are excluded in the default configuration.

Unix/Linux 

The M42DataCollection.env file (for Solaris: M42DataCollection_SunOS.env) is located in the M42DataCollectionUnix\bin\config folder and contains the following settings:

#
# FileScan Settings
# Supported Filesystems: xfs,ext2,ext3,ext4,btrfs,zfs,reiserfs,vxfs,hfs
# Supported Shares: nfs,cifs
#

EnableFileScan=1
EnableFileScanCompression=1
EnableFileShareScan=0
ExcludedFileScanPaths="/proc:/dev"
  • Supported Filesystems lists all types of file systems that the tool can scan.
  • Supported Shares lists supported protocols for sharing directories and files.
  • EnableFileScan determines if the system should perform the scan or not.
  • EnableFileScanCompression indicates if the list of found files should be compressed.
  • EnableFileShareScan determines if mounted file shares should be scanned or not.
  • In ExcludedFileScanPaths you can add paths that must not be scanned.

Windows 

The M42DataCollection.env configuration file is located in the M42DataCollectionWin folder and contains the following settings:

# Settings for FileScan
FileScan=1
EnableFileShareScan=0
ExcludedDirs = "$env:windir","C:\PerfLogs"
IncludedFileTypes=".exe",".cfg",".conf",".json",".txt",".xml",".csv",".config", ".properties"
OnlyIncludedFileTypes=1
ResultFile="$env:TEMP\filelist.tmp"

#Java Settings
OracleJavaDetection=1
  • FileScan determines if the system should perform the scan or not.
  • EnableFileShareScan indicates if mounted file shares should be scanned or not.
  • In ExcludedDirs you can add directories that must not be scanned.
  • IncludedFileTypes lists file types that are relevant for scanning. It is not recommended to edit this setting.
  • OnlyIncludedFileTypes determines if the scan should cover only the included file types or all file types.
  • ResultFile is a path to the file that contains scan results.
  • OracleJavaDetection indicates if the scan should include Java installations or not.

Using a dedicated account for executing Java binaries:

This feature is available starting with Oracle Compliance version 3.9.

In order to gather all information about Java installations, it is necessary to execute the discovered java.exe binaries. Currently the execution is performed under the script user, meaning that usually an administrator will execute the Java binaries. To mitigate the risk of executing malicious binaries, a new Java execution method feature has been implemented for Windows.

For Linux and Unix a different approach is used: in the current implementation, the script switches to the user who owns the Java binary before running the binary.

For this feature there are new configuration entries in the M42DataCollection.env file:

JavaExecutionMethod=<option>
JavaUser=<accountname>
JavaUserPassword=<password>

The JavaExecutionMethod setting can have the value 1 or 2.

  • Value "1": The security context of the user account that started the scan script is used to execute the Java binaries. 
  • Value "2": The domain user account specified in the JavaUser entry will be used to execute Java binaries. Prior to execution, the Java home will be copied to the user's temporary directory. In order to be able to execute the Java binary, the password for this user must be specified in the JavaUserPassword entry. Specify the dedicated user in the "domain\username" format. This domain user account must be a member of the Remote Management Users group!
  • Value "3": This method creates a new local user on the fly, with the username defined in JavaUser. The password will be randomly generated. As in method 2, the Java home will be copied to the user's temporary directory, where it will be executed by the new user. After all Java binaries have been executed, the local user and its home directory will be removed. This option is only available on UNIX and Linux machines.

When option "2" is used, Remote PowerShell must be enabled on all target machines running a Windows operating system. How to configure target machines accordingly through a Group Policy is documented in the article How to enable Remote PowerShell for Oracle Java scanning on Windows.
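
The following pre-deployment check of the execution-method settings described above is an added example, not part of the Matrix42 scripts. The finding codes, the platform parameter and the sample values are assumptions made for illustration; only the setting names and their rules come from this page.

```python
import re

# Constructed sample in the Windows M42DataCollection.env style; account and password are made up.
SAMPLE_ENV = r'''
EnableFileShareScan=1
#Java Settings
JavaExecutionMethod=2
JavaUser=svc_javascan
JavaUserPassword=Example-Only-1!
'''

def parse_env(text):
    """Parse KEY=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(settings, platform):
    """Return sorted finding codes; platform ('windows' or 'unix') is a hypothetical parameter."""
    method = settings.get("JavaExecutionMethod", "")
    user, password = settings.get("JavaUser", ""), settings.get("JavaUserPassword", "")
    findings = set()
    if method == "1":
        findings.add("RUNS_AS_SCAN_ACCOUNT")        # binaries run with the scan account's rights
    elif method == "2":
        if not re.fullmatch(r"[^\\]+\\[^\\]+", user):
            findings.add("USER_NOT_DOMAIN_FORMAT")  # page requires domain\username
        if not password:
            findings.add("PASSWORD_MISSING")        # method 2 needs JavaUserPassword
    elif method == "3":
        if platform == "windows":
            findings.add("METHOD_3_UNIX_ONLY")      # page: only on UNIX and Linux
        if not user:
            findings.add("USER_MISSING")
    else:
        findings.add("METHOD_UNSET_OR_INVALID")
    if password:
        findings.add("CLEARTEXT_PASSWORD_IN_FILE")  # review who can read the .env file
        if method != "2":
            findings.add("PASSWORD_NOT_NEEDED")     # page requires it only for method 2
    if settings.get("EnableFileShareScan", "0") == "1":
        findings.add("SHARE_SCAN_ENABLED")          # default on this page is 0
    return sorted(findings)

if __name__ == "__main__":
    print(audit(parse_env(SAMPLE_ENV), "windows"))
```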

Analyzing the results of Java inventory

The data collected from scanning Java installations is displayed as a dashboard under the Home > Java Product Deployment navigation item in the Oracle Compliance application.

Keep in mind that the Commercial Feature Usage chart includes only Java installations from the publisher Oracle whereas the Vendor chart displays Java installations from all vendors.

For details about Java installations, go to the Java Products navigation item. 
