Introduction

Software packages included with the installation of JS7 products can be enabled and disabled by use of the Package Management Script.

  • Disabling software packages can provide immediate mitigation of vulnerabilities in 3rd-party components used by JS7.
  • The JS7 products ship with a JS7 - Software Bill of Materials that can be used to identify vulnerable components and package dependencies.
  • For environments with a larger number of JS7 products installed the management of software packages can be automated in a number of ways:
    • Users can apply the Software Package Management Script that is described in this article.
    • Users can apply the Software Package Management Script with their preferred tools such as Ansible®, Puppet®, Chef®.

Security

Secure rollout of JS7 products is critical. It is therefore recommended that the solution described here is adjusted to suit specific security needs.

  • Rollout of JS7 products is considered critical as the software allows jobs to be executed on a larger number of servers.
    • Vulnerabilities in 3rd-party components of JS7 products deserve attention.
  • The solution provided for software package management is based on shell scripting by design:
    • to provide readability and to rely on OS commands only,
    • to avoid the use of 3rd-party components and additional dependencies that require code to be executed.
  • The Software Package Management Script can be integrated in a number of ways:
    • by running the script directly on the related server,
    • by running one's own SSH scripts for use with remote servers,
    • by use with tools such as Ansible®, Puppet® that make use of an SSH Client,
    • by use of JS7 workflow automation.

Software Package Management Script

The Software Package Management Script is provided for download and can be used with JS7 Agents, Controller and JOC Cockpit.

  • The script is available for Linux, MacOS®, AIX® and Solaris® using the POSIX-compatible shells bash, dash, ksh and zsh.
  • The script can be used to
    • disable software packages, i.e. to remove related files, such as *.jar files from the JS7 product.
    • enable software packages, i.e. to restore related files from a backup directory.
    • identify package dependencies if software packages are disabled.
  • The script terminates with exit code 0 to signal success, with exit code 1 for command line argument errors and with other exit codes for non-recoverable errors.
  • The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.
  • Users should be aware that installing, updating or upgrading JS7 products reverts disabled software packages.

Prerequisites

The Software Package Management Script requires the jq utility from the operating system, see https://stedolan.github.io/jq.

Version 1.6 of jq ships with the MIT license, see https://opensource.org/licenses/MIT.

Download

Find the Software Package Management Script for download from JS7 - Download.

Usage

Invoking the Software Package Management Script without arguments displays the usage clause:


Software Package Management Script
Usage: js7_set_feature.sh [Options] [Switches]

  Options:
    --home=<directory>                 | required: directory to which the JS7 product is installed
    --features=<path>                  | optional: path to features.json file, default: <home>/features.json
    --sbom=<path>                      | optional: path to sbom.json file, default: <home>/sbom.json
    --enable=<package[,package]>       | optional: enables one or more software packages
    --disable=<package[,package]>      | optional: disables one or more software packages
    --backup-dir=<directory>           | optional: backup directory for disabled software packages
    --log-dir=<directory>              | optional: log directory for log output of the script

  Switches:
    -h | --help                        | displays usage
    --list                             | returns the list of disabled/enabled software packages
    --show-logs                        | shows log output of the script
    --make-dirs                        | creates the backup and logs directories if they do not exist
    --force                            | forces disabling packages without option for later enabling from a backup directory
    --confirm                          | confirms enabling or disabling of software packages


Options

  • --home
    • Specifies the directory in which the JS7 product is installed.
  • --features
    • Specifies the path to a file in .json format that stores information about enabled and disabled software packages. By default the <home>/features.json file is used.
    • The file does not exist by default but is automatically created when enabling and disabling packages.
  • --sbom
    • Specifies the path to a file that holds the JS7 - Software Bill of Materials. The file ships with the respective JS7 products.
    • For Controller and Agents the <home>/sbom.json file is used. For JOC Cockpit the JETTY_BASE/webapps/joc/sbom.json file is used.
  • --enable
    • Specifies software packages that should be enabled. A number of software packages can be specified separated by comma.
    • As a prerequisite, when software packages are disabled
      • the information is stored in the features.json file. This information is later used to enable software packages.
      • the backup directory has to be specified, see --backup-dir option. It is used as the source when enabling software packages.
    • If a software package is not available from the backup directory then the software package cannot be enabled. Instead, the JS7 product has to be re-installed.
  • --disable
    • Specifies software packages that should be disabled. A number of software packages can be specified separated by comma.
    • The files related to a software package such as *.jar files will be removed from the JS7 product installation.
    • To allow later enabling, a backup directory is specified with the --backup-dir option. Users who do not want to use a backup directory can apply the --force switch.
  • --backup-dir
    • If a backup directory is specified when disabling software packages then the related files such as *.jar files are moved to this directory.
    • The backup directory holds a lib sub-folder with related sub-folders of the JS7 product's lib directory such as lib/sos, lib/3rd-party etc.
  • --log-dir
    • If a log directory is specified then the Software Package Management Script will write information about processing steps to a log file in this directory.
    • File names are created according to the pattern: js7_features.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
    • For example: js7_features.centostest_primary.2022-03-19T20-50-45.log

Switches

  • -h | --help
    • Displays usage.
  • --list
    • Returns the list of software packages that have been disabled or enabled. This information is read from the features.json file, see --features option.
  • --show-logs
    • Displays the log output created by the script if the --log-dir option is used.
  • --make-dirs
    • If directories indicated with the --backup-dir or --log-dir options are missing then they will be created.
  • --force
    • Specifies that a software package is disabled, i.e. its files are removed from the JS7 product installation, without use of a backup directory.
  • --confirm
    • Specifies that the operation to enable or to disable a software package is confirmed. If this switch is omitted then a dry-run is performed that displays which software packages are affected by enabling or disabling.

Exit Codes

  • 0: success
  • 1: argument errors
  • 2: non-recoverable errors

Examples

The following examples illustrate typical use cases. Examples are provided for use with Agents; they can similarly be used for Controller and JOC Cockpit instances, the only difference being the location of the home directory of the JS7 product.

Disable Software Packages (dry-run)

Example for use of Software Package Management Script
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backup \
    --disable=simple-xml,snakeyaml \
    --make-dirs

# displays candidate files for removal if the simple-xml and snakeyaml software packages are disabled in an Agent installation 
# performs a dry-run without effective removal of files as the --confirm switch is not specified


Output of the above example can look like this:

Example for output of Software Package Management Script
-- begin of log --------------
./js7_set_feature.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --disable=simple-xml,snakeyaml --make-dirs
-- begin of output -----------
.. checking to disable package: simple-xml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/simple-xml-2.7.1.jar
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
....... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-cli@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-hibernate@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-mail@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-vfs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. checking to disable package: snakeyaml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/snakeyaml-2.0.jar
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
-- end of log ---------------- 


Explanation:

  • The output indicates package dependencies. Note that the examples strictly depend on specific releases of JS7.
  • The simple-xml package is used by the KeePassJava2-simple package and, in turn, by the KeePassJava2 package.
    • Further up in the hierarchy users find the sos-commons-credentialstore package. The package implements the feature of the JS7 - Credential Store.
    • This means that with removal of the simple-xml package a credential store can no longer be used in JS7.
  • The snakeyaml package is used by the sos-js7-loganonymizer package.
    • The latter package implements the JS7 - Log Anonymization feature.
    • With snakeyaml being removed the log anonymization feature can no longer be used in JS7.
  • If users find vulnerabilities in 3rd-party components for which no immediate fixes are available then they can take the decision to disable related software packages and not to use affected JS7 features.
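
When disabling is automated, the dry-run report can be reduced to its distinct affected components and checked against the JS7 features an operator has accepted to lose before --confirm is added. The following is an added example and not part of the Software Package Management Script; the function names, the JS7_SCRIPT variable, return code 3 and the sample report (constructed from the output above) are assumptions of this example.

```shell
# Added example: gate --confirm on a reviewed dry-run of js7_set_feature.sh.
# Assumes the dry-run report is written to stdout in the format shown above.
JS7_SCRIPT=${JS7_SCRIPT:-./js7_set_feature.sh}

# Constructed sample, abbreviated from the dry-run output above.
SAMPLE_DRY_RUN='.. checking to disable package: simple-xml
.... candidate component files for removal in directory: /home/sos/agent
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.. checking to disable package: snakeyaml
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar'

# Reads a dry-run report on stdin; prints one "<package> <group>/<name>@<version>"
# line per distinct affected component (the report repeats shared dependents).
summarize_dry_run() {
    awk '
        /checking to disable package: / { pkg = $NF; next }
        /recursing affected component reference: / {
            ref = $NF
            sub(/^pkg:maven\//, "", ref)   # drop the purl type prefix
            sub(/[?].*$/, "", ref)         # drop qualifiers such as ?type=jar
            if (!seen[pkg, ref]++) print pkg, ref
        }'
}

# $1: comma-separated component names whose loss is accepted. Reads the summary
# on stdin; prints affected components of group com.sos-berlin (assumed here to
# be the JS7 feature libraries, as in the output above) that are not accepted.
unapproved_impact() {
    awk -v approved="$1" '
        BEGIN { n = split(approved, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            split($2, p, "/"); name = p[2]; sub(/@.*$/, "", name)
            if (p[1] == "com.sos-berlin" && !(name in ok)) print $1, name
        }'
}

# $1: accepted names; remaining arguments: script options without --confirm.
# Return code 3 is this wrapper's own and is not an exit code of the script.
disable_if_approved() {
    approved=$1; shift
    dry=$("$JS7_SCRIPT" "$@") || return $?
    blocked=$(printf '%s\n' "$dry" | summarize_dry_run | unapproved_impact "$approved")
    if [ -n "$blocked" ]; then
        printf 'not confirmed, unapproved impact:\n%s\n' "$blocked" >&2
        return 3
    fi
    "$JS7_SCRIPT" "$@" --confirm
}
```

A call such as disable_if_approved sos-js7-loganonymizer --home=/home/sos/agent --backup-dir=/home/sos/backup --disable=snakeyaml --make-dirs runs the dry-run first and repeats the call with --confirm only if no other JS7 component is affected.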

Disable Software Packages (permanently)

Example for use of Software Package Management Script
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backup \
    --disable=simple-xml,snakeyaml \
    --make-dirs \
    --confirm

# removes the simple-xml and snakeyaml software packages from an Agent installation
# creates the backup directory if it does not exist
# copies files of disabled packages to the backup directory
# confirms removal of disabled packages


Output of the above example can look like this:

Example for output of Software Package Management Script
-- begin of log --------------
./js7_set_feature.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --disable=simple-xml,snakeyaml --make-dirs --confirm
-- begin of output -----------
.. checking to disable package: simple-xml
.... creating copies of component files in backup directory: /home/sos/backup
./lib/3rd-party/simple-xml-2.7.1.jar
.... removing component files: /home/sos/agent/lib/*/simple-xml*2.7.1.jar
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
....... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-cli@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-hibernate@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-mail@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-vfs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. package disabled: simple-xml
.. checking to disable package: snakeyaml
.... creating copies of component files in backup directory: /home/sos/backup
./lib/3rd-party/snakeyaml-2.0.jar
.... removing component files: /home/sos/agent/lib/*/snakeyaml*2.0.jar
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. package disabled: snakeyaml 

Enable Software Packages

Example for use of Software Package Management Script
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backup \
    --enable=simple-xml,snakeyaml \
    --confirm

# restores the simple-xml and snakeyaml software packages in an Agent installation 
# copies files of disabled packages from the backup directory


Output of the above example can look like this:

Example for output of Software Package Management Script
-- begin of log --------------
./js7_set_feature.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --enable=simple-xml,snakeyaml --confirm
-- begin of output -----------
.. checking to enable package: simple-xml
.... restoring component files from backup directory: /home/sos/backup
./lib/3rd-party/simple-xml-2.7.1.jar
.... removing component files from backup directory: /home/sos/backup/lib/*/simple-xml*2.7.1.jar
.. package enabled: simple-xml
.. checking to enable package: snakeyaml
.... restoring component files from backup directory: /home/sos/backup
./lib/3rd-party/snakeyaml-2.0.jar
.... removing component files from backup directory: /home/sos/backup/lib/*/snakeyaml*2.0.jar
.. package enabled: snakeyaml
-- end of log ----------------

List Software Packages

Example for use of Software Package Management Script
./js7_set_feature.sh \
    --home=/home/sos/agent \
    --list

# displays the list of enabled or disabled software packages from an Agent installation


Output of the above example is available if software packages have previously been disabled and can look like this:

Example for output of Software Package Management Script
{
  "group": "org.simpleframework",
  "name": "simple-xml",
  "version": "2.7.1",
  "enabled": false
}
{
  "group": "org.yaml",
  "name": "snakeyaml",
  "version": "2.0",
  "enabled": false
} 





