Introduction

Software packages included with the installation of JS7 components can be enabled and disabled by use of the Package Management Script.

  • Disabling software packages can be an immediate means for mitigation of vulnerabilities in 3rd-party components used by JS7.
  • The JS7 products ship with a JS7 - Software Bill of Materials that can be used to identify vulnerable components and package dependencies.
  • For environments with a larger number of JS7 products installed the management of software packages can be automated in a number of ways:
    • Users can apply the Software Package Management Script that is described in this article.
    • Users can apply the Software Package Management Script with their preferred tools such as Ansible®, Puppet®, Chef®.

Security

Secure rollout of JS7 products is critical. It is therefore recommended that the solution described here is adjusted to suit specific security needs.

  • Rollout of JS7 products is considered critical as the software allows jobs to be executed on a larger number of servers.
    • Vulnerabilities in 3rd-party libraries of JS7 products deserve attention.
  • The solution provided for software package management is based on shell scripting by design:
    • to provide readability and to rely on OS commands only,
    • to deny the use of 3rd-party components and additional dependencies that require code to be executed.
  • The Software Package Management Script can be integrated in a number of ways:
    • by running one's own SSH scripts,
    • by use with tools such as Ansible®, Puppet® that make use of an SSH Client,
    • by use of JS7 workflow automation.

Software Package Management Script

The Software Package Management Script is provided for download and can be used with JS7 Agents, Controller and JOC Cockpit.

  • The script is available for Linux, MacOS®, AIX® and Solaris® using bash, dash, ksh and zsh POSIX-compatible shells.
  • The script can be used to
    • disable software packages, i.e. to remove related files, such as *.jar files from the JS7 product.
    • enable software packages, i.e. to restore related files from a backup directory.
    • identify package dependencies if software packages are disabled.
  • The script terminates with exit code 0 to signal success, with exit code 1 for command line argument errors and with other exit codes for non-recoverable errors.
  • The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.
  • Users should consider that installation, update and upgrade of JS7 products revert disabled software packages.

Download

Find the Software Package Management Script for download from JS7 - Download.

Usage

Invoking the Software Package Management Script without arguments displays the usage clause:


Software Package Management Script: js7_features.sh
Usage: js7_features.sh [Options] [Switches]

  Options:
    --home=<directory>                 | required: directory to which the product is installed
    --features=<path>                  | optional: path to features.json file, default: <home>/features.json
    --sbom=<path>                      | optional: path to sbom.json file, default: <home>/sbom.json
    --enable=<package[,package]>       | optional: enables one or more packages
    --disable=<package[,package]>      | optional: disables one or more packages
    --backup-dir=<directory>           | optional: backup directory for disabled packages
    --log-dir=<directory>              | optional: log directory for log output of this script

  Switches:
    -h | --help                        | displays usage
    --list                             | returns the list of disabled/enabled packages
    --show-logs                        | shows log output of the script
    --make-dirs                        | creates the backup and logs directories if they do not exist
    --force                            | forces disabling packages without later enabling from a backup directory
    --confirm                          | confirm enabling or disabling of packages


Options

  • --home
    • Specifies the directory in which the JS7 product is installed.
  • --features
    • Specifies the path to a file in .json format that stores information about enabled and disabled software packages.
    • By default the <home>/features.json file is used.
  • --sbom
    • Specifies the path to a file that holds the JS7 - Software Bill of Materials.
    • For Controller and Agents the <home>/sbom.json file is used. For JOC Cockpit the JETTY_BASE/webapps/joc/sbom.json file is used.
  • --enable
    • Specifies software packages that should be enabled. When software packages are disabled, the information is stored in the features.json file and is used to enable the software packages later on.
    • As a prerequisite, a backup directory has to be specified when disabling software packages, see the --backup-dir option. The backup directory is used as the source to enable software packages.
    • If a software package is not available from a backup, then the JS7 product has to be re-installed or updated to enable the software package.
  • --disable
    • Specifies software packages that should be disabled. Technically the files related to a software package such as *.jar files are removed from the JS7 product.
    • To allow later enabling, a backup directory is specified with the --backup-dir option. Users who do not want to use a backup directory can apply the --force switch.
  • --backup-dir
    • If a backup directory is specified when disabling software packages then the related files such as *.jar files are moved to this directory.
    • The backup directory holds a lib sub-folder that holds related sub-folders of the JS7 product's lib directory such as lib/sos, lib/3rd-party etc.
  • --log-dir
    • If a log directory is specified then the Software Package Management Script will write information about processing steps to a log file in this directory.
    • File names are created according to the pattern: js7_features.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
    • For example: js7_features.centostest_primary.2022-03-19T20-50-45.log

Switches

  • -h | --help
    • Displays usage.
  • --list
    • Returns the list of software packages that have been disabled or enabled. This information is read from the features.json file, see --features option.
  • --show-logs
    • Displays the log output created by the script if the --log-dir option is used.
  • --make-dirs
    • If directories are missing that are indicated with the --backup-dir or --log-dir options then they will be created.
  • --force
    • Specifies that a software package is disabled, i.e. its files are removed from the JS7 product, without using a backup directory.
  • --confirm
    • Specifies that the operation to enable or disable a software package is confirmed. If this switch is omitted then a dry-run is performed that displays which software packages are affected by enabling or disabling.

Exit Codes

  • 1: argument errors
  • 2: non-recoverable errors

Examples

The following examples illustrate typical use cases.

Disable Software Packages

Example for use of Software Package Management Script
./js7_features.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backups \
    --disable=simple-xml,snakeyaml \
    --make-dirs \
    --confirm

# removes the simple-xml and snakeyaml software packages from an Agent installation
# moves files of disabled packages to the backup directory
# creates the backup directory if it does not exist
# confirms removal of disabled packages, without --confirm a dry-run is performed

Enable Software Packages

Example for use of Software Package Management Script
./js7_features.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backups \
    --enable=simple-xml,snakeyaml \
    --confirm

# restores the simple-xml and snakeyaml software packages in an Agent installation
# copies files of disabled packages from the backup directory
# confirms restoring of packages, without --confirm a dry-run is performed

List Software Packages

Example for use of Software Package Management Script
./js7_features.sh \
    --home=/home/sos/agent \
    --list \
    --make-dirs

# returns the list of disabled/enabled packages of an Agent installation
# reads the information from the <home>/features.json file


Output of the above example is available if packages previously have been disabled and can look like this:

Example for output of Software Package Management Script
{
  "name": "simple-xml",
  "enabled": false
}
{
  "name": "snakeyaml",
  "enabled": false
}
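
Added example, not part of the JS7 distribution: a POSIX shell wrapper for rollout tools that performs the dry-run, repeats the call with --confirm, and then checks the --list output to verify that the mitigation took effect. It assumes that --list prints objects in the format shown above; the function names and the wrapper's return code 100 are hypothetical.

```shell
#!/bin/sh
# Added example: dry-run, confirm, then verify that packages are disabled.
# Assumption: --list prints objects formatted like the sample output on this page.

# Print the names of packages that --list output (read from stdin) reports as disabled.
js7_disabled_names() {
    awk '
        /"name"/       { n = $0; sub(/^[^:]*: *"/, "", n); sub(/".*$/, "", n) }
        /"enabled"/    { e = ($0 ~ /false/) }
        index($0, "}") { if (n != "" && e) print n; n = ""; e = 0 }
    '
}

# Return 0 only if every package in $2 (pkg[,pkg]) is disabled in $1 (--list output).
js7_all_disabled() {
    _disabled=$(printf '%s\n' "$1" | js7_disabled_names)
    _rc=0
    for _p in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "$_disabled" | grep -qxF -- "$_p" ||
            { echo "package still enabled: $_p" >&2; _rc=1; }
    done
    return "$_rc"
}

# $1 = path to js7_features.sh, $2 = product home, $3 = backup dir, $4 = pkg[,pkg]
# Returns the script's exit code on failure (1 = argument errors, other =
# non-recoverable errors) or 100 (wrapper's own, hypothetical) if the script
# succeeded but --list does not report the packages as disabled.
js7_disable_verified() {
    # Dry-run first: without --confirm the script only displays affected packages.
    "$1" --home="$2" --backup-dir="$3" --disable="$4" --make-dirs || {
        _rc=$?; echo "dry-run failed with exit code $_rc" >&2; return "$_rc"; }
    # Same call with --confirm performs the operation.
    "$1" --home="$2" --backup-dir="$3" --disable="$4" --make-dirs --confirm || {
        _rc=$?; echo "disable failed with exit code $_rc" >&2; return "$_rc"; }
    # Verify the result from the features.json information returned by --list.
    _list=$("$1" --home="$2" --list) || return $?
    js7_all_disabled "$_list" "$4" || return 100
}
```

A call such as js7_disable_verified ./js7_features.sh /home/sos/agent /home/sos/backups simple-xml,snakeyaml gives Ansible, Puppet or an SSH script a single return code to act on.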





