Configure the scanner

Configure the security level of the scanner

You can configure the security level of the scanner if it is executed with elevated permissions, that is, as Administrator (Windows) or root (Linux, Unix, and macOS). The configuration is made in the sijs.config file:

<Configuration>
    <SecurityLevel>HIGH</SecurityLevel>
    <ImpersonationUser>javascan</ImpersonationUser>
</Configuration>

Choose one of the following three security levels for the configuration (the default value is HIGH):

  • LOW – Every Java executable found during the file system search will be treated as a secure (admin) path and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan.

  • MEDIUM – The Java executables found that are part of the administrator/root’s “PATH” environment variable will be treated as secure (admin) paths, and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan. All the other Java executables will be treated as non-secure (non-admin) paths and the commands will be executed in a lower security context:

    • For Windows, the runas /trustlevel:0x20000 command will be used, which lowers the permissions to basic user.

    • For Unix, Linux, and macOS, the commands will be executed with the dedicated user defined in <ImpersonationUser>.

  • HIGH – The Java executables found that are part of the administrator/root’s “PATH” environment variable will be treated as secure (admin) paths, and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan. All the other Java executables will be treated as non-secure (non-admin) paths and will not be identified at this security level. The scanner's raw data will contain information that these installations are not identified due to the HIGH security level setting.
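Because MEDIUM and HIGH trust whatever sits in the administrator/root PATH, and MEDIUM depends on the <ImpersonationUser> account, a pre-flight check of both is useful before the scan runs with elevated permissions. The following is an added example, not part of the scanner or its vendor documentation; the function names and the trusted_uid parameter are hypothetical, and it assumes that "part of PATH" means the directories listed in PATH on Unix, Linux, or macOS.

```python
import os
import pwd
import stat
import xml.etree.ElementTree as ET

def load_config(xml_text):
    """Return (level, user) from sijs.config text; the level defaults to HIGH."""
    root = ET.fromstring(xml_text)
    level = (root.findtext("SecurityLevel") or "HIGH").strip()
    user = (root.findtext("ImpersonationUser") or "").strip()
    return level, user

def audit_path_dirs(path_value, trusted_uid=0):
    """List (entry, reason) for PATH entries an unprivileged user could influence."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            findings.append((entry, "empty or relative entry"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            findings.append((entry, "does not exist"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((entry, "not owned by uid %d" % trusted_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group- or world-writable"))
    return findings

def preflight(xml_text, path_value, trusted_uid=0):
    """Return findings to review before the scan runs with elevated permissions."""
    level, user = load_config(xml_text)
    if level not in ("LOW", "MEDIUM", "HIGH"):
        return [("SecurityLevel", "not one of LOW, MEDIUM, HIGH: %r" % level)]
    if level == "LOW":
        return [("SecurityLevel", "LOW runs every Java found as the scanning user")]
    findings = audit_path_dirs(path_value, trusted_uid)  # MEDIUM and HIGH trust PATH
    if level == "MEDIUM":  # Unix, Linux, macOS: commands run as <ImpersonationUser>
        try:
            if pwd.getpwnam(user).pw_uid == 0:
                findings.append(("ImpersonationUser", "maps to uid 0"))
        except KeyError:
            findings.append(("ImpersonationUser", "no such account: %r" % user))
    return findings

if __name__ == "__main__":  # constructed sample using the page's element names
    cfg = "<Configuration><SecurityLevel>MEDIUM</SecurityLevel></Configuration>"
    print(preflight(cfg, os.environ.get("PATH", "")))
```

The check looks only at the PATH directories themselves; writable parent directories are out of its scope.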

Schedule the scan in a Linux or Unix environment

In Linux and Unix environments, the scanner is triggered through a crontab job, which must be created by the user.

Example 28.

# run five minutes after midnight, every day
# cron does not load the login environment; JAVA_HOME must be set for the job
5 0 * * * $JAVA_HOME/bin/java -jar /opt/snow/sijs.jar

Schedule the scan in a Windows environment

In a Windows environment, the scanner is triggered by the Snow Inventory Java Scanner Launcher PowerShell script. The script must be included in the agent installation package.

To execute the scanner, run the following command:

java -jar sijs.jar

Schedule the scan in a macOS environment

In a macOS environment, the scan schedule must be created by the user.

To execute the scanner, run the following command:

java -jar sijs.jar