Snow Inventory Java Scanner

Version 3.0

2022-07-07

Description

The Snow Inventory Java Scanner is a Java application and a component of Snow's Oracle Management Option.

The Snow Inventory Java Scanner is platform-independent, which enables it to run on a variety of operating systems. The scanner collects data related to Java Version 7 and higher.

Note

The inventory data collected by the scanner reflects a snapshot of the Java environment at the instant when the inventory scan is performed.

Prerequisites

  • Dependency on other Snow products

    The Snow Inventory Java Scanner depends on Snow Inventory Agents for Windows, Linux, and macOS version 6.0.0 or higher and Snow Inventory Agent for Unix version 7.0.0 or later, and is compatible with Snow Inventory Server 6.0.2 or later.

  • Java runtime environment

    Snow Inventory Java Scanner requires Java Runtime Environment 8 (1.8), 11, or 17 installed on the target computer.

    Supported versions of Java Runtime Environments are Oracle Java SE and Oracle OpenJDK (versions 8, 11, and 17).

  • Permissions and environment variables

    The operating system user running the Snow Inventory Java Scanner needs the following permissions and environment variables, depending on the platform:

    | Platform | Permissions and environment variables |
    |---|---|
    | macOS | Write permissions to /Users/Shared/SnowSoftware/Inventory/Agent/script-output are required. |
    | Linux | Write permissions to /var/run/SnowSoftware/Inventory/Agent/script-output are required. |
    | Unix | Write permissions to /var/tmp/SnowSoftware/Inventory/Agent/script-output are required. |
    | Windows | An admin user account (Local Admin on the server) should be used when running the Snow Inventory Java Scanner. |

Deployment

The Snow Inventory Java Scanner can be packaged and deployed separately, or together with Inventory Agents. Snow recommends that you deploy this component using a Snow Inventory Agent installation package. Make sure that the sijs.config configuration file is included in the package. For Snow Inventory Agent for Windows, the PowerShell Launcher Script for the Snow Inventory Java Scanner must be included as well.

Files and locations scanned

The Snow Inventory Java Scanner searches for the following files to get information about the Java installations:

| Platform | Filenames |
|---|---|
| macOS/Linux/Unix | java, jcmd |
| Windows | java.exe, jcmd.exe, java*.msi |

The file system search is performed in the same locations as for the Snow Inventory Agent, and it is configured in the snowagent.config file. See Configuration of Snow Inventory Agents for more information.

Scanning active Java processes

If the JDK's JCMD utility is found in the scanned locations, the Snow Inventory Java Scanner uses it to find active Java processes and to detect usage of the Java Flight Recorder commercial feature. The following JCMD commands are executed:

  • jcmd -l

  • jcmd {process_id} VM.system_properties

  • jcmd {process_id} VM.check_commercial_features

Identifying Java installations

In order to properly identify Java installations, for each Java executable that is found during the file system search, the following command is executed:

  • {path_to_java_exe} -XshowSettings:properties -version
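The property block printed by that command can be parsed as follows. This is an added example, not Snow's code; the sample output is constructed, the function names are hypothetical, and it assumes the caller captured stdout and stderr together.

```python
import re

# Constructed sample of merged stdout/stderr; values are illustrative only.
SAMPLE_OUTPUT = """Property settings:
    java.home = /opt/example/jdk8/jre
    java.library.path = /usr/java/packages/lib/amd64
        /usr/lib64
        /lib64
    java.vendor = Oracle Corporation
    java.version = 1.8.0_000
    java.vm.name = Java HotSpot(TM) 64-Bit Server VM

java version "1.8.0_000"
Java(TM) SE Runtime Environment (build 1.8.0_000-b00)
"""

_PROP = re.compile(r"^\s+([A-Za-z0-9_.\-]+) = (.*)$")


def parse_show_settings(text):
    """Parse the 'Property settings:' block into a dict.

    Multi-valued properties continue on more deeply indented lines
    and are returned as lists; single values stay strings.
    """
    props, key, in_block = {}, None, False
    for line in text.splitlines():
        if line.strip() == "Property settings:":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip() or not line[0].isspace():
            break  # a blank or unindented line ends the block
        m = _PROP.match(line)
        if m:
            key = m.group(1)
            props[key] = m.group(2)
        elif key is not None:  # continuation of the previous key
            prev = props[key]
            props[key] = (prev if isinstance(prev, list) else [prev]) + [line.strip()]
    return props


def summarize(props):
    """Pick the fields an inventory record needs to tell installs apart."""
    return {k: props.get(k) for k in ("java.vendor", "java.version", "java.home")}
```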

Output

The data retrieved by the Snow Inventory Java Scanner is stored in JSON files and placed in one of the following designated locations, depending on the platform.

| Platform | Output path |
|---|---|
| macOS | /Users/Shared/SnowSoftware/Inventory/Agent/script-output/<script_name> |
| Linux | /var/run/SnowSoftware/Inventory/Agent/script-output/<script_name> |
| Unix | /var/tmp/SnowSoftware/Inventory/Agent/script-output/<script_name> |
| Windows | %ProgramData%/SnowSoftware/Inventory/Agent/script-output/<script_name> |

Snow Inventory Agents version 6 or higher search these designated locations for output from other Snow Inventory components such as Snow Inventory Java Scanner, or other scripts.

Security level of the scanner

If the scanner is executed with a dedicated user, every Java executable found during the file system search will be treated as a secure (admin) path and all the commands will be executed in the same security context as the user executing the scanner.

When the scanner is executed with elevated permissions, that is, as Administrator (Windows) or root (Linux, Unix, and macOS), the security level at which it runs can be configured. See Configure the security level of the scanner.

Install and schedule Snow Inventory Java Scanner

Install Snow Inventory Java Scanner

The Snow Inventory Java Scanner is a component of Snow's Oracle Management Option. To install it:

  1. Specify that the Java Scanner Option needs to be included when requesting a Snow Inventory Agent deployment package.

  2. Install the Snow Inventory Agent, as described in the user guides for the Snow Inventory Linux, Unix, or Windows Agents, respectively.

Schedule the scan in a Linux or Unix environment

In Linux and Unix environments, the scanner is triggered through a crontab job, which must be created by the user.

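  • Add the following crontab entry to schedule the execution of the scanner:

    # run five minutes after midnight, every day
    # cron does not load the login environment: define JAVA_HOME in the crontab or use the absolute path to java
    5 0 * * * $JAVA_HOME/bin/java -jar /opt/snow/sijs.jar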

Schedule the scan in a Windows environment

In a Windows environment, the scanner is triggered by a PowerShell script. The script must be included in the Windows agent installation package.

  • To schedule the execution of the scanner, run the following command:

    $java -jar sijs.jar

Configure the security level of the scanner

You can configure the security level of the scanner if it is executed with elevated permissions, that is, as Administrator (Windows) or root (Linux, Unix, and macOS). The configuration is made in the sijs.config file:

<Configuration>
    <SecurityLevel>HIGH</SecurityLevel>
    <ImpersonationUser>javascan</ImpersonationUser>
</Configuration>

Choose one of the following three security levels for the configuration (the default value is HIGH):

  • LOW – Every Java executable found during the file system search will be treated as a secure (admin) path and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan.

  • MEDIUM – The Java executables found that are part of the administrator/root’s “PATH” environment variable will be treated as secure (admin) paths, and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan. All the other Java executables will be treated as non-secure (non-admin) paths and the commands will be executed in a lower security context:

    • For Windows, the runas /trustlevel:0x20000 command will be used, which lowers the permissions to basic user.

    • For Unix, Linux, and macOS, the commands will be executed with the dedicated user defined in the sijs.config file under the <ImpersonationUser> property.

  • HIGH – The Java executables found that are part of the administrator/root’s “PATH” environment variable will be treated as secure (admin) paths, and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan. All the other Java executables will be treated as non-secure (non-admin) paths and will not be identified at this security level. The scanner's raw data will contain information that these installations are not identified due to the HIGH security level setting.
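The rules above can be previewed before a level is chosen for a scan that runs as root. This is an added example, not Snow's code: the function names are hypothetical, and it assumes "part of PATH" means the executable's directory is listed in the elevated user's PATH. It also flags executables that would run elevated while being writable by someone other than their owner.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the sijs.config shown above.
SAMPLE_CONFIG = """<Configuration>
    <SecurityLevel>MEDIUM</SecurityLevel>
    <ImpersonationUser>javascan</ImpersonationUser>
</Configuration>"""


def load_config(xml_text):
    """Return (security_level, impersonation_user); the level defaults to HIGH."""
    root = ET.fromstring(xml_text)
    level = (root.findtext("SecurityLevel") or "HIGH").strip().upper()
    if level not in ("LOW", "MEDIUM", "HIGH"):
        raise ValueError("unknown SecurityLevel: %r" % level)
    user = (root.findtext("ImpersonationUser") or "").strip() or None
    return level, user


def plan(java_path, level, admin_path_dirs, impersonation_user=None):
    """Return the action the documented rules imply for one Java executable."""
    # Assumption: "part of PATH" means the executable's directory is listed
    # in the elevated user's PATH; symlinks are not resolved here.
    dirs = {os.path.normpath(d) for d in admin_path_dirs}
    secure = os.path.normpath(os.path.dirname(java_path)) in dirs
    if level == "LOW" or secure:
        return "run-as-scanner-user"
    if level == "MEDIUM":
        # Unix/Linux/macOS behaviour; Windows uses runas /trustlevel:0x20000.
        return "run-as:" + (impersonation_user or "<ImpersonationUser unset>")
    return "skip-not-identified"


def writable_by_others(path):
    """True if the file or its directory is group- or world-writable."""
    mask = stat.S_IWGRP | stat.S_IWOTH
    return any(os.stat(p).st_mode & mask
               for p in (path, os.path.dirname(path) or "."))


def review(paths, level, admin_path_dirs, user=None):
    """Executables that would run elevated and are writable by non-owners."""
    return [p for p in paths
            if plan(p, level, admin_path_dirs, user) == "run-as-scanner-user"
            and os.path.exists(p) and writable_by_others(p)]
```

Anything `review` returns at the level in use is a binary the scan would execute with elevated rights although another account can modify it.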