How can Flexera help us find the servers which contain Log4j on Windows systems?
We see some in our Flexera application but not all.
We have tried, on one system where we know a log4j file is present, to run:
C:\Program Files (x86)\ManageSoft\Tracker>"C:\Program Files (x86)\ManageSoft\Tracker\ndtrack.exe" -o InventoryType=Machine -o UserInteractionLevel=Quiet -o IncludeDirectory=C:\\;D:\\
This command was not showing all the files. It was not showing: "log4j.jar"
We added an option:
"C:\Program Files (x86)\ManageSoft\Tracker\ndtrack.exe" -o InventoryType=Machine -o UserInteractionLevel=Quiet -o IncludeDirectory=C:\\;D:\\ -o IncludeExtension=jar
This option can only be set directly on the command and not on the application interface. (Don't know if it can be set on the beacon in the policy - don't have this knowledge)
The NDI file now contains the log4j file but not information on which version.
<Content MD5="NO_MD5" Size="489884">
<Instance Path="C:\xxxxxxxx\xxxx\agent\lib\log4j.jar" DateTime="20210727T061220"/>
</Content>
Is the FlexNet Agent able to read the software version from the jar file? And what parameter should be set for this?
Regards, Frank07
Dec 13, 2021 09:47 AM
After the reconcile, the jar file is not visible in the inventory evidence of the file or in unrecognised evidence 😕. Reason?
Dec 13, 2021 10:11 AM
Hi @Frank07, I think either the IncludeExtension flag is not working or the system overall/agent has a problem with these types of files. I had already raised call > 02510662 in terms of .jar recognition and that IncludeExtension doesn't seem to work for this file type.
There is an idea already raised to include .jar as part of the automatic recognition from the agent here > https://flexerasfdc.ideas.aha.io/ideas/ITAM-I-170
Dec 13, 2021 10:37 AM
Indeed, I checked with the following SQL command directly in the FNMSInventory database
select c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path from Computer c
left join SoftwareFile sf on c.ComputerID = sf.ComputerID
left join SoftwareDetails sd on sd.SoftwareDetailsID = sf.SoftwareFileID
left join SoftwareFilePath sp on sp.SoftwareFilePathID = sf.SoftwareFilePathID
left join SoftwareFileName sfn on sfn.SoftwareFileNameID = sf.SoftwareID
where c.ComputerCN = 'xxx'
and receive the following
ComputerCN FileDescription Name Path
xxx NULL C:\MidServer\MID\agent\jre\lib\
I receive only the path, which is not very helpful. I will try to check all the NDI files with PowerShell and try to generate a report.
Dec 14, 2021 04:38 AM
Try the following as your query (the critical change is a correction to the join condition to SoftwareFileName):
SELECT c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path
FROM dbo.Computer c
LEFT JOIN dbo.SoftwareFile sf ON c.ComputerID = sf.ComputerID
LEFT JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
LEFT JOIN dbo.SoftwareFileName sfn ON sfn.SoftwareFileNameID = sf.SoftwareFileNameID
WHERE c.ComputerCN = 'xxx'
Dec 14, 2021 05:00 AM
Thank you @ChrisG, this solved the issue and it is now reporting correctly. At least I have a list with all installations that contain log4j and I can work with them.
Dec 14, 2021 05:14 AM
Under License compliance > All applications, I do see installations for log4j 1 showing Redhat as the publisher. From the device inventory I have extracted the affected devices, but when I run the above script using one of the affected device names, the output is not showing any log4j pieces of evidence. Under what name should I look in the output?
Also, with this query I can only target individual machines. With the application name (possibly the answer to the 1st question), is there an option to search and get the path of all affected devices for one particular application, covering the entire estate?
Dec 14, 2021 06:27 AM
@raghuvaran_ram - I think you're mixing up different types of data a little here.
First of all, the SQL query that @adrian_ritz1 was working on above is to report on file details. You won't see details of *.jar files appearing in your query output unless you have taken steps to configure and run the ndtrack inventory agent across your computers to gather those files.
This data is quite unrelated to recognized installations of log4j applications. I expect the installations you are seeing reported in the UI have been recognized based on installer evidence, not file details. You can see what evidence has been used to recognize a particular installation on a computer by looking in the "Evidence" tab when viewing the computer's inventory device record in the UI.
With that said, most applications that may be exposed to the Log4Shell vulnerability won't have "log4j" in their name: they will be arbitrary applications from other vendors that internally include the log4j component. So while looking at installations that the ARL recognizes of applications that do have "log4j" in their name may be useful as one tactic for assessing your exposure, it is only ever going to be a minor tactic.
Dec 14, 2021 06:40 AM
I supported the idea.
Dec 14, 2021 04:43 AM
Hi, of course libraries can be recognized by their name, but there is also a considerable number of components that are located directly in the *.jar file etc. These data cannot be read by the agent. That's probably the next big challenge, but that's where I don't think the Flexera Agent can help.
Dec 13, 2021 01:53 PM
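An added example, not part of any post in this thread and not Flexera code: one way to get the version the NDI file lacks, and to find log4j copies nested inside other archives, is to open each jar the inventory located and read its Maven `pom.properties` and class list. The marker paths come from the public Apache log4j artifacts; the sample archive, its file names and the version in it are constructed.

```python
import io
import re
import zipfile

# Well-known log4j markers inside a jar (paths from the public Apache artifacts).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(
    r"META-INF/maven/(?:log4j|org\.apache\.logging\.log4j)/(?:log4j|log4j-core)/pom\.properties$")
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(location, version, has_jndi_lookup)] for log4j evidence in a jar given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip/jar; nothing to report
    with zf:
        names = zf.namelist()
        version = None
        for name in names:
            if POM_RE.search(name):
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", text, re.M)
                version = m.group(1) if m else None
        has_jndi = JNDI_CLASS in names
        if version or has_jndi:
            # Shaded/uber jars often drop pom.properties, so version may be unknown.
            findings.append((label, version or "unknown", has_jndi))
        for name in names:  # recurse into nested archives, bounded by max_depth
            if name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return findings


def make_jar(entries):
    """Build an in-memory jar from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a vendor archive whose outer file name never mentions log4j.
CORE = make_jar({
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
        b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    JNDI_CLASS: b"",
})
SAMPLE_WAR = make_jar({"WEB-INF/lib/vendor-logging.jar": CORE, "index.html": b"hi"})
```

To use it on a real file, pass the bytes of a jar path reported by the inventory, for example `scan_archive(open(path, "rb").read(), path)`.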
Maybe one comment: The Managesoft reader has a filter on file extensions implemented:
FROM dbo.SoftwareFileName AS sfn WITH (NOLOCK)
WHERE RIGHT(RTRIM(sfn.Name), 4) IN ('.exe', '.sys', 'sys2', 'wtag', 'ptag', '.lax', 'dtag', '.sig')
If you want to see the results in the FNMSCompliance database, you would need to adapt the reader, too.
Dec 14, 2021 04:44 PM
There's some great discussion on this thread. Thanks everybody! A number of the ideas discussed are now covered in the following post which has just gone out: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite.
Dec 14, 2021 10:45 PM