Looking for RH and 3rd party software inventory application

I need to inventory the applications running on thousands of RHEL nodes. They can be RH or 3rd party applications. Is there a native RH or third party tool that can do this? Thank you.

Responses

Hi Dion,

I was involved in many places trying to deal with the same problem.

Your question is not clear about what the exact goal is:

a) To audit licensed applications, or b) Just document whatever runs on the server.

The short answer: if the third-party applications were RPM based - it would not be that difficult to audit them.

If the applications were installed ad hoc (via tar archives, shell scripts, and so on), the chance is no off-the-shelf software will help you without extra work.

In most places, we resorted to running our own scripts that can document applications we ran. Even documenting Java versions is fun :)

By the way, here is how I quickly get the details of Oracle, IBM, or OpenJDK installed:

for jc in $(find / -fstype 'ext4,ext3,xfs,gpfs' -prune -o -type d \( -path '*jdk*/bin' -o -path '*jre*/bin' \))
do
  if [ -f "$jc/java" ]
  then
    echo -n "$jc/java;"; "$jc/java" -version 2>&1 | tr '\n' ';'
    echo
  fi
done

Regards,

Dusan Baljevic (amateur radio VK2COT)

On systems with large automount maps or huge file systems this find takes ages to complete. I will add heuristics to SCC by searching the process list for /java and preserve the existing paths for subsequent runs.

Please be aware of the security risk you run with this code. I created an executable jdk/bin/java script and it was executed by the above code.

Hi Dion,

Please have a look at System Configuration Collector (SCC) at https://sourceforge.net/projects/sysconfcollect/ and examples of collected data at http://sysconfcollect.sourceforge.net/examples/scc-summary-sys.html

Regards, Siem

Hi,

Siem showed a very nice tool, SCC, which works well for documenting server status (including applications). I used it many times.

Alas, as I mentioned before, it fails to document non-RPM based applications. I just tested it again on a server which runs Pivotal tcServer and Oracle WebLogic (installed without RPMs). SCC could not pick them up. In addition, Oracle Java version which was installed under Oracle WebLogic was also not picked up by SCC...

In an ideal world, nobody should install applications without proper packaging (RPM for RHEL). But we do not live in an ideal world and none of us manage the whole world :)

Regards,

Dusan Baljevic (amateur radio VK2COT)

Besides documenting systems, detecting and recording changes of the configuration in a logbook is also an important feature of SCC that is being used by auditors and by administrators.

SCC indeed does have limited heuristics for applications not being installed via rpm's or packages. Please feel free to send suggestions for additional heuristics to https://sourceforge.net/p/sysconfcollect/discussion/

Siem. Thank you for the link, that application looks pretty cool. Dusan, thanks for the tip about non-conventional applications, I'll keep that in mind and for the script. Very useful stuff.

Dusan, I'm looking to record licensed/unlicensed applications and anything else running.

Hi Dion,

A lot of third-party software is licensed through entitlements without the actual "keys". So, on the servers, you really do not know if you are licensed or not. You need to audit if the application runs, then check what features the application uses, then compare against your contractual obligations and rights... Nightmare!

Very real examples: Oracle WebLogic, IBM MQ, Pivotal tcServer, and so on.

Oracle products are notorious for catching customers using software without proper licensing. To make things worse, their audits are complex and almost impossible through simple tools...

Regards,

Dusan Baljevic (amateur radio VK2COT)

Hi,

Siem gave me a good point to clarify for everyone.

This piece of code was just an illustration and would normally add extra checks for verification if java is a real executable or possibly a script:

for jc in $(find / -fstype 'ext4,ext3,xfs,gpfs,gfs' -prune -o -type d \( -path '*jdk*/bin' -o -path '*jre*/bin' \))
do
  if [ -f "$jc/java" ]
  then
    ISBINARY="$(file -bL --mime "$jc/java" | grep -Ei binary)"
    if [ "$ISBINARY" != "" ]
    then
      echo -n "$jc/java;"; "$jc/java" -version 2>&1 | tr '\n' ';'
      echo
    fi
  fi
done

In fact, some installations of Java already have shell scripts:

$ file --mime-encoding /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.231-2.6.19.2.el7_7.x86_64/jre/bin/java
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.231-2.6.19.2.el7_7.x86_64/jre/bin/java: us-ascii

Regards,

Dusan Baljevic (amateur radio VK2COT)

Hi Dusan,

The check for a binary will not help much.

$ cat java.c
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[])
{
        printf( "java version 1.2.3.4\n" );
        system( "echo my_payload" );
        return 0;
}
$ gcc java.c -o java
$ file -bL --mime ./java
application/x-executable; charset=binary
$ ./java
java version 1.2.3.4
my_payload
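
Added example (not code from any poster in this thread): one way to collect Java versions without executing the files the search finds, which is the risk raised above. It reads the `release` file that JDK/JRE distributions normally place in their home directory (an assumption; installs without it are reported as `unknown`) and flags `java` files whose owner or mode would let another user replace them. The function names and the `TRUSTED_UID` variable are this example's own, and `stat -c` assumes GNU coreutils as on RHEL.

```shell
#!/bin/sh
# Added example: inventory Java installs without executing anything found.
# TRUSTED_UID is an assumption of this sketch (0 = root on a real server).
TRUSTED_UID="${TRUSTED_UID:-0}"

# Print JAVA_VERSION from <java_home>/release. The file is parsed as text
# with sed, never sourced, so its content cannot run as shell code.
java_version_from_release() {
    [ -f "$1/release" ] || return 1
    sed -n 's/^JAVA_VERSION="\([^"]*\)".*/\1/p' "$1/release" | head -n 1
}

# Succeed only if $1 is owned by TRUSTED_UID and not group/other writable.
is_trusted_path() {
    meta=$(stat -c '%u %a' "$1" 2>/dev/null) || return 1
    uid=${meta% *}
    mode=${meta#* }
    [ "$uid" = "$TRUSTED_UID" ] || return 1
    # Octal digits 2, 3, 6 and 7 carry the write bit; check other, then group.
    case "$mode" in
        *[2367]|*[2367]?) return 1 ;;
    esac
    return 0
}

# Emit one "path;version;trust" line per candidate bin directory under $1.
# Usage on a server (as root): inventory_java /
inventory_java() {
    find "$1" -type d \( -path '*jdk*/bin' -o -path '*jre*/bin' \) 2>/dev/null |
    while IFS= read -r bindir; do
        [ -f "$bindir/java" ] || continue
        home=${bindir%/bin}
        version=$(java_version_from_release "$home") || version=""
        [ -n "$version" ] || version="unknown"
        if is_trusted_path "$bindir/java" && is_trusted_path "$bindir"; then
            trust="trusted-owner"
        else
            trust="UNTRUSTED-owner-or-mode"
        fi
        printf '%s;%s;%s\n' "$bindir/java" "$version" "$trust"
    done
}
```

Lines marked `UNTRUSTED-owner-or-mode` are the ones to review by hand; the check covers only the file and its `bin` directory, not every parent directory.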

Hi Siem,

Point taken, however:

Advanced Intrusion Detection Environment (AIDE), Tripwire, and Linux Audit should be set up on each decent server :) So, if somebody plants an unauthorised program or tool, the IDE will help.

The job of the simple audit of applications is not to worry about it :)

Coincidentally, the strata agency that manages my building got hit by ransomware via RDP on their Windows server. They did not have a choice but to pay the ransom in bitcoins. Allegedly, they did not detect the break-in for two weeks and by that time it was too late to protect the servers on the local network...

Regards,

Dusan Baljevic (amateur radio VK2COT)