From 7518ef54c9e6da5cc08d78e44e7e547c31c85f43 Mon Sep 17 00:00:00 2001 From: Brice Dutheil Date: Fri, 30 May 2025 19:39:08 +0200 Subject: [PATCH 1/3] Deny Oracle Database JVM based tools APMS-16000 --- metadata/requirements.json | 119 +++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) diff --git a/metadata/requirements.json b/metadata/requirements.json index 39c7868f035..bd026b9c814 100644 --- a/metadata/requirements.json +++ b/metadata/requirements.json 
@@ -201,6 +201,125 @@ ], "envars": null }, + { + "id": "oracle_dbca", + "description": "Skip Oracle Database Configuration Assistant", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.assistants.dbca.driver.DBConfigurator" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_dbua", + "description": "Skip Oracle Database Upgrade Assistant", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.assistants.dbua.driver.StartDBUA" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_emca", + "description": "Skip Oracle Enterprise Manager Configuration Assistant", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.sysman.assistants.emca.sdkimpl.EMConfigAssistant" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_invctl", + "description": "Skip Oracle Inventory Control", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.install.common.endpoints.cli.CliExecutor" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_netca", + "description": "Skip Oracle Net Configuration Assistant", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.net.ca.NetCA" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_rconfig", + "description": "Skip Oracle RAC Converter", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.sysman.assistants.rconfig.RConfig" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_roohctl", + "description": "Skip Oracle Read-Only Oracle Home Control", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.assistants.roohctl.RoohCtl" + ], + "position": null + } + ], + "envars": null + }, { "id": "apache_lucene8_luke", "description": "Skip Lucene 8 Luke", From 8e7a6e166984313af0028a23a2930c147ed70726 Mon Sep 17 00:00:00 2001 
From: Brice Dutheil Date: Mon, 2 Jun 2025 14:53:23 +0200 Subject: [PATCH 2/3] Deny Additional Oracle Database JVM based tools APMS-16000 --- metadata/requirements.json | 85 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/metadata/requirements.json b/metadata/requirements.json index bd026b9c814..1d02d566a99 100644 --- a/metadata/requirements.json +++ b/metadata/requirements.json @@ -320,6 +320,91 @@ ], "envars": null }, + { + "id": "oracle_srvctl", + "description": "Skip Oracle Server Control Utility", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.ops.opsctl.OPSCTLDriver" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_diagsetup", + "description": "Skip Oracle Setup Diagnostic Tool", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.diagfw.adr.diagsetup.DiagSetup" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_ldifmigrator", + "description": "Skip Oracle LDIF Migration Tool", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.ldap.util.LDIFMigration" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_trcasst", + "description": "Skip Oracle Trace Assistant", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.net.trcasst.Jtrcasst" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "oracle_trcsess", + "description": "Skip Oracle Session Tracer", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "oracle.ss.tools.trcsess.TrcSess" + ], + "position": null + } + ], + "envars": null + }, { "id": "apache_lucene8_luke", "description": "Skip Lucene 8 Luke", From ff1ba8eb0c66c9e138b2da485ca93ef03fddd63d Mon Sep 17 00:00:00 2001 
From: Brice Dutheil Date: Tue, 3 Jun 2025 10:31:43 +0200 Subject: [PATCH 3/3] Updates deny arguments file for Oracle DB JVM based tools APMS-16000 --- metadata/README.md | 16 ++++++++++++++++ metadata/denied-arguments.tsv | 14 ++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 metadata/README.md diff --git a/metadata/README.md b/metadata/README.md new file mode 100644 index 00000000000..777ef7d334c --- /dev/null +++ b/metadata/README.md @@ -0,0 +1,16 @@ +# SSI injection metadata + +## Adding a new deny metadata. + +1. Adding or updating denied Java process metadata in order to avoid enabling the tracer is done by editing + the following files : + + * `base-requirements.json` + * `denied-arguments.tsv` + * `denied-environment-variables.tsv` + +2. Then run the following command to build/update the `requirements.json` file: + + ```bash + ./build-requirements.sh + ``` diff --git a/metadata/denied-arguments.tsv b/metadata/denied-arguments.tsv index 2309ddb2b52..48b6602c971 100644 --- a/metadata/denied-arguments.tsv +++ b/metadata/denied-arguments.tsv 
@@ -14,6 +14,20 @@ apache_cassandra_sstableupgrade org.apache.cassandra.tools.StandaloneUpgrader apache_cassandra_sstableutil org.apache.cassandra.tools.StandaloneSSTableUtil Skip Apache Cassandra sstableutil apache_cassandra_sstableverify org.apache.cassandra.tools.StandaloneVerifier Skip Apache Cassandra sstableverify +# Oracle Database JVM based tools +oracle_dbca oracle.assistants.dbca.driver.DBConfigurator Skip Oracle Database Configuration Assistant +oracle_dbua oracle.assistants.dbua.driver.StartDBUA Skip Oracle Database Upgrade Assistant +oracle_emca oracle.sysman.assistants.emca.sdkimpl.EMConfigAssistant Skip Oracle Enterprise Manager Configuration Assistant +oracle_invctl oracle.install.common.endpoints.cli.CliExecutor Skip Oracle Inventory Control +oracle_netca oracle.net.ca.NetCA Skip Oracle Net Configuration Assistant +oracle_rconfig oracle.sysman.assistants.rconfig.RConfig Skip Oracle RAC Converter +oracle_roohctl oracle.assistants.roohctl.RoohCtl Skip Oracle Read-Only Oracle Home Control +oracle_srvctl oracle.ops.opsctl.OPSCTLDriver Skip Oracle Server Control Utility +oracle_diagsetup oracle.diagfw.adr.diagsetup.DiagSetup Skip Oracle Setup Diagnostic Tool +oracle_ldifmigrator oracle.ldap.util.LDIFMigration Skip Oracle LDIF Migration Tool +oracle_trcasst oracle.net.trcasst.Jtrcasst Skip Oracle Trace Assistant +oracle_trcsess oracle.ss.tools.trcsess.TrcSess Skip Oracle Session Tracer + # Apache Lucene apache_lucene8_luke org.apache.lucene.luke.app.desktop.LukeMain Skip Lucene 8 Luke apache_lucene9_luke org.apache.lucene.luke Skip Apache Netbeans
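Review bot: The `oracle_invctl` row keys on `oracle.install.common.endpoints.cli.CliExecutor`, which by its package and name looks like a generic installer CLI entry point, not a class specific to inventory control. If other Oracle installer commands start through the same class, tracer injection is skipped for them too, under an id and description that mention only invctl. Please confirm which tools launch through it and, if it is shared, name the row for what it covers, e.g. `oracle_install_cli` with `Skip Oracle installer CLI tools`. The entries in `requirements.json` built from these rows (patches 1/3 and 2/3) carry `"position": null`, which presumably matches the class name at any argument position of a `**/java` command. A comment above the group such as `# matched anywhere in the java argument list, not only as the main class` would make clear that each row switches instrumentation off for every process whose arguments contain that string.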