Wednesday, September 28, 2016

Latest Scripts for finding Java


I have in the past posted my script for finding instances of Java on the servers I manage. I have since updated the script I posted on this blog. You can still see the old script on this blog under the title "Checking Java Versions Remotely". My method of finding all the versions of Java on all the servers consists of running two scripts. One script, called check-java, acts as a manager for the other script and gathers all the data into a nice report. The other script, called stig-java, does the actual work of finding Java on the target system.

In order for this script to work you will need to set up your SSH clients for auto login. If you don't know how to do this, please refer to my post How to setup SSH Keys. This script doesn't need the automount in order to work.

What the scripts do

First off, you need to put both scripts in the same location. I put the scripts in the home directory in a folder called scripts. The main script, check-java, copies the stig-java script to /tmp on all the servers. It then logs into all the servers, one at a time, runs the stig-java script and sends the output to a file with the server's name. The check-java script then deletes stig-java from /tmp on all the servers. All those output files are then combined into a single file with extra lines removed.

The scripts have been tested on Solaris 10, Red Hat 5 & 6 (RHEL) and SLES 11 and they work fine. On the Mac the colors don't work.


The check-java script
#!/bin/bash
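# This script is for running the stig-java script on the servers.
# Run it from ~/scripts: the host list files (COOP, SOL, SLES, ACAS, RHEL, TD)
# and the stig-java scripts are read relative to the current directory.
# Arguments 1-6 are version suffixes used by the egrep at the end of the script.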

SP=$(uname -n)

### Copy files section
echo -e "\e[1m Copying files \033[0m"
for host in $(cat COOP SOL SLES )
  do if  [ "$host" == "$SP" ]
        then cp ~/scripts/stig-java /tmp/stig-java 2>/dev/null
        else scp -q stig-java $host:/tmp &>/dev/null
     fi
done
for host in $(cat ACAS RHEL)
do scp -q stig-java $host:/var/tmp
done
for host in $(cat TD)
do scp -q stig-java3 $host:/tmp &>/dev/null
done
echo -e "\e[1m                 Done copying files \033[0m \n"

### Running the stig-java script section
echo -e "\e[1mLooking for Java on Solaris Servers\033[0m "
echo "-------------------------------------------------"
for s in $(cat COOP SOL)
do echo -e "Checking $s "
ssh -qt $s /usr/local/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sol/$s
done
echo -e "\n\e[1mLooking Java on RHEL Servers\033[0m "
echo "-------------------------------------------------"
for r in $(cat ACAS RHEL)
do echo -e "Checking $r "
ssh -qt $r /usr/bin/sudo ~/scripts/stig-java &> ~/scripts/outputJ/rhel/$r || ssh -qt $r /usr/bin/sudo /var/tmp/stig-java &> ~/scripts/outputJ/rhel/$r
done
echo -e "\n\e[1mLooking Java on SLES Servers \033[0m "
echo "------------------------------------------------"
for l in $(cat SLES)
do echo -e "Checking $l "
  if [ $l == $SP ]
    then sudo ~/scripts/stig-java &> ~/scripts/outputJ/sles/$SP
    else
ssh -qt $l /usr/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sles/$l || ssh -q $l /usr/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sles/$l
  fi
done
echo -e "\n\e[1mLooking Java on Teradata Servers \033[0m "
echo "------------------------------------------------"
for t in $(cat TD)
do echo -e "Checking $t "
ssh -qt $t /usr/bin/sudo /tmp/stig-java3 &> ~/scripts/outputJ/td/$t || ssh -q $t /usr/bin/sudo /tmp/stig-java3 &> ~/scripts/outputJ/td/$t
ssh -q $t rm /tmp/stig-java3
done

# Clean Up
echo "Deleting tmp files"
for host in $(cat COOP SOL ACAS RHEL SLES)
do if [ "$host" == "$SP" ]
then rm /tmp/stig-java 2>/dev/null
else
ssh -q $host rm /tmp/stig-java 2>/dev/null ||ssh -q $host rm /var/tmp/stig-java
   fi
done
echo " "

# Finishing up
cat ~/scripts/outputJ/sol/*  > ~/scripts/outputJ/solM
cat ~/scripts/outputJ/rhel/*  > ~/scripts/outputJ/rhelM
cat ~/scripts/outputJ/sles/*  > ~/scripts/outputJ/slesM
cat ~/scripts/outputJ/td/*  > ~/scripts/outputJ/tdM

echo -e "\e[1m ------------------------ Solaris Servers -------------------------  \033[0m\n" > ~/scripts/outputJ/output
cat ~/scripts/outputJ/solM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ RHEL Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/rhelM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ SLES Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/slesM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ Teradata Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/tdM >> ~/scripts/outputJ/output

# Hide report lines that match the version suffixes given as arguments 1-6.
egrep -v "(1.8.0_${1}|1.7.0_${2}|1.6.0_${3}|1.8.0.${4}|1.7.0.${5}|1.6.0.${6})" outputJ/output|more

The stig-java script
#!/bin/bash
# This script is for finding versions of Java on a server.
#
DATE=$(date)
echo -e "\e[1;34m <<<<<<<<<<<<<<<<<<<< $(uname -n)  >>>>>>>>>>>>>>>>>>>\e[0m "
echo -e "Last scanned on $DATE"

### Find Java Section
for s in $(find / \( -name '10_Recommended*' -o -name scratch -o -name zones -o -name mnt \) -prune -o -type f -name java -print 2>/dev/null)
do ee=$($s -fullversion 2>&1 |awk '{print $4}' )
echo -e "\e[1m$ee\e[0m \t $s"
done
echo " "
### Find Packages Section
if [ SunOS == $(uname -s) ]
  then if [[ -z $(pkginfo |grep 'SUNWj[3-8]') ]]
then echo -e "\e[1mNo Java packages found\e[0m"
else echo -e "\e[1mPackages found:\e[0m \n$( pkginfo |grep 'SUNWj[3-8]')"
fi
  else if [[ -z $( rpm -qa |grep -v SYMC|egrep '(jdk|jre)' ) ]]
 then echo -e "\e[1mNo Java packages found\e[0m"
 else echo -e "\e[1mPackages found:\e[0m \n$( rpm -qa |grep -v SYMC|egrep '(jdk|jre)' )"
        fi
fi
### Find Directories Section
if [ SunOS != $(uname -s) ]
 then DF=$( ls -d /usr/java/j*  2>/dev/null )
if [[ -n $DF ]]
  then echo -e "\e[1mDirectories found:\e[0m\n$DF" 2>/dev/null
else echo -e  "\e[1mNo directories found\e[0m"
fi
fi

### STIG Java Check List Section
if [ -e /usr/java ]
   then JCKL="Passed Java Check List"
       if [ -e  /usr/java/jre/lib/deployment.properties ] &>/dev/null
           then grep deployment.security.askgrantdialog.notinca=false /usr/java/jre/lib/deployment.properties &>/dev/null || JCKL="\e[1;31mFailed Java Check List\e[0m"
                grep deployment.security.askgrantdialog.notinca.locked /usr/java/jre/lib/deployment.properties &>/dev/null || JCKL="\e[1;31mFailed Java Check List\e[0m"
                grep deployment.security.validation.crl=true /usr/java/jre/lib/deployment.properties &>/dev/null || JCKL="\e[1;31mFailed Java Check List\e[0m"
                grep deployment.security.validation.crl.locked /usr/java/jre/lib/deployment.properties &>/dev/null || JCKL="\e[1;31mFailed Java Check List\e[0m"
                grep deployment.security.validation.ocsp=true /usr/java/jre/lib/deployment.properties &>/dev/null || JCKL="\e[1;31mFailed Java Check List\e[0m"
                grep deployment.security.validation.ocsp.locked /usr/java/jre/lib/deployment.properties &>/dev/null || JCKL="\e[1;31mFailed Java Check List\033[0m"
           else JCKL="\e[1;31mFailed Java Check List\e[0m"
        fi
        if [ -e  /usr/java/jre/lib/deployment.config ] &>/dev/null #JRE0070 V-32901 CAT II
           then grep deployment.system.config=file:/usr/java/jre/lib/deployment.properties /usr/java/jre/lib/deployment.config &>/dev/null || JCKL="\e[1;31mFailed Java Check List\e[0m"
                grep deployment.system.config.mandatory=false /usr/java/jre/lib/deployment.config &>/dev/null || JCKL="\e[1;31mFailed Java Check List\e[0m"
           else JCKL="\e[1;31mFailed Java Check List\e[0m"
        fi
   else echo -e "\e[1;34mNo System Java from Oracle Found \e[0m"
fi
echo -e "\e[1m$JCKL \e[0m"
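
The STIG section above uses plain grep, which matches substrings, so a commented-out line such as #deployment.security.validation.crl=true still counts as a pass. The following is an added example, not part of the original scripts: it checks the same deployment.properties settings against active lines only and names each missing one. The names REQUIRED, has_setting and missing_settings and the sample file are made up for this illustration.

```shell
#!/bin/sh
# Added example, not the blog's code: list the STIG settings a file is missing.

# Settings stig-java greps for in deployment.properties. An entry without
# "=value" (the .locked keys) only has to be present as a key.
REQUIRED='deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked'

# has_setting FILE SETTING: succeed only if an active line sets SETTING.
has_setting() {
    awk -v want="$2" '
        /^[ \t]*[#!]/ { next }                    # Java properties comment lines
        {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)   # trim; drop CR from DOS files
            sub(/[ \t]*=[ \t]*/, "=", line)       # "key = value" -> "key=value"
            key = line; sub(/=.*/, "", key)
            if (index(want, "=") ? (line == want) : (key == want)) found = 1
        }
        END { exit !found }
    ' "$1"
}

# missing_settings FILE: print each missing setting; status 1 if any is missing.
missing_settings() {
    rc=0
    for want in $REQUIRED; do
        has_setting "$1" "$want" || { echo "$want"; rc=1; }
    done
    return $rc
}

# Constructed sample: the CRL setting is commented out, so it is not in effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
#deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp = true
deployment.security.validation.ocsp.locked
EOF
echo "Missing settings:"; missing_settings "$sample" || echo "=> Failed Java Check List"
rm -f "$sample"
```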

This other script is used on the systems with spaces in the path
Put contents of files here
<<<<<<<<<<<<<<<<<<<< Linux server name  >>>>>>>>>>>>>>>>>>>
Last scanned on Thu Sep 29 13:17:30 GMT 2016
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/bin/java
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/jre/bin/java

Linux packages:
 java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8.x86_64
java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8.x86_64
jdk1.8.0_101-1.8.0_101-fcs.x86_64 )
Directories found:
/usr/java/jdk1.8.0_101
Failed Java Check List
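
The script for paths with spaces is not shown on this page. As an added example (not the author's stig-java3), here is one way to write the discovery loop so that paths with spaces survive, and so that a run under sudo only executes a file named java when it is owned by a trusted account and not writable by group or others. TRUSTED_OWNER, scan_java and make_sample_tree are names made up here, and root ownership of real Java installs is an assumption.

```shell
#!/bin/sh
# Added example, not the blog's script: the same discovery with two safeguards.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}   # assumption: real JDK/JRE installs are root-owned

# scan_java ROOT: print "<version><TAB><path>" for every file named java under ROOT.
scan_java() {
    find "$1" \( -name '10_Recommended*' -o -name scratch -o -name zones -o -name mnt \) \
        -prune -o -type f -name java -print 2>/dev/null |
    while IFS= read -r bin; do      # one path per line, so spaces in paths survive
        # Run the file only if it has the trusted owner and is not writable by
        # group or others. A find error leaves $ok empty, so the file is skipped.
        ok=$(find "$bin" -prune -user "$TRUSTED_OWNER" ! -perm -020 ! -perm -002 -print 2>/dev/null)
        if [ -n "$ok" ]; then
            ver=$("$bin" -fullversion 2>&1 </dev/null | awk '{print $4}')
            printf '%s\t%s\n' "$ver" "$bin"
        else
            printf 'SKIPPED (untrusted owner or mode)\t%s\n' "$bin"
        fi
    done
}

# make_sample_tree DIR: constructed tree with stand-in "java" scripts for a dry run.
make_sample_tree() {
    mkdir -p "$1/opt/my app/bin" "$1/home/dev" "$1/mnt/nfs"
    for d in "$1/opt/my app/bin" "$1/home/dev" "$1/mnt/nfs"; do
        printf '%s\n' '#!/bin/sh' "echo 'java full version \"1.8.0_101-b13\"' >&2" > "$d/java"
        chmod 755 "$d/java"
    done
    chmod 777 "$1/home/dev/java"    # world-writable copy: reported, never executed
}

# Scan only when a start directory is given, for example: ./scan-java /usr
if [ $# -gt 0 ]; then scan_java "$1"; fi
```

The check looks at the file itself only; the permissions of its parent directories are not examined.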

Example output
root@earth> ./check-java
<<<<<<<<<<<<<<<<<<<< Linux server name  >>>>>>>>>>>>>>>>>>>
Last scanned on Thu Sep 29 13:17:30 GMT 2016
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/bin/java
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/jre/bin/java

Linux packages:
 java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8.x86_64
java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8.x86_64
jdk1.8.0_101-1.8.0_101-fcs.x86_64 )
Directories found:
/usr/java/jdk1.8.0_101
Passed Java Check List


Let me know if this script is helpful in any way. If you need more details or have questions, let me know by posting below.
