What I am going to give you is two scripts. The first one (the discovery script) checks the four files on the client machine against your central store to be sure that they match. The second one (the remediation script) copies the files from your central store to the client machine. The contents of the four Java settings/configuration files are up to you.
Steps to set up your configuration item:
- Build a configuration item with a compliance rule of type "Script" and data type "String".
- Copy the scripts into the Discovery Script and Remediation Script areas of your CI. Both scripts are PowerShell.
- Put your Java files in a central place that all of your machine accounts can read (users don't need access, but the machines do).
- Modify the Discovery Script and Remediation Script in your CI and change the CentralFileLocation variable to point to the location of your files.
- Add a compliance rule that evaluates as compliant if the value returned by the script = "True All Java files pass all checks."
- Check the check-box "Run the specified remediation script when this setting is noncompliant".
- Add the CI to a baseline and deploy the baseline to a collection. Be sure that in the deployment you have selected "Remediate noncompliant rules when supported".
Discovery Script:
<#
.Synopsis
Check the files in %windir%\Sun\Java\Deployment against centrally managed files.
.DESCRIPTION
This script is meant to be used in conjunction with the Copy_JavaSettings.ps1 script to
manage Java JRE settings from a central location. This script checks the files on the
local workstation. If the files do not match the central repository then Copy_JavaSettings.ps1
can be used to write the correct files.
It is suggested that the two files be used together in an SCCM configuration item for checking
and automated remediation.
You will need to set $CentralFileLocation to the location of your centrally managed files.
That should be the only change that you need to make to the script. It is suggested that
you use a location in your sysvol as shown in the example.
Success condition will return "True All Java files pass all checks."
Failure conditions will return "False " followed by the reason for failure.
#>
function Check-LocalJavaFolder
{
[OutputType([Boolean],[String])]
$Compliant=$false
$JavaFolderExist=Test-Path $JavaFolder
#write-host ("Checking Java Folder Existence")
if ($JavaFolderExist -eq $true)
{
$Compliant=$true
$Problem="Java Folder Exists in $JavaFolder"
}
else
{
$Compliant=$false
$Problem='Folder %windir%\Sun\Java\Deployment does not exist.'
}
Return $Compliant, $Problem
}
function Check-JavaSettingsFileExist
{
[OutputType([Boolean],[String])]
$Compliant=$false
$DeploymentConfigFileExist=Test-Path $DeploymentConfigFile
$DeploymentPropertiesFileExist=Test-Path $DeploymentPropertiesFile
$ExceptionSitesFileExist=Test-Path $ExceptionSitesFile
$TrustedCertsFileExist=Test-Path $TrustedCertsFile
if ($DeploymentConfigFileExist -ne $true)
{
$Compliant=$false
$Problem="$DeploymentConfigFile does not exist."
Return $Compliant, $Problem
}
if ($DeploymentPropertiesFileExist -ne $true)
{
$Compliant=$false
$Problem="$DeploymentPropertiesFile does not exist."
Return $Compliant, $Problem
}
if ($ExceptionSitesFileExist -ne $true)
{
$Compliant=$false
$Problem="$ExceptionSitesFile does not exist."
Return $Compliant, $Problem
}
if ($TrustedCertsFileExist -ne $true)
{
$Compliant=$false
$Problem="$TrustedCertsFile does not exist."
Return $Compliant, $Problem
}
$Compliant=$true
$Problem='All managed files exist.'
Return $Compliant, $Problem
}
function Check-JavaSettingsFileSizes
{
[OutputType([Boolean],[String])]
$Compliant=$false
$DeploymentConfigFileSize=(Get-Item $CentralDeploymentConfigFile).length
$DeploymentConfigLocalFileSize=(Get-Item $DeploymentConfigFile).Length
if ($DeploymentConfigLocalFileSize -ne $DeploymentConfigFileSize)
{
$Compliant=$false
$Problem="$DeploymentConfigFile file size is not correct."
Return $Compliant, $Problem
}
$DeploymentPropertiesFileSize=(Get-Item $CentralDeploymentPropertiesFile).length
$DeploymentPropertiesLocalFileSize=(Get-Item $DeploymentPropertiesFile).Length
if ($DeploymentPropertiesLocalFileSize -ne $DeploymentPropertiesFileSize)
{
$Compliant=$false
$Problem="$DeploymentPropertiesFile file size is not correct."
Return $Compliant, $Problem
}
$ExceptionSitesFileSize=(Get-Item $CentralExceptionSitesFile).length
$ExceptionSitesLocalFileSize=(Get-Item $ExceptionSitesFile).Length
if ($ExceptionSitesLocalFileSize -ne $ExceptionSitesFileSize)
{
$Compliant=$false
$Problem="$ExceptionSitesFile file size is not correct."
Return $Compliant, $Problem
}
$TrustedCertsFileSize=(Get-Item $CentralTrustedCertsFile).length
$TrustedCertsLocalFileSize=(Get-Item $TrustedCertsFile).Length
if ($TrustedCertsLocalFileSize -ne $TrustedCertsFileSize)
{
$Compliant=$false
$Problem="$TrustedCertsFile file size is not correct."
Return $Compliant, $Problem
}
$Compliant=$true
$Problem='All managed files are correct size.'
Return $Compliant, $Problem
}
function Check-JavaSettingsFileDates
{
[OutputType([Boolean],[String])]
#Compare last-write timestamps (Copy-Item preserves them), not file lengths
$Compliant=$false
$DeploymentConfigFileDate=(Get-Item $CentralDeploymentConfigFile).LastWriteTime
$DeploymentConfigLocalFileDate=(Get-Item $DeploymentConfigFile).LastWriteTime
if ($DeploymentConfigLocalFileDate -ne $DeploymentConfigFileDate)
{
$Compliant=$false
$Problem="$DeploymentConfigFile file date is not correct."
Return $Compliant, $Problem
}
$DeploymentPropertiesFileDate=(Get-Item $CentralDeploymentPropertiesFile).LastWriteTime
$DeploymentPropertiesLocalFileDate=(Get-Item $DeploymentPropertiesFile).LastWriteTime
if ($DeploymentPropertiesLocalFileDate -ne $DeploymentPropertiesFileDate)
{
$Compliant=$false
$Problem="$DeploymentPropertiesFile file date is not correct."
Return $Compliant, $Problem
}
$ExceptionSitesFileDate=(Get-Item $CentralExceptionSitesFile).LastWriteTime
$ExceptionSitesLocalFileDate=(Get-Item $ExceptionSitesFile).LastWriteTime
if ($ExceptionSitesLocalFileDate -ne $ExceptionSitesFileDate)
{
$Compliant=$false
$Problem="$ExceptionSitesFile file date is not correct."
Return $Compliant, $Problem
}
$TrustedCertsFileDate=(Get-Item $CentralTrustedCertsFile).LastWriteTime
$TrustedCertsLocalFileDate=(Get-Item $TrustedCertsFile).LastWriteTime
if ($TrustedCertsLocalFileDate -ne $TrustedCertsFileDate)
{
$Compliant=$false
$Problem="$TrustedCertsFile file date is not correct."
Return $Compliant, $Problem
}
$Compliant=$true
$Problem='All managed files are correct dates.'
Return $Compliant, $Problem
}
$CentralFileLocation="\\domain.com\sysvol\domain.com\Java"
$WindowsFolder=$env:windir
$JavaFolder="$WindowsFolder\Sun\Java\Deployment"
$DeploymentConfigFile=$JavaFolder+"\deployment.config"
$DeploymentPropertiesFile=$JavaFolder+"\deployment.properties"
$ExceptionSitesFile=$JavaFolder+"\exception.sites"
$TrustedCertsFile=$JavaFolder+"\trusted.certs"
$CentralDeploymentConfigFile=$CentralFileLocation+"\deployment.config"
$CentralDeploymentPropertiesFile=$CentralFileLocation+"\deployment.properties"
$CentralExceptionSitesFile=$CentralFileLocation+"\exception.sites"
$CentralTrustedCertsFile=$CentralFileLocation+"\trusted.certs"
$Compliant=$false
$Problem='Compliant'
clear-host
$Compliance=(Check-LocalJavaFolder)
If ($Compliance -match $true)
{
$Compliance=(Check-JavaSettingsFileExist)
}
If ($Compliance -match $true)
{
$Compliance=(Check-JavaSettingsFileSizes)
}
If ($Compliance -match $true)
{
$Compliance=(Check-JavaSettingsFileDates)
}
If ($Compliance -match $true)
{
$Compliance=($true, "All Java files pass all checks.")
write-host $Compliance
}
else
{
write-host $Compliance
}
Remediation Script:
<#
.Synopsis
Copies files used for centralized management of Java JRE from central location to local workstation.
.DESCRIPTION
This script will copy the centrally managed Java config files from a
central repository (defined by $CentralFileLocation) to %windir%\Sun\Java\Deployment.
You will need to set $CentralFileLocation to the location of your centrally managed files.
That should be the only change that you need to make to the script. It is suggested that
you use a location in your sysvol as shown in the example.
#>
$CentralFileLocation="\\domain.com\sysvol\domain.com\Java"
$WindowsFolder=$env:windir
$JavaFolder="$WindowsFolder\Sun\Java\Deployment"
$DeploymentConfigFile=$JavaFolder+"\deployment.config"
$DeploymentPropertiesFile=$JavaFolder+"\deployment.properties"
$ExceptionSitesFile=$JavaFolder+"\exception.sites"
$TrustedCertsFile=$JavaFolder+"\trusted.certs"
$CentralDeploymentConfigFile=$CentralFileLocation+"\deployment.config"
$CentralDeploymentPropertiesFile=$CentralFileLocation+"\deployment.properties"
$CentralExceptionSitesFile=$CentralFileLocation+"\exception.sites"
$CentralTrustedCertsFile=$CentralFileLocation+"\trusted.certs"
#Check first part of path - if it doesn't exist then create it
$JavaFolder="$WindowsFolder\Sun"
$JavaFolderExist=Test-Path $JavaFolder
if ($JavaFolderExist -eq $false) {New-Item $JavaFolder -type directory}
#Check second part of path - if it doesn't exist then create it
$JavaFolder="$WindowsFolder\Sun\Java"
$JavaFolderExist=Test-Path $JavaFolder
if ($JavaFolderExist -eq $false) {New-Item $JavaFolder -type directory}
#Check last part of path - if it doesn't exist then create it
$JavaFolder="$WindowsFolder\Sun\Java\Deployment"
$JavaFolderExist=Test-Path $JavaFolder
if ($JavaFolderExist -eq $false) {New-Item $JavaFolder -type directory}
Clear-Host
#clear any contents that might already be there
Get-ChildItem -Path $JavaFolder -Include *.* -File -Recurse | foreach { $_.Delete()}
#Drop in our configuration files
Copy-Item -path $CentralDeploymentConfigFile -destination $DeploymentConfigFile
Copy-Item -path $CentralDeploymentPropertiesFile -destination $DeploymentPropertiesFile
Copy-Item -path $CentralExceptionSitesFile -destination $ExceptionSitesFile
Copy-Item -path $CentralTrustedCertsFile -destination $TrustedCertsFile
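The discovery script above decides compliance from file size and date, so an edit to exception.sites or trusted.certs that keeps both unchanged would still pass. The following is an added example, not part of the original scripts: a discovery check that compares SHA-256 hashes of the file contents and returns the same compliance strings. It assumes PowerShell 4.0 or later (for Get-FileHash); the function name Test-JavaFileHash is hypothetical.

```powershell
# Added example: content-hash variant of the discovery check (not the author's script).
# Assumes PowerShell 4.0 or later for Get-FileHash; Test-JavaFileHash is a hypothetical name.
$CentralFileLocation = "\\domain.com\sysvol\domain.com\Java"   # same placeholder path as the scripts above
$JavaFolder          = "$env:windir\Sun\Java\Deployment"
$ManagedFiles        = 'deployment.config', 'deployment.properties', 'exception.sites', 'trusted.certs'

function Test-JavaFileHash
{
    param([string]$CentralFolder, [string]$LocalFolder, [string[]]$Names)

    foreach ($Name in $Names)
    {
        $Central = Join-Path $CentralFolder $Name
        $Local   = Join-Path $LocalFolder $Name

        # Report an unreachable central store distinctly instead of as local drift.
        if (-not (Test-Path -LiteralPath $Central -PathType Leaf))
        {
            return "False Central copy $Central is not reachable."
        }
        if (-not (Test-Path -LiteralPath $Local -PathType Leaf))
        {
            return "False $Local does not exist."
        }

        # SHA-256 over the contents catches edits that keep size and timestamp unchanged.
        $CentralHash = (Get-FileHash -LiteralPath $Central -Algorithm SHA256).Hash
        $LocalHash   = (Get-FileHash -LiteralPath $Local -Algorithm SHA256).Hash
        if ($CentralHash -ne $LocalHash)
        {
            return "False $Local content does not match the central copy."
        }
    }
    return "True All Java files pass all checks."
}

# Emit a single string so the CI compliance rule can compare it directly.
Write-Output (Test-JavaFileHash -CentralFolder $CentralFileLocation -LocalFolder $JavaFolder -Names $ManagedFiles)
```

Any result starting with "False" triggers the remediation script, which deletes the local files before it copies, so the remediation script should make the same reachability check on the central files before it deletes anything.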