feat(ssi): Add JMXFetch to denylist

DataDog · Nov 18, 2024 · 8042830 · 8042830
1 parent f3f2b15
commit 8042830
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 0 deletions.
diff --git a/metadata/denied-arguments.tsv b/metadata/denied-arguments.tsv
@@ -26,6 +26,9 @@ apache_solr8_start              -Dsolr.solr.home=*
 apache_solr8_stop               *solr/server/start.jar                              Skip Apache Solr 8 stop using path to jar
 apache_solr8_tools              org.apache.solr.util.SolrCLI                        Skip Apache Solr 8 CLI tools
 
+# DataDog JMXFetch
+datadog_jmxfetch                org.datadog.jmxfetch.App                            Skip DataDog JMXFetch
+
 # Elastic Search 7+
 elasticsearch7                  -Des.path.home=*                                    Skip Elastic Search 7+ commands
 

diff --git a/metadata/requirements-block.json b/metadata/requirements-block.json
@@ -197,5 +197,46 @@
             "arch": "x64",
             "libc": "glibc:2.17"
         }
+    },
+    {
+        "name": "should block JMXFetch instance from DataDog Agent",
+        "filepath": "/opt/java/openjdk/bin/java",
+        "args": [
+            "java",
+            "-Djdk.attach.allowAttachSelf=true",
+            "-XX:+UseContainerSupport",
+            "-XX:MaxRAMPercentage=25.0000",
+            "-classpath",
+            "/opt/datadog-agent/bin/agent/dist/jmx/jmxfetch.jar",
+            "org.datadog.jmxfetch.App",
+            "--ipc_host",
+            "localhost",
+            "--ipc_port",
+            "5001",
+            "--check_period",
+            "15000",
+            "--thread_pool_size",
+            "3",
+            "--collection_timeout",
+            "60",
+            "--reconnection_timeout",
+            "60",
+            "--reconnection_thread_pool_size",
+            "3",
+            "--log_level",
+            "INFO",
+            "--reporter",
+            "statsd:unix:///var/run/datadog/statsd.sock",
+            "--statsd_queue_size",
+            "4096",
+            "--jmxfetch_telemetry",
+            "collect"
+        ],
+        "envars": [],
+        "host": {
+            "os": "linux",
+            "arch": "x64",
+            "libc": "glibc:2.17"
+        }
     }
 ]
diff --git a/metadata/requirements.json b/metadata/requirements.json
@@ -303,6 +303,23 @@
       ],
       "envars": null
     },
+    {
+      "id": "datadog_jmxfetch",
+      "description": "Skip DataDog JMXFetch",
+      "os": null,
+      "cmds": [
+        "**/java"
+      ],
+      "args": [
+        {
+          "args": [
+            "org.datadog.jmxfetch.App"
+          ],
+          "position": null
+        }
+      ],
+      "envars": null
+    },
     {
       "id": "elasticsearch7",
       "description": "Skip Elastic Search 7+ commands",