Metric Extensions allow you to extend monitoring for a target type by adding new metrics. A Metric Extension (ME) can also be any OS command, used to enhance OS monitoring.
Depending on your security requirements, this feature can be a risk, especially if the Enterprise Manager is managed by another department or, for example, by someone outside your organization.
Note: Oracle does not provide a supported solution to block this feature on the agent side. There is an enhancement request (ENH 33180077 – ME$ execution restriction at Agent level) to implement this in future releases (I hope they will do it…).
Execute OS commands without credentials
You don’t even have to actually deploy the Metric Extension to the host target. It is enough to create a new Metric Extension and execute the test run against the target to attack. The script is executed with the default monitoring credentials (normally the oracle user) and with that user's permissions on the OS.
The procedure to create Metric Extensions is well known, so I will not explain it in detail here.
Block this feature on agent level
To minimize the risk, you can block this feature at agent level, either for all target types or for individual target types only.
Note: This approach should be tested for possible side effects before you use it in your production environment.
Block Metric Extensions for all target types
By deleting the whole directory used as the library for the MEs, OEM is no longer able to persist MEs on disk and the deployment fails (OEM does not show an error message during the deployment). To ensure that no update or automatic process is able to undo this block, create the directory as root.
$> rm -rf {{AGENT_BASE}}/agent_inst/sysman/emd/metricExtLib
$> mkdir {{AGENT_BASE}}/agent_inst/sysman/emd/metricExtLib
Block Metric Extensions for specific target type(s) only
This example blocks the feature for the target type host only. You can adapt it for any other target type.
$> rm -rf {{AGENT_BASE}}/agent_inst/sysman/emd/metricExtLib/host
$> mkdir {{AGENT_BASE}}/agent_inst/sysman/emd/metricExtLib/host
As the oracle user will not be able to delete a directory owned by root, the directory must be removed manually when the agent is decommissioned.
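To notice when an update or automatic process has undone the block, the state of the blocker directory can be checked regularly. The script below is an added example, not part of the original post and not Oracle tooling; the function name check_me_block is hypothetical, the directory is passed as an argument, and the optional second argument only exists so the check can be tried out without root.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Verifies that the blocker directory
# created as root is still in place.

# check_me_block DIR [EXPECTED_UID]
# Returns 0 when DIR is a real, empty directory owned by EXPECTED_UID
# (default 0 = root) without group/other write bits; otherwise prints
# the reason and returns 1.
check_me_block() {
    dir=$1
    want_uid=${2:-0}

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"
        return 1
    fi

    # "ls -ldn" prints the mode string and the numeric owner: drwxr-xr-x 2 0 0 ...
    meta=$(ls -ldn "$dir" | awk '{print $1, $3}')
    mode=${meta% *}
    uid=${meta#* }

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid"
        return 1
    fi

    # Characters 6 and 9 of the mode string are the group and other write bits.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: $dir is group- or world-writable ($mode)"
            return 1 ;;
    esac

    # A readable, empty directory means no Metric Extension was persisted.
    if ! entries=$(ls -A "$dir" 2>/dev/null) || [ -n "$entries" ]; then
        echo "FAIL: $dir is unreadable or not empty"
        return 1
    fi

    echo "OK: $dir is empty, owned by uid $uid, mode $mode"
}

# Check every path given on the command line, e.g. .../emd/metricExtLib
for path in "$@"; do
    check_me_block "$path" || exit 1
done
```

Pass the metricExtLib directory (or metricExtLib/host for the per-target-type variant) as the argument; a FAIL line means the directory was removed, re-created by another user, or is being written to again.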
Test
A short test with a new Metric Extension shows that the feature is no longer working. -> success 🙂
OEM allows you to deploy the Metric Extension even though the agent is unable to save it on disk. An attempt to get the results manually under "All Metrics" shows the expected error: