Jamf Nation Community

A-bomb · ‎04-04-2024

Hello!

I need a hand writing an Extension Attribute script to gather "Reason for privilege elevation".

The below command works in Terminal directly on a Mac running macOS 14 to gather the info but I don't know how to then parse it into a script for an Extension Attribute. The text in bold is what I want to gather. An endless running list of reasons would be ideal. Any help would be much appreciated 😊

sudo log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:"

Result:

2024-04-04 10:09:22.221 Df Jamf Connect[55703:31aeb0] [com.jamf.connect:PrivilegeElevation] Reason for privilege elevation: Admin elevation test 1

2024-04-04 10:18:37.006 Df Jamf Connect[55703:31aeb0] [com.jamf.connect:PrivilegeElevation] Reason for privilege elevation: Figma install

dennisnardi · ‎04-04-2024

I wrote an extension attribute that looks at the log that is generated at /Library/Logs/JamfConnect/UserElevationReasons.log and will pull the 3 most recent times & reasons. The log is in GMT, so my EA converts the time into Eastern time. My EA is below:

#!/bin/zsh
  
# Path to the log file
log_file="/Library/Logs/JamfConnect/UserElevationReasons.log"
  
# Check if the log file exists
if [ ! -f "$log_file" ]; then
    # If the log file doesn't exist, output a specific message for the extension attribute
    echo "<result>No Jamf Connect privilege elevations</result>"
    exit 0
fi
  
# Get the most recent 3 entries from the log file
latest_log_entries=$(tail -n 3 "$log_file")
  
# Begin the result string
recent_times="<result>\n"
  
# Process each log entry
echo "$latest_log_entries" | while read log_entry; do
    # Extract the date/time from the log entry
    gmt_date=$(echo $log_entry | awk '{print $1, $2}')
  
    # Convert GMT to Eastern Time
    eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-5H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
  
    # Check if Daylight Saving Time is in effect
    daylight_saving=$(date -v"-5H" -jf "%Y-%m-%d %H:%M:%S" "$gmt_date" "+%Z")
  
    if [ "$daylight_saving" = "EDT" ]; then
        eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-4H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
    fi
  
    # Extract the user information from the log entry
    user_info=$(echo $log_entry | cut -d ' ' -f4-)
  
    # Append the date/time and user information to the result string
    recent_times+="$eastern_date $user_info\n"
done
  
# End the result string
recent_times+="</result>"
  
# Output for Jamf Pro extension attribute
echo -e "$recent_times"

And that looks like the following in Jamf:

View solution in original post

Steven_Xu · ‎05-20-2024

#!/bin/bash

# cat elevation log
logs=$(cat /Library/Logs/JamfConnect/UserElevationReasons.log)

echo "<result>$logs</result>"

This script can be used in the EA to collect the elevation log. but the timezone is UTC+0.

View solution in original post

jamf-42 · ‎04-04-2024

ive not delved into this, but is this really the way its designed, that you have to pull the text via a grep from a 'log show' ... an EA will only be populated on each recon.. when-ever that is.. so that could be daily.. and then that could have 5 - 10 - 50 entries.. this does not seem something that is properly reportable or scalable..

A-bomb · ‎04-04-2024

recon population is what I am looking for. I just don't know how to parse the results with echo. This is what I have been testing with no success:

reason=$( log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:" )

echo "${reason}"

jamf-42 · ‎04-04-2024

echo "<result>$reason</result>"

A-bomb · ‎04-04-2024

Changing to that just returns the below. I really want to grab the text above in bold.

% sudo reason=$( log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:" ); echo "<result>$reason</result>"

10:09:22.221: command not found

jamf-42 · ‎04-04-2024

you need to use that in an EA, running in terminal will not return a value..

and the EA does not need sudo..

#/bin/sh

result='what ever you want to return'

echo "<result>$result</result>"

write this as a script and add 'set -x' after the shebang.. then you can scope to a test device and check it works before moving to an EA.

A-bomb · ‎04-04-2024

Thanks for your help with this! Would this work as an EA? I am trying it right now.

#!/bin/sh

##############################################################

# A script to determine the reason for Jamf Connect Reason for privilege elevation

##############################################################

result=$reason

reason=$( log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:" )

echo "<result>$reason</result>"

exit 0

jamf-42 · ‎04-04-2024

remove the result var.. not needed.. your just parsing $reason to the echo

but I'd make that just as a script in jamf for now.. not an EA.. and add.

set -x

on the next line after the /bin/sh this will output all of the script and variables so you can read them..

then create a policy, add script, add a test Mac.. and check the output.. you'll see $reason populated with the value returned.. we hope 😊

if its all good.. then you can make it into an EA.. EAs run on ALL devices as root.. on every recon.. so.. bad things can happen if they are not correct.

dennisnardi · ‎04-04-2024

I wrote an extension attribute that looks at the log that is generated at /Library/Logs/JamfConnect/UserElevationReasons.log and will pull the 3 most recent times & reasons. The log is in GMT, so my EA converts the time into Eastern time. My EA is below:

#!/bin/zsh
  
# Path to the log file
log_file="/Library/Logs/JamfConnect/UserElevationReasons.log"
  
# Check if the log file exists
if [ ! -f "$log_file" ]; then
    # If the log file doesn't exist, output a specific message for the extension attribute
    echo "<result>No Jamf Connect privilege elevations</result>"
    exit 0
fi
  
# Get the most recent 3 entries from the log file
latest_log_entries=$(tail -n 3 "$log_file")
  
# Begin the result string
recent_times="<result>\n"
  
# Process each log entry
echo "$latest_log_entries" | while read log_entry; do
    # Extract the date/time from the log entry
    gmt_date=$(echo $log_entry | awk '{print $1, $2}')
  
    # Convert GMT to Eastern Time
    eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-5H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
  
    # Check if Daylight Saving Time is in effect
    daylight_saving=$(date -v"-5H" -jf "%Y-%m-%d %H:%M:%S" "$gmt_date" "+%Z")
  
    if [ "$daylight_saving" = "EDT" ]; then
        eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-4H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
    fi
  
    # Extract the user information from the log entry
    user_info=$(echo $log_entry | cut -d ' ' -f4-)
  
    # Append the date/time and user information to the result string
    recent_times+="$eastern_date $user_info\n"
done
  
# End the result string
recent_times+="</result>"
  
# Output for Jamf Pro extension attribute
echo -e "$recent_times"

And that looks like the following in Jamf:

A-bomb · ‎04-04-2024

Thank you!!! This is exactly what I was looking for. Can you suggest how to make the results return in separate lines? They all run together for me.

A-bomb · ‎04-04-2024

NM, I moved it to the EA container in inventory and they are separated, like yours. Thanks again for the quick help. Your solution is perfect!

Steven_Xu · ‎05-20-2024

#!/bin/bash

# cat elevation log
logs=$(cat /Library/Logs/JamfConnect/UserElevationReasons.log)

echo "<result>$logs</result>"

This script can be used in the EA to collect the elevation log. but the timezone is UTC+0.

A-bomb · ‎05-20-2024

This is great! Thank you :)

John_Valdez · ‎06-07-2024

Thank you!

Jamf Nation Community

Jamf Connect 2.33.0 admin elevation Extension Attribute?