Jamf Nation Community

A-bomb · a month ago

Hello!

I need a hand writing an Extension Attribute script to gather "Reason for privilege elevation".

The below command works in Terminal directly on a Mac running macOS 14 to gather the info but I don't know how to then parse it into a script for an Extension Attribute. The text in bold is what I want to gather. An endless running list of reasons would be ideal. Any help would be much appreciated 😊

sudo log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:"

Result:

2024-04-04 10:09:22.221 Df Jamf Connect[55703:31aeb0] [com.jamf.connect:PrivilegeElevation] Reason for privilege elevation: Admin elevation test 1

2024-04-04 10:18:37.006 Df Jamf Connect[55703:31aeb0] [com.jamf.connect:PrivilegeElevation] Reason for privilege elevation: Figma install

dennisnardi · a month ago

I wrote an extension attribute that looks at the log that is generated at /Library/Logs/JamfConnect/UserElevationReasons.log and will pull the 3 most recent times & reasons. The log is in GMT, so my EA converts the time into Eastern time. My EA is below:

#!/bin/zsh
  
# Path to the log file
log_file="/Library/Logs/JamfConnect/UserElevationReasons.log"
  
# Check if the log file exists
if [ ! -f "$log_file" ]; then
    # If the log file doesn't exist, output a specific message for the extension attribute
    echo "<result>No Jamf Connect privilege elevations</result>"
    exit 0
fi
  
# Get the most recent 3 entries from the log file
latest_log_entries=$(tail -n 3 "$log_file")
  
# Begin the result string
recent_times="<result>\n"
  
# Process each log entry
echo "$latest_log_entries" | while read log_entry; do
    # Extract the date/time from the log entry
    gmt_date=$(echo $log_entry | awk '{print $1, $2}')
  
    # Convert GMT to Eastern Time
    eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-5H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
  
    # Check if Daylight Saving Time is in effect
    daylight_saving=$(date -v"-5H" -jf "%Y-%m-%d %H:%M:%S" "$gmt_date" "+%Z")
  
    if [ "$daylight_saving" = "EDT" ]; then
        eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-4H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
    fi
  
    # Extract the user information from the log entry
    user_info=$(echo $log_entry | cut -d ' ' -f4-)
  
    # Append the date/time and user information to the result string
    recent_times+="$eastern_date $user_info\n"
done
  
# End the result string
recent_times+="</result>"
  
# Output for Jamf Pro extension attribute
echo -e "$recent_times"

And that looks like the following in Jamf:

View solution in original post

jamf-42 · a month ago

ive not delved into this, but is this really the way its designed, that you have to pull the text via a grep from a 'log show' ... an EA will only be populated on each recon.. when-ever that is.. so that could be daily.. and then that could have 5 - 10 - 50 entries.. this does not seem something that is properly reportable or scalable..

A-bomb · a month ago

recon population is what I am looking for. I just don't know how to parse the results with echo. This is what I have been testing with no success:

reason=$( log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:" )

echo "${reason}"

jamf-42 · a month ago

echo "<result>$reason</result>"

A-bomb · a month ago

Changing to that just returns the below. I really want to grab the text above in bold.

% sudo reason=$( log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:" ); echo "<result>$reason</result>"

10:09:22.221: command not found

jamf-42 · a month ago

you need to use that in an EA, running in terminal will not return a value..

and the EA does not need sudo..

#/bin/sh

result='what ever you want to return'

echo "<result>$result</result>"

write this as a script and add 'set -x' after the shebang.. then you can scope to a test device and check it works before moving to an EA.

A-bomb · a month ago

Thanks for your help with this! Would this work as an EA? I am trying it right now.

#!/bin/sh

##############################################################

# A script to determine the reason for Jamf Connect Reason for privilege elevation

##############################################################

result=$reason

reason=$( log show --style compact --predicate 'subsystem == "com.jamf.connect"' --debug --info | grep "Reason for privilege elevation:" )

echo "<result>$reason</result>"

exit 0

jamf-42 · a month ago

remove the result var.. not needed.. your just parsing $reason to the echo

but I'd make that just as a script in jamf for now.. not an EA.. and add.

set -x

on the next line after the /bin/sh this will output all of the script and variables so you can read them..

then create a policy, add script, add a test Mac.. and check the output.. you'll see $reason populated with the value returned.. we hope 😊

if its all good.. then you can make it into an EA.. EAs run on ALL devices as root.. on every recon.. so.. bad things can happen if they are not correct.

dennisnardi · a month ago

I wrote an extension attribute that looks at the log that is generated at /Library/Logs/JamfConnect/UserElevationReasons.log and will pull the 3 most recent times & reasons. The log is in GMT, so my EA converts the time into Eastern time. My EA is below:

#!/bin/zsh
  
# Path to the log file
log_file="/Library/Logs/JamfConnect/UserElevationReasons.log"
  
# Check if the log file exists
if [ ! -f "$log_file" ]; then
    # If the log file doesn't exist, output a specific message for the extension attribute
    echo "<result>No Jamf Connect privilege elevations</result>"
    exit 0
fi
  
# Get the most recent 3 entries from the log file
latest_log_entries=$(tail -n 3 "$log_file")
  
# Begin the result string
recent_times="<result>\n"
  
# Process each log entry
echo "$latest_log_entries" | while read log_entry; do
    # Extract the date/time from the log entry
    gmt_date=$(echo $log_entry | awk '{print $1, $2}')
  
    # Convert GMT to Eastern Time
    eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-5H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
  
    # Check if Daylight Saving Time is in effect
    daylight_saving=$(date -v"-5H" -jf "%Y-%m-%d %H:%M:%S" "$gmt_date" "+%Z")
  
    if [ "$daylight_saving" = "EDT" ]; then
        eastern_date=$(date -jf "%Y-%m-%d %H:%M:%S" -v"-4H" "$gmt_date" "+%Y-%m-%d %H:%M:%S")
    fi
  
    # Extract the user information from the log entry
    user_info=$(echo $log_entry | cut -d ' ' -f4-)
  
    # Append the date/time and user information to the result string
    recent_times+="$eastern_date $user_info\n"
done
  
# End the result string
recent_times+="</result>"
  
# Output for Jamf Pro extension attribute
echo -e "$recent_times"

And that looks like the following in Jamf:

A-bomb · a month ago

Thank you!!! This is exactly what I was looking for. Can you suggest how to make the results return in separate lines? They all run together for me.

A-bomb · a month ago

NM, I moved it to the EA container in inventory and they are separated, like yours. Thanks again for the quick help. Your solution is perfect!

Jamf Nation Community

Jamf Connect 2.33.0 admin elevation Extension Attribute?