Checking files for strings within files

ethicallyBlue
New Contributor

Hi Community,

I had an idea to solve a problem I'm facing but wanted to know if Jamf Pro could encounter an issue with this idea.


Problem: users in our environment have been saving confidential information in a specific location. Given the nature of the documents and contracts we have, these files need to exist somewhere else.


Solution: a script that does a search in the problem directory (I've nailed down this one) and creates an EA that reports "True" if the script returns non-null/0 results. Realistically I'd like to see these files and results, but I can worry about that some other time.


Primary concerns here:

1. The directory has at least 30 files but could be over 100, so performance issues are a concern.

2. Running this kind of script on 30+ machines at a time - Jamf delays?
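An added example of the Extension Attribute half of this idea (it is not code from the original post): a script that walks a watched directory once with find, counts regular files whose names match a short watch list, and prints the `<result>…</result>` line that Jamf Pro reads from an EA script. An EA runs during inventory collection rather than as a policy. The directory path and the filename patterns are placeholders for whatever the environment actually needs.

```bash
#!/bin/bash
# Added example, not from the thread. Jamf Pro Extension Attribute script that
# reports "True" when files matching a watch list exist under a directory.
# WATCH_DIR and PATTERNS are hypothetical placeholders.

WATCH_DIR="${WATCH_DIR:-/Users/Shared/Contracts}"   # hypothetical problem directory

# Case-insensitive filename globs to look for (constructed examples).
PATTERNS=( "*password*" "*contract*" "*confidential*" )

# count_matches DIR -> prints the number of regular files under DIR whose name
# matches any pattern. One find pass; -print0 / read -d '' keep paths with
# spaces or newlines intact. A missing directory counts as zero matches.
count_matches() {
    local dir="$1" n=0 p first=1
    local args
    args=()
    [ -d "$dir" ] || { echo 0; return 0; }
    for p in "${PATTERNS[@]}"; do
        if [ "$first" -eq 1 ]; then
            args+=( -iname "$p" ); first=0
        else
            args+=( -o -iname "$p" )
        fi
    done
    while IFS= read -r -d '' _; do
        n=$((n + 1))
    done < <(find "$dir" -type f \( "${args[@]}" \) -print0 2>/dev/null)
    echo "$n"
}

# ea_result DIR -> prints the <result> line Jamf Pro stores for the EA.
ea_result() {
    if [ "$(count_matches "$1")" -gt 0 ]; then
        echo "<result>True</result>"
    else
        echo "<result>False</result>"
    fi
}

ea_result "$WATCH_DIR"
```

The EA value stays a plain True/False so a smart group can key on it; the matching paths can go to a local log if they are needed later. Because the find is a single pass over one directory tree, a few hundred files cost well under a second.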


talkingmoose
Moderator

Your script isn’t going to cause Jamf Pro any harm if all it’s doing is sending it to remote computers to run.

However, you'll be running it as a policy, and so long as a policy is running, no other policy will run. What you could run into is that commands are delayed for computers still trying to run the script. I believe Jamf Pro will time out a policy after a certain time. (I want to say an hour, but I'm not sure.)

Test first on one of your most challenging Macs and see what results you get.

AJPinto
Honored Contributor III

You need to use the right tool for the job, and in this case it would be a DLP tool, which JAMF Pro is not. Of the DLP tools, Forcepoint seems to lead the pack, but there are other options like Endpoint Protector and many others.

While I agree Forcepoint may be a better tool, I was hoping to use Jamf as an introduction to the idea that DLP software would be a more appropriate contender, based on preliminary findings.

AJPinto
Honored Contributor III

The biggest part of any management is automation. You cannot really automate JAMF Pro to do the DLP functions you are wanting; JAMF Pro was not designed to do this. You would want something that would scan the entire disk looking for what you want, as users could just move the files. If you put the taste in the ivory tower's mouth that they may not need to spend money on the proper tool, they will try to make you make JAMF do it, so proceed with caution.


An example of a workflow I had to put in my JAMF instance: my Security team does not want world-writable files in /Applications or /Library. Without a tool that can manage file permissions, I had to script it with JAMF. It is very much possible, but it's like trying to carve a stake with a butcher knife. Maybe my script will give you some ideas.


This script is just checking the file attributes, but the general principle is the same for what you are wanting: a script to read a directory and loop over every file, looking for a thing and doing a thing. There is no reason a script cannot read the contents of the file, so long as Terminal can open the file. Or look for common file names like "passwords", "homework", "Mom_Dont_Open_This_File" and so on. My recommendation is to move the files somewhere rather than deleting them, and hold them for a week or two before deletion. In case you grab something that should not have been grabbed, you can move it back.

#!/bin/zsh

######################
# Script Name: World_Writable_File_Remediation
# Author: 
# Date: 
# Script derived from the cis_L2 benchmark to attempt to adjust the permissions on files to remove world writable files from macOS
######################

######################
# Exit Codes
# 0 - Success: General Success
# 1 - Failure: no log file path was passed in script parameter 4
######################

echo "Begin script"

######################
# Global Variables
######################

# Jamf Pro script parameters start at $4; parameter 4 carries the log file path.
LibraryLog="$4"
Date=$(date +%m.%d.%y-%H:%M:%S)

if [[ -z "$LibraryLog" ]]; then
	echo "No log file path supplied in parameter 4"
	exit 1
fi

######################
# Remove old log files if present to clean up data
######################

if [[ -f "$LibraryLog" ]]; then
	sudo rm -f "$LibraryLog"
fi

######################
# Setting file permissions and ownership
######################

touch "$LibraryLog"
sudo chown root:wheel "$LibraryLog"
sudo chmod 644 "$LibraryLog"

######################
# Command function
######################

#Check /System/Volumes/Data/Library and sub directories for files with world writable files.
#Log results to $LibraryLog

# zsh splits unquoted command substitution on IFS; restricting IFS to newline
# keeps paths that contain spaces in one piece.
IFS=$'\n'
echo "Date and Time process ran: $Date" >> "$LibraryLog"
for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -perm -o+w -type f ); do
	echo "$libPermissions" >> "$LibraryLog"
	# -type f above guarantees a regular file, so a non-recursive chmod is enough
	/bin/chmod o-w "$libPermissions"
done

#Check /Applications and sub directories for files with world writable files.
#Log results to $ApplicationLog

echo "Script end"
exit 0
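An added example of the "move rather than delete, hold for a week or two" handling described above (this is not AJPinto's script or anything from the thread): matching files are moved into a quarantine folder that preserves their relative path, each move is recorded with a timestamp in a manifest, and a second function purges only the entries whose quarantine time is older than the retention period. Keying the purge on the manifest timestamp rather than on file mtime matters because mv preserves the original modification time. Directory paths, patterns and the retention period are placeholders.

```bash
#!/bin/bash
# Added example, not from the thread. Quarantine matching files with a hold
# period instead of deleting them. All paths and patterns are hypothetical.

WATCH_DIR="${WATCH_DIR:-/Users/Shared/Contracts}"                  # hypothetical
QUARANTINE="${QUARANTINE:-/Library/Application Support/Quarantine}" # hypothetical
RETENTION_DAYS=14

# quarantine_matches WATCH QUAR -> moves matching regular files out of WATCH
# into QUAR (keeping the relative path) and prints how many were moved.
# Each move is appended to QUAR/manifest.tsv as: epoch<TAB>source<TAB>dest
# (filenames containing a tab would break the manifest format).
quarantine_matches() {
    local watch="$1" quar="$2" n=0 f rel dest now
    [ -d "$watch" ] || { echo 0; return 0; }
    mkdir -p "$quar"
    now=$(date +%s)
    while IFS= read -r -d '' f; do
        rel="${f#"$watch"/}"            # path relative to the watched directory
        dest="$quar/$rel"
        mkdir -p "$(dirname "$dest")"
        if mv "$f" "$dest"; then
            printf '%s\t%s\t%s\n' "$now" "$f" "$dest" >> "$quar/manifest.tsv"
            n=$((n + 1))
        fi
    done < <(find "$watch" -type f \( -iname '*password*' -o -iname '*contract*' \) -print0 2>/dev/null)
    echo "$n"
}

# purge_expired QUAR DAYS -> deletes quarantined files recorded more than DAYS
# days ago, rewrites the manifest without them, and prints how many were deleted.
# Anything still inside the hold period is left in place so it can be moved back.
purge_expired() {
    local quar="$1" days="$2" n=0 cutoff when src dest keep
    local manifest="$quar/manifest.tsv"
    [ -f "$manifest" ] || { echo 0; return 0; }
    cutoff=$(( $(date +%s) - days * 86400 ))
    keep="$manifest.tmp"
    : > "$keep"
    while IFS=$'\t' read -r when src dest; do
        if [ "$when" -lt "$cutoff" ]; then
            rm -f "$dest"
            n=$((n + 1))
        else
            printf '%s\t%s\t%s\n' "$when" "$src" "$dest" >> "$keep"
        fi
    done < "$manifest"
    mv "$keep" "$manifest"
    echo "$n"
}

moved=$(quarantine_matches "$WATCH_DIR" "$QUARANTINE")
purged=$(purge_expired "$QUARANTINE" "$RETENTION_DAYS")
echo "quarantined=$moved purged=$purged"
```

Because the manifest keeps the original source path, restoring a file that should not have been grabbed is a single mv back to the recorded source. Running the script as a policy on a daily check-in trigger gives the retention window a steady clock.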