MakeMeAnAdmin Update? Log fix?

Seko
New Contributor

I have been using krypted's MakeMeAnAdmin script. It works great for elevating standard users to admin users and demoting them back to standard users. I cannot get the script to generate a log. Does anyone have an updated fully functioning version of this script available?

3 REPLIES

Seko
New Contributor

Do I need to set any parameter values in Jamf Pro to get the logging to work?

dennisnardi
Contributor

What kind of logging are you looking for? The script I'll put below is a modification I made to the script you mentioned, but it creates a log file, writes the user who is being elevated, the time they are elevated, and writes how many times they've elevated. You can change my "$CUSTOM" to your org. I don't know a good way to log what actions are taken with admin privileges though.

#!/bin/bash
    
##############
# TempAdmin.sh
# This script will give a user 30 minutes of Admin level access.
# It is designed to create its own offline self-destruct mechanism.
##############
    
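logDir="/Library/Application Support/$CUSTOM/Logs"
scriptDir="/Library/Application Support/$CUSTOM/Scripts"

# Create the log and script directories if they don't exist
# (the removal script further down is written into $scriptDir)
for dir in "$logDir" "$scriptDir"; do
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir"
        chown root:wheel "$dir"
        chmod 755 "$dir"
    fi
done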
  
# Create counter file if it doesn't exist
if [ ! -f "$logDir/AdminElevationCount.txt" ]; then
    echo 0 > "$logDir/AdminElevationCount.txt"
fi
    
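USERNAME=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')

# Stop if nobody is logged in at the console, so no empty username is logged or promoted
if [ -z "$USERNAME" ]; then
    echo "No console user found; exiting."
    exit 1
fi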
    
adminTime=1800
  
# Increment counter
count=$(cat "$logDir/AdminElevationCount.txt")
count=$((count + 1))
echo $count > "$logDir/AdminElevationCount.txt"
    
# create LaunchDaemon to remove admin rights
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>com.$CUSTOM.adminremove</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/$CUSTOM/Scripts/removeTempAdmin.sh</string>
</array>
<key>StartInterval</key>
<integer>$adminTime</integer>
</dict>
</plist>" > "/Library/LaunchDaemons/com.$CUSTOM.adminremove.plist"
    
# create admin rights removal script
# (the text below is single-quoted, so $CUSTOM is written out literally;
# replace it with your org name here too)
echo '#!/bin/bash
USERNAME=$(cat "/Library/Application Support/$CUSTOM/Logs/AdminUsernameToRemove.txt")
/usr/sbin/dseditgroup -o edit -d "$USERNAME" -t user admin
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
logEntry="$TIME - Demoting $USERNAME to a standard user"
echo "$logEntry" >> "/Library/Application Support/$CUSTOM/Logs/TemporaryAdmin.log"
echo "$logEntry" # Display log entry in terminal
rm -f "/Library/Application Support/$CUSTOM/Logs/AdminUsernameToRemove.txt"
rm -f "/Library/LaunchDaemons/com.$CUSTOM.adminremove.plist"
rm -f "/Library/Application Support/$CUSTOM/Scripts/removeTempAdmin.sh"
exit 0'  > "/Library/Application Support/$CUSTOM/Scripts/removeTempAdmin.sh"
  
    
# set the permission on the files just made
chown root:wheel "/Library/LaunchDaemons/com.$CUSTOM.adminremove.plist"
chmod 644 "/Library/LaunchDaemons/com.$CUSTOM.adminremove.plist"
chown root:wheel "/Library/Application Support/$CUSTOM/Scripts/removeTempAdmin.sh"
chmod 755 "/Library/Application Support/$CUSTOM/Scripts/removeTempAdmin.sh"
    
# enable and load the LaunchDaemon
defaults write "/Library/LaunchDaemons/com.$CUSTOM.adminremove.plist" Disabled -bool false
launchctl load -w "/Library/LaunchDaemons/com.$CUSTOM.adminremove.plist"
    
# build log files in /Library/Application Support/$CUSTOM/Logs
echo "" >> "/Library/Application Support/$CUSTOM/Logs/TemporaryAdmin.log" # Add blank line
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
logEntry="$TIME - Elevating $USERNAME to admin for $adminTime seconds. Elevation Count: $count"
echo "$logEntry" >> "/Library/Application Support/$CUSTOM/Logs/TemporaryAdmin.log"
echo "$logEntry" # Display log entry in terminal
  
# note the user
echo "$USERNAME" > "/Library/Application Support/$CUSTOM/Logs/AdminUsernameToRemove.txt"
echo "User noted: $USERNAME" # Display in terminal
  
# add the user to the admin group
/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
echo "User promoted: $USERNAME" # Display in terminal

# notify
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -icon /System/Applications/Utilities/Keychain\ Access.app/Contents/Resources/AppIcon.icns -heading 'Temporary Admin Rights Granted             ' -description "
Please use responsibly.
All administrative activity is logged.
Access expires in 30 minutes." -button1 'OK' > /dev/null 2>&1 &

exit 0
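
An added example, not part of the original post or of krypted's script: a small audit over the TemporaryAdmin.log lines that the script above writes, reporting per-user elevation and demotion counts and any elevation that has no later demotion. The function names `audit_temp_admin` and `sample_log` and the sample log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit the TemporaryAdmin.log format written by the script above.

# Constructed sample log (not real data). The last entry imitates a run where
# the console username came back empty.
sample_log() {
    cat <<'EOF'

Date:03-14-2024 TIME:09:15:02 - Elevating alice to admin for 1800 seconds. Elevation Count: 1
Date:03-14-2024 TIME:09:45:03 - Demoting alice to a standard user

Date:03-14-2024 TIME:10:30:10 - Elevating bob to admin for 1800 seconds. Elevation Count: 2

Date:03-15-2024 TIME:08:00:00 - Elevating alice to admin for 1800 seconds. Elevation Count: 3
Date:03-15-2024 TIME:08:30:01 - Demoting alice to a standard user

Date:03-15-2024 TIME:12:00:00 - Elevating to admin for 1800 seconds. Elevation Count: 4
EOF
}

# Read the log from the file arguments (or stdin) and print one line per user:
# elevations, demotions, and the timestamp of an elevation with no later
# demotion ("none" if every elevation was followed by one). Non-blank lines
# that match neither entry format are counted as malformed.
audit_temp_admin() {
    awk '
        $4 == "Elevating" && $6 == "to" && NF == 13 {
            up[$5]++; users[$5] = 1
            open[$5] = substr($1, 6) "T" substr($2, 6)
            next
        }
        $4 == "Demoting" && $6 == "to" && NF == 9 {
            down[$5]++; users[$5] = 1
            delete open[$5]
            next
        }
        NF > 0 { bad++ }
        END {
            for (u in users) {
                printf "%s elevations=%d demotions=%d open=%s\n",
                       u, up[u], down[u], ((u in open) ? open[u] : "none")
            }
            printf "malformed=%d\n", bad
        }
    ' "$@" | LC_ALL=C sort
}

sample_log | audit_temp_admin
```

On a managed Mac, pass the real log path as the argument instead of piping in the sample; a user reported with an `open=` timestamp older than the 30-minute window is worth checking against the admin group.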





AJPinto
Esteemed Contributor

I'm not sure it would be feasibly possible to make a log of the actions taken while a user has escalated permissions. Everything would be recorded in Unified Logging, but Apple does not exactly make that easy to parse or export. Jamf Protect would redirect the logs to SIEM, but then filtering the logs for meaningful data is another chore. Just furthers your point of no easy way to gather what a user did with the permissions.