Policy Banner Check Script

phunkywan
New Contributor

 

Hi everyone,

I'm looking for some help and/or critique on the script below. I would like to mention that I'm still pretty new to scripting and use shellcheck and explainshell pretty heavily. If anyone has any other resources I could add to my arsenal, it would also be much appreciated.

Now that the PSA is out of the way, I want the script to check if the policy banner has been modified or deleted and if so, display a message and run the policy -event policybanner.

 

#!/bin/bash

loggedInUser=$(stat -f%Su /dev/console)

# Path to the file you want to monitor
file_path="/Users/$loggedInUser/Library/Security/PolicyBanner.rtfd"

# Get the initial modification time of the file
initial_mtime=$(stat -f %m "$file_path")

#changes permissions of after the packages is installed
chmod -R o+rx /Library/Security/PolicyBanner.rtfd

while true; do
    # Sleep for a short duration (e.g., 1 second)
    sleep 1

    # Get the current modification time of the file
    current_mtime=$(stat -f %m "$file_path")

    # Compare the current modification time with the initial one
    if [ "$current_mtime" -gt "$initial_mtime" ]; then
        echo "The Policy Banner has been modified"
        jamf policy -event policybanner -verbose
        /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -button1 "OK" -windowType hud -description "Please do not modifiy the policy banner. -TSS" -heading "Policy Banner " -title "Ocado Group" -defaultButton 1 -icon "/Library/Application Support/JAMF/ot.icns"
        # Update the initial modification time for the next iteration
        initial_mtime="$current_mtime"

    elif [ ! -e "$file_path" ]; then
        echo "The Policy Banner has been deleted!"
        jamf policy -event policybanner -verbose
        /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -button1 "OK" -windowType hud -description "Please do not delete the policy banner. -TSS" -heading "Policy Banner " -title "Ocado Group" -defaultButton 1 -icon "/Library/Application Support/JAMF/ot.icns"
       
    fi

sleep 86400 

done

 

 

6 REPLIES 6

mm2270
Legendary Contributor III

Just out of curiosity, why are you installing a PolicyBanner inside the user's /Library/Security/ folder, instead of just putting it at the root /Library/Security/ folder? This seems to be the file you're checking for any modifications:

file_path="/Users/$loggedInUser/Library/Security/PolicyBanner.rtfd"

In the root Library location, it can't be deleted or modified unless the user has admin rights. And in that location, it applies and shows up for any user on the machine logging in.

 

This is just me copying and pasting from other scripts, thanks for the callout.  

AJPinto
Honored Contributor III

Rather than trying to keep up with who is messing with what, which would be a very tall task; instead, I would just prevent people from modifying the file. Unless all your users are admins, removing modify access from the file would go a long way.

 

Suggestions:

Not all my users are admin but a lot are, and they make life difficult, but making it immutable might do the trick.

mm2270
Legendary Contributor III

If lots of the users are admins and they end up messing with or removing files from a system location, that's as much (or more) of a personnel / HR issue as it is a technical one. There should be consequences for repeat offenders that muck with company related controls when they know they shouldn't be. Like maybe revocation of admin status since it's clear they are abusing it.

But I digress. If you make it immutable, that will help, since it would require some additional steps, and maybe even some research on their part on how to unlock it and then remove it. You can also make a file/folder invisible in the Finder (still visible in the shell) but don't put a period at the start of the filename in the case of a PolicyBanner. I think the OS will ignore it unless it's actually named "PolicyBanner.txt" (or .rtf/.rtfd)

You can use the same chflags command to make something invisible without renaming it.

sudo chflags hidden /path/to/file

Change hidden to nohidden in the command to unhide it. Just make sure you FIRST make it invisible before making it immutable.

With deploying it to /Library/Security/ and making it both invisible and immutable, if someone still manages to remove it, then I'd say that warrants a discussion with higher ups to get some help on the matter.

obi-k
Valued Contributor III

You can use the CIS Sonoma 5.8 control to create the policy banner (package and push it) and set permissions on the file.

Screenshot 2024-01-18 at 9.17.21 AM.png