Policy Banner Check Script



 

Hi everyone,

I'm looking for some help and/or critique on the script below. I would like to mention that I'm still pretty new to scripting and use shellcheck and explainshell pretty heavily. If anyone has any other resources I could add to my arsenal, it would also be much appreciated.

Now that the PSA is out of the way, I want the script to check if the policy banner has been modified or deleted and if so, display a message and run the policy -event policybanner.

 

#!/bin/bash
loggedInUser=$(stat -f%Su /dev/console)

# Path to the file you want to monitor
file_path="/Users/$loggedInUser/Library/Security/PolicyBanner.rtfd"

# Get the initial modification time of the file
initial_mtime=$(stat -f %m "$file_path")

# Change permissions after the package is installed
chmod -R o+rx /Library/Security/PolicyBanner.rtfd

while true; do
    # Sleep for a short duration (e.g., 1 second)
    sleep 1

    # Check for deletion first: stat on a missing path fails and would leave
    # current_mtime empty, which breaks the numeric comparison below
    if [ ! -e "$file_path" ]; then
        echo "The Policy Banner has been deleted!"
        jamf policy -event policybanner -verbose
        "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -button1 "OK" -windowType hud -description "Please do not delete the policy banner. -TSS" -heading "Policy Banner " -title "Ocado Group" -defaultButton 1 -icon "/Library/Application Support/JAMF/ot.icns"
        # The policy reinstalls the banner, so take a fresh baseline (0 if it is still missing)
        initial_mtime=$(stat -f %m "$file_path" 2>/dev/null || echo 0)
    else
        # Get the current modification time of the file
        current_mtime=$(stat -f %m "$file_path")

        # Compare the current modification time with the initial one
        if [ "$current_mtime" -gt "$initial_mtime" ]; then
            echo "The Policy Banner has been modified"
            jamf policy -event policybanner -verbose
            "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -button1 "OK" -windowType hud -description "Please do not modify the policy banner. -TSS" -heading "Policy Banner " -title "Ocado Group" -defaultButton 1 -icon "/Library/Application Support/JAMF/ot.icns"
            # Update the initial modification time for the next iteration
            initial_mtime="$current_mtime"
        fi
    fi

    sleep 86400
done

 

 

6 replies

mm2270
  • Legendary Contributor
  • 7880 replies
  • January 17, 2024

Just out of curiosity, why are you installing a PolicyBanner inside the user's /Library/Security/ folder, instead of just putting it at the root /Library/Security/ folder? This seems to be the file you're checking for any modifications:

file_path="/Users/$loggedInUser/Library/Security/PolicyBanner.rtfd"

In the root Library location, it can't be deleted or modified unless the user has admin rights. And in that location, it applies and shows up for any user on the machine logging in.

 


phunkywan
  • Author
  • New Contributor
  • 8 replies
  • January 17, 2024
mm2270 wrote:

Just out of curiosity, why are you installing a PolicyBanner inside the user's /Library/Security/ folder, instead of just putting it at the root /Library/Security/ folder? This seems to be the file you're checking for any modifications:

file_path="/Users/$loggedInUser/Library/Security/PolicyBanner.rtfd"

In the root Library location, it can't be deleted or modified unless the user has admin rights. And in that location, it applies and shows up for any user on the machine logging in.

 


This is just me copying and pasting from other scripts; thanks for the callout.


AJPinto
  • Legendary Contributor
  • 2725 replies
  • January 17, 2024

Rather than trying to keep up with who is messing with what, which would be a very tall task, I would just prevent people from modifying the file. Unless all your users are admins, removing modify access from the file would go a long way.

 



mvu
  • Jamf Heroes
  • 909 replies
  • January 18, 2024

You can use the CIS Sonoma 5.8 control to create the policy banner (package and push it) and set permissions on the file.

 


phunkywan
  • Author
  • New Contributor
  • 8 replies
  • January 18, 2024
AJPinto wrote:

Rather than trying to keep up with who is messing with what, which would be a very tall task, I would just prevent people from modifying the file. Unless all your users are admins, removing modify access from the file would go a long way.

 



Not all my users are admin but a lot are, and they make life difficult, but making it immutable might do the trick.


mm2270
  • Legendary Contributor
  • 7880 replies
  • January 18, 2024
phunkywan wrote:

Not all my users are admin but a lot are, and they make life difficult, but making it immutable might do the trick.


If lots of the users are admins and they end up messing with or removing files from a system location, that's as much (or more) of a personnel / HR issue as it is a technical one. There should be consequences for repeat offenders that muck with company related controls when they know they shouldn't be. Like maybe revocation of admin status since it's clear they are abusing it.

But I digress. If you make it immutable, that will help, since it would require some additional steps, and maybe even some research on their part, on how to unlock it and then remove it. You can also make a file/folder invisible in the Finder (still visible in the shell), but don't put a period at the start of the filename in the case of a PolicyBanner. I think the OS will ignore it unless it's actually named "PolicyBanner.txt" (or .rtf/.rtfd).

You can use the same chflags command to make something invisible without renaming it.

sudo chflags hidden /path/to/file

Change hidden to nohidden in the command to unhide it. Just make sure you FIRST make it invisible before making it immutable.

With deploying it to /Library/Security/ and making it both invisible and immutable, if someone still manages to remove it, then I'd say that warrants a discussion with higher ups to get some help on the matter.
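A deployment script for the approach AJPinto and mm2270 describe (system /Library/Security location, no write access for anyone but root, hidden first and immutable last), written as an added example and not code from the thread or from Jamf. SRC_BANNER is an assumed staging path, and the user immutable flag (uchg) is used rather than schg so root can still unlock the bundle for updates; banner_flags_ok only parses a stat flag string, so it can be checked off a Mac.

```shell
#!/bin/bash
# Added example, not code from the thread: install the banner in the system
# location mm2270 recommends, strip write access for everyone but root
# (AJPinto's point), then hide it and lock it in that order, because once the
# immutable flag is on, chflags refuses any further flag change, hidden included.
# SRC_BANNER is an assumed staging path; point it at wherever your package lands.
SRC_BANNER="${SRC_BANNER:-/usr/local/share/PolicyBanner.rtfd}"
DEST_BANNER="/Library/Security/PolicyBanner.rtfd"

# Given the symbolic flag string from `stat -f %Sf` (e.g. "hidden,uchg";
# "-" or empty means no flags), succeed only if the file is both hidden and
# immutable. Pure string matching, so it is testable off a Mac as well.
banner_flags_ok() {
    local flags=",$1,"
    case "$flags" in *,hidden,*) ;; *) return 1 ;; esac
    case "$flags" in *,uchg,*|*,schg,*) return 0 ;; *) return 1 ;; esac
}

# Deploy and protect. Run as root. uchg (user immutable) is used rather than
# schg so root can still unlock the bundle with `chflags -R nouchg` for updates.
harden_banner() {
    chflags -R nouchg "$DEST_BANNER" 2>/dev/null || true   # unlock a previous copy
    rm -rf "$DEST_BANNER"
    cp -R "$SRC_BANNER" "$DEST_BANNER"
    chown -R root:wheel "$DEST_BANNER"
    chmod -R u=rwX,go=rX "$DEST_BANNER"   # readable by loginwindow, writable only by root
    chflags -R hidden "$DEST_BANNER"      # first: hide in Finder; name unchanged so the OS still uses it
    chflags -R uchg "$DEST_BANNER"        # last: lock; must come after every other change
}

# Report state, e.g. from a Jamf Extension Attribute, instead of polling mtime.
check_banner() {
    [ -e "$DEST_BANNER" ] || { echo "missing"; return 1; }
    local flags
    flags=$(stat -f %Sf "$DEST_BANNER")
    if banner_flags_ok "$flags"; then
        echo "protected ($flags)"
    else
        echo "unprotected ($flags)"; return 1
    fi
}

case "${1:-}" in
    --apply) harden_banner && check_banner ;;
    --check) check_banner ;;
esac
```

Run with --apply from a Jamf policy after the package that stages the bundle, and with --check to report whether the flags are still in place.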

