Scripting an Extension Attribute Help

SeanRussell
New Contributor II

Hello all! I am pretty new to scripting, and I'm having an issue creating an extension attribute I need. Usually I'm able to get these, but I'm having problems here.

We have edited /etc/pam.d/sudo to include the string "pam_smartcard.so" in it for some work we are doing. I'm trying to create an EA that will let me know if that string has been added to sudo, or not. The following:

grep "pam_smartcard.so" /etc/pam.d/sudo | awk '{print NR}'

...works to return a 1 if that addition has been made, or no return if that addition wasn't added to sudo.

Any idea how to script that and have the result either be Enabled if 1, or Disabled if no return?

Thanks for any help, I feel like this is super easy and I'm just missing some little thing with the numerous attempts I've tried. This is my first attempt at a grep command EA, usually I just do a readout of a plist file using read.


SeanRussell
New Contributor II

Example of what I've tried:

#!/usr/bin/env bash

######################################################
# A script to collect if PIVSudoEnable is enabled or disabled
# If PIVSudoEnable is not installed "Disabled" will return back
######################################################

RESULT=$( grep “pam_smartcard.so” /etc/pam.d/sudo | awk ‘{print NR}' )

if $RESULT = 1: echo "<result>Enabled</result>"
else: echo "<result>Disabled</result>"
fi

bpavlov
Honored Contributor
#!/usr/bin/bash

######################################################
# A script to collect if PIVSudoEnable is enabled or disabled
# If PIVSudoEnable is not installed "Disabled" will return back
######################################################

RESULT=$( grep “pam_smartcard.so” /etc/pam.d/sudo | awk ‘{print NR}' )

if [[ $RESULT = 1 ]]; then
echo "<result>Enabled</result>"
else
echo "<result>Disabled</result>"
fi

Just fixed the syntax issues. Give it a try.

SeanRussell
New Contributor II

Thanks for the response!

I copied that and gave it a shot, but the EA is still showing as blank after a few recons.

chris_kemp
Contributor III

Is that a backtick in front of the {print NR} statement? Maybe a typo?

SeanRussell
New Contributor II

Oh jeez. Yes, yes it is. That was it, haha.

Thanks and good eyes! You guys rock!

tlarkin
Honored Contributor
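#!/usr/bin/env python

# Read the sudo PAM configuration as one string so a substring test works
with open('/etc/pam.d/sudo') as f:
    contents = f.read()

# Report whether the smartcard module is mentioned anywhere in the file
if "pam_smartcard.so" in contents:
    print("<result>enabled</result>")
else:
    print("<result>disabled</result>")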

Don't have the ability to test, but you could do something like this in Python.

tlarkin
Honored Contributor

double post for some reason, so ignore this

mm2270
Legendary Contributor III

Just a quick note. If all you were doing is grepping to see if a line exists in a file, there's no need to count up the lines with awk. Unless it was important to know if there was more than one entry. If all you're looking for is the existence of any match, something like this would be enough:

#!/bin/sh

if [[ $(grep "pam_smartcard.so" /etc/pam.d/sudo) ]]; then
    echo "<result>enabled</result>"
else
    echo "<result>disabled</result>"
fi

This is because the if/then is really performing a test and sees what the exit result is (0 = "success" or not 0 = "failed"). The if implies 'if the following test is true/successful, do something, else if it's false/failed, do something else'.

vanschip-gerard
Contributor

Thanks for the clear explanation, @mm2270. I used your lines for something else I was cooking up. But what if I would like to count how many times it found it? How would I go about that?
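
Added example, not from any poster in this thread: a plain grep also matches a commented-out line such as `#auth sufficient pam_smartcard.so`, so this version of the extension attribute counts only active lines that name the module and reports Enabled when the count is above zero. The function names and the PAM_FILE override are assumptions made for the example.

```shell
#!/bin/sh
# Added example: Jamf extension attribute that ignores commented-out PAM lines.

PAM_FILE="${PAM_FILE:-/etc/pam.d/sudo}"   # override is an assumption, handy for testing
MODULE="pam_smartcard.so"

# Print how many active (non-comment) lines in file $1 reference module $2.
# A line counts when one of its fields is the module name itself or a path
# ending in "/<module>", so partial names and comment text are not counted.
count_active_entries() {
    file="$1"; module="$2"
    # An unreadable or missing file means the module cannot be configured there.
    [ -r "$file" ] || { echo 0; return; }
    awk -v m="$module" '
        { sub(/#.*/, "") }                       # drop comments, whole-line or trailing
        {
            suffix = "/" m
            for (i = 1; i <= NF; i++) {
                tail = substr($i, length($i) - length(suffix) + 1)
                if ($i == m || tail == suffix) { n++; break }
            }
        }
        END { print n + 0 }                      # print 0 rather than an empty string
    ' "$file"
}

# Print the <result> tag Jamf expects from an extension attribute.
ea_result() {
    n=$(count_active_entries "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "<result>Enabled</result>"
    else
        echo "<result>Disabled</result>"
    fi
}

ea_result "$PAM_FILE" "$MODULE"
```

To report the number of matches instead of Enabled/Disabled, echo the output of `count_active_entries` inside the `<result>` tags.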