Posted on 04-06-2017 07:07 AM
Hello all! I am pretty new to scripting, and I'm having an issue creating an extension attribute I need. Usually I'm able to get these, but I'm having problems here.
We have edited /etc/pam.d/sudo to include the string "pam_smartcard.so" in it for some work we are doing. I'm trying to create an EA that will let me know if that string has been added to sudo, or not. The following:
grep "pam_smartcard.so" /etc/pam.d/sudo | awk '{print NR}'
...works to return a 1 if that addition has been made, or no return if that addition wasn't added to sudo.
Any idea how to script that and have the result either be Enabled if 1, or Disabled if no return?
Thanks for any help, I feel like this is super easy and I'm just missing some little thing with the numerous attempts I've tried. This is my first attempt at a grep command EA; usually I just do a readout of a plist file using read.
Posted on 04-06-2017 07:14 AM
Example of what I've tried:
RESULT=$( grep “pam_smartcard.so” /etc/pam.d/sudo | awk ‘{print NR}' )
if $RESULT = 1:
echo "<result>Enabled</result>"
else:
echo "<result>Disabled</result>"
fi
Posted on 04-06-2017 07:18 AM
#!/usr/bin/bash
######################################################
# A script to collect if PIVSudoEnable is enabled or disabled
# If PIVSudoEnable is not installed "Disabled" will return back
######################################################
RESULT=$( grep “pam_smartcard.so” /etc/pam.d/sudo | awk ‘{print NR}' )
if [[ $RESULT = 1 ]]; then
    echo "<result>Enabled</result>"
else
    echo "<result>Disabled</result>"
fi
Just fixed the syntax issues. Give it a try.
Posted on 04-06-2017 07:24 AM
Thanks for the response!
I copied that and gave it a shot, but the EA is still showing as blank after a few recons.
Posted on 04-06-2017 07:36 AM
Is that a backtick in front of the {print NR} statement? Maybe a typo?
Posted on 04-06-2017 07:40 AM
Oh jeez. Yes, yes it is. That was it, haha.
Thanks and good eyes! You guys rock!
Posted on 04-06-2017 09:10 AM
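#!/usr/bin/env python
# Report whether pam_smartcard.so appears anywhere in /etc/pam.d/sudo.
# The with block closes the file, so no explicit close() is needed.
with open('/etc/pam.d/sudo') as f:
    contents = f.read()
if "pam_smartcard.so" in contents:
    print("<result>enabled</result>")
else:
    print("<result>disabled</result>")
I don't have the ability to test, but you could do something like this in Python.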
Posted on 04-06-2017 09:26 AM
Just a quick note. If all you were doing is grepping to see if a line exists in a file, there's no need to count up the lines with awk. Unless it was important to know if there was more than one entry. If all you're looking for is the existence of any match, something like this would be enough:
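#!/bin/bash
# [[ ]] is a bash construct, so the script asks for bash rather than sh.
# The test is true when grep prints at least one matching line.
if [[ $(grep "pam_smartcard.so" /etc/pam.d/sudo) ]]; then
    echo "<result>enabled</result>"
else
    echo "<result>disabled</result>"
fi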
This is because the if/then is really performing a test and sees what the exit result is (0 = "success" or not 0 = "failed"). The if implies 'if the following test is true/successful, do something, else if it's false/failed, do something else'.
Posted on 05-18-2021 10:37 PM
Thanks for the clear explanation, @mm2270. I used your lines for something else I was cooking up. But what if I would like to count how many times it found it? How would I go about that?
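
For the counting question above, one way to do it as an extension attribute (an added example, not code from any poster in this thread): it counts only active lines that load the module, so a commented-out `#auth ... pam_smartcard.so` entry does not report as Enabled. The function names `count_pam_module` and `ea_result` are made up for this example, and treating everything after `#` as a comment is an assumption about the PAM file format.

```shell
#!/bin/sh
# Added example: count active (non-commented) lines in a PAM file that load
# a given module, and report the result in the form a Jamf EA expects.

# count_pam_module FILE MODULE -> prints the number of active lines naming MODULE
count_pam_module() {
    file=$1
    module=$2
    # A missing or unreadable file counts as zero matches.
    [ -r "$file" ] || { echo 0; return 0; }
    # Drop comments (assumed: '#' to end of line), then count lines where a
    # whitespace-separated field is MODULE or a path whose last part is MODULE.
    awk -v mod="$module" '
        { sub(/#.*/, "") }
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, parts, "/")
                if (parts[n] == mod) { count++; break }
            }
        }
        END { print count + 0 }
    ' "$file"
}

# ea_result FILE MODULE -> prints the <result> line, including the match count
ea_result() {
    n=$(count_pam_module "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "<result>Enabled ($n)</result>"
    else
        echo "<result>Disabled</result>"
    fi
}

ea_result /etc/pam.d/sudo pam_smartcard.so
```

A plain `grep -c "pam_smartcard.so" /etc/pam.d/sudo` also prints a count, but it includes commented-out lines.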