brunerd/EAGrabber.sh

## EAGrabber.sh
#!/bin/bash
# Joel Bruner - EA Grabber: Surreptitiously grabs Jamf Extension Attributes (EAs) during recon

#touch file for debug
[ -f /tmp/debug ] && set -x

#############
# VARIABLES #
#############

#get console user
consoleUser=$(stat -f %Su /dev/console)

#get home folder path of console user for output
consoleUserHome=$(dscl . read /Users/"${consoleUser}" NFSHomeDirectory | awk -F ": " '{print $2}')

#used for the output folder
dateStamp=$(date +"%Y-%m-%d %H.%M")

#date stamped named folder for the root
capturePath_Root="${consoleUserHome}/Desktop/EAGrabber_${dateStamp}"

#sub folders
capturePath_EA_Raw="${capturePath_Root}/EAs_Raw"
capturePath_EA_Renamed="${capturePath_Root}/EAs_Renamed"
capturePath_FV2Key="${capturePath_Root}/FV2Key"
reconOutputFile="${capturePath_Root}/verboseReconRAW.txt"
processCaptureFile="${capturePath_Root}/processCapture.log"
EANamesFile="${capturePath_Root}/EA_Names.txt"

#where jamf puts it's scripts when it runs
jamfTempFolder="/Library/Application Support/JAMF/tmp"

#############
# FUNCTIONS #
#############

function captureFiles
{
	#make root folder and it's sub folder
	mkdir -p "${capturePath_EA_Raw}"

	#to protect from runaway the script will kill itself neatly if not done in 3 minutes
	( sleep 480; kill -9 $$ ) &
	suicideWatchPID=$!

	#flush any temp files remaining in here
	rm "${jamfTempFolder}"/* 2>/dev/null

	echo "Starting jamf recon..."
	#start recon in background and get the output text into a file
	jamf recon -verbose 2>/dev/null 1>"${reconOutputFile}" &

	#until the jamf recon process is done, loop and hardlink to scripts
	while [ "$(ps auxww | grep -c [j]amf\ recon)" -ne 0 ]; do
		#find all files and make hard links in capture folder
		find "${jamfTempFolder}" -exec ln "{}" "${capturePath_EA_Raw}"/ 2>/dev/null \;
	done
}

function processFiles
{
	#make folder for key
	mkdir "${capturePath_FV2Key}"

	#remove the tmp file (of ethernet MAC addresses) sometimes captured
	rm "${capturePath_EA_Raw}"/*tmp 2>/dev/null
	rm "${capturePath_EA_Raw}"/*pid 2>/dev/null

	#count the files, use bc to trim wc's output
	captureCount=$(wc -l <<< "$(find "${capturePath_EA_Raw}" -type f)" | bc)

	echo "Captured ${captureCount} extension attributes..."

	#find the fv2 file, echo out result, then and move it
	for file in "${capturePath_EA_Raw}"/*; do
		#get 0 or 1 for match
		keyFound=$(grep -c '<key>Password</key>' "$file" 2>/dev/null)

		#if 1 we have a match let's print it
		if [ "${keyFound}" -eq 1 ]; then
			#get key data and echo it out
			FV2Key=$(/usr/libexec/PlistBuddy -c "print Password" "$file" 2>/dev/null)
			echo "FileVault 2 Key: ${FV2Key}"

			#move file into fv2 folder
			mv "${file}" "${capturePath_FV2Key}"/fv2key.plist

			break;
		fi
	done
}

function renameFiles
{
	#make new folder
	mkdir "${capturePath_EA_Renamed}"

	#chage IFS so only newlines make new array elements
	IFS=$'\n'

	#get the file names from the verbose recon output file
	filenames=$(grep "Running script for the extension attribute" "${reconOutputFile}" | awk -F 'attribute ' '{print $NF}')
	filenames_Array=( ${filenames} )

	echo "${filenames}" > "${EANamesFile}"

	#get all the raw file names from newest to oldest
	rawFiles_Array=( $(ls -r1t "${capturePath_EA_Raw}") )


	echo "Attempting to rename files..."
	#rename all the EAs in order - the weakness here is that we expect to have gotten all the files
	#but if we missed a file this or something gets out of sequence it'll be off (that's why we have the saw folder)
	for ((i=0; i < ${#filenames_Array[@]}; i++ )); do

		[ -z "${rawFiles_Array[$i]}" ] && continue
		#determine the file extension from the first #! line
		case "$(head -n1 "${capturePath_EA_Raw}/${rawFiles_Array[$i]}")" in
			*python* )
				extension="py" ;;
			#default to shell
			* )
				extension="sh" ;;
		esac

		#make a file copy from raw to the renamed folder
		cp "${capturePath_EA_Raw}/${rawFiles_Array[$i]}" "${capturePath_EA_Renamed}/${filenames_Array[$i]}.${extension}"
		#at the very least add .sh to the end so spotlight works on them instead of the Unix executable icon
		mv "${capturePath_EA_Raw}/${rawFiles_Array[$i]}" "${capturePath_EA_Raw}/${rawFiles_Array[$i]}".sh
	done
}

function systemCheck
{
	#run this as root so we don't get prompted for password when sudo jamf runs
	if [ "${USER}" != 'root' ]; then
		echo "Please run with sudo"
		exit
	fi

	#runs finishUp if INT TERM or HUP signal received
	trap 'finishUp' TERM INT HUP
}

function finishUp
{
	#kill the background suicide process if it still exists (tail cuts header off ps)
	[ -n "$(ps -p ${suicideWatchPID} 2>/dev/null | tail -n +2)" ] && kill -9 "${suicideWatchPID}"

	#own the folder for console user
	chown -R "${consoleUser}":staff "${capturePath_Root}"

	echo "Done."
	echo "Opening results in ${capturePath_Root}"

	#open it for the console user
	su $consoleUser -c "open \"${capturePath_Root}\""
}

########
# MAIN #
########

systemCheck
captureFiles
processFiles
renameFiles
finishUp

exit
	#!/bin/bash
	# Joel Bruner - EA Grabber: Surreptitiously grabs Jamf Extension Attributes (EAs) during recon

	#touch file for debug
	[ -f /tmp/debug ] && set -x

	#############
	# VARIABLES #
	#############

	#get console user
	consoleUser=$(stat -f %Su /dev/console)

	#get home folder path of console user for output
	consoleUserHome=$(dscl . read /Users/"${consoleUser}" NFSHomeDirectory \| awk -F ": " '{print $2}')

	#used for the output folder
	dateStamp=$(date +"%Y-%m-%d %H.%M")

	#date stamped named folder for the root
	capturePath_Root="${consoleUserHome}/Desktop/EAGrabber_${dateStamp}"

	#sub folders
	capturePath_EA_Raw="${capturePath_Root}/EAs_Raw"
	capturePath_EA_Renamed="${capturePath_Root}/EAs_Renamed"
	capturePath_FV2Key="${capturePath_Root}/FV2Key"
	reconOutputFile="${capturePath_Root}/verboseReconRAW.txt"
	processCaptureFile="${capturePath_Root}/processCapture.log"
	EANamesFile="${capturePath_Root}/EA_Names.txt"

	#where jamf puts it's scripts when it runs
	jamfTempFolder="/Library/Application Support/JAMF/tmp"

	#############
	# FUNCTIONS #
	#############

	function captureFiles
	{
	#make root folder and it's sub folder
	mkdir -p "${capturePath_EA_Raw}"

	#to protect from runaway the script will kill itself neatly if not done in 3 minutes
	( sleep 480; kill -9 $$ ) &
	suicideWatchPID=$!

	#flush any temp files remaining in here
	rm "${jamfTempFolder}"/* 2>/dev/null

	echo "Starting jamf recon..."
	#start recon in background and get the output text into a file
	jamf recon -verbose 2>/dev/null 1>"${reconOutputFile}" &

	#until the jamf recon process is done, loop and hardlink to scripts
	while [ "$(ps auxww \| grep -c [j]amf\ recon)" -ne 0 ]; do
	#find all files and make hard links in capture folder
	find "${jamfTempFolder}" -exec ln "{}" "${capturePath_EA_Raw}"/ 2>/dev/null \;
	done
	}

	function processFiles
	{
	#make folder for key
	mkdir "${capturePath_FV2Key}"

	#remove the tmp file (of ethernet MAC addresses) sometimes captured
	rm "${capturePath_EA_Raw}"/*tmp 2>/dev/null
	rm "${capturePath_EA_Raw}"/*pid 2>/dev/null

	#count the files, use bc to trim wc's output
	captureCount=$(wc -l <<< "$(find "${capturePath_EA_Raw}" -type f)" \| bc)

	echo "Captured ${captureCount} extension attributes..."

	#find the fv2 file, echo out result, then and move it
	for file in "${capturePath_EA_Raw}"/*; do
	#get 0 or 1 for match
	keyFound=$(grep -c '<key>Password</key>' "$file" 2>/dev/null)

	#if 1 we have a match let's print it
	if [ "${keyFound}" -eq 1 ]; then
	#get key data and echo it out
	FV2Key=$(/usr/libexec/PlistBuddy -c "print Password" "$file" 2>/dev/null)
	echo "FileVault 2 Key: ${FV2Key}"

	#move file into fv2 folder
	mv "${file}" "${capturePath_FV2Key}"/fv2key.plist

	break;
	fi
	done
	}

	function renameFiles
	{
	#make new folder
	mkdir "${capturePath_EA_Renamed}"

	#chage IFS so only newlines make new array elements
	IFS=$'\n'

	#get the file names from the verbose recon output file
	filenames=$(grep "Running script for the extension attribute" "${reconOutputFile}" \| awk -F 'attribute ' '{print $NF}')
	filenames_Array=( ${filenames} )

	echo "${filenames}" > "${EANamesFile}"

	#get all the raw file names from newest to oldest
	rawFiles_Array=( $(ls -r1t "${capturePath_EA_Raw}") )


	echo "Attempting to rename files..."
	#rename all the EAs in order - the weakness here is that we expect to have gotten all the files
	#but if we missed a file this or something gets out of sequence it'll be off (that's why we have the saw folder)
	for ((i=0; i < ${#filenames_Array[@]}; i++ )); do

	[ -z "${rawFiles_Array[$i]}" ] && continue
	#determine the file extension from the first #! line
	case "$(head -n1 "${capturePath_EA_Raw}/${rawFiles_Array[$i]}")" in
	python )
	extension="py" ;;
	#default to shell
	* )
	extension="sh" ;;
	esac

	#make a file copy from raw to the renamed folder
	cp "${capturePath_EA_Raw}/${rawFiles_Array[$i]}" "${capturePath_EA_Renamed}/${filenames_Array[$i]}.${extension}"
	#at the very least add .sh to the end so spotlight works on them instead of the Unix executable icon
	mv "${capturePath_EA_Raw}/${rawFiles_Array[$i]}" "${capturePath_EA_Raw}/${rawFiles_Array[$i]}".sh
	done
	}

	function systemCheck
	{
	#run this as root so we don't get prompted for password when sudo jamf runs
	if [ "${USER}" != 'root' ]; then
	echo "Please run with sudo"
	exit
	fi

	#runs finishUp if INT TERM or HUP signal received
	trap 'finishUp' TERM INT HUP
	}

	function finishUp
	{
	#kill the background suicide process if it still exists (tail cuts header off ps)
	[ -n "$(ps -p ${suicideWatchPID} 2>/dev/null \| tail -n +2)" ] && kill -9 "${suicideWatchPID}"

	#own the folder for console user
	chown -R "${consoleUser}":staff "${capturePath_Root}"

	echo "Done."
	echo "Opening results in ${capturePath_Root}"

	#open it for the console user
	su $consoleUser -c "open \"${capturePath_Root}\""
	}

	########
	# MAIN #
	########

	systemCheck
	captureFiles
	processFiles
	renameFiles
	finishUp

	exit