Linux Command fails when executed via Bigfix but works manually

I am having issues with some Oracle Enterprise Linux 7.9 servers, where the groupadd command works when I run it manually, but not when executed through a BF action:

wait groupadd groupnane

I should note that I have tried it using the action script wait command, creating a batch with action script and running it. It always fails with exit code 1 through BigFix, and it always works manually at the command line.

groupadd may not be in the $PATH

The $PATH for besclient (running in a non-login shell) may not be the same as under your interactive user account.

You may need to spawn a login shell to run it. Example at Trying to run a Python script for Linux - #4 by JasonWalker

You may need to specify the full path to groupadd

Hi Jason, Thank you for the reply,

I tried running groupadd with --login and the full path to the groupadd command (tried both /usr/sbin/groupadd and /sbin/groupadd) and the result remains exit code 1. The result from the BESClient log:

Command succeeded (Exit Code=1) wait /bin/sh --login -c "/usr/sbin/groupadd himds > /tmp/output.txt 2>&1" (action:951917)

Output.txt is empty.

Again, if I run it directly in the command line, it works:

/bin/sh --login -c "/usr/sbin/groupadd himds"

getent group himds

himds:x:1002:

Appreciate your help, still stumped.

Greetings!

Have you tried changing the script type from actionscript to sh? I just tested this in my environment without issues:

#!/bin/bash
/usr/sbin/groupadd grouptest


Hi Matt, thanks for the reply.

When I started all this (this is for installing Azure Arc Agent) I initially used the BF sh action setting but had issues and eventually switched to action script.

With that said, I copy-pasted your suggestion with the sh setting selected:

#!/bin/bash

/usr/sbin/groupadd grouptest

Still fails with exit code 1.

That is interesting… Is there anything in the besclient log that hints at more information?

It just says "Script ended (exit code = 1) (fixlet 951993)". When you run as an sh action it doesn't show the individual commands.

Even when I run as action script with 'wait' it just shows the command ran successfully with exit code .

I should note that I used this command successfully on other servers with no issues. This only happens on 'some' Oracle and RHEL 7.9 servers. And only through BF. Manually at the command line it works.

Is there some kind of third-party endpoint security running that could be blocking the execution?
I'd try using it in a bash script but add more content, before & after, to see whether bash itself is launching ok. And also execute bash in debug mode.

Something like this - this script adds some more statements to debug and inform us about the environment. It works as expected on my RHEL 8.4. Give it a try, and please post the output from /tmp/script.out

delete __createfile
createfile until EOF_MARKER
#!/bin/bash
echo Script Started
echo Running shell:
ps -p $$
echo Shell is linked to:
readlink /proc/$$/exe
echo Attempting groupadd
/usr/sbin/groupadd grouptest
echo groupadd completed with exit code $?
EOF_MARKER

delete script.sh
move __createfile script.sh
wait chmod +x script.sh
wait /bin/sh --login -x -c "./script.sh > /tmp/script.out" 

Jason, This is the result of script.out:

Script Started

Running shell:

PID TTY TIME CMD

79346 ? 00:00:00 script.sh

Shell is linked to:

/usr/bin/bash

Attempting groupadd

groupadd completed with exit code 1

Ok, at least we know the bash script is launching. Here's an actionscript I'd like you to try that checks a couple more things on the 'groupadd' command, and also captures the stderr output (I intended that but missed it the first time)

delete __createfile
createfile until EOF_MARKER
#!/bin/bash
echo Script Started
echo Running shell:
ps -p $$
echo Shell is linked to:
readlink /proc/$$/exe
echo Listing groupadd:
ls -l /usr/sbin/groupadd
echo Listing groupadd help:
/usr/sbin/groupadd --help
echo Attempting groupadd
/usr/sbin/groupadd grouptest
echo groupadd completed with exit code $?
EOF_MARKER

delete script.sh
move __createfile script.sh
wait chmod +x script.sh
wait /bin/sh --login -x -c "./script.sh > /tmp/script.out 2>&1"
delete /tmp/script.sh
copy script.sh /tmp/script.sh

In addition, this one also leaves behind a copy of the generated script at /tmp/script.sh so you can review it later if that helps.

Jason,

We do have a number of the well known security tools.

This is the result of script.out 2.0:

Script Started

Running shell:

PID TTY TIME CMD

112668 ? 00:00:00 script.sh

Shell is linked to:

/usr/bin/bash

Listing groupadd:

-rwxr-xr-x. 1 root root 87704 Jul 18 2019 /usr/sbin/groupadd

Listing groupadd help:

Usage: groupadd [options] GROUP

Options:

-f, --force exit successfully if the group already exists,

                            and cancel -g if the GID is already used

-g, --gid GID use GID for the new group

-h, --help display this help message and exit

-K, --key KEY=VALUE override /etc/login.defs defaults

-o, --non-unique allow to create groups with duplicate

                            (non-unique) GID

-p, --password PASSWORD use this encrypted password for the new group

-r, --system create a system account

-R, --root CHROOT_DIR directory to chroot into

-P, --prefix PREFIX_DIR directory prefix

Attempting groupadd

groupadd completed with exit code 1

I think there must be some security tool blocking it. If the command runs correctly on that exact system when you run it manually, I can't think of another explanation.

But do try to run it on that exact system. You might find there is a missing library or corrupt package that's preventing the binary from running.

But as far as BigFix and the actionscript, that all appears to be written correctly.

There was an interesting entry in /var/log/messages whenever the action made it to the endpoint:

cannot open login definitions /etc/login.defs [Permission denied]

We were able to come up with a solution on the individual machine. If you run into this issue, please DM me and I can assist.

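Added example, not part of any post in this thread: the thread does not say what the fix was, so this sketch only captures the access-control context (identity, SELinux label and mode if present, file mode and attributes) around /etc/login.defs so that a manual root run can be compared with a BigFix-launched run. The function names and the /tmp/ctx.* file names are hypothetical.

```shell
#!/bin/bash
# Added example: record what decides whether this process may read a file,
# as key=value lines, so two runs (manual vs. BigFix action) can be compared.

capture_context() {
    local target="$1"
    echo "uid=$(id -u)"
    echo "groups=$(id -G)"
    echo "path=$PATH"
    # SELinux domain of this process; "n/a" when SELinux is not in use.
    echo "proc_label=$(id -Z 2>/dev/null || echo n/a)"
    echo "selinux_mode=$(getenforce 2>/dev/null || echo n/a)"
    # Classic permissions, owner, SELinux file label and ext attributes.
    echo "file_mode=$(stat -c '%A %U:%G' "$target" 2>/dev/null || echo missing)"
    echo "file_label=$(stat -c '%C' "$target" 2>/dev/null || echo n/a)"
    echo "file_attrs=$(lsattr "$target" 2>/dev/null | cut -d' ' -f1)"
    if [ -r "$target" ]; then echo "readable=yes"; else echo "readable=no"; fi
}

# Print the keys whose values differ between two capture files.
changed_keys() {
    awk -F= 'NR==FNR { seen[$1]=$0; next } seen[$1] != $0 { print $1 }' "$1" "$2"
}

# Usage (hypothetical file names):
#   root shell:     ./ctx.sh capture /etc/login.defs > /tmp/ctx.manual
#   BigFix action:  wait /bin/sh -c "./ctx.sh capture /etc/login.defs > /tmp/ctx.bigfix"
#   then:           ./ctx.sh diff /tmp/ctx.manual /tmp/ctx.bigfix
case "${1:-}" in
    capture) capture_context "$2" ;;
    diff)    changed_keys "$2" "$3" ;;
esac
```

A difference in proc_label with readable=no points at mandatory access control rather than file permissions; on systems running auditd, `ausearch -m avc -ts recent` lists the matching denials.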