Using commands in conditions
Configuration objects of type Command in a rule condition enable you to execute shell scripting commands and analyze their output. Use of the Command object type replaces the need to define a command or script during the creation of a configuration object through the Local Configuration Objects tab.
Before you begin
To support the execution of commands through Compliance rules, ensure that the ComponentTemplate.ExecuteCommand authorization is assigned to the template (through the Permissions panel during template creation or through the Permissions view).
Command syntax in rules
For a Command configuration object, use the following syntax in a rule condition:
If you need quotes in the Command string, note that very often single quotes work better than double quotes.
These examples contain the following elements:
|Element||Example 1||Example 2|
|Object command||cat /etc/passwd|wc –l||which rpcinfo|
The command property at the end of the string determines the type of command output to be analyzed by the rule condition. You can choose from the following available command properties:
|Command property value||Type of output to analyze|
Standard output (stdout) of a command, textual output
|Int||Integer-type command output|
|Message||Standard error (stderr) textual output of a command|
|Exitcode||Exit code output of a command|
String list output of a command
Command exit codes
Every time you run a command, the command returns an exit status, also known as the return status or exit code. If the command was successful, the return status is 0. If the command was unsuccessful, the return status is 1 or some other non-zero value that can usually be interpreted as an error code.
To check for the exit status of the last command executed, you can use the
$? string. This returns 0 for success, or an integer in the range of 1–255 for an error.
Workaround for the grep command
During a Compliance Job or rule test for a condition that contains the
grep command, if no match is found for the specified string, the exit code for the rule is 1 (an error code), and not 0 (the number of matches). For example, during analysis of the
grep command in
“Command:echo hello|grep hellox", an exit code of 1 is returned if no match is found, and this non-zero exit code is treated as an error.
The same behavior is true for a condition that contains
grep -c, as in
"Command:echo hello |grep -c hellow". As a result, the output is not stored in the Out_put (stdout) or Message (stderr) output types, and it cannot be converted into an integer value (Int output type).
For this reason, do not use
grep as the last command in your condition if you do not want an exit code 1 to be returned whenever the command is unrecognized or executes with an error, or when the specified string is not found. As a workaround, you can add
wc –l to the command, to return a counter. For example:
echo hello|grep hellow|wc –l
Remediating with commands
The Command object can also be used in combination with the remediate operator to execute a shell command as a remediation action at the end of compliance analysis. To use the Command object in this manner, specify the shell command without appending a property to it. This combination of operand and operator is typically used in a then statement within a conditional construct.
"Command:touch /etc/test.cf" remediate
Parts that are used in a condition are collected even before the condition is evaluated. Therefore, whenever you include a part in a condition with the purpose of setting information on the operating system, ensure that the line ends with a remediate operator. Use the remediate operator, for example, whenever you include commands such as
awk, any command with
>>, or whenever you call a custom script or executable.
Command execution during Compliance analysis or rule testing
When a command is executed by a Compliance Job or during rule testing, TrueSight Server Automation performs the following steps:
- Creates a tmp directory on the Agent, within the RSCD directory.
- Copies a script file that contains the command from the Application Server to the Agent's tmp directory.
- Executes the script from the RSCD/tmp directory.
- After script execution, deletes the script file from the RSCD/tmp directory.