Using commands in conditions


Configuration objects of type Command in a rule condition enable you to execute shell scripting commands and analyze their output. Use of the Command object type replaces the need to define a command or script during the creation of a configuration object through the Local Configuration Objects tab.

Before you begin

To support the execution of commands through Compliance rules, ensure that the ComponentTemplate.ExecuteCommand authorization is assigned to the template (through the Permissions panel during template creation or through the Permissions view).

Command syntax in rules

For a Command configuration object, use the following syntax in a rule condition:
"objectType:objectCommand".CommandProperty

Note

If you need quotes in the Command string, single quotes very often work better than double quotes.

Examples:

"Command:cat /etc/passwd|wc -l".int
"Command:which rpcinfo".Out_Put

These examples contain the following elements:

| Element | Example 1 | Example 2 |
|---|---|---|
| Object type | Command | Command |
| Object command | cat /etc/passwd\|wc -l | which rpcinfo |
| Command property | Int | Out_Put |

The command property at the end of the string determines the type of command output to be analyzed by the rule condition. You can choose from the following available command properties:

| Command property value | Type of output to analyze |
|---|---|
| Out_Put | Standard output (stdout) of a command, textual output |
| Int | Integer-type command output |
| Message | Standard error (stderr) textual output of a command |
| Exitcode | Exit code output of a command |
| StringList | String list output of a command |

Command exit codes

Every time you run a command, the command returns an exit status, also known as the return status or exit code. If the command was successful, the return status is 0. If the command was unsuccessful, the return status is 1 or some other non-zero value that can usually be interpreted as an error code.

To check for the exit status of the last command executed, you can use the $? string. This returns 0 for success, or an integer in the range of 1–255 for an error.

Examples

 Successful execution of the following command will return an exit status of 0. 

echo "hello"
echo $? 

In the following example, the command is unrecognized and execution will fail. Therefore, a non-zero exit status is returned.

hello
echo $? 

Workaround for the grep command

During a Compliance Job or rule test for a condition that contains the grep command, if no match is found for the specified string, the exit code for the rule is 1 (an error code), and not 0 (the number of matches). For example, during analysis of the grep command in "Command:echo hello|grep hellox", an exit code of 1 is returned if no match is found, and this non-zero exit code is treated as an error.

Examples

The following conditions demonstrate the use of the grep command with the various types of output. All return an exit code of 1, and the rule result will be blank and non-compliant.

"Command:echo hello|grep hellox".Out_Put = "0"

"Command:echo hello|grep hellox".Int = 0

"Command:echo hello|grep hellox".Message = "0"

"Command:echo hello|grep -c hellox".Exitcode = 0

"Command:cat /etc/passwd|grep hellox".StringList contains "0"

The same behavior is true for a condition that contains grep -c, as in "Command:echo hello |grep -c hellow". As a result, the output is not stored in the Out_put (stdout) or Message (stderr) output types, and it cannot be converted into an integer value (Int output type).

For this reason, do not use grep as the last command in your condition if you do not want an exit code 1 to be returned whenever the command is unrecognized or executes with an error, or when the specified string is not found. As a workaround, you can add wc -l to the command, to return a counter. For example: echo hello|grep hellow|wc -l

Example

For a condition with the following command:

"Command:rpm -qa| egrep -c 'hpsmh'".Out_put

Edit your condition to look like this:

"Command:rpm -qa| egrep 'hpsmh'| wc -l".Out_put
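
The following added example is plain shell, not TrueSight code and not part of the original page. It prints the exit status and stdout of each grep pipeline form discussed above, using a hypothetical helper named run_cmd; the last call uses a deliberately nonexistent command name to show that the wc -l workaround reports only the status of the final stage, so a count of 0 can also mean that an earlier command failed.

```shell
#!/bin/sh
# Added example (plain shell, not TrueSight code): show the exit status and
# stdout that each form of the grep pipeline hands back to its caller.

# run_cmd CMD: runs CMD through sh -c and prints "exit=<status> out=<stdout>".
# run_cmd is a hypothetical helper name used only in this example.
run_cmd() {
    out=$(sh -c "$1" 2>/dev/null) && rc=0 || rc=$?
    out=${out#"${out%%[! ]*}"}   # drop leading blanks that some wc builds emit
    printf 'exit=%s out=%s\n' "$rc" "$out"
}

# A match: grep exits 0 and prints the matching line.
run_cmd 'echo hello|grep hello'

# No match: grep exits 1 and prints nothing.
run_cmd 'echo hello|grep hellox'

# grep -c prints the count 0 but still exits 1 when nothing matches.
run_cmd 'echo hello|grep -c hellox'

# Workaround from the page: wc -l is the last stage, so the status is 0
# and the count is available on stdout.
run_cmd 'echo hello|grep hellox|wc -l'

# Caveat: the pipeline status comes from the last stage only. Here the first
# command does not exist (constructed name), yet the result is identical to
# the "no match" case above.
run_cmd 'no_such_command_xyz|grep hellox|wc -l'
```

When a count of 0 must mean "not present" rather than "could not check", test separately that the first command in the pipeline exists and runs.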


Remediating with commands

The Command object can also be used in combination with the remediate operator to execute a shell command as a remediation action at the end of compliance analysis. To use the Command object in this manner, specify the shell command without appending a property to it. This combination of operand and operator is typically used in a then statement within a conditional construct.

For example:

"Command:touch /etc/test.cf" remediate

Warning

Parts that are used in a condition are collected even before the condition is evaluated. Therefore, whenever you include a part in a condition with the purpose of setting information on the operating system, ensure that the line ends with a remediate operator. Use the remediate operator, for example, whenever you include commands such as touch, rm, cp, mv, sed, awk, any command with > or >>, or whenever you call a custom script or executable.
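
One way to review rule text for this problem before it reaches a Compliance Job, as an added example that is not part of the original page or the product: a shell check that flags Command objects whose command string uses one of the commands named in the warning (or a > redirection) on a line that lacks the remediate operator. The function name lint_rules, the sample rule lines, and the assumptions of one Command object per line with no double quotes inside the command string are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not TrueSight code. Flags Command objects whose command
# string changes the system but whose line lacks the remediate operator.
# Assumptions: one Command object per line, no double quotes inside the
# command string. Custom scripts and executables cannot be recognized by
# name and still need manual review.

# Constructed sample rule lines.
SAMPLE_RULES='"Command:cat /etc/passwd|wc -l".Int = 0
"Command:touch /etc/test.cf" remediate
"Command:rm -f /tmp/stale.lock".Exitcode = 0
"Command:rpm -qa > /tmp/pkgs.txt".Out_Put = "0"
"Command:which rpcinfo".Out_Put'

# Commands the warning names, matched as whole words, plus > and >>.
WRITERS='(^|[|;&[:space:]])(touch|rm|cp|mv|sed|awk)([[:space:]]|$)|>'

# lint_rules: reads rule lines on stdin and prints each flagged line.
lint_rules() {
    while IFS= read -r line; do
        case $line in
            *'"Command:'*) ;;
            *) continue ;;
        esac
        # Text between "Command: and the closing double quote.
        cmd=$(printf '%s\n' "$line" | sed 's/^[^"]*"Command:\([^"]*\)".*$/\1/')
        # Whatever follows the closing double quote (property or operator).
        rest=$(printf '%s\n' "$line" | sed 's/^[^"]*"Command:[^"]*"//')
        case $rest in
            ' remediate'*) continue ;;   # already a remediation action
        esac
        if printf '%s\n' "$cmd" | grep -Eq "$WRITERS"; then
            printf 'missing remediate: %s\n' "$line"
        fi
    done
    return 0
}

printf '%s\n' "$SAMPLE_RULES" | lint_rules
```

The pattern follows the warning literally, so read-only uses of sed or awk and redirections such as 2>/dev/null are also flagged and need a manual decision.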


Command execution during Compliance analysis or rule testing

When a command is executed by a Compliance Job or during rule testing, TrueSight Server Automation performs the following steps:

  1. Creates a tmp directory on the Agent, within the RSCD directory.
  2. Copies a script file that contains the command from the Application Server to the Agent's tmp directory.
  3. Executes the script from the RSCD/tmp directory.
  4. After script execution, deletes the script file from the RSCD/tmp directory.

Related topics

Defining-a-basic-condition
scriptutil-The-Slightly-Odd-Duck
Summarized-descriptions-of-Network-Shell-commands

 
