We’ve started seeing entries like this in our Macs...
# fleet
s
We’ve started seeing entries like this in our Macs’ root user’s bash history. We’re not sure what’s generating them. Anyone seen similar?
does your shop use Jamf to manage? possibly something was misconfigured?
s
Hmm. We don’t use Jamf, and haven’t enabled the equivalent of an EA that would be doing this. Current assumption is one of our RMM tools is doing something from the vendor side. With it reading and writing from the root account but still using sudo, feels like a Windows dev trying to do cross-platform stuff poorly.
The “echo value:” def feels like an EA
f
the order of the commands looks to be exactly the script/gist I posted, can you search the endpoint to see if there is such a shell script or something in cron? definitely seems odd.
s
I did, couldn’t find any shell scripts or LaunchDaemons that had those actual commands. And it’s not just one endpoint. That gist is written better though… there’s no reason for root to be calling sudo for those commands, and the repeated reads and lists feel like some tool trying to enforce the settings
Turns out it's Splashtop 😡