
I'm embarrassed to say, not sure how to have this "Check SIP status" EA to only proceed if OS version is 10.11*.



#!/bin/sh
if [ -e /usr/bin/csrutil ]; then
echo "<result>`csrutil status | awk '{ print $5 }' | sed 's/.$//'`</result>"
else
echo "<result>NotElCapitan</result>"
fi


Proceeding based on existence of /usr/bin/csrutil works but seems kludgy and convoluted.



How do we run the "if" statement to check for 10.11* before proceeding?



TIA,
Don

Hey @donmontalvo ,



To check for the OS version, you can do this:



OSVersion=`sw_vers -productVersion`
OSMajorVersion=`sw_vers -productVersion | cut -d '.' -f 1,2`


Then, within your script, you can proceed only if you have a version of 10.11 or higher:



if [ "$OSMajorVersion" == "10.11" ] ; then
echo "<result>`csrutil status | awk '{ print $5 }' | sed 's/.$//'`</result>"
else
echo "<result>NotElCapitan</result>"
fi


Hope that helps!



Jason


Funny, I just did this....



only real difference between mine and @jkuo's is that mine looks for "OS is Greater than Yosemite",
so should theoretically work with OS 10.12 LA River. :D



#!/bin/bash

osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

if [[ ${osvers} -gt 10 ]]; then
echo "<result>`csrutil status | awk '{gsub(/.$/,"");print $5}'`</result>"
else
echo "<result>Not Supported</result>"
fi

Has anybody asked Apple to have csrutil keep track of the number of times SIP has been disabled and re-enabled?



I kinda feel that if SIP has ever been turned off the Mac is no longer secure anymore.



C


@jkuo and @kstrick, this is awesome, both work, we went with the latter so we (hopefully) won't need to touch it as much. :)



@gachowski hmmm....on a test 10.11 Mac one thing I noticed is that "enabled" didn't prevent me from writing to /Applications/Utilities or /usr/local. I'll check again when I get a chance. I remember enabling/disabling SIP during testing on the Mac.




Those locations aren't blocked by SIP. Per Apple, restrictions are:



System-Only Locations
/bin
/sbin
/usr
/System
/Applications/Utilities

In contrast, the following directories are available to any process:
Locations Available to Developers
/usr/local
/Applications
[~]/Library
All directories in /usr except for /usr/local are restricted to the system. Apple app directories in /Applications are restricted to the system.

/Applications/Utilities/ is protected by SIP. @donmontalvo are you saying you could still write to that location with SIP confirmed to be on?


/Applications/Utilities/ is not protected by SIP, though the Apple-installed applications inside that directory are SIP-protected. That appears to be a mistake in the documentation, and I've filed a bug report for it:



http://www.openradar.me/radar?id=6126412251529216



Apple has a KBase article which was posted on ElCap's release day that correctly lists what's protected and what's not:



https://support.apple.com/HT204899




Thanks for the clarification on that @rtrouton. It was indeed confusing the way it had been published originally. Good to know we can still deploy any custom apps into Utilities. Just can't touch the Apple provided ones.


Anyone know why this would show up on some 10.11.3 computers?



$ csrutil status | awk '{ print $5 }' | sed 's/.$//'
enable









configuration


10 line returns after enabled, and then configuration shows up for some reason.



Don


@donmontalvo Not sure, but maybe try one of the following to prevent getting unwanted lines in the output.



csrutil status | awk '/Protection status/{ print $NF }' | sed 's/.$//'


or



csrutil status | awk '{ print $5; exit }' | sed 's/.$//'


The problem with simply telling awk to print $5 or any column is that if that column number shows up more than once in the output it's receiving, it will print ALL column 5's, or whatever. Best to use awk's regex matching to only have it look at the line you care about, or, if you're certain the first line it encounters has the information you need, use the exit to have it stop once it prints that first result.
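An added example, not code from any post in this thread, that puts the two pieces discussed above together: the numeric OS-version gate from the earlier replies and the line-anchored awk match with exit from this one. It goes a little beyond the thread in two ways: the gate compares major and minor numerically, so a later major-version change does not trip a second-field-only compare, and a status line that mentions "Custom Configuration" (a partially relaxed SIP) is reported distinctly instead of collapsing into "enabled". The function names, the Darwin guard, and the sample csrutil text in the usage note are my assumptions.

```shell
#!/bin/sh
# Added example: SIP-status Extension Attribute skeleton (not from the thread).

# Succeed when "$1" (a sw_vers-style version string) is at least major $2, minor $3.
os_at_least() {
    ver=$1; req_major=$2; req_minor=$3
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # "11" with no minor component
    minor=${rest%%.*}
    [ "$major" -gt "$req_major" ] || { [ "$major" -eq "$req_major" ] && [ "$minor" -ge "$req_minor" ]; }
}

# Read csrutil-style text on stdin and print one token: enabled, disabled,
# enabled-custom / disabled-custom, or unknown when no status line is present.
# Only the "System Integrity Protection status:" line is inspected and awk exits
# right after it, so trailing "Configuration:" blocks or stray blank lines cannot
# leak extra words into the <result>.
parse_sip_status() {
    awk '
        /^System Integrity Protection status:/ {
            s = $5                              # the word after "status:"
            sub(/\.$/, "", s)                   # drop the trailing period
            if ($0 ~ /Custom Configuration/) s = s "-custom"
            print s; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# Live EA body. Guarded so the helpers can be exercised with constructed input
# on a non-macOS host (assumption: the EA only ever runs on macOS).
ea_main() {
    osver=$(/usr/bin/sw_vers -productVersion)
    if os_at_least "$osver" 10 11; then
        status=$(/usr/bin/csrutil status 2>/dev/null | parse_sip_status)
    else
        status="NotSupported"
    fi
    echo "<result>$status</result>"
}

if [ "$(uname)" = "Darwin" ]; then
    ea_main
fi
```

To try the parser without a Mac, feed it a constructed line such as `printf 'System Integrity Protection status: enabled.\n' | parse_sip_status`; a constructed multi-line sample with a "Configuration:" block after the status line still yields a single token because of the `exit`.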


Hi guys -



Just wanted to throw in my 2¢ here as I created an Extension Attribute for this as well...



1) I believe the OS version check isn't really necessary as OS X prior to 10.11 does not include the csrutil binary. I think this is probably sufficient:



#!/bin/bash
# Last field of the status line is "enabled." or "disabled."; empty when csrutil is absent
csrstatus=$(/usr/bin/csrutil status | /usr/bin/awk '{print $NF}')
if [ "$csrstatus" = "" ]
then
echo "<result>Not Supported</result>"
else
echo "<result>$csrstatus</result>"
fi


Also, I feel in an EA that dot at the end is mostly harmless, but, if you really want to get rid of it you might want to escape it in the sed command as the . is a special character to sed (it should work either way...)



#!/bin/bash
# The dot is escaped so sed removes only the literal period; an unescaped . would delete every character
csrstatus=$(/usr/bin/csrutil status | /usr/bin/awk '{print $NF}' | /usr/bin/sed 's/\.//g')
if [ "$csrstatus" = "" ]
then
echo "<result>Not Supported</result>"
else
echo "<result>$csrstatus</result>"
fi


Lastly, @donmontalvo you may be seeing extra lines because you have netboot servers defined? I remember testing a csrutil Extension Attribute during the 10.11 beta & it gave some strange output having to do with csrutil configuration options - parsing the output was not as simple as it is now in the finalized version. Unless I'm mistaken the netboot options are really the only ones that can still be set.


@brock.walters I am thinking about adding a SIP extension attribute as well and in trying the csrutil command as written in your script it seems to be returning nothing at all on Macs running OS X 10.11. Shouldn't you be redirecting only errors using unixcommand 2> /dev/null?



#!/bin/bash
# stderr is discarded so a missing csrutil yields an empty string rather than an error message;
# the dot in the sed pattern is escaped so only the literal period is stripped
csrstatus=$(/usr/bin/csrutil status 2> /dev/null | /usr/bin/awk '{print $NF}' | /usr/bin/sed 's/\.//g')
if [ "$csrstatus" = "" ]
then
echo "<result>Not Supported</result>"
else
echo "<result>$csrstatus</result>"
fi

Hi @spalmer -



Thanks for pointing this out. I pasted a version of the script to my post in which I was suppressing the error message for the csrutil binary not being present for testing out of an abundance of caution. Apologies.





The error message output shouldn't have any impact on populating the Extension Attribute if the binary is not present. The screen shot above was captured on a computer running OS X 10.10.5. The screen shot below was captured on OS X 10.11.3





I have edited my 1st post & removed the /dev/null statement. Thanks & happy Extension Attributing!


SIP status is stored in NVRAM, it can also be checked with:



nvram -p | awk /csr-active-config/


or possibly for just the value itself:



nvram -p | awk '/csr-active-config/ {print $NF}'


You will get results along the lines of w%00%00%00
If the NVRAM value is empty it defaults to ENABLED on 10.11
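As an added example, not code from this thread or from Apple, here is a decoder for the percent-encoded value that `nvram -p` prints for csr-active-config, such as the `w%00%00%00` mentioned above. It goes beyond the post by also naming which individual restrictions a non-zero value relaxes, which is what you want when looking for a SIP that is only partially disabled rather than fully off. The bit positions are the ones in the csr.h header of Apple's xnu source; an absent or empty value is treated as enabled, as the post above notes for 10.11. The function names, the live-lookup guard and the sample strings are my assumptions.

```shell
#!/bin/sh
# Added example: decode nvram's csr-active-config value (not from the thread).

# Convert a percent-encoded little-endian value ("w%00%00%00") to an integer.
# nvram -p prints printable bytes literally and everything else as %XX.
csr_value() {
    printf '%s' "$1" | awk '
        BEGIN {
            for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i   # char -> byte table
            hex = "0123456789abcdef"
        }
        {
            n = 0; mult = 1; i = 1
            while (i <= length($0)) {
                c = substr($0, i, 1)
                if (c == "%") {                                  # %XX escape
                    b = (index(hex, tolower(substr($0, i + 1, 1))) - 1) * 16 \
                        + index(hex, tolower(substr($0, i + 2, 1))) - 1
                    i += 3
                } else {                                         # literal byte
                    b = ord[c]; i += 1
                }
                n += b * mult; mult *= 256                       # little-endian
            }
            print n; done = 1
        }
        END { if (!done) print 0 }                               # empty input -> 0
    '
}

# Name the CSR_ALLOW_* bits set in an integer, lowest bit first (bit order from xnu csr.h).
csr_flags() {
    n=$1; out=""; bit=0
    for name in UNTRUSTED_KEXTS UNRESTRICTED_FS TASK_FOR_PID KERNEL_DEBUGGER \
                APPLE_INTERNAL UNRESTRICTED_DTRACE UNRESTRICTED_NVRAM DEVICE_CONFIGURATION; do
        if [ $(( (n >> bit) & 1 )) -eq 1 ]; then out="$out${out:+ }$name"; fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# Summarise a raw csr-active-config string: 0 or missing means every restriction is on.
sip_state() {
    v=$(csr_value "$1")
    if [ "$v" -eq 0 ]; then
        echo "enabled"
    else
        echo "disabled ($(csr_flags "$v"))"
    fi
}

# Live lookup, only on macOS; the line is absent from nvram -p after a PRAM reset,
# so $raw is then empty and reported as enabled.
if [ "$(uname)" = "Darwin" ]; then
    raw=$(/usr/sbin/nvram -p 2>/dev/null | awk '/csr-active-config/ {print $NF}')
    sip_state "$raw"
fi
```

`w` is 0x77, so `sip_state 'w%00%00%00'` reports disabled with six of the eight bits set, while a constructed `%02%00%00%00` would show only UNRESTRICTED_FS relaxed, which the plain enabled/disabled wording of csrutil's first line does not distinguish on its own.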


As per usual there are often multiple paths to an objective & as long as it's working I like yours because it's shorter! There were several changes to the way the nvram options functioned during the OS X 10.11 beta so I guess that would be my only concern with using your method - it's possible the nvram options might change again. csrutil is the newest & (seemingly) dedicated binary for SIP. Thanks!


@brock.walters
Yes, my actual usage came about from the fact we use rEFInd on dual boot machines and it has a function to adjust the SIP value, but only if it is populated in nvram so it was relevant for us as to how it was determining it was enabled (you get this situation when you do a PRAM reset for example).


Thanks guys for all the input, here is what we finalized on:



#!/bin/sh

OSMajorVersion=`sw_vers -productVersion | cut -d '.' -f 1,2`

if [ "$OSMajorVersion" == "10.11" ] ; then
echo "<result>`csrutil status | awk '{ print $5; exit }' | sed 's/.$//'`</result>"
else
echo "<result>NotElCapitan</result>"
fi


Works like a charm!



Don


You're not actually using the "OSVersion" line, just the "OSMajorVersion" so you could remove that happily and not notice.


@franton sorry for the late reply, removed the line, thanks!