Posted on 10-01-2015 03:22 PM
I'm embarrassed to say, not sure how to have this "Check SIP status" EA to only proceed if OS version is 10.11*.
#!/bin/sh
if [ -e /usr/bin/csrutil ]; then
echo "<result>`csrutil status | awk '{ print $5 }' | sed 's/.$//'`</result>"
else
echo "<result>NotElCapitan</result>"
fi
Proceeding based on existence of /usr/bin/csrutil works but seems kludgy and convoluted.
How do we run the "if" statement to check for 10.11* before proceeding?
TIA,
Don
Posted on 10-01-2015 03:49 PM
Hey @donmontalvo ,
To check for the OS version, you can do this:
OSVersion=`sw_vers -productVersion`
OSMajorVersion=`sw_vers -productVersion | cut -d '.' -f 1,2`
Then, within your script, you can proceed only if you have a version of 10.11 or higher:
if [ "$OSMajorVersion" == "10.11" ] ; then
echo "<result>`csrutil status | awk '{ print $5 }' | sed 's/.$//'`</result>"
else
echo "<result>NotElCapitan</result>"
fi
Hope that helps!
Jason
Posted on 10-01-2015 04:05 PM
Funny, I just did this....
only real difference between mine and @jkuo's is that mine looks for "OS is Greater than Yosemite", so should theoretically work with OS 10.12 LA River. :D
#!/bin/bash
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
if [[ ${osvers} -gt 10 ]]; then
echo "<result>`csrutil status | awk '{gsub(/.$/,"");print $5}'`</result>"
else
echo "<result>Not Supported</result>"
fi
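The minor-number comparison above is fine for every 10.x release, but once the major number changes (macOS 11 reports versions like 11.2.1, so the minor field becomes 2) a "-gt 10" test quietly falls into the "Not Supported" branch. Below is an added example, not code from this thread, of a POSIX sh version comparison that looks at every dotted field, plus a small wrapper showing which EA branch each version lands in. The version strings in the demo loop are constructed; a real EA would pass "$(sw_vers -productVersion)" instead.

```shell
#!/bin/sh
# Added example (not from the thread). Compares a dotted version string against
# a minimum field by field, so 10.9 < 10.11 and 11.0 > 10.15 both come out right.
# version_ge ACTUAL MINIMUM  -> exit status 0 if ACTUAL >= MINIMUM
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}                         # leading field (or the whole string)
        bf=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop the consumed field
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        af=${af:-0}                         # a missing field counts as 0
        bf=${bf:-0}
        [ "$af" -gt "$bf" ] && return 0
        [ "$af" -lt "$bf" ] && return 1
    done
    return 0                                # every field equal
}

# sip_branch VERSION: prints the branch an EA should take for that OS version.
# "check-csrutil" is a label chosen for this example, not Jamf or Apple output.
sip_branch() {
    if version_ge "$1" "10.11"; then
        echo "check-csrutil"
    else
        echo "NotElCapitan"
    fi
}

# Demo with constructed version strings.
for v in 10.9.5 10.11 10.11.3 10.12 11.2.1; do
    printf '%-8s %s\n' "$v" "$(sip_branch "$v")"
done
```

Only numeric fields are expected (sw_vers never emits letters), so the test's -gt/-lt are safe; anything else would need sanitising first.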
Posted on 10-01-2015 04:06 PM
Has anybody asked Apple to have csrutil keep track of the number of times SIP has been disabled and re-enabled?
I kinda feel that if SIP has ever been turned off the Mac is no longer secure anymore.
C
Posted on 10-02-2015 07:18 AM
@jkuo and @kstrick, this is awesome, both work, we went with the latter so we (hopefully) won't need to touch it as much. :)
@gachowski hmmm....on a test 10.11 Mac one thing I noticed is that "enabled" didn't prevent me from writing to /Applications/Utilities or /usr/local. I'll check again when I get a chance. I remember enabling/disabling SIP during testing on the Mac.
Posted on 10-02-2015 07:25 AM
hmmm....on a test 10.11 Mac one thing I noticed is that "enabled" didn't prevent me from writing to /Applications/Utilities or /usr/local. I'll check again when I get a chance. I remember enabling/disabling SIP during testing on the Mac.
Those locations aren't blocked by SIP. Per Apple, restrictions are:
System-Only Locations: /bin, /sbin, /usr, /System, /Applications/Utilities
In contrast, the following directories are available to any process:
Locations Available to Developers: /usr/local, /Applications, [~]/Library
All directories in /usr except for /usr/local are restricted to the system. Apple app directories in /Applications are restricted to the system.
Posted on 10-02-2015 07:38 AM
/Applications/Utilities/ is protected by SIP. @donmontalvo are you saying you could still write to that location with SIP confirmed to be on?
Posted on 10-02-2015 08:06 AM
/Applications/Utilities/ is not protected by SIP, though the Apple-installed applications inside that directory are SIP-protected. That appears to be a mistake in the documentation, and I've filed a bug report for it:
http://www.openradar.me/radar?id=6126412251529216
Apple has a KBase article which was posted on ElCap's release day that correctly lists what's protected and what's not:
https://support.apple.com/HT204899
Posted on 10-02-2015 08:33 AM
Thanks for the clarification on that @rtrouton. It was indeed confusing the way it had been published originally. Good to know we can still deploy any custom apps into Utilities. Just can't touch the Apple provided ones.
Posted on 02-17-2016 02:19 PM
Anyone know why this would show up on some 10.11.3 computers?
$ csrutil status | awk '{ print $5 }' | sed 's/.$//'
enable
configuration
10 line returns after "enabled", and then "configuration" shows up for some reason.
Don
Posted on 02-17-2016 02:39 PM
@donmontalvo Not sure, but maybe try one of the following to prevent getting unwanted lines in the output.
csrutil status | awk '/Protection status/{ print $NF }' | sed 's/.$//'
or
csrutil status | awk '{ print $5; exit }' | sed 's/.$//'
The problem with simply telling awk to print $5 or any column is that if that column number shows up more than once in the output it's receiving, it will print ALL column 5's, or whatever. Best to use awk's regex matching to only have it look at the line you care about, or, if you're certain the first line it encounters has the information you need, use the exit to have it stop once it prints that first result.
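The extra lines in the 10.11.3 output are what csrutil prints when SIP is on but with a non-default configuration: the status line reads "enabled (Custom Configuration)." and is followed by a Configuration block, so a bare "$5" parse loses the "d" and then picks up words from the later lines. The script below is an added example, not code from this thread, that applies the "match the status line, then exit" advice and also reports that custom case separately, since an EA that only says "enabled" would hide a machine with some protections switched off. The three sample outputs are constructed to resemble csrutil's wording; the exact contents of the Configuration block are an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Parses csrutil's output robustly and
# reports one of: enabled | disabled | custom | Not Supported.

# sip_state: reads csrutil output on stdin, prints a single word.
sip_state() {
    out=$(awk '
        /System Integrity Protection status:/ {
            # "enabled (Custom Configuration)." means some protections are off
            if ($0 ~ /Custom Configuration/) { print "custom"; exit }
            s = $5                    # "enabled." or "disabled."
            sub(/\.$/, "", s)         # strip only the trailing period
            print s
            exit                      # ignore any Configuration lines that follow
        }')
    # csrutil absent (pre-10.11) or unrecognised output -> nothing matched
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    else
        printf 'Not Supported\n'
    fi
}

# Constructed sample outputs (not captured from a real machine):
SIP_ENABLED='System Integrity Protection status: enabled.'
SIP_DISABLED='System Integrity Protection status: disabled.'
SIP_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled'

# ea_result TEXT: wraps the parsed state in the <result> tags a Jamf EA expects.
ea_result() {
    printf '<result>%s</result>\n' "$(printf '%s\n' "$1" | sip_state)"
}

# Demo. On a real 10.11+ Mac you would pass "$(csrutil status 2>/dev/null)" instead.
ea_result "$SIP_ENABLED"
ea_result "$SIP_DISABLED"
ea_result "$SIP_CUSTOM"
ea_result ""
```

Because awk exits on the first status line, stray trailing lines never reach the result, and a distinct "custom" value lets a smart group flag Macs whose SIP was partially relaxed.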
Posted on 02-18-2016 11:03 AM
Hi guys -
Just wanted to throw in my 2¢ here as I created an Extension Attribute for this as well...
1) I believe the OS version check isn't really necessary as OS X prior to 10.11 does not include the csrutil binary. I think this is probably sufficient:
#!/bin/bash
csrstatus=$(/usr/bin/csrutil status | /usr/bin/awk '{print $NF}')
if [ "$csrstatus" = "" ]
then
echo "<result>Not Supported</result>"
else
echo "<result>$csrstatus</result>"
fi
Also, I feel in an EA that dot at the end is mostly harmless, but, if you really want to get rid of it you might want to escape it in the sed command as the . is a special character to sed (it should work either way...)
#!/bin/bash
csrstatus=$(/usr/bin/csrutil status | /usr/bin/awk '{print $NF}' | /usr/bin/sed 's/\.//g')   # \. matches a literal period; an unescaped . deletes every character
if [ "$csrstatus" = "" ]
then
echo "<result>Not Supported</result>"
else
echo "<result>$csrstatus</result>"
fi
Lastly, @donmontalvo you may be seeing extra lines because you have netboot servers defined? I remember testing a csrutil Extension Attribute during the 10.11 beta & it gave some strange output having to do with csrutil configuration options - parsing the output was not as simple as it is now in the finalized version. Unless I'm mistaken the netboot options are really the only ones that can still be set.
Posted on 02-23-2016 09:50 AM
@brock.walters I am thinking about adding a SIP extension attribute as well and in trying the csrutil command as written in your script it seems to be returning nothing at all on Macs running OS X 10.11. Shouldn't you be redirecting only errors using unixcommand 2> /dev/null?
#!/bin/bash
csrstatus=$(/usr/bin/csrutil status 2> /dev/null | /usr/bin/awk '{print $NF}' | /usr/bin/sed 's/\.//g')   # \. matches a literal period; an unescaped . deletes every character
if [ "$csrstatus" = "" ]
then
echo "<result>Not Supported</result>"
else
echo "<result>$csrstatus</result>"
fi
Posted on 02-23-2016 11:18 AM
Hi @spalmer -
Thanks for pointing this out. I pasted a version of the script to my post in which I was suppressing the error message for the csrutil binary not being present for testing out of an abundance of caution. Apologies.
The error message output shouldn't have any impact on populating the Extension Attribute if the binary is not present. The screen shot above was captured on a computer running OS X 10.10.5. The screen shot below was captured on OS X 10.11.3
I have edited my 1st post & removed the /dev/null statement. Thanks & happy Extension Attributing!
Posted on 02-23-2016 12:47 PM
SIP status is stored in NVRAM, it can also be checked with:
nvram -p | awk '/csr-active-config/'
or possibly for just the value itself:
nvram -p | awk '/csr-active-config/ {print $NF}'
You will get results along the lines of w%00%00%00
If the NVRAM value is empty it defaults to ENABLED on 10.11
Posted on 02-23-2016 01:03 PM
As per usual there are often multiple paths to an objective & as long as it's working I like yours because it's shorter! There were several changes to the way the nvram options functioned during the OS X 10.11 beta so I guess that would be my only concern with using your method - it's possible the nvram options might change again. csrutil is the newest & (seemingly) dedicated binary for SIP. Thanks!
Posted on 02-23-2016 04:15 PM
@brock.walters
Yes, my actual usage came about from the fact we use rEFInd on dual boot machines and it has a function to adjust the SIP value, but only if it is populated in nvram so it was relevant for us as to how it was determining it was enabled (you get this situation when you do a PRAM reset for example).
Posted on 03-01-2016 01:28 PM
Thanks guys for all the input, here is what we finalized on:
#!/bin/sh
OSMajorVersion=`sw_vers -productVersion | cut -d '.' -f 1,2`
if [ "$OSMajorVersion" == "10.11" ] ; then
echo "<result>`csrutil status | awk '{ print $5; exit }' | sed 's/.$//'`</result>"
else
echo "<result>NotElCapitan</result>"
fi
Works like a charm!
Don
Posted on 03-02-2016 02:01 AM
You're not actually using the "OSVersion" line, just the "OSMajorVersion" so you could remove that happily and not notice.
Posted on 07-06-2016 08:27 PM
@franton sorry for the late reply, removed the line, thanks!