EA question (Check SIP status)

donmontalvo
Esteemed Contributor III

I'm embarrassed to say, not sure how to have this "Check SIP status" EA to only proceed if OS version is 10.11*.

#!/bin/sh
# Report SIP status when the csrutil binary exists (10.11 and later), otherwise flag the Mac.
if [ -e /usr/bin/csrutil ]; then
    # $5 is the status word ("enabled." / "disabled."); sed drops the trailing period
    echo "<result>`csrutil status | awk '{ print $5 }' | sed 's/.$//'`</result>"
else
    echo "<result>NotElCapitan</result>"
fi

Proceeding based on existence of /usr/bin/csrutil works but seems kludgy and convoluted.

How do we run the "if" statement to check for 10.11* before proceeding?

TIA,
Don

--
https://donmontalvo.com
2 ACCEPTED SOLUTIONS

jkuo
Contributor

Hey @donmontalvo ,

To check for the OS version, you can do this:

OSVersion=`sw_vers -productVersion`
OSMajorVersion=`sw_vers -productVersion | cut -d '.' -f 1,2`

Then, within your script, you can proceed only if you have a version of 10.11 or higher:

# POSIX test uses a single "=" for string comparison (works under /bin/sh as well as bash)
if [ "$OSMajorVersion" = "10.11" ] ; then
     echo "<result>`csrutil status | awk '{ print $5 }' | sed 's/.$//'`</result>"
else
     echo "<result>NotElCapitan</result>"
fi

Hope that helps!

Jason


kstrick
Contributor III

Funny, I just did this....

only real difference between mine and @jkuo's is that mine looks for "OS is Greater than Yosemite", so should theoretically work with OS 10.12 LA River. :D

#!/bin/bash

# osvers is the second dotted component of the product version (the "11" in 10.11.3)
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# anything newer than 10.10 (Yosemite) has csrutil
if [[ ${osvers} -gt 10 ]]; then
    # gsub strips the trailing period from the status word before printing it
    echo "<result>`csrutil status | awk '{gsub(/.$/,"");print $5}'`</result>"
else
    echo "<result>Not Supported</result>"
fi
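As an added example (not code from either answer above), here is a version gate that compares the major and minor numbers as integers instead of testing the "10.x" string for equality or looking at the minor number alone. It goes beyond the thread in also accepting 10.12 and later and a version with no minor component. The version strings in the loop are constructed; a real EA would pass "$(sw_vers -productVersion)".

```shell
#!/bin/sh
# Added example, not code from the thread: gate on "10.11 or later" by
# comparing the version's major and minor numbers numerically.
# The version strings fed in below are constructed for the example.

# os_at_least MAJOR MINOR VERSION: succeed when VERSION >= MAJOR.MINOR
os_at_least() {
    want_major=$1
    want_minor=$2
    have_major=$(printf '%s\n' "$3" | cut -d. -f1)
    have_minor=$(printf '%s\n' "$3" | cut -s -d. -f2)   # -s: empty when there is no "."
    [ -n "$have_minor" ] || have_minor=0                  # "11" means 11.0
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    fi
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# The gate the thread is after: a string the EA script can branch on.
# On a real Mac the "run csrutil" branch is where csrutil status would be parsed.
sip_gate() {
    if os_at_least 10 11 "$1"; then
        echo "run csrutil"
    else
        echo "<result>NotElCapitan</result>"
    fi
}

# Constructed sample versions: a string compare would put 10.9 after 10.11.
for v in 10.9.5 10.10.5 10.11 10.11.3 10.12 11.1; do
    echo "$v: $(sip_gate "$v")"
done
```

The numeric compare is what makes 10.9.5 sort below 10.11 (as a string, "10.9" is greater than "10.11") and keeps the EA working when the minor number rolls past 11.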


19 REPLIES

gachowski
Valued Contributor III

Has anybody asked Apple to have csrutil keep track of the number of times SIP has been disabled and re-enabled?

I kinda feel that if SIP has ever been turned off, the Mac is no longer secure.

C

donmontalvo
Esteemed Contributor III

@jkuo and @kstrick, this is awesome, both work, we went with the latter so we (hopefully) won't need to touch it as much. :)

@gachowski hmmm....on a test 10.11 Mac one thing I noticed is that "enabled" didn't prevent me from writing to /Applications/Utilities or /usr/local. I'll check again when I get a chance. I remember enabling/disabling SIP during testing on the Mac.

--
https://donmontalvo.com

cdev
Contributor III
hmmm....on a test 10.11 Mac one thing I noticed is that "enabled" didn't prevent me from writing to /Applications/Utilities or /usr/local. I'll check again when I get a chance. I remember enabling/disabling SIP during testing on the Mac.

Those locations aren't blocked by SIP. Per Apple, restrictions are:

System-Only Locations
/bin
/sbin
/usr
/System
/Applications/Utilities

In contrast, the following directories are available to any process:

Locations Available to Developers
/usr/local
/Applications
[~]/Library

All directories in /usr except for /usr/local are restricted to the system. Apple app directories in /Applications are restricted to the system.

mm2270
Legendary Contributor III

/Applications/Utilities/ is protected by SIP. @donmontalvo are you saying you could still write to that location with SIP confirmed to be on?

rtrouton
Release Candidate Programs Tester

/Applications/Utilities/ is not protected by SIP, though the Apple-installed applications inside that directory are SIP-protected. That appears to be a mistake in the documentation, and I've filed a bug report for it:

http://www.openradar.me/radar?id=6126412251529216

Apple has a KBase article which was posted on ElCap's release day that correctly lists what's protected and what's not:

https://support.apple.com/HT204899


mm2270
Legendary Contributor III

Thanks for the clarification on that @rtrouton. It was indeed confusing the way it had been published originally. Good to know we can still deploy any custom apps into Utilities. Just can't touch the Apple provided ones.

donmontalvo
Esteemed Contributor III

Anyone know why this would show up on some 10.11.3 computers?

$ csrutil status | awk '{ print $5 }' | sed 's/.$//'
enable









configuration

10 line returns after enabled, and then configuration shows up for some reason.

Don

--
https://donmontalvo.com

mm2270
Legendary Contributor III

@donmontalvo Not sure, but maybe try one of the following to prevent getting unwanted lines in the output.

csrutil status | awk '/Protection status/{ print $NF }' | sed 's/.$//'

or

csrutil status | awk '{ print $5; exit }' | sed 's/.$//'

The problem with simply telling awk to print $5 or any column is that if that column number shows up more than once in the output its receiving, it will print ALL column 5's, or whatever. Best to use awk's regex matching to only have it look at the line you care about, or, if you're certain the first line it encounters has the information you need, use the exit to have it stop once it prints that first result.
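To show the difference concretely, here is an added example (not code from the post above) that runs the thread's original pipeline and an anchored one over two constructed csrutil outputs: a plain "enabled." line and a custom-configuration variant modelled on what 10.11 prints, which has the shape of the "enable ... configuration" output reported earlier. Neither output was captured from a Mac.

```shell
#!/bin/sh
# Added example, not code from the thread: why "awk '{ print $5 }'" can emit
# several lines, and how anchoring awk on the line that carries the status
# avoids it. Both outputs below are constructed for this example.

# A Mac with SIP simply enabled: one line, five fields.
CLEAN_OUTPUT='System Integrity Protection status: enabled.'

# A Mac with a custom SIP configuration: many lines, and the last one also
# has a fifth field ("configuration,"), so the naive pipeline prints it too.
VERBOSE_OUTPUT='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

# The thread's original pipeline: every input line yields one output line
# (empty when the line has fewer than five fields), and sed removes the last
# character of each, whatever it is.
naive_parse() {
    printf '%s\n' "$1" | awk '{ print $5 }' | sed 's/.$//'
}

# Anchored pipeline: only the "Protection status" line is considered, awk
# exits after printing, and the status word is cut at the first character
# that is not a lowercase letter, so "enabled." and "enabled (Custom
# Configuration)." both reduce to "enabled".
anchored_parse() {
    printf '%s\n' "$1" | awk '/Protection status:/ { sub(/[^a-z].*$/, "", $5); print $5; exit }'
}

# Number of lines a parser emits for a given output (an EA wants exactly 1).
line_count() {
    "$1" "$2" | wc -l | tr -d ' '
}

echo "naive on clean output:      $(naive_parse "$CLEAN_OUTPUT")"
echo "naive on verbose output:    $(line_count naive_parse "$VERBOSE_OUTPUT") lines"
echo "anchored on clean output:   $(anchored_parse "$CLEAN_OUTPUT")"
echo "anchored on verbose output: $(anchored_parse "$VERBOSE_OUTPUT")"
```

On the verbose output the naive pipeline's first line is "enable" (the first line's fifth field has no period, so sed eats the "d") and its last line is "configuration", with blank lines in between; the anchored pipeline returns a single "enabled" for both inputs.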

brock_walters
Contributor

Hi guys -

Just wanted to throw in my 2¢ here as I created an Extension Attribute for this as well...

1) I believe the OS version check isn't really necessary as OS X prior to 10.11 does not include the csrutil binary. I think this is probably sufficient:

#!/bin/bash
csrstatus=$(/usr/bin/csrutil status | /usr/bin/awk '{print $NF}')
if [ "$csrstatus" = "" ]
then
    echo "<result>Not Supported</result>"
else
    echo "<result>$csrstatus</result>"
fi

Also, I feel in an EA that dot at the end is mostly harmless, but, if you really want to get rid of it you might want to escape it in the sed command as the . is a special character to sed (it should work either way...)

#!/bin/bash
# the period is escaped: an unescaped "." would match every character and empty the field
csrstatus=$(/usr/bin/csrutil status | /usr/bin/awk '{print $NF}' | /usr/bin/sed 's/\.//g')
if [ "$csrstatus" = "" ]
then
    echo "<result>Not Supported</result>"
else
    echo "<result>$csrstatus</result>"
fi

Lastly, @donmontalvo you may be seeing extra lines because you have netboot servers defined? I remember testing a csrutil Extension Attribute during the 10.11 beta & it gave some strange output having to do with csrutil configuration options - parsing the output was not as simple as it is now in the finalized version. Unless I'm mistaken the netboot options are really the only ones that can still be set.
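Added example (not code from the posts above) covering the two points just made: what an unescaped "." does in sed, and an EA that needs no OS-version test because it reports "Not Supported" whenever the csrutil binary is absent or prints nothing. The command to run is a parameter of the function, an assumption made here so it can be exercised against a constructed stand-in; a real EA would pass /usr/bin/csrutil.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows that 's/.//g' empties the
# field (any character matches) while 's/\.//g' removes only periods, and
# an EA that reports "Not Supported" when csrutil is missing or silent.
# The command to run is a parameter (assumption for this example).

strip_period_wrong() { printf '%s\n' "$1" | sed 's/.//g'; }   # "." = any char: deletes everything
strip_period_right() { printf '%s\n' "$1" | sed 's/\.//g'; }  # "\." = a literal period

# True when CMD is a shell function, a command on PATH, or an executable path.
have_cmd() {
    case "$1" in
        */*) [ -x "$1" ] ;;
        *)   command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# sip_ea_result [CMD]: print the EA <result> for the csrutil-like command CMD.
sip_ea_result() {
    cmd=${1:-/usr/bin/csrutil}
    if ! have_cmd "$cmd"; then
        printf '<result>Not Supported</result>\n'
        return 0
    fi
    # 2>/dev/null keeps error text out of the pipeline; awk anchors on the
    # status line and takes its last field; sed strips the trailing period.
    status=$("$cmd" status 2>/dev/null | awk '/Protection status:/ { print $NF; exit }' | sed 's/\.$//')
    if [ -z "$status" ]; then
        printf '<result>Not Supported</result>\n'
    else
        printf '<result>%s</result>\n' "$status"
    fi
}

# Constructed stand-ins for csrutil so the example runs on any system.
fake_csrutil_enabled()  { echo 'System Integrity Protection status: enabled.'; }
fake_csrutil_disabled() { echo 'System Integrity Protection status: disabled.'; }

echo "wrong sed:         [$(strip_period_wrong 'enabled.')]"
echo "right sed:         [$(strip_period_right 'enabled.')]"
echo "missing binary:    $(sip_ea_result /nonexistent/csrutil)"
echo "stand-in enabled:  $(sip_ea_result fake_csrutil_enabled)"
echo "stand-in disabled: $(sip_ea_result fake_csrutil_disabled)"
```

With the unescaped pattern the EA would report "Not Supported" on every Mac, including 10.11 ones with csrutil present, because the status string is deleted before the emptiness check.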

spalmer
Contributor III

@brock.walters I am thinking about adding a SIP extension attribute as well and in trying the csrutil command as written in your script it seems to be returning nothing at all on Macs running OS X 10.11. Shouldn't you be redirecting only errors using unixcommand 2> /dev/null?

#!/bin/bash
# stderr is discarded so an error from a missing binary never reaches the pipeline;
# the period in the sed pattern is escaped so only a literal "." is removed
csrstatus=$(/usr/bin/csrutil status 2> /dev/null | /usr/bin/awk '{print $NF}' | /usr/bin/sed 's/\.//g')
if [ "$csrstatus" = "" ]
then
    echo "<result>Not Supported</result>"
else
    echo "<result>$csrstatus</result>"
fi

brock_walters
Contributor

Hi @spalmer -

Thanks for pointing this out. I pasted a version of the script to my post in which I was suppressing the error message for the csrutil binary not being present for testing out of an abundance of caution. Apologies.

[screenshot]

The error message output shouldn't have any impact on populating the Extension Attribute if the binary is not present. The screen shot above was captured on a computer running OS X 10.10.5. The screen shot below was captured on OS X 10.11.3

[screenshot]

I have edited my 1st post & removed the /dev/null statement. Thanks & happy Extension Attributing!

Look
Valued Contributor III

SIP status is stored in NVRAM, it can also be checked with:

nvram -p | awk '/csr-active-config/'

or possibly for just the value itself:

nvram -p | awk '/csr-active-config/ {print $NF}'

You will get results along the lines of w%00%00%00
If the NVRAM value is empty it defaults to ENABLED on 10.11

brock_walters
Contributor

As per usual there are often multiple paths to an objective & as long as it's working I like yours because it's shorter! There were several changes to the way the nvram options functioned during the OS X 10.11 beta so I guess that would be my only concern with using your method - it's possible the nvram options might change again. csrutil is the newest & (seemingly) dedicated binary for SIP. Thanks!

Look
Valued Contributor III

@brock.walters
Yes, my actual usage came about from the fact we use rEFInd on dual boot machines and it has a function to adjust the SIP value, but only if it is populated in nvram so it was relevant for us as to how it was determining it was enabled (you get this situation when you do a PRAM reset for example).

donmontalvo
Esteemed Contributor III

Thanks guys for all the input, here is what we finalized on:

#!/bin/sh

# "10.11" from e.g. "10.11.3"
OSMajorVersion=`sw_vers -productVersion | cut -d '.' -f 1,2`

# single "=" is the POSIX string comparison for /bin/sh
if [ "$OSMajorVersion" = "10.11" ] ; then
    # "exit" makes awk stop after the first line, so extra configuration lines are never printed
    echo "<result>`csrutil status | awk '{ print $5; exit }' | sed 's/.$//'`</result>"
else
    echo "<result>NotElCapitan</result>"
fi

Works like a charm!

Don

--
https://donmontalvo.com

franton
Valued Contributor III

You're not actually using the "OSVersion" line, just the "OSMajorVersion" so you could remove that happily and not notice.

donmontalvo
Esteemed Contributor III

@franton sorry for the late reply, removed the line, thanks!

--
https://donmontalvo.com