SilentKnight, LockRattler and silnite: which should you use?

By far the most popular of my free apps are SilentKnight and LockRattler, both of which check the installed firmware version and a wide range of security-related features, including Gatekeeper, XProtect and MRT versions. This article explains a bit more about each of them, and a third similar utility, silnite, which is the underused command tool equivalent of SilentKnight.

The oldest of the three is LockRattler, which I developed when a whole batch of brand new MacBook Pros were delivered to users with SIP disabled. I realised that there wasn’t any easy way to check key security settings, or how up-to-date the macOS security tools were.


LockRattler covers all the key items, but doesn’t tell you whether any of the version numbers it discovers is up to date – it leaves you to interpret its results. It does have convenient buttons which will display pages from this blog, from which you can work out whether your firmware is up-to-date, and the security data file versions too.


With LockRattler proving very popular, I was wrestling with the problem of firmware version numbers and updates. As working out whether your Mac has the latest firmware installed can be fairly complex, it occurred to me that I could set up a database and a new app could look them up for you: so SilentKnight was next in line. This covers most of the same features as in LockRattler, but spares you the trouble of looking any of them up to see if they’re correct.

Some sysadmins realised that being able to perform the same checks in SilentKnight remotely, on networked Macs, would be useful. They twisted my arm, and I turned the heart of the app into a command tool, silnite. For anyone wanting to run the same checks from Terminal’s command line, it should prove ideal.

silnite runs either of two checksets: with the a option, it runs the whole suite; with b it only does the basics. It returns the results in one of two forms: with no added option, they come back as lines of text including handy emoji; with the x option, they’re returned as a JSONised property list, ready for incorporation into databases, etc. There are also a couple of options to control checking for and downloading of available updates.

Run plain
silnite
and you’ll get a result something like
{
EFIV = "1037.147.4.0.0 (iBridge: 17.16.16610.0.0,0)";
FileVault = 1;
GateUpdate = "2019-08-26 16:57:09 +0000";
GateVer = 181;
GatekeeperDEV = "8.0";
GatekeeperV = 181;
KEXTV = "15.6.1";
MRTUpdate = "2020-08-20 21:39:05 +0000";
MRTV = "1.66";
MRTVer = "1.66";
MacModel = "iMacPro1,1";
SIP = 1;
TCCUpdate = "2019-06-05 04:49:18 +0000";
TCCV = "150.19";
TCCVer = "17.0";
XPro = 1;
XProtectV = 2129;
XproUpdate = "2020-08-20 21:39:05 +0000";
XproVer = 2129;
macOS = "Version 10.15.6 (Build 19G2021)";
}

which is equivalent to the explicit command
silnite bmx
Those are the basic checks, without any check for available updates, returned in XML format. Note that silnite’s options aren’t specified with a hyphen, just the bare letters.
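As an added example (not part of silnite or the original article), this Python parser reads the property-list style output shown above and lists any of the three on/off protections that are not reported as 1. It assumes that SIP, FileVault and XPro use 1 for enabled, as the text output for the same Mac suggests; the sample is a constructed excerpt of the output above with SIP changed to 0.

```python
import re

# One "key = value;" entry per line; values are either bare or double-quoted.
ENTRY = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|([^;]*?))\s*;\s*$')

# Assumption: these keys report 1 when the protection is enabled.
REQUIRED_ON = ("SIP", "FileVault", "XPro")


def parse_silnite(text):
    """Return a dict of the key/value pairs in silnite's default output."""
    result = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # the enclosing "{" and "}" lines simply do not match
            key, quoted, bare = m.groups()
            result[key] = quoted if quoted is not None else bare
    return result


def disabled_protections(report):
    """List required protections that are missing or not reported as 1."""
    return [key for key in REQUIRED_ON if report.get(key) != "1"]


# Constructed sample: excerpt of the output above, with SIP changed to 0.
SAMPLE = '''{
EFIV = "1037.147.4.0.0 (iBridge: 17.16.16610.0.0,0)";
FileVault = 1;
MacModel = "iMacPro1,1";
SIP = 0;
XPro = 1;
XProtectV = 2129;
macOS = "Version 10.15.6 (Build 19G2021)";
}'''

if __name__ == "__main__":
    report = parse_silnite(SAMPLE)
    print(report["MacModel"], "disabled:", disabled_protections(report))
```

A missing key is treated the same as a disabled protection, so truncated output from a remote Mac is flagged rather than passed.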

Another example is
silnite a
which returns something like
Mac model iMacPro1,1
EFI version found 1037.147.4.0.0 (iBridge: 17.16.16610.0.0,0); expected 1037.147.4.0.0 iBridge 17.16.16610.0.0
✅ EFI firmware appears up to date.
✅ XProtect 2129 should be 2129
✅ Gatekeeper 181, 8.0 should be 181, 8.0
✅ MRT 1.66 should be 1.66
✅ TCC 150.19 should be 150.19
✅ KEXT 15.6.1 should be 15.6.1
✅ System Integrity Protection status: enabled.
✅ XProtect assessments enabled
✅ FileVault is On.
No update available.
macOS Version 10.15.6 (Build 19G2021)
XProtect 2020-08-20 21:39:05 +0000 : 2129
Gatekeeper 2019-08-26 16:57:09 +0000 : 181
MRT 2020-08-20 21:39:05 +0000 : 1.66
TCC 2019-06-05 04:49:18 +0000 : 17.0

Those are the full checks in text format.

Being a command tool, this can be run remotely, or automatically once a day perhaps, as you wish.
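For a scheduled run, this added example (not code from silnite or the article) reads the full text output shown above and compares the found and expected values on each "should be" line itself, so the job does not depend on the emoji. The sample is constructed from that output with the MRT line altered to show a mismatch; its leading marker is omitted because the page does not show what silnite prints for a failed check.

```python
import re

# "<name> <found> should be <expected>", optionally preceded by a marker
# such as the emoji in silnite's text output.
CHECK = re.compile(r'^\W*(\w+) (.+?) should be (.+)$')


def version_mismatches(text):
    """Map each component whose found value differs from the expected one
    to a (found, expected) pair; lines without "should be" are ignored."""
    mismatches = {}
    for line in text.splitlines():
        m = CHECK.match(line.strip())
        if not m:
            continue
        name, found, expected = (part.strip() for part in m.groups())
        if found != expected:
            mismatches[name] = (found, expected)
    return mismatches


# Constructed sample based on the output above; the MRT line is altered.
SAMPLE_TEXT = """Mac model iMacPro1,1
✅ XProtect 2129 should be 2129
✅ Gatekeeper 181, 8.0 should be 181, 8.0
MRT 1.65 should be 1.66
✅ TCC 150.19 should be 150.19
✅ KEXT 15.6.1 should be 15.6.1
No update available.
"""

if __name__ == "__main__":
    for name, (found, expected) in version_mismatches(SAMPLE_TEXT).items():
        print(f"{name}: found {found}, expected {expected}")
```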

silnite is now available in version 5, which is a Universal binary, and runs native on all versions of macOS from El Capitan to Big Sur betas, and on both Intel and Apple Silicon Macs. That’s particularly important with command tools, as the last thing that you want on your shiny new Apple Silicon system is for a call to any command to have to wait for Rosetta 2 to translate an Intel binary to run on ARM processors.

I’ve already explained how mixing Intel-only apps and tools can pose problems: it’s far better on an Apple Silicon system to run a complete calling chain using a single architecture where you can. This update now makes this possible.

SilentKnight, LockRattler and silnite are all available from their Product Page.

One final note. All these and almost all my other free apps and tools are now available in both Universal form, and in the previous release as Intel-only apps. Many of them use my auto-update mechanism which checks whether the version you’re running is the latest. If you opt to keep the previous Intel-only release instead of updating to the Universal App, that mechanism will prompt you once a day to download and install the Universal version.

To disable this auto-update check, so that you can continue running the Intel-only version, you’ll need to change the preferences of that app in Terminal. For example, to disable SilentKnight’s auto-update, enter the line
defaults write co.eclecticlight.SilentKnight noUpdateCheck true
Other apps are similar, but you’ll need to substitute the correct app ID. This is explained in the documentation accompanying each app which uses this auto-update system.

The disadvantage in doing this is that you will, of course, have to watch for future updates to be announced here. I don’t intend offering any more Intel-only updates in future, as that would quickly become too confusing. In case you’re wondering whether this means that you’ll waste lots of space with Universal apps, the amount required is actually very small: around 200-300 KB for each of my apps, although that will be larger with full-sized apps such as Pages and Word. So there’s no real disadvantage to running these Universal App versions of my small utilities. The main reason for retaining access to Intel-only versions here is in case you experience any problems with Universal versions.