hoakley January 29, 2024 Macs, Technology, Updates

Skint will keep a quiet eye on your Mac’s key settings

As I promised yesterday, I’m delighted to offer you a first release of my new, free app Skint, a companion for SilentKnight.

SilentKnight is great for thoroughly checking your Mac’s security data updates, installing them when necessary, and checking out everything from its firmware to detailed security settings specific to Apple silicon Macs. While I normally run SilentKnight at least a couple of times every day, most of the details it checks aren’t going to change very often, neither should you need to look for security data updates as often.

Skint can be run in two ways:

open Skint whenever you want to check that all is well with your Mac, then quit it;
leave Skint running, and it will automatically run a fresh set of checks roughly every 24 hours for you; you can add it as a Login Item if you wish.

I believe from my testing that this first version of Skint works well internally, but it has a basic interface, and I will be enhancing that in the coming weeks, adding a custom Dock icon that changes colour according to Skint’s results, and a widget you can add to your Mac’s desktop (in Sonoma). This is why Skint’s app icon is currently a dull grey, as that’s intended to be its base colour, replaced with red, amber or green according to the latest results.

Skint checks the following features, whether:

SIP is enabled
the SSV is enabled
Gatekeeper/XProtect checks are enabled
XProtect is up to date
XProtect Remediator is up to date
Skint itself is up to date
the installed macOS is up to date for its major version
XProtect Remediator scans are recorded in the log over the last 36 hours, and whether they reported anything abnormal.

From my experience, those are the key settings that are essential security protection, but can become changed during use. If those are all in order, Skint shows a green traffic light; if there are minor issues that merit your attention, it will display amber (orange), and for serious problems that need to be addressed, it shows red. For those with limited colour vision, the Dock icons I have designed incorporate symbols that should allow you to distinguish easily between them.

Skint isn’t a nanny: if your Mac is still running Monterey or Ventura, it won’t try to persuade you to upgrade to Sonoma, but will check that macOS is up to date with its security updates. As it doesn’t have anything to do with Apple’s servers or software updates, it carries no risk of triggering notifications or downloads for macOS.

Skint’s sole source of information about macOS versions and updates is a property list stored on my GitHub, that you can inspect for yourself. Each time it runs its checks, it downloads that small property list, and checks your Mac against its contents. As with my other software, that’s performed anonymously, and no data is transferred from your Mac to the GitHub server, or anywhere else, other than the request for that property list.

There are two hidden preference settings used by Skint that you can alter yourself, using a Property List editor on co.eclecticlight.Skint.plist in your Home folder’s Library/Preferences folder:

updateCheckInt, a real number, normally contains the value 86400, which is the number of seconds between Skint’s checks. That default is 24 hours, and can be reduced as low as 1 second if you really want.
updateCheckTol, another real number, normally contains the value 300, which is the number of seconds tolerance allowed for its timer, in that case a default of 5 minutes. Again, you can reduce that to 1 second at a minimum.

Skint is only 2.5 MB on disk, takes less than 30 MB of memory, uses no CPU in between its checks, uses App Nap, and doesn’t prevent your Mac from sleeping.

The first version of Skint is now available from here alone: skint1
I will add it to the SilentKnight Product Page in due course.

I look forward to hearing what you think of it, and how its interface should develop.

Postscript: Bug with dual- and multi-boot systems

Thanks to all those who have tried out this first release of Skint, particularly those who have run it on dual- or multi-boot systems, where they have demonstrated a bug. When presented with more than one mounted boot volume group, Skint isn’t able to discover whether the current system is a proper signed system volume (SSV), and incorrectly reports that it isn’t. I have already prepared a fix for this, which I am currently testing in version 1.01, hopefully to be released here on Thursday. Please bear with me.

51Comments

Add yours

1

EcleX on January 29, 2024 at 8:12 am
Reply

Many thanks!

LikeLiked by 1 person
2

Graham on January 29, 2024 at 8:32 am
Reply

Many thanks for this tool Howard, it’ll be a very useful addition to many Mac users’ toolset.

I wondered if you considered referring directly to Apple’s software catalog rather than maintaining your own GitHub page? I don’t know if you automate the updating of your GitHub page to stay in sync with Apple’s software update catalog. If so, then the only factors in favour of using ASU are removing the risk of GitHub being down or your automation failing. But if you are not automating it, then the recentness of the data provided to Skint (and SK) relies on your manual updates.

I happen to have written about the options for reporting XProtect status in the enterprise just last month, for use with management systems. This compares the use of silnite with the direct interrogation of Apple’s software update catalogs. If you’re interested, take a look at https://grahamrpugh.com/2023/12/06/xprotect-version-check.html

LikeLiked by 2 people
- 3
  
  hoakley on January 29, 2024 at 9:53 am
  Reply
  
  Thank you.
  My GitHub page is fully manual. Until I can locate, download and install an update nothing changes for SilentKnight. I don’t think minutes are critical here: anyone who runs SilentKnight will be informed of the updates available to them at that moment. There’s no point in telling people that there’s an update available via the catalogue when they can’t see and download it themselves. Not only that, but it allows me to verify whether the update installs correctly, and to provide an analysis of what it contains.
  Thank you for the article you wrote. I’m still a bit surprised that SilentKnight and silnite are the only two games in town, although they aren’t easy to maintain and support, and would hardly be profitable commercial products.
  I’m hoping that, with a bit more work on its interface, Skint might allow more to use SilentKnight less. Not that I’m complaining, but for most I think Skint is closer to the need.
  Howard.
  
  LikeLike
  - 4
    
    macitpros on January 29, 2024 at 2:31 pm
    Reply
    
    Thanks for this Howard! Are there any plans on making Skint a CLI tool? Besides “clint” having a nice ring, this would be great to use with reporting-only tools. Like Graham wrote above, verifying if Xprotect is up-to-date is essential. The other information this new tool is providing is also important to verify. I can see a CLI version of Skint running hourly via a LaunchAgent or other agent reporting to a central location.
    
    Regarding…
    “I’m still a bit surprised that SilentKnight and silnite are the only two games in town”
    … they do a great job of performing multiple checks of essential pieces of information that would typically take trips to various locations or multiple commands to gather.
    
    Many thanks for all you do Howard!
    
    LikeLiked by 1 person
    - 5
      
      hoakley on January 29, 2024 at 4:55 pm
      
      Thank you.
      Have thought of using
      silnite bmj
      ? That returns pretty well everything that Skint does and more, in JSON format. I’m also not sure why anyone would need to run these hourly: even XProtect doesn’t normally get updated more frequently than once a week, and it and XPR are normally on a 2+ week update cycle.
      Howard.
      
      LikeLike
6

nihilistischesabhoerkommando on January 29, 2024 at 11:32 am
Reply

Thanks for this easy tool and thanks for all your other indispensible tools. But I think, you need an interface designer. Why is the color field not centered or as wide as the window? And why can I click it and change the color? 😁

LikeLiked by 1 person
- 7
  
  hoakley on January 29, 2024 at 12:34 pm
  Reply
  
  Thank you.
  To quote my words above: “it has a basic interface, and I will be enhancing that in the coming weeks, adding a custom Dock icon that changes colour according to Skint’s results, and a widget you can add to your Mac’s desktop (in Sonoma).”
  “Why is the color field not centered or as wide as the window?”
  Because to the left of the Colour Well (the correct name for it) is an area used by the busy spinner. If I made the Colour Well full width, not only would it look overbearing (aesthetics), but you wouldn’t be able to see the busy spinner when it’s in use.
  “why can I click it and change the color?”
  Because if you couldn’t, then you wouldn’t be able to complain about it. Now stop clicking controls that you don’t understand 🙂
  Seriously, I want to minimise the window altogether, but need to work out a better way of delivering the text information. The Colour Well will vanish once Skint can change the colour of its Dock icon. But those interface things are a bit fiddly, and need experiment and thought, which take time. I’d rather get this out for folk to use now than wait several weeks, maybe, before the interface is finalised.
  Howard.
  
  LikeLike
- 8
  
  hoakley on January 29, 2024 at 5:00 pm
  Reply
  
  You’ll be pleased to learn that in version 1.01, I’m closing off that Easter Egg, and you won’t be able to make the Colour Well purple any more.
  Howard.
  
  LikeLike
9

mikebhm on January 29, 2024 at 12:48 pm
Reply

Skint1 says I have SSV disabled. How did that happen and how do I enable it? thanks.

Running 14.3 on a M2 MBA.

LikeLiked by 1 person
- 10
  
  hoakley on January 29, 2024 at 12:49 pm
  Reply
  
  Have you run SilentKnight, which will give a fuller report?
  Howard
  
  LikeLike
  - 11
    
    mikebhm on January 29, 2024 at 12:53 pm
    Reply
    
    SilentKnight shows everything as green and up to date, including SSV enabled.
    
    LikeLiked by 1 person
    - 12
      
      hoakley on January 29, 2024 at 12:55 pm
      
      Thank you.
      If you could run the following command in Terminal I’d be most grateful, please:
      csrutil authenticated-root status
      That’s the architecture-agnostic command that should reveal the SSV status.
      Howard.
      
      LikeLike
13

mikebhm on January 29, 2024 at 12:59 pm
Reply

Last login: Fri Jan 26 23:18:38 on console
michaelb@MBA21-Dualboot ~ % csrutil authenticated-root status
This computer has several macOS installations:
1: MACINTOSH
2: APPLESEED

Pick a macOS installation (1..2): 2
Authenticated Root status: enabled
michaelb@MBA21-Dualboot ~ %

LikeLiked by 1 person
- 14
  
  hoakley on January 29, 2024 at 1:02 pm
  Reply
  
  Ah. That explains it, thank you. Unfortunately, Apple has also screwed up the method that SilentKnight uses, so it doesn’t work on Apple silicon Macs that are running a primary language other than English. I’ll have to go back to the drawing board on that one.
  Thank you so much for your report, and help.
  Howard.
  
  LikeLiked by 1 person
  - 15
    
    nudge on January 29, 2024 at 1:34 pm
    Reply
    
    Just in case you hadn’t thought of this way:
    
    /usr/bin/csrutil authenticated-root status &>/dev/null
    gives a non-zero return status ($?) whatever language is being used if SIP is not enabled
    
    I think, but then there’s the dual boot issue…
    
    LikeLiked by 1 person
    - 16
      
      hoakley on January 29, 2024 at 4:58 pm
      
      Thank you. That’s the call that Skint uses, but when there’s more than one boot volume group, it goes into interactive mode and doesn’t give a straight answer. I do have other ways of getting the info, at least on Apple silicon Macs, but they’re language dependent. I know, you’d have thought this sort of thing would have been straightforward, but it all ends in translating from 40+ languages. Ugh!
      Howard.
      
      LikeLike
17

mikebhm on January 29, 2024 at 1:05 pm
Reply

My primary language is “English UK”. I guess that is different from plain “English” ?

LikeLiked by 1 person
- 18
  
  hoakley on January 29, 2024 at 1:10 pm
  Reply
  
  No: it’s complicated, but it basically means that there’s no way of discovering on every Mac whether it does have the SSV enabled, not without either interacting in Terminal (as here), or translating the answer from French, German, Dutch, Danish, etc. (the route used in SilentKnight).
  Skint will work perfectly well for you, it’s just that it will continue to report that ‘bug’ each time. I will see if I can implement a workaround in the next day or two, but the last time I visited this for SilentKnight, I wasted weeks trying to get a better answer, and there came none.
  Howard.
  
  LikeLiked by 1 person
19

mikebhm on January 29, 2024 at 1:13 pm
Reply

Thanks, I will watch this space. As a big fan of SilentKnight I don’t really feel I have a need for Skint, but happy to test any updates.

LikeLiked by 1 person
- 20
  
  hoakley on January 29, 2024 at 1:31 pm
  Reply
  
  I’ll go for a more elaborate strategy, that should give a clear answer for the great majority of users. But if you’re dual-booting from a Mac with a primary language other than any variant of English, I don’t know of a way to get a straight answer from macOS.
  I rather hope that you’ll find Skint a simpler, lightweight alternative that does the checking for you, automatically.
  Howard.
  
  LikeLiked by 1 person
21

mikebhm on January 29, 2024 at 1:35 pm
Reply

I will give Skint a good try out. The key difference is the automatic element.

LikeLiked by 1 person
22

Jean-François Brodeur on January 29, 2024 at 1:42 pm
Reply

Hi, I received my daily e-mail from The Eclectic Light Company title: Skint will keep a quiet eye on your Mac’s key settings and decided to click on the shortcut to get the file, addly it created a loop and downloaded the .zip multiple time on my Firefox browser, it does not happen on my Google Chrome?
Thanks
Jean-François

LikeLiked by 1 person
- 23
  
  hoakley on January 29, 2024 at 1:45 pm
  Reply
  
  I apologise for this: the messages are generated automatically by WordPress, and sometimes do this.
  Please download from the article here, where the link works correctly.
  Howard
  
  LikeLike
24

rfog926695139 on January 29, 2024 at 1:45 pm
Reply

Wow! Wow! and Re-Wow! I had in my 2017 iMac disabled SIP and SSV!!!!!

LikeLiked by 1 person
- 25
  
  hoakley on January 29, 2024 at 4:56 pm
  Reply
  
  Thank you. That’s exactly why I’m so keen to get this utility right.
  Howard.
  
  LikeLike
26

prairiewalker on January 29, 2024 at 3:12 pm
Reply

I just ran Skint for the first time on my M1 iMac running 14.3.

And I get this result! How can SSV be dsisabled on my iMac? Where can I correct the situation?

Thanks Howard,

Larry Nolan

>

LikeLiked by 1 person
- 27
  
  hoakley on January 29, 2024 at 3:15 pm
  Reply
  
  Do you have multiple boot systems? If so, please look a few comments up and you’ll see this explained. I’m aiming to have a new release out on Wednesday.
  Howard
  
  LikeLike
  - 28
    
    prairiewalker on January 29, 2024 at 4:03 pm
    Reply
    
    Yes I do. I will dismount the other boot volumes and run again.
    
    LikeLiked by 1 person
  - 29
    
    prairiewalker on January 29, 2024 at 4:48 pm
    Reply
    
    Results:
    larry@Larry-iMacM1-71365 ~ % csrutil authenticated-root status
    This computer has several macOS installations:
    1: Backup SSD
    2: Macintosh HD
    
    Pick a macOS installation (1..2): 2
    Authenticated Root status: enabled
    
    LikeLiked by 1 person
    - 30
      
      hoakley on January 29, 2024 at 5:06 pm
      
      Thank you. A fix is on its way once I have tested it thoroughly.
      Howard.
      
      LikeLike
31

Enzo Vincenzo on January 29, 2024 at 3:38 pm
Reply

First of all, a great thank you! 🙂
Then I ask you if you can add a point in the Menu bar that stays green if everything is ok, otherwise it changes color. In this case a simple mouse click would allow to read any reports.
Also, for anyone who likes to only see the open applications in the Dock and not utilities, I’m wondering if you could add an option to toggle the icon in the Dock, as several utilities allow to do; for example some utilities for memory management or other (e.g. “Boom 3D”, etc.)

LikeLiked by 1 person
- 32
  
  hoakley on January 29, 2024 at 5:05 pm
  Reply
  
  Thank you.
  Unfortunately, putting apps in the menu bar has become rather more complicated than it used to be, and essentially needs a second, different app to do that. I’d rather go for a widget, as those are better supported, although they need an additional widget front end. They can be displayed in the widgets section of the menu bar, and in Sonoma put on the Desktop as well.
  Howard.
  
  LikeLiked by 1 person
33

Franz on January 29, 2024 at 6:26 pm
Reply

It seems like the time in Skint is set to UTC+00:00 regardless of the system’s time zone. (In my case UTC +1).

LikeLiked by 1 person
- 34
  
  hoakley on January 29, 2024 at 8:13 pm
  Reply
  
  That’s correct. Whatever date-time stamp is used, there are always problems somewhere. As the timer is based not on clock time, but a period of 24 hours, changes such as moving timezone and summer/daylight savings time only confuse. The only standard time that is robust to all the weird things we do with our clocks is GMT/UTC+0.
  I don’t think this makes so much difference with a desktop Mac, but for notebooks using local time quickly becomes confusing.
  Howard.
  
  LikeLike
35

rgl7194 on January 31, 2024 at 1:26 am
Reply

Hi Howard, thank you very much for Skint, as well as for all the other free utilities that you provide. Your site is a daily must-read for me.

I run just about everything in a user account, and rarely log in to my admin account. When I tried to launch Skint, it gives me the following message: “An error occurred: Skint can’t get logs unless you’re an admin user. Please switch to an admin account and try again.”

Is there a way to enable Skint to request admin privs and run properly in a user account, or does it absolutely have to run in an admin account?

Thanks, Roman

LikeLiked by 1 person
- 36
  
  hoakley on January 31, 2024 at 9:58 am
  Reply
  
  I’m sorry about that: Apple has locked the logs from access by non-admin accounts since they changed in Sierra.
  That would require a privileged helper tool, which is something of a fraught issue at present. I am looking at whether I could introduce that, but that’s only like to work with Sonoma and later.
  Howard.
  
  LikeLiked by 1 person
  - 37
    
    rgl7194 on January 31, 2024 at 6:12 pm
    Reply
    
    Hi Howard, thanks for the reply. I am running Sonoma, so if you do end up implementing the privileged helper tool, I will be a happy camper. 😉
    
    LikeLiked by 1 person
    - 38
      
      hoakley on January 31, 2024 at 6:16 pm
      
      It’s on my list of jobs for the next few weeks. Sadly, for a task that’s increasingly common, there’s remarkably little useful example code available. This upsets me, because the whole purpose of privileged helpers is to ensure security, but many are implemented with gaping vulnerabilities. I have several other places that I want to obtain elevated privileges to support significant features, so will be trying to get this right. I apologise for the delay.
      Howard.
      
      LikeLiked by 1 person
39

artiste212 on January 31, 2024 at 1:37 am
Reply

Thanks for another great app!

LikeLiked by 1 person
- 40
  
  hoakley on January 31, 2024 at 9:51 am
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
41

gofuse on February 1, 2024 at 6:34 pm
Reply

Thank you for your tools and so much good reads here. 🙏

Just some results for you.

MacStudio w/macOS 14.4 beta 1
——
macOS needs update.
Skint needs update.
XPR checks OK.
Completed at 2024-02-01T18_17_44Z

iMac Pro w/macOS 14.3
——
Skint needs update.
No updates needed.
XPR checks OK.
Completed at 2024-02-01T18_18_05Z

Mac Pro Trash Can w/OpenCore Legacy Patcher macOS 14.3
——
SIP disabled.
SSV disabled.
Skint needs update.
XPR checks OK.
Completed at 2024-02-01T18_18_53Z

LikeLiked by 1 person
- 42
  
  hoakley on February 1, 2024 at 7:56 pm
  Reply
  
  Thank you for those.
  I must admit I hadn’t thought about what to do about betas. As Skint works with version numbers and not strings, it wouldn’t be hard to allow (and perhaps note) a beta. Would that be better for you?
  When I next write about this, I must be careful to explain about OCLP too, lest I cause panic among its many happy users.
  Howard.
  
  LikeLike
  - 43
    
    gofuse on February 1, 2024 at 8:30 pm
    Reply
    
    I am not certain what you do or do not want to consider “valid” for the app’s POV. Since I have many Macs in various configurations and states of OS, I thought I share with you what your app is showing that happens to be on my desk now. I think your intent may be that whatever is current, officially from Apple is your reference point…maybe just stating that this is out of spec OS, but still report the data. I was expecting to see SIP and SSV disabled on OCLP, so you know, does the job. I wondered what beta would show, and there you have it.
    
    I don’t know what people think of OCLP, but being able to deploy older hardware for lower requirement duties is significant to extending the life of these older Macs. I do wish Apple would do something similar to keep them running…but you know, real world incentives don’t work like that. I would like to use them and I would like to keep the users using them safe…So, for now, I make sure these OCLP Macs have CrowdStrike sensors on them and the users accounts on watchlist just to be sure.
    
    LikeLiked by 1 person
    - 44
      
      hoakley on February 1, 2024 at 10:26 pm
      
      Thank you.
      Skint is intended to serve the user, so it’s really up to the user to determine whether they want to be warned that they’re running a beta-release. Although that shouldn’t be necessary, maybe it could be helpful.
      I don’t want any user to stop using Skint because they’re fed up of being told repeatedly what they already know. That only leads to them switching off, which is against the app’s whole purpose.
      I think I understand Apple’s approach to OCLP: it can’t be an Apple product, because that would require Apple to support it, and would then impose obligations as a result. Apple could be more supportive of OCLP, but those days are long since past unless you’re a major app developer.
      Howard.
      
      LikeLike
    - 45
      
      gofuse on February 1, 2024 at 10:38 pm
      
      Again, thank you for building this, and it is already useful. I use SilentKnight to check the our Macs and XPR is not always ok. Useful to know when you are dealing with lots of Macs and often have to stay with older macOS for longer than we should because not all software is up to date with support/compatibility with current macOS, or you know, older hardware without OCLP.
      
      LikeLiked by 1 person
46

Stefan on February 12, 2024 at 5:21 pm
Reply

This would be a very handy addition as a tile on the macOS Support App:
https://github.com/root3nl/SupportApp

Any chance that this could be made compatible?

LikeLiked by 1 person
- 47
  
  hoakley on February 12, 2024 at 6:02 pm
  Reply
  
  Thank you. Well, you could already add my command tool silnite to that. However, Skint won’t work as a command tool, I’m afraid, as it uses a timer and has an interface designed to work with both Dock icons and widgets. I don’t see any docs there indicating how it might deliver its information remotely either.
  But I’m always open to adapting.
  Howard.
  
  LikeLike
48

macitpros on February 27, 2024 at 7:27 pm
Reply

Thanks for the reply Howard!

I’m thinking using silnite bmj would work, if it could also have a flag to check against your GitHub version list. Xprotect doesn’t update often, but when checking the status of a few hundred computers, it would be good to have an option of checking for updates without having to run a full silnite scan that invokes softwareupdate -l … just to avoid that overhead.

I guess the request would be to have a silnite bmx command with a flag to version check against GitHub -bmxg (with g being the flag to invoke a GitHub version check)? Just a thought.

LikeLiked by 1 person
- 49
  
  hoakley on February 27, 2024 at 10:34 pm
  Reply
  
  Thank you.
  Thinking about this, do you really need every Mac to get its own data from the GitHub original? It’s freely available here, and all ready to parse. Wouldn’t it be better to download one local copy and use that to check the currency of versions?
  At present, XProtect is updated every 7-10 days, and XProtect Remediator every couple of weeks.
  Howard.
  
  LikeLiked by 1 person
50

Henner on March 4, 2024 at 9:43 am
Reply

I wonder if you could make the location of the versions list configurable. That way one would host the property list file as a resource under one’s own control and could (must) keep the file up to date without having to rely on your volunteered service during times of vacation or, pray not, medical leave.
I grant this might be more involved than what I imagine, as I don‘t know if you are performing e.g. certificate pinning or signature checks in the background?

LikeLiked by 1 person
- 51
  
  hoakley on March 4, 2024 at 5:05 pm
  Reply
  
  If someone would like to help me maintain the lists on my GitHub, I can easily add them so they can do so. However, that does require commitment. I don’t take vacations, and work on this blog seven days a week, Christmas Day included. That tends to put others off!
  Howard.
  
  LikeLike