silnite

A command tool to check EFI firmware, security updates and settings on Macs running macOS El Capitan, Sierra, High Sierra, Mojave, Catalina, Big Sur and Monterey, on both Intel and Apple Silicon Macs (as a Universal binary). silnite is the command tool equivalent of my free app SilentKnight.
by Howard Oakley

version 6
14 December 2021
re-issued with new installer certificate and notarization 7 February 2022.

Installation:
————————————

All users are recommend to use the Installer package provided. This is now notarized for Mojave and later.

silnite uses the Swift standard frameworks. These are installed at a system level in later versions of Mojave (10.14.4 and later) and in Catalina (10.15) and later. Those using earlier versions of Mojave (10.14.3 and before), Sierra or High Sierra may need to download and install Swift Runtime Support for Command Tools from https://support.apple.com/kb/DL1998

Use:
———

silnite
-or-
silnite [options]

When run with no arguments, silnite runs its basic set of checks, performs no check for available updates, and returns its results in a JSONised property list. This is the same as running
silnite bmx

Note that hyphens are not required in the argument. If supplied, they are ignored.

silnite h
returns the standard statement of usage.

There are 4 options -

a or b determines the number of checks made, with a running them all, and b running only a basic set.
m prevents checking for available updates, and is only available with the b option (not a)
x sets the output format to a JSONised property list. If not used, a text report will be returned.
u automatically calls for the download of all available updates.

So to run all checks including checking whether updates are available, and returning the result in JSONised XML, run
silnite ax

The a option requires Internet access to check the GitHub database there.
The b option will still check for available updates, unless the m option is added.

Options requiring remote access inevitably take time to complete and return their results. The longest step involved is usually checking for updates. However, if the GitHub server is down, commands requiring access to the data there are unlikely to complete.

JSONised Property List fields
—————————————————————————————

    ASSecstatus =     (
        "Controller:",
        "      Model Identifier: Macmini9,1",
        "      Firmware Version: iBoot-7429.61.2",
        "      Boot UUID: AFB7F2DE-3D19-4AA7-AA78-B76F6D2945D5",
        "      Boot Policy:  ",
        "        Secure Boot: Full Security",
        "        System Integrity Protection: Enabled",
        "        Signed System Volume: Enabled",
        "        Kernel CTRR: Enabled",
        "        Boot Arguments Filtering: Enabled",
        "        Allow All Kernel Extensions: No",
        "        User Approved Privileged MDM Operations: No",
        "        DEP Approved Privileged MDM Operations: No"
    ); M1 series Macs only, the full Controller settings
    EFIE = "220.270.99.0.0"; EFI firmware version expected (from GitHub database)
    EFIV = "220.270.99.0.0 (iBridge: 16.16.6568.0.0,0)"; EFI firmware version found
    FileVault = 1; FileVault status on boot volume, 1 = on
    GateUpdate = "2019-07-22 16:21:56 +0000"; datestamp of last Gatekeeper update
    GateVer = 173; version of last Gatekeeper update
    GatekeeperE = 173; Gatekeeper version expected (from GitHub database)
    GatekeeperV = 173; Gatekeeper version found
    GatekeeperDEE = "8.0"; Gatekeeper GKE version expected (from GitHub database) (Catalina and later)
    GatekeeperDEV = "8.0"; Gatekeeper GKE version found (Catalina and later)
    iBoot = "7429.61.2"; M1 series Macs only, installed iBoot version number
    KEXTE = "14.5.1"; KEXT blocker version expected (from GitHub database)
    KEXTV = "14.5.1"; KEXT blocker version found
    MRTE = "1.47"; MRT version expected (from GitHub database)
    MRTUpdate = "2019-07-18 17:16:09 +0000"; datestamp of last MRT update
    MRTV = "1.47"; MRT version found
    MRTVer = "1.47"; version of last MRT update
    MacModel = "iMacPro1,1"; model number
    macOS = "Version 12.1 (Build 21C52)"; current installed version of macOS
    SIP = 1; SIP status, 1 = on
    SIPstatus = "System Integrity Protection status: enabled.\n"; SIP status (T2 Macs only)
    SSVstatus = "Authenticated Root status: enabled\n"; SSV status (T2 Macs only)
    TCCE = "17.0"; TCC database version expected (from GitHub database)
    TCCUpdate = "2019-06-05 04:49:18 +0000"; datestamp of last TCC database update
    TCCV = "17.0"; TCC database version found
    TCCVer = "17.0"; version of last TCC database update
    UpdateWaiting = 0; whether an update is waiting, 1 = true
    XPro = 1; whether XProtect blacklists are enabled, 1 = true
    XProtectE = 2104; XProtect version expected (from GitHub database)
    XProtectV = 2104; XProtect version found
    XproUpdate = "2019-05-02 04:47:56 +0000"; datestamp of last XProtect update
    XproVer = 2103; version of last XProtect update
    macOS = "Version 10.14.6 (Build 18G84)"; current version of macOS running.

Example a and ax output
———————————————————————

✅ XProtect 2151 should be 2151
🔸 Gatekeeper 94, 8.0 should perhaps be 181, 8.0
✅ MRT 1.85 should be 1.85
✅ TCC 150.19 should be 150.19
✅ KEXT 17.0.0 should be 17.0.0
Apple Silicon Security:
	🍏 Secure Boot: Full Security
	🍏 System Integrity Protection: Enabled
	🍏 Signed System Volume: Enabled
	🍏 Kernel CTRR: Enabled
	🍏 Boot Arguments Filtering: Enabled
	🍏 Allow All Kernel Extensions: No
	User Approved Privileged MDM Operations: No
	DEP Approved Privileged MDM Operations: No
✅ XProtect assessments enabled
✅ FileVault is On.
No update available.
macOS Version 12.1 (Build 21C52)
	XProtect 2021-09-24 17:38:06 +0000 : 2151
	MRT 2021-11-14 20:55:35 +0000 : 1.85

{
    ASSecstatus =     (
        "Controller:",
        "      Model Identifier: Macmini9,1",
        "      Firmware Version: iBoot-7429.61.2",
        "      Boot UUID: AFB7F2DE-3D19-4AA7-AA78-B76F6D2945D5",
        "      Boot Policy:  ",
        "        Secure Boot: Full Security",
        "        System Integrity Protection: Enabled",
        "        Signed System Volume: Enabled",
        "        Kernel CTRR: Enabled",
        "        Boot Arguments Filtering: Enabled",
        "        Allow All Kernel Extensions: No",
        "        User Approved Privileged MDM Operations: No",
        "        DEP Approved Privileged MDM Operations: No"
    );
    EFIE = "No EFI firmware";
    EFIV = "No EFI firmware";
    FileVault = 1;
    GatekeeperDEE = "8.0";
    GatekeeperDEV = "8.0";
    GatekeeperE = 181;
    GatekeeperV = 94;
    KEXTE = "17.0.0";
    KEXTV = "17.0.0";
    MRTE = "1.85";
    MRTUpdate = "2021-11-14 20:55:35 +0000";
    MRTV = "1.85";
    MRTVer = "1.85";
    MacModel = "Macmini9,1";
    TCCE = "150.19";
    TCCV = "150.19";
    UpdateWaiting = 0;
    XPro = 1;
    XProtectE = 2151;
    XProtectV = 2151;
    XproUpdate = "2021-09-24 17:38:06 +0000";
    XproVer = 2151;
    iBoot = "7429.61.2";
    macOS = "Version 12.1 (Build 21C52)";
}

Example b and bx output
———————————————————————

Mac model iMacPro1,1
EFI version found 1037.40.124.0.0 (iBridge: 17.16.11081.0.0,0)
XProtect 2107
Gatekeeper 181
MRT 1.50
TCC 17.0
KEXT 14.5.1
✅ System Integrity Protection status: enabled.
✅ XProtect assessments enabled
✅ FileVault is On.
No update available.
macOS Version 10.14.6 (Build 18G1012)
	XProtect 2019-10-30 12:02:37 +0000 : 2107
	Gatekeeper 2019-08-26 16:57:09 +0000 : 181
	MRT 2019-10-01 21:37:16 +0000 : 1.50
	TCC 2019-06-05 04:49:18 +0000 : 17.0

{
    EFIV = "1037.40.124.0.0 (iBridge: 17.16.11081.0.0,0)";
    FileVault = 1;
    GateUpdate = "2019-08-26 16:57:09 +0000";
    GateVer = 181;
    GatekeeperV = 181;
    KEXTV = "14.5.1";
    MRTUpdate = "2019-10-01 21:37:16 +0000";
    MRTV = "1.50";
    MRTVer = "1.50";
    MacModel = "iMacPro1,1";
    SIP = 1;
    TCCUpdate = "2019-06-05 04:49:18 +0000";
    TCCV = "17.0";
    TCCVer = "17.0";
    UpdateWaiting = 0;
    XPro = 1;
    XProtectV = 2107;
    XproUpdate = "2019-10-30 12:02:37 +0000";
    XproVer = 2107;
    macOS = "Version 10.14.6 (Build 18G1012)";
}

Contents
————————

Provided in this archive are:
silnite - the signed and hardened command tool which you can copy to /usr/local/bin if you prefer to install manually.
silniteInstaller.pkg - this is a notarized package installer. Simply double-click it to open it in Installer and it should install the command tool automatically into /usr/local/bin for you
silniteReadme.txt - this file

Product Page
————————————

https://eclecticlight.co/lockrattler-systhist/

Technical information
———————————–—————————

See the Help file for SilentKnight for full details.

Change List
———————————

Version 6:
- largely rewritten for compatibility with Monterey and current M1 series Macs
- extended dictionary for M1 models.

Version 5:
- extensively revised for compatibility with Big Sur and Apple Silicon
- Universal binary.

Version 4:
- added support for separate firmware versions in Catalina.

Version 3:
- added support for the KEXT blocker extension in Catalina.

Version 2:
- added support for the gke.bundle Gatekeeper database in Catalina *only*.

Version 1:
first release.

Howard Oakley https://eclecticlight.co