Custom plugin for Watchman Monitoring to provide results of silnite by the Eclectic Light Company.
Alerts if specific Apple security updates have not been installed, or are available for installation.
Requires silnite by the Eclectic Light Company to be installed.
silnite uses the Swift standard frameworks. These are installed at a system level in later versions of Mojave (10.14.4 and later) and in Catalina (10.15). Those using earlier versions of Mojave (10.14.3 and before), Sierra or High Sierra may need to download and install Swift Runtime Support for Command Tools from https://support.apple.com/kb/DL1998
- Uses curl to pull down current OS version information from https://gdmf.apple.com/v2/pmv
- Shout out to Ross Matsuda of https://www.sudoade.com/author/ross/ for the excellent write up on how to get the latest OS version updates
- Uses curl result to determine if the current OS matches on alerting for ticket/email (exit 2)
- Will run OS version check during every run
- Configuration Data related to XProtect/MRT/etc will continue to run according to schedule
- Results for Configuration data will be an informational result (no ticket/email) in the Watchman Monitoring dashboard (exit 20)
- Requires silnite 10 to be installed
- Creates a text file with results of a full run at /Library/MonitoringClient/PluginSupport/_wm_silnite_results.txt
- Will run an hourly light run based off results file
- Full run of silnite results will still be based off Frequency to check for updates... results file will be updated at that time
- Fixes stale plugin results (now that data is sent during every run)
- Added Run Count Information to Plugin results
- Removes Gatekeeper Version reporting (results removed from silnite 10)
- Adds XProtect Remediator Version reporting
- Uses /Library/Preferences/com.apple.SoftwareUpdate.plist for gathering list of recommended updates (stops using softwareupdate -l).
- Adjusts if a plist setting file is missing an expected value.
- Creates a default settings plist on new installation.
- Changes default reporting frequency to 8 from 12 (more frequently)
- Simply a version bump to match current silnite binary version number
- Requires silnite 9 to be installed
- Get silnite version 9 from Eclectic Light: https://eclecticlight.co/lockrattler-systhist/
- Adds compatibility for silnite 6, which in turn adds compatibility with Apple Silicon and macOS 12.
- Get silnite version 6 from Eclectic Light: https://eclecticlight.co/lockrattler-systhist/
- This version is NOT compatible with older versions of silnite. Requires silnite 6 to be installed.
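
The OS version check described in the list above (curl against https://gdmf.apple.com/v2/pmv, alert with exit 2 when the installed OS is behind) can be sketched as follows. This is an added example, not the plugin's own code: it is written in Python for JSON parsing, the feed layout (PublicAssetSets / macOS / ProductVersion) and the sample data are assumptions constructed for illustration, and the function names are hypothetical.

```python
import json

EXIT_OK, EXIT_ALERT, EXIT_INFO = 0, 2, 20  # exit codes as described on this page

# Constructed sample in the feed's layout (assumed); not live data.
SAMPLE_PMV = json.dumps({"PublicAssetSets": {
    "iOS": [{"ProductVersion": "15.7.1"}],
    "macOS": [{"ProductVersion": "13.0.1"}, {"ProductVersion": "12.6"},
              {"ProductVersion": "12.6.1"}, {"ProductVersion": "11.7.1"}],
}})


def parse_version(text):
    """'12.6' -> (12, 6, 0), so 12.6 and 12.6.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def latest_for_major(feed_text, major):
    """Newest macOS release listed for one major version, or None."""
    releases = json.loads(feed_text)["PublicAssetSets"]["macOS"]
    listed = [parse_version(r["ProductVersion"]) for r in releases]
    same_major = [v for v in listed if v[0] == major]
    return max(same_major) if same_major else None


def check_os(installed, feed_text):
    """Return (exit_code, message) for one plugin run."""
    try:
        current = parse_version(installed)
        latest = latest_for_major(feed_text, current[0])
    except (ValueError, KeyError, TypeError, AttributeError):
        # Empty, truncated or unexpected feed: informational only.
        return EXIT_INFO, "Unable to check macOS version"
    if latest is None:
        # Assumption of this example: an unlisted major version is reported
        # as informational rather than raising a ticket.
        return EXIT_INFO, "No release listed for macOS %d" % current[0]
    if current < latest:
        newest = ".".join(map(str, latest))
        return EXIT_ALERT, "macOS %s installed, %s available" % (installed, newest)
    return EXIT_OK, "macOS %s is current" % installed


if __name__ == "__main__":
    # Hypothetical installed versions checked against the constructed feed.
    for version in ("12.6", "12.6.1", "15.0"):
        print(version, check_os(version, SAMPLE_PMV))
```

Scoping the lookup to the macOS list keeps an iOS release with the same major number (15.7.1 in the sample) from being mistaken for a macOS update.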
Preference Pane
- Frequency to check for updates
  - Sets how often a full run will be done. More time between full checks will help speed up regular Watchman Monitoring reporting.
- Unable to check for updates attempts
  - If silnite is unable to check for updates due to a connection failure, an informational warning will be generated (no tickets/emails) in your Watchman Monitoring dashboard. If the number of attempts exceeds this number, an alert (ticket/email) will be generated.
Terminal/Command Line Options
- Force a one-time full run ignoring the frequency count:
sudo defaults write /Library/MonitoringClient/PluginSupport/_wm_silnite_settings.plist First_Run -bool true
- Set the "Frequency to check for updates" count (set NUM to the number):
sudo defaults write /Library/MonitoringClient/PluginSupport/_wm_silnite_settings.plist Check_For_Updates _NUM_
- Set the "Unable to check for updates attempts" count (set NUM to the number):
sudo defaults write /Library/MonitoringClient/PluginSupport/_wm_silnite_settings.plist Warn_Updates_Attempts _NUM_
Emails daily/ticket created (exit 2) if...
silnite reports updates are available (UpdateWaiting = 1)
This means...
- MRT could be out-of-date
- XProtect Remediator could be out-of-date
- XProtect could be out-of-date
- Other updates from softwareupdate are available and will be listed
If unable to check for updates, shows informational warning (exit 20)
Includes report of installed versions:
- MRT
- XProtect Remediator
- XProtect
(initial testing complete, still needs more testing) Sends one-time alerts (exit 200) if...
- SIP Disabled
- XProtect Disabled
Known Issues
- Need to make adjustments to prevent overwriting existing settings file
- Once update checking is working, a fresh run should begin, currently not the case.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.