Make the SIP check more resilient

The output of csrutil can be more than just one line of enabled or disabled. If it's in a custom config, it will have '"enabled (Custom Configuration)' in it, and many of the functions could still turned off. Searching for just 'enabled' would make SIP seem active if just any of the sup parts of SIP were enabled.
munkireport · Apr 11, 2018 · dc5035c · dc5035c
1 parent 778132f
commit dc5035c
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/app/modules/security/scripts/security.py b/app/modules/security/scripts/security.py
@@ -31,7 +31,13 @@ def sip_check():
     if float(os.uname()[2][0:2]) >= 15:
         sp = subprocess.Popen(['csrutil', 'status'], stdout=subprocess.PIPE)
         out, err = sp.communicate()
-        if "enabled" in out:
+
+        # just read the first line of the output, the
+        # System Integrity Protection status: ....
+        # search for a full stop, as custom configurations don't have
+        # that there. 
+        first_line = stdout.split("\n")[0]
+        if "enabled." in out:
             return "Active"
         else:
             return "Disabled"