how to check system integrity ?

[antoine23]

I was wondering if there is still a tool somewhere to check for system integrity, to verify that the system read-only partition has not been modified for instance, and if it has, recover to a previous snapshot.

Any ideas ?

Back in the days if the system would fail somehow one of the recommended actions was fixing permissions

Now we have SIP plus read-only system partition so fixing permissions is no longer a thing.

 

[bogdanw]

To modify the read-only system volume, you have to disable SIP and authenticated-root.
https://forums.macrumors.com/thread...tem-volume-as-writeable.2332937/post-30822017

 

[antoine23]

To modify the read-only system volume, you have to disable SIP and authenticated-root.
https://forums.macrumors.com/thread...tem-volume-as-writeable.2332937/post-30822017

I don't want to modify a system volume, I'm looking for a tool to check for its integrity and maybe even repair it, like fixing permissions used to do

 

[bogdanw]

I don't want to modify a system volume, I'm looking for a tool to check for its integrity and maybe even repair it, like fixing permissions used to do

If SIP is enabled, the volume is not modified, intact. You can’t fix anything file/folder related, like permissions, on a read-only volume.
What you should check for is APFS related errors. There can be a few
https://forums.macrumors.com/thread...is-not-the-currently-booted-snapshot.2378429/
https://forums.macrumors.com/threads/disc-utility-warning.2376773/
https://forums.macrumors.com/threads/apfs-or-mac-os-extended-for-external-hdd.2386349/post-32089488


APFS snapshots
https://support.apple.com/en-gb/guide/disk-utility/dskuf82354dc/mac
https://support.apple.com/guide/disk-utility/dskuf82354dc/mac
"Repair volumes, then containers, then disks"
https://support.apple.com/en-us/HT210898
https://support.apple.com/HT210898

 

[antoine23]

Thanks, I will check that.

Actually, I thought there were tools to compare APFS snapshots, check the system volume is not corrupt, and if so, repair it and so on.

Diskutility is for the filesystem only, it cannot repair a file that has been corrupted somehow. Maybe with a snapshot, but there should be one to pick from in the first place.

I think Apple has overly relied on a read-only system volume to not provide any tools to check that it actually remains that way.

It's not even clear if APFS snapshots are automatically created before any update (manual or automatic)

 

[KALLT]

You should read up about signed system volumes (SSV), which are used since macOS 11. In short, macOS installations are cryptographically validated during installation and updating as well as on boot and at runtime. The system computes hashes of the system volume and compares them against the hashes that Apple provides. It will refuse to boot if it finds any inconsistencies. Furthermore, since macOS 11, the system no longer merely loads from a read-only system volume, but from an APFS snapshot of that system volume.

You can check whether this feature is active with: csrutil authenticated-root status.

 

[chabig]

I was wondering if there is still a tool somewhere to check for system integrity, to verify that the system read-only partition has not been modified for instance, and if it has, recover to a previous snapshot.

If the machine boots, you can be sure the system has not been modified.

This is because macOS boots from a signed read-only snapshot of the operating system. Every machine running the same OS version has the same system, bit for bit. If even one bit has been modified from Apple's specification, the signature check will fail and the computer won't boot.