Updated System Integrity Protection status reporting script
After writing a Casper Extension Attribute script to report on the status of System Integrity Protection, I realized that I hadn’t accounted for reporting SIP’s custom configurations. These are configurations where SIP is enabled, but one or more of SIP’s protections or restrictions has been disabled. I’ve now updated the script to also report on the following SIP configurations:
- Kext Signing: disabled
- Filesystem Protections: disabled
- NVRAM Protections: disabled
- Debugging Restrictions: disabled
- DTrace Restrictions: disabled
For more details, please see below the jump.
The script has the following functions:
If the Mac is running 10.10.x or earlier
The script reports System Integrity Protection Not Available For and then reports the relevant version of OS X. For example, the script returns the following output on a Mac running OS X 10.10.5:
System Integrity Protection Not Available For 10.10.5
If the Mac is running 10.11.x or later
This script uses csrutil status to check SIP’s status.
If System Integrity Protection is disabled, the script returns the following output:
System Integrity Protection status: Disabled
If System Integrity Protection is enabled, the script returns the following output:
System Integrity Protection status: Active
If SIP has custom configurations, the script will return output similar to that shown below:
System Integrity Protection status: Active
Kext Signing: disabled
Filesystem Protections: disabled
NVRAM Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
This script is designed to be generic and usable by most reporting systems. I have also updated the counterpart Casper Extension Attribute with this same functionality.
For those interested, the script is available below and also from on my GitHub repo:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}') | |
| osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}') | |
| # Checks to see if the OS on the Mac is 10.x.x. If it is not, the | |
| # following message is displayed without quotes: | |
| # | |
| # "Unknown Version Of Mac OS X" | |
| if [[ ${osvers_major} -ne 10 ]]; then | |
| /bin/echo "Unknown Version of Mac OS X" | |
| fi | |
| # Checks to see if the OS on the Mac is 10.11.x or higher. | |
| # If it is not, the following message is displayed without quotes: | |
| # | |
| # "System Integrity Protection Not Available For" followed by the version of OS X. | |
| if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 11 ]]; then | |
| /bin/echo "System Integrity Protection Not Available For `sw_vers -productVersion`" | |
| fi | |
| if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 11 ]]; then | |
| # Checks System Integrity Protection status on Macs | |
| # running 10.11.x or higher | |
| SIP_status=`/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//'` | |
| if [ $SIP_status = "disabled" ]; then | |
| result=Disabled | |
| elif [ $SIP_status = "enabled" ]; then | |
| SIP_status="Active" | |
| # If SIP is enabled, run 'csrutil status' a second time | |
| # and export the output to a text file with a randomly | |
| # generated name. | |
| sip_output="/tmp/`/usr/bin/uuidgen`.txt" | |
| /usr/bin/csrutil status > "$sip_output" | |
| # Check the exported text file to see any custom SIP configuration | |
| # options have been enabled. If any custom SIP configurations are | |
| # active, display the configuration status. | |
| sip_kernel_extension_allowed=`cat "$sip_output" | grep -io "Kext Signing: disabled"` | |
| if [[ ${sip_kernel_extension_allowed} != "" ]]; then | |
| sip_kernel=`/usr/bin/printf "\n$sip_kernel_extension_allowed"` | |
| fi | |
| sip_filesystem_allowed=`cat "$sip_output" | grep -io "Filesystem Protections: disabled"` | |
| if [[ ${sip_filesystem_allowed} != "" ]]; then | |
| sip_filesystem=`/usr/bin/printf "\n$sip_filesystem_allowed"` | |
| fi | |
| sip_nvram_allowed=`cat "$sip_output" | grep -io "NVRAM Protections: disabled"` | |
| if [[ ${sip_nvram_allowed} != "" ]]; then | |
| sip_nvram=`/usr/bin/printf "\n$sip_nvram_allowed"` | |
| fi | |
| sip_debug_allowed=`cat "$sip_output" | grep -io "Debugging Restrictions: disabled"` | |
| if [[ ${sip_debug_allowed} != "" ]]; then | |
| sip_debug=`/usr/bin/printf "\n$sip_debug_allowed"` | |
| fi | |
| sip_dtrace_allowed=`cat "$sip_output" | grep -io "DTrace Restrictions: disabled"` | |
| if [[ ${sip_dtrace_allowed} != "" ]]; then | |
| sip_dtrace=`/usr/bin/printf "\n$sip_dtrace_allowed"` | |
| fi | |
| if [[ -e "$sip_output" ]]; then | |
| /bin/rm "$sip_output" | |
| fi | |
| result="$SIP_status$sip_kernel$sip_filesystem$sip_nvram$sip_debug$sip_dtrace" | |
| fi | |
| /bin/echo "System Integrity Protection status: ""$result" | |
| fi |
Der Flounder 
Recent Comments