After writing a Casper Extension Attribute script to report on the status of System Integrity Protection, I realized that I hadn’t accounted for reporting SIP’s custom configurations. These are configurations where SIP is enabled, but one or more of SIP’s protections or restrictions has been disabled. I’ve now updated the script to also report on the following SIP configurations:
- Kext Signing: disabled
- Filesystem Protections: disabled
- NVRAM Protections: disabled
- Debugging Restrictions: disabled
- DTrace Restrictions: disabled
For more details, please see below the jump.
The script behaves as follows:
If the Mac is running 10.10.x or earlier
The script reports System Integrity Protection Not Available For followed by the installed version of OS X, since SIP only exists on 10.11 and later. For example, the script returns the following output on a Mac running OS X 10.10.5:
System Integrity Protection Not Available For 10.10.5
If the Mac is running 10.11.x or later
This script uses csrutil status to check SIP’s status.
If System Integrity Protection is disabled, the script returns the following output:
System Integrity Protection status: Disabled
If System Integrity Protection is enabled, the script returns the following output:
System Integrity Protection status: Active
If SIP has custom configurations, the script will return output similar to that shown below:
System Integrity Protection status: Active
Kext Signing: disabled
Filesystem Protections: disabled
NVRAM Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
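To show how the reporting logic described above fits together, here is an added example shell script. It is not the post's own script or the Casper Extension Attribute; it separates the check into a pure function, sip_report, that takes the OS version and the text of csrutil status as arguments, so the parsing can be exercised with constructed sample output on any machine, plus a thin sip_report_live wrapper that gathers those two values from a real Mac. The sample csrutil outputs are constructed to mimic the 10.11 format (one status line, then an indented list of protections under Configuration) and were not captured from a real system.

```shell
#!/bin/bash
# Added example (not the original post's script): SIP status reporter whose parsing
# logic is separated from the commands that gather the data, so it can be tested offline.

# Report SIP status.
#   $1 = OS X version string (e.g. 10.11.1), $2 = full output of `csrutil status`
sip_report() {
  os_version="$1"
  csr_output="$2"
  major=$(printf '%s' "$os_version" | cut -d. -f1)
  minor=$(printf '%s' "$os_version" | cut -d. -s -f2)
  minor=${minor:-0}

  # 10.10.x or earlier: SIP does not exist on this release, so there is nothing to check.
  if [ "$major" -eq 10 ] && [ "$minor" -lt 11 ]; then
    printf 'System Integrity Protection Not Available For %s\n' "$os_version"
    return 0
  fi

  # The first line of `csrutil status` carries "enabled" or "disabled"; an enabled SIP
  # with one or more protections switched off reads "enabled (Custom Configuration)".
  case "$csr_output" in
    *"status: enabled"*)  printf 'System Integrity Protection status: Active\n' ;;
    *"status: disabled"*) printf 'System Integrity Protection status: Disabled\n'; return 0 ;;
    *)                    printf 'System Integrity Protection status: Unknown\n'; return 1 ;;
  esac

  # Custom configuration: list only the protections that have been switched off,
  # in the same order the post reports them.
  for protection in "Kext Signing" "Filesystem Protections" "NVRAM Protections" \
                    "Debugging Restrictions" "DTrace Restrictions"; do
    if printf '%s\n' "$csr_output" | grep -q "$protection: disabled"; then
      printf '%s: disabled\n' "$protection"
    fi
  done
}

# Live check on the Mac itself. csrutil only exists on 10.11+, so its absence is tolerated
# and sip_report falls through to the version check.
sip_report_live() {
  version=$(sw_vers -productVersion 2>/dev/null || echo "0.0")
  output=$( { command -v csrutil >/dev/null 2>&1 && csrutil status 2>/dev/null; } || true )
  sip_report "$version" "$output"
}

# Constructed sample outputs in the 10.11 `csrutil status` format (not captured from a real Mac).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: disabled
	Filesystem Protections: enabled
	Debugging Restrictions: disabled
	DTrace Restrictions: enabled
	NVRAM Protections: enabled'

# Usage: run the parser over the constructed samples.
sip_report "10.10.5" ""
sip_report "10.11.1" "$SAMPLE_ENABLED"
sip_report "10.11.1" "$SAMPLE_DISABLED"
sip_report "10.11.1" "$SAMPLE_CUSTOM"
```

The parser keys only on the "status:" line and on lines of the form "<protection>: disabled", so it keeps working if Apple adds further protections to the list, and an unrecognised status line is reported as Unknown with a non-zero exit so a reporting system can flag it rather than silently treat it as healthy. The Apple Internal line that csrutil also prints is deliberately ignored, matching the five protections the post reports on.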
This script is designed to be generic and usable by most reporting systems. I have also updated the counterpart Casper Extension Attribute with this same functionality.
For those interested, the script is available below and also from my GitHub repo: