/System/Security_macOS.md
xattr – display and manipulate extended attributes
DESCRIPTION
The xattr command can be used to display, modify or remove the extended attributes of one or more files, including directories and symbolic links. Extended attributes are arbitrary metadata stored with a file, but separate from the filesystem attributes (such as modification time or file size). The metadata is often a null-terminated UTF-8 string, but can also be arbitrary binary data.
Example: xattr -d com.apple.quarantine /Applications/ElectronMail.app
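Added example (not code from the page): a POSIX sh audit that lists quarantined files and decodes the com.apple.quarantine value rather than deleting it, so a defender can see which agent downloaded each file and when. The field layout "flags;hex-timestamp;agent;uuid" is an assumption about the attribute format, not something the page states.

```sh
#!/bin/sh
# Audit com.apple.quarantine instead of stripping it with `xattr -d`.
# Assumed value layout (not given on the page): "flags;hextime;agent;uuid".

# parse_quarantine VALUE -> prints "flags=0x.. epoch=.. agent=.."; returns 1 if malformed
parse_quarantine() {
  IFS=';' read -r flags hextime agent uuid <<EOF
$1
EOF
  # The timestamp is seconds since the epoch, encoded in hex; reject anything else.
  case "$hextime" in
    *[!0-9a-fA-F]*|'') printf 'unparseable quarantine value: %s\n' "$1" >&2; return 1 ;;
  esac
  epoch=$((0x$hextime))
  printf 'flags=0x%s epoch=%d agent=%s\n' "$flags" "$epoch" "${agent:-unknown}"
}

# audit_quarantine [DIR] -> one line per quarantined regular file under DIR (default ~/Downloads)
audit_quarantine() {
  dir=${1:-"$HOME/Downloads"}
  find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
    # xattr -p prints the raw value; files without the attribute are skipped.
    v=$(xattr -p com.apple.quarantine "$f" 2>/dev/null) || continue
    printf '%s: ' "$f"
    parse_quarantine "$v"
  done
}
```

Run `audit_quarantine /Applications` to review provenance before deciding whether any attribute should be removed; only `audit_quarantine` needs macOS, the parser runs anywhere.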
DESCRIPTION
usage: csrutil
Modify the System Integrity Protection configuration.
Available commands:
    clear
        Clear the existing configuration.
    disable
        Disable the protection of the OS installation. Only available in Recovery OS.
    enable
        Enable the protection of the OS installation. Only available in Recovery OS.
    status
        In Recovery OS, displays the configuration for each OS installation.
        In macOS, displays the configuration of the running OS.
    authenticated-root
        status
            Show the current authenticated root setting.
        disable
            Allow booting from non-sealed system snapshots. Only available in Recovery OS.
        enable
            Only allow booting from sealed system snapshots. Only available in Recovery OS.
Example: csrutil disable
DESCRIPTION
spctl manages the security assessment policy subsystem.
This subsystem maintains and evaluates rules that determine whether the system allows the installation, execution, and other operations on files on the system.
System Policy Basic Usage:
    spctl --assess [--type type] [-v] path ...                                                 # assessment
    spctl --add [--type type] [--path|--requirement|--anchor|--hash] spec ...                   # add rule(s)
    spctl [--enable|--disable|--remove] [--type type] [--path|--requirement|--anchor|--hash|--rule] spec   # change rule(s)
    spctl --status | --global-enable | --global-disable                                         # system global switch
Developer Mode Usage:
    spctl developer-mode <action>
        enable-terminal
            Add Terminal as a developer tool.
Kernel Extension User Consent Usage:
    spctl kext-consent <action>   ** Modifications only available in Recovery OS **
        status
            Print whether kernel extension user consent is enabled or disabled.
        enable
            Enable requiring user consent for kernel extensions.
        disable
            Disable requiring user consent for kernel extensions.
        add <team-id>
            Insert a new Team Identifier into the list allowed to load kernel extensions without user consent.
        list
            Print the list of Team Identifiers allowed to load without user consent.
        remove <team-id>
            Remove a Team Identifier from the list allowed to load kernel extensions without user consent.
Example: spctl --status
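Added example (not from the page): a read-only posture check that combines the csrutil and spctl status commands listed above and flags any protection that is not fully enabled. The output strings it matches ("status: enabled", "assessments enabled", "Custom Configuration") are assumptions about what the tools print, not text taken from the page.

```sh
#!/bin/sh
# Report whether SIP, authenticated root and Gatekeeper assessments are on.
# Nothing here changes policy; it only reads `csrutil status`,
# `csrutil authenticated-root status` and `spctl --status`.

# posture_state NAME OUTPUT -> prints "NAME=enabled|disabled|custom|unknown";
# returns 0 only when the protection is fully enabled.
posture_state() {
  name=$1
  out=$2
  # Matched phrases are assumed from the tools' usual output (not on the page).
  case "$out" in
    *"Custom Configuration"*)                         state=custom ;;
    *"status: enabled"*|*"assessments enabled"*)      state=enabled ;;
    *"status: disabled"*|*"assessments disabled"*)    state=disabled ;;
    *)                                                state=unknown ;;
  esac
  printf '%s=%s\n' "$name" "$state"
  [ "$state" = enabled ]
}

# audit_posture -> prints one line per control; exit 1 if any is not fully enabled
audit_posture() {
  rc=0
  posture_state sip "$(csrutil status 2>&1)" || rc=1
  posture_state authenticated_root "$(csrutil authenticated-root status 2>&1)" || rc=1
  posture_state gatekeeper "$(spctl --status 2>&1)" || rc=1
  return $rc
}
```

A non-zero exit from `audit_posture` is the signal to investigate: a custom SIP configuration or disabled assessments is exactly the weakened state the csrutil disable example above produces.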
This utility is not meant for normal users or even sysadmins.
It provides unabstracted access to capabilities which are normally handled for the user automatically when changing the security policy through GUIs such as the Startup Security Utility in macOS Recovery ("recoveryOS").
It is possible to make your system security much weaker and therefore easier to compromise using this tool.
This tool is not to be used in production environments.
It is possible to render your system unbootable with this tool.
It should only be used to understand how the security of Apple Silicon Macs works.
Use at your own risk!
bputil v0.1.13 - a tool to modify boot policies
bputil <optional arguments> ...
Optional arguments:
    -u, --username <username>
        Used to specify the username for a user with access to the signing key to authenticate the change.
        If this is specified, the below password option is required too.
        If this is not specified, an interactive prompt will request the username.
    -p, --password <password>
        Used to specify the password for a user with access to the signing key to authenticate the change.
        If this is specified, the above username option is required too.
        If this is not specified, an interactive prompt will request the password.
    -v, --vuid <AABBCCDD-EEFF-0011-2233-445566778899>
        Set the Volume Group UUID value.
        If no option is specified, and there are multiple OS installations detected, an interactive prompt will request the UUID.
        Volume Group UUID for a given OS can be found with 'diskutil apfs listVolumeGroups'.
    -l, --debug-logging
        Enables verbose logging to assist in debugging any issues associated with changing the policy.
    -d, --display-policy
        Display the local policy. If the system has multiple bootable volumes, an interactive prompt will ask you to specify a volume.
    -e, --display-all-policies
        Display local policies for all OS installations.
    -j, --json
        Switch display mode to JSON. Can only be combined with --display-policy and --display-all-policies.
    -r, --remove <AABBCCDD-EEFF-0011-2233-445566778899>
        Remove macOS and paired recoveryOS local policies for a given Volume Group UUID.
    -f, --full-security
        Changes security mode to Full Security. This option is mutually exclusive with all options below, which cause security downgrades.
    -g, --reduced-security
        Changes security mode to Reduced Security.
        Passing this option will explicitly recreate the local policy; only the options specified via this tool will exist in the output local policy.
    -n, --permissive-security
        Changes security mode to Permissive Security.
        Passing this option will explicitly recreate the local policy; only the options specified via this tool will exist in the output local policy.
    -m, --enable-mdm
        Enables user-allowed MDM management of software updates & kernel extensions.
        Automatically downgrades to Reduced Security mode if not already true.
    -k, --enable-kexts
        Enables trust in locally SEP-signed AuxiliaryKernelCache that contains 3rd party kexts.
        Automatically downgrades to Reduced Security mode if not already true.
    -c, --disable-kernel-ctrr
        Disables the enforcement of the Configurable Text Read-only Region that protects Kernel code.
        Automatically downgrades to Permissive Security mode if not already true.
    -a, --disable-boot-args-restriction
        Enables sending custom boot args to the kernel.
        Automatically downgrades to Permissive Security mode if not already true.
    -s, --disable-ssv
        Disables Signed System Volume integrity checks.
        Automatically downgrades to Permissive Security mode if not already true.
        NOTE: SSV cannot be disabled while FileVault is enabled.