About SIP/Rootless: SIP/Rootless Internal in El Capitan
In order to check the status of all security mechanisms provided by SIP/Rootless, a tiny little kext was built.
WARNING: This kext is for testing purposes ONLY.
1. OS X 10.11 for the SIP status check; the boot-args flags check will work on both 10.10 and 10.11.
2. SIP must be configured correctly to allow “untrusted” kexts to be loaded.
1. Double click or use Terminal to run this script.
2. Enter password for current user.
3. Check output information in the Terminal or the kernel log in /private/var/log/system.log
If everything goes right, you should see kernel logs like the ones below:
PS: Just ignore the string “LenovoY450”. This kext was built for the Lenovo Y450 at first.
In this case, the results show the SIP status after using the “Security Configuration” / “csrutil” tool in the Recovery or Installation environment. This kext is meaningless if you still depend on rootless=0 (which will be removed in a future release of 10.11) to turn off SIP entirely. In fact, it won’t report anything if the rootless=0 boot-arg is detected.
If a kext without a proper signature needs to be loaded, the best option is probably to allow ONLY the loading of untrusted kexts and keep all the other protections on for the maximum security level.
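To make the "untrusted kexts only" recommendation checkable, here is an added example (not the kext's own code) that decodes a SIP configuration bitmask and reports any protection relaxed beyond that single exception. The flag bit positions follow XNU's bsd/sys/csr.h for 10.11; the helper names `csr_report` and `csr_excess` and the sample masks are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits from XNU's bsd/sys/csr.h (OS X 10.11). A set bit relaxes a protection. */
#define CSR_ALLOW_UNTRUSTED_KEXTS (1u << 0)
#define CSR_VALID_FLAGS           0xFFu

/* Human-readable names for bits 0..7, in bit order. */
static const char *const csr_names[8] = {
    "untrusted kexts", "unrestricted filesystem", "task_for_pid",
    "kernel debugger", "Apple internal", "unrestricted DTrace",
    "unrestricted NVRAM", "device configuration"
};

/* Print each relaxed protection; return how many known flags are set. */
int csr_report(uint32_t config)
{
    int relaxed = 0;
    for (unsigned i = 0; i < 8; i++) {
        if (config & (1u << i)) {
            printf("  allowed: %s\n", csr_names[i]);
            relaxed++;
        }
    }
    if (config & ~CSR_VALID_FLAGS)
        printf("  unknown bits: 0x%x\n", (unsigned)(config & ~CSR_VALID_FLAGS));
    return relaxed;
}

/* Bits set beyond the single recommended exception (0 means compliant). */
uint32_t csr_excess(uint32_t config)
{
    return config & ~CSR_ALLOW_UNTRUSTED_KEXTS;
}

int main(void)
{
    /* Constructed sample masks, not read from a real machine. */
    const uint32_t samples[] = { 0x00, 0x01, 0x03, 0x77, 0x101 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t c = samples[i];
        printf("config 0x%03x:\n", (unsigned)c);
        csr_report(c);
        if (c == 0) puts("  => SIP fully enabled");
        else if (csr_excess(c) == 0) puts("  => only untrusted kexts allowed");
        else printf("  => extra protections off: 0x%x\n", (unsigned)csr_excess(c));
    }
    return 0;
}
```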
Update 1: rootless=0 & kext-dev-mode=1 are removed in the current release of 10.11.
Update 2: Updated kext to check the bootargs flags: