I wrote the csrstat command line tool back in 2015, after the first beta of El Capitan was seeded, and shared it some time later on my GitHub repository. Today I’d like to show you the new and improved output of csrstat v1.7 for High Sierra:
csrstat v1.7 Copyright (c) 2015-2017) by Pike R. Alpha
System Integrity Protection status: enabled (0x00000080) (Custom Configuration).

Configuration:
Apple Internal............: 0 (disabled)
Kext Signing Restrictions.: 0 (enabled)
Task for PID Restrictions.: 0 (enabled)
Filesystem Protections....: 0 (enabled)
Debugging Restrictions....: 0 (enabled)
DTrace Restrictions.......: 0 (enabled)
NVRAM Protections.........: 0 (enabled)
Device Configuration......: 1 (enabled)
BaseSystem Verification...: 0 (enabled)
User Approved Kext Loading: 0 (enabled)

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
Three lines more than what you get from:
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: enabled
Debugging Restrictions: enabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
Not only that. It also reads csr_active_config and tests for 0x8 (CSR_ALLOW_KERNEL_DEBUGGER), 0x11 (CSR_ALLOW_UNTRUSTED_KEXTS/CSR_ALLOW_UNRESTRICTED_FS) and 0x180 (CSR_ALWAYS_ENFORCED_FLAGS), and shows output that depends on the booter in use (boot.efi or bootbase.efi) and the active settings.
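As an added example (not csrstat's own source), this is one way to turn a csr_active_config value into the per-flag table shown above, which is handy when auditing a value pulled from a fleet inventory. The bit positions are taken from XNU's bsd/sys/csr.h and are an assumption here, the struct and function names are hypothetical, and printing "disabled" for a restriction whose bit is set is assumed behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit positions follow XNU's bsd/sys/csr.h (assumed here; the page names only
   some of them). Labels are copied from the csrstat output on this page. */
struct csr_bit { uint32_t mask; const char *label; int is_restriction; };
static const struct csr_bit csr_bits[] = {
    { 1u << 4, "Apple Internal............", 0 },
    { 1u << 0, "Kext Signing Restrictions.", 1 },
    { 1u << 2, "Task for PID Restrictions.", 1 },
    { 1u << 1, "Filesystem Protections....", 1 },
    { 1u << 3, "Debugging Restrictions....", 1 },
    { 1u << 5, "DTrace Restrictions.......", 1 },
    { 1u << 6, "NVRAM Protections.........", 1 },
    { 1u << 7, "Device Configuration......", 0 },
    { 1u << 8, "BaseSystem Verification...", 1 },
    { 1u << 9, "User Approved Kext Loading", 1 },
};
#define CSR_NBITS (sizeof csr_bits / sizeof csr_bits[0])
/* Restrictions are enabled while their bit is clear; the other two while it is set. */
static int csr_enabled(uint32_t config, const struct csr_bit *b) {
    int set = (config & b->mask) != 0;
    return b->is_restriction ? !set : set;
}
/* Count the restrictions this value switches off. */
int csr_relaxed_count(uint32_t config) {
    int n = 0;
    for (size_t i = 0; i < CSR_NBITS; i++)
        n += csr_bits[i].is_restriction && !csr_enabled(config, &csr_bits[i]);
    return n;
}
/* Render the table into buf; returns bytes written, or -1 if buf is too small. */
int csr_render(uint32_t config, char *buf, size_t len) {
    size_t off = 0;
    for (size_t i = 0; i < CSR_NBITS; i++) {
        const struct csr_bit *b = &csr_bits[i];
        int n = snprintf(buf + off, len - off, "%s: %d (%s)\n", b->label,
                         (config & b->mask) != 0, csr_enabled(config, b) ? "enabled" : "disabled");
        if (n < 0 || (size_t)n >= len - off) return -1;
        off += (size_t)n;
    }
    return (int)off;
}

int main(void) {
    char out[512]; /* constructed input: 0x80, the value in the output above */
    if (csr_render(0x00000080u, out, sizeof out) < 0) return 1;
    return printf("%d restriction(s) relaxed\n%s", csr_relaxed_count(0x80u), out) < 0;
}
```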
Edit: There is something wrong with the output of v1.5 and I need to look into it. Will try to do that later today. Much later I’m afraid.
Update: The changes to v1.6 were not enough, but v1.7 now shows the correct output here. Please test and confirm that this one works. Thank you.