Начало Каталог Помощ
Вход
logic855
/
claude-mods
огледало от https://github.com/0xDarkMatter/claude-mods.git
1
0
Разклонения 0
Файлове Задачи 0 Уики
ИН на ревизия: 16abb50cf1
Клонове Маркери
claude-mods
/
skills
/
mac-ops
/
scripts
/
kext-audit.sh

kext-audit.sh 6.1 KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155 
  1. #!/usr/bin/env bash
    2. 

  2. # mac-ops :: kext-audit.sh
    3. 

  3. # Inventory loaded kernel extensions + system extensions.
    4. 

  4. #
    5. 

  5. # Why: kexts and system extensions run with kernel privileges. A misbehaving
    6. 

  6. # one can panic the system, leak memory, or hold a system-wide lock. They're
    7. 

  7. # the #1 cause of "Mac kernel panic" on machines that get them.
    8. 

  8. 

  9. set -u
    10. 

  10. 

  11. while [[ $# -gt 0 ]]; do
    12. 

  12.     case "$1" in
    13. 

  13.         --help|-h)
    14. 

  14.             cat <<EOF
    15. 

  15. Usage: $0 [options]
    16. 

  16. 

  17.   --json, --redact, --quiet, --verbose
    18. 

  18. 

  19. Reports:
    20. 

  20.   1. Loaded kexts (kextstat) — third-party highlighted
    21. 

  21.   2. Installed system extensions (systemextensionsctl list)
    22. 

  22.   3. Kext load failures from log
    23. 

  23.   4. Pending kext approval (apps that requested kext but were denied)
    24. 

  24.   5. SIP and kernel security policy state
    25. 

  25. 

  26. On Apple Silicon (M1+), kexts are deprecated in favor of system extensions
    27. 

  27. which run in userspace. This script reports both because some legacy products
    28. 

  28. still ship kexts even on Apple Silicon (via boot policy reduction).
    29. 

  29. EOF
    30. 

  30.             exit 0 ;;
    31. 

  31.         *) shift ;;
    32. 

  32.     esac
    33. 

  33. done
    34. 

  34. 

  35. source "$(dirname "$0")/_lib/common.sh"
    36. 

  36. parse_common_flags "$@"
    37. 

  37. maybe_filter_self "$@"
    38. 

  38. 

  39. # ----------------------------------------------------------------------------
    40. 

  40. section "1. LOADED KEXTS"
    41. 

  41. # ----------------------------------------------------------------------------
    42. 

  42. total_kexts=$(kextstat -l 2>/dev/null | wc -l | tr -d ' ')
    43. 

  43. log_info "Loaded kexts (total)" "$total_kexts"
    44. 

  44. 

  45. # Third-party kexts — anything not com.apple.*
    46. 

  46. third_party=$(kextstat -l 2>/dev/null | awk '{print $6}' | grep -v "^com.apple\." | grep -v "^$" | sort -u)
    47. 

  47. third_party_count=$(echo "$third_party" | grep -c . 2>/dev/null || echo 0)
    48. 

  48. 

  49. if [[ "$third_party_count" -gt 0 ]]; then
    50. 

  50.     log_warn "Third-party kexts" "$third_party_count — primary panic suspects"
    51. 

  51.     note "  Third-party kexts (loaded right now):"
    52. 

  52.     echo "$third_party" | sed 's/^/    /'
    53. 

  53. else
    54. 

  54.     log_pass "Third-party kexts" "0 — clean kernel"
    55. 

  55. fi
    56. 

  56. 

  57. # ----------------------------------------------------------------------------
    58. 

  58. section "2. SYSTEM EXTENSIONS"
    59. 

  59. # ----------------------------------------------------------------------------
    60. 

  60. if command -v systemextensionsctl >/dev/null 2>&1; then
    61. 

  61.     sysext_out=$(systemextensionsctl list 2>/dev/null)
    62. 

  62.     if [[ -n "$sysext_out" ]]; then
    63. 

  63.         # The output has 0+ extensions per team. Skip the header line.
    64. 

  64.         ext_lines=$(echo "$sysext_out" | grep -E "^\s*\*?\s+[a-fA-F0-9]" || true)
    65. 

  65.         if [[ -n "$ext_lines" ]]; then
    66. 

  66.             ext_count=$(echo "$ext_lines" | wc -l | tr -d ' ')
    67. 

  67.             log_info "Installed system extensions" "$ext_count"
    68. 

  68.             note "  System extensions (team-id, bundle-id, name, state):"
    69. 

  69.             echo "$ext_lines" | head -20 | sed 's/^/    /'
    70. 

  70.         else
    71. 

  71.             log_pass "Installed system extensions" "0"
    72. 

  72.         fi
    73. 

  73.     fi
    74. 

  74. else
    75. 

  75.     log_info "systemextensionsctl" "not available (older macOS?)"
    76. 

  76. fi
    77. 

  77. 

  78. # ----------------------------------------------------------------------------
    79. 

  79. section "3. RECENT KEXT LOAD FAILURES"
    80. 

  80. # ----------------------------------------------------------------------------
    81. 

  81. load_fails=$(log show --last 7d --style compact \
    82. 

  82.     --predicate '(process == "kextd" OR process == "kernel") AND (eventMessage CONTAINS[c] "kext" AND (messageType == "Error" OR messageType == "Fault"))' \
    83. 

  83.     2>/dev/null | head -20)
    84. 

  84. 

  85. if [[ -n "$load_fails" ]]; then
    86. 

  86.     n=$(echo "$load_fails" | wc -l | tr -d ' ')
    87. 

  87.     log_warn "Kext load failures (7d)" "$n events"
    88. 

  88.     echo "$load_fails" | head -5 | sed 's/^/    /'
    89. 

  89. else
    90. 

  90.     log_pass "Kext load failures (7d)" "none"
    91. 

  91. fi
    92. 

  92. 

  93. # ----------------------------------------------------------------------------
    94. 

  94. section "4. PENDING KEXT APPROVAL"
    95. 

  95. # ----------------------------------------------------------------------------
    96. 

  96. # Apps that have requested kext load but were denied — usually because user
    97. 

  97. # hasn't approved in System Settings → Privacy & Security
    98. 

  98. pending=$(log show --last 30d --style compact \
    99. 

  99.     --predicate 'eventMessage CONTAINS[c] "kext approval"' \
    100. 

  100.     2>/dev/null | tail -5)
    101. 

  101. if [[ -n "$pending" ]]; then
    102. 

  102.     log_warn "Pending kext approvals (30d)" "see below"
    103. 

  103.     echo "$pending" | sed 's/^/    /'
    104. 

  104. else
    105. 

  105.     log_pass "Pending kext approvals" "none"
    106. 

  106. fi
    107. 

  107. 

  108. # ----------------------------------------------------------------------------
    109. 

  109. section "5. SECURITY POLICY"
    110. 

  110. # ----------------------------------------------------------------------------
    111. 

  111. # SIP status
    112. 

  112. sip_status=$(csrutil status 2>/dev/null | head -1 | awk -F': *' '{print $2}' | tr -d '.')
    113. 

  113. case "$sip_status" in
    114. 

  114.     *enabled*) log_pass "SIP" "$sip_status" ;;
    115. 

  115.     *disabled*) log_warn "SIP" "$sip_status — kernel security weakened" ;;
    116. 

  116.     *) log_info "SIP" "${sip_status:-unknown}" ;;
    117. 

  117. esac
    118. 

  118. 

  119. # On Apple Silicon: bputil reports boot policy
    120. 

  120. if is_apple_silicon && command -v bputil >/dev/null 2>&1; then
    121. 

  121.     note "  Apple Silicon boot policy (requires sudo for detail):"
    122. 

  122.     sudo -n bputil -d 2>/dev/null | grep -E "Security Policy|Manage Kernel Extensions|Allow User Kernel Extensions" | head -5 | sed 's/^/    /' || \
    123. 

  123.         note "    (sudo required for full bputil read)"
    124. 

  124. fi
    125. 

  125. 

  126. # Apple Silicon specific kext loading state
    127. 

  127. if is_apple_silicon; then
    128. 

  128.     kext_loading=$(kmutil showloaded 2>/dev/null | wc -l | tr -d ' ')
    129. 

  129.     log_info "kmutil showloaded count" "$kext_loading"
    130. 

  130. fi
    131. 

  131. 

  132. # ----------------------------------------------------------------------------
    133. 

  133. section "6. VENDOR PATTERNS"
    134. 

  134. # ----------------------------------------------------------------------------
    135. 

  135. # Known panic-prone vendors
    136. 

  136. note "  Scanning for known-problematic kexts:"
    137. 

  137. for pattern in "eltima" "paragon" "eset" "kaspersky" "norton" "sophos" "bitdefender"; do
    138. 

  138.     matches=$(kextstat -l 2>/dev/null | awk '{print $6}' | grep -i "$pattern" || true)
    139. 

  139.     if [[ -n "$matches" ]]; then
    140. 

  140.         log_warn "Vendor kext: $pattern" "$(echo "$matches" | wc -l | tr -d ' ') loaded"
    141. 

  141.         echo "$matches" | head -3 | sed 's/^/    /'
    142. 

  142.     fi
    143. 

  143. done
    144. 

  144. 

  145. # ----------------------------------------------------------------------------
    146. 

  146. emit_summary
    147. 

  147. 

  148. if [[ "$JSON_MODE" -eq 0 ]]; then
    149. 

  149.     echo
    150. 

  150.     note "  To uninstall a system extension:"
    151. 

  151.     note "    systemextensionsctl uninstall <team-id> <bundle-id>"
    152. 

  152.     note "  To inspect a specific kext:"
    153. 

  153.     note "    kextstat -l | grep <name>"
    154. 

  154.     note "    kmutil showloaded | grep <name>   # Apple Silicon"
    155. 

  155. fi
    156.