Evidence: System Integrity Protection Status
Description: Collect SIP status
Category: System
Platform: macos
Short Name: sip
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
System Integrity Protection (SIP) restricts the root user from performing certain operations to protect system integrity. This data is essential for assessing hardening state and detecting weakened protections.
Data Collected
This collector gathers structured data about system integrity protection status.
Collection Method
This collector queries the sip_config table via osquery and records results into sip_status.
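To make the collection and interpretation step concrete, here is an added Python example (not the collector's own code) that runs the same kind of query text against osquery's sip_config table, normalizes the JSON rows into sip_status-style records, and classifies the hardening state. It assumes rows shaped like `osqueryi --json` output, where every value is a string, and uses osquery's real sip_config columns (config_flag, enabled, enabled_nvram). The sample rows are constructed for illustration, not captured from a real host; the "partially_disabled" and "nvram_mismatch" classifications are this example's own interpretation, not something the collector is documented to emit.

```python
"""Normalize and assess macOS SIP status from osquery sip_config output.

Added example, not part of the collector. Assumes rows in the shape that
`osqueryi --json` returns for the query below (all values as strings).
"""
import json

# Query the collector is described as issuing against the sip_config table.
SIP_QUERY = "SELECT config_flag, enabled, enabled_nvram FROM sip_config;"

# Constructed sample output (illustrative only, not from a real host):
# SIP is on, one protection has been relaxed at runtime, and one flag
# differs between the live value and the NVRAM-stored value.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"config_flag": "sip", "enabled": "1", "enabled_nvram": "1"},
    {"config_flag": "allow_unrestricted_fs", "enabled": "0", "enabled_nvram": "0"},
    {"config_flag": "allow_task_for_pid", "enabled": "1", "enabled_nvram": "1"},
    {"config_flag": "allow_kernel_debugger", "enabled": "0", "enabled_nvram": "1"},
])


def _to_int(value):
    """osquery JSON carries integers as strings; tolerate missing or bad values."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_sip_config(raw_json):
    """Turn raw osquery JSON into sip_status-style records with typed fields."""
    records = []
    for row in json.loads(raw_json):
        records.append({
            "config_flag": row.get("config_flag", ""),
            "enabled": _to_int(row.get("enabled")),
            "enabled_nvram": _to_int(row.get("enabled_nvram")),
        })
    return records


def assess_sip(records):
    """Classify the hardening state from parsed sip_config records.

    - 'disabled': the master 'sip' flag is off.
    - 'partially_disabled': SIP is on but one or more allow_* exemptions
      are enabled (each one weakens a specific protection).
    - 'enabled': SIP on, no exemptions active.
    - 'unknown': no 'sip' row was returned (e.g. query failed or empty table).
    Flags whose live value differs from the NVRAM value are reported
    separately so an analyst can check whether a change is pending or was
    applied outside the normal csrutil path (interpretation assumed here).
    """
    by_flag = {r["config_flag"]: r for r in records}
    sip_row = by_flag.get("sip")
    sip_enabled = None if sip_row is None else sip_row["enabled"] == 1

    weakened = [
        r["config_flag"] for r in records
        if r["config_flag"].startswith("allow_") and r["enabled"] == 1
    ]
    mismatch = [
        r["config_flag"] for r in records
        if r["enabled"] is not None and r["enabled_nvram"] is not None
        and r["enabled"] != r["enabled_nvram"]
    ]

    if sip_enabled is None:
        state = "unknown"
    elif not sip_enabled:
        state = "disabled"
    elif weakened:
        state = "partially_disabled"
    else:
        state = "enabled"

    return {
        "sip_enabled": sip_enabled,
        "weakened_flags": weakened,
        "nvram_mismatch": mismatch,
        "hardening_state": state,
    }


if __name__ == "__main__":
    print(json.dumps(assess_sip(parse_sip_config(SAMPLE_OSQUERY_JSON)), indent=2))
```

On a live host the raw JSON would come from running `osqueryi --json "<SIP_QUERY>"`; feeding that into `parse_sip_config` keeps the same downstream assessment, and the `nvram_mismatch` list is a prompt for follow-up rather than a verdict on its own.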
Forensic Value
This evidence is crucial for forensic investigations because it shows whether SIP protections are disabled or weakened, a state that would allow malicious modifications to protected parts of the system.