Skip to content
(OS X) Intrusion Detection System for Single User Mode (EFI Password alternative)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

BTC donations: 1DzPaoarz8pCV8wMg96hAGYgW2coJd798K



  1. Admin computer running OS X 10.8-10.9
  2. terminal-notifier installed on the admin computer
  3. GeekTool running on a server (it can be any OS X machine; it is just acting as the server).
  4. Static IPs set on the admin and server computers (preferred) or at least a DHCP reservation
  5. An available static IP for the computers that will have the IDS installed
  6. .profile installed on to each computer you want to monitor for Single-user Mode intrustion--very important!
  7. SSH keys for passwordless-login between the admin computer and the server

What does it do?

When a computer with the .profile script is booted into Single-user Mode, it will assign itself a static IP. This IP is constantly being pinged by another computer (the server) via a GeekTool script. If it successfully pings that address, it sends a Notification Center message to an admin over ssh using terminal-notifier.

The .profile script will also log all commands entered into /var/log/system/log (timestampped). In addition, a plist with the date Single-user mode was accessed is created in /Library/Preferences/. Customize the plist name and key in the .profile script.

This works great if your organization does not use EFI passwords. This way, you at least always know when someone boots into this mode.

How it Works

This is a geeklet that runs in GeekTool every 2-10 seconds. It needs to be used in conjunction with the /var/root/.profile script that assigns the computer an IP address when it is booted into Single-user Mode.


  1. Set up a new GeekTool shell module and have it execute once every 2-10 seconds
  2. Copy and paste the code in and save it (modifying it per your enviornment)
  3. Any time that IP address is pingable, it will send a Notification to the admin 10.8+ computer
  4. If the alert it triggered, the admin can then click the Notification to copy the MAC address to the clipboard
  5. From there, they can manually paste it into a DB to find which computer it is


Make Changes to the Variables

Modify the variables to suit the environment (specific IP addresses, usernames, etc.)

You can’t perform that action at this time.