My Single-user Mode Intrusion Detection system works in two parts:

1. a local script is deployed to all client machines
2. a script runs via GeekTool every two seconds

Script Deployed To All Client Machines

The root users’  /var/root/.profile  file is a special file that is executed when Single-user mode is booted into.  I basically just turn this file into a bash script that:

• gives the computer a static IP address
• warns the user that they should not be accessing this mode
• writes the access time to a custom .plist (for retrieval by an Extension Attribute)
• logs any commands entered by the user into the system log with the tag SUM-IDS

Script For A “Server” Running GeekTool

This script runs every two seconds on a “server” computer via GeekTool.  It continually pings the static IP address mentioned above, and if successful, will do a few things:

• sound a Star Trek klaxon via the speakers
• sends a Notification Center message to an admin’s computer containing the offending devices MAC address (so it can be looked up in the JSS)
• the notification can be clicked and it will copy the MAC address to the clipboard for easy pasting
• sends a text message with the same information to an admin’s phone

Reasoning

In my situation, EFI passwords weren’t an option, so this was a way for me to tell when and if someone was doing something they weren’t supposed to and then go and stop them.  It was pretty exciting when the Star Trek klaxon went off suddenly while I was working quietly in my office.  It scared me the first few times, but then I got used to quickly looking up the MAC and then going to the machine to find the student.

My first two years in the job, I found that students tried to boot into this mode about 15-20 times throughout the year, in the years since deploying this, that number has been reduced to 0-1.

So while Single-user Mode is a bit of an obscure thing for students to try, it has helped prevent a lot of issues that they could cause like creating their own admin account.