---
name: Mac Security State (Apr 22, 2026)
description: Arnav's MacBook Pro M4 Pro security audit findings — SIP status, cracked apps, false positives
type: project
originSessionId: 38a0dcdb-5376-45aa-a4f3-1527accc3abe
---
# Mac Security State — Apr 22, 2026

**Host:** Arnavs-MacBook-Pro (user: asharma)

## 🚨 SIP Disabled
`csrutil status` returns **disabled**. SIP was likely disabled around Nov 22, 2025, when `tmp_cleaner` was installed to the system volume (only possible with SIP off).

**Why:** User may recall the reason (Hackintosh tool, kext, crack install).
**How to apply:** Recommend re-enabling via Recovery Mode (`csrutil enable`) unless Arnav has an active reason for it to stay off.

## Cracked Apps Currently Installed
- **CrossOver** — TNT group crack via `/tmp/tnt30511/mount/Extra/croslic/license.tool` (Apr 22, 2026). Self-signed RSA cert replaces real signature.
- **Dockitty** — `macked.app` signer (piracy site)
- **NotchNook** — "Antibiotics" signer (likely TNT crack, same group as CrossOver)

**Recommended replacements:**
- CrossOver → **Whisky** (free, open source, same Wine fork) — `brew install --cask whisky`
- NotchNook → **DynamicLake** ($5 legit) or **NotchMeister** (free)
- Dockitty → **Dockey** (free) or live without

## Benign Items
- **`/usr/libexec/tmp_cleaner`** — FreeBSD-style /tmp cleanup shell script. Installed Nov 22, 2025. Launched daily at 00:00 via `com.apple.tmp_cleaner.plist`. 1142 bytes, runs `find /tmp -atime +3 -delete`. Not malware, just unnecessary (macOS has its own periodic cleanup). Safe to leave or remove.
- **`/usr/libexec/gkreport`** — Apple's Gatekeeper telemetry binary. Shows "unsigned" in KnockKnock because it's on the sealed system volume (SSV). False positive.

## Legit Third-Party Items (from KnockKnock scan)
- Tailscale (`tailscaled`) — Homebrew, user's VPN to IdeaPad
- Parallels Desktop
- Sideloadly (iOS app sideloading, grey-but-legit)

## Scan Tools Used
- **KnockKnock** (Objective-See, free) — persistence scanner. Output saved to `~/upload.icedoutai.com/f/55209cb0.json` on Apr 22.

## Recommended Future Hygiene
1. Never run cracks from random DMGs (TNT group, macked.app, etc.)
2. Keep SIP enabled except for specific, temporary, known-reason disabling
3. Use notarized + signed apps — verify via `spctl --assess -vvv /Applications/<App>.app`
4. After any crack install, always run KnockKnock + check `/usr/libexec`, `/Library/LaunchDaemons`, `/Library/LaunchAgents`, `~/Library/LaunchAgents`
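
A scripted version of the launchd part of step 4, as an added example (not part of the original notes). The flag names, the `demo()` helper and the `com.example.helper` sample are constructed for illustration, and the "Apple label outside `/System`" rule is a heuristic assumption, not a verdict.

```python
import plistlib, tempfile
from pathlib import Path

# Plist directories from hygiene step 4; /usr/libexec is covered through
# each job's program path.
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                "~/Library/LaunchAgents"]

def audit_launchd(dirs=LAUNCHD_DIRS):
    """Return one record per launchd plist: path, label, program, flags."""
    findings = []
    for d in dirs:
        for plist in sorted(Path(d).expanduser().glob("*.plist")):
            rec = {"plist": str(plist), "label": None, "program": None,
                   "flags": ["unreadable"]}
            findings.append(rec)
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)  # handles XML and binary plists
                label = str(job.get("Label", ""))
                args = job.get("ProgramArguments") or [""]
                program = str(job.get("Program") or args[0])
            except Exception:
                continue  # keep the "unreadable" record for manual review
            flags = []
            # Heuristic (assumption): the OS's own jobs live under
            # /System/Library, so a com.apple.* label elsewhere needs a look.
            if label.startswith("com.apple.") and not str(plist).startswith("/System/"):
                flags.append("apple-label-outside-system")
            if program.startswith(("/tmp/", "/private/tmp/")):
                flags.append("runs-from-tmp")
            if not program or not Path(program).exists():
                flags.append("program-missing")
            rec.update(label=label, program=program, flags=flags)
    return findings

def demo():
    """Audit two constructed plists (sample data, not from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"com.apple.tmp_cleaner": "/usr/libexec/tmp_cleaner",
                   "com.example.helper": "/tmp/example/helper"}
        for label, prog in samples.items():
            with open(Path(tmp, label + ".plist"), "wb") as fh:
                plistlib.dump({"Label": label, "ProgramArguments": [prog]}, fh)
        return audit_launchd([tmp])

if __name__ == "__main__":
    for f in audit_launchd():
        print(f["flags"] or ["ok"], f["label"], "->", f["program"])
```

Any flagged program path is a candidate for a manual signature check with `codesign -dv <path>` before deciding whether it is benign.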
