Configure System Integrity Protection (SIP). SIP is available in El Capitan (10.11) and later.
Syntax
csrutil status View the SIP status
csrutil enable Turn SIP on, when booted in Recovery mode
csrutil disable Turn SIP off, when booted in Recovery mode
csrutil netboot Configure a list of allowed NetBoot sources.
csrutil help
SIP can prevent applications from: modifying system files, runtime attachment to system binaries and unsigned kernel extensions (KEXTs)
SIP is turned on by default.
SIP maintains file system permissions automatically - they are checked and repaired when system updates are performed.
System-only locations now forbidden:
/bin
/sbin
/usr (except for /usr/local)
/System
Folders which are still protected by permissions, but not by SIP:
/usr/local
/Applications
/Library
To Enable or Disable System Integrity Protection:
Reboot while holding Cmd + R, open Terminal and then enter:
csrutil disable && reboot
or
csrutil enable && reboot
“I don’t want to live in a world where everything that I say, everything I do, everyone I talk to, every expression of creativity or love or friendship is recorded” ~ Edward Snowden
security - Administer Keychains, keys, certificates and the Security framework.
softwareupdate - System software update tool.