Configure System Integrity Protection (SIP). SIP is available in El Capitan (10.11) and later.
Syntax csrutil status View the SIP status csrutil enable Turn SIP on, when booted in Recovery mode csrutil disable Turn SIP off, when booted in Recovery mode csrutil netboot Configure a list of allowed NetBoot sources. csrutil help
SIP can prevent applications from: modifying system files, runtime attachment to system binaries and unsigned kernel extensions (KEXTs)
SIP is turned on by default.
SIP maintains file system permissions automatically - they are checked and repaired when system updates are performed.
System-only locations now forbidden:
/usr (except for /usr/local)
Folders which are still protected by permissions, but not by SIP:
To Enable or Disable System Integrity Protection:
Reboot while holding Cmd + R, open Terminal and then enter:
csrutil disable && reboot
csrutil enable && reboot
“I don’t want to live in a world where everything that I say, everything I do, everyone I talk to, every expression of creativity or love or friendship is recorded” - Edward Snowden
Related macOS commands:
security - Administer Keychains, keys, certificates and the Security framework
softwareupdate - System software update tool