Configure System Integrity Protection (SIP). SIP is available in El Capitan (10.11) and later.

      csrutil status   View the SIP status

      csrutil enable   Turn SIP on, when booted in Recovery mode

      csrutil disable  Turn SIP off, when booted in Recovery mode

      csrutil netboot  Configure a list of allowed NetBoot sources.

      csrutil help

SIP can prevent applications from: modifying system files, runtime attachment to system binaries and unsigned kernel extensions (KEXTs)

SIP is turned on by default.

SIP maintains file system permissions automatically - they are checked and repaired when system updates are performed.

System-only locations now forbidden:
/usr (except for /usr/local)

Folders which are still protected by permissions, but not by SIP:


To Enable or Disable System Integrity Protection:

Reboot while holding Cmd + R, open Terminal and then enter:
csrutil disable && reboot
csrutil enable && reboot

“I don’t want to live in a world where everything that I say, everything I do, everyone I talk to, every expression of creativity or love or friendship is recorded” - Edward Snowden


security - Administer Keychains, keys, certificates and the Security framework
softwareupdate - System software update tool

Copyright © SS64.com 1999-2018
Some rights reserved