Configure System Integrity Protection (SIP). SIP is available in El Capitan (10.11) and later.
Syntax
csrutil clear Clear the existing configuration.
csrutil status View the SIP status.
csrutil enable Turn SIP on, when booted in Recovery OS.
csrutil disable Turn SIP off, when booted in Recovery OS.
csrutil netboot Configure a list of allowed NetBoot sources.
csrutil authenticated-root status
Show the current authenticated root setting.
csrutil authenticated-root disable
Allow booting from non-sealed system snapshots.
Only available in Recovery OS.
csrutil authenticated-root enable
Only allow booting from sealed system snapshots.
Only available in Recovery OS.
csrutil help
SIP can prevent applications from: modifying system files, runtime attachment to system binaries and unsigned kernel extensions (KEXTs)
SIP is turned on by default.
SIP maintains file system permissions automatically - they are checked and repaired when system updates are performed.
System-only locations now forbidden:
/bin
/sbin
/usr (except for /usr/local)
/System
Folders which are still protected by permissions, but not by SIP:
/usr/local
/Applications
/Library
To Enable or Disable System Integrity Protection:
Reboot while holding Cmd + R, open Terminal and then enter:
csrutil disable && reboot
or
csrutil enable && reboot
“I don’t want to live in a world where everything that I say, everything I do, everyone I talk to, every expression of creativity or love or friendship is recorded” ~ Edward Snowden
Local man page: csrutil - Command line help page on your local machine.
security - Administer Keychains, keys, certificates and the Security framework.
softwareupdate - System software update tool.