5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled

Information

System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID.

Rationale:

Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP.

Impact:

System binaries and processes could become compromised.

Solution

Perform the following to enable System Integrity Protection:

Reboot into the Recovery Partition (reboot and hold down Command + R)

Select Utilities

Select Terminal

Run the following command:

$ sudo /usr/bin/csrutil enable

Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.



Reboot the computer

Note: You cannot enable System Integrity Protection from the booted operating system. If the remediation is attempted in the booted OS and not the Recovery Partition the output will give the error csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-7(2), 800-53|CM-8(3), 800-53|CM-10, 800-53|CM-11, 800-53|SI-16, CSCv7|2.6

Plugin: Unix

Control ID: 0721a1aa5ed5b74301b6d171932f47a3136eda56e1038dc29bc8cde0167caeab