5.1.2 Ensure System Integrity Protection Status (SIP) Is Enabled

Information

System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID.

Rationale:

Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP.

Impact:

System binaries and processes could become compromised.

Solution

Terminal Method:
Perform the following steps to enable System Integrity Protection:

1. Reboot into the Recovery Partition (reboot and hold down Command (CMD) + R).

2. Select Utilities.

3. Select Terminal.

4. Run the following command:

   $ /usr/bin/sudo /usr/bin/csrutil enable

   Expected output:

   Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

5. Reboot the computer.

Note: If SIP has been disabled, the admin should research why it was disabled. You might also want to assume that the operating system has been compromised; if so, back up any needed files and do a clean install of a known-good operating system. Erasing the Mac and reinstalling the operating system may be the better option; that is at your discretion.

Note: You cannot enable System Integrity Protection from the booted operating system. If the remediation is attempted in the booted OS rather than the Recovery Partition, the command fails with the error "csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS."
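Unlike `csrutil enable`, `csrutil status` can be read from the booted OS, so the state of this control can be audited without a trip to Recovery. The following POSIX sh script is an added example, not part of the CIS/Tenable audit content: it classifies `csrutil status` output (the sample strings are constructed to match the tool's known message formats, including the "Custom Configuration" case that is neither fully enabled nor disabled) and treats anything other than a plain "enabled." as a finding.

```shell
#!/bin/sh
# Added example: audit SIP state from the booted macOS system.
# Only `csrutil enable` needs the Recovery OS; `csrutil status` works normally.

# Constructed samples of `csrutil status` output used for offline testing.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).'

# sip_state_from_output TEXT
# Classify csrutil output: prints enabled | disabled | custom | unknown.
# A "Custom Configuration" means individual SIP protections were toggled,
# which CIS does not accept as "enabled", so it is checked first.
sip_state_from_output() {
    case "$1" in
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled."*)     echo enabled ;;
        *"status: disabled."*)    echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# audit_sip_output TEXT
# Returns 0 (pass) only when SIP is fully enabled; any other state fails.
audit_sip_output() {
    [ "$(sip_state_from_output "$1")" = "enabled" ]
}

# audit_sip_live
# Runs the real csrutil; returns 2 if the tool is absent (not macOS).
audit_sip_live() {
    if ! command -v csrutil >/dev/null 2>&1; then
        echo "csrutil not found; this check only applies to macOS" >&2
        return 2
    fi
    audit_sip_output "$(csrutil status 2>&1)"
}

# Stand-alone use: report the live state when running on macOS.
if command -v csrutil >/dev/null 2>&1; then
    if audit_sip_live; then
        echo "PASS: System Integrity Protection is enabled"
    else
        echo "FAIL: System Integrity Protection is disabled or customised"
    fi
fi
```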

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-7(2), 800-53|CM-8(3), 800-53|CM-10, 800-53|CM-11, 800-53|SI-16, CSCv7|2.6

Plugin: Unix

Control ID: 9a2c492f09c932ba80ee4710bf19337c7e91dca928357bee245c9a73c8ca3b6f