id: os_sip_enable
title: Ensure System Integrity Protection is Enabled
discussion: |
  System Integrity Protection (SIP) _MUST_ be enabled.

  SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders.

  NOTE: SIP is enabled by default in macOS.
check: |
  /usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'
result:
  integer: 1
fix: |
  [source,bash]
  ----
  /usr/bin/csrutil enable
  ----
  NOTE: To re-enable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
  cce:
    - CCE-95298-6
  cci:
    - CCI-000154
    - CCI-000158
    - CCI-000169
    - CCI-001493
    - CCI-001494
    - CCI-001495
    - CCI-001499
    - CCI-001875
    - CCI-001876
    - CCI-001877
    - CCI-001878
    - CCI-001879
    - CCI-001880
    - CCI-001881
    - CCI-001882
    - CCI-001090
    - CCI-001496
  800-53r5:
    - AC-3
    - AU-9
    - AU-9(3)
    - CM-5
    - CM-5(6)
    - SC-4
    - SI-2
    - SI-7
  800-53r4:
    - AC-3
    - AU-6(4)
    - AU-7(1)
    - AU-7
    - AU-9
    - AU-9(3)
    - CM-5(6)
    - CM-5
    - SC-4
  srg:
    - SRG-OS-000256-GPOS-00097
    - SRG-OS-000057-GPOS-00027
    - SRG-OS-000062-GPOS-00031
    - SRG-OS-000051-GPOS-00024
    - SRG-OS-000054-GPOS-00025
    - SRG-OS-000278-GPOS-00108
    - SRG-OS-000080-GPOS-00048
    - SRG-OS-000059-GPOS-00029
    - SRG-OS-000138-GPOS-00069
    - SRG-OS-000257-GPOS-00098
    - SRG-OS-000258-GPOS-00099
    - SRG-OS-000259-GPOS-00100
    - SRG-OS-000122-GPOS-00063
    - SRG-OS-000058-GPOS-00028
  disa_stig:
    - APPL-26-005001
  800-171r3:
    - 03.01.02
    - 03.03.08
    - 03.04.05
    - 03.13.04
  cis:
    benchmark:
      - 5.1.2 (level 1)
    controls v8:
      - 2.3
      - 2.6
      - 10.5
  cmmc:
    - AC.L1-3.1.1
    - AU.L2-3.3.8
    - CM.L2-3.4.5
    - SC.L2-3.13.4
    - SI.L1-3.14.1
    - SI.L1-3.14.4
macOS:
  - '26.0'
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-171
  - cisv8
  - cis_lvl1
  - cis_lvl2
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
  - cmmc_lvl1
  - stig
  - cnssi-1253_moderate
severity: high
mobileconfig: false
mobileconfig_info: