The macOS system must ensure System Integrity Protection is enabled.

STIG ID: APPL-14-005001  |  SRG: SRG-OS-000051-GPOS-00024 |  Severity: high |  CCI: CCI-000154,CCI-000158,CCI-000162,CCI-000163,CCI-000164,CCI-000169,CCI-000213,CCI-001493,CCI-001494,CCI-001495,CCI-001496,CCI-001499,CCI-001876,CCI-001878 |  Vulnerability Id: V-259560

Vulnerability Discussion

System Integrity Protection (SIP) must be enabled.

SIP is vital to protecting the integrity of the system as it prevents malicious users and software from
making unauthorized and/or unintended modifications to protected files and folders; ensures the presence
of an audit record generation capability for defined auditable events for all operating system
components; protects audit tools from unauthorized access, modification, and deletion; restricts the
root user account and limits the actions that the root user can perform on protected parts of macOS;
and prevents nonprivileged users from granting other users direct access to the contents of their home
directories and folders.

Note: SIP is enabled by default in macOS.

Satisfies:
SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000062-GPOS-00031,SRG-OS-000080-GPOS-00048,SRG-OS-000122-GPOS-00063,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000259-GPOS-00100,SRG-OS-000278-GPOS-00108,SRG-OS-000350-GPOS-00138

Check

Verify the macOS system is configured to enable System Integrity Protection with the
following command:

/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'

If the result is not "1", this is a finding.

/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn

If the result is not "1", this is a finding.

Fix

Configure the macOS system to enable "System Integrity Protection" by
booting into "Recovery" mode, launching "Terminal" from the "Utilities" menu, and running the following
command:

/usr/bin/csrutil enable