The macOS system must ensure System Integrity Protection is enabled.

STIG ID: APPL-14-005001  |  SRG: SRG-OS-000051-GPOS-00024 |  Severity: high |  CCI: CCI-000154,CCI-000158,CCI-000162,CCI-000163,CCI-000164,CCI-000169,CCI-000213,CCI-001493,CCI-001494,CCI-001495,CCI-001496,CCI-001499,CCI-001876,CCI-001878 |  Vulnerability Id: V-259560 | 

Vulnerability Discussion

System Integrity Protection (SIP) must be enabled.

SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents nonprivileged users from granting other users direct access to the contents of their home directories and folders.

Note: SIP is enabled by default in macOS.

Satisfies: SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000062-GPOS-00031,SRG-OS-000080-GPOS-00048,SRG-OS-000122-GPOS-00063,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000259-GPOS-00100,SRG-OS-000278-GPOS-00108,SRG-OS-000350-GPOS-00138

Check

Verify the macOS system is configured to enable System Integrity Protection with the following command:

/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'

If the result is not "1", this is a finding.

/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn

If the result is not "1", this is a finding.

Fix

Configure the macOS system to enable "System Integrity Protection" by booting into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the following command:

/usr/bin/csrutil enable