What does this control check?

The SystemIntegrityProtection control verifies that macOS System Integrity Protection (SIP) is enabled. SIP is a security feature that protects critical system files and processes from being modified, even by users with administrator privileges or by malware with root access.

Important: SIP works at a fundamental level in macOS, preventing unauthorized modifications to essential system files, frameworks, and applications. Even if malware gains administrative access to your Mac, SIP prevents it from tampering with core macOS components. SIP is usually only disabled intentionally by developers or system administrators for very specific technical reasons, but doing so significantly weakens your Mac's security by removing this fundamental protection layer.

Why is this important?

🔒

System Integrity

SIP prevents malware and unauthorized software from modifying critical macOS components, ensuring your system remains in a known, secure state.

🦠

Rootkit Prevention

Even advanced malware with root access cannot bypass SIP to install rootkits or modify protected system files, providing defense against sophisticated attacks.

🛡️

Kernel Protection

SIP prevents unauthorized kernel extensions and system modifications that could compromise your Mac's security, stability, and privacy at the deepest level.

How to fix this

Enabling System Integrity Protection on macOS

⚠️ This requires advanced technical steps:
  • Re-enabling SIP requires booting into Recovery Mode
  • The process varies depending on your Mac model (Intel vs Apple Silicon)
  • Incorrect steps could cause problems with your system
  • We strongly recommend contacting IT support for assistance

Why might SIP be disabled?

SIP is usually only disabled for specific technical reasons:

  • Installing certain developer tools or kernel extensions
  • Running older professional software incompatible with SIP
  • Troubleshooting system issues under IT supervision
  • Using virtualization or low-level development tools

If you disabled SIP for a specific task, it should be re-enabled afterward. Contact IT support to determine if you still need SIP disabled or if it can be safely re-enabled.

Re-enabling SIP (Intel Macs):

  1. Restart your Mac
  2. Hold Command + R during startup to enter Recovery Mode
  3. Wait for the macOS Utilities window to appear
  4. Click Utilities → Terminal from the menu bar
  5. Type: csrutil enable
  6. Press Enter
  7. You should see "Successfully enabled System Integrity Protection"
  8. Click Apple menu → Restart

Re-enabling SIP (Apple Silicon Macs):

  1. Shut down your Mac completely
  2. Press and hold the Power button until you see "Loading startup options"
  3. Click Options and then Continue
  4. Select your user account and enter your password
  5. Click Utilities → Terminal from the menu bar
  6. Type: csrutil enable
  7. Press Enter
  8. You should see "Successfully enabled System Integrity Protection"
  9. Click Apple menu → Restart

⚠️ Important notes:
  • Recovery Mode looks different from normal macOS - this is expected
  • Make sure you type the command exactly: csrutil enable
  • You must restart after running the command for SIP to take effect
  • If you have software that requires SIP disabled, it may stop working
  • Contact IT support if you encounter any errors or issues

Verifying the fix

After enabling System Integrity Protection, Citadel will automatically verify this control during its next check.

To verify SIP is enabled:

  1. Open Terminal (Applications → Utilities → Terminal)
  2. Type: csrutil status
  3. Press Enter
  4. You should see: "System Integrity Protection status: enabled."
  5. If you see "disabled" or any individual protections disabled, SIP is not fully enabled
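The manual check above can be scripted. The following is an added example, not Citadel's own code: it classifies the text printed by csrutil status and lists any individual protections reported as disabled. The function names and the sample output are constructed for illustration, and skipping the "Apple Internal" line is an assumption based on commonly seen output.

```shell
#!/bin/sh
# Added example: interpret `csrutil status` output. Function names are hypothetical.

# Constructed sample of a partially disabled ("custom") configuration.
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled'

# Print one of: enabled | disabled | custom | unknown
sip_state() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^System Integrity Protection status: *//p' | head -n 1)
    case "$value" in
        '')        echo unknown ;;   # no status line found at all
        enabled.)  echo enabled ;;   # the only fully protected answer
        disabled.) echo disabled ;;
        *)         echo custom ;;    # e.g. "unknown (Custom Configuration)."
    esac
}

# List the individual protections reported as disabled, one per line.
# Assumption: "Apple Internal" is skipped because it is not a protection
# and normally reads "disabled" on ordinary Macs.
sip_disabled_items() {
    printf '%s\n' "$1" |
        sed -n -e '/Apple Internal/d' -e 's/^[[:space:]]*\(.*\): disabled$/\1/p'
}

# Exit status 0 only when SIP is fully enabled.
sip_compliant() { [ "$(sip_state "$1")" = enabled ]; }

# Use the real tool when present (macOS); otherwise fall back to the sample.
if command -v csrutil >/dev/null 2>&1; then
    out=$(csrutil status 2>&1 || true)
else
    out=$SAMPLE_CUSTOM
fi
echo "SIP state: $(sip_state "$out")"
sip_disabled_items "$out" | sed 's/^/  disabled: /'
if sip_compliant "$out"; then echo "PASS"; else echo "FAIL: SIP is not fully enabled"; fi
```

Anything other than the exact "enabled." status is treated as a failure, which matches step 5 above.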