Documenting macOS commands that are useful for exploring the system.


dscl is the command line interface for the macOS directory services authentication framework. It can list, write and read information regarding the users on the local machine, or about the directory if deployed in a LDAP envrioment.

Example uses:

  • dscl . -ls /Users - List all users on the system.
  • dscl . -read /Users/$(whoami) - List detailed information from a user.
  • dscl . -read /Users/$(whoami) | grep LinkedIdentity - Get the linked identity of a user.


Starting in macOS 10.12 (High Sierra), the logging system shifted to using os_log API for the system logging which reduced the number of logs written to disk as they would be stored in memory. The log command or can be used to read these logs. The default behavior of the log command can be altered by using a ~/.logrc file in the users home.

Example uses:

  • log [show]|[stream] -last 1h --predicate 'subsystem == ""'


csrutil is the interface to macOS’s System Intergrity Protection (SIP). Changing the settings from this utility can only be done when the machine is booted into recovery mode.

Example uses:

  • csrutil status - The default value is enabled.
  • csrutil [enable]|[disable] - Can only be used from recovery mode.
  • csrutil netboot [add]|[delete] IPv4 - Adds a macOS NetBoot server. NetBoot servers add scripts that can be run versus full installs.


Apple stores many configuration files as property lists which can be be stored as XML, JSON, or a binary format. plutil can lint, display and modify these .plist files.


  • plutil <file>.plist - Lint the sytax of the file.
  • plutil -p <file>.plust - Print the file to stdout.
  • plutil -convert [xml]|[json] <file>.plist Converts files to a new format.


Provides a CLI to the data stored by configd(8).


  • scutil --dns - Grab DNS configuraion for the system


This research is a culimnation of testing things, and reading material by the following folks: