How to trace system calls of a program in Mac OS X?

Under current versions of macOS, executables under paths covered by SIP (like /usr/bin) cannot be traced.

You can bypass this by making a copy of the executable in your home directory and tracing the copy:

cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

You needed to remove the code signature from the new find executable, otherwise SIP still notices that a system file is being accessed (credit: @Anmol Singh Jaggi).


You can use dtruss like in

sudo dtruss find ~/repo -depth 2 -type d -name '.git'

The manual page of that utility will help you to tailor the use of the tool to your needs.