Reply to execsnoop (dtrace based) no longer working in Monterey
I have the same issue, even with SIP disabled:

# csrutil status
System Integrity Protection status: disabled.

# execsnoop
dtrace: invalid probe specifier
/*
 * Command line arguments
 */
inline int OPT_dump = 0;
inline int OPT_cmd = 0;
inline int OPT_time = 0;
inline int OPT_timestr = 0;
inline int OPT_zone = 0;
inline int OPT_safe = 0;
inline int OPT_proj = 0;
inline int FILTER = 0;
inline string COMMAND = ".";

#pragma D option quiet
#pragma D option switchrate=10hz

/*
 * Print header
 */
dtrace:::BEGIN
{
    /* print optional headers */
    OPT_time    ? printf("%-14s ", "TIME")    : 1;
    OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
    OPT_zone    ? printf("%-10s ", "ZONE")    : 1;
    OPT_proj    ? printf("%5s ",   "PROJ")    : 1;

    /* print main headers */
    /* APPLE: Removed "ZONE" header, it has no meaning in darwin */
    OPT_dump ?
        printf("%s %s %s %s %s %s %s\n",
            "TIME", "PROJ", "UID", "PID", "PPID", "COMM", "ARGS") :
        printf("%5s %6s %6s %s\n", "UID", "PID", "PPID", "ARGS");
}

/*
 * Print exec event
 */
/* SOLARIS: syscall::exec:return, syscall::exece:return */
proc:::exec-success
/(FILTER == 0) ||
 (OPT_cmd == 1 && COMMAND == strstr(COMMAND, execname)) ||
 (OPT_cmd == 1 && execname == strstr(execname, COMMAND))/
{
    /* print optional fields */
    OPT_time    ? printf("%-14d ", timestamp/1000)       : 1;
    OPT_timestr ? printf("%-20Y ", walltimestamp)        : 1;
    OPT_zone    ? printf("%-10s ", zonename)             : 1;
    OPT_proj    ? printf("%5d ",   curpsinfo->pr_projid) : 1;

    /* print main data */
    /* APPLE: Removed the zonename output, it has no meaning in darwin */
    OPT_dump ?
        printf("%d %d %d %d %d %s ", timestamp/1000, curpsinfo->pr_projid,
            uid, pid, ppid, execname) :
        printf("%5d %6d %6d ", uid, pid, ppid);
    OPT_safe ?
        printf("%S\n", curpsinfo->pr_psargs) :
        printf("%s\n", curpsinfo->pr_psargs);
}
: probe description proc:::exec-success does not match any probes
Nov ’21
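The error above means the `proc` provider's `exec-success` probe is not being offered by the kernel at all, so SIP is not the gate here. The first check a practitioner should run is to list what is actually available: `sudo dtrace -l -P proc` shows whether any `proc` probes exist, and `sudo dtrace -l -P syscall | grep -E 'execve|posix_spawn'` shows whether the syscall provider still exposes the exec-related system calls. The script below is an added example, not Apple's execsnoop and not anything from the thread: it assumes that the `syscall::execve` and `syscall::posix_spawn` probes are listed on the affected system (if they are not, it fails with the same kind of "does not match any probes" error). It also shows the caveat that makes the syscall provider a weaker substitute for `proc:::exec-success`: `posix_spawn` returns in the parent, so the spawned child's pid has to be read back from the `pid_t *` the caller passed in, and the path has to be copied in at `entry` because after a successful `execve` the old address space holding the pointer is gone.

```d
#!/usr/sbin/dtrace -s
/*
 * exec_fallback.d (added example; not the execsnoop shipped with macOS)
 *
 * Traces process execution through the syscall provider instead of
 * proc:::exec-success. Assumption: syscall::execve and syscall::posix_spawn
 * probes are listed by `dtrace -l -P syscall` on this machine.
 *
 * Run with: sudo dtrace -s exec_fallback.d
 */
#pragma D option quiet
#pragma D option switchrate=10hz

dtrace:::BEGIN
{
    printf("%-5s %6s %6s %-11s %s\n", "UID", "PID", "PPID", "SYSCALL", "PATH");
}

/*
 * execve(path, argv, envp): copy the path in at entry. On a successful
 * execve the calling image is replaced, so the user pointer in arg0 is not
 * safe to dereference from the return probe.
 */
syscall::execve:entry
{
    self->exec_path = copyinstr(arg0);
    self->in_exec = 1;
}

syscall::execve:return
/self->in_exec/
{
    /* errno == 0: the process now runs the new image; pid/ppid are its own */
    printf("%-5d %6d %6d %-11s %s%s\n", uid, pid, ppid, "execve",
        self->exec_path, errno == 0 ? "" : " (failed)");
    self->exec_path = 0;
    self->in_exec = 0;
}

/*
 * posix_spawn(pid_t *pid, const char *path, ...): the return probe fires in
 * the parent, so `pid` here is the parent and the child's pid must be read
 * from the pid_t the kernel wrote through arg0. The caller may pass NULL for
 * that pointer, in which case the child pid is simply not recoverable here.
 */
syscall::posix_spawn:entry
{
    self->spawn_pidp = arg0;
    self->spawn_path = copyinstr(arg1);
    self->in_spawn = 1;
}

syscall::posix_spawn:return
/self->in_spawn && errno == 0 && self->spawn_pidp != 0/
{
    /* child pid from the caller's pid_t; the parent's pid is the child's ppid */
    printf("%-5d %6d %6d %-11s %s\n", uid,
        *(int *)copyin(self->spawn_pidp, sizeof (int)), pid,
        "posix_spawn", self->spawn_path);
}

syscall::posix_spawn:return
/self->in_spawn && errno == 0 && self->spawn_pidp == 0/
{
    printf("%-5d %6s %6d %-11s %s\n", uid, "?", pid, "posix_spawn",
        self->spawn_path);
}

syscall::posix_spawn:return
/self->in_spawn && errno != 0/
{
    printf("%-5d %6s %6d %-11s %s (failed, errno %d)\n", uid, "-", pid,
        "posix_spawn", self->spawn_path, errno);
}

syscall::posix_spawn:return
/self->in_spawn/
{
    self->spawn_pidp = 0;
    self->spawn_path = 0;
    self->in_spawn = 0;
}
```

Two design notes. The thread-local `self->` variables are cleared in the return clauses so that a thread that later makes the same syscall does not print stale state; the separate final `posix_spawn:return` clause does that cleanup after the printing clauses have run, since D evaluates matching clauses in order. And unlike `proc:::exec-success`, this does not see the child's own `curpsinfo->pr_psargs`, because the probe runs in the parent; if the page's original column layout (full argument string) is what you need, the syscall provider cannot fully replace the missing `proc` probe.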