Under current versions of macOS, executables under paths covered by SIP (like /usr/bin
) cannot be traced.
You can bypass this by making a copy of the executable in your home directory and tracing the copy:
cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …
You needed to remove the code signature from the new find
executable, otherwise SIP still notices that a system file is being accessed (credit: @Anmol Singh Jaggi).