While working with the CIS Benchmarks PDF (guidelines for scripts and/or Configuration Profiles) I felt there must be a better and faster way. The people behind the macOS Security Compliance Project did an amazing job automating the guidance, the required scripts, the configuration profiles, and the remediation script.
So I started transforming the CIS Benchmark PDF for Big Sur into a custom rule set that integrates with the macOS Security Compliance Project. You can find the mSCP here and the CIS Benchmark custom rule set here: github.com/mvdbent/CIS-macOS-Security
Usage/Requirements
The CIS Benchmark rules are tested on macOS Big Sur 11 and the latest macOS Security Compliance Project release.
- Download the CIS-macOS-Security to your device.
- Download the macOS Security Compliance Project to your device.
- Install the prerequisites for the macOS Security Compliance Project, see instructions here
- Copy the CIS-macOS-Security /custom/ folder into the macOS Security Compliance Project and overwrite the empty /custom/ folder.
The /custom/ folder in the macOS Security Compliance Project is listed in the .gitignore file, so you can safely update to the latest version of the macOS Security Compliance Project without losing the CIS Benchmark baselines.
Generate a Baseline
The project provides the following baseline files, located in the /custom/baselines/ folder:
- CIS-Benchmark.yaml
- CIS-Benchmark-L1.yaml
- CIS-Benchmark-L2.yaml
If you want to create your own baseline or modify an existing one, the generate_baseline.py script found in the scripts folder will generate a {baseline}.yaml file containing all the rules that carry the provided tag (baseline). This {baseline}.yaml file is required to run the generate_guidance.py script.
Get a list of the available tags; you will see the CIS-Benchmark tags as well:
$ macOS-Security git:(master) ./scripts/generate_baseline.py -l
- 800-171
- 800-53r4_high
- 800-53r4_low
- 800-53r4_moderate
- CIS-Benchmark
- CIS-Benchmark-L1
- CIS-Benchmark-L2
- cnssi-1253
- inherent
- manual
- n_a
- none
- permanent
- stig
- supplemental
Generate a new baseline:
$ macOS-Security git:(master) ./scripts/generate_baseline.py -k CIS-Benchmark-L1
$ macOS-Security git:(master) ls -dn build/baselines/*
-rw-r--r-- 1 501 20 6350 May 10 13:30 build/baselines/CIS-Benchmark-L1.yaml
The generated baseline is saved in the build/baselines/ folder.
Generate CIS Benchmark guidance
To generate the guidance files (AsciiDoc, HTML, PDF, Excel, mobileconfigs, and the compliance script), run the generate_guidance.py script and point it either to one of the built-in baseline.yaml files, or to a custom CIS Benchmark baseline.yaml file from the custom/baselines folder, or to one created by the generate_baseline.py script.
AsciiDoc, HTML, and PDF
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml
AsciiDoc, HTML, and PDF with custom logo
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -l /Git/macOS-Security/custom/Images/cis_banner.png
AsciiDoc, HTML, PDF, and Excel
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -x
AsciiDoc, HTML, PDF, Excel, and mobileconfigs
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -x -p
AsciiDoc, HTML, PDF, Excel, mobileconfigs, and custom logo (use the full path to the custom logo)
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -l /Git/macOS-Security/custom/Images/cis_banner.png -p -x
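As an added example (not code from the original post, the mSCP, or the CIS-macOS-Security repository), here is a POSIX shell check you can run after copying the /custom/ folder and before generate_guidance.py: it lists the rule ids a baseline references and reports any that have no rule file, so a typo in a custom rule name is caught before the guidance build. It assumes the baseline layout shown in the block (rule ids as `- id` entries under `rules:` inside `profile:`) and that rule files live in rules/<section>/<id>.yaml with overrides in custom/rules/<section>/<id>.yaml; the sample project tree is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original post or of the mSCP / CIS-macOS-Security repos.
# Assumed layout: baseline YAML lists rule ids as "- rule_id" under "rules:" within "profile:";
# rule files are rules/<section>/<id>.yaml, with custom overrides in custom/rules/<section>/<id>.yaml.

# Print the rule ids listed in a baseline YAML, one per line.
baseline_rule_ids() {
  # Only "- id" lines that follow a "rules:" key count; "- section:" lines end a rules block.
  awk '
    /^[[:space:]]*rules:[[:space:]]*$/ { in_rules = 1; next }
    /^[[:space:]]*-[[:space:]]*section:/ { in_rules = 0 }
    in_rules && /^[[:space:]]*-[[:space:]]*[A-Za-z0-9_]+[[:space:]]*$/ {
      sub(/^[[:space:]]*-[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print
    }' "$1"
}

# Return 0 if rule id $1 has a YAML file under $2/rules or $2/custom/rules, else 1.
rule_file_exists() {
  for f in "$2"/rules/*/"$1".yaml "$2"/custom/rules/*/"$1".yaml; do
    [ -f "$f" ] && return 0
  done
  return 1
}

# Print every rule id in baseline $1 that has no rule file in project $2.
# Returns 1 if any are missing, so it can gate the generate_guidance.py run.
missing_rule_files() {
  rc=0
  for id in $(baseline_rule_ids "$1"); do
    rule_file_exists "$id" "$2" || { echo "$id"; rc=1; }
  done
  return $rc
}

# Constructed sample tree: two existing rule files (empty, only their presence matters here)
# plus a baseline that also references a rule id with no file. Prints the tree's path.
make_sample_project() {
  d=$(mktemp -d)
  mkdir -p "$d/rules/os" "$d/custom/rules/cis" "$d/custom/baselines"
  : > "$d/rules/os/os_gatekeeper_enable.yaml"
  : > "$d/custom/rules/cis/cis_firewall_enable.yaml"
  printf '%s\n' 'title: "CIS Benchmark L1 (constructed sample)"' 'profile:' \
    '  - section: "system_settings"' '    rules:' '      - os_gatekeeper_enable' \
    '      - cis_firewall_enable' '  - section: "auditing"' '    rules:' \
    '      - audit_rule_not_present' > "$d/custom/baselines/CIS-Benchmark-L1.yaml"
  echo "$d"
}

proj=$(make_sample_project)
if missing_rule_files "$proj/custom/baselines/CIS-Benchmark-L1.yaml" "$proj"; then
  echo "all rules resolve; safe to run generate_guidance.py"
else
  echo "fix the rule ids listed above before generating guidance"
fi
```

Point it at build/baselines/CIS-Benchmark-L1.yaml and your mSCP checkout instead of the sample tree to check a real baseline.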
I hope this helps you build your custom documentation based on the CIS Benchmark for Big Sur.