GitHub

While working with CIS Benchmarks PDF (guidelines for scripts and/or Configuration Profiles) I felt there must be a better and faster way. The guys from the macOS Security Compliance Project did an amazing job automating the guidance, needed scripts, configuration profiles, and remediation script.

While working with CIS Benchmarks PDF (guidelines for scripts and/or Configuration Profiles) I felt there must be a better and faster way. The guys from the macOS Security Compliance Project did an amazing job automating the guidance, needed scripts, configuration profiles, and remediation script.

So I started to transform the CIS Benchmark PDF from Big Sur into custom rules set to integrate with the macOS Security Compliance Project. You can find the mSCP here and the CIS Benchmark custom rules set here github.com/mvdbent/CIS-macOS-Security

Usage/Requirements

The CIS Benchmark rules are tested on macOS Big Sur 11. and the latest macOS Security Compliance Project release.*

  1. Download the CIS-macOS-Security to your device.
  2. Download the macOS Security Compliance Project to your device.
  3. Install the Prerequisites for the macOS Security Compliance Project, see instuctions here
  4. Copy the CIS-macOS-Security /custom/ folder into the macOS Security Compliance Project and overwrite the empty /custom/ folder.

The /custom/ folder in the macOS Security Compliance Project is in the .gitignore file so you can safely update to the latest version of macOS Security Compliance Project without loosing the CIS Benchmark baselines.

Generate a Baseline

The project provides the following baseline files, located in the /custom/baselines/ folder:

  • CIS-Benchmark.yaml
  • CIS-Benchmark-L1.yaml
  • CIS-Benchmark-L2.yaml

If you want to create your own baseline or modify an existing baseline, the generate-baseline.py found in the scripts folder will generate a {baseline}.yaml file containing all the rules corresponding with the provided tag (baseline). This {baseline}.yaml is required to run the generate-guidance.py script.

Get a list of available tags and you will see the CIS-Benchmark tags as well

$ macOS-Security git:(master) ./scripts/generate_baseline.py -l
  • 800-171
  • 800-53r4_high
  • 800-53r4_low
  • 800-53r4_moderate
  • CIS-Benchmark
  • CIS-Benchmark-L1
  • CIS-Benchmark-L2
  • cnssi-1253
  • inherent
  • manual
  • n_a
  • none
  • permanent
  • stig
  • supplemental

Generate a new baseline

$ macOS-Security git:(master) ./scripts/generate_baseline.py -k CIS-Benchmark-L1
$ macOS-Security git:(master) ls -dn build/baselines/*
-rw-r--r--  1 501  20  6350 May 10 13:30 build/baselines/CIS-Benchmark-L1.yaml

The generated baseline will be saved into the build/baselines/

Generate CIS Benchmark guidance

To generate the guidance files (AsciiDoc, HTML, PDF, Excel, mobileconfigs, and compliance script) run the generate-guidance.py script and point it to either one of the built-in baseline.yaml files or a custom CIS Benchmark baseline.yaml file in the custom/baselines folder or created by the generate-baseline.py script.

AsciiDoc, HTML, and PDF

$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml

**AsciiDoc, HTML, and PDF with custom logo **

$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -l /Git/macOS-Security/custom/Images/cis_banner.png

AsciiDoc, HTML, PDF, and Excel

$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -x

AsciiDoc, HTML, PDF, Excel, and mobileconfigs

$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -x -p

AsciiDoc, HTML, PDF, Excel, mobileconfigs, and custom logo use full-path to custom logo

$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -l /Git/macOS-Security/custom/Images/cis_banner.png -p -x

Hope this will help you building your custom documentation based on CIS Benchmark “Big Sur”

Resources

github.com/mvdbent/CIS-Reporting