Current state of the scripts are: "This project is 'As is" please be free to give me any feedback
This CIS Benchmark rule set is build to use with the macOS Security Compliance Project here
While working with CIS Benchmarks PDF (guidelines for scripts and/or Configuration Profiles) I felt there must be a better and faster way. The guys from the macOS Security Compliance Project did an amazing job automating the guidance, needed scripts, configuration profiles, and remediation script.
So I started to transform the CIS Benchmark PDF from Big Sur into custom rules set to integrate with the macOS Security Compliance Project.
The CIS Benchmark rules are tested on macOS Big Sur 11. and the latest macOS Security Compliance Project release.*
- Download the CIS-macOS-Security to your device.
- Download the macOS Security Compliance Project to your device.
- Install the Prerequisites for the macOS Security Compliance Project, see instuctions here
- Copy the CIS-macOS-Security
/custom/folder into the macOS Security Compliance Project and overwrite the empty/custom/folder.
The /custom/ folder in the macOS Security Compliance Project is in the .gitignore file so you can safely update to the latest version of macOS Security Compliance Project without loosing the CIS Benchmark baselines.
The project provides the following baseline files, located in the /custom/baselines/ folder:
- CIS-Benchmark.yaml
- CIS-Benchmark-L1.yaml
- CIS-Benchmark-L2.yaml
If you want to create your own baseline or modify an existing baseline, the generate-baseline.py found in the scripts folder will generate a {baseline}.yaml file containing all the rules corresponding with the provided tag (baseline). This {baseline}.yaml is required to run the generate-guidance.py script.
Get a list of available tags and you will see the CIS-Benchmark tags as well
$ macOS-Security git:(master) ./scripts/generate_baseline.py -l- 800-171
- 800-53r4_high
- 800-53r4_low
- 800-53r4_moderate
- CIS-Benchmark
- CIS-Benchmark-L1
- CIS-Benchmark-L2
- cnssi-1253
- inherent
- manual
- n_a
- none
- permanent
- stig
- supplemental
Generate a new baseline
$ macOS-Security git:(master) ./scripts/generate_baseline.py -k CIS-Benchmark-L1
$ macOS-Security git:(master) ls -dn build/baselines/*
-rw-r--r-- 1 501 20 6350 May 10 13:30 build/baselines/CIS-Benchmark-L1.yamlThe generated baseline will be saved into the build/baselines/
To generate the guidance files (AsciiDoc, HTML, PDF, Excel, mobileconfigs, and compliance script) run the generate-guidance.py script and point it to either one of the built-in baseline.yaml files or a custom CIS Benchmark baseline.yaml file in the custom/baselines folder or created by the generate-baseline.py script.
AsciiDoc, HTML, and PDF
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml**AsciiDoc, HTML, and PDF with custom logo **
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -l /Git/macOS-Security/custom/Images/cis_banner.pngAsciiDoc, HTML, PDF, and Excel
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -xAsciiDoc, HTML, PDF, Excel, and mobileconfigs
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -x -pAsciiDoc, HTML, PDF, Excel, mobileconfigs, and custom logo use full-path to custom logo
$ ./scripts/generate_guidance.py custom/baselines/CIS-Benchmark.yaml -l /Git/macOS-Security/custom/Images/cis_banner.png -p -x