usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 05:53:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Overhaul NIST Pages (#512)

Browse Source 
* customization

* Fixing case sensitive error

* ignoring website temp files

* Prettied the home page, changed words, added links

* Upgraded Astro & Starlight

* Updated social for Astro/Starlight upgrade

* Fixed content to support NIST header/footer

* building new menu and pages

* adding a quick guide, needs correcting

* add supported for .sl-banner if present

* adding a css fix for the anchor links

* fixed accent colors in light/dark mode, added fun to the logo

* Redid menu, reworked all pages, added pages/content

* Fixed URLs to support NIST Pages Upload

* hiding last updated for 404 page

* rewrote home page to reflect changes

* Star Button Support for Light/Dark Mode

* Github Live Data Scripts

* Added Latest Release To Home Screen

* removed homebrew, as advised by the team

* Removed shake, titled logo more
This commit is contained in:
Cody Keats
2025-08-05 09:35:38 -04:00
committed by GitHub
parent 252852d3d2
commit c291db2aa3
65 changed files with 2985 additions and 1273 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -4,3 +4,6 @@
.bundle
bin
mscp_gems
docs/node_modules/
docs/.astro/
docs/package-lock.json

116
docs/astro.config.mjs
View File

@@ -1,11 +1,10 @@
import { defineConfig } from 'astro/config';
import starlight from '@astrojs/starlight';
export default defineConfig({
integrations: [
starlight({
title: 'macOS Security Compliance Project',
title: 'mSCP',
favicon: '/favicon.png',
logo: {
src: './src/assets/logo.png',
@@ -13,6 +12,7 @@ export default defineConfig({
customCss: [
// Path to your custom CSS file
'./src/styles/custom.css',
'./src/styles/home_page.css',
],
head: [
{
@@ -31,58 +31,110 @@ head: [
},
},
],
social: {
slack: 'https://macadmins.slack.com/archives/C0158JKQTC5',
github: 'https://github.com/usnistgov/macos_security',
},
social: [
{ icon: 'github', label: 'GitHub', href: 'https://github.com/usnistgov/macos_security' },
{ icon: 'slack', label: 'Slack', href: 'https://macadmins.slack.com/archives/C0158JKQTC5' },
],
sidebar: [
{
label: 'Introduction',
label: 'Welcome',
collapsed: false,
items: [
{ label: 'Home', link: '/' },
{ label: 'Introduction', link: '/guides/introduction/' },
{ label: 'Getting Started', link: '/guides/getting-started/' },
{ label: 'Introduction', link: '/welcome/introduction/' },
{ label: 'Getting Started', link: '/welcome/getting-started/' },
{ label: 'Quick Guide', link: '/welcome/quick-guide/' },
],
},
{
label: 'How To',
collapsed: false,
label: 'Baselines',
collapsed: true,
items: [
{ label: 'Generate a Baseline', link: '/guides/how-to/generate-baseline/' },
{ label: 'Tailoring', link: '/guides/how-to/tailoring/' },
{ label: 'Generate Guidance', link: '/guides/how-to/generate-guidance/' },
{ label: 'Generate Configuration Profiles', link: '/guides/how-to/generate-profiles/' },
{ label: 'Generate DDM Components', link: '/guides/how-to/generate-declarative/' },
{ label: 'Compliance Script', link: '/guides/how-to/compliance-script/' },
{ label: 'Exemptions', link: '/guides/how-to/exemptions/' },
{ label: 'Customization', link: '/guides/how-to/customization/' },
{ label: 'Generate Mapping', link: '/guides/how-to/generate-mapping/' },
{ label: 'Generate SCAP', link: '/guides/how-to/generate-scap/' },
{ label: 'What Are Baselines?', link: '/baselines/what-are-baselines/' },
{ label: 'How To Generate Baseline', link: '/baselines/how-to-generate-baselines/' },
{ label: 'Baseline File Layout', link: '/baselines/baseline-file-layout/' },
{ label: 'Tailoring a Baseline', link: '/baselines/tailoring-a-baseline/' },
],
},
{
label: 'Guidance',
collapsed: true,
items: [
{ label: 'What Is Guidance?', link: '/guidance/what-is-guidance/' },
{ label: 'How To Generate Guidance', link: '/guidance/how-to-generate-guidance/' },
{ label: 'Guidance File Layout', link: '/guidance/guidance-file-example/' },
],
},
{
label: 'Configuration Profiles',
collapsed: true,
items: [
{ label: 'What Are Configuration Profiles?', link: '/configuration-profiles/what-are-configuration-profiles/' },
{ label: 'How to Generate Configuration Profiles', link: '/configuration-profiles/how-to-generate-configuration-profiles/' },
{ label: 'Configuration Profile Layout', link: '/configuration-profiles/configuration-profile-layout/' },
],
},
{
label: 'DDM Components',
collapsed: true,
items: [
{ label: 'What is DDM?', link: '/ddm-components/what-is-ddm/' },
{ label: 'How to Generate DDM Components', link: '/ddm-components/how-to-generate-ddm-components/' },
{ label: 'DDM Component Layout', link: '/ddm-components/ddm-component-layout/' },
],
},
{
label: 'Compliance Scripts',
collapsed: true,
items: [
{ label: 'What Are Compliance Scripts?', link: '/compliance-scripts/what-are-compliance-scripts/' },
{ label: 'How to Generate Compliance Scripts', link: '/compliance-scripts/how-to-generate-compliance-scripts/' },
{ label: 'Compliance Script Layout', link: '/compliance-scripts/compliance-script-layout/' },
],
},
{
label: 'Other Generated Content',
collapsed: true,
items: [
{ label: 'Generate Mapping', link: '/other/generate-mapping/' },
{ label: 'Generate SCAP', link: '/other/generate-scap/' },
],
},
{
label: 'Personalization',
collapsed: true,
items: [
{ label: 'Tailoring Rules', link: '/personalization/tailoring-rules/' },
{ label: 'Customize Rules', link: '/personalization/customize-rules/' },
{ label: 'Exempting Rules', link: '/personalization/exempting-rules/' },
],
},
{
label: 'Repository',
collapsed: true,
items: [
{ label: 'Layout', link: '/reference/layout/' },
{ label: 'Baselines', link: '/reference/baselines/' },
{ label: 'Includes', link: '/reference/includes/' },
{ label: 'Rules', link: '/reference/rules/' },
{ label: 'Sections', link: '/reference/sections/' },
{ label: 'Scripts', link: '/reference/scripts/' },
{ label: 'Directory Layout', link: '/repository/directory-layout/' },
{ label: 'Includes Directory', link: '/repository/includes-directory/' },
{ label: 'Rules File Layout', link: '/repository/rule-file-layout/' },
{ label: 'Sections File Layout', link: '/repository/sections-file-layout/' },
{ label: 'Script Arguments List', link: '/repository/script-arguments-list/' },
],
},
{
label: 'More Information',
collapsed: true,
items: [
{ label: 'mSCP Resources', link: '/reference/more/resources/' },
{ label: 'Contributing', link: '/reference/more/contributing/' },
{ label: 'Vendor Attribution', link: '/reference/more/vendor-attribution/' },
{ label: 'FAQ', link: '/reference/more/faq/' },
{ label: 'mSCP Training/Resources', link: '/more-information/resources/' },
{ label: 'Contributing', link: '/more-information/contributing/' },
{ label: 'Vendor Attribution', link: '/more-information/vendor-attribution/' },
{ label: 'FAQ', link: '/more-information/faq/' },
],
},
],
editLink: {
baseUrl: 'https://github.com/usnistgov/macos_security/edit/main/docs/',
},
lastUpdated: true,
}),
],
});

4
docs/package.json
View File

@@ -10,8 +10,8 @@
"astro": "astro"
},
"dependencies": {
"@astrojs/starlight": "^0.32.4",
"astro": "^5.5.3",
"@astrojs/starlight": "^0.35.1",
"astro": "^5.12.0",
"sharp": "^0.33.5"
}
}

226
docs/pnpm-lock.yaml generated
View File

@@ -9,11 +9,11 @@ importers:
.:
dependencies:
'@astrojs/starlight':
specifier: ^0.32.4
version: 0.32.6(astro@5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))
specifier: ^0.35.1
version: 0.35.1(astro@5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))
astro:
specifier: ^5.5.3
version: 5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
specifier: ^5.12.0
version: 5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
sharp:
specifier: ^0.33.5
version: 0.33.5
@@ -29,6 +29,9 @@ packages:
'@astrojs/markdown-remark@6.3.2':
resolution: {integrity: sha512-bO35JbWpVvyKRl7cmSJD822e8YA8ThR/YbUsciWNA7yTcqpIAL2hJDToWP5KcZBWxGT6IOdOkHSXARSNZc4l/Q==}
'@astrojs/markdown-remark@6.3.3':
resolution: {integrity: sha512-DDRtD1sPvAuA7ms2btc9A7/7DApKqgLMNrE6kh5tmkfy8utD0Z738gqd3p5aViYYdUtHIyEJ1X4mCMxfCfu15w==}
'@astrojs/mdx@4.3.0':
resolution: {integrity: sha512-OGX2KvPeBzjSSKhkCqrUoDMyzFcjKt5nTE5SFw3RdoLf0nrhyCXBQcCyclzWy1+P+XpOamn+p+hm1EhpCRyPxw==}
engines: {node: 18.20.8 || ^20.3.0 || >=22.0.0}
@@ -42,10 +45,10 @@ packages:
'@astrojs/sitemap@3.4.1':
resolution: {integrity: sha512-VjZvr1e4FH6NHyyHXOiQgLiw94LnCVY4v06wN/D0gZKchTMkg71GrAHJz81/huafcmavtLkIv26HnpfDq6/h/Q==}
'@astrojs/starlight@0.32.6':
resolution: {integrity: sha512-ASWGwNzq+0TmJ+GJFFxFFxx6Yra7BqIIMQbvOy/cweTHjqejB6mcaEWtS3Mag12LM7tXCES7v/fzmdPgjz8Yxw==}
'@astrojs/starlight@0.35.1':
resolution: {integrity: sha512-/hshlAayMd3B+E+h8wY6JWT1lNmX/K1+ugiZPirW5XFo5QUcNMk/Bsa4oHgg+TFoU6kbxPtijo0VppATfD9XuA==}
peerDependencies:
astro: ^5.1.5
astro: ^5.5.0
'@astrojs/telemetry@3.3.0':
resolution: {integrity: sha512-UFBgfeldP06qu6khs/yY+q1cDAaArM2/7AEIqQ9Cuvf7B1hNLq0xDrZkct+QoIGyjq56y8IaE2I3CTvG99mlhQ==}
@@ -232,17 +235,17 @@ packages:
cpu: [x64]
os: [win32]
'@expressive-code/core@0.40.2':
resolution: {integrity: sha512-gXY3v7jbgz6nWKvRpoDxK4AHUPkZRuJsM79vHX/5uhV9/qX6Qnctp/U/dMHog/LCVXcuOps+5nRmf1uxQVPb3w==}
'@expressive-code/core@0.41.3':
resolution: {integrity: sha512-9qzohqU7O0+JwMEEgQhnBPOw5DtsQRBXhW++5fvEywsuX44vCGGof1SL5OvPElvNgaWZ4pFZAFSlkNOkGyLwSQ==}
'@expressive-code/plugin-frames@0.40.2':
resolution: {integrity: sha512-aLw5IlDlZWb10Jo/TTDCVsmJhKfZ7FJI83Zo9VDrV0OBlmHAg7klZqw68VDz7FlftIBVAmMby53/MNXPnMjTSQ==}
'@expressive-code/plugin-frames@0.41.3':
resolution: {integrity: sha512-rFQtmf/3N2CK3Cq/uERweMTYZnBu+CwxBdHuOftEmfA9iBE7gTVvwpbh82P9ZxkPLvc40UMhYt7uNuAZexycRQ==}
'@expressive-code/plugin-shiki@0.40.2':
resolution: {integrity: sha512-t2HMR5BO6GdDW1c1ISBTk66xO503e/Z8ecZdNcr6E4NpUfvY+MRje+LtrcvbBqMwWBBO8RpVKcam/Uy+1GxwKQ==}
'@expressive-code/plugin-shiki@0.41.3':
resolution: {integrity: sha512-RlTARoopzhFJIOVHLGvuXJ8DCEme/hjV+ZnRJBIxzxsKVpGPW4Oshqg9xGhWTYdHstTsxO663s0cdBLzZj9TQA==}
'@expressive-code/plugin-text-markers@0.40.2':
resolution: {integrity: sha512-/XoLjD67K9nfM4TgDlXAExzMJp6ewFKxNpfUw4F7q5Ecy+IU3/9zQQG/O70Zy+RxYTwKGw2MA9kd7yelsxnSmw==}
'@expressive-code/plugin-text-markers@0.41.3':
resolution: {integrity: sha512-SN8tkIzDpA0HLAscEYD2IVrfLiid6qEdE9QLlGVSxO1KEw7qYvjpbNBQjUjMr5/jvTJ7ys6zysU2vLPHE0sb2g==}
'@img/sharp-darwin-arm64@0.33.5':
resolution: {integrity: sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ==}
@@ -495,39 +498,21 @@ packages:
cpu: [x64]
os: [win32]
'@shikijs/core@1.29.2':
resolution: {integrity: sha512-vju0lY9r27jJfOY4Z7+Rt/nIOjzJpZ3y+nYpqtUZInVoXQ/TJZcfGnNOGnKjFdVZb8qexiCuSlZRKcGfhhTTZQ==}
'@shikijs/core@3.6.0':
resolution: {integrity: sha512-9By7Xb3olEX0o6UeJyPLI1PE1scC4d3wcVepvtv2xbuN9/IThYN4Wcwh24rcFeASzPam11MCq8yQpwwzCgSBRw==}
'@shikijs/engine-javascript@1.29.2':
resolution: {integrity: sha512-iNEZv4IrLYPv64Q6k7EPpOCE/nuvGiKl7zxdq0WFuRPF5PAE9PRo2JGq/d8crLusM59BRemJ4eOqrFrC4wiQ+A==}
'@shikijs/engine-javascript@3.6.0':
resolution: {integrity: sha512-7YnLhZG/TU05IHMG14QaLvTW/9WiK8SEYafceccHUSXs2Qr5vJibUwsDfXDLmRi0zHdzsxrGKpSX6hnqe0k8nA==}
'@shikijs/engine-oniguruma@1.29.2':
resolution: {integrity: sha512-7iiOx3SG8+g1MnlzZVDYiaeHe7Ez2Kf2HrJzdmGwkRisT7r4rak0e655AcM/tF9JG/kg5fMNYlLLKglbN7gBqA==}
'@shikijs/engine-oniguruma@3.6.0':
resolution: {integrity: sha512-nmOhIZ9yT3Grd+2plmW/d8+vZ2pcQmo/UnVwXMUXAKTXdi+LK0S08Ancrz5tQQPkxvjBalpMW2aKvwXfelauvA==}
'@shikijs/langs@1.29.2':
resolution: {integrity: sha512-FIBA7N3LZ+223U7cJDUYd5shmciFQlYkFXlkKVaHsCPgfVLiO+e12FmQE6Tf9vuyEsFe3dIl8qGWKXgEHL9wmQ==}
'@shikijs/langs@3.6.0':
resolution: {integrity: sha512-IdZkQJaLBu1LCYCwkr30hNuSDfllOT8RWYVZK1tD2J03DkiagYKRxj/pDSl8Didml3xxuyzUjgtioInwEQM/TA==}
'@shikijs/themes@1.29.2':
resolution: {integrity: sha512-i9TNZlsq4uoyqSbluIcZkmPL9Bfi3djVxRnofUHwvx/h6SRW3cwgBC5SML7vsDcWyukY0eCzVN980rqP6qNl9g==}
'@shikijs/themes@3.6.0':
resolution: {integrity: sha512-Fq2j4nWr1DF4drvmhqKq8x5vVQ27VncF8XZMBuHuQMZvUSS3NBgpqfwz/FoGe36+W6PvniZ1yDlg2d4kmYDU6w==}
'@shikijs/types@1.29.2':
resolution: {integrity: sha512-VJjK0eIijTZf0QSTODEXCqinjBn0joAHQ+aPSBzrv4O2d/QSbsMw+ZeSRx03kV34Hy7NzUvV/7NqfYGRLrASmw==}
'@shikijs/types@3.6.0':
resolution: {integrity: sha512-cLWFiToxYu0aAzJqhXTQsFiJRTFDAGl93IrMSBNaGSzs7ixkLfdG6pH11HipuWFGW5vyx4X47W8HDQ7eSrmBUg==}
@@ -634,13 +619,13 @@ packages:
resolution: {integrity: sha512-LElXdjswlqjWrPpJFg1Fx4wpkOCxj1TDHlSV4PlaRxHGWko024xICaa97ZkMfs6DRKlCguiAI+rbXv5GWwXIkg==}
hasBin: true
astro-expressive-code@0.40.2:
resolution: {integrity: sha512-yJMQId0yXSAbW9I6yqvJ3FcjKzJ8zRL7elbJbllkv1ZJPlsI0NI83Pxn1YL1IapEM347EvOOkSW2GL+2+NO61w==}
astro-expressive-code@0.41.3:
resolution: {integrity: sha512-u+zHMqo/QNLE2eqYRCrK3+XMlKakv33Bzuz+56V1gs8H0y6TZ0hIi3VNbIxeTn51NLn+mJfUV/A0kMNfE4rANw==}
peerDependencies:
astro: ^4.0.0-beta || ^5.0.0-beta || ^3.3.0
astro@5.9.3:
resolution: {integrity: sha512-VReZrpUa/3rfeiVvsQ1A2M3ujDPI+pDGIYOMtXPEZwut8tZoEyealXXLjitgCsJ+3dunKGZbg4Eak6i+r0vniw==}
astro@5.12.0:
resolution: {integrity: sha512-Oov5JsMFHuUmuO+Nx6plfv3nQNK1Xl/8CgLvR8lBhZTjYnraxhuPX5COVAzbom+YLgwaDfK7KBd8zOEopRf9mg==}
engines: {node: 18.20.8 || ^20.3.0 || >=22.0.0, npm: '>=9.6.5', pnpm: '>=7.1.0'}
hasBin: true
@@ -821,9 +806,6 @@ packages:
resolution: {integrity: sha512-2QF/g9/zTaPDc3BjNcVTGoBbXBgYfMTTceLaYcFJ/W9kggFUkhxD/hMEeuLKbugyef9SqAx8cpgwlIP/jinUTA==}
engines: {node: '>=4'}
emoji-regex-xs@1.0.0:
resolution: {integrity: sha512-LRlerrMYoIDrT6jgpeZ2YYl/L8EulRTt5hQcYjy5AInh7HWXKimpqx68aknBFpGL2+/IcogTcaydJEgaTmOpDg==}
emoji-regex@10.4.0:
resolution: {integrity: sha512-EC+0oUMY1Rqm4O6LLrgjtYDvcVYTy7chDnM4Q7030tP4Kwj3u/pR6gP9ygnp2CJMK5Gq+9Q2oqmrFJAz01DXjw==}
@@ -879,8 +861,8 @@ packages:
eventemitter3@5.0.1:
resolution: {integrity: sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==}
expressive-code@0.40.2:
resolution: {integrity: sha512-1zIda2rB0qiDZACawzw2rbdBQiWHBT56uBctS+ezFe5XMAaFaHLnnSYND/Kd+dVzO9HfCXRDpzH3d+3fvOWRcw==}
expressive-code@0.41.3:
resolution: {integrity: sha512-YLnD62jfgBZYrXIPQcJ0a51Afv9h8VlWqEGK9uU2T5nL/5rb8SnA86+7+mgCZe5D34Tff5RNEA5hjNVJYHzrFg==}
extend@3.0.2:
resolution: {integrity: sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==}
@@ -1292,9 +1274,6 @@ packages:
oniguruma-parser@0.12.1:
resolution: {integrity: sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==}
oniguruma-to-es@2.3.0:
resolution: {integrity: sha512-bwALDxriqfKGfUufKGGepCzu9x7nJQuoRoAFp4AnwehhC2crqrDIAP/uN2qdlsAvSMpeRC3+Yzhqc7hLmle5+g==}
oniguruma-to-es@4.3.3:
resolution: {integrity: sha512-rPiZhzC3wXwE59YQMRDodUwwT9FZ9nNBwQQfsd1wfdtlKEyCdRV0avrTcSZ5xlIvGRVPd/cx6ZN45ECmS39xvg==}
@@ -1387,23 +1366,17 @@ packages:
recma-stringify@1.0.0:
resolution: {integrity: sha512-cjwII1MdIIVloKvC9ErQ+OgAtwHBmcZ0Bg4ciz78FtbT8In39aAYbaA7zvxQ61xVMSPE8WxhLwLbhif4Js2C+g==}
regex-recursion@5.1.1:
resolution: {integrity: sha512-ae7SBCbzVNrIjgSbh7wMznPcQel1DNlDtzensnFxpiNpXt1U2ju/bHugH422r+4LAVS1FpW1YCwilmnNsjum9w==}
regex-recursion@6.0.2:
resolution: {integrity: sha512-0YCaSCq2VRIebiaUviZNs0cBz1kg5kVS2UKUfNIx8YVs1cN3AV7NTctO5FOKBA+UT2BPJIWZauYHPqJODG50cg==}
regex-utilities@2.3.0:
resolution: {integrity: sha512-8VhliFJAWRaUiVvREIiW2NXXTmHs4vMNnSzuJVhscgmGav3g9VDxLrQndI3dZZVVdp0ZO/5v0xmX516/7M9cng==}
regex@5.1.1:
resolution: {integrity: sha512-dN5I359AVGPnwzJm2jN1k0W9LPZ+ePvoOeVMMfqIMFz53sSwXkxaJoxr50ptnsC771lK95BnTrVSZxq0b9yCGw==}
regex@6.0.1:
resolution: {integrity: sha512-uorlqlzAKjKQZ5P+kTJr3eeJGSVroLKoHmquUj4zHWuR+hEyNqlXsSKlYYF5F4NI6nl7tWCs0apKJ0lmfsXAPA==}
rehype-expressive-code@0.40.2:
resolution: {integrity: sha512-+kn+AMGCrGzvtH8Q5lC6Y5lnmTV/r33fdmi5QU/IH1KPHKobKr5UnLwJuqHv5jBTSN/0v2wLDS7RTM73FVzqmQ==}
rehype-expressive-code@0.41.3:
resolution: {integrity: sha512-8d9Py4c/V6I/Od2VIXFAdpiO2kc0SV2qTJsRAaqSIcM9aruW4ASLNe2kOEo1inXAAkIhpFzAHTc358HKbvpNUg==}
rehype-format@5.0.1:
resolution: {integrity: sha512-zvmVru9uB0josBVpr946OR8ui7nJEdzZobwLOOqHb/OOD88W0Vk2SqLwoVOj0fM6IPCCO6TaV9CvQvJMWwukFQ==}
@@ -1477,9 +1450,6 @@ packages:
resolution: {integrity: sha512-haPVm1EkS9pgvHrQ/F3Xy+hgcuMV0Wm9vfIBSiwZ05k+xgb0PkBQpGsAA/oWdDobNaZTH5ppvHtzCFbnSEwHVw==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
shiki@1.29.2:
resolution: {integrity: sha512-njXuliz/cP+67jU2hukkxCNuH1yUi4QfdZZY+sMr5PPrIyXSu5iTb/qYC4BiWWB0vZ+7TbdvYUCeL23zpwCfbg==}
shiki@3.6.0:
resolution: {integrity: sha512-tKn/Y0MGBTffQoklaATXmTqDU02zx8NYBGQ+F6gy87/YjKbizcLd+Cybh/0ZtOBX9r1NEnAy/GTRDKtOsc1L9w==}
@@ -1840,12 +1810,38 @@ snapshots:
transitivePeerDependencies:
- supports-color
'@astrojs/mdx@4.3.0(astro@5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))':
'@astrojs/markdown-remark@6.3.3':
dependencies:
'@astrojs/internal-helpers': 0.6.1
'@astrojs/prism': 3.3.0
github-slugger: 2.0.0
hast-util-from-html: 2.0.3
hast-util-to-text: 4.0.2
import-meta-resolve: 4.1.0
js-yaml: 4.1.0
mdast-util-definitions: 6.0.0
rehype-raw: 7.0.0
rehype-stringify: 10.0.1
remark-gfm: 4.0.1
remark-parse: 11.0.0
remark-rehype: 11.1.2
remark-smartypants: 3.0.2
shiki: 3.6.0
smol-toml: 1.3.4
unified: 11.0.5
unist-util-remove-position: 5.0.0
unist-util-visit: 5.0.0
unist-util-visit-parents: 6.0.1
vfile: 6.0.3
transitivePeerDependencies:
- supports-color
'@astrojs/mdx@4.3.0(astro@5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))':
dependencies:
'@astrojs/markdown-remark': 6.3.2
'@mdx-js/mdx': 3.1.0(acorn@8.15.0)
acorn: 8.15.0
astro: 5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
astro: 5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
es-module-lexer: 1.7.0
estree-util-visit: 2.0.0
hast-util-to-html: 9.0.5
@@ -1869,16 +1865,17 @@ snapshots:
stream-replace-string: 2.0.0
zod: 3.25.64
'@astrojs/starlight@0.32.6(astro@5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))':
'@astrojs/starlight@0.35.1(astro@5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))':
dependencies:
'@astrojs/mdx': 4.3.0(astro@5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))
'@astrojs/markdown-remark': 6.3.2
'@astrojs/mdx': 4.3.0(astro@5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))
'@astrojs/sitemap': 3.4.1
'@pagefind/default-ui': 1.3.0
'@types/hast': 3.0.4
'@types/js-yaml': 4.0.9
'@types/mdast': 4.0.4
astro: 5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
astro-expressive-code: 0.40.2(astro@5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))
astro: 5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
astro-expressive-code: 0.41.3(astro@5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3))
bcp-47: 2.1.0
hast-util-from-html: 2.0.3
hast-util-select: 6.0.4
@@ -1894,6 +1891,7 @@ snapshots:
rehype: 13.0.2
rehype-format: 5.0.1
remark-directive: 3.0.1
ultrahtml: 1.6.0
unified: 11.0.5
unist-util-visit: 5.0.0
vfile: 6.0.3
@@ -2017,7 +2015,7 @@ snapshots:
'@esbuild/win32-x64@0.25.5':
optional: true
'@expressive-code/core@0.40.2':
'@expressive-code/core@0.41.3':
dependencies:
'@ctrl/tinycolor': 4.1.0
hast-util-select: 6.0.4
@@ -2029,18 +2027,18 @@ snapshots:
unist-util-visit: 5.0.0
unist-util-visit-parents: 6.0.1
'@expressive-code/plugin-frames@0.40.2':
'@expressive-code/plugin-frames@0.41.3':
dependencies:
'@expressive-code/core': 0.40.2
'@expressive-code/core': 0.41.3
'@expressive-code/plugin-shiki@0.40.2':
'@expressive-code/plugin-shiki@0.41.3':
dependencies:
'@expressive-code/core': 0.40.2
shiki: 1.29.2
'@expressive-code/core': 0.41.3
shiki: 3.6.0
'@expressive-code/plugin-text-markers@0.40.2':
'@expressive-code/plugin-text-markers@0.41.3':
dependencies:
'@expressive-code/core': 0.40.2
'@expressive-code/core': 0.41.3
'@img/sharp-darwin-arm64@0.33.5':
optionalDependencies:
@@ -2236,15 +2234,6 @@ snapshots:
'@rollup/rollup-win32-x64-msvc@4.43.0':
optional: true
'@shikijs/core@1.29.2':
dependencies:
'@shikijs/engine-javascript': 1.29.2
'@shikijs/engine-oniguruma': 1.29.2
'@shikijs/types': 1.29.2
'@shikijs/vscode-textmate': 10.0.2
'@types/hast': 3.0.4
hast-util-to-html: 9.0.5
'@shikijs/core@3.6.0':
dependencies:
'@shikijs/types': 3.6.0
@@ -2252,49 +2241,25 @@ snapshots:
'@types/hast': 3.0.4
hast-util-to-html: 9.0.5
'@shikijs/engine-javascript@1.29.2':
dependencies:
'@shikijs/types': 1.29.2
'@shikijs/vscode-textmate': 10.0.2
oniguruma-to-es: 2.3.0
'@shikijs/engine-javascript@3.6.0':
dependencies:
'@shikijs/types': 3.6.0
'@shikijs/vscode-textmate': 10.0.2
oniguruma-to-es: 4.3.3
'@shikijs/engine-oniguruma@1.29.2':
dependencies:
'@shikijs/types': 1.29.2
'@shikijs/vscode-textmate': 10.0.2
'@shikijs/engine-oniguruma@3.6.0':
dependencies:
'@shikijs/types': 3.6.0
'@shikijs/vscode-textmate': 10.0.2
'@shikijs/langs@1.29.2':
dependencies:
'@shikijs/types': 1.29.2
'@shikijs/langs@3.6.0':
dependencies:
'@shikijs/types': 3.6.0
'@shikijs/themes@1.29.2':
dependencies:
'@shikijs/types': 1.29.2
'@shikijs/themes@3.6.0':
dependencies:
'@shikijs/types': 3.6.0
'@shikijs/types@1.29.2':
dependencies:
'@shikijs/vscode-textmate': 10.0.2
'@types/hast': 3.0.4
'@shikijs/types@3.6.0':
dependencies:
'@shikijs/vscode-textmate': 10.0.2
@@ -2348,7 +2313,7 @@ snapshots:
'@types/sax@1.2.7':
dependencies:
'@types/node': 17.0.45
'@types/node': 24.0.1
'@types/unist@2.0.11': {}
@@ -2387,16 +2352,16 @@ snapshots:
astring@1.9.0: {}
astro-expressive-code@0.40.2(astro@5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)):
astro-expressive-code@0.41.3(astro@5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)):
dependencies:
astro: 5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
rehype-expressive-code: 0.40.2
astro: 5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3)
rehype-expressive-code: 0.41.3
astro@5.9.3(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3):
astro@5.12.0(@types/node@24.0.1)(rollup@4.43.0)(typescript@5.8.3):
dependencies:
'@astrojs/compiler': 2.12.2
'@astrojs/internal-helpers': 0.6.1
'@astrojs/markdown-remark': 6.3.2
'@astrojs/markdown-remark': 6.3.3
'@astrojs/telemetry': 3.3.0
'@capsizecss/unpack': 2.4.0
'@oslojs/encoding': 1.1.0
@@ -2439,6 +2404,7 @@ snapshots:
rehype: 13.0.2
semver: 7.7.2
shiki: 3.6.0
smol-toml: 1.3.4
tinyexec: 0.3.2
tinyglobby: 0.2.14
tsconfck: 3.1.6(typescript@5.8.3)
@@ -2634,8 +2600,6 @@ snapshots:
dset@3.1.4: {}
emoji-regex-xs@1.0.0: {}
emoji-regex@10.4.0: {}
emoji-regex@8.0.0: {}
@@ -2725,12 +2689,12 @@ snapshots:
eventemitter3@5.0.1: {}
expressive-code@0.40.2:
expressive-code@0.41.3:
dependencies:
'@expressive-code/core': 0.40.2
'@expressive-code/plugin-frames': 0.40.2
'@expressive-code/plugin-shiki': 0.40.2
'@expressive-code/plugin-text-markers': 0.40.2
'@expressive-code/core': 0.41.3
'@expressive-code/plugin-frames': 0.41.3
'@expressive-code/plugin-shiki': 0.41.3
'@expressive-code/plugin-text-markers': 0.41.3
extend@3.0.2: {}
@@ -3535,12 +3499,6 @@ snapshots:
oniguruma-parser@0.12.1: {}
oniguruma-to-es@2.3.0:
dependencies:
emoji-regex-xs: 1.0.0
regex: 5.1.1
regex-recursion: 5.1.1
oniguruma-to-es@4.3.3:
dependencies:
oniguruma-parser: 0.12.1
@@ -3660,28 +3618,19 @@ snapshots:
unified: 11.0.5
vfile: 6.0.3
regex-recursion@5.1.1:
dependencies:
regex: 5.1.1
regex-utilities: 2.3.0
regex-recursion@6.0.2:
dependencies:
regex-utilities: 2.3.0
regex-utilities@2.3.0: {}
regex@5.1.1:
dependencies:
regex-utilities: 2.3.0
regex@6.0.1:
dependencies:
regex-utilities: 2.3.0
rehype-expressive-code@0.40.2:
rehype-expressive-code@0.41.3:
dependencies:
expressive-code: 0.40.2
expressive-code: 0.41.3
rehype-format@5.0.1:
dependencies:
@@ -3861,17 +3810,6 @@ snapshots:
'@img/sharp-win32-ia32': 0.33.5
'@img/sharp-win32-x64': 0.33.5
shiki@1.29.2:
dependencies:
'@shikijs/core': 1.29.2
'@shikijs/engine-javascript': 1.29.2
'@shikijs/engine-oniguruma': 1.29.2
'@shikijs/langs': 1.29.2
'@shikijs/themes': 1.29.2
'@shikijs/types': 1.29.2
'@shikijs/vscode-textmate': 10.0.2
'@types/hast': 3.0.4
shiki@3.6.0:
dependencies:
'@shikijs/core': 3.6.0

BIN
docs/public/guidance-example.pdf Normal file
View File

Binary file not shown.

95
docs/scripts/github-buttons.js Normal file
View File

@@ -0,0 +1,95 @@
// GitHub Star Button Script
// ------------------------------------------------------------
// Dynamically inserts a GitHub "Star" button that adapts to light/dark mode
// and updates automatically when the theme changes. Works with Astro/MDX docs.
//
// Usage:
// 1. Add this to your page where you want the button:
//
// <div id="github-button-container"></div>
// <script src="/scripts/github-buttons.js"></script>
//
// 2. The button will automatically update for light/dark mode.
//
// ------------------------------------------------------------
// Returns the GitHub button HTML as a string based on the current theme
function getGitHubButtonHTML() {
const theme = document.documentElement.getAttribute('data-theme');
// Only use "light" or "dark" for GitHub Buttons
const colorScheme = theme === 'dark' ? 'dark' : 'light';
return `<a
class="github-button"
href="https://github.com/usnistgov/macos_security"
data-size="large"
data-show-count="true"
data-color-scheme="${colorScheme}"
aria-label="Star usnistgov/macos_security on GitHub"
>Star</a>`;
}
// Insert or update the GitHub button in the container
function renderDynamicGitHubButton(containerId = 'github-button-container') {
const container = document.getElementById(containerId);
if (!container) return;
// Remove any existing button to avoid duplicates
container.innerHTML = '';
container.innerHTML = getGitHubButtonHTML();
// Always try to render after updating the HTML
if (window.GitHubButtons && typeof window.GitHubButtons.render === 'function') {
setTimeout(() => {
window.GitHubButtons.render();
}, 0);
}
}
// Helper to ensure GitHubButtons.render is called after the library is loaded
function renderGitHubButtonWhenReady(containerId = 'github-button-container') {
renderDynamicGitHubButton(containerId);
// Remove the retry loop, since renderDynamicGitHubButton already calls render if available
}
// Optionally, insert the button into a container and load the library if needed
function insertGitHubButton(containerId = 'github-button-container') {
// Remove any existing GitHub Buttons script to force re-processing
const existingScript = document.querySelector('script[src="https://buttons.github.io/buttons.js"]');
if (existingScript) {
existingScript.remove();
window._githubButtonsLoaded = false;
}
// Only render after the library is loaded
if (!window._githubButtonsLoaded) {
var script = document.createElement('script');
script.async = true;
script.defer = true;
script.src = 'https://buttons.github.io/buttons.js';
script.onload = () => {
window._githubButtonsLoaded = true;
renderDynamicGitHubButton(containerId);
};
document.body.appendChild(script);
} else {
renderDynamicGitHubButton(containerId);
}
}
// Export for manual use
window.getGitHubButtonHTML = getGitHubButtonHTML;
window.insertGitHubButton = insertGitHubButton;
// Listen for theme changes via MutationObserver
const observer = new MutationObserver(() => {
insertGitHubButton(); // Use insertGitHubButton to ensure script is loaded
});
observer.observe(document.documentElement, { attributes: true, attributeFilter: ['data-theme'] });
// Still listen for custom themechange event for compatibility
document.addEventListener('themechange', () => {
insertGitHubButton(); // Use insertGitHubButton to ensure script is loaded
});
window.addEventListener('DOMContentLoaded', () => {
insertGitHubButton();
});

120
docs/scripts/github-latest-release.js Normal file
View File

@@ -0,0 +1,120 @@
// GitHub Latest Release Info Script
// Usage:
// 1. Add <div id="github-latest-release"></div> where you want the info.
// 2. Add <script src="/scripts/github-latest-release.js"></script> to your page.
const GITHUB_OWNER = 'usnistgov';
const GITHUB_REPO = 'macos_security';
const CONTAINER_ID = 'github-latest-release';
function renderReleaseInfo({ tag_name, name, html_url, published_at, body }) {
const date = published_at
? new Date(published_at).toLocaleDateString(undefined, { year: 'numeric', month: 'short', day: 'numeric' })
: '';
let notes = '';
if (body) {
notes = body.replace(/</g, "&lt;");
notes = notes.replace(
/\*\*Full Changelog\*\*:\s*(https?:\/\/[^\s]+)/g,
(match, url) =>
`<a href="${url}" target="_blank" rel="noopener">Full Changelog</a>`
);
notes = `<div class="github-release-notes" style="margin-top:1em; font-size:0.98em; color:var(--sl-color-text, #444); white-space:pre-line;">${notes}</div>`;
}
return `
<div class="github-release-info">
<strong><a href="${html_url}" target="_blank" rel="noopener">
${name || tag_name}
</a></strong>
<span style="color: #888; font-size: 0.9em; font-style: italic;">(${tag_name})</span>
${date ? `<div style="font-size:0.9em; color:var(--sl-color-text, #666); margin-top:2px;">Released: <strong>${date}</strong></div>` : ''}
${notes}
<div style="margin-top:0.7em;">
<a href="https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}/releases" target="_blank" rel="noopener" style="font-size:0.95em;">
View all releases &rarr;
</a>
</div>
</div>
`;
}
function showReleaseLoading() {
const container = document.getElementById(CONTAINER_ID);
if (container) container.innerHTML = 'Loading latest release...';
}
function showReleaseError() {
const container = document.getElementById(CONTAINER_ID);
if (container) container.innerHTML = 'Could not load release info.';
}
function fetchLatestRelease() {
showReleaseLoading();
fetch(`https://api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/latest`)
.then(res => {
if (!res.ok) throw new Error('Network response was not ok');
return res.json();
})
.then(release => {
const container = document.getElementById(CONTAINER_ID);
if (container) container.innerHTML = renderReleaseInfo(release);
})
.catch(() => showReleaseError());
}
function injectReleaseBoxStyles() {
if (document.getElementById('github-release-style')) return;
const style = document.createElement('style');
style.id = 'github-release-style';
style.textContent = `
.github-release-info {
border-radius: 12px;
padding: 1.25em 1.5em;
margin: 1.5em 0;
border: 1px solid #cbd3d8ff;
background: var(--sl-color-bg, #fff);
color: var(--sl-color-text, #316431);
box-shadow: 0 2px 8px 0 rgba(60,60,60,0.06);
transition: background 0.2s, color 0.2s, border-color 0.2s;
}
[data-theme="dark"] .github-release-info {
background: var(--sl-color-bg, #161b22);
color: var(--sl-color-text, #6ab549);
border-color: #2d3133ff;
box-shadow: 0 2px 8px 0 rgba(0,0,0,0.10);
}
.github-release-info a {
color: var(--sl-color-accent, #316431);
text-decoration: none;
font-weight: 500;
transition: color 0.2s;
}
[data-theme="dark"] .github-release-info a {
color: var(--sl-color-accent-high, #6ab549);
}
.github-release-info a:hover {
text-decoration: underline;
}
.github-release-info span {
color: #888;
font-size: 0.9em;
}
[data-theme="dark"] .github-release-info span {
color: #aaa;
}
.github-release-info strong {
color: #111;
font-size: 1.08em;
}
[data-theme="dark"] .github-release-info strong {
color: #fff;
}
`;
document.head.appendChild(style);
}
window.addEventListener('DOMContentLoaded', () => {
injectReleaseBoxStyles();
fetchLatestRelease();
});

27
docs/src/content/docs/404.mdx Normal file
View File

@@ -0,0 +1,27 @@
---
title: ''
template: splash
editUrl: false
lastUpdated: false
hero:
title: '404 You&apos;re Lost!'
tagline: |
Looks like you wandered off the path of greatness into a no man's land.<br>
Find your way back to the best macOS compliance project ever!
image:
file: ../../assets/logo.png
class: hero-logo-effect
style: |
width: 120px;
margin-bottom: 2rem;
opacity: 0.8;
actions:
- text: Go Back Home
link: /
icon: right-arrow
variant: primary
- text: Head To Getting Started
link: /macos_security/welcome/getting-started/
icon: right-arrow
variant: primary
---

84
docs/src/content/docs/baselines/baseline-file-layout.mdx Normal file
View File

@@ -0,0 +1,84 @@
---
title: Baseline File Layout
description: A baselines reference.
---
Baseline files define the controls and rules that make up a security profile. They are used to generate guides, scripts, and mobileconfig files for macOS security.
## Baseline File Structure
A baseline file typically includes the following fields:
### title
A human-readable name for the baseline.
*Example:*
```yaml
title: "Apple macOS 13 (Ventura) Test Baseline"
```
### description
A brief summary describing the purpose and scope of the baseline.
*Example:*
```yaml
description: |
This guide describes the prudent actions to take when securing a macOS 13 system against the Test Baseline.
```
### authors
A list of authors and their organizations.
*Example:*
```yaml
authors: |
|===
|John Smith|NIST
|Jack Doe|NIST
|===
```
### profile
Defines the structure of the baseline, mapping sections to their associated rules:
- **section**: The name of the section (as defined in the `sections` directory) to be included in the guide.
- **rules**: A list of rule IDs that are part of this section. Each rule ID should match the filename and ID of a corresponding rule in the `rules` directory.
*Example:*
```yaml
profile:
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
```
---
## Complete Example Baseline File
```yaml
title: "Apple macOS 13 (Ventura) Test Baseline"
description: |
This guide describes the prudent actions to take when securing a macOS 13 system against the Test Baseline.
authors: |
|===
|John Smith|NIST
|Jack Doe|NIST
|===
profile:
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
```

70
docs/src/content/docs/baselines/how-to-generate-baselines.mdx Normal file
View File

@@ -0,0 +1,70 @@
---
title: How To Generate Baselines
description: An overview on how to generate a baseline.
tableOfContents: false
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
The primary script for generating baselines is located here in the `macos_security` repository:
<FileTree>
- macos_security/
- scripts/ ---> Project scripts
- generate_baseline.py ---> Script to generate baselines
</FileTree>
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
Follow these steps to generate a baseline:
<Steps>
1. **Select or Download the Correct Branch**
- Make sure you are on the branch you want to work from.
- If using `git`, run `git checkout <branch-name>` to switch branches if needed.
2. **Choose the Baseline to Generate**
- Identify the baseline you want to generate (e.g., CIS_lvl1, STIG, etc.).
- Use the `-l` flag to list available baseline options for the selected branch:
```sh
./macos_security-sequoia/scripts/generate_baseline.sh -l
```
3. **Generate the Selected Baseline**
- Use the `-k` flag with the selected tag to generate the baseline:
```sh
./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderate
```
This example generates a baseline for `800-53r5_moderate`.
- Use the `-t` flag to customize the baseline for your organization:
```sh
./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderate -t
```
If you use `-t`, you will be prompted with questions to tailor the baseline. See [How to Tailor a Baseline](./how-to-tailor-a-baseline) for more details.
4. **Locate the Generated Files**
- After running the generation command, the baseline files are created in the following directories:
</Steps>
<FileTree>
- macos_security/
- build/
- baselines/
- BASELINENAME.yaml ---> The generated baseline file (name depends on your selection or customization)
- custom/
- rules/
- *.yaml ---> Custom values you set if you used `-t`
</FileTree>
These files are required to generate the guidance files.
For more information, see [How to Tailor a Baseline](../how-to-tailor-a-baseline) or review the [baseline file layout](../baseline-file-layout).

77
docs/src/content/docs/baselines/tailoring-a-baseline.mdx Normal file
View File

@@ -0,0 +1,77 @@
---
title: Tailoring a baseline
description: Step-by-step guide to tailoring a security baseline for your organization.
tableOfContents: false
---
import { Steps, FileTree } from '@astrojs/starlight/components';
Tailoring allows you to create a custom security baseline that fits your organization's needs. The tailoring process lets you select which rules to include and set organization-defined values (ODVs) for controls that require them.
<FileTree>
- macos_security/
- scripts/
- generate_baseline.py ---> Script to generate and tailor baselines
</FileTree>
Follow these steps to tailor a baseline:
<Steps>
1. **Start the Tailoring Script**
- Run the script with the `-t` flag to begin tailoring:
```sh
./macos_security/scripts/generate_baseline.py -k 800-53r5_moderate -t
```
Replace `800-53r5_moderate` with your desired baseline tag.
2. **Enter Basic Information**
- You will be prompted for:
- Benchmark Name
- Authors Name
- Organization
3. **Select Rules to Include**
- For each rule, you will be asked whether to include it in your tailored baseline:
```
Would you like to include the rule for "audit_acls_files_configure" in your benchmark? [Y/n/all/?]:
```
- Enter `?` to see more details about a rule.
4. **Set Organization Defined Values (ODVs)**
- If a rule requires an ODV, you will be prompted to enter a value or accept the recommended default:
```
Number of failed attempts.
Enter the ODV for "pwpolicy_account_lockout_enforce" or press Enter for the recommended value (3):
```
5. **Review Output Files**
- After completing the prompts, the following files are created:
</Steps>
<FileTree>
- macos_security/
- build/
- baselines/
- YOUR_BENCHMARK.yaml ---> The tailored baseline file
- custom/
- rules/
- *.yaml ---> Custom ODV values for tailored rules
</FileTree>
Each tailored rule with a custom ODV will have a YAML file like:
```yaml
odv:
custom: 11
```
- The `odv.custom` value reflects your organization's choice for that rule.
*Use these tailored files to generate guidance or further customize your security posture. For more details, see [Customization](https://github.com/usnistgov/macos_security/wiki/Customization).*

118
docs/src/content/docs/baselines/what-are-baselines.mdx Normal file
View File

@@ -0,0 +1,118 @@
---
title: What Are Baselines?
description: An overview of baselines and how to use them in the project.
---
import { Aside } from '@astrojs/starlight/components';
A **baseline** is a collection of security rules and configuration settings that define a minimum standard for compliance with a specific security framework or policy. Baselines help organizations ensure their systems meet required security controls and best practices. In this project, a baseline is represented as a YAML file that lists all the rules relevant to a particular compliance target, such as NIST 800-53, DISA-STIG, CIS, or CMMC.
Each baseline is tailored to a specific operating system (macOS, iOS/iPadOS, or visionOS) and compliance level (such as High, Moderate, or Low). This ensures that the security guidance and automation generated from a baseline are appropriate for the OS and the compliance requirements you are targeting. Selecting the correct baseline for your OS and compliance needs is essential for generating accurate guidance and scripts.
The baselines provided in this project are derived from widely recognized security standards and frameworks, including:
- [NIST SP 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- [DISA-STIG](https://public.cyber.mil/stigs/)
- [NIST SP 800-171](https://csrc.nist.gov/pubs/sp/800/171/r3/final)
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
- [CIS Controls V8](https://www.cisecurity.org/controls/v8)
- [CMMC](https://dodcio.defense.gov/cmmc/About/)
- CNSSI 1254
- Indigo (internal or community-driven baseline for iOS)
---
## Baselines Available in This Project
The project provides a variety of baselines, each designed for a specific OS and compliance framework. These files are located in the `/baselines/` folder of the repository. Below is a summary of the available baselines:
- **NIST 800-53** (macOS, iOS/iPadOS, visionOS)
- High: `800-53r5_high.yaml`
- Moderate: `800-53r5_moderate.yaml`
- Low: `800-53r5_low.yaml`
- **DISA-STIG**
- macOS: `DISA-STIG.yaml`
- iOS/iPadOS:
- iOS STIG: `ios_stig.yaml`
- iOS STIG BYOAD: `ios_stig_byoad.yaml`
- **NIST 800-171**
- `800-171.yaml`
- **CIS Benchmarks**
- macOS:
- Level 1: `cis_lvl1.yaml`
- Level 2: `cis_lvl2.yaml` (includes Level 1)
- iOS/iPadOS:
- Level 1 BYOD: `cis_lvl1_byod.yaml`
- Level 2 BYOD: `cis_lvl2_byod.yaml`
- Level 1 Enterprise: `cis_lvl1_enterprise.yaml`
- Level 2 Enterprise: `cis_lvl2_enterprise.yaml`
- **CIS Controls V8**
- `cisv8.yaml`
- **CMMC**
- Level 1: `cmmc_lvl1.yaml`
- Level 2: `cmmc_lvl2.yaml`
- **CNSSI 1254**
- High: `cnssi-1254_high.yaml`
- Moderate: `cnssi-1254_moderate.yaml`
- Low: `cnssi-1254_low.yaml`
- **Indigo (iOS Only)**
- Base: `indigo_base.yaml`
- High: `indigo_high.yaml`
<Aside type="note">
*Each baseline is specific to the OS and compliance level it is designed for. For example, a macOS baseline for NIST 800-53 High will differ from an iOS baseline for CIS Level 1.*
</Aside>
---
## Checking Available Baselines for the Selected Branch
To see all available baseline tags for the currently checked-out branch, run:
```bash
./scripts/generate_baseline.py -l
```
This will list all baseline tags available for your current branch.
Example output:
```bash
800-171
800-53r4_high
800-53r4_low
800-53r4_moderate
800-53r5_high
800-53r5_low
800-53r5_moderate
800-53r5_privacy
all_rules
arm64
cis_lvl1
cis_lvl2
cisv8
cmmc_lvl1
cmmc_lvl2
cnssi-1253_high
cnssi-1253_low
cnssi-1253_moderate
i386
inherent
manual
n_a
none
permanent
srg
stig
supplemental
```
---
## More About Baselines
- **Purpose:** Baselines provide a clear, measurable standard for system configuration and security, serving as a benchmark for compliance efforts.
- **Maintenance:** Baselines are periodically reviewed and updated to reflect changes in security standards, best practices, and emerging threats.
- **Customization:** Organizations can adapt baselines to fit their specific operational requirements or risk tolerance.
- **Auditing:** Baselines are essential during audits, providing evidence that systems are configured according to recognized standards.
- **Automation:** Baselines enable automated tools to assess, enforce, and remediate system configurations.
- **Versioning:** Each baseline may have versions to track updates and changes over time.
- **Community Contributions:** Contributions from the community help keep baselines current and relevant.

75
docs/src/content/docs/compliance-scripts/compliance-script-layout.mdx Normal file
View File

@@ -0,0 +1,75 @@
---
title: Compliance Script Layout
description: An overview of how to generate configuration profiles.
---
import { Aside } from '@astrojs/starlight/components';
Below are the main parameters and interactive options available in the compliance script.
Due to the script's complexity and flexibility, we provide an overview of its usage and interface rather than the full layout.
## Running the Script
You can run the script either interactively or by using command-line flags:
```zsh
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh
```
### Interactive Menu Example
When run interactively, you'll see a menu like this:
```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M A I N - M E N U
macOS Security Compliance Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Last compliance scan: No scans have been run
1. View Last Compliance Report
2. Run New Compliance Scan
3. Run Commands to remediate non-compliant settings
4. Exit
Enter choice [ 1 - 4 ]
```
## Command-Line Options
You can also use command-line flags for automated or non-interactive use:
```zsh
./mscp_compliance.sh Usage
./mscp_compliance.sh [--check] [--fix] [--cfc] [--stats] [--compliant] [--non_compliant] [--reset] [--reset-all] [--quiet=<value>]
```
**Optional parameters:**
- `--check`
Run the compliance checks without interaction.
- `--fix`
Run the remediation commands without interaction.
- `--cfc`
Runs a check, fix, and check cycle without interaction.
- `--stats`
Display statistics from the last compliance check.
- `--compliant`
Report the number of compliant checks.
- `--non_compliant`
Report the number of non-compliant checks.
- `--reset`
Clear all results for the current baseline.
- `--reset-all`
Clear all results for all MSCP baselines.
- `--quiet=<value>`
Control output verbosity:
&nbsp;&nbsp;`1` Show only failed and exempted checks
&nbsp;&nbsp;`2` Show minimal output

125
docs/src/content/docs/compliance-scripts/how-to-generate-compliance-scripts.mdx Normal file
View File

@@ -0,0 +1,125 @@
---
title: How To Generate Compliance Scripts
description: An overview of how to generate configuration profiles.
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
The primary script for generating compliance scripts is located here in the `macos_security` repository:
<FileTree>
- macos_security/
- scripts/
- generate_guidance.py
</FileTree>
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
## Steps to Generate a Compliance Script
<Steps>
1. **Run the Compliance Script Generator**
Use the `-s` flag with `generate_guidance.py` to generate a compliance script for your baseline YAML file:
```sh
./scripts/generate_guidance.py -s baselines/800-53r5_moderate.yaml
```
2. **Review the Output**
The script will generate several files in the `build/BASELINE/` directory:
<FileTree>
- build/
- 800-53r5_moderate/
- 800-53r5_moderate.adoc
- 800-53r5_moderate.html
- 800-53r5_moderate.pdf
- 800-53r5_moderate_compliance.sh
- preferences/
- org.800-53r5_moderate.audit.plist
</FileTree>
</Steps>
## What Gets Generated?
- **Compliance Script**: `{baseline}_compliance.sh`
The main script to check/fix compliance.
- **Audit Plist**: `org.{baseline}.audit.plist`
Used for exemptions and compliance tracking.
- **Reports**: `.adoc`, `.html`, `.pdf`
Documentation and reports for the baseline.
<Aside>
See the section on [Exemptions](https://github.com/usnistgov/macos_security/wiki/exemptions) for more information about how exemptions are implemented.
</Aside>
## Running the Compliance Script
You can run the script interactively or with command-line flags:
```zsh
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh
```
This will present an interactive menu:
```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M A I N - M E N U
macOS Security Compliance Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Last compliance scan: No scans have been run
1. View Last Compliance Report
2. Run New Compliance Scan
3. Run Commands to remediate non-compliant settings
4. Exit
Enter choice [ 1 - 4 ]
```
**Note:**
The `--cfc` flag will trigger a check/fix/check when running the compliance script.
After running, results are written to:
- `/Library/Preferences/org.{baseline}.audit.plist`
- `/Library/Logs/{baseline}_baseline.log`
**Example log output:**
```
Thu Jan 21 15:09:41 UTC 2021 auth_pam_login_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_allow passed (Result: 1, Expected: {integer: 1})
Thu Jan 21 15:09:41 UTC 2021 auth_pam_sudo_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_certificate_trust_enforce_moderate passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_enforce has an exemption (Reason: Broken Reader)
```
<Aside>
To add a custom reference in front of the rule in the `{baseline}_baseline.log`, use the `-r` flag with your custom reference (case sensitive) when running `generate_guidance.py`.
</Aside>
## Compliance Script Command Line Reference
**Note:**
The compliance script expects to be run in a Z Shell (zsh). Running with `sh` or `bash` will result in errors.
```zsh
./mscp_compliance.sh Usage
./mscp_compliance.sh [--check] [--fix] [--cfc] [--stats] [--compliant] [--non_compliant] [--reset] [--reset-all] [--quiet=<value>]
Optional parameters:
--check : run the compliance checks without interaction
--fix : run the remediation commands without interaction
--cfc : runs a check, fix, check without interaction
--stats : display the statistics from last compliance check
--compliant : reports the number of compliant checks
--non_compliant : reports the number of non_compliant checks
--reset : clear out all results for current baseline
--reset-all : clear out all results for ALL MSCP baselines
--quiet=<value> : 1 - show only failed and exempted checks in output
2 - show minimal output
```

18
docs/src/content/docs/compliance-scripts/what-are-compliance-scripts.mdx Normal file
View File

@@ -0,0 +1,18 @@
---
title: What Are Compliance Scripts?
description: An overview of baselines and how to use them in the project.
tableOfContents: false
---
import { Aside } from '@astrojs/starlight/components';
Compliance scripts in the NIST macOS Security Compliance Project (mSCP) are automated scripts designed to check and enforce security settings on macOS systems. These scripts are generated from the project's baselines, which define recommended security controls and configurations.
The compliance scripts allow organizations to:
- **Assess**: Automatically check a system's current configuration against the selected baseline.
- **Remediate**: Apply changes to bring the system into compliance with the baseline.
- **Report**: Generate output showing which settings are compliant or non-compliant.
These scripts are typically generated using the project's tooling and can be run locally or integrated into enterprise management workflows. They help ensure that macOS devices meet NIST and organizational security requirements efficiently and consistently.

99
docs/src/content/docs/configuration-profiles/configuration-profile-layout.mdx Normal file
View File

@@ -0,0 +1,99 @@
---
title: Configuration Profile Layout
description: An overview of how to generate configuration profiles.
---
import { Aside } from '@astrojs/starlight/components';
This page provides a detailed breakdown of a macOS configuration profile in XML (plist) format. Each element is explained to help you understand how to configure and interpret configuration profiles.
## ConsentText
- **ConsentText**: Text displayed to users to inform them about terms, conditions, or warnings before applying the profile.
- **default**: The default consent message shown to users.
## PayloadContent
- **PayloadContent**: An array of dictionaries, each representing a payload (setting or policy) included in the profile.
### Example Payload (com.apple.screensaver)
- **PayloadIdentifier**: A unique identifier for this payload.
- **PayloadType**: The type of payload, specifying the domain or feature being configured.
- **PayloadUUID**: A unique UUID for this payload.
- **PayloadVersion**: The version number of this payload.
- **askForPassword**: If `true`, requires a password to unlock the screensaver.
- **askForPasswordDelay**: The delay (in seconds) before requiring a password after the screensaver starts.
- **idleTime**: Time (in seconds) of inactivity before the screensaver activates.
- **loginWindowIdleTime**: Time (in seconds) of inactivity at the login window before the screensaver activates.
- **moduleName**: The name of the screensaver module to use.
## Other Top-Level Keys
- **PayloadDescription**: A description of the profile and its purpose.
- **PayloadDisplayName**: The display name for the profile.
- **PayloadIdentifier**: A unique identifier for the entire profile.
- **PayloadOrganization**: The organization responsible for the profile.
- **PayloadScope**: The scope of the profile (e.g., `System`).
- **PayloadType**: The type of the profile (should be `Configuration`).
- **PayloadUUID**: A unique UUID for the profile.
- **PayloadVersion**: The version number of the profile.
---
## Complete Example
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ConsentText</key>
<dict>
<key>default</key>
<string>THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER.</string>
</dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadIdentifier</key>
<string>alacarte.macOS.all_rules.4413990e-a57b-4e0e-8902-59f780718b1c</string>
<key>PayloadType</key>
<string>com.apple.screensaver</string>
<key>PayloadUUID</key>
<string>4413990e-a57b-4e0e-8902-59f780718b1c</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>askForPassword</key>
<true/>
<key>askForPasswordDelay</key>
<integer>5</integer>
<key>idleTime</key>
<integer>1200</integer>
<key>loginWindowIdleTime</key>
<integer>1200</integer>
<key>moduleName</key>
<string>Sequoia</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>Created: 2025-07-23
Configuration settings for the com.apple.screensaver preference domain.</string>
<key>PayloadDisplayName</key>
<string>[all_rules] com.apple.screensaver settings</string>
<key>PayloadIdentifier</key>
<string>com.apple.screensaver.all_rules</string>
<key>PayloadOrganization</key>
<string>macOS Security Compliance Project</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8e4caf27-a378-4fca-b753-a87d8123636b</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```

61
docs/src/content/docs/configuration-profiles/how-to-generate-configuration-profiles.mdx Normal file
View File

@@ -0,0 +1,61 @@
---
title: How To Generate Configuration Profiles
description: An overview of how to generate configuration profiles.
tableOfContents: false
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
The primary script for generating configuration profiles is located here in the `macos_security` repository:
<FileTree>
- macos_security/
- scripts/ ---> Project scripts
- generate_guidance.py ---> Script to generate configuration profiles
</FileTree>
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
Follow these steps to generate configuration profiles:
<Steps>
1. **Prepare Your Rules YAML**
- Ensure your rules YAML file contains rules with `mobileconfig: true` and the appropriate `mobileconfig_info` section.
Example:
```yaml
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
enforceSmartCard: true
```
2. **Generate Unsigned Configuration Profiles**
- Run the following command to generate unsigned configuration profiles and corresponding plists:
```sh
./scripts/generate_guidance.py -p build/baselines/800-53r5_moderate.yaml
```
3. **(Optional) Generate Signed Configuration Profiles**
- If you want to generate signed configuration profiles, you need the certificate Subject Key ID (not the SHA-1 hash).
- Retrieve the Subject Key ID with:
```sh
skid=$(security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse | awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}')
security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse -strparse $skid | awk -F: '/HEX DUMP/{print $4}'
```
- Then use the `-H` flag with the Subject Key ID to generate signed profiles:
```sh
./scripts/generate_guidance.py -p -H <HASHVALUE> build/baselines/800-53r5_moderate.yaml
```
4. **Locate the Generated Files**
- After running the script, the configuration profiles and plists will be created in the appropriate output directories.
</Steps>
For more information, see [How to Generate Baselines](../how-to-generate-baselines) or review the [baseline file layout](../baseline-file-layout).

29
docs/src/content/docs/configuration-profiles/what-are-configuration-profiles.mdx Normal file
View File

@@ -0,0 +1,29 @@
---
title: What Are Configuration Profiles?
description: An overview of baselines and how to use them in the project.
---
import { Aside } from '@astrojs/starlight/components';
**Apple Configuration Profiles** are XML files (.mobileconfig) used to define settings, restrictions, and policies for macOS, iOS, iPadOS, and tvOS devices. They allow administrators to manage and enforce configurations such as Wi-Fi settings, VPN, certificates, security restrictions, and more across Apple devices.
### How Configuration Profiles Work
Configuration profiles are created by IT administrators and can be distributed to devices via Mobile Device Management (MDM) solutions, Apple Configurator, email, or direct download. Once installed, the profile automatically applies the specified settings to the device. Profiles can be signed to ensure authenticity and integrity.
### End-User Experience
For end-users, configuration profiles are typically deployed silently and automatically through the organization's MDM solution. Once the profile is pushed to the device, most restrictions and settings are enforced immediately—users may notice changes right away, or in some cases, a reboot may be required before all settings take full effect.
Profiles can be viewed or removed in **System Settings > Privacy & Security > Profiles** (macOS) or **Settings > General > VPN & Device Management** (iOS/iPadOS).
<Aside type="note">
If a configuration profile is deployed via a Mobile Device Management (MDM) solution, the user cannot remove it manually. Only the MDM administrator can remove or update these profiles, ensuring organizational control and compliance.
</Aside>
### Helpful Links
- [Apple Platform Deployment: Configuration Profiles](https://support.apple.com/guide/deployment/configuration-profiles-depca5db5d51/web)
- [Apple Developer Documentation: Configuration Profile Reference](https://developer.apple.com/documentation/devicemanagement/configuration-profile)
- [About configuration profiles on Mac](https://support.apple.com/guide/mac-help/mchlp2469/mac)

90
docs/src/content/docs/ddm-components/ddm-component-layout.mdx Normal file
View File

@@ -0,0 +1,90 @@
---
title: DDM Component Layout
description: An overview of how to generate configuration profiles.
---
import { Aside } from '@astrojs/starlight/components';
This page provides a detailed breakdown of a DDM payload for `com.apple.configuration.passcode.settings`. Each setting is explained to help you understand how to configure passcode requirements effectively.
## Identifier
- **Identifier**: A unique string that identifies this configuration profile.
_Example_: `"org.mscp.all_rules.config.passcode.settings"`
## Type
- **Type**: Specifies the type of configuration.
_Example_: `"com.apple.configuration.passcode.settings"`
## Payload
- **Payload**: Contains the actual settings for the passcode policy.
### MaximumFailedAttempts
- **MaximumFailedAttempts**: The number of failed passcode attempts allowed before the device is locked or wiped.
_Example_: `3`
### MaximumGracePeriodInMinutes
- **MaximumGracePeriodInMinutes**: The maximum time (in minutes) allowed after unlocking before the passcode is required again.
_Example_: `15`
### RequireAlphanumericPasscode
- **RequireAlphanumericPasscode**: If `true`, the passcode must include both letters and numbers.
_Example_: `true`
### CustomRegex
- **CustomRegex**: A custom regular expression that the passcode must match.
_Example_: `^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$`
_This requires at least one uppercase letter, one lowercase letter, and one digit._
### PasscodeReuseLimit
- **PasscodeReuseLimit**: The number of previous passcodes that cannot be reused.
_Example_: `5`
### MaximumPasscodeAgeInDays
- **MaximumPasscodeAgeInDays**: The maximum number of days a passcode can be used before it must be changed.
_Example_: `60`
### MinimumLength
- **MinimumLength**: The minimum number of characters required for the passcode.
_Example_: `15`
### RequireComplexPasscode
- **RequireComplexPasscode**: If `true`, the passcode must meet complexity requirements (such as including special characters).
_Example_: `true`
### MinimumComplexCharacters
- **MinimumComplexCharacters**: The minimum number of complex (non-alphanumeric) characters required in the passcode.
_Example_: `1`
---
## Complete Example
```json
{
"Identifier": "org.mscp.all_rules.config.passcode.settings",
"Type": "com.apple.configuration.passcode.settings",
"Payload": {
"MaximumFailedAttempts": 3,
"MaximumGracePeriodInMinutes": 15,
"RequireAlphanumericPasscode": true,
"CustomRegex": "^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$",
"PasscodeReuseLimit": 5,
"MaximumPasscodeAgeInDays": 60,
"MinimumLength": 15,
"RequireComplexPasscode": true,
"MinimumComplexCharacters": 1
}
}
```

52
docs/src/content/docs/ddm-components/how-to-generate-ddm-components.mdx Normal file
View File

@@ -0,0 +1,52 @@
---
title: How To Generate DDM Components
description: An overview of how to generate DDM configuration components.
tableOfContents: false
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
The primary script for generating DDM components is located here in the `macos_security` repository:
<FileTree>
- macos_security/
- scripts/
- generate_guidance.py
</FileTree>
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
To generate all DDM components, run:
```sh
./scripts/generate_guidance.py -D baselines/all_rules.yaml -p -s
```
This will create DDM components in the following directories:
<FileTree>
- Build/
- BASELINENAME/
- activations/
- org.mscp.all_rules.activation.diskmanagement.settings.json
- org.mscp.all_rules.activation.pam.json
- org.mscp.all_rules.activation.passcode.settings.json
- org.mscp.all_rules.activation.sshd.json
- org.mscp.all_rules.activation.sudo.json
- assets/
- com.apple.pam.zip
- com.apple.sshd.zip
- com.apple.sudo.zip
- org.mscp.all_rules.asset.pam.json
- org.mscp.all_rules.asset.sshd.json
- org.mscp.all_rules.asset.sudo.json
- configurations/
- org.mscp.all_rules.config.diskmanagement.settings.json
- org.mscp.all_rules.config.pam.json
- org.mscp.all_rules.config.passcode.settings.json
- org.mscp.all_rules.config.sshd.json
- org.mscp.all_rules.config.sudo.json
</FileTree>
For more information, see [How to Generate Baselines](../how-to-generate-baselines) or review the [baseline file layout](../baseline-file-layout).

44
docs/src/content/docs/ddm-components/what-is-ddm.mdx Normal file
View File

@@ -0,0 +1,44 @@
---
title: What is Declarative Device Management (DDM)?
description: An overview of baselines and how to use them in the project.
---
import { Aside } from '@astrojs/starlight/components';
Declarative Device Management (DDM) is Apple's modern framework for managing Apple devices, introduced to provide a more efficient, scalable, and responsive approach to device management compared to traditional MDM (Mobile Device Management). DDM enables devices to take a more active role in their own management by evaluating conditions and applying configurations locally, rather than relying solely on server-driven commands.
### Why Do You Need DDM?
- **Efficiency:** DDM reduces the need for constant communication between the device and the management server. Devices can react to changes and apply configurations immediately, improving responsiveness and reducing network traffic.
- **Scalability:** By shifting logic and evaluation to the device, DDM allows organizations to manage large fleets of Apple devices more effectively.
- **Reliability:** Devices can enforce compliance and configuration even when offline, ensuring that security and policy requirements are always met.
- **Security:** DDM supports more granular and secure management of settings, profiles, and compliance checks, aligning with Apple's latest security and privacy standards.
### The Old Way: Traditional MDM
Before DDM, Apple devices were managed using Mobile Device Management (MDM), a server-driven approach where the management server dictated all device configurations, compliance checks, and actions. In this model:
- The server sends commands and configuration profiles to the device.
- The device passively waits for instructions and reports back its status.
- Any change or compliance check requires a round-trip to the server.
- Devices are less responsive to changes when offline or between server check-ins.
**Limitations of Traditional MDM:**
- **Latency:** Devices may not react instantly to policy changes or compliance issues, especially if they are offline or have infrequent check-ins.
- **Scalability:** As organizations grow, the server becomes a bottleneck, handling all logic and state for every device.
- **Reliability:** Devices cannot enforce or adapt policies without server communication.
- **Limited Autonomy:** Devices are unable to make decisions or enforce compliance on their own.
### Why Apple is Shifting to DDM
Apple is moving away from traditional MDM because modern device fleets require:
- **Real-time responsiveness:** Devices should react to changes and enforce policies immediately, even when offline.
- **Distributed logic:** Offloading evaluation and compliance to the device itself reduces server load and increases scalability.
- **Better user experience:** Devices can provide instant feedback and adapt to user or environment changes without waiting for server instructions.
- **Enhanced security and privacy:** DDM enables more granular, secure, and privacy-respecting management.
<Aside type="tip">
<strong>In summary:</strong>
The shift from MDM to DDM is about empowering devices to be smarter, more autonomous, and more secure—meeting the needs of modern organizations and users.
</Aside>

20
docs/src/content/docs/guidance/guidance-file-example.mdx Normal file
View File

@@ -0,0 +1,20 @@
---
title: Guidance File Layout
description: An overview on how to generate a baseline.
tableOfContents: false
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
Below is a full example PDF of a generated STIG baseline guidance document.
<br />
<span style="font-size:0.95em;color:var(--sl-color-text-accent,#0070f3);">
<strong>Note:</strong> This example is for the <strong>Sequoia</strong> branch and the <strong>DISA STIGS</strong> baseline.
</span>
<iframe src="/guidance-example.pdf" width="100%" style={{ minHeight: "90vh", border: "1px solid #ccc" }}>
This browser does not support PDFs. Please download the PDF to view it: <a href="/guidance-example.pdf">Download PDF</a>
</iframe>
<Aside type="note">
*The AsciiDoc (`.adoc`) and HTML (`.html`) guidance files generated by the project are very similar in content and layout to this PDF output.*
</Aside>

103
docs/src/content/docs/guidance/how-to-generate-guidance.mdx Normal file
View File

@@ -0,0 +1,103 @@
---
title: How To Generate Guidance
description: An overview on how to generate guidance from an existing baseline.
tableOfContents: false
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
To generate guidance files (AsciiDoc, HTML, and PDF) from an existing baseline, use the `generate_guidance.py` script in the `macos_security` repository.
<Aside type="note">
*The guidance information is generated directly from the baseline YAML file you created or selected. All recommendations, control details, and configuration steps in the guidance output are based on the contents of your chosen baseline.*
</Aside>
<FileTree>
- macos_security/
- scripts/
- generate_guidance.py ---> Script to generate guidance files
- build/
- baselines/
- BASELINENAME.yaml ---> Your generated or customized baseline file
</FileTree>
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
<Steps>
1. **Ensure You Are Using the Correct Baseline File**
- Use either a baseline you generated (custom baseline) or one of the built-in baselines provided by the project.
2. **Run the Guidance Generation Script**
- Point the script to your baseline YAML file:
```sh
./scripts/generate_guidance.py build/baselines/BASELINENAME.yaml
```
Replace `BASELINENAME.yaml` with your actual baseline file.
- The script will generate AsciiDoc, HTML, and PDF guidance documents.
3. **Locate the Generated Guidance Files**
- The output files will be created in a directory under `build/` matching your baseline name, for example:
<FileTree>
- macos_security/
- build/
- 800-53r5_moderate/
- 800-53r5_moderate.adoc
- 800-53r5_moderate.html
- 800-53r5_moderate.pdf
</FileTree>
</Steps>
## Built-in Baseline vs Custom Baseline
When generating guidance, you can use either a **built-in baseline** or a **custom baseline**:
- **Built-in Baseline:**
These are standard baseline YAML files provided by the project and located in the `baselines/` directory. They represent default security configurations such as NIST 800-53, CIS, or STIG profiles.
<FileTree>
- macos_security/
- baselines/
- 800-53r5_moderate.yaml
</FileTree>
Example usage:
```sh
./scripts/generate_guidance.py baselines/800-53r5_moderate.yaml
```
The output files will be generated in a directory under `build/` matching the baseline name.
- **Custom Baseline:**
These are baselines you have tailored for your organization, typically created using the baseline generation and tailoring scripts. Custom baseline files are usually found in `build/baselines/`.
<FileTree>
- macos_security/
- build/
- baselines/
- 800-53r5_moderate.yaml
</FileTree>
Example usage:
```sh
./scripts/generate_guidance.py build/baselines/800-53r5_moderate.yaml
```
The output files will be generated in a directory under `build/` matching your custom baseline.
Both approaches produce guidance files in AsciiDoc, HTML, and PDF formats, but custom baselines allow you to reflect organization-specific requirements and tailoring.
Example output files:
<FileTree>
- macos_security/
- build/
- 800-53r5_moderate/
- 800-53r5_moderate.adoc
- 800-53r5_moderate.html
- 800-53r5_moderate.pdf
</FileTree>

16
docs/src/content/docs/guidance/what-is-guidance.mdx Normal file
View File

@@ -0,0 +1,16 @@
---
title: What is Guidance?
description: An overview of baselines and how to use them in the project.
tableOfContents: false
---
import { Aside } from '@astrojs/starlight/components';
**Guidance** provides clear documentation for security controls, describing what each control is, its purpose, and how it protects your systems.
- **Explanations of security controls:** Clarifies the intent and importance of each control, and how it contributes to securing macOS systems.
- **Implementation steps:** Offers detailed instructions for configuring macOS settings to meet baseline requirements.
- **Assessment procedures:** Outlines methods to verify that systems are properly configured and compliant with security objectives.
- **References and rationale:** Includes links to relevant NIST standards, Apple documentation, and other authoritative sources to support each control.
You can generate guidance files based on the created baseline in formats such as AsciiDoc, HTML, and PDF. These documents are often required by organizations for submission, enabling administrators to efficiently document and justify how the baseline is enforced and the reasoning behind each control.

38
docs/src/content/docs/guides/getting-started.md
View File

@@ -1,38 +0,0 @@
---
title: Getting Started
description: A getting-started reference.
---
## Prerequisites
```
. Git
. Python3
. Python3 Modules
. pyyaml
. xlwt
. Ruby
. Gemfiles
. asciidoctor
. asciidoctor-pdf
. rouge
```
## Getting Started
To work locally, first clone into the repository and install the required Python3 modules and Ruby gems:
```bash
git clone https://github.com/usnistgov/macos_security.git
cd macos_security
# always git checkout one of the OS branches
git checkout sequoia
pip3 install -r requirements.txt --user
bundle install --binstubs --path mscp_gems
```
**❗ IMPORTANT**\
Never work off the `main` branch, always `git checkout` one of the OS branches.

88
docs/src/content/docs/guides/how-to/compliance-script.mdx
View File

@@ -1,88 +0,0 @@
---
title: Compliance Script
description: A compliance-script reference.
---
Adding the `-s` flag to the `generate-guidance.py` script will generate a compliance script, written for Z Shell (zsh), which can be used to check/fix a system.
```
➜ macos_security git:(sequoia) ./scripts/generate_guidance.py -s baselines/800-53r5_moderate.yaml
Profile YAML: baselines/800-53r5_moderate.yaml
Output path: /Users/mscp/src/macos_security/build/800-53r5_moderate/800-53r5_moderate.adoc
Generating compliance script...
Finished building /Users/mscp/src/macos_security/build/800-53r5_moderate/800-53r5_moderate_compliance.sh
Generating HTML file from AsciiDoc...
Generating PDF file from AsciiDoc...
➜ macos_security git:(sequoia) ✗ ls -dn build/800-53r5_moderate/*
-rw-r--r-- 1 501 20 259522 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate.adoc
-rw-r--r-- 1 501 20 859486 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate.html
-rw-r--r-- 1 501 20 2667622 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate.pdf
-rwxr-xr-x 1 501 20 276876 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate_compliance.sh
drwxr-xr-x 3 501 20 96 Jan 19 15:23 build/800-53r5_moderate/preferences
➜ macos_security git:(sequoia) ✗ ls -dn build/800-53r5_moderate/preferences/*
-rw-r--r-- 1 501 20 13688 Jan 19 15:23 build/800-53r5_moderate/preferences/org.800-53r5_moderate.audit.plist
```
When generating the compliance script a `org.{baseline}.audit.plist` will be created. This file represents the structure of how exemptions can be implemented. See the section on [Exemptions](https://github.com/usnistgov/macos_security/wiki/exemptions) for more information.
The `{baseline}_compliance.sh` script can run interactively or with the --check/--fix/--cfc flags. To run the script interactively run the following command:
```zsh
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M A I N - M E N U
macOS Security Compliance Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Last compliance scan: No scans have been run
1. View Last Compliance Report
2. Run New Compliance Scan
3. Run Commands to remediate non-compliant settings
4. Exit
Enter choice [ 1 - 4 ]
```
**📌 NOTE**\
The `--cfc` flag will trigger a check/fix/check when running the compliance script.
After running the script the results are written to `/Library/Preferences/org.{baseline}.audit.plist` and `/Library/Logs/{baseline}_baseline.log`.
**📌 NOTE**\
In order for the script to run commands to remediate non-compliant settings, a successful compliance scan must be run first.
**800-53r5_moderate_baseline.log**
```
Thu Jan 21 15:09:41 UTC 2021 auth_pam_login_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_allow passed (Result: 1, Expected: {integer: 1})
Thu Jan 21 15:09:41 UTC 2021 auth_pam_sudo_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_certificate_trust_enforce_moderate passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_enforce has an exemption (Reason: Broken Reader)
```
**💡 TIP**\
To add a custom reference in front of the rule in the `{baseline}_baseline.log` use the `-r` flag along with the custom reference **(case sensitive)** when running the `generate_guidance.py` script.
## Compliance Script Command Line Argument Reference
**📌 NOTE**\
The compliance script expects to be run in a Z Shell (zsh), trying to execute the script using `sh` or `bash` will result in errors.
```zsh
./mscp_compliance.sh Usage
./mscp_compliance.sh [--check] [--fix] [--cfc] [--stats] [--compliant] [--non_compliant] [--reset] [--reset-all] [--quiet=<value>]
Optional parameters:
--check : run the compliance checks without interaction
--fix : run the remediation commands without interaction
--cfc : runs a check, fix, check without interaction
--stats : display the statistics from last compliance check
--compliant : reports the number of compliant checks
--non_compliant : reports the number of non_compliant checks
--reset : clear out all results for current baseline
--reset-all : clear out all results for ALL MSCP baselines
--quiet=<value> : 1 - show only failed and exempted checks in output
2 - show minimal output
```

46
docs/src/content/docs/guides/how-to/customization.md
View File

@@ -1,46 +0,0 @@
---
title: Customization
description: A customization reference.
---
The project supports modifying existing rules and adding new rules to a baseline, to meet an organizations requirements. For existing rules, only the fields that are being customized need to remain — this ensures that your custom rules will continue working as the project is updated (including updates to meet the needs of future OS releases). Where [tailoring](https://github.com/usnistgov/macos_security/wiki/Tailoring) is used to select which rules to include in a benchmark, customizing is modifying the rules themselves.
To modify an existing rule do the following:
1. Copy the existing rule file to the `custom` folder. The name must rename the same.
2. Remove any fields that dont need to be modified.
3. Modify the fields that meet your organizational defined values.
4. Run `generate_guidance.py`, the custom version of the rule will be added to the output.
**Example (Configure macOS to Use an Authorized Time Server)**
```YAML
references:
custom:
MSCP:
- MSCP-OS-001
URL:
- https://developer.apple.com/documentation/devicemanagement/timeserver
Remediation Tool:
- MDM
```
To add an new rule, follow these steps:
1. Create a new rules.yaml file in the `custom` folder.
1. If the rule contains a configuration profile payload not in the project, add the new payload to `supported_payloads.yaml` in the `includes` folder.
2. Run `generate_baseline.py` to add the new rule to your baseline.
3. Run `generate_guidance.py` against the customized baseline.
**Use Case:**
If you want to include a custom version of rule that still explains the control, but do not want to include a check, result, or fix see below. By adding the `manual` tag to the custom rule will also ensure it does not show up in the compliance script.
**Example Rule (No Check/Result/Fix)**
```YAML
check: |
result: |
fix: |
tag:
- manual

25
docs/src/content/docs/guides/how-to/exemptions.mdx
View File

@@ -1,25 +0,0 @@
---
title: Exemptions
description: A exemptions reference.
---
The `org.{baseline}.audit.plist` is used to set an exemption to rules that users in your organization have approval to be configured out of compliance. Exemptions allow these systems to be reported as compliant even when the setting is configured different from the rules expected result. While the check will still be identified as a finding in the logs and .plist file, having it also marked as exempt will allow reporting tools to exclude it from being non-compliant.
This file can either exist in `/Library/Preferences/org.{baseline}.audit.plist` or applied via a custom configuration profile.
To set an exemption for a rule, `exempt` should be set to true and an `exempt_reason` should be added. To set an exemption for `auth_smartcard_enforce` the rule, run the following:
```
sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt bool true" /Library/Preferences/org.800-53r5_moderate.audit.plist
sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt_reason string 'Reader Issues'" /Library/Preferences/org.800-53r5_moderate.audit.plist
/usr/libexec/PlistBuddy -c "Print auth_smartcard_enforce" /Library/Preferences/org.800-53r5_moderate.audit.plist
Dict {
finding = true
exempt = true
exempt_reason = Reader Issues
}
```
**📌 NOTE**\
If `org.{baseline}.audit.plist` is not set, the script will default `exempt` to false.

55
docs/src/content/docs/guides/how-to/generate-SCAP.md
View File

@@ -1,55 +0,0 @@
---
title: Generate SCAP
description: A generate-scap reference.
---
To generate SCAP, OVAL, or XCCDF run the `generate_scap.py` script.
**❗ IMPORTANT**\
Never work off the `main` branch, always `git checkout` one of the OS branches.
When running the `generate_scap.py` with no arguments, it will generate an SCAP 1.3 document with an XCCDF profile for every baseline available as a tag in the `rules` and `custom` folder.
Running `generate_scap.py` with the `-x` argument it will generate an XCCDF document and running `generate_scap.py` with the `-o` argument will generate an OVAL document.
Documents can be generated for just a specific baseline using the `-b` argument. The baselines that the `generate_scap.py` scripts sees are tags that are listed on rule files in `rules` and in `custom`. The baselines can be listed with the `-l` argument.
**Built-in Baseline**
```bash
➜ macos_security git:(sequoia) ./scripts/generate_scap.py
./scripts/generate_scap.py -l
800-171
800-53r4_high
800-53r4_low
800-53r4_moderate
800-53r5_high
800-53r5_low
800-53r5_moderate
800-53r5_privacy
cis_lvl1
cis_lvl2
cisv8
cnssi-1253
stig
➜ macos_security git:(ventura) ./scripts/generate_scap.py -b stig -x
```
This would generate an XCCDF document in the `build` folder for just the stig baseline.
## SCAP References
[Security Content Automation Protocol (SCAP) 1.3](https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3)
That page has links to most of the SCAP-related normative documents.
An SCAP data stream (typically) consists of several XML documents knit together in a containing XML document.
The component documents are
- An XCCDF document
- An OVAL document referenced by the XCCDF document
- An OCIL document referenced by the XCCDF document
- A CPE dictionary document referenced by the XCCDF document
- An OVAL document referenced by the CPE dictionary document
[National Checklist Program for IT Products Guidelines for Checklist Users and Developers](https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final)
[National Checklist Program Repository](https://nvd.nist.gov/ncp/repository)

85
docs/src/content/docs/guides/how-to/generate-baseline.mdx
View File

@@ -1,85 +0,0 @@
---
title: Generate a Baseline
description: A generate-a-baseline reference.
---
The project provides the following baseline files, located in the `/baselines/` folder:
* NIST 800-53
* macOS, iOS/iPadOS, and visionOS
* High `800-53r5_high.yaml`
* Moderate `800-53r5_moderate.yaml`
* Low `800-53r5_low.yaml`
* DISA-STIG
* macOS
* `DISA-STIG.yaml`
* iOS/iPadOS
* iOS STIG `ios_stig.yaml`
* iOS STIG BYOAD `ios_stig_byoad.yaml`
* NIST 800-171 `800-171.yaml`
* CIS
* macOS
* CIS Level 1 `cis_lvl1.yaml`
* CIS Level 2 `cis_lvl2.yaml` (Contains Level 1)
* iOS/iPadOS
* CIS Level 1 BYOD `cis_lvl1_byod.yaml`
* CIS Level 2 BYOD `cis_lvl2_byod.yaml`
* CIS Level 1 Enterprise `cis_lvl1_enterprise.yaml`
* CIS Level 2 Enterprise `cis_lvl1_enterprise.yaml`
* CIS Controls V8 `cisv8.yaml`
* CMMC Level 1 `cmmc_lvl1.yaml`
* CMMC Level 2 `cmmc_lvl2.yaml`
* CNSSI 1254
* High `cnssi-1254_high.yaml`
* Moderate `cnssi-1254_moderate.yaml`
* Low `cnssi-1254_low.yaml`
* indigo (iOS Only)
* Base `indigo_base.yaml`
* High `indigo_high.yaml`
**❗ IMPORTANT**\
Never work off the `main` branch, always `git checkout` one of the OS branches.
If you want to create your own baseline or modify an existing baseline, the `generate-baseline.py` found in the scripts folder will generate a `{baseline}.yaml` file containing all the rules corresponding with the provided tag (baseline). This `{baseline}.yaml` is required to run the `generate-guidance.py` script.
**Get a list of available tags**
```bash
➜ macos_security git:(sequoia) ./scripts/generate_baseline.py -l
800-171
800-53r4_high
800-53r4_low
800-53r4_moderate
800-53r5_high
800-53r5_low
800-53r5_moderate
800-53r5_privacy
US_HIPAA
all_rules
arm64
cis_lvl1
cis_lvl2
cisv8
cmmc_lvl1
cmmc_lvl2
cnssi-1253_high
cnssi-1253_low
cnssi-1253_moderate
i386
inherent
manual
n_a
none
permanent
srg
stig
supplemental
```
**Generate a new baseline**
```bash
➜ macos_security git:(sequoia) ./scripts/generate_baseline.py -k 800-53r5_moderate
➜ macos_security git:(sequoia) ls -dn build/baselines/*
-rw-r--r-- 1 501 20 6350 Jan 19 13:30 build/baselines/800-53r5_moderate.yaml
```

34
docs/src/content/docs/guides/how-to/generate-declarative.md
View File

@@ -1,34 +0,0 @@
---
title: Generate Declarative Device Management Components
description: A generate-declarative-components reference.
---
Adding the `-D` flag to the `generate_guidance.py` script will generate all the necessary components for the rules that support declarative device management (DDM). Depending on the configurations chosen, the output might differ.
**Generate DDM content**
`➜ macos_security git:(sequoia) ./scripts/generate_guidance.py -D baselines/all_rules.yaml -p -s`
**Example Output (all_rules)**
```
├── activations
│ ├── org.mscp.all_rules.activation.diskmanagement.settings.json
│ ├── org.mscp.all_rules.activation.pam.json
│ ├── org.mscp.all_rules.activation.passcode.settings.json
│ ├── org.mscp.all_rules.activation.sshd.json
│ └── org.mscp.all_rules.activation.sudo.json
├── assets
│ ├── com.apple.pam.zip
│ ├── com.apple.sshd.zip
│ ├── com.apple.sudo.zip
│ ├── org.mscp.all_rules.asset.pam.json
│ ├── org.mscp.all_rules.asset.sshd.json
│ └── org.mscp.all_rules.asset.sudo.json
└── configurations
├── org.mscp.all_rules.config.diskmanagement.settings.json
├── org.mscp.all_rules.config.pam.json
├── org.mscp.all_rules.config.passcode.settings.json
├── org.mscp.all_rules.config.sshd.json
└── org.mscp.all_rules.config.sudo.json
```

39
docs/src/content/docs/guides/how-to/generate-guidance.mdx
View File

@@ -1,39 +0,0 @@
---
title: Generate Guidance
description: A generate-guidance reference.
---
To generate the guidance files (AsciiDoc, HTML, and PDF) run the `generate_guidance.py` script and point it to either one of the built-in `baseline.yaml` files or a custom `baseline.yaml` file created by the `generate_baseline.py` script.
**❗ IMPORTANT**\
Never work off the `main` branch, always `git checkout` one of the OS branches.
**Built-in Baseline**
```bash
➜ macos_security git:(sequoia) ./scripts/generate_guidance.py baselines/800-53r5_moderate.yaml
Profile YAML: baselines/800-53r5_moderate.yaml
Output path: /Users/mscp/src/macos_security/build/800-53r5_moderate/800-53r5_moderate.adoc
Generating HTML file from AsciiDoc...
Generating PDF file from AsciiDoc...
➜ macos_security git:(sequoia) ls -dn 800-53r5_moderate/*
-rw-r--r-- 1 501 20 259522 Jan 19 15:23 800-53_moderate/800-53r5_moderate.adoc
-rw-r--r-- 1 501 20 859486 Jan 19 15:23 800-53_moderate/800-53r5_moderate.html
-rw-r--r-- 1 501 20 2667622 Jan 19 15:23 800-53_moderate/800-53r5_moderate.pdf
```
**Custom Baseline**
```bash
macos_security git:(sequoia) ./scripts/generate_guidance.py build/baselines/800-53r5_moderate.yaml
Profile YAML: build/baselines/800-53r5_moderate.yaml
Output path: /Users/mscp/src/macos_security/build/800-53r4_moderate/800-53r5_moderate.adoc
Generating HTML file from AsciiDoc...
Generating PDF file from AsciiDoc...
➜ macos_security git:(sequoia) ls -dn build/800-53r5_moderate/*
-rw-r--r-- 1 501 20 260525 Jan 19 13:47 build/800-53r5_moderate/800-53r5_moderate.adoc
-rw-r--r-- 1 501 20 861254 Jan 19 13:47 build/800-53r5_moderate/800-53r5_moderate.html
-rw-r--r-- 1 501 20 2675654 Jan 19 13:47 build/800-53r5_moderate/800-53r5_moderate.pdf
```

38
docs/src/content/docs/guides/how-to/generate-mapping.md
View File

@@ -1,38 +0,0 @@
---
title: Generate Mapping
description: A generate-mapping reference.
---
The generate mapping script allows you to quickly create custom rules and baselines for a compliance framework not published by the project. This is achieved by creating a CSV that contains controls from one framework (Column 1) to one supported by the project (Column 2).
**CSV Format**
```csv
800-171r2,800-53r5
3.1.1,"AC-2, AC-3, AC-17"
3.1.2,"AC-2, AC-3, AC-17"
3.1.3,AC-4
3.1.4,AC-5
```
By default, the script is designed to map a framework to NIST SP 800-53r5. Adding `-f` allows you to map to another supported framework.
**Generate custom rule files**
```
➜ macos_security git:(sequoia) ./scripts/generate_mapping.py ~/Desktop/171-to-53.csv
Mapping CSV: /Users/mscp/Desktop/171-to-53.csv
Source compliance framework: 800-53r5
auth_pam_login_smartcard_enforce - 800-53r5 IA-2(1) maps to 800-171r2 3.5.3
auth_pam_login_smartcard_enforce - 800-53r5 IA-2(8) maps to 800-171r2 3.5.4
auth_smartcard_allow - 800-53r5 IA-2(1) maps to 800-171r2 3.5.3
auth_pam_sudo_smartcard_enforce - 800-53r5 IA-2(1) maps to 800-171r2 3.5.3
auth_pam_sudo_smartcard_enforce - 800-53r5 IA-2(8) maps to 800-171r2 3.5.4
auth_smartcard_enforce - 800-53r5 IA-2 maps to 800-171r2 3.5.1
....
sysprefs_improve_siri_dictation_disable - 800-53r5 AC-20 maps to 800-171r2 3.1.20
sysprefs_improve_siri_dictation_disable - 800-53r5 CM-7 maps to 800-171r2 3.4.6
sysprefs_improve_siri_dictation_disable - 800-53r5 CM-7(1) maps to 800-171r2 3.4.7
800-171r2.yaml baseline file created in build/800-171r2/baseline/
Move all of the folders in rules into the custom folder.
```
For a compliance framework such as the CIS Controls v8. Column 2 header would be `cis/controls v8` and the same would be used for the `-f` option.

34
docs/src/content/docs/guides/how-to/generate-profiles.md
View File

@@ -1,34 +0,0 @@
---
title: Generate Configuration Profiles
description: A generate-configuration-profiles reference.
---
Adding the `-p` flag to the `generate-guidance.py` script will generate configuration profiles and the corresponding plists for the rules that have the `mobileconfig` set to true in the rules YAML file.
```yaml
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
enforceSmartCard: true
```
**Generate Unsigned Configuration Profiles**
```
➜ macos_security git:(sequoia) ./scripts/generate_guidance.py -p build/baselines/800-53r5_moderate.yaml
```
Adding the `-H` flag to the `generate-guidance.py` script will generate signed configuration profiles as well as unsigned for viewing. In order to sign the profiles, the certificate subject key ID and not the SHA-1 hash of the code signing certificate must be provided.
**Get the Subject Key ID for Signing**
```
skid=$(security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse | awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}')
security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse -strparse $skid | awk -F: '/HEX DUMP/{print $4}'
```
**Generate Signed Configuration Profiles**
```
➜ macos_security git:(sequoia) ./scripts/generate_guidance.py -p -H <HASHVALUE> build/baselines/800-53r5_moderate.yaml
```

49
docs/src/content/docs/guides/how-to/tailoring.mdx
View File

@@ -1,49 +0,0 @@
---
title: Tailoring
description: A tailoring reference.
---
The project makes it simple for organizations to construct a tailored benchmark whether starting from one of the NIST 800-53 control baselines, or customizing an already established benchmark. Tailoring a benchmark is different than customizing specific rules. See [Customization](https://github.com/usnistgov/macos_security/wiki/Customization) to learn more.
**Organization Defined Values**
Organization Defined Values, or ODVs, are values determined for controls that meet both the security and functional requirements in an organization. Benchmark authors, like DISA and CIS provide these values for their respective published guidance. In the project, we include recommended values, as well as the defined values for the DISA STIG and CIS Benchmarks as part of the ODV field in the YAML.
## Tailoring a Benchmark
Running the generate_baseline script with the new `-t` argument will step you through the tailoring process. The process will start by prompting for the following:
* Benchmark Name
* Authors Name
* Organization
```
➜ macos_security git:(sequoia) ./scripts/generate_baseline.py -k 800-53r5_moderate -t
Enter a name for your tailored benchmark or press Enter for the default value (800-53r5_moderate): MyOrgs_Benchmark
Enter your name: Allen Golbig
Enter your organization: MyOrg
The inclusion of any given rule is a risk-based-decision (RBD). While each rule is mapped to an 800-53 control, deploying it in your organization should be part of the decision-making process.
You will be prompted to include each rule, and for those with specific organizational defined values (ODV), you will be prompted for those as well.
```
Once completed, you will be prompted whether or not to include each rule in your benchmark.
```
Would you like to include the rule for "audit_acls_files_configure" in your benchmark? [Y/n/all/?]:
```
**📌 NOTE**\
The `?` option with display additional details about the rule, to help an organization decide if it meets their requirements.
If a rule contains an ODV, you will be prompted to assign a value that meets your organizations requirements.
```
Number of failed attempts.
Enter the ODV for "pwpolicy_account_lockout_enforce" or press Enter for the recommended value (3):
```
After the tailoring process is completed, a new yaml file will be created in `build/baselines` and custom rules containing their ODV values will be created in `custom/rules/`. Now you can run the generate guidance script against that tailored benchmark.
```
./scripts/generate_guidance.py build/baselines/MyOrgs_Benchmark.yaml -p -s -x
```

60
docs/src/content/docs/guides/introduction.mdx
View File

@@ -1,60 +0,0 @@
---
title: Introduction
description: A macOS Security Compliance Project Overview.
---
import { Aside } from '@astrojs/starlight/components';
The macOS security compliance project is an open source effort to provide a programmatic approach to generating security guidance. This project can be used to create customized security baselines of technical security controls by leveraging a library of rules which are mapped to compliance requirements in existing security guides or used to develop customized guidance. Through the use of a library of rules that enhance security, and mapping them back to existing guides and policies, a single project can support multiple security guides and regulated industry policies while also allowing for documentation and QA to be uniformly managed through a single effort. This approach simplifies, and radically accelerates, the updating of annual security guidance through a unification and standardization of effort.
Rationale for this project:
* Normalize and accelerate annual adoption of OS/Hardware by having guidance available to meet the needs of new operating systems on release
* Reduce worldwide effort in creating annual guidance by unifying and consolidating compliance efforts into a single project
* Develop a methodology to foster collaboration between baseline authors, reducing overhead and redundancy
* Unify approach in setting controls
* Provide MDM/EMM/security/audit vendors and Apple insight into customer hardening needs
<Aside type="note">
This project is a programmatic approach to security policy and can produce output content to be used IN CONJUNCTION with management and security tools to achieve compliance.
</Aside>
The project includes guidance from the following publications, sourced from various government agencies:
* NIST 800-53 (https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
* FISMA High
* FISMA Moderate
* FISMA Low
* NIST 800-171 (https://csrc.nist.gov/pubs/sp/800/171/r3/final)
* DISA STIG (https://public.cyber.mil/stigs/downloads/)
* CMMC 2.0 (https://dodcio.defense.gov/CMMC/)
* CNSSI-1253 (https://www.dcsa.mil/portals/91/documents/ctp/nao/CNSSI_No1253.pdf)
* indigo (https://www.bsi.bund.de/EN/Themen/Oeffentliche-Verwaltung/Zulassung/mobile_Kommunikation/mobileKommunikation_node.html#doc919528bodyText2)
* indigo Base (iOS Only)
* indigo High (iOS Only)
Non-governmental organizations may use other standards. For example, the Center for Internet Security (CIS) is a nonprofit that publishes its benchmarks. The following CIS projects are supported by the project:
* CIS Benchmarks (https://www.cisecurity.org/benchmark)
* CIS Critical Security Controls Version 8 (https://www.cisecurity.org/controls/v8/)
## Development Team
This effort is a joint project of federal operational IT Security staff and macOS Administrators and is published as a collaboration of: National Institute of Standards and Technology (NIST) (https://www.nist.gov), National Aeronautics and Space Administration (NASA) (https://www.nasa.gov), Defense Information Systems Agency (DISA) (https://www.disa.mil), and Los Alamos National Lab (LANL) (https://www.lanl.gov).
## Objective
To develop an extensible, modern approach to security guidance that can be used by any organization (Government, Enterprise, Education) with the need to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads that can be applied using modern management tools.
## Audience
* System Administrators
* Choose individual actions or a complete guide to generate baseline documentation, configuration profile payloads, and scripts
* Security Professionals
* Review reporting of applied controls against guidance
* Policy Authors
* Map policy metadata to a library of identified and verified controls in order to create/update baselines
* MDM/EMM/Security/Compliance Tool Vendors
* Easily support the configuration, verification, and reporting of security guidance and controls in a product - without recreation or reinterpretation - through the use of trusted source material
* Privacy Officers
* Easily ensure that adequate privacy controls are enabled for institutional organizations

50
docs/src/content/docs/index.mdx
View File

@@ -1,36 +1,60 @@
---
title: macOS Security Compliance Project
description: The macOS security compliance project is an open source effort to provide a programmatic approach to generating security guidance.
description: The macOS Security Compliance Project delivers open source, automated security guidance for macOS, based on NIST SP 800-53 and 800-219. Developed by federal experts and recognized by Apple, it enables organizations to create customized security baselines and technical controls with ease.
template: splash
editUrl: false
lastUpdated: false
hero:
tagline: This is the macOS Security Compliance Project Wiki
tagline: Comprehensive, open source macOS security guidance—built by federal experts, based on NIST SP 800-53 and 800-219, and recognized by Apple.
image:
file: ../../assets/logo.png
class: hero-logo-effect
actions:
- text: Introduction
link: /macos_security/guides/introduction/
link: /macos_security/welcome/introduction/
icon: right-arrow
- text: Getting Started
link: /macos_security/guides/getting-started/
link: /macos_security/welcome/getting-started/
icon: external
variant: minimal
---
import { Card, CardGrid } from '@astrojs/starlight/components';
## Quick Links
## Latest Release:
<div id="github-latest-release"></div>
<script src="/scripts/github-latest-release.js"></script>
## Quick Links
<CardGrid cols={3}>
<Card title="How To" icon="setting">
<Card title="How To Guides" icon="open-book">
Learn how to generate baselines, guidance documents, configuration profiles, and more.
[View How-To Guides](/macos_security/guides/how-to/generate-baseline/)
<ul class="howto-link-list">
<li><a href="/macos_security/welcome/getting-started/">Getting Started<span class="arrow"></span></a></li>
<li><a href="/macos_security/baselines/how-to-generate-baselines/">Generate Baseline<span class="arrow"></span></a></li>
<li><a href="/macos_security/guidance/how-to-generate-guidance/">Generate Guidance<span class="arrow"></span></a></li>
<li><a href="/macos_security/configuration-profiles/how-to-generate-configuration-profiles/">Generate Configuration Profiles<span class="arrow"></span></a></li>
<li><a href="/macos_security/compliance-scripts/how-to-generate-compliance-scripts/">Generate Compliance Scripts<span class="arrow"></span></a></li>
</ul>
</Card>
<Card title="Repository" icon="document">
<Card title="Repository Reference" icon="seti:folder">
Explore the repository structure, including baselines, rules, sections, and scripts.
[Browse Repository](/macos_security/reference/layout/)
</Card>
<Card title="More Information" icon="open-book">
Find additional resources, contribution notes, presentations and training, and the FAQ.
[Learn More](/macos_security/reference/more/resources/)
<ul class="howto-link-list">
<li><a href="/macos_security/repository/directory-layout/">Repository Layout<span class="arrow"></span></a></li>
<li><a href="/macos_security/repository/rule-file-layout/">Rules File Layout<span class="arrow"></span></a></li>
<li><a href="/macos_security/repository/sections-file-layout/">Sections File Layout<span class="arrow"></span></a></li>
<li><a href="/macos_security/repository/includes-directory/">Includes Directory<span class="arrow"></span></a></li>
<li><a href="/macos_security/repository/script-arguments-list/">Scripts Arguments<span class="arrow"></span></a></li>
</ul>
</Card>
</CardGrid>
<Card title="More Information & FAQ" icon="comment" style={{ width: "100%", marginTop: "2rem" }}>
Looking for more details, help, or community resources?
<ul class="howto-link-list">
<li><a href="/macos_security/more-information/resources/">mSCP Resources<span class="arrow"></span></a></li>
<li><a href="/macos_security/more-information/contributing/">How-To Contribute<span class="arrow"></span></a></li>
<li><a href="/macos_security/more-information/faq/">Frequently Asked Questions (FAQ)<span class="arrow"></span></a></li>
</ul>
</Card>

22
docs/src/content/docs/reference/more/Contributing.md → docs/src/content/docs/more-information/Contributing.mdx
View File

@@ -1,24 +1,28 @@
---
title: Contributing
title: How to Contribute to the macOS Security Compliance Project
description: A contributing reference.
---
# How to contribute to the macOS Security Compliance Project
We **encourage contributions and feedback** from the community! This project was created **by Mac Admins, for Mac Admins**—your input, questions, and improvements help make it better for everyone. If you see something that can be improved, have an idea, or spot an issue, please speak up and get involved.
---
## Operating Rules
These operating rules describe and govern NISTs management of this repository and contributors responsibilities. NIST reserves the right to modify this policy at any time.
## Criteria for Contributions and Feedback
This is a moderated platform. NIST will only accept contributions that are contribute per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that: 
This is a moderated platform. NIST will only accept contributions that comply with the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
* states or implies NIST endorsement of any entities, services, or products;  
* is inaccurate;  
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;  
* is clearly "off topic"; 
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
* makes unsupported accusations;
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government [guidelines](http://www.osec.doc.gov/opog/privacy/PII_BII.html); or,
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government [guidelines](http://www.osec.doc.gov/opog/privacy/PII_BII.html); or,
* contains .exe or .jar file types.
_These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._

56
docs/src/content/docs/more-information/FAQ.mdx Normal file
View File

@@ -0,0 +1,56 @@
---
title: FAQ
description: A faq reference.
---
## Why create this project?
Every year, Apple releases a new version of macOS. Traditionally, security professionals and administrators spend months waiting for the release of an official security baseline. By creating an open source, community-driven method for generating baselines for new macOS versions, we can dramatically reduce the time to release and improve security for everyone.
---
## How can I contribute, ask questions, or report bugs?
We encourage everyone to participate!
- **Open an issue** on our [GitHub repository](https://github.com/usnistgov/macos_security/issues) to:
- Ask questions
- Report bugs or problems
- Suggest new features or improvements
- Start or join discussions and decisions about the project
Your feedback and contributions help make the project better for all Mac Admins.
---
## Why use a command line based approach when a configuration profile is available?
Some configuration profiles are set once and do not enforce the setting continuously. The only way to reliably validate and enforce certain settings is through a command line based approach, which allows for ongoing compliance checks and remediation.
---
## Is a Mac management system (MDM) required to implement the controls defined in the YAML?
No, an MDM is not strictly required to implement all controls. However, as macOS evolves, Apple is making it increasingly clear that an MDM server will be necessary to properly secure and manage macOS devices in enterprise environments.
---
## Where can I find more help or documentation?
- Browse our [documentation site](https://usnistgov.github.io/macos_security/)
- Check the [GitHub Discussions](https://github.com/usnistgov/macos_security/discussions) for community Q&A
- Open an [issue](https://github.com/usnistgov/macos_security/issues) for specific questions or problems
---
## How do I stay up to date with project changes?
- Watch or star the [GitHub repository](https://github.com/usnistgov/macos_security)
- Join the [MacAdmins Slack](https://macadmins.slack.com/archives/C0158JKQTC5)
We recommend the `#macos_security_compliance` channel for project updates and discussion.
---
<aside>
Have a question not answered here?
Open an issue or join the discussion on [GitHub](https://github.com/usnistgov/macos_security/issues)!
</aside>

37
docs/src/content/docs/more-information/Resources.mdx Normal file
View File

@@ -0,0 +1,37 @@
---
title: mSCP Training & Resources
description: A resources reference.
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
Explore these curated resources to help you learn, implement, and get the most out of the macOS Security Compliance Project (mSCP).
---
## mSCP Presentations
- [Implementing MSCP using Jamf Pro (JNUC 2023)](https://www.youtube.com/watch?v=hCq4PbLX0Tc)
- [Using the NIST macOS Security Toolchain to Implement Security Benchmarks (JNUC 2022)](https://www.youtube.com/watch?v=0F2JhCJ_RaI)
- [macOS Security Compliance Project MacSysAdmin 2020](https://docs.macsysadmin.se/2020/video/Day2Session3.mp4)
- [macOS Security Compliance Project 2020 PSU MacAdmins Campfire Session](https://www.youtube.com/watch?v=mpEBEelSWlI&list=PLRUboZUQxbyUyqkH7BFaQGAR7x51olLNt&index=17)
---
## Apple Training
- [Developing your Mac Compliance Strategy](https://it-training.apple.com/tutorials/apt-deployment#developing-your-mac-compliance-strategy)
---
## Additional Tools & Tutorials
- [Jamf Compliance Editor](https://trusted.jamf.com/docs/establishing-compliance-baselines)
- [[Lesson 6] macOS Security Compliance Project Jamf 170 Course](https://youtu.be/pYDfrYQrfqc?si=BnJqQqbsRcYf7DNX)
- [Workspace ONE Tutorial: Enforcing mSCP Baselines](https://techzone.vmware.com/resource/enforcing-macos-security-compliance-project-baselines-workspace-one-operational-tutorial)
---
<aside>
Have a resource to suggest?
Open an issue or pull request on our [GitHub repository](https://github.com/usnistgov/macos_security) to help us keep this list up to date!
</aside>

76
docs/src/content/docs/more-information/Vendor-Attribution.mdx Normal file
View File

@@ -0,0 +1,76 @@
---
title: Vendor-Attribution
description: A vendor-attribution reference.
---
The following vendors have contributed to or implemented various portions of the macOS Security Compliance Project in their products.
Product and/or vendor acknowledgement does not constitute recommendation or endorsement by the National Institute of Standards and Technology.
---
## Apple Apple Professional Services
Apple Professional Services is a team within Apple that provides organizations with expert guidance, deployment planning, and technical implementation services for Apple products and solutions. They help customers design, deploy, and optimize Apple technology in enterprise and education environments, including security and compliance initiatives.
[Apple Professional Services](https://support.apple.com/guide/deployment/professional-services-services/web)
---
## Center for Internet Security CIS macOS Benchmark
> "By contributing our secure configuration expertise to the NIST macOS Security Compliance Project, we are supporting our mission in making the connected world a safer place by promoting timely, consistent macOS configuration security best practices which will help people, businesses, and governments better protect themselves against pervasive cyber threats."
> — Center for Internet Security (CIS)
[https://www.cisecurity.org/benchmark/apple_os](https://www.cisecurity.org/benchmark/apple_os)
---
## Jamf Jamf Compliance Editor
> "By implementing automated monitoring and enforcement of the compliance standards published by the NIST Special Publication 800-219 (macOS Security Compliance Project), Jamf easily helps organizations maintain OS compliance of the latest macOS releases according to industry recognized hardening benchmarks."
> — Jamf
[https://trusted.jamf.com/docs/establishing-compliance-baselines](https://trusted.jamf.com/docs/establishing-compliance-baselines)
---
## Mosyle Mosyle Business
> "macOS hardening & compliance is a foundational requirement for all organizations using Apple as they work to minimize risk. It would take countless labor hours if each company had to dissect the operating system and applications within their environment to achieve this goal. The excellent work by NIST macOS Security compliance project and other trusted standards provide frameworks and methodologies to alleviate the burden of individually identifying each setting and features “safe” configuration. As macOS increases in capabilities with each version, so does the library of controls these frameworks address. These public projects continue to grow in scale and value through the collaborative effort put forth by their authors. We rely on these resources to provide our customers with easy to implement, standards-based security controls for each entitys hardening and compliance needs."
> — Mosyle
[https://business.mosyle.com/solutions/macos/hardening](https://business.mosyle.com/solutions/macos/hardening)
---
## Tenable
> "Tenable, Inc. automated the conversion of https://github.com/usnistgov/macos_security YAML rules into the .audit format using Python and YAML libraries. Programmatically approaching this conversion allows for faster future releases, consistency, and maintaining the integrity of the source content. Because the YAML content is all command driven, this is converted to Tenables CMD_EXEC check type for use with the Unix plugin. The YAML rules have a “tags” section that was used to create unique audit profiles related to common frameworks."
> — Tenable
[https://www.tenable.com](https://www.tenable.com)
---
## Naval Information Warfare Center (NIWC) Atlantic SCAP Compliance Checker (SCC)
> "The SCC development team at NIWC Atlantic assisted in developing and troubleshooting SCAP content for the macOS Security Compliance Project. NIWC Atlantic tests the content using SCC, and bundles the content released by the macOS Security Compliance Project with SCC to promote security automation on MacOS."
[https://www.niwcatlantic.navy.mil/scap/](https://www.niwcatlantic.navy.mil/scap/)
---
## Qmulos
> "Qmulos Apple Compliance leverages the NIST macOS Security Compliance Project to bring secure configuration assessment data to our flagship product Q-Compliance, which is built on top of the leading big data platform, Splunk. Qmulos products provide the ability to continuously assess in near real-time and report against multiple frameworks like NIST 800-53, CMMC, CIS and many more. We are the only platform enabling Converged Continuous Compliance® enterprise wide."
[https://www.qmulos.com/qmulos-apple-compliance-enterprise-compliance-scanning-for-macos/](https://www.qmulos.com/qmulos-apple-compliance-enterprise-compliance-scanning-for-macos/)
---
## Addigy
> "Using the macOS Security Compliance Project, Addigy facilitates a seamless approach to implementing, monitoring, and enforcing the most recent CIS and NIST benchmarks. We ardently advocate for the notion that simplifying the journey toward device compliance is crucial in bolstering global security and mitigating cyber threats."
[https://support.addigy.com/hc/en-us/articles/11443879062931](https://support.addigy.com/hc/en-us/articles/11443879062931)

79
docs/src/content/docs/other/generate-mapping.mdx Normal file
View File

@@ -0,0 +1,79 @@
---
title: Generate Mapping
description: A generate-mapping reference.
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
The **generate mapping** script helps you quickly create custom rules and baselines for a compliance framework not published by the project. This is done by providing a CSV that maps controls from your framework (Column 1) to a supported framework (Column 2).
<Aside>
💡 <strong>Tip:</strong> This is useful when you need to align your organization's controls with industry standards.
</Aside>
## CSV Format
```csv
800-171r2,800-53r5
3.1.1,"AC-2, AC-3, AC-17"
3.1.2,"AC-2, AC-3, AC-17"
3.1.3,AC-4
3.1.4,AC-5
```
- **Column 1:** Your framework's control identifier (e.g., 800-171r2 3.1.1)
- **Column 2:** Supported framework controls (e.g., 800-53r5 AC-2)
<aside>
By default, the script maps to <strong>NIST SP 800-53r5</strong>. Use the <code>-f</code> option to map to another supported framework.
</aside>
## Generate Custom Rule Files
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
Run the script with your mapping CSV:
```shell
./scripts/generate_mapping.py ~/Desktop/171-to-53.csv
```
Example output:
```
Mapping CSV: /Users/mscp/Desktop/171-to-53.csv
Source compliance framework: 800-53r5
auth_pam_login_smartcard_enforce - 800-53r5 IA-2(1) maps to 800-171r2 3.5.3
auth_pam_login_smartcard_enforce - 800-53r5 IA-2(8) maps to 800-171r2 3.5.4
auth_smartcard_allow - 800-53r5 IA-2(1) maps to 800-171r2 3.5.3
auth_pam_sudo_smartcard_enforce - 800-53r5 IA-2(1) maps to 800-171r2 3.5.3
auth_pam_sudo_smartcard_enforce - 800-53r5 IA-2(8) maps to 800-171r2 3.5.4
auth_smartcard_enforce - 800-53r5 IA-2 maps to 800-171r2 3.5.1
...
sysprefs_improve_siri_dictation_disable - 800-53r5 AC-20 maps to 800-171r2 3.1.20
sysprefs_improve_siri_dictation_disable - 800-53r5 CM-7 maps to 800-171r2 3.4.6
sysprefs_improve_siri_dictation_disable - 800-53r5 CM-7(1) maps to 800-171r2 3.4.7
800-171r2.yaml baseline file created in build/800-171r2/baseline/
Move all of the folders in rules into the custom folder.
```
<FileTree>
- build/
- 800-171r2/
- baseline/
- 800-171r2.yaml
- rules/
- ... (move generated folders here into your custom folder)
</FileTree>
<Aside>
<strong>Note:</strong> Move all generated folders in <code>rules/</code> into your <code>custom</code> folder for further customization.
</Aside>
## Mapping to Other Frameworks
For frameworks such as **CIS Controls v8**, set the Column 2 header to `cis/controls v8` and use the same value with the `-f` option.
<aside>
Example: <code>./scripts/generate_mapping.py ~/Desktop/cis-mapping.csv -f "cis/controls v8"</code>
</aside>

111
docs/src/content/docs/other/generate-scap.mdx Normal file
View File

@@ -0,0 +1,111 @@
---
title: Generate SCAP
description: A generate-scap reference.
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
To generate SCAP, OVAL, or XCCDF documents, use the <code>generate_scap.py</code> script.
<Steps>
<ol>
<li>
<strong>List available baselines:</strong>
<br />
<code>./scripts/generate_scap.py -l</code>
</li>
<li>
<strong>Generate SCAP 1.3 document for all baselines:</strong>
<br />
<code>./scripts/generate_scap.py</code>
</li>
<li>
<strong>Generate only XCCDF or OVAL:</strong>
<br />
<code>./scripts/generate_scap.py -x</code> <em>(XCCDF)</em><br />
<code>./scripts/generate_scap.py -o</code> <em>(OVAL)</em>
</li>
<li>
<strong>Generate for a specific baseline:</strong>
<br />
<code>./scripts/generate_scap.py -b stig -x</code>
</li>
</ol>
</Steps>
<Aside type="note">
The script detects baselines as tags listed in rule files under <code>rules/</code> and <code>custom/</code> folders.
</Aside>
<FileTree>
<ul>
<li>
build/
<ul>
<li>[generated SCAP/XCCDF/OVAL files]</li>
</ul>
</li>
<li>
rules/
<ul>
<li>[rule files with baseline tags]</li>
</ul>
</li>
<li>
custom/
<ul>
<li>[custom rule files with baseline tags]</li>
</ul>
</li>
<li>
scripts/
<ul>
<li>generate_scap.py</li>
</ul>
</li>
</ul>
</FileTree>
**Example Output:**
```bash
➜ macos_security git:(sequoia) ./scripts/generate_scap.py
./scripts/generate_scap.py -l
800-171
800-53r4_high
800-53r4_low
800-53r4_moderate
800-53r5_high
800-53r5_low
800-53r5_moderate
800-53r5_privacy
cis_lvl1
cis_lvl2
cisv8
cnssi-1253
stig
➜ macos_security git:(ventura) ./scripts/generate_scap.py -b stig -x
```
This generates an XCCDF document in the <code>build</code> folder for just the <code>stig</code> baseline.
## SCAP References
[Security Content Automation Protocol (SCAP) 1.3](https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3)
<Aside type="note">
That page has links to most of the SCAP-related normative documents.
</Aside>
An SCAP data stream (typically) consists of several XML documents knit together in a containing XML document.
The component documents are:
- An XCCDF document
- An OVAL document referenced by the XCCDF document
- An OCIL document referenced by the XCCDF document
- A CPE dictionary document referenced by the XCCDF document
- An OVAL document referenced by the CPE dictionary document
[National Checklist Program for IT Products Guidelines for Checklist Users and Developers](https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final)
[National Checklist Program Repository](https://nvd.nist.gov/ncp/repository)

65
docs/src/content/docs/personalization/customize-rules.mdx Normal file
View File

@@ -0,0 +1,65 @@
---
title: Customizing Rules
description: A customization reference.
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
The project supports **modifying existing rules** and **adding new rules** to a baseline to meet your organization's requirements. Customizing a rule means changing the rule's content itself, while [tailoring](./Tailoring-rules) is about selecting which rules to include in a benchmark.
<Aside type="note">
For existing rules, only keep the fields you want to customize. This ensures your custom rules remain compatible as the project updates for future OS releases.
</Aside>
## Modifying an Existing Rule
<Steps>
1. **Copy** the existing rule file to the `custom` folder. The filename must remain the same.
2. **Remove** any fields that dont need to be modified.
3. **Edit** the fields to match your organizations requirements.
4. **Run** `generate_guidance.py`. The custom version of the rule will be included in the output.
</Steps>
**Example: Configure macOS to Use an Authorized Time Server**
```yaml
references:
custom:
MSCP:
- MSCP-OS-001
URL:
- https://developer.apple.com/documentation/devicemanagement/timeserver
Remediation Tool:
- MDM
```
---
## Adding a New Rule
<Steps>
1. **Create** a new `rules.yaml` file in the `custom` folder.
- If your rule uses a configuration profile payload not already in the project, add it to `supported_payloads.yaml` in the `includes` folder.
2. **Run** `generate_baseline.py` to add the new rule to your baseline.
3. **Run** `generate_guidance.py` against your customized baseline.
</Steps>
---
## Use Case: Informational Rules (No Check/Result/Fix)
If you want a custom rule that explains a control but does **not** include a check, result, or fix, add the `manual` tag. This ensures it does **not** appear in the compliance script.
**Example Rule (No Check/Result/Fix)**
```yaml
check: |
result: |
fix: |
tag:
- manual
```
---
*Customizing rules helps ensure your security baseline is both robust and tailored to your organization's needs.*
*Customizing rules helps ensure your security baseline is both robust and tailored to your organization's needs.*

51
docs/src/content/docs/personalization/exempting-rules.mdx Normal file
View File

@@ -0,0 +1,51 @@
---
title: Exemptions
description: A exemptions reference.
---
import { Steps, FileTree, Aside } from '@astrojs/starlight/components';
Exemptions allow you to mark certain rules as "approved exceptions" for your organization. Systems with exemptions are reported as compliant, even if the setting differs from the rules expected result.
> **Note:** The check will still be logged as a finding, but marking it as exempt allows reporting tools to exclude it from non-compliance.
---
## How Exemptions Work
Exemptions are set in the `org.{baseline}.audit.plist` file, which can be placed in `/Library/Preferences/org.{baseline}.audit.plist` or applied via a custom configuration profile.
---
## Setting an Exemption
<Steps>
1. **Set** `exempt` to `true` for the rule.
2. **Add** an `exempt_reason` describing why the exemption is needed.
</Steps>
**Example: Exempting `auth_smartcard_enforce`**
```sh
sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt bool true" /Library/Preferences/org.800-53r5_moderate.audit.plist
sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt_reason string 'Reader Issues'" /Library/Preferences/org.800-53r5_moderate.audit.plist
/usr/libexec/PlistBuddy -c "Print auth_smartcard_enforce" /Library/Preferences/org.800-53r5_moderate.audit.plist
```
**Result:**
```plaintext
Dict {
finding = true
exempt = true
exempt_reason = Reader Issues
}
```
---
<Aside type="note">
If `org.{baseline}.audit.plist` is not set, the script will default `exempt` to `false`.
</Aside>
*Exemptions help you document and manage approved exceptions in your compliance reporting.*
*Exemptions help you document and manage approved exceptions in your compliance reporting.*

79
docs/src/content/docs/personalization/tailoring-rules.mdx Normal file
View File

@@ -0,0 +1,79 @@
---
title: Tailoring
description: A tailoring reference.
---
import { Steps, FileTree } from '@astrojs/starlight/components';
The project makes it simple for organizations to construct a tailored benchmark whether starting from one of the NIST 800-53 control baselines, or customizing an already established benchmark. Tailoring a benchmark is different than customizing specific rules. See [Customization](https://github.com/usnistgov/macos_security/wiki/Customization) to learn more.
**Organization Defined Values**
Organization Defined Values, or ODVs, are values determined for controls that meet both the security and functional requirements in an organization. Benchmark authors, like DISA and CIS, provide these values for their respective published guidance. In the project, we include recommended values, as well as the defined values for the DISA STIG and CIS Benchmarks as part of the ODV field in the YAML.
## Tailoring a Benchmark
Running the `generate_baseline` script with the `-t` argument will step you through the tailoring process. The process will start by prompting for the following:
* Benchmark Name
* Authors Name
* Organization
```
➜ macos_security git:(sequoia) ./scripts/generate_baseline.py -k 800-53r5_moderate -t
Enter a name for your tailored benchmark or press Enter for the default value (800-53r5_moderate): MyOrgs_Benchmark
Enter your name: Allen Golbig
Enter your organization: MyOrg
The inclusion of any given rule is a risk-based decision (RBD). While each rule is mapped to an 800-53 control, deploying it in your organization should be part of the decision-making process.
You will be prompted to include each rule, and for those with specific organizational defined values (ODV), you will be prompted for those as well.
```
Once completed, you will be prompted whether or not to include each rule in your benchmark.
```
Would you like to include the rule for "audit_acls_files_configure" in your benchmark? [Y/n/all/?]:
```
**📌 NOTE**\
The `?` option will display additional details about the rule to help your organization decide if it meets your requirements.
If a rule contains an ODV, you will be prompted to assign a value that meets your organizations requirements.
```
Number of failed attempts.
Enter the ODV for "pwpolicy_account_lockout_enforce" or press Enter for the recommended value (3):
```
After the tailoring process is completed, a new YAML file will be created in `build/baselines`, and custom rules containing their ODV values will be created in `custom/rules/`. Now you can run the generate guidance script against that tailored benchmark.
```
./scripts/generate_guidance.py build/baselines/MyOrgs_Benchmark.yaml -p -s -x
```
## Tailored File Layout
When you provide custom ODV values during tailoring, the project creates a separate YAML file for each tailored rule. These files are saved in the following directory structure:
<FileTree>
- macos_security/
- custom/
- rules/
- *.yaml ---> Custom values you set if you used `-t`
</FileTree>
Here, `*` matches the ID of the rule you tailored.
### Tailored Rule File Structure
A tailored rule file contains only the custom ODV values you specified. For example:
```yaml
odv:
custom: 11
```
- The `odv` field contains a `custom` key with your organization's chosen value (in this example, `11`).
- This structure makes it easy to see and manage the specific ODV values set for each tailored rule.
All tailored rule files are stored in the `custom/rules/` directory, allowing you to track and update your organization's customizations as needed.
*This process helps ensure your security baseline is both robust and tailored to your organization's needs.*

50
docs/src/content/docs/reference/Baselines.md
View File

@@ -1,50 +0,0 @@
---
title: Baselines
description: A baselines reference.
---
# Baselines
Baseline files are used for the creation of the guide, scripts, and mobileconfig files. Each baseline defines the associated controls which are used to meet a given security profile.
**title**
A human-readable title for the baseline (e.g., "macOS 13 Security Configuration:NIST SP 800-53 Rev 5 High Impact Security Baseline").
**description**
A description of the baseline.
**authors**
A list of authors of the baseline file.
**profile**
* section - this relates to a section (as defined in the `sections` directory) to be used in generating a baseline guide.
* rules - the list of rules applied in the baseline which match the file name and ID of a corresponding rule.
**Example**
```
title: "Apple macOS 13 (Ventura) Test Baseline"
description: |
This guide describes the prudent actions to take when securing a macOS 12 system against the Test Baseline.
authors: |
|===
|John Smith|NIST
|Jack Doe|NIST
|===
profile:
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
```

8
docs/src/content/docs/reference/Includes.md
View File

@@ -1,8 +0,0 @@
---
title: Includes
description: A includes reference.
---
# Includes
The `includes` directory serves as a location for housing libraries which are used by the scripts to parse the information required to build validation scripts, mobileconfig files, and guide documents.

70
docs/src/content/docs/reference/Layout.md
View File

@@ -1,70 +0,0 @@
---
title: Layout
description: A layout reference.
---
# Directories
## Layout
```
baselines/ ---> Baseline profiles containing all the rules
build/ ---> Script output directory. Contains scripts, documents, and
mobileconfig files generated by scripts
custom/ ---> Custom rules and sections
includes/ ---> supporting files for build scripts
rules/ ---> Rules for securing the operating system; YAML content
with one rule per file
SCAP/ ---> Makefile, scripts, and required content for SCAP generation
scripts/ ---> Scripts to generate reports and configuration
sections/ ---> YAML configurations for sections in generating the guides
templates/ ---> AsciiDoc templates
```
### baselines
The baselines directory contains the defined baseline files for:
* NIST SP 800-53 rev5 Low, Moderate, and High
* NIST SP 800-171 Rev2
* DISA STIG
* CIS Level 1 & 2
* CIS Controls Version 8
* CMMC Level 1 & 2
* CNSSI 1253 Low, Moderate, and High
* indigo Base & High
* A baseline for all the rules in this repository
### build
The build directory is where generated outputs (eg documents, mobileconfig) will be saved.
### custom
The custom directory is used for creating tailored versions of the rules and sections files, to meet an organizations requirements. The YAML files placed within this folder will take priority when running generate_guidance.py.
**📌 NOTE**\
The filenames must remain the same as the original YAML filenames.
### includes
The includes directory contains YAML-based libraries required for currently developed scripts.
### rules
The rules directory includes the following categories of control settings for configuring the operating system:
* audit - configuration and enforcement of the OpenBSM settings.
* auth - configuration and enforcement of smartcard authentication.
* icloud - configuration of Apples iCloud/Apple ID service.
* os - rules to configure the operating system that are not defined within other categories of the rules directory.
* pwpolicy - configuration and enforcement of password policy.
* supplemental - additional information to support the guidance provided by the baselines.
* system_settings (sysprefs on macOS Monterey and older) - configuration and enforcement of settings controlled within the System Settings/System Preferences application.
### SCAP
The SCAP directory is where required Extensible Stylesheet Language Transformations(XSL) files are stored, along with the CPE oval and definition, and scripts to generate an SCAP document.
### scripts
The scripts directory is where scripts that will be used to create specific baselines are stored, along with the required files for them.
### sections
The sections directory is used to define the different sections that correlate to the different directories in the rules folder. The YAML files contain the name and descriptions as they will appear in the generated guide.
### templates
The templates directory includes AsciiDoc templates for generating an AsciiDoc guide.

118
docs/src/content/docs/reference/Rules.md
View File

@@ -1,118 +0,0 @@
---
title: Rules
description: A rules reference.
---
# Rules YAML Format
**id**
The id should match the file name, without the yaml file extension.
**title**
The title is a human-readable title of the rule.
**discussion**
The discussion should provide a concise description of the intended use of the rule.
**check**
Every rule will have a check. Most rules should be able to be validated and checked with a shell based check.
**result**
Expected results from the check.
**fix**
The fix will appear in a document when generated. If a fix includes `[source,bash]` the fix will be used for generating the script to enforce the rule.
**references**
The references include a CCE and a mapping of the security frameworks, guidance, and individual controls, which have been mapped to the rule.
**macos**
The version of macOS for which this rule is validated.
**odv**
Sets Organization Defined Values. If a rule falls under this designation, the odv section will/should be added. At a minimum this field should contain a hint (provides a description when tailoring a baseline) and a default value which replaces the $ODV variable.
**tags**
Tags are keywords used to categorize and identify related rules and can be added to or modified as needed. Tags can also be used to make index-based searching of the rules faster and easier.
**mobileconfig**
The `mobileconfig` and `mobileconfig_info` are related. If `mobileconfig` is set to "true", the information required for creating the mobileconfig configuration profile is required in the `mobileconfig_info` area.
## Example:
```
id: system_settings_screensaver_timeout_enforce
title: Enforce Screen Saver Timeout
discussion: |
The screen saver timeout _MUST_ be set to $ODV seconds or a shorter length of time.
This rule ensures that a full session lock is triggered within no more than $ODV seconds of inactivity.
check: |
/usr/bin/osascript -l JavaScript << EOS
function run() {
let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('idleTime'))
if ( timeout <= $ODV ) {
return("true")
} else {
return("false")
}
}
EOS
result:
string: 'true'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94390-2
cci:
- CCI-000057
800-53r5:
- AC-11
- IA-11
800-53r4:
- AC-11
srg:
- SRG-OS-000029-GPOS-00010
disa_stig:
- N/A
800-171r3:
- 03.01.10
- 03.05.01
cis:
benchmark:
- 2.10.1 (level 1)
controls v8:
- 4.3
cmmc:
- AC.L2-3.1.10
macOS:
- '15.0'
odv:
hint: Number of seconds.
recommended: 1200
cis_lvl1: 1200
cis_lvl2: 1200
stig: 900
tags:
- 800-53r5_moderate
- 800-53r5_high
- 800-53r5_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cis_lvl1
- cis_lvl2
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.screensaver:
idleTime: $ODV
```

98
docs/src/content/docs/reference/Scripts.md
View File

@@ -1,98 +0,0 @@
---
title: Scripts
description: A scripts reference.
---
## generate_guidance.py script
The generate_guidance script is used to generate the following:
* AsciiDoc document
* HTML guide from asciidoc
* PDF guide from asciidoc
* Configuration Profiles
* Compliance Script
* Excel Document
When running generate guidance, the first argument given must be the baseline desired to create the asciidoc, PDF, and HTML files.
```bash
python3 ./scripts/generate_guidance.py -h
usage: generate_guidance.py [-h] [-l LOGO] [-p] [-r REFERENCE] [-s] [-x] [-H HASH] baseline
Given a baseline, create guidance documents and files.
positional arguments:
baseline Baseline YAML file used to create the guide.
optional arguments:
-h, --help show this help message and exit
-l LOGO, --logo LOGO Full path to logo file to be included in the guide.
-p, --profiles Generate configuration profiles for the rules.
-r REFERENCE, --reference REFERENCE
Use the reference ID instead of rule ID for identification.
-s, --script Generate the compliance script for the rules.
-x, --xls Generate the excel (xls) document for the rules.
-H HASH, --hash HASH sign the configuration profiles with subject key ID (hash value without spaces)
```
**Example:**
```
python3 scripts/generate_guidance.py baselines/800-53r5_moderate.yaml
Profile YAML: baselines/800-53r5_moderate.yaml
Output path: /Users/mscp/src/macos_security/build/800-53r5_moderate/800-53r5_moderate.adoc
Generating HTML file from AsciiDoc...
Generating PDF file from AsciiDoc...
```
## generate_baseline.py
The generate baseline script creates a baseline.yaml which can be used for content generation. The output file can be found under `build/baselines`
```bash
python3 scripts/generate_baseline.py -h
usage: generate_baseline.py [-h] [-c] [-k KEYWORD] [-l] [-t]
Given a keyword tag, generate a generic baseline.yaml file containing rules with the tag.
optional arguments:
-h, --help show this help message and exit
-c, --controls Output the 800-53 controls covered by the rules.
-k KEYWORD, --keyword KEYWORD
Keyword tag to collect rules containing the tag.
-l, --list_tags List the available keyword tags to search for.
-t, --tailor Customize the baseline to your organizations values.
```
**📌 NOTE**\
If the script is called without any flags it will provide a list of all possible keywords.
**Example:**
```
python3 scripts/generate_baseline.py -k all_rules
```
## generate_scap.py
The generate oval script creates the OVAL checks required for SCAP generation.
```bash
usage: generate_scap.py [-h] [-x] [-o] [-l] [-b BASELINE]
Easily generate xccdf, oval, or scap datastream. If no option is defined, it will generate an scap datastream file.
optional arguments:
-h, --help show this help message and exit
-x, --xccdf Generate an xccdf file.
-o, --oval Generate an oval file of the checks.
-l, --list_tags List the available keyword tags to search for.
-b BASELINE, --baseline BASELINE
Choose a baseline to generate an xml file for, if none is specified it will generate for every rule found.
```
**Example:**
```
git checkout monterey
python3 scripts/generate_scap.py
builds an SCAP 1.3 document in build/macOS_12.0_Security_Compliance_Benchmark-Revision_3.xml
```

42
docs/src/content/docs/reference/Sections.md
View File

@@ -1,42 +0,0 @@
---
title: Sections
description: A sections reference.
---
# Sections
The `sections` directory contains YAML files that are used to define different sections of your guide.
**name**
This is the name of the section as it would appear in the guide.
**description**
The description of each section as it would appear in the guide.
## Sections Included
```
. auditing
. authentication
. icloud
. inherent
. macos
. not_applicable
. passwordpolicy
. permanent
. srg
. supplemental
. system_settings
. systempreferences
```
## Example:
```
name: "iCloud"
description: |
This section contains the configuration and enforcement of iCloud and the Apple ID service settings.
NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with with elevated privileges.
```

13
docs/src/content/docs/reference/more/FAQ.md
View File

@@ -1,13 +0,0 @@
---
title: FAQ
description: A faq reference.
---
# Frequently Asked Questions
1. Why create this project?
* Every year, a new version of the macOS is released by Apple. With each new version, security professionals and administrators spend months waiting for the release of a security baseline. By creating an open source, community-based method for generating baselines to match new versions of macOS, the timeline for releasing these baselines should be reduced.
2. Why are you using a command line based approach when a configuration profile is available?
* Some configuration profiles are set once, and do not enforce the setting. Therefore, the only way to be able to validate and enforce a setting is through a command line based approach.
3. Is a mac management system required to implement the controls defined in the YAML?
* No, but as the operating system matures, Apple has made it very clear that an MDM server will become required to properly secure and manage macOS.

25
docs/src/content/docs/reference/more/Resources.md
View File

@@ -1,25 +0,0 @@
---
title: Resources
description: A resources reference.
---
# mSCP Training and Resources
### mSCP Presentations
[Implementing MSCP using Jamf Pro | JNUC 2023](https://www.youtube.com/watch?v=hCq4PbLX0Tc)
[Using the NIST macOS Security Toolchain to Implement Security Benchmarks | JNUC 2022](https://www.youtube.com/watch?v=0F2JhCJ_RaI)
[macOS Security Compliance Project - MacSysAdmin 2020 ](https://docs.macsysadmin.se/2020/video/Day2Session3.mp4)
[macOS Security Compliance Project - 2020 PSU MacAdmins Campfire Session](https://www.youtube.com/watch?v=mpEBEelSWlI&list=PLRUboZUQxbyUyqkH7BFaQGAR7x51olLNt&index=17)
### Apple Training
[Developing your Mac Compliance Strategy](https://it-training.apple.com/tutorials/apt-deployment#developing-your-mac-compliance-strategy)
### Additional Resources
[Jamf Compliance Editor](https://trusted.jamf.com/docs/establishing-compliance-baselines)
[[Lesson 6\] macOS Security Compliance Project - Jamf 170 Course](https://youtu.be/pYDfrYQrfqc?si=BnJqQqbsRcYf7DNX)
[Workspace One Tutorial](https://techzone.vmware.com/resource/enforcing-macos-security-compliance-project-baselines-workspace-one-operational-tutorial)

54
docs/src/content/docs/reference/more/Vendor-Attribution.md
View File

@@ -1,54 +0,0 @@
---
title: Vendor-Attribution
description: A vendor-attribution reference.
---
The following vendors have contributed to or implemented various portions of the macOS Security Compliance Project in their products.
Product and/or vendor acknowledgement does not constitute recommendation or endorsement by the National Institute of Standards and Technology.
**Apple - Apple Professional Services**
[https://support.apple.com/guide/deployment/professional-services-services/web](https://support.apple.com/guide/deployment/professional-services-services/web)
**Center for Internet Security - CIS macOS Benchmark**
"By contributing our secure configuration expertise to the NIST macOS Security Compliance Project, we are supporting our mission in making the connected world a safer place by promoting timely, consistent macOS configuration security best practices which will help people, businesses, and governments better protect themselves against pervasive cyber threats." -- Center for Internet Security (CIS)
[https://www.cisecurity.org/benchmark/apple_os](https://www.cisecurity.org/benchmark/apple_os)
**Jamf - Jamf Compliance Editor**
"By implementing automated monitoring and enforcement of the compliance standards published by the NIST Special Publication 800-219 (macOS Security Compliance Project), Jamf easily helps organizations maintain OS compliance of the latest macOS releases according to industry recognized hardening benchmarks." -- Jamf
[https://trusted.jamf.com/docs/establishing-compliance-baselines](https://trusted.jamf.com/docs/establishing-compliance-baselines)
**Mosyle - Mosyle Business**
"macOS hardening & compliance is a foundational requirement for all organizations using Apple as they work to minimize risk. It would take countless labor hours if each company had to dissect the operating system and applications within their environment to achieve this goal. The excellent work by NIST macOS Security compliance project and other trusted standards provide frameworks and methodologies to alleviate the burden of individually identifying each setting and features “safe” configuration. As macOS increases in capabilities with each version, so does the library of controls these frameworks address. These public projects continue to grow in scale and value through the collaborative effort put forth by their authors. We rely on these resources to provide our customers with easy to implement, standards-based security controls for each entitys hardening and compliance needs." -- Mosyle
[https://business.mosyle.com/solutions/macos/hardening](https://business.mosyle.com/solutions/macos/hardening)
**Tenable**
"Tenable, Inc. automated the conversion of https://github.com/usnistgov/macos_security YAML rules into the .audit format using Python and YAML libraries. Programmatically approaching this conversion allows for faster future releases, consistency, and maintaining the integrity of the source content. Because the YAML content is all command driven, this is converted to Tenables CMD_EXEC check type for use with the Unix plugin. The YAML rules have a “tags” section that was used to create unique audit profiles related to common frameworks." -- Tenable
[https://www.tenable.com](https://www.tenable.com)
**Naval Information Warfare Center (NIWC) Atlantic: SCAP Compliance Checker (SCC)**
"The SCC development team at NIWC Atlantic assisted in developing and troubleshooting SCAP content for the macOS Security Compliance Project. NIWC Atlantic tests the content using SCC, and bundles the content released by the macOS Security Compliance Project with SCC to promote security automation on MacOS."
[https://www.niwcatlantic.navy.mil/scap/](https://www.niwcatlantic.navy.mil/scap/)
**Qmulos**
"Qmulos Apple Compliance leverages the NIST macOS Security Compliance Project to bring secure configuration assessment data to our flagship product Q-Compliance, which is built on top of the leading big data platform, Splunk. Qmulos products provide the ability to continuously assess in near real-time and report against multiple frameworks like NIST 800-53, CMMC, CIS and many more. We are the only platform enabling Converged Continuous Compliance® enterprise wide."
https://www.qmulos.com/qmulos-apple-compliance-enterprise-compliance-scanning-for-macos/
**Addigy**
"Using the macOS Security Compliance Project, Addigy facilitates a seamless approach to implementing, monitoring, and enforcing the most recent CIS and NIST benchmarks. We ardently advocate for the notion that simplifying the journey toward device compliance is crucial in bolstering global security and mitigating cyber threats."
https://support.addigy.com/hc/en-us/articles/11443879062931

17
docs/src/content/docs/repository/Includes-directory.mdx Normal file
View File

@@ -0,0 +1,17 @@
---
title: Includes
description: Reference for the includes directory.
---
The `includes/` directory contains reusable YAML libraries that support the repository's build scripts.
These libraries provide structured data and helper content used to:
- Build validation scripts
- Generate mobileconfig files
- Assemble guide documents
**Purpose:**
Centralize supporting YAML files so scripts can efficiently parse and reuse information across different outputs.
**Tip:**
Keep this directory organized and up-to-date to ensure all scripts have access to the latest supporting data.

83
docs/src/content/docs/repository/directory-layout.mdx Normal file
View File

@@ -0,0 +1,83 @@
---
title: Directory Layout
description: A layout reference.
---
import { FileTree } from '@astrojs/starlight/components';
## Repository Layout Overview
Below is a quick reference to the main directories in this repository and their purposes.
| Directory | Description |
| -------------- | -------------------------------------------------------------------------------------------- |
| `baselines/` | Baseline profiles containing all rules (e.g., NIST, CIS, DISA STIG, CMMC, CNSSI, indigo). |
| `build/` | Output directory for generated scripts, documents, and mobileconfig files. |
| `custom/` | Custom rules and sections for organization-specific requirements. |
| `includes/` | Supporting YAML libraries for build scripts. |
| `rules/` | YAML files, one per rule, for securing the operating system. |
| `SCAP/` | Makefile, scripts, and content for SCAP document generation. |
| `scripts/` | Scripts for generating reports, baselines, and configurations. |
| `sections/` | YAML configurations for guide sections, mapping to rule categories. |
| `templates/` | AsciiDoc templates for generating documentation guides. |
<FileTree>
- baselines/
- baseline.yaml
- build/
- custom/
- includes/
- rules/
- SCAP/
- scripts/
- sections/
- templates/
</FileTree>
---
## Directory Details
### `baselines/`
Contains baseline files for various standards and frameworks:
- NIST SP 800-53 rev5 (Low, Moderate, High)
- NIST SP 800-171 Rev2
- DISA STIG
- CIS Level 1 & 2
- CIS Controls Version 8
- CMMC Level 1 & 2
- CNSSI 1253 (Low, Moderate, High)
- indigo Base & High
- A comprehensive baseline for all repository rules
### `build/`
Stores all generated outputs, such as documents and mobileconfig files.
### `custom/`
For organization-specific customizations of rules and sections.
**Note:** Filenames must match the originals to override them during guide generation.
### `includes/`
YAML-based libraries and supporting files for build scripts.
### `rules/`
Contains individual YAML files for each rule, organized by category:
- **audit**: OpenBSM settings
- **auth**: Smartcard authentication
- **icloud**: Apple iCloud/Apple ID configuration
- **os**: General OS settings
- **pwpolicy**: Password policy enforcement
- **supplemental**: Additional supporting information
- **system_settings**: System Settings/Preferences configuration
### `SCAP/`
Resources for SCAP document generation, including XSL files, CPE OVAL/definitions, and scripts.
### `scripts/`
Scripts for generating reports, baselines, and configurations, plus required resources.
### `sections/`
YAML files defining guide sections, mapping to rule categories.
### `templates/`
AsciiDoc templates for generating documentation guides.

127
docs/src/content/docs/repository/rule-file-layout.mdx Normal file
View File

@@ -0,0 +1,127 @@
---
title: Rules File Layout
description: A rules reference.
---
A rule file defines a single security control for macOS. Each rule is written in YAML and should follow the structure below.
## Rule File Fields
### id
A unique identifier for the rule. This should match the filename (without the `.yaml` extension).
### title
A human-readable title for the rule.
### discussion
A concise description of the rule's intent and context.
### check
A shell-based or script-based check to validate compliance.
### result
The expected result from the check.
### fix
Remediation steps or configuration to enforce the rule. If a fix includes `[source,bash]`, it will be used for script generation.
### references
Mappings to CCEs, security frameworks, and controls relevant to the rule.
### macOS
The macOS versions for which this rule is validated.
### odv
(Optional) Organization Defined Values. If present, should include a hint and default/recommended values.
### tags
Keywords for categorizing and searching rules.
### severity
The severity level of the rule (e.g., low, medium, high).
### mobileconfig
Set to `true` if the rule can be enforced via a configuration profile.
### mobileconfig_info
Required if `mobileconfig` is `true`. Contains the configuration profile payload.
---
## Example Rule File
```yaml
id: system_settings_bluetooth_disable
title: Disable Bluetooth When no Approved Device is Connected
discussion: |
The macOS system _MUST_ be configured to disable Bluetooth unless there is an approved device connected.
[IMPORTANT]
====
Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
.objectForKey('DisableBluetooth').js
EOS
result:
string: 'true'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94352-2
cci:
- CCI-001967
- CCI-002418
800-53r5:
- AC-18
- SC-8
- AC-18(3)
800-53r4:
- AC-18(3)
- SC-8
srg:
- SRG-OS-000423-GPOS-00187
- SRG-OS-000481-GPOS-00481
- SRG-OS-000480-GPOS-00228
disa_stig:
- APPL-15-002062
800-171r2:
- 3.13.8
- N/A
800-171r3:
- 03.01.16
- 03.13.08
cis:
benchmark:
- N/A
controls v8:
- 4.8
- 12.6
- 13.9
cmmc:
- AC.L2-3.1.16
macOS:
- '15.0'
tags:
- 800-53r5_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cisv8
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
- cnssi-1253_moderate
severity: high
mobileconfig: true
mobileconfig_info:
com.apple.ManagedClient.preferences:
com.apple.MCXBluetooth:
DisableBluetooth: true
```

120
docs/src/content/docs/repository/script-arguments-list.mdx Normal file
View File

@@ -0,0 +1,120 @@
---
title: Scripts Arugments List
description: A scripts reference.
---
This page explains the main scripts used for generating content in this repository, including their arguments and usage examples.
---
## `generate_guidance.py`
Generates various outputs from a baseline YAML file:
- AsciiDoc document
- HTML guide (from AsciiDoc)
- PDF guide (from AsciiDoc)
- Configuration Profiles
- Compliance Script
- Excel Document
**Usage:**
```bash
python3 ./scripts/generate_guidance.py -h
usage: generate_guidance.py [-h] [-l LOGO] [-p] [-r REFERENCE] [-s] [-x] [-H HASH] baseline
Given a baseline, create guidance documents and files.
positional arguments:
baseline Baseline YAML file used to create the guide.
optional arguments:
-h, --help Show this help message and exit.
-l LOGO, --logo LOGO Full path to logo file to be included in the guide.
-p, --profiles Generate configuration profiles for the rules.
-r REFERENCE, --reference REFERENCE
Use the reference ID instead of rule ID for identification.
-s, --script Generate the compliance script for the rules.
-x, --xls Generate the Excel (xls) document for the rules.
-H HASH, --hash HASH Sign the configuration profiles with subject key ID (hash value without spaces)
```
<aside>
💡 <b>Tip:</b> The first argument must be the baseline YAML file you want to use.
</aside>
**Example:**
```bash
python3 scripts/generate_guidance.py baselines/800-53r5_moderate.yaml
# Output:
# Profile YAML: baselines/800-53r5_moderate.yaml
# Output path: /Users/mscp/src/macos_security/build/800-53r5_moderate/800-53r5_moderate.adoc
# Generating HTML file from AsciiDoc...
# Generating PDF file from AsciiDoc...
```
---
## `generate_baseline.py`
Creates a `baseline.yaml` file for content generation. The output is saved under `build/baselines`.
**Usage:**
```bash
python3 scripts/generate_baseline.py -h
usage: generate_baseline.py [-h] [-c] [-k KEYWORD] [-l] [-t]
Given a keyword tag, generate a generic baseline.yaml file containing rules with the tag.
optional arguments:
-h, --help Show this help message and exit.
-c, --controls Output the 800-53 controls covered by the rules.
-k KEYWORD, --keyword KEYWORD
Keyword tag to collect rules containing the tag.
-l, --list_tags List the available keyword tags to search for.
-t, --tailor Customize the baseline to your organization's values.
```
<aside>
📌 <b>Note:</b> If you run the script without any flags, it will list all possible keywords.
</aside>
**Example:**
```bash
python3 scripts/generate_baseline.py -k all_rules
```
---
## `generate_scap.py`
Creates OVAL checks and SCAP content for compliance automation.
**Usage:**
```bash
usage: generate_scap.py [-h] [-x] [-o] [-l] [-b BASELINE]
Easily generate xccdf, oval, or scap datastream. If no option is defined, it will generate a SCAP datastream file.
optional arguments:
-h, --help Show this help message and exit.
-x, --xccdf Generate an XCCDF file.
-o, --oval Generate an OVAL file of the checks.
-l, --list_tags List the available keyword tags to search for.
-b BASELINE, --baseline BASELINE
Choose a baseline to generate an XML file for. If none is specified, it will generate for every rule found.
```
**Example:**
```bash
git checkout monterey
python3 scripts/generate_scap.py
# Builds an SCAP 1.3 document in build/macOS_12.0_Security_Compliance_Benchmark-Revision_3.xml
```

46
docs/src/content/docs/repository/sections-file-layout.mdx Normal file
View File

@@ -0,0 +1,46 @@
---
title: Sections File Layout
description: A sections reference.
---
The `sections/` directory contains YAML files that define the major sections of your security guide. Each section file provides a name and a description, which are used to organize and present rules in generated documentation.
## Section File Structure
- **name**:
The display name of the section as it will appear in the guide.
- **description**:
A description of the section, shown in the guide for context.
## Example Section File
```yaml
name: "iCloud"
description: |
This section contains the configuration and enforcement of iCloud and the Apple ID service settings.
NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges.
```
## Common Sections
Below are typical section names you may find in this repository:
```
. auditing
. authentication
. icloud
. inherent
. macos
. not_applicable
. passwordpolicy
. permanent
. srg
. supplemental
. system_settings
. systempreferences
```
**Tip:**
Keep section names and descriptions clear and concise to ensure guides are easy to navigate and understand.

92
docs/src/content/docs/welcome/getting-started.mdx Normal file
View File

@@ -0,0 +1,92 @@
---
title: Getting Started
description: A getting-started reference.
---
import { Aside } from '@astrojs/starlight/components';
The macOS Security Compliance Project is developed and maintained on [GitHub](https://github.com/usnistgov/macos_security).
**Each branch of the repository contains the rules and resources specific to a particular macOS version.** To work with the project or run its workflows, there are some prerequisites you need to install first.
---
## Prerequisites
Before you begin, ensure you have the following installed on your system:
- **Git** (optional, only needed if you want to clone the repository instead of downloading files directly from GitHub)
[Download Git](https://git-scm.com/downloads) or use your system's package manager (see note below).
- **Python 3** (required for running the project scripts and generating files)
[Download Python](https://www.python.org/downloads/) or install via your package manager (see note below).
- Python modules:
- `pyyaml`
- `xlwt`
- These can be installed using `pip` after Python is set up.
For example:
```bash
pip3 install pyyaml xlwt --user
```
- **Ruby** (optional, only needed for working with certain documentation formats)
[Download Ruby](https://www.ruby-lang.org/en/downloads/) or install via your package manager (see note below).
- Gems:
- `asciidoctor`
- `asciidoctor-pdf`
- `rouge`
- These can be installed using `gem` or `bundle` after Ruby is set up.
---
## Downloading the Repository
You can obtain the project files in one of two ways:
- **Download directly from GitHub:**
Visit the [GitHub repository](https://github.com/usnistgov/macos_security), select the branch that matches your target OS version (e.g., `sequoia`) using the branch dropdown, then use the "Download ZIP" option.
<Aside type="caution">
*<strong>Always pull or checkout the branch that matches your target OS version (e.g., <code>sequoia</code>). Do not use the <code>main</code> branch for workflow or development.</strong>*
</Aside>
<small>*If you download the ZIP for the correct branch, you can [skip to Working with Project Files](#working-with-project-files).* </small>
**OR**
- **Clone using Git:**
```bash
git clone https://github.com/usnistgov/macos_security.git
cd macos_security
```
Then, continue below to select the correct branch.
---
## Selecting the Correct Branch
Before you begin working, select the repository branch that corresponds to the macOS version you intend to work with.
<Aside type="caution">
*<strong>Always pull or checkout the branch that matches your target OS version (e.g., <code>sequoia</code>). Do not use the <code>main</code> branch for workflow or development.</strong>*
</Aside>
To switch to the appropriate branch:
```bash
git checkout sequoia
```
---
## Working with Project Files
All the files you will work with are located in the `macos_security` folder. The contents of this folder are specific to the branch you have selected and include the tools and resources required to generate project outputs.
Within this folder, you can:
- Generate baselines
- Produce guidance documentation
- Create DDM and SCAP content
- Generate mappings and compliance scripts
- Make exemptions
- Customize and tailor the output content to your needs
For next steps, feel free to check out the [Quick Guide](/welcome/quick-guide/) for a quick overview, explore the Guides section of this website, or visit the project's [wiki](https://github.com/usnistgov/macos_security/wiki).

76
docs/src/content/docs/welcome/introduction.mdx Normal file
View File

@@ -0,0 +1,76 @@
---
title: Introduction
description: A macOS Security Compliance Project Overview.
---
import { Aside } from '@astrojs/starlight/components';
The **macOS Security Compliance Project** is an open source initiative providing a programmatic approach to generating security guidance for macOS. This project enables the creation of customized security baselines by leveraging a comprehensive library of rules mapped to compliance requirements from established security guides, or for developing custom guidance.
By mapping security-enhancing rules to existing guides and policies, this project supports multiple security frameworks and regulated industry policies. Documentation and QA are uniformly managed, simplifying and accelerating the annual update process through unified and standardized efforts.
---
## Why This Project?
- **Accelerate Adoption:** Ensure guidance is available for new OS/hardware releases.
- **Reduce Global Effort:** Unify and consolidate compliance work into a single project.
- **Foster Collaboration:** Develop methodologies to reduce overhead and redundancy among baseline authors.
- **Standardize Controls:** Unify the approach to setting security controls.
- **Inform Vendors:** Provide MDM/EMM/security/audit vendors and Apple with insight into customer hardening needs.
<Aside type="note">
<em>This project provides a programmatic approach to security policy and produces output content to be used <strong>in conjunction</strong> with management and security tools to achieve compliance.</em>
</Aside>
---
## Supported Publications
The project includes guidance from the following sources:
### Government Publications
- **NIST 800-53** ([link](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final))
- FISMA High
- FISMA Moderate
- FISMA Low
- **NIST 800-171** ([link](https://csrc.nist.gov/pubs/sp/800/171/r3/final))
- **DISA STIG** ([link](https://public.cyber.mil/stigs/downloads/))
- **CMMC 2.0** ([link](https://dodcio.defense.gov/CMMC/))
- **CNSSI-1253** ([link](https://www.dcsa.mil/portals/91/documents/ctp/nao/CNSSI_No1253.pdf))
- **indigo** ([link](https://www.bsi.bund.de/EN/Themen/Oeffentliche-Verwaltung/Zulassung/mobile_Kommunikation/mobileKommunikation_node.html#doc919528bodyText2))
- indigo Base (iOS Only)
- indigo High (iOS Only)
### Non-Governmental Standards
- **CIS Benchmarks** ([link](https://www.cisecurity.org/benchmark))
- **CIS Critical Security Controls v8** ([link](https://www.cisecurity.org/controls/v8/))
---
## Development Team
This project is a collaboration between federal IT Security staff and macOS Administrators, published by:
- [National Institute of Standards and Technology (NIST)](https://www.nist.gov)
- [National Aeronautics and Space Administration (NASA)](https://www.nasa.gov)
- [Defense Information Systems Agency (DISA)](https://www.disa.mil)
- [Los Alamos National Lab (LANL)](https://www.lanl.gov)
---
## Objective
To develop an extensible, modern approach to security guidance usable by any organization (Government, Enterprise, Education) needing to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads for use with modern management tools.
---
## Audience
- **System Administrators:** Generate baseline documentation, configuration profile payloads, and scripts.
- **Security Professionals:** Review reporting of applied controls against guidance.
- **Policy Authors:** Map policy metadata to a library of verified controls to create or update baselines.
- **MDM/EMM/Security/Compliance Tool Vendors:** Support configuration, verification, and reporting of security guidance and controls in products using trusted source material.
- **Privacy Officers:** Ensure adequate privacy controls are enabled for institutional organizations.

109
docs/src/content/docs/welcome/quick-guide.mdx Normal file
View File

@@ -0,0 +1,109 @@
---
title: Quick Guide
description: High-level overview for generating all project files.
tableOfContents: false
---
import { Steps, Aside } from '@astrojs/starlight/components';
If you're new to the project, start with this Quick Guide for a high-level overview of the workflow. After reviewing these steps, check out each step's corresponding "How To" section in the documentation menu. These sections explain in more detail what each step does, why it's important, and what outputs to expect.
This quick guide provides a high-level overview of the steps required to generate all files with the macOS Security Compliance Project.
<Aside type="note">
For details about each step, check out the corresponding menu item and the "What are..." section for that topic to understand its purpose and outputs.
</Aside>
<Steps>
<ol>
<li>
<strong>1. Prepare Your Environment</strong>
<ul>
<li>Ensure all <a href="/macos_security/welcome/getting-started/">prerequisites</a> are installed (Python, required modules, etc.).</li>
<li>Download or clone the repository.</li>
</ul>
<Aside type="note">
See <a href="/macos_security/welcome/getting-started/">Getting Started</a> for setup details.
</Aside>
</li>
<li>
<strong>2. Verify and Select the Correct Branch</strong>
<ul>
<li>Checkout the branch that matches your target OS version (e.g., <code>sequoia</code>).</li>
</ul>
<Aside type="caution">
<strong>*Always use the branch matching your target OS version. Do not use the <code>main</code> branch for workflow or development.*</strong>
</Aside>
</li>
<li>
<strong>3. Generate a Baseline</strong>
<ul>
<li>Use <a href="/macos_security/baselines/how-to-generate-baselines/">generate_baseline.py</a> to create a baseline YAML file for your compliance needs.</li>
<li><span style="display:inline-block;font-size:0.85em;font-weight:500;padding:0.1em 0.5em;border-radius:0.3em;background:var(--sl-color-bg-inline-code,#f5f5f5);color:var(--sl-color-text-accent,#0070f3);margin-left:0.5em;border:1px solid var(--sl-color-border,#eaeaea);">Optional</span> <a href="/macos_security/baselines/tailoring-a-baseline/">Tailor the baseline</a> to your organization using the <code>-t</code> flag.</li>
</ul>
<Aside type="note">
See <a href="/macos_security/baselines/how-to-generate-baselines/">How To Generate Baseline</a> for details.
</Aside>
</li>
<li>
<strong>4. Personalize: Customize Rules</strong> <span style="display:inline-block;font-size:0.85em;font-weight:500;padding:0.1em 0.5em;border-radius:0.3em;background:var(--sl-color-bg-inline-code,#f5f5f5);color:var(--sl-color-text-accent,#0070f3);margin-left:0.5em;border:1px solid var(--sl-color-border,#eaeaea);">Optional</span>
<ul>
<li><a href="/macos_security/personalization/customize-rules/">Customize rules</a> by modifying or adding rule YAML files in the <code>custom</code> folder as needed.</li>
</ul>
<Aside type="note">
See <a href="/macos_security/personalization/customize-rules/">Customization</a> for more information.
</Aside>
</li>
<li>
<strong>5. Generate Guidance Documentation</strong> <span style="display:inline-block;font-size:0.85em;font-weight:500;padding:0.1em 0.5em;border-radius:0.3em;background:var(--sl-color-bg-inline-code,#f5f5f5);color:var(--sl-color-text-accent,#0070f3);margin-left:0.5em;border:1px solid var(--sl-color-border,#eaeaea);">Optional</span>
<ul>
<li>Run <a href="/macos_security/guidance/how-to-generate-guidance/">generate_guidance.py</a> to create human-readable guidance (AsciiDoc, HTML, PDF, etc.).</li>
</ul>
<Aside type="note">
See <a href="/macos_security/guidance/how-to-generate-guidance/">How To Generate Guidance</a> for details.
</Aside>
</li>
<li>
<strong>6. Generate Configuration Profiles</strong>
<ul>
<li>Add the <code>-p</code> flag to <code>generate_guidance.py</code> to generate configuration profiles for supported rules.</li>
</ul>
<Aside type="note">
See <a href="/macos_security/configuration-profiles/how-to-generate-configuration-profiles/">How To Generate Configuration Profiles</a> for details.
</Aside>
</li>
<li>
<strong>7. Generate DDM Content</strong>
<ul>
<li>Add the <code>-D</code> flag to <code>generate_guidance.py</code> to generate Declarative Device Management (DDM) components.</li>
</ul>
<Aside type="note">
See <a href="/macos_security/ddm-components/how-to-generate-ddm-components/">How To Generate DDM Components</a> for details.
</Aside>
</li>
<li>
<strong>8. Generate Compliance Scripts</strong>
<ul>
<li>Add the <code>-s</code> flag to <code>generate_guidance.py</code> to generate a compliance script for automated checking and remediation.</li>
</ul>
<Aside type="note">
See <a href="/macos_security/compliance-scripts/how-to-generate-compliance-scripts/">How To Generate Compliance Scripts</a> for details.
</Aside>
</li>
<li>
<strong>9. Make Exemptions</strong> <span style="display:inline-block;font-size:0.85em;font-weight:500;padding:0.1em 0.5em;border-radius:0.3em;background:var(--sl-color-bg-inline-code,#f5f5f5);color:var(--sl-color-text-accent,#0070f3);margin-left:0.5em;border:1px solid var(--sl-color-border,#eaeaea);">Optional</span>
<ul>
<li>Customize or exempt specific rules as needed for your environment.</li>
</ul>
<Aside type="note">
See the <strong>exemptions</strong> folder or the project's wiki for customization options.
</Aside>
</li>
</ol>
</Steps>
<Aside type="tip">
<strong>Need help?</strong>
If you encounter issues, check the Guides section, review the <a href="/macos_security/more-information/faq/">FAQ</a>, or visit the project's <a href="https://github.com/usnistgov/macos_security/wiki">wiki</a> for troubleshooting and community support.
</Aside>

87
docs/src/styles/custom.css
View File

@@ -1,4 +1,4 @@
/* Color theme variables */
/* Light mode colors rgba(49, 100, 49, 1) */
:root {
--sl-color-accent: rgb(49, 100, 49);
@@ -6,9 +6,14 @@
/* Dark mode colors */
:root[data-theme='dark'] {
--sl-color-accent: rgb(49, 100, 49);
--sl-color-accent-high: #6ab549 !important;
}
/* ---------------------------------------------------------------------- */
/* This section contains custom styles for the NIST Header */
/* ---------------------------------------------------------------------- */
/* NIST header styles */
#nistheadergoeshere {
position: fixed;
top: 0;
@@ -18,15 +23,89 @@
width: 100%;
}
/* NIST footer styles */
#nistfootergoeshere {
position: relative;
z-index: 1000;
z-index: 0;
margin-top: 50px;
}
/* Custom header styles */
.header {
#position: fixed;
top: 40px;
left: 0;
width: 100%;
}
/* Do not apply .header styles if inside .expressive-code */
.expressive-code .header {
position: static !important;
top: unset !important;
left: unset !important;
width: unset !important;
}
/* Sidebar content - push down to avoid overlap with header */
.sidebar-content,
.right-sidebar-content,
.right-sidebar-panel {
margin-top: 45px;
}
/* Bring down the mobile TOC summary */
#starlight__on-this-page--mobile {
margin-top: 40px;
}
/* Bring the body down to avoid overlap with header */
body {
margin-top: 30px;
}
/* If sl-banner is present, increase body margin-top */
body:has(.sl-banner) {
margin-top: 40px;
}
/* Add extra scroll offset when clicking anchor links */
sl-anchor-link,
.sl-heading-wrapper,
.sl-heading-wrapper h1,
.sl-heading-wrapper h2,
.sl-heading-wrapper h3,
.sl-heading-wrapper h4,
.sl-heading-wrapper h5,
.sl-heading-wrapper h6 {
scroll-margin-top: 30px;
}
/* Only Apply the following style when in mobile view */
@media (max-width: 50rem) {
@layer starlight.core {
starlight-menu-button > button {
position: fixed;
/* Only adjust vertical position, do not change size */
top: calc((var(--sl-nav-height) - var(--sl-menu-button-size)) / 2 + 40px);
inset-inline-end: var(--sl-nav-pad-x);
z-index: var(--sl-z-index-navbar);
}
}
}
/* ---------------------------------------------------------------------- */
/* ---------------------------------------------------------------------- */
/* Site title transition and hover effect */
.site-title {
transition: transform 0.2s ease, color 0.2s ease;
}
.site-title:hover {
color: #6ab549; /* dark for light mode */
cursor: pointer;
transform: translateY(-4px);
}
:root[data-theme='dark'] .site-title:hover {
color: rgb(49, 100, 49); /* light for dark mode */
}

134
docs/src/styles/home_page.css Normal file
View File

@@ -0,0 +1,134 @@
/* Hero image and HTML container styles */
.hero img,
.hero > .hero-html {
object-fit: contain;
/* Responsive width and height */
width: min(90%, 32rem);
height: auto;
margin-inline: auto;
/* Initial rotation and scale */
transform: rotate(12deg) scale(1.05);
transition: all 0.3s;
}
/* Hover effect: stronger glow, increased brightness, and opposite rotation/scale */
.hero img:hover,
.hero > .hero-html:hover {
transform: rotate(-5deg) scale(1.12);
}
/* Light mode hero image color */
/* Applies a lighter green glow and increased brightness to hero images in light mode */
:root:not([data-theme='dark']) .hero img {
/* Lighter green glow for light mode */
filter: drop-shadow(0 0 16px #7ed957) brightness(1.1);
}
/* Dark mode hero image color */
/* Applies a deeper green glow and increased brightness to hero images in dark mode */
:root[data-theme='dark'] .hero img {
/* Deeper green glow for dark mode */
filter: drop-shadow(0 0 16px #236c2b) brightness(1.1);
}
/* Button colors: background always dark green, text adapts to mode */
/* Define CSS variables for hero button background and text color based on theme */
:root:not([data-theme='dark']) {
--hero-btn-bg: #236c2b; /* dark green background */
--hero-btn-color: #fff; /* lighter text for light mode */
}
:root[data-theme='dark'] {
--hero-btn-bg: #236c2b; /* dark green background */
--hero-btn-color: #fff; /* lighter text for dark mode */
}
/* Hero button styles */
/* Styles for hero section buttons, using theme variables for background and text color */
.hero .Button {
background: var(--hero-btn-bg, #7ed957); /* fallback to light green if variable not set */
color: var(--hero-btn-color, #222); /* fallback to dark text if variable not set */
border: none;
padding: 0.75em 1.5em;
border-radius: 0.5em;
font-weight: bold;
cursor: pointer;
transition: background 0.3s, color 0.3s;
}
/* Color flop on hover */
.hero .Button:hover {
background: var(--hero-btn-color, #222);
color: var(--hero-btn-bg, #7ed957);
}
/* Color flop for Starlight hero primary buttons (text only, works in both modes, custom color) */
.hero .sl-link-button.primary:hover {
color: var(--hero-primary-hover);
}
/* Color flop for Starlight hero secondary buttons (text only, works in both modes, custom color) */
.hero .sl-link-button.secondary:hover {
color: var(--hero-link-color);
}
/* Color flop for Starlight hero minimal buttons (text only, works in both modes) */
.hero .sl-link-button.minimal:hover {
color: var(--hero-link-color);
}
/* Stronger glow for minimal button hover in light mode only */
:root:not([data-theme='dark']) .hero .sl-link-button.minimal:hover {
text-shadow:
0 0 8px #fff,
0 0 16px #7ed957;
}
/* Custom button color for primary and secondary hero buttons */
.hero .sl-link-button.primary,
.hero .sl-link-button.secondary {
background: var(--hero-btn-bg);
color: var(--hero-btn-color);
border: none;
}
/* How-to link list styles */
.howto-link-list {
list-style: none;
padding: 0;
margin: 0;
}
.howto-link-list li {
border-bottom: 1px solid var(--sl-color-gray-6);
padding: 0.25rem 0;
margin: 0;
}
.howto-link-list li:last-child {
border-bottom: none;
}
.howto-link-list a {
display: flex;
justify-content: space-between;
align-items: center;
text-decoration: none;
}
.howto-link-list .arrow {
display: inline-block;
width: 1rem;
height: 1rem;
background-color: currentColor;
mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17.92 11.62a1.001 1.001 0 0 0-.21-.33l-5-5a1.003 1.003 0 1 0-1.42 1.42l3.3 3.29H7a1 1 0 0 0 0 2h7.59l-3.3 3.29a1.002 1.002 0 0 0 .325 1.639 1 1 0 0 0 1.095-.219l5-5a1 1 0 0 0 .21-.33 1 1 0 0 0 0-.76Z'%3E%3C/path%3E%3C/svg%3E");
-webkit-mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17.92 11.62a1.001 1.001 0 0 0-.21-.33l-5-5a1.003 1.003 0 1 0-1.42 1.42l3.3 3.29H7a1 1 0 0 0 0 2h7.59l-3.3 3.29a1.002 1.002 0 0 0 .325 1.639 1 1 0 0 0 1.095-.219l5-5a1 1 0 0 0 .21-.33 1 1 0 0 0 0-.76Z'%3E%3C/path%3E%3C/svg%3E");
mask-size: 100%;
-webkit-mask-size: 100%;
}
/* Responsive: shrink hero image on mobile screens and add padding */
@media (max-width: 600px) {
.hero img,
.hero > .hero-html {
width: 85vw;
max-width: 20rem;
padding: 1rem; /* Add padding for small screens */
padding-top: 3rem; /* Add extra space from the top */
}
}