usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Set ODV values (and perhaps other things like excluded rules) non-interactively #105

New Issue
Closed
opened 2026-01-19 18:29:14 +00:00 by michael · 1 comment
michael commented 2026-01-19 18:29:14 +00:00
Owner
Copy Link

Originally created by @bernstei on GitHub.

The only was I see in the documentation (https://github.com/usnistgov/macos_security/wiki/Tailoring#tailoring-a-benchmark) to set ODVs is interactive, running generate_baseline.py with -t. I think it would be useful if those could be set without having to do it interactively (e.g. set an env VAR rule_name_ODV=... or something, or maybe a yaml dict with rule names as keys and ODV values as values). I guess that also applies to everything else that script asks about, e.g. excluding rules.

Originally created by @bernstei on GitHub. The only was I see in the documentation (https://github.com/usnistgov/macos_security/wiki/Tailoring#tailoring-a-benchmark) to set ODVs is interactive, running `generate_baseline.py` with `-t`. I think it would be useful if those could be set without having to do it interactively (e.g. set an env VAR `rule_name_ODV=...` or something, or maybe a yaml dict with rule names as keys and ODV values as values). I guess that also applies to everything else that script asks about, e.g. excluding rules.
michael commented 2026-01-19 18:29:15 +00:00
Author
Owner
Copy Link

@brodjieski commented on GitHub:

The process of selecting which rules are to be included and what the values to be used is a manual process and requires interaction. Once this process is complete, the generated documents and scripts include those values that were chosen during the testing and development of and orgs baseline. The scripts that subsequently run include the values chosen at the time that the baseline was generated, and they typically not changed during the course of operations.

We already have baselines with recommended values that are populated based on a chosen benchmark (housed within yaml files/dicts). If you'd like to customize those recommended values, then you could achieve a similar result to what you are describing. You can modify the yaml files, or create custom rules manually with the key/value pairs which will be picked up when you generate guidance. The generate_baseline.py script using -t just simplifies this process, but you can manually do that if you want.

@brodjieski commented on GitHub: The process of selecting which rules are to be included and what the values to be used is a manual process and requires interaction. Once this process is complete, the generated documents and scripts include those values that were chosen during the testing and development of and orgs baseline. The scripts that subsequently run include the values chosen at the time that the baseline was generated, and they typically not changed during the course of operations. We already have baselines with recommended values that are populated based on a chosen benchmark (housed within yaml files/dicts). If you'd like to customize those recommended values, then you could achieve a similar result to what you are describing. You can modify the yaml files, or create custom rules manually with the key/value pairs which will be picked up when you generate guidance. The `generate_baseline.py` script using `-t` just simplifies this process, but you can manually do that if you want.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#105
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?