Getting to Know: macOS Security Compliance Project - Part 1

Last June, after months of collaboration, engineers from NIST, NASA, DISA, and LANL released the macOS Security Compliance Project (MSCP). The project is an open-source effort designed to provide a programmatic approach to generating security configuration guidance for macOS. The guidance provided by this project is available to any organization (e.g., government, enterprise, education) that is required to adhere to security compliance frameworks and policies. The objective of MSCP is to provide - in an easily accessible and tailorable manner - the necessary files that any Mac admin, security professional, policy author, privacy officer, or MDM/Compliance tool vendor would need to secure macOS.

MSCP currently supports the following US Federal published guides:

• NIST 800–53 (High, Moderate, and Low)
• NIST 800–171
• DISA STIG
• CNSSI 1253

All of the rule and baseline files are written in YAML. Python scripts are then used to parse the YAML and generate customized guides containing the rule files a given organization is required to implement.

This blog post will walk through the process of cloning the project and running the Python scripts so that you can generate all the files associated with a specific baseline.

Structure

The main folders of the project are:

• baselines - the files that contain all the rules and sections for the publications that are supported by the project
• build - all files that are generated by the project are output here - broken down by baselines
• custom - all files used for creating tailored versions of the rules and sections (to meet an organization’s specific requirements)
• rules - individual YAML content (used for securing the operating system)
• scripts - all scripts used by the project to generate all possible outputs for the chosen baseline

Getting Started

In order to begin, make sure that you’ve got Apple’s Command-Line tools installed. If you don’t, run the following:

xcode-select --install

Once the tools are installed, you can follow this gist to get your system ready to create guidance files. This post will use the Python3 that ships with the Apple’s Command-Line tools, but Python3 from any source will work.

Generating Guidance

Now that your system is configured, you are ready to generate some guidance. MSCP is designed to be easily adjusted, so it can remain up-to-date with macOS release cycles. Be sure to git checkout the version of macOS your organization is looking to configure, as that branch contains the most up-to-date version of the content you need .

The generate_guidance.py script allows you to choose what content is generated. If no arguments are passed, AsciiDoc, HTML, and PDF documents are created, by default.

Additional command-line arguments are available to create:

• -p Configuration Profiles (unsigned or signed) / custom preferences - upload into the MDM of your choice
• -x Excel spreadsheet - to hand over to auditors
• -s Compliance Script - audit your fleet and remediate settings not applied via a configuration profile

That’s it! Now you’re now ready to use MSCP to create one of the built-in baselines. In my next post, we’ll explore how to customize the content to meet your organization’s requirements.