NIST SP 800-219 macOS Security Compliance Project (mSCP) Guidance

Apple; baseline; configuration management; endpoint device security; macOS; macOS Security Compliance Project (mSCP); operating system security; security compliance.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-219-draft.pdf

This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-219-draft

Jamf Pro Extension Attributes for the mSCP (macOS Security Compliance project)
https://github.com/hardstriker/mSCP_EAs/blob/main/mSCP-FailedResultsList.xml

Checking out older versions

Per the project's Getting Started page: to work locally, first clone the repository and install the required Python 3 modules and Ruby gems:

Getting Started: from macOS Terminal
a. git clone https://github.com/usnistgov/macos_security.git
b. cd macos_security
c. pip3 install -r requirements.txt --user
d. bundle install

1. Older macOS Security releases from GitHub: this walkthrough uses Catalina Guidance Revision 6

[Screenshot: the git checkout of a100688 I am using to load the older Catalina STIG]

Follow these steps in Terminal.
Link to the legacy (updated) Catalina resources:
https://github.com/usnistgov/macos_security/releases/tag/catalina_rev6
1. Check out the Catalina commit so it replaces the current (Monterey) resources in your local working tree:
git checkout a100688

This leaves the repository at a detached HEAD. To keep working from that commit on a named branch, create one:
git switch -c a100688

Baseline(s)

Baseline files are used for the creation of the guide, scripts, and mobileconfig files. Each baseline defines the associated controls which are used to meet a given security profile.

2. Generate the STIG baseline:
If you want to create your own baseline or modify an existing one, generate_baseline.py in the scripts folder writes a {baseline}.yaml file containing all the rules that carry the given tag (baseline). This {baseline}.yaml is required as input to the generate_guidance.py script.

Run this for the STIG
sudo ./scripts/generate_baseline.py -k stig

generate_baseline.py usage

python3 scripts/generate_baseline.py -h
usage: generate_baseline.py [-h] [-c] [-k KEYWORD] [-l]

Given a keyword tag, generate a generic baseline.yaml file containing rules
with the tag.

optional arguments:
-h, --help show this help message and exit
-c, --controls Output the 800-53 controls covered by the rules.
-k KEYWORD, --keyword KEYWORD
Keyword tag to collect rules containing the tag.
-l, --list_tags List the available keyword tags to search for.

Link: https://github.com/usnistgov/macos_security/wiki/Baselines
--- EOF Baselines

Guidance

3. Generate STIG Mobile Configuration Profiles (-p)
sudo ./scripts/generate_guidance.py -p build/baselines/stig.yaml

Generate code-signed STIG Mobile Configuration Profiles (-p) (-H), passing the signing certificate's subject key ID as the hash value (no spaces; SUBJECT_KEY_ID below is a placeholder for your own value, since -H requires an argument):
sudo ./scripts/generate_guidance.py -p -H SUBJECT_KEY_ID build/baselines/stig.yaml

python3 ./scripts/generate_guidance.py -h
usage: generate_guidance.py [-h] [-l LOGO] [-p] [-r REFERENCE] [-s] [-x] [-H HASH] baseline

Given a baseline, create guidance documents and files.

positional arguments:
baseline Baseline YAML file used to create the guide.

optional arguments:
-h, --help show this help message and exit
-l LOGO, --logo LOGO Full path to logo file to be included in the guide.
-p, --profiles Generate configuration profiles for the rules.
-r REFERENCE, --reference REFERENCE
Use the reference ID instead of rule ID for identification.
-s, --script Generate the compliance script for the rules.
-x, --xls Generate the excel (xls) document for the rules.
-H HASH, --hash HASH sign the configuration profiles with subject key ID (hash value without spaces)

4. Generate STIG Guidance Script (-s)
sudo ./scripts/generate_guidance.py -s build/baselines/stig.yaml

The logo supplied with the macOS Security Compliance Project (mSCP) is a PNG (a raster-graphics format) and is large, 1024×1024 pixels. If you substitute your own, save it in the most widely compatible (legacy) PNG format your graphics program offers. I also had to experiment with reducing the sizes of the custom logos. To apply a new logo, pass -l followed by the path to your PNG file.

NOTE (variation): generate the STIG guidance script (-s) and the Excel file (-x) with a custom logo (-l) in one run:
a. ./scripts/generate_guidance.py -s -x -l "/Users/username_here/Library/Application Support/macos_security/templates/images/YOURLogo_logo.png" build/baselines/stig.yaml

5. Generate STIG Rules Export to Excel
sudo ./scripts/generate_guidance.py -x build/baselines/stig.yaml

Big Sur Guidance: (REPEAT STEPS 1-4 AFTER following this step)

https://github.com/usnistgov/macos_security/releases/tag/big_sur_rev5
git checkout 3903e57

Monterey Guidance: (REPEAT STEPS 1-4 AFTER following this step)

https://github.com/usnistgov/macos_security/releases/tag/big_sur_rev5
git checkout e8cdc49

Undo the checkout of the older Catalina commit from step 1 above (returns to the branch that was checked out before):
git switch -

Link:
https://github.com/usnistgov/macos_security/wiki

https://golbiga.medium.com/getting-to-know-macos-security-compliance-project-part-1-31d0689b7c30

Cloning an older version of a repository
https://stackoverflow.com/questions/12256137/cloning-an-older-version-of-github-repo

Previous releases
https://github.com/usnistgov/macos_security/releases

Instructions for Generating DISA STIG Guidance – Catalina rev6

1. Download https://github.com/usnistgov/macos_security/archive/refs/tags/catalina_rev6.zip
2. Save it to the Desktop, unzip it and change into the directory:
cd ~/Desktop/macos_security-catalina_rev6/

3. Generate a baseline
sudo ./scripts/generate_baseline.py -k stig
4. Generate Profiles
sudo ./scripts/generate_guidance.py -p build/baselines/stig.yaml
5. Generate guidance
sudo ./scripts/generate_guidance.py -s build/baselines/stig.yaml
6. Generate Excel guidance: Generate the excel (xls) document for the rules.
sudo ./scripts/generate_guidance.py -x build/baselines/stig.yaml

--------------------------------
IMPORTANT NOTES REGARDING editing the compliance script so it can be loaded into Jamf MDM
--------------
Remove everything after the line
echo "$(date -u) Remediation complete" >> "$audit_log"

}
(the closing brace of the last function in the generated script).
-----------------------------

Generate Oval Content

The generate_oval.py script creates the OVAL checks required for SCAP generation.

python3 scripts/generate_oval.py -h
usage: generate_oval.py [-h] baseline

Given a profile, create oval checks.

positional arguments:
baseline Baseline YAML file used to create the oval.

optional arguments:
-h, --help show this help message and exit

cd "/Users/USERFOLDER/Library/Application Support/macos_security"

Using it (the path contains a space, so it must be quoted):
python3 scripts/generate_oval.py baselines/DISA-STIG.yaml

python3 scripts/generate_jamf.py -j "/Users/edarnold/Library/Application Support/macos_security/baselines/DISA-STIG.yaml"

--- EOF Oval instructions

--- new code below

echo "$(date -u) Remediation complete" >> "$audit_log"

}
and add
case $4 in
    --check)
        check=0
        run_scan
        ;;
    --fix)
        fix=0
        run_fix
        ;;
    *)
        exit 0
        ;;
esac

--- check fix

Then, in the Jamf policy where you add the script, set the script parameter to --check or --fix.
--------------
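An added example (not code from the mSCP project or from this post) that carries the same idea one step further. Jamf Pro passes the mount point, computer name and user name as $1 to $3, so the first policy parameter arrives as $4; the dispatcher below fails with a non-zero status on an unexpected value instead of exiting 0, so a mistyped policy parameter is visible in the Jamf policy log. run_scan, run_fix, audit_log and the log path are stand-ins for the generated script's own functions and variables.

```shell
#!/bin/sh
# Example tail for the mSCP compliance script when run from a Jamf policy.
# Jamf convention: $1 mount point, $2 computer name, $3 user name, $4+ custom.

# Stand-in for the generated script's audit log variable (constructed path).
audit_log="${audit_log:-/tmp/mscp_example_audit.log}"

# Stand-ins for the generated script's scan and remediation functions.
run_scan() {
    echo "$(date -u) Scan requested (Jamf parameter: $1)" >> "$audit_log"
}

run_fix() {
    echo "$(date -u) Remediation complete" >> "$audit_log"
}

# Map the Jamf parameter to an action. Prints "scan" or "fix" and returns 0;
# prints "none" and returns 1 for anything else.
select_mode() {
    case "$1" in
        --check) echo "scan" ;;
        --fix)   echo "fix" ;;
        *)       echo "none"; return 1 ;;
    esac
}

# Dispatcher: replaces the post's "case $4 in" block. An unknown parameter
# returns 2 so the policy shows as failed rather than silently doing nothing.
main() {
    mode=$(select_mode "$4") || {
        echo "Unknown parameter '$4'; expected --check or --fix" >&2
        return 2
    }
    case "$mode" in
        scan) check=0; run_scan "$4" ;;   # check=0 as in the post's snippet
        fix)  fix=0;   run_fix "$4" ;;    # fix=0 as in the post's snippet
    esac
}

# Run the dispatcher only when invoked the way Jamf does (four or more args).
if [ "$#" -ge 4 ]; then
    main "$@"
    exit $?
fi
```

To try it locally without Jamf: sh script.sh /Volumes/Macintosh\ HD example-mac admin --check, then inspect /tmp/mscp_example_audit.log.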
