Baseline File Layout

A baseline file is a YAML document that defines which security rules apply to a specific compliance framework. Understanding the structure helps you customize baselines or create your own.

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

Tip

You don’t need to create baseline files manually. The ./mscp.py baseline command creates them for you. This page is for understanding what’s inside.

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Tip

You don’t need to create baseline files manually. The generate_baseline.py script creates them for you. This page is for understanding what’s inside.

---

File Structure Overview

Field	Purpose	Version
title	Human-readable name for the baseline	Both
description	Brief summary of the baseline’s purpose	Both
authors	List of contributors and their organizations	Both
parent_values	Default configuration level for organization-defined values	Both
platform	Target OS and version	2.0 only
profile	Sections and rules that make up the baseline	Both

---

Field Details

title

The display name shown in generated documentation.

title: "macOS 15 (Sequoia): NIST 800-53r5 Moderate"

description

A summary that appears at the top of generated guides. Use the | character for multi-line text.

description: |
  This guide describes the actions to take when
  securing a macOS 15 system against the NIST
  800-53 Rev 5 Moderate baseline.

authors

Contributors who appear in generated documentation.

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

authors:
  - name: John Smith
    organization: NIST
  - name: Jane Doe
    organization: NASA

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Listed in AsciiDoc table format:

authors: |
  |===
  |Name|Organization
  |John Smith|NIST
  |Jane Doe|NASA
  |===

parent_values

Sets the default configuration level for organization-defined values (ODVs). Common values include recommended, cis_lvl1, or cis_lvl2.

parent_values: "recommended"

Note

Organization-defined values are settings like password length or screen lock timeout that vary by organization. This field sets the default values to use.

platform (mSCP 2.0 only)

Specifies the target operating system and version. This field is not present in mSCP 1.0 baselines.

platform:
  macOS:
    os_version: "26.0"

profile

The core of the baseline. Organizes rules into sections for the generated documentation.

• section — Category name (matches files in the sections/ folder)
• rules — List of rule IDs (matches files in the rules/ folder)

profile:
  - section: "Authentication"
    rules:
      - auth_pam_login_smartcard_enforce
      - auth_pam_su_smartcard_enforce
      - auth_smartcard_allow
  - section: "Auditing"
    rules:
      - audit_acls_files_configure
      - audit_acls_files_mode_configure

---

Complete Example

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

title: "macOS 26 (Tahoe): NIST 800-53r5 Moderate"
description: |
  This guide describes the actions to take when securing
  a macOS 26 system against the NIST 800-53 Rev 5 Moderate baseline.
authors:
  - name: John Smith
    organization: NIST
  - name: Jane Doe
    organization: NASA
parent_values: "recommended"
platform:
  macOS:
    os_version: "26.0"
profile:
  - section: "Auditing"
    rules:
      - audit_acls_files_configure
      - audit_acls_files_mode_configure
  - section: "Authentication"
    rules:
      - auth_pam_login_smartcard_enforce
      - auth_pam_su_smartcard_enforce
      - auth_smartcard_allow
  - section: "System Settings"
    rules:
      - system_settings_firewall_enable
      - system_settings_gatekeeper_enable

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

title: "macOS 15 (Sequoia): NIST 800-53r5 Moderate"
description: |
  This guide describes the actions to take when securing
  a macOS 15 system against the NIST 800-53 Rev 5 Moderate baseline.
authors: |
  |===
  |Name|Organization
  |John Smith|NIST
  |Jane Doe|NASA
  |===
parent_values: "recommended"
profile:
  - section: "Authentication"
    rules:
      - auth_pam_login_smartcard_enforce
      - auth_pam_su_smartcard_enforce
      - auth_smartcard_allow
  - section: "Auditing"
    rules:
      - audit_acls_files_configure
      - audit_acls_files_mode_configure
  - section: "System Settings"
    rules:
      - system_settings_firewall_enable
      - system_settings_gatekeeper_enable

---

Next Steps

• How to Generate Baselines — Create a baseline from a framework
• Tailoring a Baseline — Customize rules and values