Skip to content

How To Generate Baselines

The primary script for generating baselines is located here in the macos_security repository:

  • Directorymacos_security/
    • Directoryscripts/ ---> Project scripts
      • generate_baseline.py ---> Script to generate baselines

Follow these steps to generate a baseline:

  1. Select or Download the Correct Branch

    • Make sure you are on the branch you want to work from.
    • If using git, run git checkout <branch-name> to switch branches if needed.
  2. Choose the Baseline to Generate

    • Identify the baseline you want to generate (e.g., CIS_lvl1, STIG, etc.).
    • Use the -l flag to list available baseline options for the selected branch:
      Terminal window
      ./macos_security-sequoia/scripts/generate_baseline.sh -l
  3. Generate the Selected Baseline

    • Use the -k flag with the selected tag to generate the baseline:

      Terminal window
      ./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderate

      This example generates a baseline for 800-53r5_moderate.

    • Use the -t flag to customize the baseline for your organization:

      Terminal window
      ./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderate -t

      If you use -t, you will be prompted with questions to tailor the baseline. See How to Tailor a Baseline for more details.

  4. Locate the Generated Files

    • After running the generation command, the baseline files are created in the following directories:
  • Directorymacos_security/
    • Directorybuild/
      • Directorybaselines/
        • BASELINENAME.yaml ---> The generated baseline file (name depends on your selection or customization)
    • Directorycustom/
      • Directoryrules/
        • *.yaml ---> Custom values you set if you used -t

These files are required to generate the guidance files.
For more information, see How to Tailor a Baseline or review the baseline file layout.