How To Generate Baselines
The primary script for generating baselines is located here in the macos_security
repository:
Directorymacos_security/
Directoryscripts/ ---> Project scripts
- generate_baseline.py ---> Script to generate baselines
Follow these steps to generate a baseline:
-
Select or Download the Correct Branch
- Make sure you are on the branch you want to work from.
- If using
git
, rungit checkout <branch-name>
to switch branches if needed.
-
Choose the Baseline to Generate
- Identify the baseline you want to generate (e.g., CIS_lvl1, STIG, etc.).
- Use the
-l
flag to list available baseline options for the selected branch:Terminal window ./macos_security-sequoia/scripts/generate_baseline.sh -l
-
Generate the Selected Baseline
-
Use the
-k
flag with the selected tag to generate the baseline:Terminal window ./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderateThis example generates a baseline for
800-53r5_moderate
. -
Use the
-t
flag to customize the baseline for your organization:Terminal window ./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderate -tIf you use
-t
, you will be prompted with questions to tailor the baseline. See How to Tailor a Baseline for more details.
-
-
Locate the Generated Files
- After running the generation command, the baseline files are created in the following directories:
Directorymacos_security/
Directorybuild/
Directorybaselines/
- BASELINENAME.yaml ---> The generated baseline file (name depends on your selection or customization)
Directorycustom/
Directoryrules/
- *.yaml ---> Custom values you set if you used
-t
- *.yaml ---> Custom values you set if you used
These files are required to generate the guidance files.
For more information, see How to Tailor a Baseline or review the baseline file layout.