How To Generate Baselines

The primary script for generating baselines is located here in the macos_security repository:

• Directorymacos_security/

  • Directoryscripts/ ---> Project scripts

    • generate_baseline.py ---> Script to generate baselines

Caution

Always use the branch matching your target OS version. Do not use the main branch for workflow or development.

Follow these steps to generate a baseline:

1. Select or Download the Correct Branch

   • Make sure you are on the branch you want to work from.
   • If using git, run git checkout <branch-name> to switch branches if needed.

2. Choose the Baseline to Generate

   • Identify the baseline you want to generate (e.g., CIS_lvl1, STIG, etc.).
   • Use the -l flag to list available baseline options for the selected branch:

     ./macos_security-sequoia/scripts/generate_baseline.sh -l

3. Generate the Selected Baseline

   • Use the -k flag with the selected tag to generate the baseline:

     ./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderate

     This example generates a baseline for 800-53r5_moderate.

   • Use the -t flag to customize the baseline for your organization:

     ./macos_security-sequoia/scripts/generate_baseline.sh -k 800-53r5_moderate -t

     If you use -t, you will be prompted with questions to tailor the baseline. See How to Tailor a Baseline for more details.

4. Locate the Generated Files

   • After running the generation command, the baseline files are created in the following directories:

• Directorymacos_security/

  • Directorybuild/

    • Directorybaselines/

      • BASELINENAME.yaml ---> The generated baseline file (name depends on your selection or customization)
  • Directorycustom/

    • Directoryrules/

      • *.yaml ---> Custom values you set if you used -t

These files are required to generate the guidance files.
For more information, see How to Tailor a Baseline or review the baseline file layout.