Tailoring a baseline

Tailoring allows you to create a custom security baseline that fits your organization’s needs. The tailoring process lets you select which rules to include and set organization-defined values (ODVs) for controls that require them.

Directorymacos_security/
- Directoryscripts/
  - generate_baseline.py ---> Script to generate and tailor baselines

Follow these steps to tailor a baseline:

Start the Tailoring Script
- Run the script with the -t flag to begin tailoring:
  Terminal window
```
./macos_security/scripts/generate_baseline.py -k 800-53r5_moderate -t
```
  Replace 800-53r5_moderate with your desired baseline tag.
Enter Basic Information
- You will be prompted for:
  - Benchmark Name
  - Author’s Name
  - Organization
Select Rules to Include
- For each rule, you will be asked whether to include it in your tailored baseline:
```
Would you like to include the rule for "audit_acls_files_configure" in your benchmark? [Y/n/all/?]:
```
- Enter ? to see more details about a rule.
Set Organization Defined Values (ODVs)
- If a rule requires an ODV, you will be prompted to enter a value or accept the recommended default:
```
Number of failed attempts.
Enter the ODV for "pwpolicy_account_lockout_enforce" or press Enter for the recommended value (3):
```
Review Output Files
- After completing the prompts, the following files are created:

Directorymacos_security/
- Directorybuild/
  - Directorybaselines/
    YOUR_BENCHMARK.yaml ---> The tailored baseline file
- Directorycustom/
  - Directoryrules/
    *.yaml ---> Custom ODV values for tailored rules

Each tailored rule with a custom ODV will have a YAML file like:

odv:
  custom: 11

The odv.custom value reflects your organization’s choice for that rule.

Use these tailored files to generate guidance or further customize your security posture. For more details, see Customization.