
Tailoring a Baseline

Tailoring lets you customize a baseline to fit your organization’s specific needs. You can include or exclude rules and set organization-defined values like password length or screen lock timeout.


Consider tailoring when you need to:

  • Exclude rules that don’t apply to your environment
  • Set custom values for settings like password requirements or timeout periods
  • Document exceptions for rules your organization can’t implement
  • Create a named baseline specific to your organization

  1. Run the tailoring command

    ./scripts/generate_baseline.py -k BASELINE_NAME -t

    Example:

    ./scripts/generate_baseline.py -k 800-53r5_moderate -t
  2. Enter baseline information

    You’ll be prompted for:

    • Baseline name
    • Author name
    • Organization
  3. Select rules to include

    For each rule, choose whether to include it:

    Include "audit_acls_files_configure"? [Y/n/all/?]:
    Option  Action
    Y       Include this rule (default)
    n       Exclude this rule
    all     Include all remaining rules
    ?       Show rule details
  4. Set organization-defined values

    For rules that need custom values, enter your setting or press Enter for the default:

    Enter value for "pwpolicy_account_lockout_enforce"
    or press Enter for recommended (3):
  5. Find your files

    Your tailored baseline and custom values are saved:

    • macos_security/
      • build/
        • baselines/
          • YOUR_BASELINE.yaml - Tailored baseline
      • custom/
        • rules/
          • *.yaml - Custom ODV values

When you set a custom value, a YAML file is created in custom/rules/:

---
odv:
  custom: 5

This file overrides the default value for that rule. Your custom values are preserved and reused when you regenerate the baseline.
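
Because these overrides persist across regenerations, it helps to review them against what your organization has signed off on. The following is an added example, not part of the project's scripts: it reads each override file's `custom:` value nested under `odv:` and compares it with an approved record. It assumes each file is named after its rule ID, uses a deliberately narrow line-based parse rather than a YAML library, and the `approved` record and the `example_rule_*` names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def read_odv_custom(text):
    """Return odv.custom from one override file, or None.
    Narrow line-based parse of the odv/custom shape, not a full YAML parser."""
    in_odv = False
    for line in text.splitlines():
        if not line.strip() or line.strip() == "---" or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":              # top-level key: are we entering odv?
            in_odv = line.strip() == "odv:"
            continue
        m = re.match(r"\s+custom:\s*(\S.*?)\s*$", line)
        if in_odv and m:
            return m.group(1).strip("'\"")
    return None

def review_overrides(custom_rules_dir, approved):
    """Compare overrides on disk with an approved {rule_id: value} record."""
    findings, seen = [], set()
    for path in sorted(Path(custom_rules_dir).rglob("*.yaml")):
        rule_id = path.stem                   # assumption: file is named after the rule
        seen.add(rule_id)
        value = read_odv_custom(path.read_text())
        if value is None:
            findings.append((rule_id, "no odv.custom value (check nesting)"))
        elif rule_id not in approved:
            findings.append((rule_id, f"unapproved override: {value}"))
        elif str(approved[rule_id]) != value:
            findings.append((rule_id, f"on disk {value}, approved {approved[rule_id]}"))
    findings += [(r, "approved but missing on disk") for r in sorted(set(approved) - seen)]
    return findings

def demo():
    """Constructed sample tree; only the first rule ID appears on this page."""
    files = {
        "pwpolicy_account_lockout_enforce": "---\nodv:\n  custom: 5\n",
        "example_rule_unreviewed": "---\nodv:\n  custom: 900\n",
        "example_rule_flattened": "---\nodv:\ncustom: 5\n",   # custom not under odv
    }
    approved = {"pwpolicy_account_lockout_enforce": 5, "example_rule_removed": 15}
    with tempfile.TemporaryDirectory() as tmp:
        for rule_id, body in files.items():
            Path(tmp, f"{rule_id}.yaml").write_text(body)
        return review_overrides(tmp, approved)

if __name__ == "__main__":
    for rule_id, note in demo():
        print(f"{rule_id}: {note}")
```

To use it on a real checkout, call `review_overrides("custom/rules", approved)` with your own approved record.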


# Generate a tailored NIST 800-53 Moderate baseline
./scripts/generate_baseline.py -k 800-53r5_moderate -t
# Generate outputs from your tailored baseline
./scripts/generate_guidance.py -s -p build/baselines/my_org_baseline.yaml