How To Generate Compliance Scripts
The primary script for generating compliance scripts is located in the macos_security repository at:

```
macos_security/
  scripts/
    generate_guidance.py
```
Steps to Generate a Compliance Script

1. Run the Compliance Script Generator

   Use the `-s` flag with `generate_guidance.py` to generate a compliance script for your baseline YAML file:

   ```
   ./scripts/generate_guidance.py -s baselines/800-53r5_moderate.yaml
   ```

2. Review the Output

   The script will generate several files in the `build/BASELINE/` directory:

   ```
   build/
     800-53r5_moderate/
       800-53r5_moderate.adoc
       800-53r5_moderate.html
       800-53r5_moderate.pdf
       800-53r5_moderate_compliance.sh
       preferences/
         org.800-53r5_moderate.audit.plist
   ```
What Gets Generated?

- Compliance Script: `{baseline}_compliance.sh` - the main script to check and fix compliance.
- Audit Plist: `org.{baseline}.audit.plist` - used for exemptions and compliance tracking.
- Reports: `.adoc`, `.html`, `.pdf` - documentation and reports for the baseline.
Running the Compliance Script
You can run the script interactively or with command-line flags:

```
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh
```

This will present an interactive menu:

```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        M A I N - M E N U
  macOS Security Compliance Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Last compliance scan: No scans have been run

1. View Last Compliance Report
2. Run New Compliance Scan
3. Run Commands to remediate non-compliant settings
4. Exit

Enter choice [ 1 - 4 ]
```

Note: The `--cfc` flag will trigger a check/fix/check when running the compliance script.

After running, results are written to:

```
/Library/Preferences/org.{baseline}.audit.plist
/Library/Logs/{baseline}_baseline.log
```

Example log output:

```
Thu Jan 21 15:09:41 UTC 2021 auth_pam_login_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_allow passed (Result: 1, Expected: {integer: 1})
Thu Jan 21 15:09:41 UTC 2021 auth_pam_sudo_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_certificate_trust_enforce_moderate passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_enforce has an exemption (Reason: Broken Reader)
```
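To turn the baseline log into something a reviewer can act on, here is an added example (not part of mSCP or this page) that parses lines in the format shown above and lists every check that did not pass. The sample log reuses the five lines above plus one constructed "failed" line, whose wording is assumed to mirror the "passed" line.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Timestamp prefix as written by the compliance script, e.g. "Thu Jan 21 15:09:41 UTC 2021".
_TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4})"
_LINE_RE = re.compile(
    _TS + r" (?P<rule>\S+) (?:"
    r"(?P<status>passed|failed) \(Result: (?P<result>.*?), Expected: (?P<expected>.*?)\)"
    r"|has an exemption \(Reason: (?P<reason>.*)\))$"
)

@dataclass
class CheckResult:
    timestamp: str
    rule: str
    status: str                     # "passed", "failed" or "exempt"
    result: Optional[str] = None
    expected: Optional[str] = None
    reason: Optional[str] = None    # exemption reason, only when status == "exempt"

def parse_line(line: str) -> Optional[CheckResult]:
    """Parse one log line; return None for lines that are not check results."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["reason"] is not None:
        return CheckResult(g["ts"], g["rule"], "exempt", reason=g["reason"])
    return CheckResult(g["ts"], g["rule"], g["status"], g["result"], g["expected"])

def summarize(log_text: str):
    """Return (status counts, checks that did not pass) for a whole log file."""
    results = [r for r in map(parse_line, log_text.splitlines()) if r]
    counts = Counter(r.status for r in results)
    needs_attention = [r for r in results if r.status != "passed"]
    return counts, needs_attention

# Constructed sample: the five lines from the page plus one assumed "failed" line
# (the rule name and the "failed" wording are assumptions, not taken from the page).
SAMPLE_LOG = """\
Thu Jan 21 15:09:41 UTC 2021 auth_pam_login_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_allow passed (Result: 1, Expected: {integer: 1})
Thu Jan 21 15:09:41 UTC 2021 auth_pam_sudo_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_certificate_trust_enforce_moderate passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_enforce has an exemption (Reason: Broken Reader)
Thu Jan 21 15:09:42 UTC 2021 os_example_rule_constructed failed (Result: 0, Expected: {integer: 1})
"""
```

Calling `summarize(SAMPLE_LOG)` yields four passed, one exempt and one failed check, with the exempt and failed entries returned for follow-up; pointing it at `/Library/Logs/{baseline}_baseline.log` gives the same summary for a real scan.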
Compliance Script Command Line Reference
Note: The compliance script expects to be run in a Z Shell (zsh). Running it with `sh` or `bash` will result in errors.

```
./mscp_compliance.sh
Usage
./mscp_compliance.sh [--check] [--fix] [--cfc] [--stats] [--compliant] [--non_compliant] [--reset] [--reset-all] [--quiet=<value>]

Optional parameters:
--check         : run the compliance checks without interaction
--fix           : run the remediation commands without interaction
--cfc           : runs a check, fix, check without interaction
--stats         : display the statistics from last compliance check
--compliant     : reports the number of compliant checks
--non_compliant : reports the number of non_compliant checks
--reset         : clear out all results for current baseline
--reset-all     : clear out all results for ALL MSCP baselines
--quiet=<value> : 1 - show only failed and exempted checks in output
                  2 - show minimal output
```