
How to Generate Compliance Scripts

Compliance scripts are generated as part of the guidance output using the -s flag. The command reads your baseline and creates a zsh script ready for deployment.


  1. Run the command

    ./mscp.py guidance custom/baselines/BASELINE_NAME.yaml -s

    Example:

    ./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -s
  2. Find your files

    The -s flag generates the compliance script and audit plist. Guidance documents are also created by default.

    • build/
      • 800-53r5_moderate_macos_26.0/
        • 800-53r5_moderate_macos_26.0_compliance.sh (compliance script)
        • 800-53r5_moderate_macos_26.0.adoc (AsciiDoc guidance)
        • 800-53r5_moderate_macos_26.0.html (HTML guidance)
        • 800-53r5_moderate_macos_26.0.pdf (PDF guidance)
        • preferences/
          • org.800-53r5_moderate_macos_26.0.audit.plist

Run the compliance script with sudo for full access to system settings:

sudo ./build/800-53r5_moderate_macos_26.0/800-53r5_moderate_macos_26.0_compliance.sh

Flag             Description
(no flags)       Interactive menu mode
--check          Run compliance checks without interaction
--fix            Run remediation commands without interaction
--cfc            Run check, fix, check sequence
--stats          Display statistics from last scan
--compliant      Report number of compliant checks
--non_compliant  Report number of non-compliant checks
--reset          Clear results for current baseline
--reset-all      Clear results for all mSCP baselines

When executed, the script creates:

File         Location
Audit plist  /Library/Preferences/org.BASELINE_NAME.audit.plist
Log file     /Library/Logs/BASELINE_NAME_baseline.log
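
For fleet reporting, the audit plist written by a --check run can be parsed to list which rules failed. This is an added example, not code from mSCP or this page. It assumes a plist layout the page does not describe: one top-level key per rule ID holding a dict with a boolean "finding" (true means non-compliant), plus a "lastComplianceCheck" string. The function name and the sample data are constructed.

```python
import plistlib

# Assumed layout (not described on this page): one top-level key per rule ID,
# each a dict with a boolean "finding" (True = non-compliant), plus a
# "lastComplianceCheck" timestamp string.
def summarize_audit(plist_bytes):
    """Summarize an audit plist given its raw bytes (XML or binary)."""
    data = plistlib.loads(plist_bytes)
    failed, passed, unknown = [], [], []
    for key, value in data.items():
        if not isinstance(value, dict):
            continue  # metadata such as lastComplianceCheck
        finding = value.get("finding")
        if finding is True:
            failed.append(key)
        elif finding is False:
            passed.append(key)
        else:
            unknown.append(key)  # rule recorded without a usable result
    return {
        "last_check": data.get("lastComplianceCheck"),
        "failed": sorted(failed),
        "passed": sorted(passed),
        "unknown": sorted(unknown),
    }

# Constructed sample standing in for
# /Library/Preferences/org.BASELINE_NAME.audit.plist
SAMPLE = plistlib.dumps({
    "lastComplianceCheck": "Mon Jan  5 10:00:00 UTC 2026",
    "os_airdrop_disable": {"finding": False},
    "os_gatekeeper_enable": {"finding": True},
    "audit_auditd_enabled": {"finding": True},
    "os_sip_enable": {},  # no result recorded: treated as unknown, not as a pass
})

if __name__ == "__main__":
    report = summarize_audit(SAMPLE)
    print("last check:", report["last_check"])
    for rule in report["failed"]:
        print("NON-COMPLIANT", rule)
    for rule in report["unknown"]:
        print("NO RESULT", rule)
    # Non-zero exit lets a management tool flag the host.
    raise SystemExit(1 if report["failed"] or report["unknown"] else 0)
```

On a real host, pass the bytes of the audit plist in place of SAMPLE; a rule with no recorded result is reported separately so it is not counted as compliant.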