How to Generate Compliance Scripts
Compliance scripts are generated using the generate_guidance.py script with the -s flag. The script reads your baseline and creates a zsh script ready for deployment.
Generate a Compliance Script

1. Run the generation script:

```sh
./scripts/generate_guidance.py -s baselines/BASELINE_NAME.yaml
```

Example:

```sh
./scripts/generate_guidance.py -s baselines/800-53r5_moderate.yaml
```
2. Find your files

The -s flag generates the compliance script and audit plist. Guidance documents are also created by default.

```
build/
└── 800-53r5_moderate/
    ├── 800-53r5_moderate_compliance.sh   (compliance script)
    ├── 800-53r5_moderate.adoc            (AsciiDoc guidance)
    ├── 800-53r5_moderate.html            (HTML guidance)
    ├── 800-53r5_moderate.pdf             (PDF guidance)
    └── preferences/
        └── org.800-53r5_moderate.audit.plist
```
Running the Script

Run with sudo for full access to system settings:

```sh
sudo ./build/BASELINE_NAME/BASELINE_NAME_compliance.sh
```

| Flag | Description |
|---|---|
| (no flags) | Interactive menu mode |
| --check | Run compliance checks without interaction |
| --fix | Run remediation commands without interaction |
| --cfc | Run check, fix, check sequence |
| --stats | Display statistics from last scan |
| --compliant | Report number of compliant checks |
| --non_compliant | Report number of non-compliant checks |
| --reset | Clear results for current baseline |
| --reset-all | Clear results for all mSCP baselines |
Runtime Output

When executed, the script creates:

| File | Location |
|---|---|
| Audit plist | /Library/Preferences/org.BASELINE_NAME.audit.plist |
| Log file | /Library/Logs/BASELINE_NAME_baseline.log |
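Once a run has finished, the audit plist listed above can be read programmatically for fleet reporting instead of relying on the interactive --stats output. This added example is not part of the mSCP project or this page: it parses a constructed sample of that plist with Python; the per-rule layout (a `finding` boolean, optional `exempt` and `exempt_reason`, plus a top-level `lastComplianceCheck` string) is an assumption based on mSCP's generated scripts, and leaving exempt rules out of the compliance percentage is this example's own choice.

```python
import plistlib
from collections import Counter

# Constructed sample of /Library/Preferences/org.BASELINE_NAME.audit.plist.
# Assumed layout (from mSCP's generated scripts): "lastComplianceCheck" plus
# one dict per rule id with a boolean "finding" (True = non-compliant) and,
# for exempted rules, "exempt" / "exempt_reason".
SAMPLE_AUDIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>lastComplianceCheck</key><string>Mon Jan 1 09:00:00 UTC 2024</string>
  <key>os_sip_enable</key>
  <dict><key>finding</key><false/></dict>
  <key>os_firewall_enable</key>
  <dict><key>finding</key><true/></dict>
  <key>os_gatekeeper_enable</key>
  <dict><key>finding</key><true/><key>exempt</key><true/>
        <key>exempt_reason</key><string>developer workstation</string></dict>
</dict>
</plist>
"""

def load_rule_results(data: bytes) -> dict:
    """Keep only the per-rule dicts; scalar keys such as lastComplianceCheck are dropped."""
    plist = plistlib.loads(data)
    return {rule: rec for rule, rec in plist.items() if isinstance(rec, dict)}

def summarize(results: dict) -> dict:
    """Count rules as a fleet report would: exempt rules are listed, not scored."""
    counts = Counter(compliant=0, non_compliant=0, exempt=0)
    for rec in results.values():
        if rec.get("exempt"):
            counts["exempt"] += 1
        elif rec.get("finding"):
            counts["non_compliant"] += 1
        else:
            counts["compliant"] += 1
    scored = counts["compliant"] + counts["non_compliant"]
    pct = round(100 * counts["compliant"] / scored, 1) if scored else 0.0
    return {**counts, "percent_compliant": pct}

def failing_rules(results: dict) -> list:
    """Rule ids with an open finding and no exemption, sorted for stable diffs."""
    return sorted(rule for rule, rec in results.items()
                  if rec.get("finding") and not rec.get("exempt"))
```

On a real host, replace SAMPLE_AUDIT_PLIST with the bytes of the audit plist for your baseline; reading it requires the same elevated access the compliance script itself needs.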
Next Steps

- Compliance Script Layout - Understand the script structure
- What Are Compliance Scripts? - Learn more about compliance scripts