mSCP 2.0 Beta

BETA

mSCP 2.0 is in active development
Available on the dev_2.0 branch. Not for production use.
All information is subject to change.

mSCP 2.0 is a major architectural evolution — a unified codebase that eliminates the need for separate branches per macOS version.


  • Unified Repository: One branch for all macOS versions — no more per-version branches.
  • Multi-Version Rules: Each rule contains configs for macOS 14, 15, 26+ in one file.
  • Organized References: References grouped by source: nist, disa, cis.
  • Simplified Setup: Just pip3 install -r requirements.txt to get started.

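|             | mSCP 1.0                   | mSCP 2.0                              |
|-------------|----------------------------|---------------------------------------|
| Repository  | Branch per macOS version   | Single unified branch                 |
| Rules       | One version per file       | All versions in one file              |
| References  | Flat (800-53r5, disa_stig) | Nested (nist.800-53r5, disa.disa_stig) |
| Maintenance | Update each branch         | Single source of truth                |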

The biggest change is how rules handle multiple macOS versions:

mSCP 1.0 — Separate file per version in each branch:

    macOS: ['15.0']
    references:
      cce: [CCE-94195-5]
      disa_stig: [APPL-15-002064]

mSCP 2.0 — All versions in one file:

    references:
      nist:
        cce:
          macos_26: [CCE-95195-4]
          macos_15: [CCE-94195-5]
          macos_14: [CCE-92795-4]
      disa:
        disa_stig:
          macos_26: [APPL-26-002064]
          macos_15: [APPL-15-002064]
          macos_14: [APPL-14-002064]
    platforms:
      macOS:
        '26.0':
          benchmarks:
            - name: disa_stig
              severity: high
        '15.0':
          benchmarks:
            - name: disa_stig
              severity: high
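
As an added example (not mSCP project code), the following projects the 2.0 sample rule above onto one macOS release to recover the flat 1.0-style view, and lists versions that carry reference IDs but have no platforms entry. The RULE dict is transcribed from the sample; the function names, the '15.0' to macos_15 key mapping and the treatment of unversioned reference lists are assumptions.

```python
# Constructed from the page's sample rule; not mSCP project code.
RULE = {
    "references": {
        "nist": {"cce": {"macos_26": ["CCE-95195-4"],
                         "macos_15": ["CCE-94195-5"],
                         "macos_14": ["CCE-92795-4"]}},
        "disa": {"disa_stig": {"macos_26": ["APPL-26-002064"],
                               "macos_15": ["APPL-15-002064"],
                               "macos_14": ["APPL-14-002064"]}},
    },
    "platforms": {"macOS": {
        "26.0": {"benchmarks": [{"name": "disa_stig", "severity": "high"}]},
        "15.0": {"benchmarks": [{"name": "disa_stig", "severity": "high"}]},
    }},
}


def version_key(os_version):
    """'15.0' -> 'macos_15' (assumed naming, inferred from the sample)."""
    return "macos_" + os_version.split(".")[0]


def flatten_for_version(rule, os_version):
    """Return the 1.0-style view of a 2.0 rule for one macOS version."""
    platform = rule.get("platforms", {}).get("macOS", {}).get(os_version)
    if platform is None:
        raise KeyError(f"rule does not apply to macOS {os_version}")
    key, flat_refs = version_key(os_version), {}
    for source in rule.get("references", {}).values():    # nist, disa, cis
        for ref_name, per_version in source.items():       # cce, disa_stig, ...
            if not isinstance(per_version, dict):           # assumed: unversioned list
                flat_refs[ref_name] = per_version
            elif key in per_version:
                flat_refs[ref_name] = per_version[key]
    return {"macOS": [os_version], "references": flat_refs,
            "benchmarks": platform.get("benchmarks", [])}


def reference_only_versions(rule):
    """Version keys that carry reference IDs but have no platforms entry."""
    applied = {version_key(v) for v in rule.get("platforms", {}).get("macOS", {})}
    referenced = {k for source in rule.get("references", {}).values()
                  for per_version in source.values()
                  if isinstance(per_version, dict) for k in per_version}
    return sorted(referenced - applied)


if __name__ == "__main__":
    print(flatten_for_version(RULE, "15.0"))
    print(reference_only_versions(RULE))
```

For the sample as shown on this page, macos_14 has CCE and STIG IDs but no '14.0' entry under platforms, so a compliance report generated for macOS 14 would not include the rule even though its references exist.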

macos_security/
├── config/
│   └── default/
│       ├── rules/              # Rule YAML files
│       │   ├── audit/
│       │   ├── auth/
│       │   ├── os/
│       │   ├── pwpolicy/
│       │   └── system_settings/
│       └── baselines/          # Baseline definitions
├── src/
│   └── mscp/                   # Python CLI package
│       ├── cli.py
│       ├── classes/
│       └── generate/
├── schema/                     # YAML schema definitions
├── rules → config/default/rules            # Symlink
├── baselines → config/default/baselines
└── custom/                     # User customizations

  1. Clone the dev_2.0 branch:

        git clone -b dev_2.0 https://github.com/usnistgov/macos_security.git
        cd macos_security

  2. Requires Python 3.12.1 or higher.

    Python packages (required):

        pip3 install -r requirements.txt

    Ruby gems (optional — only needed for PDF output):

        gem install asciidoctor asciidoctor-pdf rouge --user-install

    Want isolated installs?

    Python virtual environment:

        python3 -m venv .venv
        source .venv/bin/activate
        pip3 install -r requirements.txt
        deactivate # when done

  • Faster Updates — Rule changes apply to all versions at once
  • Less Maintenance — No branch synchronization headaches
  • Clear Version Support — See all supported versions in one file
  • Version Overrides — Different checks per macOS version when needed
  • Easier Contributions — Work in one branch, not many

Completed
  • Unified multi-version rule format
  • Restructured references (nist/disa/cis)
  • New directory layout
  • Python package setup
In Progress
  • Full feature parity with 1.0
  • CLI documentation
  • Migration guide
  • Production release