Skip to content
mSCP

Tailoring

The project makes it simple for organizations to construct a tailored benchmark whether starting from one of the NIST 800-53 control baselines, or customizing an already established benchmark. Tailoring a benchmark is different than customizing specific rules. See Customization to learn more.

Organization Defined Values

Organization Defined Values, or ODVs, are values determined for controls that meet both the security and functional requirements in an organization. Benchmark authors, like DISA and CIS, provide these values for their respective published guidance. In the project, we include recommended values, as well as the defined values for the DISA STIG and CIS Benchmarks as part of the ODV field in the YAML.

Tailoring a Benchmark

Section titled “Tailoring a Benchmark”

Running the generate_baseline script with the -t argument will step you through the tailoring process. The process will start by prompting for the following:

  • Benchmark Name
  • Author’s Name
  • Organization
➜  macos_security git:(sequoia) ./scripts/generate_baseline.py -k 800-53r5_moderate -t
Enter a name for your tailored benchmark or press Enter for the default value (800-53r5_moderate): MyOrgs_Benchmark
Enter your name: Allen Golbig
Enter your organization: MyOrg
The inclusion of any given rule is a risk-based decision (RBD). While each rule is mapped to an 800-53 control, deploying it in your organization should be part of the decision-making process.
You will be prompted to include each rule, and for those with specific organizational defined values (ODV), you will be prompted for those as well.

Once completed, you will be prompted whether or not to include each rule in your benchmark.

Would you like to include the rule for "audit_acls_files_configure" in your benchmark? [Y/n/all/?]:

📌 NOTE
The ? option will display additional details about the rule to help your organization decide if it meets your requirements.

If a rule contains an ODV, you will be prompted to assign a value that meets your organization’s requirements.

Number of failed attempts.
Enter the ODV for "pwpolicy_account_lockout_enforce" or press Enter for the recommended value (3):

After the tailoring process is completed, a new YAML file will be created in build/baselines, and custom rules containing their ODV values will be created in custom/rules/. Now you can run the generate guidance script against that tailored benchmark.

./scripts/generate_guidance.py build/baselines/MyOrgs_Benchmark.yaml -p -s -x

Tailored File Layout

Section titled “Tailored File Layout”

When you provide custom ODV values during tailoring, the project creates a separate YAML file for each tailored rule. These files are saved in the following directory structure:

  • Directorymacos_security/
    • Directorycustom/
      • Directoryrules/
        • *.yaml ---> Custom values you set if you used -t

Here, * matches the ID of the rule you tailored.

Tailored Rule File Structure

Section titled “Tailored Rule File Structure”

A tailored rule file contains only the custom ODV values you specified. For example:

odv:
  custom: 11
  • The odv field contains a custom key with your organization’s chosen value (in this example, 11).
  • This structure makes it easy to see and manage the specific ODV values set for each tailored rule.

All tailored rule files are stored in the custom/rules/ directory, allowing you to track and update your organization’s customizations as needed.

This process helps ensure your security baseline is both robust and tailored to your organization’s needs.