# Rule File Layout

A rule file defines a single security control for macOS. Each rule is written in YAML and must follow the structure below.
## Required Fields

| Field | Description |
|---|---|
| id | Unique identifier matching the filename (without .yaml) |
| title | Human-readable title for the rule |
| discussion | Description of the rule's intent and context |
| check | Shell command or script to validate compliance |
| result | Expected result from the check |
| fix | Remediation steps or configuration to enforce the rule |
| tags | Keywords for categorizing and filtering rules |
## Optional Fields

| Field | Description |
|---|---|
| references | Mappings to CCEs, security frameworks, and controls |
| macOS | macOS versions this rule is validated for |
| odv | Organization Defined Values with hint and defaults |
| severity | Severity level (low, medium, high) |
| mobileconfig | Set to true if enforceable via configuration profile |
| mobileconfig_info | Configuration profile payload (required if mobileconfig is true) |
| ddm_info | DDM configuration declaration (for DDM-supported settings) |
## References Structure

The references field maps to various compliance frameworks:

| Key | Framework |
|---|---|
| cce | Common Configuration Enumeration |
| cci | Control Correlation Identifier |
| 800-53r5 | NIST SP 800-53 Rev 5 |
| 800-53r4 | NIST SP 800-53 Rev 4 |
| 800-171r3 | NIST SP 800-171 Rev 3 |
| srg | Security Requirements Guide |
| disa_stig | DISA STIG identifiers |
| cis | CIS Benchmarks and Controls |
| cmmc | CMMC level mappings |
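The field tables above describe a contract that is easy to get subtly wrong in a hand-written rule (a missing required key, `mobileconfig: true` without its payload, an `id` that drifts from the filename, an unknown references key). As an added example, not part of the project's own tooling, the Python below validates an already-parsed rule dictionary against those rules and compares the output of a `check` with the declared `result`. It assumes the rule has been loaded with `yaml.safe_load` (PyYAML is not imported so the example runs offline), and the `integer:` result form handled in `check_passes` is an assumption beyond the `string:` form shown on this page.

```python
"""Validator for mSCP-style rule dictionaries (added example, not project code)."""

REQUIRED_FIELDS = {"id", "title", "discussion", "check", "result", "fix", "tags"}
OPTIONAL_FIELDS = {"references", "macOS", "odv", "severity", "mobileconfig",
                   "mobileconfig_info", "ddm_info"}
REFERENCE_KEYS = {"cce", "cci", "800-53r5", "800-53r4", "800-171r3", "srg",
                  "disa_stig", "cis", "cmmc"}
SEVERITIES = {"low", "medium", "high"}


def validate_rule(rule: dict, filename: str) -> list[str]:
    """Return a list of problems found; an empty list means the rule is well-formed."""
    problems = []
    keys = set(rule)
    for field in sorted(REQUIRED_FIELDS - keys):
        problems.append(f"missing required field: {field}")
    for field in sorted(keys - REQUIRED_FIELDS - OPTIONAL_FIELDS):
        problems.append(f"unknown field: {field}")
    # The id must match the filename without its .yaml extension.
    stem = filename.rsplit("/", 1)[-1].removesuffix(".yaml")
    if rule.get("id") != stem:
        problems.append(f"id {rule.get('id')!r} does not match filename stem {stem!r}")
    # result is a mapping with exactly one expected value, e.g. {"string": "true"}.
    result = rule.get("result")
    if not isinstance(result, dict) or len(result) != 1:
        problems.append("result must be a mapping with exactly one expected value")
    # mobileconfig_info is required whenever mobileconfig is true.
    if rule.get("mobileconfig") is True and "mobileconfig_info" not in rule:
        problems.append("mobileconfig is true but mobileconfig_info is absent")
    if "severity" in rule and rule["severity"] not in SEVERITIES:
        problems.append(f"severity must be one of {sorted(SEVERITIES)}")
    for key in rule.get("references", {}):
        if key not in REFERENCE_KEYS:
            problems.append(f"unknown references key: {key}")
    if not isinstance(rule.get("tags"), list) or not rule.get("tags"):
        problems.append("tags must be a non-empty list")
    return problems


def check_passes(rule: dict, actual_output: str) -> bool:
    """Compare the trimmed output of the check command with the declared result.

    `string` is the form shown in the rule example; `integer` is an assumed
    additional form and is compared numerically.
    """
    (kind, expected), = rule["result"].items()
    actual = actual_output.strip()
    if kind == "string":
        return actual == str(expected)
    if kind == "integer":
        return actual.lstrip("-").isdigit() and int(actual) == int(expected)
    raise ValueError(f"unsupported result type: {kind}")


# Constructed sample mirroring the Bluetooth rule on this page, as yaml.safe_load
# would return it (the quoted 'true' in YAML is a string, not a boolean).
SAMPLE_RULE = {
    "id": "system_settings_bluetooth_disable",
    "title": "Disable Bluetooth When no Approved Device is Connected",
    "discussion": "The macOS system _MUST_ be configured to disable Bluetooth "
                  "unless there is an approved device connected.\n",
    "check": "/usr/bin/osascript -l JavaScript << EOS\n"
             "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\\\n"
             ".objectForKey('DisableBluetooth').js\nEOS\n",
    "result": {"string": "true"},
    "fix": "This is implemented by a Configuration Profile.\n",
    "references": {"cce": ["CCE-94352-2"], "800-53r5": ["AC-18", "SC-8"],
                   "disa_stig": ["APPL-15-002062"]},
    "macOS": ["15.0"],
    "tags": ["800-53r5_moderate", "800-53r5_high", "stig"],
    "severity": "high",
    "mobileconfig": True,
    "mobileconfig_info": {"com.apple.ManagedClient.preferences": {
        "com.apple.MCXBluetooth": {"DisableBluetooth": True}}},
}


if __name__ == "__main__":
    for problem in validate_rule(SAMPLE_RULE, "rules/system_settings_bluetooth_disable.yaml"):
        print("PROBLEM:", problem)
    # Output captured from running the check on a host would be passed here.
    print("compliant:", check_passes(SAMPLE_RULE, "true\n"))
```

`validate_rule` deliberately reports every problem rather than stopping at the first, which is what you want when linting a whole rules directory in CI; pair it with a loop over `*.yaml` files that passes each path as `filename` so the id/filename check is meaningful.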
## Example Rule File

```yaml
id: system_settings_bluetooth_disable
title: Disable Bluetooth When no Approved Device is Connected
discussion: |
  The macOS system _MUST_ be configured to disable Bluetooth unless there is an approved device connected.
check: |
  /usr/bin/osascript -l JavaScript << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
  .objectForKey('DisableBluetooth').js
  EOS
result:
  string: 'true'
fix: |
  This is implemented by a Configuration Profile.
references:
  cce:
    - CCE-94352-2
  800-53r5:
    - AC-18
    - SC-8
  disa_stig:
    - APPL-15-002062
macOS:
  - '15.0'
tags:
  - 800-53r5_moderate
  - 800-53r5_high
  - stig
severity: high
mobileconfig: true
mobileconfig_info:
  com.apple.ManagedClient.preferences:
    com.apple.MCXBluetooth:
      DisableBluetooth: true
```

## Next Steps

- Sections File Layout - Understand section YAML structure
- Customize Rules - Create custom rules