Quick Guide

5-Step Workflow

Already completed Getting Started? Skip to Step 3: Generate a Baseline.

Install Prerequisites
Section titled “Install Prerequisites”

macOS includes Python 3 and Ruby. You just need to install the packages:

Python packages (required):
Terminal window
```
pip3 install pyyaml xlwt --user
```
Ruby gems (optional — only needed for PDF output):
Terminal window
```
gem install asciidoctor asciidoctor-pdf rouge --user-install
```
Want isolated installs? Click to expand
A virtual environment keeps packages separate from your system Python — useful if you don’t want to install packages globally or need to avoid conflicts.
Python virtual environment:
Terminal window
```
# Create environment (once)
python3 -m venv venv

# Activate before running scripts
source venv/bin/activate

# Install packages inside the environment
pip3 install -r requirements.txt

# When done, deactivate
deactivate
```
Ruby local bundle:
Terminal window
```
bundle install --path vendor/bundle
```
Clone & Checkout Branch
Section titled “Clone & Checkout Branch”
Terminal window
```
git clone https://github.com/usnistgov/macos_security.git
cd macos_security
git checkout sequoia
```
Replace sequoia with your target macOS version.
Generate a Baseline
Section titled “Generate a Baseline”

List baselines: ./scripts/generate_baseline.py -l
Generate: ./scripts/generate_baseline.py -k BASELINE_NAME
With tailoring: ./scripts/generate_baseline.py -k BASELINE_NAME -t
Terminal window
```
# Example: Generate NIST 800-53 Moderate baseline
./scripts/generate_baseline.py -k 800-53r5_moderate
```
Generate Outputs
Section titled “Generate Outputs”

Run generate_guidance.py with the flags you need:
Terminal window
```
./scripts/generate_guidance.py [flags] baselines/BASELINE_NAME.yaml
```
Flag Output
(none) Guidance docs (.adoc, .html, .pdf)
-s Compliance script
-p Configuration profiles (one per payload)
-P Single consolidated profile
-D DDM components
-x Excel spreadsheet

Example — Generate all common outputs:
Terminal window
```
./scripts/generate_guidance.py -s -p -x baselines/800-53r5_moderate.yaml
```

Flag	Output
(none)	Guidance docs (`.adoc`, `.html`, `.pdf`)
`-s`	Compliance script
`-p`	Configuration profiles (one per payload)
`-P`	Single consolidated profile
`-D`	DDM components
`-x`	Excel spreadsheet

Use Your Files

Everything goes to build/BASELINE_NAME/:

build/800-53r5_moderate/
├── 800-53r5_moderate.adoc
├── 800-53r5_moderate.html
├── 800-53r5_moderate.pdf
├── 800-53r5_moderate_compliance.sh
├── mobileconfigs/
├── preferences/
├── activations/    ← DDM (if -D used)
├── assets/
└── configurations/

Running the Compliance Script

Interactive mode:

sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh

Automated mode:

Flag	What it does
`--check`	Run checks only
`--fix`	Run fixes only
`--cfc`	Check → Fix → Check
`--stats`	Show last run statistics
`--compliant`	Report compliant count
`--non_compliant`	Report non-compliant count
`--reset`	Clear results for this baseline
`--reset-all`	Clear results for all baselines
`--quiet=1`	Show failed/exempt only
`--quiet=2`	Minimal output

# Quick check
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh --check

# Full remediation
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh --cfc --quiet=2

Available Baselines

Example baselines (may vary by branch):

Framework	Baseline Name
NIST 800-53 Rev 5	`800-53r5_high`, `800-53r5_moderate`, `800-53r5_low`
NIST 800-171	`800-171`
DISA STIG	`DISA-STIG`
CIS Benchmarks	`cis_lvl1`, `cis_lvl2`, `cisv8`
CMMC 2.0	`cmmc_lvl1`, `cmmc_lvl2`
CNSSI 1253	`cnssi-1253_high`, `cnssi-1253_moderate`, `cnssi-1253_low`
All Rules	`all_rules`

Script Reference

`generate_baseline.py`

Creates the baseline YAML file.

Flag	Purpose
`-l`	List available baselines
`-k NAME`	Generate baseline
`-t`	Interactive tailoring
`-c`	Show 800-53 controls

`generate_guidance.py`

Generates all outputs from a baseline.

Flag	Purpose
`-s`	Compliance script
`-p`	Config profiles
`-P`	Consolidated profile
`-D`	DDM components
`-x`	Excel file
`-l LOGO`	Custom logo
`-H HASH`	Sign profiles
`-a NAME`	Custom audit name
`-r REF`	Custom reference ID

`generate_scap.py`

Generates SCAP/OVAL content for compliance scanning tools.

Flag	Purpose
`-x`	XCCDF file
`-o`	OVAL file
`-b NAME`	Specific baseline
`-d FILE`	Include DISA STIG references from file
`-l`	List tags

Common Workflows

Compliance Check

Scan a Mac for compliance issues:

./scripts/generate_baseline.py -k 800-53r5_moderate
./scripts/generate_guidance.py -s baselines/800-53r5_moderate.yaml
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh --check

MDM Deployment Package

Generate profiles and DDM for device management:

./scripts/generate_baseline.py -k DISA-STIG -t
./scripts/generate_guidance.py -p -D -s build/baselines/DISA-STIG.yaml

Full Documentation Set

Create all outputs for documentation and audit:

./scripts/generate_baseline.py -k cis_lvl2
./scripts/generate_guidance.py -s -p -x baselines/cis_lvl2.yaml

Customization Options

Option	Description	Link
Tailor Baseline	Select rules and set Organization Defined Values	Learn more →
Customize Rules	Modify rules in `custom/rules/` folder	Learn more →
Exempt Rules	Mark rules as approved exceptions	Learn more →
Sign Profiles	Sign with your certificate using `-H HASH`	Learn more →

Quick Guide

5-Step Workflow

Install Prerequisites

Clone & Checkout Branch

Generate a Baseline

Generate Outputs