The macOS Security Compliance Project
Security plays an increasingly significant part in device management. As a technology professional tasked with configuring, deploying and supporting corporate devices, you will most likely be using some sort of mobile device management solution, such as Jamf Pro or datajar.mobi, to manage your devices.
In addition to configuration management, MDM solutions help you manage and enforce your organisation’s security posture. For instance, you could enforce FileVault on computers or set a minimum password length. And with each new version of macOS, new features and functionality are gained that may require you to think about how this affects security.
However, it is not always obvious what should be managed or what can be managed. Even if you have a list of organisational security requirements, you still have to create those policies, deploy them and then audit that they have actually been applied. And let us not forget about documentation.
This is where the macOS Security Compliance Project comes in handy.
Overview
The macOS Security Compliance Project is an open source collaborative effort to provide a programmatic approach to generating security guidelines.
This project can be used as a resource to easily create customised security baselines of security controls from a library of actions.
Various third parties have contributed to this project, including the National Institute of Standards and Technology (NIST), the National Aeronautics and Space Administration (NASA) and Jamf.
Download and requirements
The project can be downloaded from https://github.com/usnistgov/macos_security
This is a collection of scripts and a library of security rules which can be applied to the specific security baseline you wish to use.
As security requirements will differ between versions of macOS, there are different branches available for each version of macOS, from macOS 10.15 to macOS 12.
There are some requirements to utilise this project.
The Python scripts need the pyyaml and xlwt modules, which are listed in the project’s requirements.txt, and the documentation build needs the asciidoctor and asciidoctor-pdf Ruby gems, which are listed in its Gemfile.
To download the project and install both sets of dependencies, run the following in Terminal:
git clone https://github.com/usnistgov/macos_security.git
cd macos_security
pip3 install -r requirements.txt --user
bundle install
Directory structure
Once downloaded, the main folders of interest in the project directory are:
baselines – a set of yaml files, where each yaml file represents a specific security baseline, for instance CIS Level 1. This file contains all the rules for that published baseline, where a rule represents a value or setting for a specific service or feature.
build – any files generated by this project are placed here.
custom – here you can add custom rules that override default values.
rules – a set of yaml files, where each yaml file describes the values for a specific rule.
scripts – contains the scripts used by this project.
Security baselines
The project provides a set of baselines from different organisations, all recommending a default security posture.
These include:
- NIST 800-53
  - high
  - medium
  - low
- DISA-STIG
- NIST 800-171
- CNSSI 1253
- CIS Level 1
- CIS Level 2
There are a few more; running ‘generate_baseline.py’ without any arguments prints the complete list.
Within the directory you download, you will find a scripts folder. This contains the scripts we need to use for this project.
One of the scripts is called ‘generate_baseline.py’
If you simply run this script without any arguments, you will receive a list of all the baselines available.
The baselines themselves are yaml files that contain all the rules corresponding to the selected baseline. The CIS Level 1 baseline may have different rules to NIST, for example. Each rule defines a specific feature or service on macOS with a recommended setting or value.
These baselines can have hundreds of rules.
Within the project, you will find a baseline directory. In here are pre-built yaml files for some of the more popular baselines.
You can use these if you are happy to go with the default recommendation for each one, or you can create your own for a baseline unique to you.
You can use the ‘generate_baseline.py’ script to create a customised baseline – just run it and pass in the name of the baseline you want to create with -k. The name to use comes from the list you get back when you run the script without any arguments.
As an example, this will create a new baseline we can customise based off CIS Level 1.
‘generate_baseline.py -k cis_lvl1’
This will build a new yaml file for CIS Level 1 but place it in the ‘build/baselines’ directory rather than the stock ‘baselines’ directory. You can then edit this copy to match the requirements you want.
Baseline yaml files
Each baseline yaml file is a collection of rules. The rules are broken down into sections of related rules. For instance, you would have one section for auditing, one for password policies and so on.
An example section would look like this (each section is an entry in the baseline’s list of sections):

  - section: "passwordpolicy"
    rules:
      - pwpolicy_account_lockout_enforce
      - pwpolicy_history_enforce
      - pwpolicy_minimum_length_enforce

Here you will find the section called ‘passwordpolicy’ and underneath it, three password-policy rules.
Having generated your baseline file, if there are rules you do not want to implement, you can edit the yaml file and delete the specific rule entry.
Rules
Within the project directory is a ‘rules’ directory. This contains a yaml file for each specific rule. They have the same name as the entries in the baseline file, e.g. pwpolicy_history_enforce.yaml
Each rule file contains a description of that rule, a method to check whether that setting has been applied and some default values. There may be different default values for different baselines.
As an example, one rule may set how many previous passwords are recorded in the password history, thus stopping the user from re-using an old password.
Now you may not want these default values, so you can override them. To do this, copy the specific yaml file for that rule into the ‘custom/rules’ directory and edit that copy to change the value. When the guidance is generated, a custom rule file takes precedence over the default one of the same name, so the file name must match exactly.
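The two edits just described, removing unwanted rule entries from the generated baseline and overriding a rule with a copy under custom/rules, are easy to get slightly wrong (a mistyped rule name silently refers to nothing). The following shell script is an added example written for this article; it is not part of the macOS Security Compliance Project. It drops rule IDs from a baseline yaml and then resolves every remaining rule ID to a file, looking in custom/rules before rules/ to mirror the override order described above. The directory layout it assumes (rules/<section>/<id>.yaml, custom/rules/<id>.yaml, build/baselines/<baseline>.yaml) and the throw-away fixture it builds are constructed for the example.

```shell
#!/bin/sh
# Added example for this article, not project code. Tailors a baseline yaml by
# dropping rule IDs, then checks every remaining rule ID resolves to a rule file
# (custom/rules first, then rules/). Directory layout is assumed, see lead-in.

# drop_rules BASELINE ID...  Remove the named rule entries from a baseline yaml.
# The pattern anchors on the whole "- id" line so an ID that is a prefix of
# another ID is not removed by accident.
drop_rules() {
  dr_baseline="$1"; shift
  for dr_id in "$@"; do
    grep -v -E "^[[:space:]]*-[[:space:]]+${dr_id}[[:space:]]*$" "$dr_baseline" \
      > "$dr_baseline.tmp" && mv "$dr_baseline.tmp" "$dr_baseline"
  done
}

# list_rules BASELINE  Print the rule IDs referenced by a baseline, one per line.
# Only bare "- rule_id" list items match; "- section: ..." lines do not.
list_rules() {
  grep -E '^[[:space:]]*-[[:space:]]+[A-Za-z0-9_-]+[[:space:]]*$' "$1" \
    | sed -E 's/^[[:space:]]*-[[:space:]]+//; s/[[:space:]]+$//'
}

# resolve_rules BASELINE PROJECT_DIR  Print "<id> custom|default|MISSING" per rule.
# Returns 1 if any rule has no yaml file, so it can gate a guidance build.
resolve_rules() {
  rr_baseline="$1"; rr_project="$2"; rr_missing=0
  for rr_id in $(list_rules "$rr_baseline"); do
    if [ -n "$(find "$rr_project/custom/rules" -name "$rr_id.yaml" 2>/dev/null)" ]; then
      echo "$rr_id custom"
    elif [ -n "$(find "$rr_project/rules" -name "$rr_id.yaml" 2>/dev/null)" ]; then
      echo "$rr_id default"
    else
      echo "$rr_id MISSING"
      rr_missing=$((rr_missing + 1))
    fi
  done
  [ "$rr_missing" -eq 0 ]
}

# make_fixture  Build a constructed, throw-away project tree: three rule files,
# one custom override, and a baseline in the shape shown earlier plus one rule
# ID that has no file (the MISSING case). Prints the directory path.
make_fixture() {
  mf_dir=$(mktemp -d)
  mkdir -p "$mf_dir/rules/pwpolicy" "$mf_dir/custom/rules" "$mf_dir/build/baselines"
  for mf_id in pwpolicy_account_lockout_enforce pwpolicy_history_enforce pwpolicy_minimum_length_enforce; do
    printf 'id: %s\n' "$mf_id" > "$mf_dir/rules/pwpolicy/$mf_id.yaml"
  done
  cp "$mf_dir/rules/pwpolicy/pwpolicy_history_enforce.yaml" "$mf_dir/custom/rules/"
  cat > "$mf_dir/build/baselines/cis_lvl1.yaml" <<'EOF'
title: "CIS Level 1 (tailored)"
profile:
  - section: "passwordpolicy"
    rules:
      - pwpolicy_account_lockout_enforce
      - pwpolicy_history_enforce
      - pwpolicy_minimum_length_enforce
      - pwpolicy_not_a_real_rule
EOF
  echo "$mf_dir"
}

# Run as "sh tailor_baseline.sh demo" to exercise the functions on the fixture.
if [ "${1:-}" = "demo" ]; then
  demo_dir=$(make_fixture)
  demo_baseline="$demo_dir/build/baselines/cis_lvl1.yaml"
  resolve_rules "$demo_baseline" "$demo_dir" || echo "baseline has unresolved rules"
  drop_rules "$demo_baseline" pwpolicy_not_a_real_rule pwpolicy_minimum_length_enforce
  resolve_rules "$demo_baseline" "$demo_dir" && echo "baseline is consistent"
  rm -rf "$demo_dir"
fi
```

Against a real checkout you would point resolve_rules at the project root and at the yaml generated into build/baselines; a non-zero exit means a rule name in the baseline has no matching file and the guidance build would not pick it up.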
Building your guidance
At this point we have chosen our base guideline and, if required, removed any unwanted rules or overridden some default values.
We can now automatically generate the following:
- individual preference files for each rule
- configuration profiles
- documentation in the following formats
  - .adoc
  - html
- a compliance script
Configuration profiles will be created with the settings from all the rules in the selected baseline. These can be uploaded to your management server and deployed to your clients.
We also have the raw preference files used for those configuration profiles.
Most importantly, everything is documented for you. The documentation is pretty comprehensive, comprising a table of contents and a detailed description of each rule used including an overview, how to audit that rule and what value was supplied.
You also get a compliance script which you can deploy via your management server to check the security posture was applied correctly.
To generate the guidance you will use the script called ‘generate_guidance.py’
You can pass in a number of arguments to specify what gets created.
If you pass in just the path to the baseline yaml file you wish to use (for instance the one generated into ‘build/baselines’), it will simply create the documentation. This gets created in the ‘build’ folder.
‘generate_guidance.py cis_lvl1.yaml’
If you also want the configuration profiles, add -p, and add -s for the compliance script.
‘generate_guidance.py -p -s cis_lvl1.yaml’
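The generated compliance script is too long to reproduce here, but the pattern it applies to every rule is the one a rule file describes: run the rule’s check and compare the output with the expected result. The following is an added example written for this article, not the project’s own script, showing that pattern with a tally and an exit status a management tool can read. The check commands are constructed stand-ins (echo/printf) so it runs on any system; on a Mac the real check would be the command from the rule’s yaml.

```shell
#!/bin/sh
# Added example for this article, not the project's generated compliance script.
# Runs a list of (rule id, check command, expected result) entries, prints a
# pass/fail line per rule and a summary, and exits 1 if any rule failed.

# check_rule ID CHECK EXPECTED  Run CHECK, compare its output with EXPECTED.
# Prints "<id> pass" or "<id> fail (...)" and returns 0 or 1 accordingly.
# stdin is closed for the check so it cannot swallow the caller's input.
check_rule() {
  cr_id="$1"; cr_cmd="$2"; cr_expected="$3"
  cr_actual=$(sh -c "$cr_cmd" </dev/null 2>/dev/null)
  if [ "$cr_actual" = "$cr_expected" ]; then
    printf '%s pass\n' "$cr_id"
    return 0
  fi
  printf '%s fail (expected "%s", got "%s")\n' "$cr_id" "$cr_expected" "$cr_actual"
  return 1
}

# audit_rules  Read "id<TAB>check<TAB>expected" lines from stdin, run each one,
# print the per-rule results and a summary line. Returns 1 if any rule failed,
# so "audit_rules < checks.tsv; echo $?" gives a one-number compliance result.
audit_rules() {
  ar_tab=$(printf '\t'); ar_pass=0; ar_fail=0
  while IFS="$ar_tab" read -r ar_id ar_cmd ar_expected || [ -n "$ar_id" ]; do
    [ -n "$ar_id" ] || continue
    if check_rule "$ar_id" "$ar_cmd" "$ar_expected"; then
      ar_pass=$((ar_pass + 1))
    else
      ar_fail=$((ar_fail + 1))
    fi
  done
  printf 'summary: %d passed, %d failed\n' "$ar_pass" "$ar_fail"
  [ "$ar_fail" -eq 0 ]
}

# sample_checks  Constructed sample input. The third column plays the role of a
# rule's expected result; the second stands in for its check command. The
# minimum-length entry is deliberately non-compliant to show a failure.
sample_checks() {
  printf 'pwpolicy_history_enforce\techo 15\t15\n'
  printf 'pwpolicy_minimum_length_enforce\techo 8\t15\n'
  printf 'pwpolicy_account_lockout_enforce\tprintf 1\t1\n'
}

# Run as "sh audit_demo.sh demo" to audit the sample checks.
if [ "${1:-}" = "demo" ]; then
  sample_checks | audit_rules
fi
```

The per-rule lines are what you would surface in an MDM extension attribute or log, and the exit status is what a policy or smart group would key off; the comparison is a plain string match, so the expected value has to be written exactly as the check command prints it.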
As new versions of macOS are released, new baselines will be created allowing you to easily stay on top of your security posture.