-
Notifications
You must be signed in to change notification settings - Fork 209
Compliance Script
Allen Golbig edited this page Oct 8, 2024
·
28 revisions
Adding the -s
flag to the generate-guidance.py
script will generate a compliance script, which can be used to check/fix a system.
➜ macos_security git:(sequoia) ./scripts/generate_guidance.py -s baselines/800-53r5_moderate.yaml
Profile YAML: baselines/800-53r5_moderate.yaml
Output path: /Users/mscp/src/macos_security/build/800-53r5_moderate/800-53r5_moderate.adoc
Generating compliance script...
Finished building /Users/mscp/src/macos_security/build/800-53r5_moderate/800-53r5_moderate_compliance.sh
Generating HTML file from AsciiDoc...
Generating PDF file from AsciiDoc...
➜ macos_security git:(sequoia) ✗ ls -dn build/800-53r5_moderate/*
-rw-r--r-- 1 501 20 259522 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate.adoc
-rw-r--r-- 1 501 20 859486 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate.html
-rw-r--r-- 1 501 20 2667622 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate.pdf
-rwxr-xr-x 1 501 20 276876 Jan 19 15:23 build/800-53r5_moderate/800-53r5_moderate_compliance.sh
drwxr-xr-x 3 501 20 96 Jan 19 15:23 build/800-53r5_moderate/preferences
➜ macos_security git:(sequoia) ✗ ls -dn build/800-53r5_moderate/preferences/*
-rw-r--r-- 1 501 20 13688 Jan 19 15:23 build/800-53r5_moderate/preferences/org.800-53r5_moderate.audit.plist
When generating the compliance script a org.{baseline}.audit.plist
will be created. This file represents the structure of how exemptions can be implemented. See the section on Exemptions for more information.
The {baseline}_compliance.sh
script can run interactively or with the --check/--fix/--cfc flags. To run the script interactively run the following command:
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M A I N - M E N U
macOS Security Compliance Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Last compliance scan: No scans have been run
1. View Last Compliance Report
2. Run New Compliance Scan
3. Run Commands to remediate non-compliant settings
4. Exit
Enter choice [ 1 - 4 ]
📎
|
The --cfc flag will trigger a check/fix/check when running the compliance script.
|
After running the script the results are written to /Library/Preferences/org.{baseline}.audit.plist
and /Library/Logs/{baseline}_baseline.log
.
📎
|
In order for the script to run commands to remediate non-compliant settings, a successful compliance scan must be run first. |
800-53r5_moderate_baseline.log
Thu Jan 21 15:09:41 UTC 2021 auth_pam_login_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_allow passed (Result: 1, Expected: {integer: 1})
Thu Jan 21 15:09:41 UTC 2021 auth_pam_sudo_smartcard_enforce passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_certificate_trust_enforce_moderate passed (Result: 2, Expected: {integer: 2})
Thu Jan 21 15:09:41 UTC 2021 auth_smartcard_enforce has an exemption (Reason: Broken Reader)
💡
|
To add a custom reference in front of the rule in the {baseline}_baseline.log use the -r flag along with the custom reference (case sensitive) when running the generate_guidance.py script.
|