The project provides the following baseline files, located in the /baselines/ folder:

• NIST 800-53
  • macOS, iOS/iPadOS, and visionOS
    • High 800-53r5_high.yaml
    • Moderate 800-53r5_moderate.yaml
    • Low 800-53r5_low.yaml
• DISA-STIG
  • macOS
    • DISA-STIG.yaml
  • iOS/iPadOS
    • iOS STIG ios_stig.yaml
    • iOS STIG BYOAD ios_stig_byoad.yaml
• NIST 800-171 800-171.yaml
• CIS
  • macOS
    • CIS Level 1 cis_lvl1.yaml
    • CIS Level 2 cis_lvl2.yaml (Contains Level 1)
  • iOS/iPadOS
    • CIS Level 1 BYOD cis_lvl1_byod.yaml
    • CIS Level 2 BYOD cis_lvl2_byod.yaml
    • CIS Level 1 Enterprise cis_lvl1_enterprise.yaml
    • CIS Level 2 Enterprise cis_lvl1_enterprise.yaml
• CIS Controls V8 cisv8.yaml
• CMMC Level 1 cmmc_lvl1.yaml
• CMMC Level 2 cmmc_lvl2.yaml
• CNSSI 1254
  • High cnssi-1254_high.yaml
  • Moderate cnssi-1254_moderate.yaml
  • Low cnssi-1254_low.yaml
• indigo (iOS Only)
  • Base indigo_base.yaml
  • High indigo_high.yaml

If you want to create your own baseline or modify an existing baseline, the generate-baseline.py found in the scripts folder will generate a {baseline}.yaml file containing all the rules corresponding with the provided tag (baseline). This {baseline}.yaml is required to run the generate-guidance.py script.

Get a list of available tags

➜  macos_security git:(sequoia) ./scripts/generate_baseline.py -l
800-171
800-53r4_high
800-53r4_low
800-53r4_moderate
800-53r5_high
800-53r5_low
800-53r5_moderate
800-53r5_privacy
US_HIPAA
all_rules
arm64
cis_lvl1
cis_lvl2
cisv8
cmmc_lvl1
cmmc_lvl2
cnssi-1253_high
cnssi-1253_low
cnssi-1253_moderate
i386
inherent
manual
n_a
none
permanent
srg
stig
supplemental

Generate a new baseline

➜  macos_security git:(sequoia) ./scripts/generate_baseline.py -k 800-53r5_moderate
➜  macos_security git:(sequoia) ls -dn build/baselines/*
-rw-r--r--  1 501  20  6350 Jan 19 13:30 build/baselines/800-53r5_moderate.yaml