US NIST GOV / macos_security / baseline / all rules.yaml

sgiesbrecht
Contributor III

Our client wants us to start using the US NIST GOV / macos_security / baseline / all rules.yaml in our environment. Until recently I had never heard of YAML.

How can I configure the .YAML file to work with JAMF Pro?

They have sent an example of what they want.

[image: sgiesbrecht_0-1658178068573.png]

Any help will be greatly appreciated.


mm2270
Legendary Contributor III

I haven't used it myself, but you might want to head over to the NIST Github page for the macOS Security project, which has a Wiki that explains more on how to use it and configure it.

https://github.com/usnistgov/macos_security


AntMac
Contributor

I've gone through something similar to this but for CIS compliance with differential/additive NIST items.
The YAML is part of the baseline generation process. As mm2270 mentioned, there is a wiki for the project that goes through each of the steps required to build the config profiles and remediation scripts. The wiki is here: https://github.com/usnistgov/macos_security/wiki

You'll likely need to build the EAs yourself to pull the data out of the generated CSV. This will give you your compliant/not compliant items per your image.

boberito
Valued Contributor

As others have said, you'll want to check out the wiki on the GitHub. But there are also other resources on getting started, including some older presentations:

These are from 2020; while some things have changed, the general idea is the same.
http://docs.macsysadmin.se/2020/video/Day2Session3.mp4

https://www.youtube.com/watch?v=mpEBEelSWlI

And a NIST Special Publication on the macOS Security Compliance Project: https://csrc.nist.gov/publications/detail/sp/800-219/final

There are also sessions at JNUC 2022 coming up that cover the macOS Security Compliance Project and how to use it within Jamf.


You do NOT want to use the all_rules as your baseline. All rules is exactly what it sounds like...all the rules, which can end up with conflicting settings, and settings that could hinder usability or lock you out of the system totally. Figure out what your client is really trying to accomplish...is it CIS compliance, is it 800-171, is it 800-53, or is it just general security? You should build your own custom baseline that has specific rules to cover the settings you want to control.


Once you've figured out what settings you want to control, you'll generate the compliance script and potentially the configuration profiles and deploy them to computers. When the compliance script is run it writes a log to /Library/Logs and a plist in /Library/Preferences. You'll have to create an extension attribute to read one or the other.


Feel free to open discussions on the GitHub page or on the Mac Admins slack in the #macos_security_compliance channel.
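The two replies above (AntMac on building the EAs yourself, boberito on the plist the compliance script leaves in /Library/Preferences) describe the same missing piece: a Jamf Pro extension attribute that turns the compliance script's results into a compliant/not-compliant value per computer. The script below is an added example written for this page; it is not part of the usnistgov/macos_security project and not code any poster supplied. It assumes (as the mSCP compliance script does at the time of writing) that results are stored in /Library/Preferences/org.<baseline>.audit.plist, that every key is a rule ID mapping to a dictionary whose boolean "finding" is 1 when the rule is non-compliant, and that an optional boolean "exempt" marks rules the admin has excused. The baseline name 800-53r5_moderate and the rule IDs in the constructed sample are illustrative; substitute your own baseline. Parsing `defaults read` output with awk keeps the script free of dependencies beyond what ships with macOS, and the constructed sample lets it run on any machine without the plist present.

```bash
#!/bin/bash
# Jamf Pro extension attribute (hypothetical, added example; not mSCP code).
# Summarises the macOS Security Compliance Project audit results.
#
# Assumptions:
#   - results live in /Library/Preferences/org.<baseline>.audit.plist
#   - each top-level key is a rule ID whose dict has a boolean "finding"
#     (1 = non-compliant) and an optional boolean "exempt"
#   - `defaults read` prints booleans as 0/1 in the form "finding = 1;"

BASELINE="${BASELINE:-800-53r5_moderate}"   # assumed name; edit to match yours
AUDIT_PLIST="/Library/Preferences/org.${BASELINE}.audit.plist"

# list_findings: reads `defaults read` output on stdin and prints, sorted,
# one rule ID per line for every rule with finding = 1 that is not exempt.
list_findings() {
    awk '
        # A rule entry opens as "<rule_id> =     {"; remember which rule we are in.
        /^[ \t]*[A-Za-z0-9_]+ =[ \t]*[{]/ { rule = $1 }
        /finding = 1;/ { finding[rule] = 1 }
        /exempt = 1;/  { exempt[rule] = 1 }
        END { for (r in finding) if (!exempt[r]) print r }
    ' | sort
}

# ea_result: reads the same input on stdin and prints the <result> element
# Jamf stores for the extension attribute.
ea_result() {
    local findings count
    findings=$(list_findings)
    if [ -z "$findings" ]; then
        echo "<result>Compliant</result>"
    else
        count=$(printf '%s\n' "$findings" | wc -l | tr -d ' ')
        printf '<result>Non-compliant (%s): %s</result>\n' \
            "$count" "$(printf '%s' "$findings" | tr '\n' ' ')"
    fi
}

# Constructed sample of `defaults read` output (not captured from a real
# system) so the logic can be exercised on a machine without the plist.
# os_sip_enable is a finding but exempt, so it must not be counted.
SAMPLE_AUDIT='{
    auth_ssh_password_authentication_disable =     {
        finding = 0;
    };
    os_firewall_enable =     {
        finding = 1;
    };
    os_sip_enable =     {
        exempt = 1;
        "exempt_reason" = "Developer machine";
        finding = 1;
    };
    system_settings_screensaver_timeout_enforce =     {
        finding = 1;
    };
}'

main() {
    if [ -r "$AUDIT_PLIST" ]; then
        defaults read "$AUDIT_PLIST" | ea_result
    else
        # No audit plist (script never run, or not a Mac): use the sample.
        printf '%s\n' "$SAMPLE_AUDIT" | ea_result
    fi
}

main "$@"
```

On a managed Mac the EA reports either `<result>Compliant</result>` or `<result>Non-compliant (N): rule_id ...</result>`, which is enough to build a smart group on "Compliant" and a report listing the failing rule IDs. The exempt check matters in practice: rules you have deliberately excused would otherwise keep every machine in the non-compliant group.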