An inital touch base with the macos_security project

Mid of last week National Institute of Standards and Technology
has a released an exiting open-source Framework on GitHub: macos_security.

macos_security — a macOS Security Compliance Project

The project helps to setup and organize security baselines, and technical security controls in a structured and formulated fashion.

The intention is to provide a unified way to define and set security controls on the macOS platform. The project is scoped mostly towards System Administrators, Security Researchers, and Vendors.

The projects’s FAQ states a great summary on it’s motives here:

Every year, a new version of the macOS is released by Apple. With each new version, security professionals and administrators spend months waiting for the release of a security baseline. By creating an open source, community-based method for generating baselines to match new versions of macOS, the timeline for releasing these baselines should be reduced.

The US Federal published guides that the macos_security project currently supports are:

• NIST 800–53
• FISMA High
• FISMA Moderate
• FISMA Low
• CNSSI 1253

Alongside the above guides also prevalent in the field are the well known CIS Apple OS Benchmark guides by the Center for Internet Security. Many controls referenced match to the CIS guide and vice versa, so the macos_security can be used complementary to existing baseline definitions.

In a governmental use scenario for macOS that setup looks very restricted — see the SmartCard enforcement and almost every cloud services disabled (think about iCloud, Siri, et-al. here), often, a more lightweight subset of the broader security controls is used in typical business or higher educational environments.

The macos_security project tries here to address such differing need, not only by organizing a well defined structure to write down definition of controls. It also provides some practical tools — that help to build a documentation or sheet (.xlsx file), create an accompanying shell-script to setup/validate security settings, and also provide mobile config profiles that could be directly used to set certain controls. The use of macos_security as a Framework effectively reduces workload and time to finalize a security baseline for macOS.

Rationale for this project:

Normalize and accelerate annual adoption of OS/Hardware by having guidance available to meet the needs of new operating systems on release

Reduce worldwide effort in creating annual guidance by unifying and consolidating compliance efforts into a single project

Develop a methodology to foster collaboration between baseline authors, reducing overhead and redundancy

Unify approach in setting controls

Provide MDM/EMM/security/audit vendors and Apple insight into customer hardening needs

The project structure

The project wiki gives a good overview on the layout here:

baselines/  ---> Baseline profiles containing all the rules
build/      ---> Script output directory. Contains scripts, documents, and
                 mobileconfig files generated by scripts
custom/     ---> Custom baseline creation
includes/   ---> YAML-based libraries for build scripts
rules/      ---> Rules for securing the operating system; YAML content
                 with one rule per file
scripts/    ---> Scripts to generate reports and configuration
sections/   ---> YAML configurations for sections in generating the guides
templates/  ---> AsciiDoc templates

Note: All scripts require the use of Python 3, in macOS Catalina this usually is installed along with the Apple Developer Command Line Tools — more details about the transition to Python 3 in macOS Catalina can be read here.

Customize (in PyCharm)

The getting started guide is very well written and straightforward— you can simply follow all along here and use the Terminal.

As a variation to that, here we run a an activity to create a custom baseline file, then apply the scripts to the set definitions.

To work along the steps, we proceed the tasks with a rather lightweight use of PyCharm (Community Edition) — a free to use IDE for Python. PyCharm here provides an example graphical editor to see/edit the rules, allow to install Python 3 dependencies, and work within the Project from a single text editor.

Prepare the project

First clone the project (requirement: Apple Developer CLI already installed)

git clone https://github.com/usnistgov/macos_security.git

1. Navigate to the cloned project in your filesystem, open that folder in PyCharm.
2. By default the Project interpreter is set to Python 2.7, this must be changed to Python 3 before you can proceed.

Click the link to configure Python interpreter

1. For the Virtualenv Environment, set Base interpreter to /usr/bin/python3
2. Create a new file, name itRequirements.txt
3. Insert the Requirements pyyaml , lxml , and xlwt(one per line)
4. Click the “Install requirements” link
5. Install the shown packages

1. Base interpreter for Virtual Environment set

2-4. Set Requirements, click the “Install requirements” link

5. Install the shown packages

Customize a baseline file

Baseline files are used for the creation of a guide or xlsx sheet, scripts, and mobileconfig files. In the baseline one defines the associated controls which are used to meet a given security profile.

Quick steps to create and use a new custom.yaml baseline file:

1. Create a new file, we name that custom.yaml in our example
2. Copy the yaml structure from an existing baseline file into the custom.yaml
3. Edit the yaml structure, refine the profiles, set the rules to your liking
4. Run the scripts, then inspect the results.

• Run the yaml-to-xlsx script
• Run the script generator script
• Run the Profile generator script

Update(2021): With the code updates, the commands have changed recently

• Create XLSX: ./scripts/generate_guidance.py -x baselines/custom.yaml
• Create a script:./scripts/generate_guidance.py -s baselines/custom.yaml
• Create profiles:./scripts/generate_guidance.py -p baselines/custom.yaml

Edit the custom.yaml, set rules, run the script files (in PyCharm Terminal)

Result: generated script and mobileconfig files

The xlsx table file with the defined rules

This was a short touch base and practice how to leverage the macos_security project, quickly customize a baseline and look into the resulting files.

Next steps would be to apply and test the resulting shell-script/mobileconfig files from the build folder carefully on a test device. And later prepare them to deploy with a client managment and MDM solution.

Great thanks to Allen Golbig, Bob Gendler, Dan Brodjieski, and other core contributors. Very likely they have worked some longer to structure and build this flexible Security Compliance Project, that now onwards can help a broader audience and is easy to start with.

Pretty sure this project will see a lot more traction in the following weeks and months.

In future it would be nice to see the macos_security project getting cross referenced and/or implemented by vendors as well as with tools such as Osquery, Kolide Fleet, and other projects in same vain.