For Home Users, Ignore Some Rule Sections?

[MilkandGinn]

Hello:

I am trying to adapt this for home use, and while I am well-versed in macOS, I am not a programmer or IT professional.

The main thing that I want to change to the baselines is that, because this is for home use, I don't want the PAM/Smartcard or iCloud restriction settings. I also don't want to completely disable location services, FMF, Find My, etc.

If I want the scripts to ignore these sections, can I just edit the baseline YAML by deleting those sections? If so, where in custom do I save it? custom/rules/ or just custom/?

OR do I have to leave those in there but edit the rules themselves? If so, that's a lot more complicated. I wish the rules were in JSON, so it's a matter of change values. I also wish there was a baseline for home use that wasn't so strict, so its intuitive for home users. I don't see much difference between the 800-r53 low and high baselines.

I tried editing the kext files, and then later the mobileconfig files themselves, and for the most part it worked, but many of the related rules that I did want broke.

[robertgendler]

Hey @MilkandGinn So you can edit a baseline file and honestly save it anywhere you want. You just have to point the generate_guidance script at it. Custom is mainly for custom rules, like if you wanted to build custom checks or something.

Check out the wiki on the project. Jamf also has a great walk through on getting started. Jamf 170 - Lesson 6

To be honest, the project isn't aimed much for home use, it definitely can be used for that. But you may want to just use something like CIS Level 1 which is pretty minimal.

[beerisgood]

To be fair even the level 1 isn’t for enduser, like why would anyone disable Airdrop?

@MilkandGinn better take a look at Apple’s own documentation and keep your system clean and up2date.

[jamierrichardson]

Why not simply take the 800-53 low or cis lvl 1, and use the generate baseline script with -t -k cis_lvl1

(Or whatever tag for whatever baseline you want )

It will ask you to customize the name of the baseline, and then will prompt you whether or not you want every rule (say no to the ones you don't want) and every organizationally defined value (ODV).

You can then run generate guidance against this- (use the -s -x -p flags and the path to your baseline file. Everything you don't want will be gone, scripts and profiles are made, and everything fully documented.

[MilkandGinn]

@robertgendler Thank you, that was very helpful. The wiki docs didn’t appear to indicate using the -t flag to create custom baselines.

Also, it gave me some insights on the next question I had regarding errors when trying to create a signed profile.

@beerisgood I’d have a better answer for you if I ever used Air Drop.

@jamierrichardson Thank you!