Lesson 6: macOS Security Compliance Project

Question 1

What is the macOS Security Compliance Project (mSCP)?

Answer 1

The mSCP is an open-source project on GitHub maintained by top IT security professionals.

Question 2

What are the primary uses of the mSCP?

Answer 2

To create configuration profiles, compliance scripts, and guidance documentation.

Question 3

Where can instructions for setting up and using the mSCP be found?

Answer 3

In the mSCP Wiki.

Question 4

What are the prerequisites for using the mSCP?

Answer 4

Command line tools for Xcode, Python3 modules, and Ruby gems.

Question 5

Which branch should you avoid working from in the mSCP?

Answer 5

The main branch.

Question 6

What should you use instead of the main branch in the mSCP?

Answer 6

One of the OS-specific branches.

Question 7

What built-in baselines can be used with mSCP?

Answer 7

CIS Benchmarks and custom-tailored baselines.

Question 8

What script is used to create a tailored baseline in mSCP?

Answer 8

generate_baseline.py

Question 9

What do the -k and -t options do in generate_baseline.py?

Answer 9

-k specifies the baseline; -t enables tailoring.

Question 10

Where should configuration profile settings be deployed when possible?

Answer 10

Via Jamf Pro, rather than mSCP scripts.

Question 11

What script generates signed configuration profiles and documentation?

Answer 11

generate_guidance.py

Question 12

What file formats are generated by default with generate_guidance.py?

Answer 12

HTML and PDF guidance documentation.

Question 13

What does the -p option in generate_guidance.py do?

Answer 13

Generates unsigned configuration profiles and corresponding plists.

Question 14

What does the -H option in generate_guidance.py do?

Answer 14

Generates signed configuration profiles using the subject key ID.

Question 15

What does the -l option in generate_guidance.py do?

Answer 15

Adds a custom branding image.

Question 16

What does the -s option in generate_guidance.py do?

Answer 16

Generates a compliance script.

Question 17

What does the -x option in generate_guidance.py do?

Answer 17

Generates documentation in .xls format.

Question 18

How do you retrieve the subject key ID for signing certificates?

Answer 18

Use a Terminal command with security find-certificate and openssl asn1parse.

Question 19

Can signed configuration profiles from mSCP be used in Jamf Pro?

Answer 19

Yes, they can be uploaded and deployed.

Question 20

What is the purpose of the compliance script in mSCP?

Answer 20

To scan for and remediate noncompliant settings.

Question 21

What do --check and --fix do in a Jamf Pro policy using the compliance script?

Answer 21

--check initiates a scan; --fix remediates non-compliant settings.

Question 22

What option can be used to customize existing baselines when running the generate_baseline.py script?

Answer 22

-t

Question 23

What is required to generate signed configuration profiles when running the generate_guidance.py script?

Answer 23

The -H option and the subject key ID of a signing certificate.

Question 24

How can the compliance script be run on managed computers with a policy in Jamf Pro?

Answer 24

Use --check as parameter 4 to run a scan and --fix as parameter 5 to remediate noncompliant settings.