cmdReporter has contributed to and implemented reporting support for the macOS Security Project: https://github.com/usnistgov/macos_security
Baselines:
Currently Supported
- NIST 800-53r4 (low, moderate, or high)
- CMMC (level 1, 2, or 3)
- CNSSI-1253
- NIST 800-171
In Development @cmdReporter
- ISO 27001 & 27002
- CIS
- HIPAA
- PCI
Results locations
- /var/cmdreporter/com.cmdsec.baseline.results.plist (simplified results for MDM)
- SIEM or log aggregator of choice
- /var/log/cmdReporter.log (default)
How to configure collection:
SecurityBaselineReportingInterval = minutes between baseline evaluations
# In the com.cmdsec.cmdreporter preference domain
# or a configuration profile, add the following.
<key>SecurityBaseline</key>
<string>cmmc_lvl_3</string>
<key>SecurityBaselineReportingInterval</key>
<integer>720</integer>
All possible SecurityBaseline values:
800-171
800-53_high
800-53_moderate
800-53_low
cmmc_lvl_1
cmmc_lvl_2
cmmc_lvl_3
cnssi-1253
all_rules # evaluate all possible rules
# In development @cmdReporter
CIS
ISO 27001 & 27002
HIPAA
PCI
Output plist example:
These simplified results are intended to be collected, in whole or in part, by MDM products to scope remediation actions.
The results plist file contains only the most recent evaluation data and is tagged with a "lastRunTime" field.
defaults read /var/cmdreporter/com.cmdsec.baseline.results.plist
{
    "audit_acls_files_configure" = pass;
    "audit_acls_folders_configure" = pass;
    "audit_auditd_enabled" = pass;
    "audit_configure_capacity_notify" = fail;
    "audit_failure_halt" = fail;
    lastRunTime = "Mon Nov 9 13:29:31 2020 EST";
    "os_airdrop_disable" = fail;
    "os_allow_info_passed" = pass;
    ...
}
SIEM log event example:
All results are tagged with every applicable baseline reference for auditor cross-walks.
The result_details.result_is_value_forced field indicates whether the tested preference is forced via a configuration profile.
{
  "_event_score": 0,
  "event_attributes": {
    "module": "cmmc_lvl_3",
    "references": {
      "800-171r2": ["3.1.10"],
      "800-53r4": ["AC-11"],
      "cce": ["CCE-84785-5"],
      "cci": ["CCI-000056"],
      "cmmc": ["AC.2.010"],
      "disa_stig": ["AOSX-14-000003"],
      "srg": ["SRG-OS-000028-GPOS-00009"]
    },
    "result_details": [
      {
        "result_actual": "0",
        "result_expected": "5",
        "result_is_value_forced": true,
        "result_key_checked": "askForPasswordDelay"
      }
    ],
    "rule": "sysprefs_screensaver_ask_for_password_delay_enforce",
    "section": "systempreferences",
    "status": "pass"
  },
  "header": {
    "event_name": "SECURITY_BASELINE_EVENT",
    "time_seconds_epoch": 1604582641
  },
  "host_info": {
    "host_name": "dan_macbook_pro",
    "host_uuid": "212B...",
    "osversion": "macOS 10.15.7 (Build 19H2)",
    "primary_mac_address": "3c:...",
    "serial_number": "C02..."
  }
}
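An added example, not cmdReporter's own code, that consumes both artifacts above: it groups the non-passing rules in the simplified results plist for MDM remediation scoping, and triages a SIEM event by flagging checks whose value is not forced by a configuration profile. The sample plist and event are constructed here, and grouping rules by the prefix before the first underscore is an assumption for illustration, not a cmdReporter convention.

```python
import plistlib

# Constructed sample of /var/cmdreporter/com.cmdsec.baseline.results.plist
# in XML form (same keys as the `defaults read` output above); not a capture.
SAMPLE_RESULTS_PLIST = b"""<plist version="1.0"><dict>
<key>audit_acls_files_configure</key><string>pass</string>
<key>audit_configure_capacity_notify</key><string>fail</string>
<key>audit_failure_halt</key><string>fail</string>
<key>lastRunTime</key><string>Mon Nov 9 13:29:31 2020 EST</string>
<key>os_airdrop_disable</key><string>fail</string>
<key>os_allow_info_passed</key><string>pass</string>
</dict></plist>"""

# Constructed SECURITY_BASELINE_EVENT: a failing check whose value is not
# forced by a configuration profile (the case a profile should close).
SAMPLE_EVENT = {
    "event_attributes": {
        "module": "cmmc_lvl_3",
        "references": {"800-53r4": ["AC-11"], "cmmc": ["AC.2.010"]},
        "result_details": [{"result_actual": "0", "result_expected": "5",
                            "result_is_value_forced": False,
                            "result_key_checked": "askForPasswordDelay"}],
        "rule": "sysprefs_screensaver_ask_for_password_delay_enforce",
        "status": "fail",
    },
    "header": {"event_name": "SECURITY_BASELINE_EVENT"},
}

def remediation_scope(plist_bytes):
    """Group non-passing rules by the prefix before the first underscore
    (assumed rule family, e.g. 'audit', 'os') so an MDM can scope remediation.
    lastRunTime is run metadata, not a rule, and is skipped."""
    results = plistlib.loads(plist_bytes)
    scope = {}
    for rule, status in sorted(results.items()):
        if rule == "lastRunTime" or status == "pass":
            continue
        scope.setdefault(rule.split("_", 1)[0], []).append(rule)
    return scope

def triage_event(event):
    """Return (rule, status, drift_risk, controls) for one SIEM event.
    drift_risk is True when any checked key is not forced by a profile:
    a value a user can change back should be enforced, not just checked."""
    attrs = event["event_attributes"]
    drift_risk = any(not d["result_is_value_forced"]
                     for d in attrs["result_details"])
    controls = [f"{fw}:{cid}" for fw, ids in sorted(attrs["references"].items())
                for cid in ids]
    return attrs["rule"], attrs["status"], drift_risk, controls
```

On a real host, replace SAMPLE_RESULTS_PLIST with the bytes of the results plist and SAMPLE_EVENT with a parsed SECURITY_BASELINE_EVENT from the log or SIEM.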