macOS Security Baseline Script Assistant

This page explains what the assistant does, who it is for, and how to use the generated bash script safely alongside your own backups, MDM policies, and macOS hardening plans.

What this assistant is designed to do

The macOS Security Baseline Script Assistant helps you turn individual DISA STIG–inspired controls into a single, readable bash script. You choose which critical and medium severity items to include, then the tool builds a script that combines native commands, safe local checks, and clearly marked manual steps you can follow in Terminal on Macs you manage.

Who it is for

  • Mac owners who want stronger defaults on personal or lab systems.
  • Small teams that need a repeatable baseline for a handful of macOS devices.
  • Admins and homelab builders who prefer plain bash over heavy management stacks.

The tool does not push changes remotely. It simply generates a script you can review, edit, and run yourself from a root or sudo-enabled shell.

What the script includes

  • Controls grouped by severity and impact, including SSH, FileVault, SIP, and service hardening.
  • Comments that explain each section in plain language before any command runs.
  • Manual-only items that appear as clearly labelled guidance and checklists inside the script.
  • A simple “pre / post” JSON snapshot under /usr/local/CyberLifeCoach/Reports/MacOSBaseline so you can track what was selected on each run.

How profiles work (Relaxed, Strict, Custom)

When you use the main assistant page you can choose between Relaxed, Strict, and Custom profiles. Relaxed focuses on safer changes that rarely affect everyday apps. Strict layers on stronger SSH and network service controls that can impact legacy workflows. Custom lets you hand-pick each STIG control so you can align the script with your own risk tolerance and MDM configuration.

How to use it in a safe workflow

  • Generate the script from the main assistant and save it as macos-baseline.sh.
  • Read through every section, especially SSH, SMB, web server, and crypto-tightening items.
  • Create a Time Machine backup, snapshot, or image before making any changes.
  • Test on a non-critical Mac first from Terminal using sudo bash ./macos-baseline.sh apply, and review the output carefully.
  • If you need to undo changes that support rollback, run sudo bash ./macos-baseline.sh rollback on the same system.
  • After you are comfortable with the effect of each control, decide which pieces should move into configuration profiles or MDM policies for long-term enforcement.

How the “pre / post” reporting works

Each time you run the script with the apply option, it writes a small JSON file under /usr/local/CyberLifeCoach/Reports/MacOSBaseline. The report records the date, hostname, macOS version, selected profile label, and which controls were chosen before and after changes. This gives you a simple local audit trail you can pair with your own images, configuration backups, and change log notes.

These reports stay on the Mac where you run the script. They are not transmitted to CyberLife Coach or to any third party.

Command basics

The generated script is written in bash and is intended to run from Terminal on macOS. By default you can execute it using:

  • sudo bash ./macos-baseline.sh apply to record a snapshot and apply selected controls.
  • sudo bash ./macos-baseline.sh rollback to run the rollback block where it exists.

If you prefer to run it as a direct executable, mark it as executable first with chmod +x macos-baseline.sh and then call it from a root or sudo-enabled shell.
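As an added illustration of the apply / rollback dispatch and the "pre / post" snapshot described above (example code, not the assistant's generated output): the two control names, the BASELINE_REPORT_DIR override, and the JSON field names are assumptions, and both placeholder controls are read-only so the skeleton can be run without changing the system.

```shell
#!/usr/bin/env bash
# Skeleton of a generated macos-baseline.sh: apply/rollback dispatch plus the
# pre/post JSON snapshot. Added example; control names are constructed.
set -eu
REPORT_DIR="${BASELINE_REPORT_DIR:-/usr/local/CyberLifeCoach/Reports/MacOSBaseline}"
PROFILE_LABEL="${PROFILE_LABEL:-Custom}"   # Relaxed | Strict | Custom
CONTROLS="sip_status ssh_idle_timeout"      # placeholder control names

# Write one snapshot: $1 = pre|post, $2 = profile label, $3 = control names.
# Prints the path of the JSON file it created.
write_snapshot() {
  local phase="$1" profile="$2" controls="$3" list="" c file
  mkdir -p "$REPORT_DIR"
  for c in $controls; do list="${list:+$list, }\"$c\""; done
  file="$REPORT_DIR/baseline-$phase-$(date -u +%Y%m%d-%H%M%S).json"
  printf '{\n  "phase": "%s",\n  "date": "%s",\n  "hostname": "%s",\n  "macos_version": "%s",\n  "profile": "%s",\n  "controls": [%s]\n}\n' \
    "$phase" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
    "$(sw_vers -productVersion 2>/dev/null || echo unknown)" "$profile" "$list" > "$file"
  printf '%s\n' "$file"
}

# Control: SIP status. Read-only check; csrutil only exists on macOS.
ctl_sip_status_apply()    { csrutil status 2>/dev/null || echo "csrutil unavailable, verify SIP manually"; }
ctl_sip_status_rollback() { echo "SIP check changed nothing; no rollback needed"; }
# Control: SSH idle timeout. MANUAL item, so no rollback function is defined.
ctl_ssh_idle_timeout_apply() { echo "MANUAL: review ClientAliveInterval/ClientAliveCountMax in /etc/ssh/sshd_config"; }
# True when a rollback block exists for the control named in $1.
has_rollback() { type "ctl_${1}_rollback" >/dev/null 2>&1; }

run_phase() {   # $1 = apply|rollback
  local c
  for c in $CONTROLS; do
    if [ "$1" = rollback ] && ! has_rollback "$c"; then
      echo "[$c] no rollback block; undo this item manually"; continue
    fi
    "ctl_${c}_$1"
  done
}

main() {
  case "${1:-}" in
    apply)    write_snapshot pre "$PROFILE_LABEL" "$CONTROLS"
              run_phase apply
              write_snapshot post "$PROFILE_LABEL" "$CONTROLS" ;;
    rollback) run_phase rollback ;;
    "")       ;;   # no argument: only define functions (e.g. when sourced)
    *)        echo "usage: sudo bash $0 apply|rollback" >&2; return 1 ;;
  esac
}
main "$@"
```

Running `sudo bash ./macos-baseline.sh apply` with this skeleton writes a pre and a post snapshot around the control functions, and `rollback` only calls the controls that define a rollback block, flagging the rest as manual.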

This tool includes a curated subset of DISA STIG controls selected for real-world use by home users, entrepreneurs, digital nomads, and small businesses. It is not a full STIG implementation but a practical baseline designed to reduce your attack surface.

Important notice & Legal disclaimer

This assistant and the generated bash script run entirely on your local device. Your selections and output are not sent to CyberLife Coach, to any server, or to any third party. The script is a generic starting point based on macOS hardening ideas and public DISA STIG guidance and is provided for educational and informational use only. It is not tailored to your specific environment and does not guarantee compliance with NIST, CIS Benchmarks, DISA STIGs, or any other framework, and it carries no warranty or guarantee.

You are responsible for reviewing, testing, and validating every line before use. Always create reliable backups, test in a non-critical environment, and confirm you are authorized to make changes on any systems you manage. Do not apply these settings to employer, school, or MDM-managed devices without explicit written approval from the appropriate owner or administrator, and never bypass your organization’s official profiles or management controls.