Customizing Rules
Full control over every aspect of your security rules.
Edit check scripts, fix commands, ODVs, profiles, and more. MACE preserves your customizations while keeping baseline rules intact.
Understanding Rules
All compliance rules in mSCP are defined as YAML files. Each rule contains multiple fields: metadata like title and discussion, check scripts to verify compliance, fix scripts to remediate issues, configuration profile payloads, and references to compliance frameworks.
MACE reads all the YAML files created by mSCP and provides a nice interface to view, change, and interact with them. You can edit rules in two views:
- Field View: each field and its value displayed separately for easy editing. Some fields are not editable in this view to prevent workflow issues for newer users.
- Raw YAML View: the entire rule shown as raw YAML where every field is editable for full control.
Some fields like id and title are best left unchanged as modifying them can break references and workflows.
id: system_settings_screensaver_password_enforce
title: Enforce Screen Saver Password
discussion: |
  Users _MUST_ authenticate when unlocking the screen saver.
platforms:
  macOS:
    enforcement_info:
      check:
        shell: /usr/bin/osascript -l JavaScript << EOS
          ...
        result:
          string: 'true'
tags:
  - 800-53r5_moderate
  - cisv8
mobileconfig_info:
  - PayloadType: com.apple.screensaver
    PayloadContent:
      - askForPassword: true
Editable Fields

| Field | Purpose |
|---|---|
| discussion | Rule rationale and context |
| check.shell | Verification command |
| check.result | Expected check output |
| fix.shell | Remediation command |
| fix.additional_info | Manual fix steps |
| odv | Organization defined values |
| references | NIST, DISA, CIS citations |
| tags | Categorization metadata |
| mobileconfig_info | Profile payload data |
| ddm_info | DDM declaration data |

Organization Defined Values (ODVs)
ODVs are parameterized values that differ by organization. Instead of hardcoding values, mSCP rules use $ODV variables that you can customize. Each baseline can have different default values.
- $ODV in pwpolicy_minimum_length_enforce
- $ODV in system_settings_screensaver_timeout
ODV Structure in Rules
Rules with ODVs include baseline-specific defaults:
odv:
  hint:
    datatype: number
    description: Minimum password length. e.g. 15
    validation:
      min: 1
  recommended: 6
  cis_lvl1: 15
  cis_lvl2: 15
  stig: 14
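The following is an added example (not MACE or mSCP code) showing how a tool can pick the ODV for a given baseline, fall back to the recommended value for a baseline the rule does not name, validate it against the hint, and substitute $ODV everywhere in the rule. RULE is the parsed form of a constructed rule shaped like the YAML above; the check command string is a hypothetical placeholder, not the real mSCP check.

```python
"""Resolve $ODV placeholders in an mSCP-style rule for one baseline.

Added example, not MACE or mSCP code. RULE is the parsed (dict) form of a
constructed YAML rule shaped like the ones on this page; the check command
string is hypothetical, not the real mSCP command.
"""

RULE = {
    "id": "pwpolicy_minimum_length_enforce",
    "odv": {
        "hint": {
            "datatype": "number",
            "description": "Minimum password length. e.g. 15",
            "validation": {"min": 1},
        },
        "recommended": 6,
        "cis_lvl1": 15,
        "cis_lvl2": 15,
        "stig": 14,
    },
    "platforms": {"macOS": {"enforcement_info": {
        # Constructed command standing in for the real check script.
        "check": {
            "shell": "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -c 'minChars>=$ODV'",
            "result": {"integer": 1},
        },
    }}},
    "ddm_info": {
        "declarationtype": "com.apple.configuration.passcode.settings",
        "ddm_key": "MinimumLength",
        "ddm_value": "$ODV",
    },
}

# Keys under odv that describe the value rather than naming a baseline.
ODV_META_KEYS = {"hint", "recommended"}


def validate_odv(odv, value):
    """Check `value` against odv.hint.datatype and odv.hint.validation."""
    hint = odv.get("hint") or {}
    if hint.get("datatype") == "number":
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"ODV {value!r} is not a number")
    elif hint.get("datatype") == "string" and not isinstance(value, str):
        raise ValueError(f"ODV {value!r} is not a string")
    limits = hint.get("validation") or {}
    if "min" in limits and value < limits["min"]:
        raise ValueError(f"ODV {value!r} is below min {limits['min']}")
    if "max" in limits and value > limits["max"]:
        raise ValueError(f"ODV {value!r} is above max {limits['max']}")


def odv_value(rule, baseline):
    """Return the ODV for `baseline`, falling back to odv.recommended."""
    odv = rule.get("odv")
    if odv is None:
        raise KeyError(f"rule {rule['id']} defines no ODV")
    if baseline in ODV_META_KEYS:
        raise KeyError(f"{baseline!r} is not a baseline name")
    value = odv.get(baseline, odv.get("recommended"))
    if value is None:
        raise KeyError(f"no ODV for baseline {baseline!r} and no recommended value")
    validate_odv(odv, value)
    return value


def substitute(obj, value):
    """Recursively replace $ODV in every string leaf of a rule.

    A leaf that is exactly "$ODV" takes the typed value (so ddm_value becomes
    the integer 14, not the string "14"); $ODV embedded in a longer string,
    such as a shell command, is replaced textually.
    """
    if isinstance(obj, str):
        if obj == "$ODV":
            return value
        return obj.replace("$ODV", str(value))
    if isinstance(obj, dict):
        return {k: substitute(v, value) for k, v in obj.items()}
    if isinstance(obj, list):
        return [substitute(v, value) for v in obj]
    return obj


def resolve_rule(rule, baseline):
    """Return a copy of `rule` with $ODV resolved for `baseline`."""
    return substitute(rule, odv_value(rule, baseline))


if __name__ == "__main__":
    resolved = resolve_rule(RULE, "stig")
    print(resolved["platforms"]["macOS"]["enforcement_info"]["check"]["shell"])
    print(resolved["ddm_info"]["ddm_value"])
```

The typed substitution for a bare `$ODV` matters for DDM: a declaration value that should be an integer must not be emitted as a quoted string, while the same value inside a shell command is plain text.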
Scripts & Commands
Check Script
The shell command used to verify compliance. Located under platforms.macOS.enforcement_info.check.shell in the YAML.
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPassword').js
EOS
Customize the check logic for your environment or edge cases.
Expected Result
What the check script should return for a passing result. Can be a string or integer value.
result:
  string: 'true'
or
result:
  integer: 0
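As an added example (not MACE or mSCP code), here is how a check script's output can be compared with check.result so that a string result is matched exactly and an integer result is parsed, with non-numeric output (for instance an error message) counted as a failure rather than a crash. The check commands are constructed so they run under /bin/sh on any Unix host; real rule checks call macOS binaries, and mSCP's generated compliance script uses zsh, so the shell path here is an assumption.

```python
"""Run an mSCP-style check script and compare its output with check.result.

Added example, not MACE or mSCP code. The checks below are constructed so
that they run with /bin/sh on any Unix host; real rule checks call macOS
binaries.
"""
import subprocess

SHELL = "/bin/sh"  # assumption; mSCP's generated script uses zsh


def expected_value(result):
    """Return (kind, value) from a check.result mapping such as {'string': 'true'}."""
    if not isinstance(result, dict) or len(result) != 1:
        raise ValueError(f"check.result must have exactly one key: {result!r}")
    (kind, value), = result.items()
    if kind not in ("string", "integer"):
        raise ValueError(f"unsupported result type {kind!r}")
    return kind, value


def check_passes(result, output):
    """Compare raw check output with the expected result.

    string results compare exactly (case-sensitive) after stripping
    surrounding whitespace; integer results parse the output as an int, and
    non-numeric output is a failure rather than an exception.
    """
    kind, value = expected_value(result)
    text = output.strip()
    if kind == "string":
        return text == str(value)
    try:
        return int(text) == int(value)
    except ValueError:
        return False


def run_check(shell):
    """Run a check command and return its stdout (stderr is discarded)."""
    proc = subprocess.run([SHELL, "-c", shell], capture_output=True, text=True, timeout=30)
    return proc.stdout


def evaluate(rule_check):
    """Evaluate a {'shell': ..., 'result': ...} mapping; True when compliant."""
    return check_passes(rule_check["result"], run_check(rule_check["shell"]))


# Constructed checks standing in for real rule check scripts.
CHECKS = {
    "string_pass": {"shell": "printf 'true\\n'", "result": {"string": "true"}},
    "integer_pass": {"shell": "printf '%s\\n' 0", "result": {"integer": 0}},
    "wrong_value": {"shell": "printf 'false\\n'", "result": {"string": "true"}},
    "not_a_number": {
        "shell": "echo 'command not found' >&2; printf 'n/a\\n'",
        "result": {"integer": 0},
    },
}

if __name__ == "__main__":
    for name, check in CHECKS.items():
        print(f"{name}: {'PASS' if evaluate(check) else 'FAIL'}")
```

When you customize a check, run it through a harness like this before deploying: a check whose output includes extra whitespace, a differently cased word, or an error message on stdout will fail even though the underlying setting is correct.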
Fix Script
The remediation command to bring a system into compliance. Located under platforms.macOS.enforcement_info.fix.shell.
/bin/launchctl enable system/com.apple.auditd
/bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
/usr/sbin/audit -i
Additional Fix Information
Manual remediation steps when automation isn't possible. Located under fix.additional_info.
fix:
  additional_info: |-
    . Go to System Settings -> Time Machine
    . Click *Select Disk*
    . Select existing Backup Disk
    . Click *Encrypt Backups*
Typical contents of this field:
- GUI steps that can't be scripted
- Prerequisites to check first
- Post-fix verification steps
Configuration Profiles
Mobileconfig Payloads
For rules that deploy via configuration profile, edit the payload directly. The structure includes PayloadType and PayloadContent.
mobileconfig_info:
  - PayloadType: com.apple.security.smartcard
    PayloadContent:
      - enforceSmartCard: true
      - allowSmartCard: true
Changes affect the generated .mobileconfig files.
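To make the path from mobileconfig_info to a .mobileconfig file concrete, here is an added example (not MACE or mSCP code) that merges the PayloadContent entries of every rule sharing a PayloadType into one payload and writes an Apple configuration profile plist with the standard library. The profile identifier and display name are assumed values, and the entries are constructed from the shape shown above.

```python
"""Build a .mobileconfig profile from mobileconfig_info entries.

Added example, not MACE or mSCP code. The profile layout follows Apple's
configuration profile plist format; identifier and display-name conventions
are assumed, and the entries are constructed from the shape on this page.
"""
import plistlib
import uuid

# Constructed mobileconfig_info entries as parsed from several rules' YAML.
MOBILECONFIG_INFO = [
    {"PayloadType": "com.apple.security.smartcard",
     "PayloadContent": [{"enforceSmartCard": True}, {"allowSmartCard": True}]},
    {"PayloadType": "com.apple.screensaver",
     "PayloadContent": [{"askForPassword": True}]},
    # A second rule contributing to an existing PayloadType is merged into it.
    {"PayloadType": "com.apple.screensaver",
     "PayloadContent": [{"askForPasswordDelay": 0}]},
]


def merge_payloads(entries):
    """Collapse the list-of-single-key dicts per PayloadType into one dict.

    Two rules setting the same key to different values raise instead of
    silently letting the last rule win.
    """
    merged = {}
    for entry in entries:
        ptype = entry["PayloadType"]
        settings = merged.setdefault(ptype, {})
        for item in entry["PayloadContent"]:
            for key, value in item.items():
                if key in settings and settings[key] != value:
                    raise ValueError(
                        f"conflicting values for {ptype}.{key}: {settings[key]!r} vs {value!r}")
                settings[key] = value
    return merged


def build_profile(entries, identifier="org.example.baseline", display_name="Example Baseline"):
    """Return the profile as a dict ready for plistlib.dumps (identifier is assumed)."""
    payloads = []
    for ptype, settings in merge_payloads(entries).items():
        payload = {
            "PayloadType": ptype,
            "PayloadIdentifier": f"{identifier}.{ptype}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": ptype,
        }
        payload.update(settings)  # the rule's keys sit beside the Payload* keys
        payloads.append(payload)
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadScope": "System",
        "PayloadContent": payloads,
    }


def profile_bytes(entries, **kwargs):
    """Serialize the profile to XML plist bytes (the .mobileconfig content)."""
    return plistlib.dumps(build_profile(entries, **kwargs))


def load_profile(data):
    """Parse .mobileconfig bytes back into a dict, e.g. to verify a generated file."""
    return plistlib.loads(data)


if __name__ == "__main__":
    print(profile_bytes(MOBILECONFIG_INFO).decode())
```

The conflict check is the part worth keeping: once several customized rules feed the same PayloadType, a contradictory setting in one custom rule would otherwise disappear into the generated file without any indication.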
DDM Declarations
For rules using Declarative Device Management. Edit DDM configurations for modern Apple device management.
ddm_info:
  declarationtype: com.apple.configuration.passcode.settings
  ddm_key: MinimumLength
  ddm_value: $ODV
References
Rules include comprehensive references to compliance frameworks:
references:
  nist:
    cce:
      macos_26:
        - CCE-95138-4
    800-53r5:
      - IA-2(1)
      - IA-2(2)
  disa:
    cci:
      - CCI-000186
    disa_stig:
      macos_26:
        - APPL-26-003020
Modification Tracking
MACE tracks all your customizations, making it easy to see what changed and revert when needed.
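The following added example (not MACE code) shows the kind of field-level comparison that makes a customization reviewable: it flattens a baseline rule and its customized copy into dotted paths, lists every changed, added or removed leaf, and flags changes to the fields this page says to leave alone (id and title). Both rules are constructed dicts in the shape of the YAML above, and the check command is a placeholder.

```python
"""Field-level diff between a baseline rule and its customized copy.

Added example, not MACE code. Both rules are constructed dicts in the shape
of the rule YAML on this page; the check command is a placeholder string.
"""
import copy

PROTECTED_FIELDS = {"id", "title"}  # changing these breaks references and workflows
MISSING = object()  # marker for a path present on only one side

BASELINE_RULE = {
    "id": "system_settings_screensaver_password_enforce",
    "title": "Enforce Screen Saver Password",
    "discussion": "Users _MUST_ authenticate when unlocking the screen saver.\n",
    "platforms": {"macOS": {"enforcement_info": {
        "check": {"shell": "CHECK_COMMAND_PLACEHOLDER", "result": {"string": "true"}},
    }}},
    "tags": ["800-53r5_moderate", "cisv8"],
    "odv": {"recommended": 6},
}

# A customized copy: documented change, extra tag, new ODV default, tweaked check.
CUSTOM_RULE = copy.deepcopy(BASELINE_RULE)
CUSTOM_RULE["discussion"] += "Customized: shared kiosks are exempt via a separate baseline.\n"
CUSTOM_RULE["tags"].append("org_custom")
CUSTOM_RULE["odv"]["recommended"] = 15
CUSTOM_RULE["platforms"]["macOS"]["enforcement_info"]["check"]["shell"] = "CHECK_COMMAND_PLACEHOLDER 2>/dev/null"


def flatten(obj, prefix=""):
    """Turn nested dicts/lists into {dotted.path: leaf} for comparison."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    if isinstance(obj, list):
        for i, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{i}."))
        return out
    return {prefix.rstrip("."): obj}


def diff_rules(baseline, custom):
    """Return a sorted list of (path, baseline_value, custom_value) for every change.

    A type change (True -> 1) counts as a change even though Python compares
    them equal, because the generated profile or declaration would differ.
    """
    base, cust = flatten(baseline), flatten(custom)
    changes = []
    for path in sorted(set(base) | set(cust)):
        b, c = base.get(path, MISSING), cust.get(path, MISSING)
        if b != c or type(b) is not type(c):
            changes.append((path, b, c))
    return changes


def protected_changes(changes):
    """Subset of changes that touch fields which should stay unchanged."""
    return [ch for ch in changes if ch[0].split(".")[0] in PROTECTED_FIELDS]


def format_change(path, old, new):
    show = lambda v: "<absent>" if v is MISSING else repr(v)
    return f"{path}: {show(old)} -> {show(new)}"


if __name__ == "__main__":
    changes = diff_rules(BASELINE_RULE, CUSTOM_RULE)
    for change in changes:
        print(format_change(*change))
    for change in protected_changes(changes):
        print("WARNING: protected field modified:", format_change(*change))
```

Running the same comparison in CI over custom/rules/ against the upstream baseline gives a reviewable record of every customization, which is what the Best Practices below ask for when they say to document changes and track them in version control.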
How Customizations are Saved
custom/rules/
Best Practices
- Document changes: add notes in Discussion explaining why you modified the rule.
- Test check scripts: verify modified checks work before deploying.
- Use ODVs: prefer ODV variables over hardcoded values for flexibility.
- Keep fixes reversible: remediation scripts should be safely re-runnable.
- Track in version control: commit your custom/rules/ folder to git.
Creating New Rules
Need to create entirely new rules that don't exist in any baseline? See Custom Rules for creating your own rules from scratch using the mSCP YAML format.