root3nl · jordywitteman · Jan 6, 2026 · Sep 12, 2024 · Dec 16, 2024 · Mar 27, 2025
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,6 @@
 .bundle
 bin
 mscp_gems
+docs/node_modules/
+docs/.astro/
+docs/package-lock.json
diff --git a/baselines/nlmapgov_base.yaml b/baselines/nlmapgov_base.yaml
@@ -0,0 +1,67 @@
+title: "macOS 15.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)"
+description: |
+  This guide describes the actions to take when securing a macOS 15.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base) security baseline.
+authors: |
+  *macOS Security Compliance Project*
+
+  |===
+  |Jordy Witteman|Root3
+  |===
+parent_values: "nlmapgov_base"
+profile:
+  - section: "auditing"
+    rules:
+      - audit_acls_files_configure
+      - audit_acls_folders_configure
+      - audit_auditd_enabled
+      - audit_control_acls_configure
+      - audit_control_group_configure
+      - audit_control_mode_configure
+      - audit_control_owner_configure
+      - audit_files_group_configure
+      - audit_files_mode_configure
+      - audit_files_owner_configure
+      - audit_flags_ad_configure
+      - audit_folder_group_configure
+      - audit_folder_owner_configure
+      - audit_folders_mode_configure
+      - audit_retention_configure
+  - section: "macos"
+    rules:
+      - os_anti_virus_installed
+      - os_config_data_install_enforce
+      - os_gatekeeper_enable
+      - os_mdm_require
+      - os_safari_open_safe_downloads_disable
+      - os_sip_enable
+      - os_sudo_log_enforce
+      - os_time_server_enabled
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_minimum_length_enforce
+  - section: "systemsettings"
+    rules:
+      - system_settings_automatic_login_disable
+      - system_settings_critical_update_install_enforce
+      - system_settings_filevault_enforce
+      - system_settings_find_my_disable
+      - system_settings_gatekeeper_identified_developers_allowed
+      - system_settings_gatekeeper_override_disallow
+      - system_settings_guest_account_disable
+      - system_settings_install_macos_updates_enforce
+      - system_settings_loginwindow_loginwindowtext_enable
+      - system_settings_software_update_app_update_enforce
+      - system_settings_software_update_download_enforce
+      - system_settings_software_update_enforce
+      - system_settings_softwareupdate_current
+      - system_settings_time_server_configure
+      - system_settings_time_server_enforce
+  - section: "Inherent"
+    rules:
+      - os_secure_enclave
+  - section: "Permanent"
+    rules:
+      - audit_off_load_records
+  - section: "Supplemental"
+    rules:
+      - supplemental_filevault
diff --git a/baselines/nlmapgov_plus.yaml b/baselines/nlmapgov_plus.yaml
@@ -0,0 +1,118 @@
+title: "macOS 15.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)"
+description: |
+  This guide describes the actions to take when securing a macOS 15.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus) security baseline.
+authors: |
+  *macOS Security Compliance Project*
+
+  |===
+  |Jordy Witteman|Root3
+  |===
+parent_values: "nlmapgov_plus"
+profile:
+  - section: "auditing"
+    rules:
+      - audit_acls_files_configure
+      - audit_acls_folders_configure
+      - audit_auditd_enabled
+      - audit_control_acls_configure
+      - audit_control_group_configure
+      - audit_control_mode_configure
+      - audit_control_owner_configure
+      - audit_files_group_configure
+      - audit_files_mode_configure
+      - audit_files_owner_configure
+      - audit_flags_ad_configure
+      - audit_folder_group_configure
+      - audit_folder_owner_configure
+      - audit_folders_mode_configure
+      - audit_retention_configure
+  - section: "icloud"
+    rules:
+      - icloud_drive_disable
+      - icloud_keychain_disable
+      - icloud_sync_disable
+  - section: "macos"
+    rules:
+      - os_anti_virus_installed
+      - os_authenticated_root_enable
+      - os_config_data_install_enforce
+      - os_external_storage_access_defined
+      - os_gatekeeper_enable
+      - os_home_folders_secure
+      - os_httpd_disable
+      - os_install_log_retention_configure
+      - os_mdm_require
+      - os_nfsd_disable
+      - os_on_device_dictation_enforce
+      - os_password_hint_remove
+      - os_password_proximity_disable
+      - os_password_sharing_disable
+      - os_rapid_security_response_removal_disable
+      - os_root_disable
+      - os_safari_advertising_privacy_protection_enable
+      - os_safari_open_safe_downloads_disable
+      - os_safari_prevent_cross-site_tracking_enable
+      - os_safari_show_full_website_address_enable
+      - os_safari_show_status_bar_enabled
+      - os_safari_warn_fraudulent_website_enable
+      - os_secure_boot_verify
+      - os_setup_assistant_filevault_enforce
+      - os_sip_enable
+      - os_sudo_log_enforce
+      - os_sudo_timeout_configure
+      - os_sudoers_timestamp_type_configure
+      - os_terminal_secure_keyboard_enable
+      - os_tftpd_disable
+      - os_time_server_enabled
+      - os_unlock_active_user_session_disable
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_minimum_length_enforce
+  - section: "systemsettings"
+    rules:
+      - system_settings_automatic_login_disable
+      - system_settings_critical_update_install_enforce
+      - system_settings_diagnostics_reports_disable
+      - system_settings_filevault_enforce
+      - system_settings_find_my_disable
+      - system_settings_firewall_enable
+      - system_settings_firewall_stealth_mode_enable
+      - system_settings_gatekeeper_identified_developers_allowed
+      - system_settings_gatekeeper_override_disallow
+      - system_settings_guest_account_disable
+      - system_settings_improve_assistive_voice_disable
+      - system_settings_improve_search_disable
+      - system_settings_improve_siri_dictation_disable
+      - system_settings_install_macos_updates_enforce
+      - system_settings_internet_sharing_disable
+      - system_settings_loginwindow_loginwindowtext_enable
+      - system_settings_media_sharing_disabled
+      - system_settings_password_hints_disable
+      - system_settings_personalized_advertising_disable
+      - system_settings_printer_sharing_disable
+      - system_settings_rae_disable
+      - system_settings_remote_management_disable
+      - system_settings_screen_sharing_disable
+      - system_settings_screensaver_ask_for_password_delay_enforce
+      - system_settings_screensaver_password_enforce
+      - system_settings_screensaver_timeout_enforce
+      - system_settings_smbd_disable
+      - system_settings_software_update_app_update_enforce
+      - system_settings_software_update_download_enforce
+      - system_settings_software_update_enforce
+      - system_settings_softwareupdate_current
+      - system_settings_ssh_disable
+      - system_settings_system_wide_preferences_configure
+      - system_settings_time_machine_encrypted_configure
+      - system_settings_time_server_configure
+      - system_settings_time_server_enforce
+  - section: "Inherent"
+    rules:
+      - os_secure_enclave
+  - section: "Permanent"
+    rules:
+      - audit_off_load_records
+      - os_provide_automated_account_management
+  - section: "Supplemental"
+    rules:
+      - supplemental_filevault
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
@@ -77,6 +77,14 @@ authors:
       - Allen Golbig|Jamf
       - Bob Gendler|National Institute of Standards and Technology
       - Aaron Kegerreis|Defense Information Systems Agency
+  nlmapgov_base:
+    names:
+      - Jordy Witteman|Root3
+      - Aron van den Herik|Root3
+  nlmapgov_plus:
+    names:
+      - Jordy Witteman|Root3
+      - Aron van den Herik|Root3
 titles:
   all_rules: All Rules
   800-53r5_high: NIST SP 800-53 Rev 5 High Impact
@@ -92,6 +100,8 @@ titles:
   cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
   cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
   stig: Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1
+  nlmapgov_base: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)
+  nlmapgov_plus: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)
 ddm:
   supported_types:
     - com.apple.configuration.services.configuration-files

diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml
@@ -46,6 +46,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -64,6 +66,8 @@ tags:
   - stig
   - cnssi-1253_moderate
   - cnssi-1253_high
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml
@@ -46,6 +46,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -64,6 +66,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
@@ -118,6 +118,8 @@ references:
   cmmc:
     - AU.L2-3.3.2
     - AU.L2-3.3.6
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -136,6 +138,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml
@@ -45,6 +45,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -56,6 +58,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml
@@ -45,6 +45,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -56,6 +58,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml
@@ -45,6 +45,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -56,6 +58,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml
@@ -45,6 +45,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -56,6 +58,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
@@ -47,6 +47,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -65,6 +67,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
@@ -43,6 +43,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -61,6 +63,8 @@ tags:
   - cnssi-1253_high
   - cmmc_lvl2
   - stig
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
@@ -47,6 +47,8 @@ references:
       - 3.3
   cmmc:
     - AU.L2-3.3.8
+  bio:
+    - 8.18.02
 macOS:
   - '26.0'
 tags:
@@ -65,6 +67,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info: