macos_security VS content

For starters there's an entire NIST project for macOS Security Compliance - https://github.com/usnistgov/macos_security this will make your life a million times easier to meet a lot of the technical controls required for compliance. Nothing like this really exists for Windows or Linux(closest is Compliance As Code https://github.com/ComplianceAsCode/content)

https://github.com/usnistgov/macos_security - for macOS this would help.

I’d highly recommend checking out the usnistgov/macos_security on GitHub. You can generate a benchmark and then feed the output into extension attributes to trigger policies on.

Study about cybersecurity, or how to harden a macOS fleet against published security frameworks.

Weigh the pros and cons about having your end-users be standard users or admins on their Macs. If they are already admins (probably), consider the political blowback if you take away their admin rights and flexibility and autonomy they've become used to. Conversely, consider the security posture of your organization. If it has to adhere to some well-known guides (like 800-171 o 800-53r5), then you may not be able to allow end-users to be admins. Take a look at the macOS Security Compliance Project.

NIST Compliance Benchmarks: github.com/usnistgov/macos_security

Like OP, I'm trying to disable both bonjour and netbios. I'm using this script: https://github.com/usnistgov/macos_security/blob/main/includes/enablePF-mscp.sh

I cannot speak for AlmaLinux, but it's incorrect to say they're not compatible. They are most definitely still compatible with the upstream distributions. Yes, they have made some changes that make them quite different from the upstreams, but this was their choice and it works for their community and their overall goals. I personally don't see any issues with what they've chosen to do, but that's my extremely narrow view as all clients I work for only use RHEL or Ubuntu.

In regards to STIG, this makes me think of the "scap-security-guide" package that helps the openscap package run tests for compliance like PCI-DSS and HIPPA (among other things). While it is true that we mark ourselves as a "derivative" of RHEL in that package, it doesn't mean we have any certifications or the like and we certainly do not claim to have such certifications. The only thing we actually have officially is a CIS benchmark set at cisecurity.org.

AlmaLinux on the other hand appears to be upstreaming themselves into the content itself, which I think is pretty cool (https://github.com/ComplianceAsCode/content/tree/master/prod...). I've always wanted to see Rocky Linux do the same thing for the past few years, but I don't know what it would take. I've asked our security team some weeks back to look into what has to be done, so maybe something will happen. I just know it will take a long, long time to get things figured out either way. (As much as I'd like to look into it myself and work with the security team, I just don't have the time in between my personal life, day job, and the project.)

This is great https://github.com/ComplianceAsCode/content

I use it for regular scanning, flagging potential issues, automatically making changes, aligning images to CIS Level 2, and for ongoing scanning to satisfy SOC2 auditors.

sudo wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.74/scap-security-guide-0.1.74.zip

For starters there's an entire NIST project for macOS Security Compliance - https://github.com/usnistgov/macos_security this will make your life a million times easier to meet a lot of the technical controls required for compliance. Nothing like this really exists for Windows or Linux(closest is Compliance As Code https://github.com/ComplianceAsCode/content)

I haven't used this in a while but take a look at ComplianceAsCode it is attempting to apply controls for each of the different benchmarks on different OSes. It might have what you are looking for, plus you can always contribute back any changes you make to help others.