Thanks for getting this discussion started Josh and Prabhu! As Prahbu mentioned, we have the existing macos-def:plist510_test and the ind-def:xmlfilecontent_test that can support the assessment of plist files (including configuration profiles). There is also an experimental plist511_test in the OVAL Language Sandbox (https://github.com/OVALProject/Sandbox/blob/master/x-macos-plist-xpath.xsd) which utilizes xpath to reference the preference key of interest. To help show how these three tests can be used, I have attached sample definitions that check for CCE-28300-2 idle_time_for_screen_saver. Hope this helps! Thanks, Danny From: scap-on-apple-dev-bounces@lists.macosforge.org [mailto:scap-on-apple-dev-bounces@lists.macosforge.org] On Behalf Of Prabhu S Angadi Sent: Friday, May 31, 2013 3:38 AM To: scap-on-apple-dev@lists.macosforge.org Subject: Re: [SCAP-On-Apple-Dev] Configuration Profiles vs Plist file diddling Hi All, Yes! I completely agree with Josh, on the usage configuration profiles. Being the XML formatted content of these files can be easily parsed to fetch the composed policies values, to develop the SCAP OVALl definitions, using available '< xmlfilecontent_test >' or '< plist510_test >' probes for better assessment. And also, as these files can be easily deployed with customized values as per user's choice. Either by * By physically connecting the device * In an email message * On a webpage * Using over-the air configuration as described in this document so I think it will be of great use in remediation part as well. _______________________________________________________________________________________ In supportive to Josh, I have attached few Profile files, that were developed to address the Apple iOS Hardening Checklists by The University Of Texas at Austin. FMI : https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist https://wikis.utexas.edu/display/ISO/iOS+Configuration+Profiles -- Thanks !! Prabhu S A http://www.scaprepo.com On 05/31/2013 02:50 AM, Josh Wisenbaker wrote: Hi all, I think that from an audit and remediation standpoint things can be greatly simplified by using Configuration Profiles. You can easily get a XML formatted list of the composited policies that are on the Mac and you can easily apply settings by installing a profile. Using the policy mechanisms in OS X is highly recommended over messing with files. As an example here is a profile I made that implements all of the settings for the initial loginwindow tickets that are in the tracker. This profile allows for removal without authentication so it's easy to test with. Thoughts? Josh -- Josh Wisenbaker Consulting Engineer - Apple U.S. Commercial and Governmental Sales dubs@apple.com<mailto:dubs@apple.com> _______________________________________________ SCAP-On-Apple-Dev mailing list SCAP-On-Apple-Dev@lists.macosforge.org<mailto:SCAP-On-Apple-Dev@lists.macosforge.org> https://lists.macosforge.org/mailman/listinfo/scap-on-apple-dev