Don't overthink this. For compliance purposes, seeing that installed software is consistent with the package receipts is a giant step forward and sufficient (from my perspective, which I will defend). Especially when compared to everything done previously, such as close inspection of various aspects of certain randomly chosen files (e.g. /etc/services, really?). Reading/processing logs and audit data is a very good idea, but the nature of such processing is outside the compliance realm (for now), at least at the host level, which should focus instead on what to collect and to make it available to the enterprise.

On 07/23/2013 02:50 PM, Todd Heberlein wrote:
> During the discussion started last week on trying to find out what programs, libraries, plug-ins, etc. were installed on a system to determine if a system is vulnerable, someone asked about using audit data (I think to validate the accuracy of data collected about programs).
>
> Virtually everywhere I go, no one seems to know what they can do with audit data, which isn't surprising since there aren't exactly a lot of books or training courses on audit data as there are for network monitoring.
>
> I put together this 7:38 min video on some of the information Apple's BSM audit data can provide.
>
> Should you be leveraging Apple's BSM audit system? http://www.netsq.com/Podcasts/Data/2013/AuditIntro/
>
> If scap-on-apple will include audit system configuration, at some point we should have a discussion about what types of questions you want to ask of that data.
>
> Todd
SCAP-On-Apple-Dev mailing list
SCAP-On-Apple-Dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/scap-on-apple-dev
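The check the reply describes, installed files agreeing with what the package receipt says was installed, as an added illustration that is not code from either poster or from the scap-on-apple project. On macOS the receipt's file list comes from `pkgutil --files <pkg-id>` and `pkgutil --verify <pkg-id>` does the comparison; this portable stand-in builds a constructed receipt of SHA-256 digests for a toy package in a temporary directory, then reports files that were modified or removed after "installation". The package layout, file contents and the `build_receipt`/`verify_receipt` names are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_receipt(root, relative_paths):
    """Record the expected digest of every file a freshly installed package laid down.

    Stand-in for the receipt/BOM a real package manager writes at install time
    (assumption: the receipt stores one digest per installed file path).
    """
    return {rel: sha256_of(os.path.join(root, rel)) for rel in relative_paths}


def verify_receipt(root, receipt):
    """Compare the files on disk against the receipt.

    Returns a dict with three sorted lists: 'ok', 'modified' and 'missing'.
    Files that exist on disk but are not in the receipt are not reported,
    mirroring the fact that a receipt only knows about what it installed.
    """
    findings = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(receipt.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings["missing"].append(rel)
        elif sha256_of(full) != expected:
            findings["modified"].append(rel)
        else:
            findings["ok"].append(rel)
    return findings


def demo():
    """Install a constructed toy package, let it drift, and verify it against its receipt."""
    # Constructed package contents (not a real product's files).
    package_files = {
        "bin/tool": b"#!/bin/sh\necho tool\n",
        "lib/libx.so": b"\x7fELF-constructed-placeholder",
        "etc/tool.conf": b"level=1\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in package_files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        receipt = build_receipt(root, package_files)

        # Simulated drift after installation: one file altered, one removed.
        with open(os.path.join(root, "bin/tool"), "ab") as f:
            f.write(b"echo extra\n")
        os.remove(os.path.join(root, "etc/tool.conf"))

        return verify_receipt(root, receipt)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status}: {paths}")
```

The point of keeping the receipt as digests rather than sizes or mtimes is that a modified file is caught even when an attacker preserves its metadata; `pkgutil --verify` itself checks ownership and permissions as well, which a digest-only receipt does not cover.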