True, but if that application is still on the Mac, system profiler will find it and report when it was installed/modified. Isn't this what you want any test to show?


On Jul 16, 2013, at 6:08 AM, "Jacobsen, Jasen W." <jasenj1@mitre.org> wrote:

"I'm guessing that a receipt database only works for executable code that was installed through some standard process. Is this the case?"

Yes. When the "Installer" is used to install something, then receipts get written. There is lots of software that is installed without using the Installer – e.g., dragging an application to the Applications folder.

- Jasen.

From: Todd Heberlein <todd_heberlein@mac.com>
Date: Monday, July 15, 2013 9:24 PM
To: MITRE Employee <jasenj1@mitre.org>
Cc: Peter Link <plink53@mac.com>, oval-developer-list OVAL Developer List/Closed Public Discussion <oval-developer-list@lists.mitre.org>, "scap-on-apple@lists.macosforge.org" <scap-on-apple@lists.macosforge.org>, "scap-on-apple-dev@lists.macosforge.org" <scap-on-apple-dev@lists.macosforge.org>
Subject: Re: [SCAP-On-Apple-Dev] [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.


On Jul 11, 2013, at 11:30 AM, "Jacobsen, Jasen W." <jasenj1@mitre.org> wrote:

We (MITRE) developed the referenced extension schema. Mac OS provides an installation receipt capability much like other package managers on other UNIX systems. It seems that OVAL should support checking this system-provided audit trail.

If the audit trail is unreliable or unsuitable for the purpose, that's another good discussion.
I'm guessing that a receipt database only works for executable code that was installed through some standard process. Is this the case?



Peter and Nancy Link
plink53@mac.com
plink53@me.com