We have already seen many instances where our patch management solution reports the inventory for all applications including those on backup drives. If I am trying to plumb the inventory to look at vulnerability data I don't really need to see the back-up versions of the now patched MS Office, Adobe Reader, Safari, Firefox etc. if they are unlikely to be used. I am all for a full list of all the executables but I need to be able to tell between boot volumes and other volumes, especially if they are rarely mounted.

On 7/12/13 10:34 AM, Shane Shaffer wrote:

On Thu, Jul 11, 2013 at 1:14 PM, Jacobsen, Jasen W. <jasenj1@mitre.org> wrote:
Great points Shane. Comments inline below.

From: Shane Shaffer <shane.shaffer@g2-inc.com>
Date: Thursday, July 11, 2013 12:49 PM
To: MITRE Employee <jasenj1@mitre.org>
Cc: "scap-on-apple-dev@lists.macosforge.org" <scap-on-apple-dev@lists.macosforge.org>, "scap-on-apple@lists.macosforge.org" <scap-on-apple@lists.macosforge.org>, oval-developer-list OVAL Developer List/Closed Public Discussion <oval-developer-list@lists.mitre.org>
Subject: Re: [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.

Since the target volume can often be specified during installation, it seems that we would need to specify the volume. However that is going to require the ability to enumerate the volumes via OVAL, and an existing way to do that isn't jumping out at me.

Jasen: I think there are two "volumes" in play here. One is the command option "--volume" which tells pkgutil which volume's receipt database to check (I'm pretty sure). Second is the volume reported by "--pkg-info" which is the volume the package is installed on. So something installed to a different volume could have its receipt info on the boot volume. Would OVAL need/want to check the receipt database on multiple volumes? Or is the boot volume sufficient? Clarification from Apple or someone else who really knows this would be helpful. 

I have a system with two volumes, the boot volume and one named Partition2. I installed an application on Partition2. If I run "pkgutil --pkgs" that package is not listed. If I run "pkgutil --pkgs --volume /Volumes/Partition2" then it is listed. So it appears that querying the receipt database is volume specific. If I subsequently install the same application on the root volume, then it shows up as you'd expect via "pkgutil --pkgs" and there appears to be no link between the two installs. I would think that just checking the boot volume would be akin to just checking C:\Program Files on Windows - overwhelming probability of being the location, but not good enough.
 
-- 


********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<ron.colvin@nasa.gov>
Direct phone 301-286-2451
NASA Jabber (rdcolvin@im.nasa.gov) AIM rcolvin13
NASA LCS (ronald.d.colvin@nasa.gov)
********************************************************
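
The per-volume receipt query discussed in this thread, as an added example that is not part of the original messages: it runs `pkgutil --pkgs --volume` against the boot volume and every mounted volume, and tags each receipt as boot or other so the two can be told apart in an inventory. The function names and the `PKGUTIL` and `VOLUMES_DIR` override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tag package receipts by the volume whose receipt database holds them.
# PKGUTIL and VOLUMES_DIR are hypothetical overrides so the logic can be exercised off a Mac.
PKGUTIL="${PKGUTIL:-pkgutil}"
VOLUMES_DIR="${VOLUMES_DIR:-/Volumes}"

# Print "<scope>\t<volume>\t<package-id>" for every receipt on one volume.
list_receipts() {
    vol="$1"; scope="$2"
    "$PKGUTIL" --pkgs --volume "$vol" 2>/dev/null | while IFS= read -r pkg; do
        if [ -n "$pkg" ]; then
            printf '%s\t%s\t%s\n' "$scope" "$vol" "$pkg"
        fi
    done
}

# Receipts on the boot volume first, then on every other mounted volume.
inventory_all() {
    list_receipts / boot
    for v in "$VOLUMES_DIR"/*; do
        [ -d "$v" ] || continue
        # The volumes directory normally holds a symlink back to the boot
        # volume; resolve it and skip it so boot receipts are not listed twice.
        real=$(cd "$v" 2>/dev/null && pwd -P) || continue
        [ "$real" = "/" ] && continue
        list_receipts "$v" other
    done
}

# Package ids with a receipt on a non-boot volume and none on the boot volume,
# i.e. the installs a boot-volume-only check would never see.
non_boot_only() {
    inventory_all | awk -F'\t' '
        $1 == "boot"  { boot[$3] = 1 }
        $1 == "other" { other[$3] = $2 }
        END { for (p in other) if (!(p in boot)) print p "\t" other[p] }' | sort
}

# Stand-alone use: "sh script.sh all" or "sh script.sh non-boot".
case "${1:-}" in
    all)      inventory_all ;;
    non-boot) non_boot_only ;;
esac
```
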