Someone in the OVAL community mentioned they were trying to use the package receipt plist files to determine if things were installed. "Things" could be applications, patches, libraries, printer drivers, plug-ins, all sorts of things, not just applications. They found directly checking the plist files to be problematic and found pkgutil should be used instead. We (MITRE) developed the referenced extension schema. Mac OS provides an installation receipt capability much like other package managers on other UNIX systems. It seems that OVAL should support checking this system provided audit trail. If the audit trail is unreliable or unsuitable for the purpose, that's another good discussion. - Jasen. From: Peter Link <plink53@mac.com<mailto:plink53@mac.com>> Date: Thursday, July 11, 2013 2:11 PM To: MITRE Employee <jasenj1@mitre.org<mailto:jasenj1@mitre.org>> Cc: "scap-on-apple-dev@lists.macosforge.org<mailto:scap-on-apple-dev@lists.macosforge.org>" <scap-on-apple-dev@lists.macosforge.org<mailto:scap-on-apple-dev@lists.macosforge.org>>, "scap-on-apple@lists.macosforge.org<mailto:scap-on-apple@lists.macosforge.org>" <scap-on-apple@lists.macosforge.org<mailto:scap-on-apple@lists.macosforge.org>>, oval-developer-list OVAL Developer List/Closed Public Discussion <oval-developer-list@lists.mitre.org<mailto:oval-developer-list@lists.mitre.org>> Subject: Re: [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test. Jasen, What are you trying to achieve? Is your goal a test that logs whether a specific application has (ever) been installed? I'm trying to understand why this would be needed. Knowing whether a patch has been installed was used for Windows systems (although I'm not sure that actually means anything was fixed) but using the existence of an application being installed (or attempted to be) doesn't mean it actually patched something or should be used as validation that something was fixed. It also doesn't necessarily mean the patch or application was completely installed.