No subject
Mon Jan 28 08:41:14 PST 2013
This is excellent discussion – and on a Sunday!

From the discussion, it seems a set of OVAL tests based on system_profiler are in order. Exactly what that test or tests should be I won't go into. The other thing I'm reading is that the "Spotlight metadata indexes" may be something OVAL would want to expose.

What I don't know is whether all this discussion on better ways to access the current system state negates the need for a test that reads the package receipt database. If the answer from the experts is "don't look in there", then OVAL may want to intentionally NOT have a test that queries the receipt database, to keep content authors from using an unreliable source.

Hopefully we'll have some good discussion on the subject this week at Developer Days.

- Jasen.
From: Peter Link <plink53 at mac.com>
Date: Sunday, July 21, 2013 6:57 PM
To: Josh Wisenbaker <dubs at apple.com>
Cc: "scap-on-apple-dev at lists.macosforge.org" <scap-on-apple-dev at lists.macosforge.org>
Subject: Re: [SCAP-On-Apple-Dev] [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.
Josh,

Remember, in NIST's definition "vulnerabilities" means anything that can compromise a system, especially the way it's configured/misconfigured. Vulnerability scanning isn't just about finding malware. When you look at the two things I want to use SCAP for, you get 1) common malware detection using CVE (NIST def.: CVE is a dictionary of publicly known information security vulnerabilities and exposures.) and 2) a way to validate the proper configuration of a computer using as many of the SCAP data feeds as possible, all tied together using XCCDF and OVAL. I am hoping the end result of the SCAP-on-Apple project is to create everything necessary to move to the next step of a documented USGCB baseline configuration. This is what I've been asking for over the last several years and never got while working at LLNL. I'm hoping this project gets us there.
On Jul 21, 2013, at 2:49 PM, Josh Wisenbaker <dubs at apple.com> wrote:

On Jul 21, 2013, at 3:03 PM, Todd Heberlein <todd_heberlein at mac.com> wrote:

I've been conducting some experiments to figure out how different data collection methods behave (spoiler: I like system_profiler). Here are my findings on three methods.

system_profiler

I found this very useful. It caught application bundles I dragged to the /Applications folder (something pkgutil did not). I also searched for app bundles installed in home folders and found a surprising number (though much of that is because I do software development):

    system_profiler -xml SPApplicationsDataType | grep '/Users/.*\.app<'

There are some limitations, however. For example, it did *not* pick up "java", which seems pretty critical.
The system_profiler tool works much in the way that the code snippet I posted before works. Although the tool isn't in the open source projects, you can see how you can leverage the Spotlight metadata indexes to help find things quickly without using a lot of resources.

Java doesn't get picked up as it isn't an application. Java does appear in the Frameworks queries against system_profiler. Building off of our earlier metadata queries, you can see that SPApplicationsDataType is going to return everything that is listed with 'com.apple.application'.

Going back a few emails, though, I agree that there are two different topics at hand here.

1) Inventory scanning: wherein we just want to find everything on the system.
2) Vulnerability scanning: wherein we are starting with a vulnerability and then checking the system for it.

I tend to think that #1 falls more into the domain of client management suites, as this is the sort of thing they were designed to do. #2, however, seems exactly like what OVAL and SCAP consuming tools need to do. If you have 50 defined tests, then you really don't need to care about anything outside the scope of those tests.

Simply put, the workflow for testing should be:

    Load tests -> Run tests -> Return results.

Not:

    Load tests -> Do a bunch of other stuff -> Run tests -> Return results.

Just my 2 cents,
Josh

--
Josh Wisenbaker
Consulting Engineer - Apple
dubs at apple.com
_______________________________________________
SCAP-On-Apple-Dev mailing list
SCAP-On-Apple-Dev at lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/scap-on-apple-dev

Peter and Nancy Link
plink53 at mac.com
plink53 at me.com
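The thread contrasts Todd's grep over `system_profiler -xml SPApplicationsDataType` output with Josh's "load tests -> run tests -> return results" workflow. As an added example (not code from anyone in the thread), the block below parses a constructed sample in the shape of that plist output, reproduces the home-folder bundle search without relying on a brittle `<` text match, and runs a small set of version tests over the same data; the `_items`, `_name`, `path` and `version` keys are assumed to match the tool's output, and the sample apps and versions are made up.

```python
import plistlib

# Constructed sample in the shape of `system_profiler -xml SPApplicationsDataType`
# output: a plist array holding one dict whose `_items` list describes app bundles.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
  <key>_dataType</key><string>SPApplicationsDataType</string>
  <key>_items</key><array>
    <dict><key>_name</key><string>Safari</string>
          <key>path</key><string>/Applications/Safari.app</string>
          <key>version</key><string>6.0.5</string></dict>
    <dict><key>_name</key><string>Xcode</string>
          <key>path</key><string>/Users/dev/Downloads/Xcode.app</string>
          <key>version</key><string>4.6.3</string></dict>
    <dict><key>_name</key><string>Firefox</string>
          <key>path</key><string>/Users/dev/Applications/Firefox.app</string>
          <key>version</key><string>22.0</string></dict>
  </array>
</dict></array></plist>"""


def app_items(xml_bytes):
    """Return every app-bundle dict from an SPApplicationsDataType plist."""
    items = []
    for section in plistlib.loads(xml_bytes):
        items.extend(section.get("_items", []))
    return items


def apps_under_home(xml_bytes):
    """Paths of bundles under /Users, the set Todd's grep was after."""
    return sorted(i["path"] for i in app_items(xml_bytes)
                  if i.get("path", "").startswith("/Users/"))


def version_tuple(version):
    """Compare dotted versions numerically; non-digit parts count as 0."""
    return tuple(int("".join(c for c in part if c.isdigit()) or 0)
                 for part in version.split("."))


def run_tests(xml_bytes, tests):
    """Load tests -> run tests -> return results. A test is (name, minimum version);
    the result is True if every bundle of that name meets it, False if any does not,
    and None when nothing of that name is listed (e.g. Java, a framework, not an app)."""
    found = {}
    for item in app_items(xml_bytes):
        found.setdefault(item["_name"], []).append(item.get("version", "0"))
    return {name: (None if name not in found else
                   all(version_tuple(v) >= version_tuple(minimum) for v in found[name]))
            for name, minimum in tests}
```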