[SCAP-On-Apple-Dev] Configuration Profiles vs Plist file diddling
Haynes, Dan
dhaynes at mitre.org
Fri May 31 08:12:12 PDT 2013
Thanks for getting this discussion started Josh and Prabhu!
As Prahbu mentioned, we have the existing macos-def:plist510_test and the ind-def:xmlfilecontent_test that can support the assessment of plist files (including configuration profiles). There is also an experimental plist511_test in the OVAL Language Sandbox (https://github.com/OVALProject/Sandbox/blob/master/x-macos-plist-xpath.xsd) which utilizes xpath to reference the preference key of interest.
To help show how these three tests can be used, I have attached sample definitions that check for CCE-28300-2 idle_time_for_screen_saver.
Hope this helps!
Thanks,
Danny
From: scap-on-apple-dev-bounces at lists.macosforge.org [mailto:scap-on-apple-dev-bounces at lists.macosforge.org] On Behalf Of Prabhu S Angadi
Sent: Friday, May 31, 2013 3:38 AM
To: scap-on-apple-dev at lists.macosforge.org
Subject: Re: [SCAP-On-Apple-Dev] Configuration Profiles vs Plist file diddling
Hi All,
Yes! I completely agree with Josh, on the usage configuration profiles.
Being the XML formatted content of these files can be easily parsed to fetch the composed policies values, to develop the
SCAP OVALl definitions, using available '< xmlfilecontent_test >' or '< plist510_test >' probes for better assessment.
And also, as these files can be easily deployed with customized values as per user's choice. Either by
* By physically connecting the device
* In an email message
* On a webpage
* Using over-the air configuration as described in this document
so I think it will be of great use in remediation part as well.
_______________________________________________________________________________________
In supportive to Josh, I have attached few Profile files, that were developed to address the Apple iOS Hardening Checklists
by The University Of Texas at Austin.
FMI :
https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist
https://wikis.utexas.edu/display/ISO/iOS+Configuration+Profiles
--
Thanks !!
Prabhu S A
http://www.scaprepo.com
On 05/31/2013 02:50 AM, Josh Wisenbaker wrote:
Hi all,
I think that from an audit and remediation standpoint things can be greatly simplified by using Configuration Profiles.
You can easily get a XML formatted list of the composited policies that are on the Mac and you can easily apply settings by installing a profile. Using the policy mechanisms in OS X is highly recommended over messing with files.
As an example here is a profile I made that implements all of the settings for the initial loginwindow tickets that are in the tracker.
This profile allows for removal without authentication so it's easy to test with.
Thoughts?
Josh
--
Josh Wisenbaker
Consulting Engineer - Apple U.S. Commercial and Governmental Sales
dubs at apple.com<mailto:dubs at apple.com>
_______________________________________________
SCAP-On-Apple-Dev mailing list
SCAP-On-Apple-Dev at lists.macosforge.org<mailto:SCAP-On-Apple-Dev at lists.macosforge.org>
https://lists.macosforge.org/mailman/listinfo/scap-on-apple-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/scap-on-apple-dev/attachments/20130531/471c5a22/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: plist510_test_example.xml
Type: text/xml
Size: 3160 bytes
Desc: plist510_test_example.xml
URL: <http://lists.macosforge.org/pipermail/scap-on-apple-dev/attachments/20130531/471c5a22/attachment-0003.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: plist511_test_example.xml
Type: text/xml
Size: 3269 bytes
Desc: plist511_test_example.xml
URL: <http://lists.macosforge.org/pipermail/scap-on-apple-dev/attachments/20130531/471c5a22/attachment-0004.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmlfilecontent_test_example.xml
Type: text/xml
Size: 3205 bytes
Desc: xmlfilecontent_test_example.xml
URL: <http://lists.macosforge.org/pipermail/scap-on-apple-dev/attachments/20130531/471c5a22/attachment-0005.xml>
More information about the SCAP-On-Apple-Dev
mailing list