[SCAP-On-Apple-Dev] Mac OS X proposed pkginfo OVAL Test.

Jacobsen, Jasen W. jasenj1 at mitre.org
Thu Jul 11 06:56:09 PDT 2013

The Mac OS Installer program writes receipt files to a database after installing software. This receipt information includes version, install time, install volume, install location, and any groups the installed package may be a part of. This receipt information is precisely the type of data OVAL is frequently used to examine. This sort of information is already collected in other component schemas using the dpkginfo, rpminfo, and other tests.

The Apple-provided way to get at this information is the "pkgutil" command line tool. It is proposed to create an OVAL test and supporting items based on the "pkgutil --pkg-info" command output.

A detailed paper describing this test can be found at https://github.com/OVALProject/Sandbox/blob/master/resources/x-macos-pkginfo/Mac%20OS%20X%20pkginfo%20Test.docx<https://github.com/jasenj1/Sandbox/blob/master/resources/x-macos-pkginfo/Mac%20OS%20X%20pkginfo%20Test.docx>

The proposed schema can be viewed at https://github.com/OVALProject/Sandbox/blob/master/x-macos-pkginfo.xsd<https://github.com/jasenj1/Sandbox/blob/master/x-macos-pkginfo.xsd>

The Linux rpminfo test is very similar to what is being proposed and provides a good model. http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html#rpminfo_test

The structure of the proposed test is as follows:

             package_id – The ID of the package to examine
             (volume? - pkgutil allows a different volume to be specified. It's unclear if this would be needed or useful.)

pkginfo_state & pkginfo_item
             package_id – The ID of the package examined
             version – The version of the package
             install_time – When the package was installed. Given in seconds since the UNIX epoch.
             volume – The volume the package is installed on.
             location – The path where the package was installed, if specified at time of install.
             group – The group(s) the package is a part of. Element repeats for multiple groups.
             (filepath? – file(s) associated with the package. See question below for discussion of this.)


Exactly what portions of the information provided by --pkg-info are needed for OVAL? e.g. Volume, location, group, filepath?

Is there a public API to get the information provided by pkgutil? Or is calling the command the only way to get it?

The rpminfo test has a "filepaths" behavior that will collect all of the files associated with a package. pkgutil supports the same function using the "--files" command. Should this be added to the pkginfo test?
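
A sketch of how a collector could map "pkgutil --pkg-info" output onto the pkginfo_item fields listed above. This is an added example, not part of the original message or the proposed schema; the sample output is constructed, and the function names and the un-namespaced XML layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `pkgutil --pkg-info <package_id>` output (not from a real host).
SAMPLE_OUTPUT = """\
package-id: com.example.pkg.Tool
version: 2.1.0
volume: /
location: Applications
install-time: 1373550969
groups: com.example.group-a com.example.group-b
"""

# pkgutil key -> entity name in the proposed pkginfo_item
FIELD_MAP = {"package-id": "package_id", "version": "version",
             "volume": "volume", "location": "location"}

def parse_pkg_info(text):
    """Parse 'key: value' lines into a dict shaped like the proposed pkginfo_item."""
    item = {"group": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or a message such as "No receipt for ..."
        key, value = key.strip(), value.strip()
        if key == "groups":
            item["group"] = value.split()      # one group element per entry
        elif key == "install-time":
            item["install_time"] = int(value)  # seconds since the UNIX epoch
        elif key in FIELD_MAP and value:
            item[FIELD_MAP[key]] = value       # an empty location is left out
    if "package_id" not in item:
        raise ValueError("no package-id line; not pkgutil --pkg-info output")
    return item

def to_item_xml(item):
    """Serialize the dict as a pkginfo_item element (layout is an assumption)."""
    root = ET.Element("pkginfo_item")
    for name in ("package_id", "version", "install_time", "volume", "location"):
        if name in item:
            ET.SubElement(root, name).text = str(item[name])
    for group in item["group"]:
        ET.SubElement(root, "group").text = group
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(to_item_xml(parse_pkg_info(SAMPLE_OUTPUT)))
```

On a Mac the text would come from running pkgutil with --pkg-info and the package ID instead of from SAMPLE_OUTPUT.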