[SCAP-On-Apple-Dev] [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.

Ron Colvin Ron.Colvin at nasa.gov
Fri Jul 12 08:44:13 PDT 2013

We have already seen many instances where our patch management solution 
reports the inventory for all applications including those on backup 
drives. If I am trying to plumb the inventory to look at vulnerability 
data I don't really need to see the back-up versions of the now patched 
MS Office, Adobe Reader, Safari, Firefox etc if they are unlikely to be 
used. I am all for a full list of all the executables but I need to be 
able to tell between boot volumes and other volumes, especially if they 
are rarely mounted.

On 7/12/13 10:34 AM, Shane Shaffer wrote:
> On Thu, Jul 11, 2013 at 1:14 PM, Jacobsen, Jasen W. <jasenj1 at mitre.org> wrote:
>     Great points Shane. Comments inline below.
>     From: Shane Shaffer <shane.shaffer at g2-inc.com>
>     Date: Thursday, July 11, 2013 12:49 PM
>     To: MITRE Employee <jasenj1 at mitre.org>
>     Cc: "scap-on-apple-dev at lists.macosforge.org"
>     <scap-on-apple-dev at lists.macosforge.org>,
>     "scap-on-apple at lists.macosforge.org"
>     <scap-on-apple at lists.macosforge.org>, oval-developer-list
>     OVAL Developer List/Closed Public Discussion
>     <oval-developer-list at lists.mitre.org>
>     Subject: Re: [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.
>     Since the target volume can often be specified during
>     installation, it seems that we would need to specify the volume.
>     However that is going to require the ability to enumerate the
>     volumes via OVAL, and an existing way to do that isn't jumping out
>     at me.
>     Jasen: I think there are two "volumes" in play here. One is the
>     command option "--volume" which tells pkgutil which volume's
>     receipt database to check (I'm pretty sure). Second is the volume
>     reported by "--pkg-info" which is the volume the package is
>     installed on. So something installed to a different volume could
>     have its receipt info on the boot volume. Would OVAL need/want to
>     check the receipt database on multiple volumes? Or is the boot
>     volume sufficient? Clarification from Apple or someone else who
>     really knows this would be helpful.
> I have a system with two volumes, the boot volume and one named 
> Partition2. I installed an application on Partition2. If I run 
> "pkgutil --pkgs" that package is not listed. If I run "pkgutil --pkgs 
> --volume /Volumes/Partition2" then it is listed. So it appears that 
> querying the receipt database is volume specific. If I subsequently 
> install the same application on the root volume, then it shows up as 
> you'd expect via "pkgutil --pkgs" and there appears to be no link 
> between the two installs. I would think that just checking the boot 
> volume would be akin to just checking C:\Program Files on Windows - 
> overwhelming probability of being the location, but not good enough.

Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<ron.colvin at nasa.gov>
Direct phone 301-286-2451
NASA Jabber (rdcolvin at im.nasa.gov) AIM rcolvin13
NASA LCS (ronald.d.colvin at nasa.gov)
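
Added example (not from the thread or from any SCAP tool): the per-volume receipt behaviour Shane describes and the boot-versus-other distinction Ron asks for, as a script that queries each mounted volume's receipt database with `pkgutil --pkgs --volume`. The `PKGUTIL` and `VOLUMES_DIR` overrides, the function names and the tab-separated output format are assumptions of this example.

```bash
#!/bin/bash
# Added example: receipt inventory per volume, tagged boot vs. other.
# Assumptions (not from the thread): PKGUTIL and VOLUMES_DIR overrides, and
# the tab-separated output "<boot|other> <volume> <package-id>".
PKGUTIL="${PKGUTIL:-pkgutil}"
VOLUMES_DIR="${VOLUMES_DIR:-/Volumes}"

# Physical path of a mount point; fails if it cannot be entered.
resolve_volume() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# One line per receipt found in each volume's own receipt database.
inventory_receipts() {
    local vol real role pkg
    for vol in / "$VOLUMES_DIR"/*; do
        [ -d "$vol" ] || continue
        real=$(resolve_volume "$vol") || continue
        if [ "$vol" = "/" ]; then
            role=boot
        elif [ "$real" = "/" ]; then
            continue    # /Volumes entry that links back to the boot volume
        else
            role=other
        fi
        "$PKGUTIL" --pkgs --volume "$vol" 2>/dev/null |
        while IFS= read -r pkg; do
            if [ -n "$pkg" ]; then
                printf '%s\t%s\t%s\n' "$role" "$vol" "$pkg"
            fi
        done
    done
}

# Package ids recorded on the boot volume only.
boot_receipts() {
    inventory_receipts | awk -F '\t' '$1 == "boot" { print $3 }'
}

# Run the full inventory only where pkgutil is expected to exist.
if [ "$(uname -s)" = "Darwin" ]; then
    inventory_receipts
fi
```

A package id that appears only on `other` rows is recorded solely in a non-boot volume's receipt database, which is the case a boot-volume-only check would miss.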
