[SCAP-On-Apple-Dev] [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.
todd_heberlein at mac.com
Sat Jul 20 18:52:44 PDT 2013
On Jul 16, 2013, at 6:39 AM, Peter Link <plink53 at mac.com> wrote:
> True, but if that application is still on the Mac, system profiler will find it and report when it was installed/modified. Isn't this what you want any test to show?
I looked at the output of
system_profiler -xml SPApplicationsDataType
and it appears to only have .app bundles (e.g., Cocoa applications) and not executable code in general. I couldn't find an argument that would gather all executable code on the system. Anyone know how to search for all executable code on the system (including helper programs)?
I am also guessing that it uses data provided by the application itself. That is, the applications are "self reporting". From a security point of view, that seems like an issue to me.
There were two more data types I personally found interesting: SPFrameworksDataType (for some of the framework libraries (but again, not libraries in general) and SPExtensionsDataType (for kernel extensions).
In addition to whatever security purposes you are looking for, it seems like this would be nice data to help diagnose why one machine in your fleet doesn't behave like the others.
PS. I'm not on the Oval mailing list, so if anyone thinks it is appropriate, please forward this email to that list.
More information about the SCAP-On-Apple-Dev