[SCAP-On-Apple-Dev] [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.

David Solin david at joval.org
Sun Jul 21 07:59:46 PDT 2013


I'm not sure there's really a need to know a single command to fetch 
every executable.  However, it's important to be able to determine 
whether or not some specific program exists someplace on a machine, for 
two use-cases:

1) Inventory (this could be what's motivating the desire to have a 
complete list, but most solutions only scan for a specific set of 
application signatures)
2) Vulnerability (if there's a known vulnerability in some program, you 
want to scan for its presence on the machine)

The original test proposal was an attempt to create an object that could 
be used generically to represent an installed application on OSX.  But 
it seems that it's not useful for this purpose, so the next logical 
question would be, what is?

We already have a Unix file test on OVAL, which can search for 
executable files (and which should also work on OSX), to satisfy the 
most generic case.  But on Solaris there are packages, and on RedHat 
Linux there are RPMs, and on Debian Linux there are Debian packages -- 
and in these cases there are also corresponding OVAL tests that make it 
relatively simple to find applications installed using those methods.

So, what is the most popular way to package an application for OSX, and 
what's a method one can use to test whether such a package is 
installed?  The answer will tell us what schema object we need to add to 
OVAL.

Regards,
--David Solin

On 7/21/2013 8:48 AM, Peter Link wrote:
> I'd like to ask my original question again.
>
> What are we trying to find and how does it help define an OVAL test or anything related to the SCAP-on-Apple project?
>
> This started with the pkgutil test to figure out what the version and installation date of specific software was. I don't remember seeing anything related to finding every executable (per David Solin posting, Like this? find / -type f -perm +111 -print) on a Windows system only specific ones.
>
> I commented on some of the initial tickets posted on http://scap-on-apple.macosforge.org but haven't looked at all of the second batch. I'm going to try and focus my effort on helping get these tickets completed so Shawn can release more.
>   
>
>
> On Jul 20, 2013, at 6:52 PM, Todd Heberlein <todd_heberlein at mac.com> wrote:
>
>> On Jul 16, 2013, at 6:39 AM, Peter Link <plink53 at mac.com> wrote:
>>
>>> True, but if that application is still on the Mac, system profiler will find it and report when it was installed/modified. Isn't this what you want any test to show?
>> I looked at the output of
>>
>> 	system_profiler -xml SPApplicationsDataType
>>
>> and it appears to only have .app bundles (e.g., Cocoa applications) and not executable code in general. I couldn't find an argument that would gather all executable code on the system. Anyone know how to search for all executable code on the system (including helper programs)?
>>
>> I am also guessing that it uses data provided by the application itself. That is, the applications are "self reporting". From a security point of view, that seems like an issue to me.
>>
>>
>> There were two more data types I personally found interesting: SPFrameworksDataType (for some of the framework libraries (but again, not libraries in general) and SPExtensionsDataType (for kernel extensions).
>>
>>
>> In addition to whatever security purposes you are looking for, it seems like this would be nice data to help diagnose why one machine in your fleet doesn't behave like the others.
>>
>> Todd
>>
>> PS. I'm not on the Oval mailing list, so if anyone thinks it is appropriate, please forward this email to that list.
> Peter Link
> LLNL retired
> plink53 at mac.com
>
>
>


-- 

jOVAL.org: SCAP Simplified.
Learn More <http://www.joval.org> | Features 
<http://www.joval.org/features/> | Download 
<http://www.joval.org/download/>
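As an added illustration of the check David asks about (and of the pkgutil-based version/install-date lookup Peter mentions), here is example code that is not from this thread or the SCAP-on-Apple project. It parses the plain `key: value` output that `pkgutil --pkg-info <package-id>` prints for an installer receipt and evaluates it the way an OVAL rpminfo/dpkginfo-style test would: is the package present, and does its version meet a minimum? The package id, version and timestamp in the sample are constructed; the function names are this example's own.

```python
"""Parse `pkgutil --pkg-info` receipt output and evaluate an OVAL-style
"pkginfo" check (receipt present, version at least X).

Added example, not part of the mailing-list thread or any OVAL schema.
It assumes the `key: value` text layout that `pkgutil --pkg-info` prints.
"""
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of what `pkgutil --pkg-info` prints for one receipt
# (package id, version and install-time are made up for this example).
SAMPLE_PKG_INFO = """\
package-id: com.example.someapp.pkg
version: 2.1.4
volume: /
location: Applications
install-time: 1374414000
"""


def parse_pkg_info(text: str) -> dict:
    """Turn the `key: value` lines into a dict; install-time (a Unix epoch
    value) becomes a timezone-aware UTC datetime."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    if "install-time" in info:
        info["install-time"] = datetime.fromtimestamp(
            int(info["install-time"]), tz=timezone.utc)
    return info


def version_key(version: str) -> list:
    """Split a dotted version into integers so that 2.10 sorts above 2.9.
    A component that is not purely numeric (e.g. '0b2') counts as 0."""
    return [int(p) if p.isdigit() else 0 for p in version.split(".")]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; shorter versions are padded
    with zeros so '2.1.4' equals '2.1.4.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def evaluate_pkginfo_test(info: Optional[dict], package_id: str,
                          min_version: str) -> str:
    """OVAL-style result string: 'true' if a receipt for package_id exists
    and its version is >= min_version, otherwise 'false'. A missing receipt
    (info is None) means the package is not installed by this method."""
    if info is None or info.get("package-id") != package_id:
        return "false"
    if compare_versions(info.get("version", "0"), min_version) >= 0:
        return "true"
    return "false"


def query_pkg_info(package_id: str) -> Optional[dict]:
    """Ask the live system (macOS only). Returns None when pkgutil is not
    available or it reports no receipt for the package id."""
    try:
        proc = subprocess.run(["pkgutil", "--pkg-info", package_id],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if proc.returncode != 0:
        return None
    return parse_pkg_info(proc.stdout)


if __name__ == "__main__":
    receipt = parse_pkg_info(SAMPLE_PKG_INFO)
    print(receipt["package-id"], receipt["version"],
          receipt["install-time"].isoformat())
    print("meets 2.0:", evaluate_pkginfo_test(receipt, "com.example.someapp.pkg", "2.0"))
    print("meets 2.2:", evaluate_pkginfo_test(receipt, "com.example.someapp.pkg", "2.2"))
```

One caveat that follows from Todd's "self reporting" point: a receipt only records what the installer wrote at install time, so it still exists after the application has been deleted and says nothing about whether the payload has since been modified. For a vulnerability check it is worth pairing the receipt lookup with the existing Unix file test on the paths that `pkgutil --files <package-id>` lists, so the test fails closed when the files are gone or have changed.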
