[SCAP-On-Apple-Dev] [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.

Josh Wisenbaker dubs at apple.com
Sun Jul 21 14:49:06 PDT 2013


On Jul 21, 2013, at 3:03 PM, Todd Heberlein <todd_heberlein at mac.com> wrote:

> I've been conducting some experiments to figure out how different data collection methods behave. (spoiler, I like system_profiler). Here are my findings on three methods.
> system_profiler
> 
> I found this very useful. It caught application bundles I dragged to the /Applications folder (something pkgutil did not). I also searched for app bundles installed in home folders and found a surprising number (though, much of that is because I do software development):
> 
> 	system_profiler -xml SPApplicationsDataType | grep '/Users/.*\.app<'
> 
> There are some limitations however. For example, it did *not* pick up "java", which seems pretty critical.

The system_profiler tool works much in the way that the code snippet I posted before works. Although the tool isn't in the open source projects, you can see how you can leverage the Spotlight metadata indexes to help find things quickly without using a lot of resources.

Java doesn't get picked up as it isn't an application. Java does appear in the Frameworks queries against system_profiler. Building off of our earlier metadata queries you can see that SPApplicationsDataType is going to return everything that is listed with 'com.apple.application'.

Going back a few emails though I agree that there are two different topics at hand here.

1) Inventory scanning: Wherein we just want to find everything on the system.
2) Vulnerability scanning: Wherein we are starting with a vulnerability and then checking the system for it.

I tend to think that #1 falls more into the domain of client management suites as this is the sort of thing they were designed to do. #2 however seems exactly like what OVAL and SCAP consuming tools need to do. If you have 50 defined tests, then you really don't need to care about anything outside the scope of those tests.

Simply put, the workflow for testing should be:
	Load tests -> Run tests -> Return results.

Not:
	Load tests -> Do a bunch of other stuff -> Run tests -> Return results.

Just my 2-cents,
Josh

-- 
Josh Wisenbaker
Consulting Engineer - Apple
dubs at apple.com
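The following is an added example, not code from this thread or from Apple. It shows the "Load tests -> Run tests -> Return results" workflow Josh describes, run against the kind of inventory `system_profiler -xml SPApplicationsDataType` produces: the plist is parsed rather than grepped, bundles under /Users are picked out the way Todd's one-liner does, and a small set of OVAL-style version tests is evaluated against every matching bundle wherever it lives. The sample plist is constructed for the example; it assumes the real output is an array of dicts with `_dataType` and `_items`, each item carrying `_name`, `path` and `version` keys. The application names, versions and "fixed_in" thresholds are hypothetical and describe no real product or vulnerability.

```python
import plistlib
import re
from typing import Dict, List

# Constructed sample mimicking `system_profiler -xml SPApplicationsDataType`.
# The key names (_dataType, _items, _name, path, version) are assumed to match
# the real tool; the applications, paths and versions are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>_dataType</key><string>SPApplicationsDataType</string>
    <key>_items</key>
    <array>
      <dict>
        <key>_name</key><string>ExampleBrowser</string>
        <key>path</key><string>/Applications/ExampleBrowser.app</string>
        <key>version</key><string>9.1</string>
      </dict>
      <dict>
        <key>_name</key><string>ExampleEditor</string>
        <key>path</key><string>/Users/dev/Applications/ExampleEditor.app</string>
        <key>version</key><string>1.2.0</string>
      </dict>
      <dict>
        <key>_name</key><string>ExampleEditor</string>
        <key>path</key><string>/Users/dev/Projects/build/ExampleEditor.app</string>
        <key>version</key><string>1.4.1</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Hypothetical OVAL-style tests: "an install of NAME older than FIXED_IN is affected".
TESTS = [
    {"id": "test-1", "name": "ExampleEditor", "fixed_in": "1.3.0"},
    {"id": "test-2", "name": "ExampleBrowser", "fixed_in": "9.0"},
    {"id": "test-3", "name": "NotInstalledApp", "fixed_in": "2.0"},
]


def load_inventory(plist_bytes: bytes) -> List[Dict[str, str]]:
    """Parse system_profiler's XML plist and return the application items."""
    data = plistlib.loads(plist_bytes)
    items: List[Dict[str, str]] = []
    for section in data:
        if section.get("_dataType") == "SPApplicationsDataType":
            items.extend(section.get("_items", []))
    return items


def home_folder_apps(items: List[Dict[str, str]]) -> List[str]:
    """Same selection as `grep '/Users/.*\\.app<'`, done on parsed paths."""
    return sorted(i["path"] for i in items
                  if re.match(r"/Users/.*\.app$", i.get("path", "")))


def version_tuple(version: str) -> tuple:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def run_tests(tests: List[Dict[str, str]], items: List[Dict[str, str]]) -> List[Dict]:
    """Load tests -> run them against the inventory -> return one result per test.

    Result values follow OVAL's convention: 'true' means the test matched
    (an affected install exists), 'false' means every install is at or above
    fixed_in, 'not applicable' means the application is not present at all.
    """
    results = []
    for test in tests:
        installs = [i for i in items if i.get("_name") == test["name"]]
        affected = [i["path"] for i in installs
                    if version_tuple(i.get("version", "0")) < version_tuple(test["fixed_in"])]
        if not installs:
            result = "not applicable"
        elif affected:
            result = "true"
        else:
            result = "false"
        results.append({"id": test["id"], "result": result, "paths": sorted(affected)})
    return results


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_PLIST)
    print("app bundles under /Users:", home_folder_apps(inventory))
    for r in run_tests(TESTS, inventory):
        print(r["id"], r["result"], r["paths"])
```

The point of evaluating every install rather than the first one found is visible in test-1: the copy under ~/Projects/build is already at a fixed version, but the copy under ~/Applications is not, and a receipt-based check (pkgutil) would have seen neither, since both were dragged into place rather than installed from a package.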