[SCAP-On-Apple-Dev] [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.
plink53 at mac.com
Sun Jul 21 15:57:04 PDT 2013
Remember in NIST's definition "vulnerabilities" mean anything that can compromise a system, especially the way it's configured/misconfigured. Vulnerability scanning isn't just about finding malware. When you look at the two things I want to use SCAP for you get 1) common malware detection using CVE (NIST def.: CVE is a dictionary of publicly known information security vulnerabilities and exposures.) and 2) a way to validate the proper configuration of a computer using as many of the SCAP data feeds as possible all tied together using XCCDF and OVAL. I am hoping the end result of the SCAP-on-Apple project is to create everything necessary to move to the next step of a documented USGCB baseline configuration. This is what I've been asking for over the last several years and never got while working at LLNL. I'm hoping this project gets us there.
On Jul 21, 2013, at 2:49 PM, Josh Wisenbaker <dubs at apple.com> wrote:
> On Jul 21, 2013, at 3:03 PM, Todd Heberlein <todd_heberlein at mac.com> wrote:
>> I've been conducting some experiments to figure out how different data collection methods behave. (spoiler, I like system_profiler). Here are my findings on three methods.
>> I found this very useful. It caught application bundles I dragged to the /Applications folder (something pkgutil did not). I also searched for app bundles installed in home folders and found a surprising number (though, much of that is because I do software development):
>> system_profiler -xml SPApplicationsDataType | grep '/Users/.*\.app<'
>> There are some limitations however. For example, it did *not* pick up "java", which seems pretty critical.
> The system_profiler tool works much in the way that the code snippet I posted before works. Although the tool isn't in the open source projects you can see how you can leverage the Spotlight metadata indexes to help find things quickly without using a lot of resources.
> Java doesn't get picked up as it isn't an application. Java does appear in the Frameworks queries against system_profiler. Building off of our earlier metadata queries you can see that SPApplicationsDataType is going to return everything that is listed with 'com.apple.application'.
> Going back a few emails though I agree that there are two different topics at hand here.
> 1) Inventory scanning: Wherein we just want to find everything on the system.
> 2) Vulnerability scanning: Wherein we are starting with a vulnerability and then checking the system for it.
> I tend to think that #1 falls more into the domain of client management suites as this is the sort of thing they were designed to do. #2 however seems exactly like what OVAL and SCAP consuming tools need to do. If you have 50 defined tests, then you really don't need to care about anything outside the scope of those tests.
> Simply put, the workflow for testing should be:
> Load tests -> Run tests -> Return results.
> Load tests -> Do a bunch of other stuff -> Run tests -> Return results.
> Just my 2-cents,
> Josh Wisenbaker
> Consulting Engineer - Apple
> dubs at apple.com
> SCAP-On-Apple-Dev mailing list
> SCAP-On-Apple-Dev at lists.macosforge.org
Peter and Nancy Link
plink53 at mac.com
plink53 at me.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the SCAP-On-Apple-Dev