[SCAP-On-Apple-Dev] Mac's Audit Data (slightly OT)

Jeffrey Blank blank at eclipse.ncsc.mil
Tue Jul 23 12:44:09 PDT 2013


Don't overthink this.

For compliance purposes, seeing that installed software is consistent
with the package receipts is a giant step forward and sufficient (from
my perspective, which I will defend).  Especially when compared to
everything done previously, such as close inspection of various aspects
of certain randomly chosen files (e.g. /etc/services, really?).


Reading/processing logs and audit data is a very good idea, but the
nature of such processing is outside the compliance realm (for now), at
least at the host level, which should focus instead on what to collect
and to make it available to the enterprise.
On 07/23/2013 02:50 PM, Todd Heberlein wrote:
> During the discussion started last week on trying to find out what programs, libraries, plug-ins, etc. were installed on a system to determine if a system is vulnerable, someone asked about using audit data (I think to validate the accuracy of data collected about programs).
> 
> Virtually everywhere I go, no one seems to know what they can do with audit data, which isn't surprising since there aren't exactly a lot of books or training courses on audit data as there are for network monitoring.
> 
> I put together this 7:38 min video on some of the information Apple's BSM audit data can provide.
> 
> 	Should you be leveraging Apple's BSM audit system?
> 	http://www.netsq.com/Podcasts/Data/2013/AuditIntro/
> 
> If scap-on-apple will include audit system configuration, at some point we should have a discussion about what types of questions you want to ask of that data.
> 
> Todd
> 
> _______________________________________________
> SCAP-On-Apple-Dev mailing list
> SCAP-On-Apple-Dev at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/scap-on-apple-dev
> 
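The "installed software is consistent with the package receipts" check that the reply above treats as the compliance baseline, written out as an added example that is not part of this thread. On macOS the per-package file list comes from `pkgutil --files <package-id>` (and the receipt BOM); here both the receipt manifest and the later on-disk snapshot are constructed in memory so the script runs anywhere, and the assumption that the manifest carries a SHA-256 and mode bits per file is an illustration, not a claim about what a real receipt stores. The `/etc/services` entry is included only to show that files outside the package's install prefix are not the receipt's business.

```python
"""Reconcile an on-disk snapshot against a package receipt manifest.

Added example, not code from the SCAP-On-Apple-Dev thread. The receipt and
the disk snapshot are constructed in memory (assumption: the manifest records
a SHA-256 digest and mode bits for every file the package installed).
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ReceiptEntry:
    """One file recorded by a package receipt: path, digest and mode bits."""
    path: str
    sha256: str
    mode: int


@dataclass
class Drift:
    missing: list = field(default_factory=list)        # in receipt, not on disk
    modified: list = field(default_factory=list)       # content digest differs
    mode_changed: list = field(default_factory=list)   # (path, expected, actual)
    unexpected: list = field(default_factory=list)     # under prefix, not in receipt

    def clean(self) -> bool:
        return not (self.missing or self.modified
                    or self.mode_changed or self.unexpected)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_receipt(files: dict) -> dict:
    """Build {path: ReceiptEntry} from {path: (bytes, mode)}; stands in for
    the installer recording its receipt at install time."""
    return {p: ReceiptEntry(p, digest(b), m) for p, (b, m) in files.items()}


def reconcile(receipt: dict, disk: dict, prefix: str) -> Drift:
    """Compare the snapshot {path: (bytes, mode)} with the receipt.

    Only paths under `prefix` count as 'unexpected': a receipt describes the
    package's own install tree, not the whole filesystem.
    """
    drift = Drift()
    for path, entry in sorted(receipt.items()):
        if path not in disk:
            drift.missing.append(path)
            continue
        data, mode = disk[path]
        if digest(data) != entry.sha256:
            drift.modified.append(path)
        if mode != entry.mode:
            drift.mode_changed.append((path, entry.mode, mode))
    for path in sorted(disk):
        if path.startswith(prefix) and path not in receipt:
            drift.unexpected.append(path)
    return drift


# Constructed sample: what the installer recorded for a hypothetical package.
PREFIX = "/usr/local/"
INSTALLED = {
    "/usr/local/bin/tool": (b"#!/bin/sh\necho tool v1\n", 0o755),
    "/usr/local/lib/libtool.dylib": (b"\xcf\xfa\xed\xfe" + b"\x00" * 16, 0o644),
    "/usr/local/etc/tool.conf": (b"verbose=0\n", 0o644),
}
RECEIPT = make_receipt(INSTALLED)

# Constructed sample: the same host some time later.
DISK_NOW = {
    "/usr/local/bin/tool": (b"#!/bin/sh\necho tool v1\n", 0o4755),            # setuid bit added
    "/usr/local/lib/libtool.dylib": (b"\xcf\xfa\xed\xfe" + b"\x01" * 16, 0o644),  # content changed
    # /usr/local/etc/tool.conf is gone
    "/usr/local/bin/tool-helper": (b"#!/bin/sh\n", 0o755),                   # in no receipt
    "/etc/services": (b"ssh 22/tcp\n", 0o644),                             # outside prefix: ignored
}


def sample_drift() -> Drift:
    """Run the reconciliation over the constructed snapshot."""
    return reconcile(RECEIPT, DISK_NOW, PREFIX)


if __name__ == "__main__":
    d = sample_drift()
    for label, items in vars(d).items():
        print(f"{label:13s} {items}")
    print("consistent with receipt:", d.clean())
```

Each category maps to a different compliance question: a missing or modified file means the host no longer matches what was installed, a mode change on an executable (the setuid bit here) is worth surfacing on its own even when content is untouched, and a file under the install prefix that no receipt claims is exactly the kind of thing the receipt-based check finds that a spot check of `/etc/services` never would.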

