[SCAP-On-Apple-Dev] Mac OS X - system_profiler test?

Jacobsen, Jasen W. jasenj1 at mitre.org
Fri Jul 26 08:44:03 PDT 2013


At Developer Days during my pkginfo test presentation it was mentioned that system_profiler can be used to get an accurate list of the applications that are currently installed. It was also mentioned that system_profiler can output XML in plist form. The suggestion was made that an OVAL test based on system_profiler could be created and XPath could be used to find the information being queried. Based on that, I took a little time to see what the XPath might look like for such a test.

$ system_profiler -xml SPApplicationsDataType > applications.plist

The above tells system profiler to list all the applications it knows about, format the output as XML (plist), and write it to a file.

Here's a snippet of the output:

<plist version="1.0">
<array>
  <dict>
    <key>_SPCommandLineArguments</key>
    <array>
      <string>/usr/sbin/system_profiler</string>
      <string>-xml</string>
      <string>SPApplicationsDataType</string>
    </array>
    <key>_SPCompletionInterval</key>
    <real>0.54004198312759399</real>
    <key>_dataType</key>
    <string>SPApplicationsDataType</string>
    <key>_detailLevel</key>
    <integer>1</integer>
    <key>_items</key>
    <array>
      <dict>
        <key>_name</key>
        <string>TextEdit</string>
        <key>app_store</key>
        <string>no</string>
        <key>has64BitIntelCode</key>
        <string>yes</string>
        <key>lastModified</key>
        <date>2012-09-02T10:52:45Z</date>
        <key>path</key>
        <string>/Applications/TextEdit.app</string>
        <key>runtime_environment</key>
        <string>arch_x86</string>
        <key>version</key>
        <string>1.8</string>
      </dict>

      … (lots of dict elements, each representing an application)


One XPath that could be used to answer the question "What version of TextEdit is installed?" is:

/plist/array[1]/dict[1]/key[.='_items']/following-sibling::array[1]/dict/key[.='_name']/following-sibling::*[1][.='TextEdit']/following-sibling::key[.='version']/following-sibling::*[1]


That XPath can be broken down into sections as follows:

/plist/array[1]/dict[1]/key[.='_items'] - Find the "_items"

/following-sibling::array[1]/dict - Find the "dict" elements that contain each application's info.

key[.='_name']/following-sibling::*[1][.='TextEdit'] - Find "_name" "TextEdit".

/following-sibling::key[.='version']/following-sibling::*[1] - Find the "version" value.


Run against the above, all that will return "1.8".


Does that seem reasonable? Are XPaths of that complexity typically used in OVAL?

Or does this fall into the territory of trying to treat INI files as text files?


- Jasen.
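
Added example, not part of the original message: the same lookup written with Python's standard library, whose ElementTree has no following-sibling axis, so each "key" is paired with the element after it. The sample plist is constructed and trimmed; the function names are hypothetical, and plistlib serves as a cross-check on the pairing logic.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample: trimmed system_profiler output with two applications.
SAMPLE = b"""<plist version="1.0"><array><dict>
  <key>_dataType</key><string>SPApplicationsDataType</string>
  <key>_items</key>
  <array>
    <dict>
      <key>_name</key><string>TextEdit</string>
      <key>version</key><string>1.8</string>
    </dict>
    <dict>
      <key>_name</key><string>Preview</string>
      <key>path</key><string>/Applications/Preview.app</string>
    </dict>
  </array>
</dict></array></plist>"""

def dict_pairs(dict_elem):
    """Map each <key> text to the value element that immediately follows it."""
    children = list(dict_elem)
    return {k.text: v for k, v in zip(children[0::2], children[1::2])
            if k.tag == "key"}

def app_versions(xml_bytes, name):
    """Versions of every application called `name`; [] if absent or unversioned."""
    root = ET.fromstring(xml_bytes)
    found = []
    for report in root.findall("./array/dict"):
        items = dict_pairs(report).get("_items")
        if items is None:
            continue
        for app in items.findall("dict"):
            fields = dict_pairs(app)
            name_el = fields.get("_name")
            # Unlike the sibling-axis XPath, this does not depend on key order.
            if name_el is not None and name_el.text == name and "version" in fields:
                found.append(fields["version"].text)
    return found

def app_versions_plistlib(xml_bytes, name):
    """Same query using plistlib, which decodes the plist into lists and dicts."""
    reports = plistlib.loads(xml_bytes)
    return [app["version"] for r in reports for app in r.get("_items", [])
            if app.get("_name") == name and "version" in app]
```

An application with no "version" key (Preview in the sample) yields an empty list rather than an error, a case a compliance check has to treat separately from "not installed".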


